Joeri Casteels

Experienced in Cloud Open-source StorageNetworking

Multi-master LDAP (config and database replication) with TLS and memberof

This guide is build on Linux Ubuntu 18.04 LTS.

Note: all files to download are .txt files you should remove/rename the extension since .ldif is not supported to download

Setup OpenLDAP server

apt-get install slapd ldap-utils snmpd dirmngr mailutils postfix

dpkg-reconfigure slapd

 Omit OpenLDAP server configuration? … No
 DNS domain name:yourdomain.com
 Name of your organization:yourdomain.com
 Admin Password: XXXXX
 Confirm Password: XXXXX
 OK
 HDB
 Do you want your database to be removed when slapd is purged? … No
 Move old database? … Yes
 Allow LDAPv2 Protocol? … No

Check if Openldap is running:

/etc/init.d/slapd status

Enable TLS

apt-get install gnutls-bin ssl-cert

Add openldap to ssl-cert group

usermod -aG ssl-cert openldap
chown :ssl-cert /etc/ssl/private/*
chmod 640 /etc/ssl/private/*
nano /etc/default/slapd

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Change path of certificates in 01_addcerts.ldif name your certificates the same if you run a multi-master setup!

ldapmodify -Y EXTERNAL -H ldapi:/// -f 01_addcerts.ldif

After inserting the certificates in ldap change your password

slappasswd -h {SSHA} -s "password"

It will print a new SSHA something like this: {SSHA}lXDMMLYVYSwAX68tj8fXgg/muPxogl/a

Copy this into 02_changepwd.ldif behind olcRootPW and run:

ldapmodify -Y EXTERNAL -H ldapi:/// -f 02_changepwd.ldif

To enforce TLS apply 03_forcetls.ldif:

ldapmodify -Y EXTERNAL -H ldapi:/// -f 03_forcetls.ldif

Change the client file for ldap and edit the domain names

nano /etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=yourdomain,dc=com
URI ldap://ldap1server.domain.com ldaps://ldap1server.domain.com:666 ldap://ldap2server.domain.com ldaps://ldap2server.domain.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/DigiCertCA.crt

service slapd restart

Users now need to use STARTTLS (e.g. with -Z in ldapsearch):

ldapsearch -x -Z -D "cn=admin,dc=yourdomain,dc=com" -W ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base|grep TLS

Configure Multi-master LDAP

Note: If at any time you want to completely start over, just run this command on both servers:

apt remove --purge slapd -y; rm /var/lib/ldap/*

Config Replication

Copy the following ldif files and edit were necessary to execute on both servers this will replicate the config (If you use TLS make sure certs are named the same on both servers but are not identical)

04_syncprov_mod.ldif

05_olcserverid.ldif

olcServerID: 1 --> change olcServerID: unique number per server!

06_olcServer.ldif

LIST ALL MASTERS with unique server ID and full iqn name

olcServerID: 1 ldap://ldap1.yourdomain.com
olcServerID: 2 ldap://ldap2.yourdomain.com

07_syncprov.ldif

08_syncRepl.ldif

EVERY rid= needs to be unique like the ServerID but has no relation to the ServerID number. Also make sure the provider is the full iqn name and the credentials is the correct password!

olcSyncRepl: rid=001 provider=ldap://ldap1.yourdomain.com binddn="cn=admin,cn=config" bindmethod=simple credentials="yourpassword" searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical tls_reqcert=demand

Excute commands explained:

If you do not have TLS enabled you have to insert the ldifs like this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f "filename.ldif"

If you do have TLS enabled you have to insert the ldifs like this NOTE that you have to change the servername to the correct server:

ldapmodify -ZZ -h ldap1.mydomain.com -D "cn=admin,cn=config" -W -f "filename.ldif"

On LDAP1 server:

ldapmodify -ZZ -h ldap1.mydomain.com -D "cn=admin,cn=config" -W -f 04_syncprov_mod.ldif
ldapmodify -ZZ -h ldap1.mydomain.com -D "cn=admin,cn=config" -W -f 05_olcserverid.ldif
ldapmodify -ZZ -h ldap1.mydomain.com -D "cn=admin,cn=config" -W -f 06_olcServer.ldif
ldapmodify -ZZ -h ldap1.mydomain.com -D "cn=admin,cn=config" -W -f 07_syncprov.ldif
ldapmodify -ZZ -h ldap1.mydomain.com -D "cn=admin,cn=config" -W -f 08_syncRepl.ldif

On LDAP2 server:

ldapmodify -ZZ -h ldap2.mydomain.com -D "cn=admin,cn=config" -W -f 04_syncprov_mod.ldif
ldapmodify -ZZ -h ldap2.mydomain.com -D "cn=admin,cn=config" -W -f 05_olcserverid.ldif
ldapmodify -ZZ -h ldap2.mydomain.com -D "cn=admin,cn=config" -W -f 06_olcServer.ldif
ldapmodify -ZZ -h ldap2.mydomain.com -D "cn=admin,cn=config" -W -f 07_syncprov.ldif
ldapmodify -ZZ -h ldap2.mydomain.com -D "cn=admin,cn=config" -W -f 08_syncRepl.ldif

WARNING! These ldif files should have NO TRAILING WHITESPACE after any line. If there is any trailing whitespace, the above command will fail with errors like:

ldapadd: wrong attributeType at line 5, entry "cn=module{0},cn=config"

You can now check with netstat if both ldap servers connect to eachother you should see 2 lines per server:

netstat -a | egrep ":ldap"

Database Replication

ONLY RUN ON LDAP1 Server NOT BOTH

Copy the following ldif files to execute on both servers this will replicate the database

09_olcDatabasehdb.ldif

10_olcSyncRepl.ldif

EVERY rid= needs to be unique like the ServerID but has no relation to the ServerID number. Also make sure the provider is the full iqn name, the searchbase is correct and the credentials is the correct password!

olcSyncRepl: rid=003 provider=ldap://ldap1.yourdomain.com binddn="cn=admin,dc=yourdomain,dc=com" bindmethod=simple credentials="yourpassword" searchbase="dc=yourdomain,dc=com" type=refreshAndPersist retry="5 5 300 5" timeout=1 starttls=critical tls_reqcert=demand

11_olcDatabaseIndex.ldif

On master LDAP (ONLY RUN ON 1 SERVER):

ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 09_olcDatabasehdb.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 10_olcSyncRepl.ldif
ldapmodify -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 11_olcDatabaseIndex.ldif

You can now check with netstat if both ldap servers connect to eachother you should see 4 lines per server:

netstat -a | egrep ":ldap"

Enable memberof

Change access for memberof: this need to be done on both servers since it does not copy modules

12_changeAccess.ldif

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f changeAccess.ldif

Copy below files Only on LDAP1 Server! Since new ldif will be pushed to ldap2 as well.

13_ldap_memberof_add.ldif

14_ldap_memberof_config.ldif

ldapadd -ZZ -h ldap1.yourdomain.com -D "cn=admin,cn=config" -W -f 01_ldap_memberof_add.ldif
ldapadd -ZZ -h ldap.yourdomain.com -D "cn=admin,cn=config" -W -f 02_ldap_memberof_config.ldif

Now you can search with the memberof attribute

ldapsearch -x -LLL -H ldap:/// -b cn=admin,dc=yourdomain,dc=com dn memberof

Hope this guide was helpful to you. If you have any remarks you can leave them below.


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.