====== Replicação Master/Master ======
Usuário responsável pela replicação:
[root@ldapmatriz01 ldifs]# cat replicator_user.ldif
dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
[root@ldapmatriz02 ldifs]# cat replicator_user.ldif
dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword: {SSHA}TeBX8HlxLzjEIBaeoxvMmMt7ExutUcAP
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f replicator_user.ldif
[root@ldapmatriz02 ldifs]# ldapadd -H ldap://ldapmatriz02.example.com -x -D cn=Manager,dc=example,dc=com -W -f replicator_user.ldif
ACL para que o usuário replicator possa ler os atributos userPassword e shadowLastChange, necessários para a replicação.
[root@ldapmatriz01 ldifs]# cat replicator_acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
by dn.exact="cn=Manager,dc=example,dc=com" write
by dn.exact="cn=replicator,dc=example,dc=com" read
by self =xw
by anonymous auth
by * none
olcAccess: {1}to *
by dn.exact="cn=Manager,dc=example,dc=com" write
by dn.exact="cn=replicator,dc=example,dc=com" read
by self read
by users read
by * none
[root@ldapmatriz02 ldifs]# cat replicator_acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
by dn.exact="cn=Manager,dc=example,dc=com" write
by dn.exact="cn=replicator,dc=example,dc=com" read
by self =xw
by anonymous auth
by * none
olcAccess: {1}to *
by dn.exact="cn=Manager,dc=example,dc=com" write
by dn.exact="cn=replicator,dc=example,dc=com" read
by self read
by users read
by * none
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f replicator_acl.ldif
[root@ldapmatriz02 ldifs]# ldapadd -H ldap://ldapmatriz02.example.com -x -D cn=Manager,dc=example,dc=com -W -f replicator_acl.ldif
Módulo syncprov:
[root@ldapmatriz01 ldifs]# cat syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov
[root@ldapmatriz02 ldifs]# cat syncprov_mod.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f syncprov_mod.ldif
[root@ldapmatriz02 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f syncprov_mod.ldif
[root@ldapmatriz01 ldifs]# cat syncprov_overlay.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
[root@ldapmatriz02 ldifs]# cat syncprov_overlay.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f syncprov_overlay.ldif
[root@ldapmatriz02 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f syncprov_overlay.ldif
Configuração dos servidores envolvidos na replicação. Observação: a senha do usuário replicator fica em texto claro no atributo olcSyncRepl (credentials=...) dentro de cn=config, e as conexões abaixo usam ldap:// sem TLS (os logs mostram ssf=0); em produção, restrinja a leitura de cn=config ao administrador e prefira ldaps:// ou StartTLS nas URLs dos provedores.
[root@ldapmatriz01 ldifs]# cat ldap_master_master.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldapmatriz01.example.com
olcServerID: 2 ldap://ldapmatriz02.example.com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider="ldap://ldapmatriz01.example.com" binddn="cn=replicator,dc=example,dc=com" bindmethod=simple schemachecking=on credentials="martins58" searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5" interval=00:00:05:00 timeout=1
olcSyncRepl: rid=002 provider="ldap://ldapmatriz02.example.com" binddn="cn=replicator,dc=example,dc=com" bindmethod=simple schemachecking=on credentials="martins58" searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5" interval=00:00:05:00 timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
[root@ldapmatriz02 ldifs]# cat ldap_master_master.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldapmatriz01.example.com
olcServerID: 2 ldap://ldapmatriz02.example.com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider="ldap://ldapmatriz01.example.com" binddn="cn=replicator,dc=example,dc=com" bindmethod=simple schemachecking=on credentials="martins58" searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5" interval=00:00:05:00 timeout=1
olcSyncRepl: rid=002 provider="ldap://ldapmatriz02.example.com" binddn="cn=replicator,dc=example,dc=com" bindmethod=simple schemachecking=on credentials="martins58" searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5" interval=00:00:05:00 timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz02.example.com -x -D cn=Manager,dc=example,dc=com -W -f ldap_master_master.ldif
