
I have set up a simple OpenLDAP server on CentOS 7 minimal. I added a couple of users and set up a client that can retrieve the users using getent passwd, and ldapsearch works fine between the two. Then I tried to set up a simple replicator (consumer). No TLS at this stage, trying to keep it as simple as possible. For my syncprov on the provider I have inside the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}syncprov.ldif:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 80120f94
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpSessionlog: 100
structuralObjectClass: olcSyncProvConfig
entryUUID: ba668464-d734-1035-9bf8-97aa47bee689
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20160705194510Z
entryCSN: 20160705194510.621665Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160705194510Z

Then I set up a new server called simple-replicator.example.com with the same base.ldif as my provider but did not create any users. I read that I should set it up as a client first and then install the LDAP server, so I did that too. Inside the file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif I have:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3f0c6b1c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 0f0af22a-d73a-1035-87b2-ddfb498f969e
creatorsName: cn=config
createTimestamp: 20160705202320Z
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW:: e1NTSEF9YVdkdGFid0dteVhqRVNTY0hGUVVTL3JYOW1xYTMyeE0=
olcSyncrepl: {0}rid=001 provider=ldap://simple-provider.example.com:389/ bindmethod=simple bin
 ddn="cn=Manager,dc=example,dc=com" credentials={SSHA}UJzXEfBudfu5U6IGzFlea0
 TjKUvxBtc/ searchbase="dc=example,dc=com" scope=sub schemachecking=on type=
 refreshAndPersist retry="1 3 10 3" interval=00:00:01:00
entryCSN: 20160705205808.847049Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160705205808Z

My provider is called simple-provider.example.com and my replicator server is called simple-replicator.example.com.

But my command ldapsearch -x -b 'ou=People,dc=example,dc=com' returns nothing. The provider has not pushed the data into the replicator. What am I doing wrong? It is supposed to do it after 1 minute based on interval=00:00:01:00. Thank you in advance.

kevbuntu

1 Answer


Your credentials are likely wrong, unless {SSHA}UJzXEfBudfu5U6IGzFlea0 TjKUvxBtc/ is literally the plaintext password for cn=Manager,dc=example,dc=com.

Note:

  • You should really use TLS.
  • Don't replicate using olcRootDN. Make a global read-only DN instead.
  • The provider will never push. Syncrepl is pull based. (refreshAndPersist is like IMAP idle.)
  • You probably want at least an eq index for uid, uidNumber and gidNumber.
84104
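The points in the answer as an added example; this is not code from the question or the answer. The script checks a consumer's olcDatabase={2}hdb.ldif for the mistakes listed above (a hashed credentials= value, binding as the rootdn, a simple bind over plain ldap:// without StartTLS) and prints the LDIF a practitioner would feed to ldapadd/ldapmodify on each side to fix them. Assumed names: cn=replicator,dc=example,dc=com as the dedicated read-only replication DN, and the REPLACE_WITH_* placeholders, which must be filled in by hand; the sample file at the bottom is a constructed copy of the relevant lines from the question so the check can run without a live slapd.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumption:
# cn=replicator,dc=example,dc=com is the dedicated replication DN.
# Usage: check_syncrepl /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

# Unfold LDIF: a line beginning with one space continues the previous value.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# The olcSyncrepl value(s) of a config file, unfolded, one per line.
syncrepl_value() {
    unfold_ldif "$1" | sed -n 's/^olcSyncrepl: //p'
}

# Return 0 if the stanza looks usable, 1 otherwise; reasons go to stdout.
check_syncrepl() {
    file="$1"; rc=0
    rootdn=$(unfold_ldif "$file" | sed -n 's/^olcRootDN: //p')
    stanza=$(syncrepl_value "$file")
    [ -n "$stanza" ] || { echo "no olcSyncrepl in $file"; return 1; }
    # credentials= takes the plaintext; a hash copied from olcRootPW is sent
    # verbatim as the password and the bind fails (the answer's main point).
    if printf '%s\n' "$stanza" | grep -Eq 'credentials=[{](S?SHA|S?MD5|CRYPT)[}]'; then
        echo "credentials= holds a password hash, not the plaintext"; rc=1
    fi
    # The consumer should bind as a read-only account, never as the rootdn.
    binddn=$(printf '%s\n' "$stanza" | sed -n 's/.*binddn="\([^"]*\)".*/\1/p')
    if [ -n "$rootdn" ] && [ "$binddn" = "$rootdn" ]; then
        echo "binddn is the rootdn ($rootdn); use a read-only replication DN"; rc=1
    fi
    # A simple bind over plain ldap:// sends that password in the clear.
    if printf '%s\n' "$stanza" | grep -q 'provider=ldap://' &&
       ! printf '%s\n' "$stanza" | grep -q 'starttls='; then
        echo "simple bind over ldap:// without starttls=critical"; rc=1
    fi
    return $rc
}

# Provider (ldapadd -x -D cn=Manager,dc=example,dc=com -W): the bind account.
# Generate the hash with: slappasswd -s '<password>'
provider_replicator_ldif() {
    cat <<'EOF'
dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: REPLACE_WITH_SLAPPASSWD_HASH
EOF
}

# Provider (ldapmodify -Y EXTERNAL -H ldapi:///): read access for that DN
# plus the eq indexes the answer asks for.
provider_acl_index_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
-
add: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber eq
EOF
}

# Consumer (ldapmodify -Y EXTERNAL -H ldapi:///): the stanza from the question
# with a plaintext credential, the replication DN and StartTLS.
consumer_syncrepl_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=001
  provider=ldap://simple-provider.example.com:389/
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLACE_WITH_PLAINTEXT_PASSWORD
  searchbase="dc=example,dc=com" scope=sub schemachecking=on
  type=refreshAndPersist retry="1 3 10 3" starttls=critical
-
add: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber eq
EOF
}

# Constructed copy of the relevant lines of the consumer file in the question.
sample_broken_consumer_ldif() {
    cat <<'EOF'
dn: olcDatabase={2}hdb
olcRootDN: cn=Manager,dc=example,dc=com
olcSyncrepl: {0}rid=001 provider=ldap://simple-provider.example.com:389/ bindmethod=simple bin
 ddn="cn=Manager,dc=example,dc=com" credentials={SSHA}UJzXEfBudfu5U6IGzFlea0
 TjKUvxBtc/ searchbase="dc=example,dc=com" scope=sub schemachecking=on type=
 refreshAndPersist retry="1 3 10 3" interval=00:00:01:00
EOF
}
```

Run the check against the file in the question and all three findings are reported; run it against the output of consumer_syncrepl_ldif and it is silent. ldapmodify against cn=config rewrites the file under slapd.d, which is why editing the .ldif by hand is discouraged. The corrected stanza drops interval=, which slapd only consults in refreshOnly mode; with refreshAndPersist the consumer keeps the connection open and receives changes as they happen. Until the provider has a certificate, leave starttls=critical out (the check will then warn about the cleartext bind, as it should). To confirm the two servers are in sync, compare contextCSN on each side: ldapsearch -x -H ldap://<host> -b dc=example,dc=com -s base contextCSN; matching values mean the consumer has caught up.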
  • I will add TLS later, I just like to have a simple configuration working first. I have added a plain text password to my syncrepl.ldif and I ran ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif but that did not change the content of olcDatabase={2}hdb.ldif. I guess I must either delete it or use ldapdelete to remove the entire entry. But are you sure that I should use refreshOnly instead of refreshAndPersist !? – kevbuntu Jul 07 '16 at 13:12
  • Somehow it is working. I know the password had to be clear text, and added refreshOnly, but my file "olcDatabase={2}hdb.ldif" on the replicator no longer exists. How come the replication works just fine!? Where is the information from syncrepl.ldif? If the provider is switched off, do the clients automatically turn to reading from the replicator or the consumer? – kevbuntu Jul 07 '16 at 14:31
  • @kevbuntu I never said you should use refreshOnly, rather I am contesting your use of the word push. `slurpd`, which was the push replicator for OpenLDAP, last existed in 2.3. It is not present in 2.4, being replaced by syncRepl, which is pull based. – 84104 Jul 07 '16 at 18:20
  • I tried it again with a clear password but it is not working. I guess I misunderstood about refreshOnly, but I am using it as type here. Is there something we have to do in order to trigger the replication? When I use this on the replicator I get nothing: ldapsearch -H ldap://simple-replicator.example.com -x -D "cn=Manager,dc=example,dc=com" -W -s base contextcsn | grep contextCSN. I should get the sync number that I get on the provider. Or on the provider I use ldap://simple-provider instead of simple-replicator. Yesterday everything worked perfectly. There is something missing that I cannot duplicate!? – kevbuntu Jul 08 '16 at 16:04