vahidhsahemi.com

OpenLDAP installation is fairly straight-forward and doesn’t have any caveats, but making it replicable has ambiguity. We will start with installing openLDAP. I will use following configs :

• ubuntu 16.04 server
• openLDAP 2.4.x
• phpLDAPadmin

Installing openLDAP :

First thing first, update your ubuntu box :

sudo apt-get update

Install openLDAP :

sudo apt-get install slapd ldap-utils

During installation process you will prompted to enter administrator password. After installing the ldap server you need to configure it :

sudo dpkg-reconfigure slapd

You will see a basic gui with couple of prompts of how to configuring your openLDAP here is my config:

• Omit openLDAP Server Configuration : No
• DNS Domain : your domain in my case, lab.devcrutch.com
• Organization Name : whatever you fancy, lab
• Database : MDB (It’s an in-memory database based on BerkeleyDB. In case you were curious)
• Remove Database when openLDAP is Removed : No
• Move Old Database : Yes
• Allow LDAP2 : No

That’s it, if you ever want to check status of your openLDAP :

ldapwhoami -H ldap:// -W -D "cn=admin,dc=lab,dc=devcrutch,dc=com"

This command will prompt you to enter your password and if you enter it correctly you will get following response :

dn:cn=admin,dc=lab,dc=devcrutch,dc=com

You are all set to use openLDAP. Now let’s add an user for replication purposes inside provider (master) node. The replication user only needs to have a password and an OU, run following commands to add repl user with only a password

dn: cn=repl,dc=lab,dc=devcrutch,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: repl
userPassword: {SSHA}Px1UjD+3EMII0g+JZBdZkdO6lhZt4j4k
#password is abc123

Save the above file in an LDIF file and run following command. I will call this file add_repl.ldif

ldapadd -Y EXTERNAL -H ldapi:// -f add_repl.ldif

This user needs to have a privilege to only read couple of items from directory, the most important items to read, is userPassword, cn, uid and shadowLastChange. But before granting such access there is an issue with openLDAP’s configs that shipped by Ubuntu 16.04. It is best to remove those configs using following command :

#Run ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config"

#Not approapriate configs for making your openLDAP replicable
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read

For deleting them run:

ldapmodify -Y EXTERNAL -H ldapi://

In the prompt write following lines one by one (this way you will delete them step by step for the sake of not getting any error)

dn: olcDatabase={1}mdb,cn=config 
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
#press enter
dn: olcDatabase={1}mdb,cn=config 
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=shadowLastChange by self write by * read
#press enter
dn: olcDatabase={1}mdb,cn=config 
changetype: modify
delete: olcAccess
olcAccess: {0}to * by * read
#Press ctrl-d at the end

And add following configs :

#Execute ldapmodify -Y EXTERNAL -H ldapi://
#Then write these configs in it, at end press ctrl-d
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=lab,dc=devcrutch,dc=com" write by dn="cn=repl,dc=lab,dc=devcrutch,dc=com" read by * none
#press enter
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.base="" by * read
#press enter
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to * by self write by dn="cn=admin,dc=lab,dc=devcrutch,dc=com" write by * read

Now your provider is ready. We will go to consumer server. First of all install openLDAP using mentioned configs, it should be the same as the master. At the end add following configs into your consumer’s openLDAP :

#run ldapmodify -Y EXTERNAL -H ldapi://
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
#press enter
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
#press enter
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
#press enter
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
#press enter
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn eq
#press enter
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: dc eq
#press enter
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider="ldap://YOUR_MASTER_IP_ADDRESS:389/" type=refreshAndPersist retry="60 30 300 +" searchbase="dc=lab,dc=devcrutch,dc=com" bindmethod=simple binddn="cn=repl,dc=lab,dc=devcrutch,dc=com" credentials="abc123"

The reason I separate configs is because of stupidity level of ldap tools. If you happen to have one of these configs inside your openLDAP previously, the ldapmodify nags about it and will kick you out without knowing which config is saved and which one isn’t, so the best way for me was saving them sequentially.

Reason for having another user rather the “cn=admin” was because of  security, if you take a closer look at the latter config you will see that you have to add your password as a plain text. So it’s best to not to reveal your admin’s password. The repl user is a readonly user.

At the end you can install phpOpenLDAP in provider and consumer :

sudo apt-get install phpldapadmin

Edit below config :

sudo vim /etc/phpldapadmin/config.php

Change the following :

Find the line contains

$servers->setValue('server','base',array('dc=example,dc=com'));

Change it to

$servers->setValue('server','base',array('dc=lab,dc=devcrutch,dc=com'));

And another line contains

$servers->setValue('login','bind_id','cn=example,dc=com');

Change it to

$servers->setValue('login','bind_id','cn=admin,dc=lab,dc=devcrutch,dc=com');

Note: In this tutorial I’ve tried to create a replication server, replication doesn’t mean you have availability, which means if your master(provider) server is down then your client querys the slave(consumer) server. Replication means consistency not availability. If you happen to want availability you need to config openLDAP in multi-master mode.