Need procedure to add openldap server in existing ldap setup


Hi Guys, I am a newbie to openldap.

My customer has an openldap server installed and configured for their environment.

Production Environment details - RHEL 5.2 with openldap server 2.4.19

1. I am planning to add RHEL 6.3 with openldap server 2.4.23 to the existing setup.

a. How to configure the new ldap server to import the necessary configuration and schema?

b. What precautions do I need to take to avoid issues with production?

2. After adding the new ldap server, I am planning to do N-Way Multimaster replication on RHEL 6 using OpenLDAP by following

https://access.redhat.com/site/solutions/273533

Will it work, or do I need to do something else?

Thanks in advance for your anticipation and prompt help.

Regards,

Santosh


Responses

Hey Santosh,


Still trying to track down some answers for you on this. Stay tuned.

Hi Santosh,

>a. How to configure new ldap server to import necesary configuration and schema ?

>b. What precautions I need to take to avoid issues with production?

To configure openldap server 2.4.23 on RHEL 6.3, please refer to the following article.

https://access.redhat.com/kb/docs/DOC-60150

openldap 2.4 supports the cn=config (on-the-fly) configuration method, and the link above shows how to do it. Besides, the old-style slapd.conf configuration method is still supported.

>2. After adding new ldap server I am planning to do N-Way Multimaster replication on RHEL6 using OpenLDAP by following

>https://access.redhat.com/site/solutions/273533

>Will it work or I need to do something else.

It will work if you follow the steps described in the article. If you want to tune openldap, there are some parameters that need to be reconfigured. If you just want to build up an N-Way Multimaster replication openldap server, the article above will be enough.

If you meet any problem when setting up the openldap server, please contact us by opening a support case.

Regards,

Shiyu Wang

Hi, thanks for the reply.

App does not allow copy-paste?

If you wish to copy/paste a large amount of text, right-click the text entry window and select "paste". You will see a pop-up box allowing you to paste text.

Hello

Thanks for your response on the discussion. I have used the same kbase article to migrate openldap from community 2.3 to the 2.4 shipped with Red Hat Enterprise Linux.

--> I am referring to the following section mentioned in the kb https://access.redhat.com/kb/docs/DOC-60150

--------------------------------------------------------
add config database details to the slapd.conf file before any database/backend definitions (this is not required if openldap-servers version is 2.4.23-16.el6 or above).

database config
rootdn   "cn=admin,cn=config"
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
--------------------------------------------------------

It mentions that the "database config" details are not required if we are using openldap-servers version 2.4.23-16 or above. However, I am using openldap-servers version 2.4.23-26.el6 and still needed to add database config in slapd.conf. Without it, cn=config didn't work.


--> With the community version of openldap I do not have to configure the userPassword parameter. But with 2.4.23-26.el6 I need to configure the following in slapd.conf and then convert it into slapd-config, i.e. slapd.d. Without adding these parameters, users were not able to change their password.

--------------------------------------------------------
# database access control definitions
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=admin,dc=example,dc=com" write
    by * read
--------------------------------------------------------

--> For replication, I think we need more clarification in the Kbase article, for example the IP addresses of all servers, and the steps should be in 1, 2, 3 format for each server so that sysadmins can understand the changes that happened in openldap 2.4.


Thanks for your time and response. I appreciate your help.


Thanks & regards, Santosh

>>However, I am using openldap-servers version 2.4.23-26.el6 and still needed to add database config in slapd.conf. Without it, cn=config didn't work.

The changes were made to the default slapd.conf (/usr/share/openldap-servers/slapd.conf.obsolete) shipped with the openldap-servers package.

>>With the community version of openldap I do not have to configure the userPassword parameter.

I'm not sure about the default ACL present in the community version of openldap, but the default behavior is clearly mentioned in the man pages, and write permission to an entry requires additional ACLs. From man slapd.access: If no access controls are present, the default policy allows anyone and everyone to read anything but restricts updates to rootdn (e.g., "access to * by * read").
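The userPassword ACL Santosh posted above and the slapd.access default quoted in this reply can be checked against each other without a running slapd. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of slapd's ACL evaluation (first matching "access to" clause, then first matching "by" clause, implicit "by * none", the built-in "access to * by * read" when no ACLs exist, and the rootdn bypass). The DNs uid=alice and uid=bob and the rootdn cn=admin,dc=example,dc=com are assumed, and only the "*" and "attrs=" selectors are modelled.

```python
import re

# OpenLDAP access levels, weakest to strongest (man slapd.access)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The ACL from the post above, in slapd.conf syntax
PAGE_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=admin,dc=example,dc=com" write
    by * read
"""

def parse_acl(text):
    # -> [(what, [(who, level), ...]), ...] in file order; continuation lines are joined
    body = " ".join(line.split("#", 1)[0].strip() for line in text.splitlines())
    rules = []
    for chunk in re.split(r"\baccess\s+to\s+", body)[1:]:
        what, *clauses = re.split(r"\s+by\s+", chunk.strip())
        rules.append((what, [tuple(c.split()[:2]) for c in clauses]))
    return rules

def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.(?:base|exact))?="?([^"]+)"?', who)
    return bool(m) and requester is not None and requester.lower() == m.group(1).lower()

def access_granted(rules, requester, target_dn, attr, wanted, rootdn="cn=admin,dc=example,dc=com"):
    # requester is the bind DN, or None for an anonymous connection (rootdn is an assumed value)
    if requester is not None and requester.lower() == rootdn.lower():
        return True  # rootdn is never subject to ACLs
    if not rules:  # no ACLs at all: slapd's built-in 'access to * by * read'
        return LEVELS.index(wanted) <= LEVELS.index("read")
    for what, clauses in rules:  # first matching <what>, then first matching <who>
        if what != "*" and attr.lower() not in what.removeprefix("attrs=").lower().split(","):
            continue  # only '*' and 'attrs=' selectors are modelled here
        for who, level in clauses:
            if who_matches(who, requester, target_dn):
                return LEVELS.index(wanted) <= LEVELS.index(level)
        return False  # no <who> matched: implicit 'by * none'
    return False  # non-empty ACL with nothing matching: implicit 'access to * by * none'
```

With no ACLs at all, the model reproduces the observation in the thread that a user cannot write their own userPassword, and shows the other side of that default policy: any bind, anonymous ones included, can read the stored password hashes, which is exactly what the posted "by anonymous auth / by * none" clauses close off.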