====== Multi Master ======
==== ldap-master-01 ====
Instalando os pacotes necessário:
<code bash>
yum install openldap openldap-clients openldap-servers -y
</code>

Usando o DB de exemplo:
<code bash>
install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
</code>
Iniciando o OpenLDAP:
<code bash>
systemctl start slapd
systemctl enable slapd
</code>
Adicionando schemas:
<code bash>
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
</code>
Modificando o /etc/openldap/ldap.conf:
<code>
BASE    dc=exemplo,dc=org
URI     ldap://ldap-master-01.exemplo.org
</code>
Gerar senha para gerenciamento do OpenLDAP:
<code bash>
# slappasswd
New password: 
Re-enter new password: 
{SSHA}5uvIrHMqDy8GWdThP87DQX/fCx6bqnY3
</code>
Exportando as variáveis a serem usadas nos próximos passos: 
<code bash>
export MYHASH="{SSHA}5uvIrHMqDy8GWdThP87DQX/fCx6bqnY3"
export MYDOMAIN=exemplo
export MYTLD=org
export FQDN="ldap-master-01.exemplo.org"
</code>

**Modificando o olcDatabase={0}config:**
<code bash>
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to * 
       by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage
       by * none
EOF
</code>

**Modificando o olcDatabase={1}monitor:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
       by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read
       by * none
EOF
</code>

**Modificando o olcDatabase={2}hdb:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
</code>

**Modificando os index:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
-
EOF
</code>

**Modificando as ACLs:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by self =xw
       by anonymous auth
       by * none
olcAccess: {1}to *
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by self read
       by users read
       by * none
EOF
</code>

**Estrutura:**
<code bash>
ldapadd -H ldap://${FQDN} -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" <<EOF
dn: dc=${MYDOMAIN},dc=${MYTLD}
dc: ${MYDOMAIN}
objectClass: top
objectClass: domain

dn: ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
ou: Grupos
objectClass: top
objectClass: organizationalUnit
EOF
</code>

==== Replicação ====
<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: ${MYHASH}
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
       by self =xw
       by anonymous auth
       by * none
olcAccess: {1}to *
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
       by self read
       by users read
       by * none
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
</code>

<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap-master-01.exemplo.org
olcServerID: 2 ldap://ldap-master-02.exemplo.org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001  
 provider="ldap://ldap-master-01.exemplo.org" 
 binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" 
 bindmethod=simple 
 schemachecking=on 
 credentials="martins58" 
 searchbase="dc=${MYDOMAIN},dc=${MYTLD}" 
 type=refreshAndPersist 
 retry="5 5 300 5" 
 interval=00:00:05:00 
 timeout=1 
olcSyncRepl: rid=002 
 provider="ldap://ldap-master-02.exemplo.org" 
 binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}"  
 bindmethod=simple 
 schemachecking=on 
 credentials="martins58" 
 searchbase="dc=${MYDOMAIN},dc=${MYTLD}" 
 type=refreshAndPersist 
 retry="5 5 300 5" 
 interval=00:00:05:00 
 timeout=1 
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: uid=bob,ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: bob
uid: bob
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/bob
loginShell: /bin/bash
gecos: Bob
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
</code>

<code bash>
ldappasswd -H ldap://${FQDN} -S -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" "uid=bob,ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}"
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=admins,ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: top
objectClass: posixGroup
gidNumber: 3000
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=admins,ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
changetype: modify
add: memberuid
memberuid: bob
EOF
</code>

<code bash>
ldapsearch -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W -LLL
</code>

==== ldap-master-02 ====
Instalando os pacotes necessário:
<code bash>
yum install openldap openldap-clients openldap-servers -y
</code>

Usando o DB de exemplo:
<code bash>
install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
</code>
Iniciando o OpenLDAP:
<code bash>
systemctl start slapd
systemctl enable slapd
</code>

Adicionando schemas:
<code bash>
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
</code>

Modificando o /etc/openldap/ldap.conf:
<code>
BASE    dc=exemplo,dc=org
URI     ldap://ldap-master-02.exemplo.org
</code>

Gerar senha para gerenciamento do OpenLDAP:
<code bash>
# slappasswd
New password: 
Re-enter new password: 
{SSHA}XRWCc3CX14eFVCSpLmddc7vQ/3QKMfmz
</code>

Exportando as variáveis a serem usadas nos próximos passos: 
<code bash>
export MYHASH="{SSHA}XRWCc3CX14eFVCSpLmddc7vQ/3QKMfmz"
export MYDOMAIN=exemplo
export MYTLD=org
export FQDN="ldap-master-02.exemplo.org"
</code>


**Modificando o olcDatabase={0}config:**
<code bash>
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: ${MYHASH}
-
replace: olcAccess
olcAccess: {0}to * 
       by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage
       by * none
EOF
</code>

**Modificando o olcDatabase={1}monitor:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
       by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read
       by * none
EOF
</code>

**Modificando o olcDatabase={2}hdb:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=${MYDOMAIN},dc=${MYTLD}
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}
-
add: olcRootPW
olcRootPW: ${MYHASH}
EOF
</code>

**Modificando os index:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid,memberUid,gidNumber eq
-
EOF
</code>

**Modificando as ACLs:**
<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by self =xw
       by anonymous auth
       by * none
olcAccess: {1}to *
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by self read
       by users read
       by * none
EOF
</code>

**Estrutura:**
<code bash>
ldapadd -H ldap://${FQDN} -x -W -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" <<EOF
dn: dc=${MYDOMAIN},dc=${MYTLD}
dc: ${MYDOMAIN}
objectClass: top
objectClass: domain

dn: ou=Usuarios,dc=${MYDOMAIN},dc=${MYTLD}
ou: Usuarios
objectClass: top
objectClass: organizationalUnit

dn: ou=Grupos,dc=${MYDOMAIN},dc=${MYTLD}
ou: Grupos
objectClass: top
objectClass: organizationalUnit
EOF
</code>

==== Replicação ====
<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: ${MYHASH}
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
       by self =xw
       by anonymous auth
       by * none
olcAccess: {1}to *
       by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write
       by dn.exact="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" read
       by self read
       by users read
       by * none
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
EOF
</code>

<code bash>
ldapadd -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
</code>

<code bash>
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap-master-01.exemplo.org
olcServerID: 2 ldap://ldap-master-02.exemplo.org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001  
 provider="ldap://ldap-master-01.exemplo.org" 
 binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}" 
 bindmethod=simple 
 schemachecking=on 
 credentials="martins58" 
 searchbase="dc=${MYDOMAIN},dc=${MYTLD}" 
 type=refreshAndPersist 
 retry="5 5 300 5" 
 interval=00:00:05:00 
 timeout=1 
olcSyncRepl: rid=002 
 provider="ldap://ldap-master-02.exemplo.org" 
 binddn="cn=replicator,dc=${MYDOMAIN},dc=${MYTLD}"  
 bindmethod=simple 
 schemachecking=on 
 credentials="martins58" 
 searchbase="dc=${MYDOMAIN},dc=${MYTLD}" 
 type=refreshAndPersist 
 retry="5 5 300 5" 
 interval=00:00:05:00 
 timeout=1 
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
</code>

<code bash>
ldapsearch -H ldap://${FQDN} -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W -LLL
</code>