Tricky little OpenLDAP replication gotchas

Posted in Linux

These are just some things to watch out for when setting up replicas.

SPACING IN REPLICA DEFINITIONS

In slapd.conf, replica server directives must start with replica, and the accompanying definitions must be indented for slurpd to parse them properly.  Alternatively you could put the whole thing on one line, but it’s ugly that way.  I couldn’t figure out why slurpd skipped my replica until I indented the lines.  Here’s what it should look like:

replica uri=ldap://ldap-slave.domain.com:389
         bindmethod=simple
         binddn="cn=doppelganger,dc=domain.com"
         credentials=PasswordCanNotBeHashed
# replogfile is a separate directive, not a replica option, so it is not indented
replogfile /var/lib/ldap/the.replog.file

Unlike the rootdn password, the password for the replication user can’t be a hash!  I tried my {SSHA} password and ran slurpd with debugging turned on and it didn’t like the credentials.  So I put the plain text password in there, with no other changes, and it started working fine.

ACLS IN SLAPD.CONF ON THE REPLICA

Don’t forget to change your ACLs on the slave to allow write access to the replication user.  This is simple, but easily overlooked.  Your ACLs should look something like this:

access to attrs=shadowLastChange,userPassword,shadowMax,shadowWarning
         by dn="cn=doppelganger,dc=domain.com" write
         by tls_ssf=256 ssf=256 self write
         by tls_ssf=256 ssf=256 anonymous auth
         by * none
access to *
         by dn="cn=doppelganger,dc=domain.com" write
         by tls_ssf=256 ssf=256 users read
         by tls_ssf=256 ssf=256 self write
         by tls_ssf=256 ssf=256 * read
         by * none

This is only needed on your slaves, of course.  If you’re doing some sort of master-master setup where updates go both ways, then it’s needed on both sides.  updatedn on the slave must match the replica binddn on the master, and updateref must be the master server’s URI.
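As an added example (not code from the original post or from OpenLDAP), here is a small Python lint that reads a master and a slave slapd.conf the way slapd does (a line starting with whitespace continues the directive above it) and checks the gotchas from the two sections above: replica options left unindented, {SCHEME}-hashed replica credentials, an updatedn that does not match the master’s replica binddn, a missing updateref, and an access clause that does not grant the update DN write.  The two embedded configs are constructed samples; the hostnames, DNs, paths and the fake hash are placeholders.

```python
"""Offline lint for a slurpd master/slave pair of slapd.conf files (added example)."""
import re

# Replica options that slapd.conf accepts; if one of these shows up as its own
# top-level line, the author forgot to indent it under the replica directive.
REPLICA_KEYS = {"uri", "host", "suffix", "attrs", "starttls", "tls", "bindmethod",
                "binddn", "saslmech", "authcid", "authzid", "credentials",
                "realm", "secprops"}

# Constructed sample configs: hostnames, DNs, paths and the hash are placeholders.
MASTER_CONF = """\
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}ExampleHashNotReal=
replogfile /var/lib/ldap/the.replog.file
replica uri=ldap://ldap-slave.domain.com:389
        bindmethod=simple
        binddn="cn=doppelganger,dc=domain,dc=com"
        credentials={SSHA}ExampleHashNotReal=
"""

SLAVE_CONF = """\
database bdb
suffix "dc=domain,dc=com"
updatedn "cn=doppelganger,dc=domain,dc=com"
updateref ldap://ldap-master.domain.com
access to attrs=userPassword
        by dn="cn=doppelganger,dc=domain,dc=com" write
        by anonymous auth
        by * none
access to *
        by dn="cn=doppelgangler,dc=domain,dc=com" write
        by * read
"""


def logical_lines(text):
    """Join slapd.conf continuation lines: a line that starts with whitespace
    belongs to the directive above it.  Blank lines and # comments are dropped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def norm_dn(dn):
    """Case-fold and strip quotes and spaces around commas before comparing DNs."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()


def parse_replica(line):
    """Turn 'replica key=value key="quoted value" ...' into a dict."""
    opts = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line[len("replica"):]):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def lint_master(text):
    """Return (findings, replicas) for the master's slapd.conf."""
    findings, replicas = [], []
    lines = logical_lines(text)
    for line in lines:
        word = line.split(None, 1)[0].lower()
        if word == "replica":
            replicas.append(parse_replica(line))
        elif "=" in word and word.split("=", 1)[0] in REPLICA_KEYS:
            findings.append(f"master: '{word}' is a top-level line; replica options "
                            "must be indented under the replica directive")
    if not any(l.lower().startswith("replogfile") for l in lines):
        findings.append("master: no replogfile directive, slurpd has nothing to ship")
    for r in replicas:
        if re.match(r"\{\w+\}", r.get("credentials", "")):
            findings.append(f"master: replica {r.get('uri', '?')} credentials look like "
                            "a {SCHEME} hash; slurpd needs the plaintext password")
    return findings, replicas


def lint_slave(text, replicas):
    """Return findings for the slave's slapd.conf, given the master's replicas."""
    findings = []
    lines = logical_lines(text)
    wanted = {norm_dn(r["binddn"]) for r in replicas if "binddn" in r}
    updatedn = next((l.split(None, 1)[1] for l in lines
                     if l.lower().startswith("updatedn ")), None)
    if updatedn is None:
        findings.append("slave: no updatedn directive")
    elif norm_dn(updatedn) not in wanted:
        findings.append(f"slave: updatedn {updatedn} matches no replica binddn on the master")
    if not any(l.lower().startswith("updateref ") for l in lines):
        findings.append("slave: no updateref, so writes will not be referred to the master")
    # Every access clause must grant the update DN write (or manage, which
    # includes write); otherwise slurpd's updates are rejected on the slave.
    by_dn = re.compile(r'\bby\s+dn(?:\.\w+)?=(?:"([^"]*)"|(\S+))\s+(\w+)', re.I)
    for l in lines:
        if not l.lower().startswith("access to"):
            continue
        writers = {norm_dn(q or u) for q, u, level in by_dn.findall(l)
                   if level.lower() in ("write", "manage")}
        if updatedn is not None and norm_dn(updatedn) not in writers:
            findings.append(f"slave: '{l.split(' by ')[0]}' does not grant write to {updatedn}")
    return findings


def run_lint(master_conf, slave_conf):
    """Lint both sides; an empty list means the pair passes these checks."""
    findings, replicas = lint_master(master_conf)
    return findings + lint_slave(slave_conf, replicas)


if __name__ == "__main__":
    for finding in run_lint(MASTER_CONF, SLAVE_CONF):
        print(finding)
```

Running it prints one line per finding; with the sample pair it reports the hashed credentials on the master and the misspelled DN in the slave’s second access clause.  To check real files, read them into the two strings instead of using the embedded samples.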

SSL CERTIFICATES

To avoid problems with self-signed certs, or certs signed by different CAs, put them in the same place.  So both servers will have master.pem and slave.pem, but each will point to its own cert, just like so:

slapd.conf on ldap-master:

TLSCACertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master.pem

slapd.conf on ldap-slave:

TLSCACertificateFile /etc/openldap/cacerts/slave.pem
TLSCertificateFile /etc/openldap/cacerts/slave.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slave.pem

The TLS lines in slapd.conf on the master and the replicas each point to their own cert, but as long as you keep the certs in the same directory, you can use TLS_CACERTDIR in ldap.conf and not have to specify exactly which one to use.

THE URI LINE IN LDAP.CONF

I overlooked this one; it seemed like no instructions or howtos on the net talked about it at all!  I guess it’s just that obvious, but it’s another gotcha you might overlook.  Since the LDAP servers are also going to be clients themselves, they need to point to their own databases in ldap.conf.  The master’s URI is ldap://ldap-master.domain.com and the replica’s URI is ldap://ldap-slave.domain.com.  Don’t forget to put both servers on the same URI line for the clients, or else they won’t be able to fail over.

uri ldap://ldap-master.domain.com ldap://ldap-slave.domain.com

Posted by admica   @   13 October 2008
