
Symas How-To Guide

Step 2: OpenLDAP HA Installation


Step 2: Configuring Apache Fortress-OpenLDAP for High Availability


Prereqs tailored for REDHAT

  • Apache Fortress-OpenLDAP Virtual IP Setup complete
  • Two time-synched machines.
  • 1 Core, 1 GB RAM, 20 GB HD (minimum)
  • root access (or a dedicated user with sudo access)
  • Recent version of OpenLDAP client and server installed
  • Installed rsyslog

Introduction

This document describes the preparation of two OpenLDAP server instances, each running on separate machines, into a multi-master configuration, suited for Apache Fortress.

Directory Information Tree (DIT) Layout

A DIT is a hierarchical structure that organizes its data under separate categories. If you are new to LDAP, it helps to think of a DIT as a volume of files on a typical computer system. Each of the ou's under the suffix represents a category of data, much like folders in a file manager. The data nodes themselves reside below their parents and are stored using keys such as uid and cn (depending on the type). This DIT recommendation supports Apache Fortress requirements, and its data replicates between both masters.

OpenLDAP Server Setup

To be performed on each machine.

1. Download and extract the config package: fortress-openldap-ha-config-v3. It contains three files referenced below:
  • slapd.conf - OpenLDAP's configuration file
  • bootstrap.ldif - Seeds the OpenLDAP directory structure and data.
  • fortress.schema - Contains object definitions to store RBAC policies in OpenLDAP.

Run these steps as root.

2. Navigate to the config folder and copy these files from the config package:

$ cp fortress.schema $OPENLDAP_HOME/etc/openldap/schema
$ cp slapd.conf $OPENLDAP_HOME/etc/openldap

Where OPENLDAP_HOME matches the machine's installation location, e.g. /opt/symas

3. Edit the slapd.conf file and make the following modifications:

a. Set serverid on the first line, which must be unique across all the servers.

# Server Number 1
serverid 1
b. In each syncrepl section, replace "servernameXX" with your server name. A host name or IP address can be used:

provider=ldap://servername01
provider=ldap://servername02

c. Verify the credentials password in each syncrepl section:

credentials=myslapdserverpw

d. Verify the rootpw in the default database section AND in the log database section:

rootpw myrootpw
e. Save the slapd.conf file.

4. Create two folders:

$ mkdir $DB_HOME/openldap-data/dflt
$ mkdir $DB_HOME/openldap-data/accesslog

Where DB_HOME matches the local machine's OpenLDAP data home. This is specified in the slapd configuration. For example, the default DB:
#-----------------------------------------------------------------------
# Default LMDB database definitions
#-----------------------------------------------------------------------
database        mdb

...

directory       "/var/symas/openldap-data/dflt"
and, accesslog DB:
#-----------------------------------------------------------------------
# AccessLog database
#-----------------------------------------------------------------------
database     mdb

...

directory    /var/symas/openldap-data/accesslog
5. Test the configuration:
$ slaptest -f $OPENLDAP_HOME/etc/openldap/slapd.conf -u
6. Import data using the supplied .ldif file.
a. Test the import with -u option:
$ slapadd -v -u -c -f $OPENLDAP_HOME/etc/openldap/slapd.conf -l bootstrap.ldif
b. Perform the import:
$ slapadd -v -c -f $OPENLDAP_HOME/etc/openldap/slapd.conf -l bootstrap.ldif
7. Create a user for the slapd process.
$ adduser openldap
8. Create the slapd log file, then change the owner of slapd's files from root to the new openldap user.
$ touch /var/log/openldap.log

$ chown openldap.openldap -R $OPENLDAP_HOME /var/log/openldap.log $DB_HOME
9. Configure the slapd logger under rsyslog.
a. Edit the rsyslog conf file:
$ vi /etc/rsyslog.conf
b. Add the following to the file:

local4.* /var/log/openldap.log
c. Restart the rsyslog daemon:

$ service rsyslog restart
10. Start the server under the openldap user.

Server 2 Specific Instructions

1. Extract the data from Server 1.
$ slapcat -b "dc=example,dc=com" -f $OPENLDAP_HOME/etc/openldap/slapd.conf -l output.ldif
2. Copy the Server 1 slapd.conf and output.ldif files over to Server 2.
3. Make the following mods to Server 2's slapd.conf:
a. Set serverid on the first line, which must be unique across all the servers.

# Replica Server
serverid 2

Everything else should remain the same in the slapd.conf file on the second server.
b. Replace Server 2's slapd.conf with this new file.
4. Run the steps under OpenLDAP Server Setup again, on the second machine. Be sure to use the extracted ldif, output.ldif, in place of bootstrap.ldif on the import step.
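The edits in step 3 (a-d) on each server, and the unique serverid on server 2, are easy to get half-done. The following is an added example, not part of the Symas guide or its config package: a pre-flight lint that checks an edited slapd.conf for the items the guide asks you to verify. The directive names (serverid, provider=, credentials=, rootpw) are OpenLDAP's own; the placeholder values it looks for (servernameXX, myslapdserverpw, myrootpw) are the ones shown in the guide. The sample config fragments it creates under a temporary directory are constructed for illustration, and the {SSHA} value is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not from the Symas guide): lint an edited slapd.conf for the
# placeholder values the guide tells you to replace, and check that the two
# masters do not share a serverid.

# count_directive FILE DIRECTIVE: number of lines starting with DIRECTIVE
# (slapd.conf directives start in column 1, so comments are not counted).
count_directive() {
    grep -c "^$2[[:space:]]" "$1" || true
}

# lint_slapd_conf FILE: print one finding per line; exit 0 only when clean.
lint_slapd_conf() {
    f=$1
    rc=0
    n=$(count_directive "$f" serverid)
    if [ "$n" -ne 1 ]; then
        echo "serverid: expected exactly one directive, found $n"; rc=1
    fi
    # step 3b: provider lines still carrying the package's servernameXX placeholder
    if grep -q 'provider=ldap://servername[0-9][0-9]' "$f"; then
        echo "syncrepl: provider still points at a servernameXX placeholder"; rc=1
    fi
    # step 3c: replication credentials left at the package default
    if grep -q 'credentials=myslapdserverpw' "$f"; then
        echo "syncrepl: credentials still set to the package default"; rc=1
    fi
    # step 3d: rootpw must be set in both the default and the accesslog database
    n=$(count_directive "$f" rootpw)
    if [ "$n" -ne 2 ]; then
        echo "rootpw: expected in default and accesslog databases, found $n"; rc=1
    fi
    if grep -q '^rootpw[[:space:]]*myrootpw' "$f"; then
        echo "rootpw: still the package default"; rc=1
    fi
    # a rootpw that does not start with '{' is cleartext; slapd also accepts
    # the {SSHA} hash that slappasswd generates
    if grep '^rootpw[[:space:]]' "$f" | grep -qv '^rootpw[[:space:]]*{'; then
        echo "rootpw: stored in cleartext, use a slappasswd hash"; rc=1
    fi
    return $rc
}

# serverids_differ FILE1 FILE2: the two masters must not share a serverid.
serverids_differ() {
    a=$(sed -n 's/^serverid[[:space:]]*//p' "$1")
    b=$(sed -n 's/^serverid[[:space:]]*//p' "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Constructed sample fragments (not the package's real slapd.conf).
SAMPLE_DIR=$(mktemp -d)

# As shipped: every placeholder still in place.
cat > "$SAMPLE_DIR/untouched.conf" <<'EOF'
serverid 1
database mdb
rootpw myrootpw
syncrepl rid=001
    provider=ldap://servername01
    credentials=myslapdserverpw
syncrepl rid=002
    provider=ldap://servername02
    credentials=myslapdserverpw
database mdb
rootpw myrootpw
EOF

# After editing: real hosts, a replication password, hashed rootpw in both
# databases ({SSHA} value is a placeholder, not a real hash).
cat > "$SAMPLE_DIR/server1.conf" <<'EOF'
serverid 1
database mdb
rootpw {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
syncrepl rid=001
    provider=ldap://fortress1
    credentials=REPLACE-WITH-REPLICATION-PASSWORD
syncrepl rid=002
    provider=ldap://fortress2
    credentials=REPLACE-WITH-REPLICATION-PASSWORD
database mdb
rootpw {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
EOF
# Server 2's copy differs only in its serverid, as the guide describes.
sed 's/^serverid 1/serverid 2/' "$SAMPLE_DIR/server1.conf" > "$SAMPLE_DIR/server2.conf"

echo "untouched.conf:"; lint_slapd_conf "$SAMPLE_DIR/untouched.conf" || true
echo "server1.conf:";   lint_slapd_conf "$SAMPLE_DIR/server1.conf" && echo "clean"
serverids_differ "$SAMPLE_DIR/server1.conf" "$SAMPLE_DIR/server2.conf" && echo "serverids differ"
```

Run `lint_slapd_conf` against the real file on each server before `slaptest` in step 5; `slaptest` only checks syntax and will happily accept a config that still replicates against `servername01` with the package password.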

Verify

1. Check that the slapd process is running as the openldap user:

ps -ef | grep slapd
2. Tail the log:

tail -f -n10000 /var/log/openldap.log
3. Connect and browse with Apache Directory Studio.
4. Add test data, verify it replicates.
5. Examine the Context CSN node on LDAP server #1:

ldapsearch -x -LLL -H ldap://fortress1 -D "cn=Manager,dc=example,dc=com" -w secret -s base -b 'dc=example,dc=com' contextCSN

dn: dc=example,dc=com
contextCSN: 20181123194724.769203Z#000000#001#000000
contextCSN: 20181123194743.991925Z#000000#002#000000

Where fortress1 is the hostname or IP address of the first instance.
6. Examine the Context CSN node on LDAP server #2:

ldapsearch -x -LLL -H ldap://fortress2 -D "cn=Manager,dc=example,dc=com" -w secret -s base -b 'dc=example,dc=com' contextCSN

dn: dc=example,dc=com
contextCSN: 20181123194724.769203Z#000000#001#000000
contextCSN: 20181123194743.991925Z#000000#002#000000

Where fortress2 is the hostname or IP address of the second instance.
7. Compare the two. Each server reports one contextCSN per serverid; when replication is caught up, both servers show identical values.
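Steps 5 through 7 compare the contextCSN values by eye. The following is an added example, not part of the Symas guide: a small script that extracts the contextCSN values from the two ldapsearch outputs, decides whether the masters agree, and, when they do not, reports per serverid which side is behind. The `fetch_csn` function is the guide's ldapsearch command with the bind password taken from an environment variable instead of the command line; the host names, bind DN and the LDIF samples written to a temporary directory are constructed for illustration (the lagging timestamp on server 2 is made up).

```shell
#!/bin/sh
# Added example (not from the Symas guide): compare contextCSN between the two
# multi-master instances instead of reading the two outputs side by side.

# fetch_csn HOST FILE: the guide's query, saved to FILE.  The bind password is
# read from LDAP_PW rather than passed with -w on the command line, where
# 'ps' would show it to every local user.
fetch_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -D "cn=Manager,dc=example,dc=com" \
        -w "$LDAP_PW" -s base -b 'dc=example,dc=com' contextCSN > "$2"
}

# extract_csn FILE: only the contextCSN values, sorted so that the order in
# which the server lists the attribute values does not matter.
extract_csn() {
    sed -n 's/^contextCSN: //p' "$1" | sort
}

# csn_in_sync FILE1 FILE2: succeed when both servers report the same set of
# contextCSN values (one per serverid).
csn_in_sync() {
    [ "$(extract_csn "$1")" = "$(extract_csn "$2")" ]
}

# csn_report FILE1 FILE2: per serverid, say which side is behind.  A CSN is
# timestamp#count#sid#mod; for the same sid the timestamps are fixed-width,
# so the lexically smaller one is the older one.
csn_report() {
    {
        sed -n 's/^contextCSN: /1 /p' "$1"
        sed -n 's/^contextCSN: /2 /p' "$2"
    } | awk -F'[ #]' '
        { ts[$1, $4] = $2; sids[$4] = 1 }
        END {
            for (s in sids) {
                a = ts["1", s]; b = ts["2", s]
                if (a == "")      state = "missing-on-server1"
                else if (b == "") state = "missing-on-server2"
                else if (a == b)  state = "in-sync"
                else if (a < b)   state = "server1-behind"
                else              state = "server2-behind"
                print "sid " s " " state
            }
        }' | sort
}

# compare_live HOST1 HOST2: query both masters (needs LDAP_PW set) and report.
compare_live() {
    d=$(mktemp -d)
    fetch_csn "$1" "$d/1.ldif" && fetch_csn "$2" "$d/2.ldif" || return 1
    csn_report "$d/1.ldif" "$d/2.ldif"
}

# Constructed ldapsearch output.  server1 matches the guide; server2 lists the
# same values in a different order; server2_lagging has an older CSN for
# serverid 002, i.e. it has not yet received the latest change made on server 2.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server1.ldif" <<'EOF'
dn: dc=example,dc=com
contextCSN: 20181123194724.769203Z#000000#001#000000
contextCSN: 20181123194743.991925Z#000000#002#000000
EOF
cat > "$SAMPLE_DIR/server2.ldif" <<'EOF'
dn: dc=example,dc=com
contextCSN: 20181123194743.991925Z#000000#002#000000
contextCSN: 20181123194724.769203Z#000000#001#000000
EOF
cat > "$SAMPLE_DIR/server2_lagging.ldif" <<'EOF'
dn: dc=example,dc=com
contextCSN: 20181123194724.769203Z#000000#001#000000
contextCSN: 20181123194731.112233Z#000000#002#000000
EOF

csn_in_sync "$SAMPLE_DIR/server1.ldif" "$SAMPLE_DIR/server2.ldif" && echo "server1/server2: in sync"
csn_report "$SAMPLE_DIR/server1.ldif" "$SAMPLE_DIR/server2_lagging.ldif"
```

Against live servers, `LDAP_PW=... compare_live fortress1 fortress2` replaces steps 5 and 6; a serverid that stays `server2-behind` across several runs, rather than catching up within seconds, is the signal to go back to the syncrepl provider and credentials settings in step 3.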
Developed by: Emmanuel Lécharny