[root@ldapmatriz02 ldifs]# ldapadd -H ldap://ldapmatriz02.example.com -x -D cn=Manager,dc=example,dc=com -W -f ldap_master_master.ldif
====== Testando a replicação ======
[root@ldapmatriz01 ldifs]# ldapsearch -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -b dc=example,dc=com -LLL
Enter LDAP Password:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=Usuarios,dc=example,dc=com
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
dn: ou=Grupos,dc=example,dc=com
ou: Grupos
objectClass: top
objectClass: organizationalUnit
dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword:: e1NTSEF9VGVCWDhIbHhMempFSUJhZW94dk1tTXQ3RXh1dFVjQVA=
[root@ldapmatriz02 ldifs]# ldapsearch -H ldap://ldapmatriz02.example.com -x -D cn=Manager,dc=example,dc=com -W -b dc=example,dc=com -LLL
Enter LDAP Password:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=Usuarios,dc=example,dc=com
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
dn: ou=Grupos,dc=example,dc=com
ou: Grupos
objectClass: top
objectClass: organizationalUnit
dn: cn=replicator,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
userPassword:: e1NTSEF9VGVCWDhIbHhMempFSUJhZW94dk1tTXQ3RXh1dFVjQVA=
[root@ldapmatriz01 ldifs]# cat users_posix.ldif
dn: cn=Gean Martins,ou=Usuarios,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: gean
cn: Gean Martins
givenName: Gean
sn: Martins
userPassword: {crypt}$6$52xe8leN$GJEWCL66DpnH31mT1vFyR062iM5KEkcK1M/T592.uE9C/CWSlUjxNUrWUqWj7PjLgK2SRIMOBDh6Ic.dgBxHK0
shadowLastChange: 17067
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/gean
gecos: Gean Martins
mail: gean@example.com
[root@ldapmatriz01 ldifs]# ldapadd -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -f users_posix.ldif
[root@ldapmatriz01 ldifs]# ldapsearch -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W -b ou=Usuarios,dc=example,dc=com -LLL
Enter LDAP Password:
dn: ou=Usuarios,dc=example,dc=com
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
dn: cn=Gean Martins,ou=Usuarios,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: gean
cn: Gean Martins
givenName: Gean
sn: Martins
userPassword:: e2NyeXB0fSQ2JDUyeGU4bGVOJEdKRVdDTDY2RHBuSDMxbVQxdkZ5UjA2MmlNNUt
Fa2NLMU0vVDU5Mi51RTlDL0NXU2xVanhOVXJXVXFXajdQakxnSzJTUklNT0JEaDZJYy5kZ0J4SEsw
shadowLastChange: 17067
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/gean
gecos: Gean Martins
mail: gean@example.com
[root@ldapmatriz02 ldifs]# ldapsearch -H ldap://ldapmatriz02.example.com -x -D cn=Manager,dc=example,dc=com -W -b ou=Usuarios,dc=example,dc=com -LLL
Enter LDAP Password:
dn: ou=Usuarios,dc=example,dc=com
ou: Usuarios
objectClass: top
objectClass: organizationalUnit
dn: cn=Gean Martins,ou=Usuarios,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: gean
cn: Gean Martins
givenName: Gean
sn: Martins
userPassword:: e2NyeXB0fSQ2JDUyeGU4bGVOJEdKRVdDTDY2RHBuSDMxbVQxdkZ5UjA2MmlNNUt
Fa2NLMU0vVDU5Mi51RTlDL0NXU2xVanhOVXJXVXFXajdQakxnSzJTUklNT0JEaDZJYy5kZ0J4SEsw
shadowLastChange: 17067
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/gean
gecos: Gean Martins
mail: gean@example.com
[root@ldapmatriz01 ldifs]# tail -n20 /var/log/slapd/slapd.log
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 op=0 RESULT tag=97 err=0 text=
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 op=1 ADD dn="cn=Gean Martins,ou=Usuarios,dc=example,dc=com"
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 op=1 RESULT tag=105 err=0 text=
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 op=2 UNBIND
Sep 27 15:53:50 ldapmatriz01 slapd[2978]: conn=1013 fd=21 closed
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 fd=21 ACCEPT from IP=203.0.113.90:60386 (IP=0.0.0.0:389)
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 op=0 RESULT tag=97 err=0 text=
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 op=1 SRCH base="ou=Usuarios,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 op=2 UNBIND
Sep 27 15:54:30 ldapmatriz01 slapd[2978]: conn=1014 fd=21 closed
Sep 27 15:55:00 ldapmatriz01 slapd[2978]: conn=1015 fd=21 ACCEPT from IP=203.0.113.91:36222 (IP=0.0.0.0:389)
Sep 27 15:55:00 ldapmatriz01 slapd[2978]: conn=1015 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Sep 27 15:55:00 ldapmatriz01 slapd[2978]: conn=1015 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Sep 27 15:55:00 ldapmatriz01 slapd[2978]: conn=1015 op=1 UNBIND
