Differences

docpublic:systemes:ldap:ldapc8reppartiel [2020/02/11 21:19]
procacci@tem-tsp.eu created
docpublic:systemes:ldap:ldapc8reppartiel [2020/02/15 07:46] (current)
procacci@tem-tsp.eu [acl]
Line 1: Line 1:
 +===== replica ====
 +
 +=== ref ===
 +
 +  * https://blog.debugo.fr/openldap-replication/
 +  * https://ltb-project.org/documentation/nagios-plugins/check_ldap_syncrepl_status
 +  * https://www.vincentliefooghe.net/content/openldap-surveiller-et-contr%C3%B4ler-la-r%C3%A9plication
 +  * https://pratapsatve.wordpress.com/2017/11/11/replication-of-the-openldap-server/
 +  * https://linux.die.net/man/5/slapd.conf => syncrepl parameters
 +  * https://stackoverflow.com/questions/45161477/how-to-remove-all-records-from-ldap
 +
 ===== package ltb-project ===== ===== package ltb-project =====
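Review bot: the heading markers on the new lines are unbalanced: `===== replica ====` has five `=` on the left and four on the right, while the existing `===== package ltb-project =====` below is balanced; make the pair match (`===== replica =====`) so the section level is unambiguous and the page outline stays consistent. The reference list itself is fine, though a short note on what each link covers (the slapd.conf entry already has one, `=> syncrepl parameters`) would help readers pick the right source.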
  
Line 21: Line 32:
 chown -R ldap:ldap /usr/local/openldap/var/openldap-data chown -R ldap:ldap /usr/local/openldap/var/openldap-data
 systemctl start slapd systemctl start slapd
 +</code>
 +
 +===== ACL ldap master ====
 +
 +sur le master ldap il faut disposer d'un compte de replication qui a le droit en lecture sur toutes les arborecences et attributs necessaires a notre replica
 +
 +notament sur l'attribut userpassword , il faut que notre de compte de replication (ici cn=rep...) puis à la fois s'authentifier (self bind) pour lancer syncrepl , mais aussi lire l'attribut userpassword des autres utilisateurs (dans la cadre d'un replica replicant aussi cet attribut !) , donc un acces read pour ceux-ci, d'où l'usage de la directive "continue" 
 +
 +<code>
 +#JP acl
 +# continue pour que repint puisse lire dans la replication son propre pass et pas seulement faire du auth 
 +# cf https://www.vincentliefooghe.net/content/les-acl-dans-openldap
 +# finalement pas utile car pour etre self il faut d'abord etre authentifié ! 
 +access to attrs=userPassword
 +        by self                                     auth continue
 +        by anonymous                                auth
 +        by dn="cn=rep,ou=dsa,dc=int,dc=fr"          read
 +        by * none
 +        
 +#Voir le root DSE + base DN , cf http://www.openldap.org/lists/openldap-technical/201203/msg00132.html
 +access to dn.subtree="dc=int,dc=fr" attrs=entry,objectclass,contextCSN
 +        by dn="cn=rep,ou=dsa,dc=int,dc=fr"     read
 +        by *                                        read
 +...
 +      
 </code> </code>
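Review bot: the `userPassword` rule grants `by dn="cn=rep,ou=dsa,dc=int,dc=fr" read`, so the replication account can read every user's password hash on the master, yet the text only justifies this for a replica that itself replicates that attribute, and the partial replica configured later in this revision syncs `attrs="uid,cn,sn,ou,departmentNumber,telephoneNumber,mail"` without `userPassword`; for that use case the grant can be reduced to `auth` (least privilege), keeping `read` for a full replica only. Separately, `by self auth continue` is kept while the comment above it (`# finalement pas utile ...`) says the `continue` turned out to be unnecessary because matching `self` already requires an authenticated bind; drop either the keyword or the comment so the ACL and its documentation agree. The heading `===== ACL ldap master ====` also has unbalanced `=` markers.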
  
Line 84: Line 120:
 </code> </code>
  
 +
 +==== acl ===
 +
 +sur ce replica partiel (pages blanches) , ACL assez simples
 +
 +<code>
 +[root@ldapex openldap]# cat slapd.acl.conf
 +# attribut userpassword, utile ici uniquement pour le compte DSA cn=rep
 +access to attrs=userPassword
 +        by anonymous                                            auth
 +        by dn="cn=rep,ou=dsa,dc=int,dc=fr"          read
 +        by * none
 +
 +#Voir le root DSE + base DN , cf http://www.openldap.org/lists/openldap-technical/201203/msg00132.html
 +access to dn.subtree="dc=int,dc=fr"  attrs=entry,contextCSN,objectclass,mail,title,sn,cn,givenName,uid,telephoneNumber,ou,departmentNumber,employeeType,businessCategory
 +        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 +        by users read
 +        by anonymous none
 +        by * none
 +
 +access to *
 +    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 +    by self read
 +    by dn="cn=rep,ou=dsa,dc=int,dc=fr"          read
 +    by * none
 +</code>
 +
 +
 +===== syncrepl partiel =====
 +
 +enfin la configuration de replication partielle a base de syncrepl , on ne replique que la branche ou=people et seulement certains attributs "pages blanches" . Cela necessite de mettre le schemacheck a Off autrement on aurait des erreurs de validation sur les attributs "Must" des objectclass concernées. 
 +
 +<code>
 +[root@ldapex openldap]# cat slapd.sync.conf
 +syncrepl rid=001
 + provider=ldaps://master.int.eu
 + type=refreshAndPersist
 + searchbase="ou=people,dc=int,dc=fr"
 + filter="(objectClass=organizationalPerson)"
 + attrs="uid,cn,sn,ou,departmentNumber,telephoneNumber,mail"
 + scope=sub
 + schemachecking=off
 + bindmethod=simple
 + retry="60 10 300 +"
 +                keepalive="240:10:30"
 + binddn="cn=rep,ou=dsa,dc=int,dc=fr"
 +        credentials="secretreplica"
 +updateref       ldaps://master.int.eu:636
 +</code>
 +
 +la liste des parametres syncrepl est dans le man slapd.conf
 +
 +<code>
 +    https://linux.die.net/man/5/slapd.conf
 +    
 +syncrepl rid=<replica ID> provider=ldap[s]://<hostname>[:port] searchbase=<base DN> [type=refreshOnly|refreshAndPersist] 
 +[interval=dd:hh:mm:ss] [retry=[<retry interval> <# of retries>]+] [filter=<filter str>] [scope=sub|one|base|subord] 
 +[attrs=<attr list>] [attrsonly] [sizelimit=<limit>] [timelimit=<limit>] [schemachecking=on|off] [network-timeout=<seconds>
 +[timeout=<seconds>] [bindmethod=simple|sasl] [binddn=<dn>] [saslmech=<mech>] [authcid=<identity>] [authzid=<identity>
 +[credentials=<passwd>] [realm=<realm>] [secprops=<properties>] [keepalive=<idle>:<probes>:<interval>] [starttls=yes|critical] 
 +[tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>] [tls_cacertdir=<path>] [tls_reqcert=never|allow|try|demand] 
 +[tls_ciphersuite=<ciphers>] [tls_crlcheck=none|peer|all] [logbase=<base DN>] [logfilter=<filter str>
 +[syncdata=default|accesslog|changelog] 
 +</code>
 +
 +===== rebuild script =====
 +Script qui permet de reconstruire completement le replica partiel , en 2 temps:
 +  - avec injection de l'arborescence de base (dc=int,dc=fr et le compte de requettage dans ou=dsa) 
 +  - puis relance avec syncrepl pour recuperer toutes les entrées ou=people depuis le master .
 +
 +
 +<code>
 +[root@ldapex openldap]# cat RebuildAllRep.sh 
 +## 1st pass from delete all current database and init a fresh one 
 +#stop slapd service
 +systemctl stop slapd
 +#delete all databases
 +rm -f /usr/local/openldap/var/openldap-data/*.mdb
 +#delete all OLC config
 +cd /usr/local/openldap/etc/openldap/slapd.d
 +rm -rf *
 +cd ..
 +#rebuild slpad.d OLC config from slapd-nosync.conf (copy of slapd.conf but without syncrep config)
 +#because of updateref incompatibility  with inital load of local root tree and dsa accounts
 +/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd-nosync.conf -F /usr/local/openldap/etc/openldap/slapd.d
 +#reset ldap acces to subtree slapd.d
 +chown -R ldap:ldap /usr/local/openldap/etc/openldap/slapd.d
 +#reset ldap acces to subtree databases directory
 +chown -R ldap:ldap /usr/local/openldap/var/openldap-data
 +#restart slapd service
 +systemctl start slapd
 +#insert root tree and local dsa account from ldif with ldapi (local soket connect) 
 +/usr/local/openldap/bin/ldapadd -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -Y EXTERNAL  -f /root/Ldifs/dc-int-ldapex.ldif -c
 +#pause 1s with sleep 1
 +sleep 1
 +###################################################################################
 +## 2nd pass to introduce syncrepl and build all sync data from master
 +#stop slapd service again this time to reload config with syncrepl enabled
 +systemctl stop slapd
 +#delete all OLC config
 +cd /usr/local/openldap/etc/openldap/slapd.d
 +rm -rf *
 +cd ..
 +#rebuild slpad.d OLC config from slapd.conf (containing the syncrepl included) 
 +/usr/local/openldap/sbin/slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d
 +#reset ldap acces to subtree slapd.d
 +chown -R ldap:ldap /usr/local/openldap/etc/openldap/slapd.d
 +#reset ldap acces to subtree databases directory
 +chown -R ldap:ldap /usr/local/openldap/var/openldap-data
 +#restart slapd service
 +systemctl start slapd
 +</code>
  
  
  
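Review bot: in `RebuildAllRep.sh` both `rm -rf *` lines run unconditionally after `cd /usr/local/openldap/etc/openldap/slapd.d`; if that `cd` fails (directory missing, typo, permission problem) the wildcard delete executes in whatever directory the script was started from, so write `cd /usr/local/openldap/etc/openldap/slapd.d && rm -rf *`, or better `rm -rf /usr/local/openldap/etc/openldap/slapd.d/*`, and start the script with a shebang and `set -e` (the `cat` output shows neither), since every later step (`slaptest`, `ldapadd`, `systemctl start slapd`) assumes the previous one succeeded. `ldapadd ... -c` continues past entry errors, so a failed import of the base tree or of the `cn=rep` DSA account is silently followed by the second pass; check its exit status or drop `-c`. `slapd.sync.conf` carries the replication password in clear text (`credentials="secretreplica"`), so the page should state the ownership and mode expected for that file and for the generated `slapd.d` tree, which the script resets with `chown -R ldap:ldap` but never restricts with `chmod`. Minor: the heading `==== acl ===` is unbalanced and the URL inside the man-page `<code>` block is indented as if it were part of the syntax.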
docpublic/systemes/ldap/ldapc8reppartiel.1581455954.txt.gz · Last modified: 2020/02/11 21:19 by procacci@tem-tsp.eu
CC Attribution-Noncommercial-Share Alike 4.0 International