This documents the installation of the LDAP replication server at IMB.

Replication Server

slurpd

slurpd is the daemon that propagates updates from the LDAP server to the replication server. Please note that slurpd runs on the master LDAP server, not the replication server. The replication LDAP server simply receives changes via slurpd and by no other means.

Hardware/Software

Our implementation of the LDAP replication will use an intel computer, running Redhat Advanced Server 3, though the replication server was also tested on various other flavours of redhat and fedora.

• LDAP Replication server - runs slapd only

LDAP Replication server

I strongly recommend using a utility such as stow to manage these packages in an organised way.

• OpenSSL

  Download the latest version of openssl (0.9.7d) from http://www.openssl.org/.

  Then install it.

  [lance@ldap]$ tar -xzvf openssl-0.9.7d.tar.gz
[lance@ldap]$ cd openssl-0.9.7d
[lance@ldap]$ ./config --prefix=/opt/local/PACKAGES/openssl-0.9.7d
[lance@ldap]$ make
[lance@ldap]$ make test
[lance@ldap]$ su
[root@ldap]# make install
[root@ldap]# cd /opt/local/PACKAGES/
[root@ldap]# stow -v openssl-0.9.7


• Berkeley DB

  This provides the database backend for the LDAP servers

  Download the latest source code (db-4.2.52.NC) from http://www.sleepycat.com/

  [lance@ldap]$ tar -xzvf db-4.2.52.NC.tar.gz
[lance@ldap]$ db-4.2.52.NC/build_unix/
[lance@ldap]$ ../dist/configure --prefix=/opt/local/PACKAGES/db-4.2.52.NC
[lance@ldap]$ make
[lance@ldap]$ su
[root@ldap]# make install
[root@ldap]# cd /opt/local/PACKAGES/
[root@ldap]# stow -v db-4.2.52.NC


• OpenLDAP

  Download the latest stable source code (2.1.29) from http://www.openldap.org/ Our implementation involves enabling slurpd and TLS.

  [lance@ldap]$ gunzip openldap-2.1.29.tgz
[lance@ldap]$ tar -xvf openldap-2.1.29.tar
[lance@ldap]$ cd openldap-2.1.29
[lance@ldap]$ env CPPFLAGS="-I/opt/local/ssl/include -I/opt/local/include" LDFLAGS="-L/opt/local/ssl/lib -L/opt/local/lib" ./configure --prefix=/opt/local/PACKAGES/openldap-2.1.29 --with-tls
[lance@ldap]$ make depend
[lance@ldap]$ make
[lance@ldap]$ su
[root@ldap]# make install
[root@ldap]# cd /opt/local/PACKAGES/
[root@ldap]# stow -v openldap-2.1.29


  ERRORS using configure on OpenLDAP

  • checking for openssl/ssl.h... no
checking for ssl.h... no
configure: error: Could not locate TLS/SSL package


    You have not installed OpenSSL properly or you did not set your environmental variables correctly. The settings above (CPPFLAGS="-I/opt/local/ssl/include" LDFLAGS="-L/opt/local/ssl/lib") assume you have installed openSSL in /opt/local/ssl or used stow to create links there.

  • checking for db.h... no
configure: error: BDB: BerkeleyDB not available

    You have not installed BerkerleyDB properly or you did not set your environmental variables correctly. The settings above (CPPFLAGS="-I/opt/local/include" LDFLAGS="-L/opt/local/lib") assume you have installed BerkeleyDB and used stow.

    Obviously this will need to be changed to suit your BerkeleyDB version.

• Starting OpenLDAP

  There are a number of options when starting OpenLDAP. The main executable is slapd. The basic startup command is:

  [root@ldap]# /opt/local/libexec/slapd


  To start using SSL (as opposed to TLS) you could use something like:

  [root@ldap]# /opt/local/libexec/slapd -h "ldap:/// ldaps:///"


• slapd.conf for LDAP Replication Server

  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #
  include         /opt/local/etc/openldap/schema/core.schema
  include         /opt/local/etc/openldap/schema/cosine.schema
  include         /opt/local/etc/openldap/schema/misc.schema
  include         /opt/local/etc/openldap/schema/nis.schema
  include         /opt/local/etc/openldap/schema/inetorgperson.schema
  include         /opt/local/etc/openldap/schema/openldap.schema
  include         /opt/local/etc/openldap/schema/java.schema
  include         /opt/local/etc/openldap/schema/netinfo.schema
  include         /opt/local/etc/openldap/schema/samba.schema
  include         /opt/local/etc/openldap/schema/apple.schema
  include         /opt/local/etc/openldap/schema/RADIUS-LDAPv3.schema
  include         /opt/local/etc/openldap/schema/DUAConfig.schema
  
  
  SIZELIMIT       2000
  
  TLSCertificateFile /usr/share/ssl/certs/ldap.cert
  TLSCertificateKeyFile /usr/share/ssl/certs/ldap.key
  TLSCACertificateFile /usr/share/ssl/certs/ca.cert
  TLSVerifyClient never
  
  
  pidfile         /opt/local/var/slapd.pid
  argsfile        /opt/local/var/slapd.args
  
  #######################################################################
  # ldbm database definitions
  #######################################################################
  
  database        bdb
  suffix          "dc=dc=your,dc=site,dc=com
  rootdn          "cn=Manager,dc=your,dc=site,dc=com
  rootpw          {MD5}secret
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by the slapd/tools. Mode 700 recommended.
  directory       /opt/local/var/openldap-data
  
  # Where to send writes
  updatedn        "cn=Manager,dc=your,dc=site,dc=com
  updateref       ldap://master_ldap.your.site.com
  
  cachesize 2000
  
  # Indices to maintain
  index   userPassword,memberUid,gidNumber,uidNumber eq
  index   uid,mail,ou eq
  index   givenName,cn,sn eq,sub
  index   objectClass eq
  index   sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
  index   default sub
  
  

---

Author: Lance Rathbone
Last modified: Wednesday June 18, 2008
Home