Friday, 22 January 2010

Setting up regional LDAP address book replicas

Purpose: Distribution of the company's LDAP address book to regional replicas.
Source (provider): address.example.com
Operating system: CentOS 5.4

Install OpenLDAP (the server itself, slapd, is in openldap-servers; ldapsearch is in openldap-clients)
yum install openldap openldap-servers openldap-clients
Configure LDAP replication
cat /etc/openldap/slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2

#increase for large number of address book entries
sizelimit 5000

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
# Use a hashed value generated with slappasswd ({SSHA}...) instead of a cleartext password
rootpw password

directory /var/lib/ldap

# Log only sync messages. These go to syslog (facility LOCAL4, see the
# syslog.conf step below); the logfile directive only receives debug output
# when slapd is started with -d.
loglevel sync
logfile /var/log/ldap.log

# TODO: have to think of adding a new index

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Pull a full copy of the address book from the provider once an hour
# (interval is dd:hh:mm:ss). Continuation lines must start with whitespace.
# No binddn/credentials are given, so the consumer binds anonymously; the
# provider's ACLs must allow that identity to read every replicated
# attribute, including the operational ones requested by attrs="*,+".
syncrepl rid=123
        provider=ldap://address.example.com:389
        type=refreshOnly
        interval=00:01:00:00
        retry="60 10 300 3"
        searchbase="dc=example,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*,+"
        schemachecking=off
        bindmethod=simple

For example, retry="60 10 300 3" makes the consumer retry every 60 seconds for the first 10 attempts and then every 300 seconds for the next three attempts before it stops retrying. A "+" in the <# of retries> field means an indefinite number of retries until success.

See more at openldap.org

Set up LDAP logging

Add the following lines to /etc/syslog.conf:
# LDAP log
local4.* /var/log/ldap.log

Set up LDAP log file rotation

In the directory /etc/logrotate.d create a file named ldap
with the following:
/var/log/ldap.log {
    notifempty
    missingok
    postrotate
        # syslogd writes this file, so it must re-open it after rotation;
        # restarting slapd does not release syslogd's handle on the old file.
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Restart syslog
/etc/init.d/syslog restart


Start replication and test it

/etc/init.d/ldap start


The file /var/log/ldap.log should then contain something like this:
Oct 28 11:22:27 rnduser slapd[2166]: syncrepl_entry: rid 123 be_add (0)
Oct 28 11:22:27 rnduser slapd[2166]: syncrepl_entry: rid 123 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Oct 28 11:22:27 rnduser slapd[2166]: <= bdb_equality_candidates: (entryUUID) not indexed
Oct 28 11:22:28 rnduser slapd[2166]: syncrepl_entry: rid 123 be_search (0)
Make a test search
ldapsearch -x -v -h localhost -p 389 -P 3 -b "dc=example,dc=com" "(objectClass=*)"
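A test search only proves the replica answers; to confirm it is actually up to date, compare the contextCSN of the provider with that of the consumer. The script below is an added example and not part of the original post; it uses the host names from the post, and the LDIF samples it checks itself against are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a consumer has
# caught up with the provider by comparing contextCSN values. Host names are
# the post's; the LDIF samples below are constructed.

BASE="dc=example,dc=com"

# Print the contextCSN value(s) in ldapsearch LDIF output read on stdin,
# one per line and sorted, so two servers' sets can be compared as strings.
csn_from_ldif() {
    sed -n 's/^contextCSN: //p' | sort
}

# Query one server for contextCSN. It is an operational attribute, so it is
# only returned when asked for by name (or with "+", as the replica config does).
fetch_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$BASE" -s base contextCSN | csn_from_ldif
}

# Return 0 when both CSN sets are non-empty and identical (replica in sync).
# The emptiness check keeps a failed query from looking like a match.
in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample output in the layout that ldapsearch -LLL prints.
PROVIDER_LDIF='dn: dc=example,dc=com
contextCSN: 20100122110000Z#000000#00#000000'
CONSUMER_STALE_LDIF='dn: dc=example,dc=com
contextCSN: 20100122100000Z#000000#00#000000'

provider_csn=$(printf '%s\n' "$PROVIDER_LDIF" | csn_from_ldif)
stale_csn=$(printf '%s\n' "$CONSUMER_STALE_LDIF" | csn_from_ldif)
if in_sync "$provider_csn" "$stale_csn"; then
    echo "sample consumer is in sync"
else
    echo "sample consumer is behind: $stale_csn < $provider_csn"
fi

# Live check, e.g.: sh check_sync.sh address.example.com localhost
if [ $# -eq 2 ]; then
    if in_sync "$(fetch_csn "$1")" "$(fetch_csn "$2")"; then
        echo "$2 is in sync with $1"
    else
        echo "$2 is behind $1 (or contextCSN is not readable)"
        exit 1
    fi
fi
```

Run it from cron on each replica and alert when it exits non-zero; a consumer whose contextCSN stays behind the provider's for longer than the configured interval plus retry window has stopped replicating.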