Sep 27 15:55:00 ldapmatriz01 slapd[2978]: conn=1015 fd=21 closed
[root@ldapmatriz02 ldifs]# tail -n20 /var/log/slapd/slapd.log
Sep 27 15:51:35 ldapmatriz02 slapd[2336]: conn=1009 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 27 15:51:35 ldapmatriz02 slapd[2336]: conn=1009 op=0 RESULT tag=97 err=0 text=
Sep 27 15:51:35 ldapmatriz02 slapd[2336]: conn=1009 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Sep 27 15:51:35 ldapmatriz02 slapd[2336]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=4 text=
Sep 27 15:51:35 ldapmatriz02 slapd[2336]: conn=1009 op=2 UNBIND
Sep 27 15:51:35 ldapmatriz02 slapd[2336]: conn=1009 fd=21 closed
Sep 27 15:53:50 ldapmatriz02 slapd[2336]: <= bdb_equality_candidates: (entryUUID) not indexed
Sep 27 15:55:09 ldapmatriz02 slapd[2336]: conn=1010 fd=27 ACCEPT from IP=203.0.113.91:35856 (IP=0.0.0.0:389)
Sep 27 15:55:09 ldapmatriz02 slapd[2336]: conn=1010 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Sep 27 15:55:09 ldapmatriz02 slapd[2336]: conn=1010 op=0 RESULT tag=97 err=49 text=
Sep 27 15:55:09 ldapmatriz02 slapd[2336]: conn=1010 op=1 UNBIND
Sep 27 15:55:09 ldapmatriz02 slapd[2336]: conn=1010 fd=27 closed
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 fd=27 ACCEPT from IP=203.0.113.91:35858 (IP=0.0.0.0:389)
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 op=0 RESULT tag=97 err=0 text=
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 op=1 SRCH base="ou=Usuarios,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 op=2 UNBIND
Sep 27 15:55:14 ldapmatriz02 slapd[2336]: conn=1011 fd=27 closed
[root@ldapmatriz01 ldifs]# tail -n50 /var/log/slapd/auditlog.log
-
replace: createTimestamp
createTimestamp: 20160927181332Z
-
replace: entryCSN
entryCSN: 20160927181332.288726Z#000000#000#000000
-
replace: modifiersName
modifiersName: cn=Manager,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20160927181332Z
-
# end modify 1475001620
# add 1475002430 dc=example,dc=com cn=Manager,dc=example,dc=com IP=203.0.113.90:60384 conn=1013
dn: cn=Gean Martins,ou=Usuarios,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: gean
cn: Gean Martins
givenName: Gean
sn: Martins
userPassword:: e2NyeXB0fSQ2JDUyeGU4bGVOJEdKRVdDTDY2RHBuSDMxbVQxdkZ5UjA2MmlNN
UtFa2NLMU0vVDU5Mi51RTlDL0NXU2xVanhOVXJXVXFXajdQakxnSzJTUklNT0JEaDZJYy5kZ0J4
SEsw
shadowLastChange: 17067
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/gean
gecos: Gean Martins
mail: gean@example.com
structuralObjectClass: inetOrgPerson
entryUUID: 7944bff4-192f-1036-9121-c1efa05c52df
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20160927185350Z
entryCSN: 20160927185350.608142Z#000000#001#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20160927185350Z
# end add 1475002430
[root@ldapmatriz02 ldifs]# tail -n50 /var/log/slapd/auditlog.log
changetype: modify
replace: contextCSN
contextCSN: 20160927182909.521077Z#000000#000#000000
-
# end modify 1475001640
# add 1475002430 dc=example,dc=com cn=Manager,dc=example,dc=com conn=-1
dn: cn=Gean Martins,ou=Usuarios,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: gean
cn: Gean Martins
givenName: Gean
sn: Martins
userPassword:: e2NyeXB0fSQ2JDUyeGU4bGVOJEdKRVdDTDY2RHBuSDMxbVQxdkZ5UjA2MmlNN
UtFa2NLMU0vVDU5Mi51RTlDL0NXU2xVanhOVXJXVXFXajdQakxnSzJTUklNT0JEaDZJYy5kZ0J4
SEsw
shadowLastChange: 17067
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/gean
gecos: Gean Martins
mail: gean@example.com
structuralObjectClass: inetOrgPerson
entryUUID: 7944bff4-192f-1036-9121-c1efa05c52df
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20160927185350Z
entryCSN: 20160927185350.608142Z#000000#001#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20160927185350Z
# end add 1475002430
# modify 1475002430 dc=example,dc=com cn=Manager,dc=example,dc=com conn=-1
dn: dc=example,dc=com
changetype: modify
replace: contextCSN
contextCSN: 20160927182909.521077Z#000000#000#000000
contextCSN: 20160927185350.608142Z#000000#001#000000
-
# end modify 1475002430
Removendo o usuário:
[root@ldapmatriz01 ldifs]# ldapdelete -H ldap://ldapmatriz01.example.com -x -D cn=Manager,dc=example,dc=com -W cn="Gean Martins",ou=Usuarios,dc=example,dc=com