This documents the installation of the LDAP replication server at IMB.
Replication Server
slurpd
slurpd is the daemon that propagates updates from the master LDAP server to the replication server.
Please note that slurpd runs on the master LDAP server, not the replication server.
The replication LDAP server receives changes only from slurpd: it accepts writes solely from the DN named by updatedn in its slapd.conf, and refers every other write attempt back to the master via updateref.
Hardware/Software
Our implementation of LDAP replication uses an Intel computer running Red Hat Advanced Server 3, though the replication server was also tested on various other flavours of Red Hat and Fedora.
- LDAP Replication server - runs slapd only (slurpd belongs on the master)
LDAP Replication server
I strongly recommend using a utility such as stow to manage these packages in an organised way.
OpenSSL
Download the latest version of OpenSSL (0.9.7d at the time of writing) from http://www.openssl.org/, then build and install it:
[lance@ldap]$ tar -xzvf openssl-0.9.7d.tar.gz
[lance@ldap]$ cd openssl-0.9.7d
[lance@ldap]$ ./config --prefix=/opt/local/PACKAGES/openssl-0.9.7d
[lance@ldap]$ make
[lance@ldap]$ make test
[lance@ldap]$ su
[root@ldap]# make install
[root@ldap]# cd /opt/local/PACKAGES/
[root@ldap]# stow -v openssl-0.9.7d
Berkeley DB
This provides the bdb database backend for the LDAP servers.
Download the latest source code (db-4.2.52.NC at the time of writing) from http://www.sleepycat.com/ and build it from the build_unix directory:
[lance@ldap]$ tar -xzvf db-4.2.52.NC.tar.gz
[lance@ldap]$ cd db-4.2.52.NC/build_unix/
[lance@ldap]$ ../dist/configure --prefix=/opt/local/PACKAGES/db-4.2.52.NC
[lance@ldap]$ make
[lance@ldap]$ su
[root@ldap]# make install
[root@ldap]# cd /opt/local/PACKAGES/
[root@ldap]# stow -v db-4.2.52.NC
OpenLDAP
Download the latest stable source code (2.1.29 at the time of writing) from http://www.openldap.org/. Our implementation requires slurpd and TLS support, hence --with-tls below and the CPPFLAGS/LDFLAGS pointing configure at the OpenSSL and Berkeley DB builds installed above.
[lance@ldap]$ gunzip openldap-2.1.29.tgz
[lance@ldap]$ tar -xvf openldap-2.1.29.tar
[lance@ldap]$ cd openldap-2.1.29
[lance@ldap]$ env CPPFLAGS="-I/opt/local/ssl/include -I/opt/local/include" LDFLAGS="-L/opt/local/ssl/lib -L/opt/local/lib" ./configure --prefix=/opt/local/PACKAGES/openldap-2.1.29 --with-tls
[lance@ldap]$ make depend
[lance@ldap]$ make
[lance@ldap]$ su
[root@ldap]# make install
[root@ldap]# cd /opt/local/PACKAGES/
[root@ldap]# stow -v openldap-2.1.29
ERRORS using configure on OpenLDAP
checking for openssl/ssl.h... no
checking for ssl.h... no
configure: error: Could not locate TLS/SSL package

You have not installed OpenSSL properly or you did not set your environment variables correctly. The settings above (CPPFLAGS="-I/opt/local/ssl/include" LDFLAGS="-L/opt/local/ssl/lib") assume you have installed OpenSSL in /opt/local/ssl or used stow to create links there. Note that when OpenSSL is built with the --prefix shown earlier, its headers land in .../include/openssl and its libraries in .../lib, so after stow they are actually found through the second pair of flags (-I/opt/local/include -L/opt/local/lib); the /opt/local/ssl entries only matter if OpenSSL was installed directly under that directory.

checking for db.h... no
configure: error: BDB: BerkeleyDB not available

You have not installed Berkeley DB properly or you did not set your environment variables correctly. The settings above (CPPFLAGS="-I/opt/local/include" LDFLAGS="-L/opt/local/lib") assume you have installed Berkeley DB and used stow. Obviously the package name will need to be changed to suit your Berkeley DB version.
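Both configure errors above come down to the same question: under which prefix do the OpenSSL and Berkeley DB headers and libraries actually sit? The following POSIX shell helper is an added example written for this page (it is not part of OpenLDAP, OpenSSL or Berkeley DB); it walks a list of candidate prefixes and prints the CPPFLAGS/LDFLAGS pair to put in front of ./configure, or fails naming the dependency that is missing. The function name emit_configure_flags is hypothetical.

```shell
#!/bin/sh
# emit_configure_flags PREFIX...: look for the OpenSSL and Berkeley DB headers and
# libraries under each candidate prefix and print the CPPFLAGS/LDFLAGS pair that
# OpenLDAP's configure needs. Hypothetical helper written for this page; it is
# not part of OpenLDAP, OpenSSL or Berkeley DB.
emit_configure_flags() {
    cppflags=""
    ldflags=""
    missing=""
    # header configure looks for, and the library stem that must sit beside it
    for dep in "openssl/ssl.h:libssl" "db.h:libdb"; do
        header=${dep%%:*}
        lib=${dep##*:}
        found=""
        for prefix in "$@"; do
            # both the header and at least one libXXX.* (static or shared) must be present
            if [ -f "$prefix/include/$header" ] && ls "$prefix/lib/$lib".* >/dev/null 2>&1; then
                found=$prefix
                break
            fi
        done
        if [ -z "$found" ]; then
            missing="$missing $header"
            continue
        fi
        cppflags="$cppflags -I$found/include"
        ldflags="$ldflags -L$found/lib"
    done
    if [ -n "$missing" ]; then
        # This is the situation behind "Could not locate TLS/SSL package" and
        # "BDB: BerkeleyDB not available": install or stow the package first.
        echo "not found under $*:$missing" >&2
        return 1
    fi
    echo "CPPFLAGS=\"${cppflags# }\" LDFLAGS=\"${ldflags# }\""
}

# Stand-alone use: sh this_script.sh /opt/local /opt/local/ssl
if [ $# -gt 0 ]; then
    emit_configure_flags "$@"
fi
```

With the stow layout used on this page, `sh this_script.sh /opt/local /opt/local/ssl` is enough; the printed line can be pasted in front of `./configure --prefix=... --with-tls` in place of the hand-written env settings.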
Starting OpenLDAP
There are a number of options when starting OpenLDAP. The main executable is slapd. The basic startup command is:
[root@ldap]# /opt/local/libexec/slapd
To also accept LDAP over SSL (ldaps://, port 636) alongside plain LDAP with StartTLS on port 389, list both URLs with -h:
[root@ldap]# /opt/local/libexec/slapd -h "ldap:/// ldaps:///"
Started this way slapd keeps running as root. slapd(8) accepts -u user and -g group to drop privileges after binding its ports; if you use them, the database directory and the TLS key file must be readable by that user and by nobody else.
slapd.conf for LDAP Replication Server
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it holds rootpw and names the TLS key.
#
include /opt/local/etc/openldap/schema/core.schema
include /opt/local/etc/openldap/schema/cosine.schema
include /opt/local/etc/openldap/schema/misc.schema
include /opt/local/etc/openldap/schema/nis.schema
include /opt/local/etc/openldap/schema/inetorgperson.schema
include /opt/local/etc/openldap/schema/openldap.schema
include /opt/local/etc/openldap/schema/java.schema
include /opt/local/etc/openldap/schema/netinfo.schema
include /opt/local/etc/openldap/schema/samba.schema
include /opt/local/etc/openldap/schema/apple.schema
include /opt/local/etc/openldap/schema/RADIUS-LDAPv3.schema
include /opt/local/etc/openldap/schema/DUAConfig.schema

SIZELIMIT 2000

# The key file must be readable only by the user slapd runs as (mode 600).
TLSCertificateFile /usr/share/ssl/certs/ldap.cert
TLSCertificateKeyFile /usr/share/ssl/certs/ldap.key
TLSCACertificateFile /usr/share/ssl/certs/ca.cert
# The replica does not request client certificates; clients authenticate by binding.
TLSVerifyClient never

pidfile /opt/local/var/slapd.pid
argsfile /opt/local/var/slapd.args

#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "dc=your,dc=site,dc=com"
rootdn "cn=Manager,dc=your,dc=site,dc=com"
# {MD5}secret is a placeholder, not a valid hash: generate the real value with
# slappasswd (e.g. slappasswd -h {SSHA}) and never store a cleartext password here.
rootpw {MD5}secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /opt/local/var/openldap-data

# Replication. updatedn is the DN that slurpd on the master binds as when it
# pushes changes; it must match the binddn in the master's replica directive.
# Because that password is stored in the master's slapd.conf, a dedicated
# replication DN is safer than reusing the Manager account shown here.
updatedn "cn=Manager,dc=your,dc=site,dc=com"
# updateref is the referral returned to any client that tries to write to the
# replica, sending it to the master.
updateref ldap://master_ldap.your.site.com

cachesize 2000

# Indices to maintain
index userPassword,memberUid,gidNumber,uidNumber eq
index uid,mail,ou eq
index givenName,cn,sn eq,sub
index objectClass eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub
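As an added check, not part of the original page or of OpenLDAP, the following POSIX shell script audits a replica's slapd.conf for the points that matter above: the file is not world readable, rootpw is a slappasswd hash rather than cleartext, both updatedn and updateref are present, updatedn is not simply the rootdn, the quoted DN values are closed, and the TLS private key exists and is private. The helper names check_replica_conf, conf_value and other_readable are hypothetical.

```shell
#!/bin/sh
# check_replica_conf FILE: sanity and security checks for a slave slapd.conf.
# Hypothetical helper written for this page; it is not part of OpenLDAP.
# Prints one line per problem found and returns the number of problems (0 = clean).

# conf_value FILE DIRECTIVE: print the value of the first matching directive
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# other_readable FILE: succeed if the file's "other" read bit is set
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

check_replica_conf() {
    conf=$1
    problems=0

    if [ ! -f "$conf" ]; then
        echo "ERROR: $conf does not exist"
        return 1
    fi

    # 1. rootpw lives in this file: it must not be world readable (chmod 600).
    if other_readable "$conf"; then
        echo "WARN: $conf is world readable"
        problems=$((problems + 1))
    fi

    # 2. rootpw must be a hash produced by slappasswd, never cleartext.
    rootpw=$(conf_value "$conf" rootpw)
    case "$rootpw" in
        '') ;;
        '{SSHA}'*|'{SHA}'*|'{SMD5}'*|'{MD5}'*|'{CRYPT}'*) ;;
        *) echo "WARN: rootpw is stored in cleartext"
           problems=$((problems + 1)) ;;
    esac

    # 3. A replica needs updatedn (the DN slurpd binds as) and updateref (where writes go).
    for d in updatedn updateref; do
        if [ -z "$(conf_value "$conf" "$d")" ]; then
            echo "WARN: replica config lacks '$d'"
            problems=$((problems + 1))
        fi
    done

    # 4. updatedn == rootdn means the admin password also sits in the master's replica directive.
    rootdn=$(conf_value "$conf" rootdn)
    updatedn=$(conf_value "$conf" updatedn)
    if [ -n "$updatedn" ] && [ "$updatedn" = "$rootdn" ]; then
        echo "WARN: updatedn is the rootdn; use a dedicated replication DN"
        problems=$((problems + 1))
    fi

    # 5. DN values that open a quote must close it, or slapd rejects the file.
    if grep -E '^[[:space:]]*(suffix|rootdn|updatedn)[[:space:]]+"[^"]*$' "$conf" >/dev/null; then
        echo "WARN: unterminated quote in suffix/rootdn/updatedn"
        problems=$((problems + 1))
    fi

    # 6. The TLS private key must exist and must not be world readable.
    keyfile=$(conf_value "$conf" TLSCertificateKeyFile)
    if [ -n "$keyfile" ]; then
        if [ ! -f "$keyfile" ]; then
            echo "WARN: TLSCertificateKeyFile $keyfile not found"
            problems=$((problems + 1))
        elif other_readable "$keyfile"; then
            echo "WARN: TLS key $keyfile is world readable"
            problems=$((problems + 1))
        fi
    fi

    return $problems
}

# Stand-alone use: sh this_script.sh /opt/local/etc/openldap/slapd.conf
if [ $# -gt 0 ]; then
    check_replica_conf "$1"
fi
```

The exit status is the number of findings, so the script drops straight into a cron job or a post-install check. Directive matching is case-sensitive and assumes the lower-case spellings used in the file above; slapd itself accepts any case.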
Author: Lance Rathbone
Last modified: Wednesday June 18, 2008