Created on 03-04-2017 09:22 PM - edited 09-16-2022 01:38 AM
Prerequisites:
1. Make sure /etc/hosts on every node has the correct IP addresses and hostnames, and that the master nodes can ping each other by hostname.
2. OpenLDAP installed and running on each master node.
3. Make sure slapd messages are captured in their own log file. slapd logs to the local4 syslog facility, so append the following lines to /etc/rsyslog.conf and restart rsyslog:
vi /etc/rsyslog.conf
# Point SLAPD logs to /var/log/slapd.log
local4.*    /var/log/slapd.log
service rsyslog restart
Note: slapd only writes replication details when its log level includes sync (the olcLogLevel attribute on cn=config; the default level does not include it), so enable that while you validate the setup and lower it again afterwards.
HA OpenLDAP Sync Setup:
The following LDIF files need to be created (the examples below put them in /tmp) and applied on every master node:
basednupdate.ldif
syncproc_module.ldif
syncproc.ldif
addladpservers.ldif
master01.ldif
NOTE: Change the cn and dc values throughout to match your own rootdn and suffix. The examples below use cn=grj,dc=ganeshrj,dc=com as the rootdn and dc=ganeshrj,dc=com as the suffix.
vi /tmp/basednupdate.ldif
# update your rootdn below:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=grj,dc=ganeshrj,dc=com" read by * none
Execute the following command (the LDIF is a modify, so ldapmodify is used; ldapadd would also honour the changetype):
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/basednupdate.ldif
Note: If the above command fails, stop slapd, edit the generated config file directly and update the DN (do not edit files under slapd.d while slapd is running, as it may overwrite them):
vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
Change cn and dc:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=grj,dc=ganeshrj,dc=com" read by * none
Run slaptest -u (dry run) to check that the configuration still parses before starting slapd again.
vi /tmp/syncproc_module.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
Execute:
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/syncproc_module.ldif
Note: If a module list entry (cn=module{0},cn=config) already exists, for example because another overlay is loaded, this add fails with "Already exists"; in that case modify the existing entry and add olcModuleLoad: syncprov.la to it instead.
vi /tmp/syncproc.ldif
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
# checkpoint the contextCSN after 10 writes or 1 minute, whichever comes first
olcSpCheckpoint: 10 1
Execute:
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/syncproc.ldif
Note: {2}hdb must be the index of your data database; check it with an ldapsearch against cn=config (ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=* dn) if you are unsure.
vi /tmp/addladpservers.ldif
# Apply the same file on all master nodes: it lists every master with its own serverID.
# Each slapd picks its own ID by matching one of these URLs against the URLs it was
# started to listen on (-h, SLAPD_URLS on RHEL), so start each server with its own
# ldap://hostname URL and keep the URLs here identical to those.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.ganeshrj.com
olcServerID: 2 ldap://ldap2.ganeshrj.com
Execute:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/addladpservers.ldif
vi /tmp/master01.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.ganeshrj.com:389/ bindmethod=simple
  binddn="cn=grj,dc=ganeshrj,dc=com" credentials=password
  searchbase="dc=ganeshrj,dc=com" scope=sub schemachecking=off
  type=refreshAndPersist retry="5 10 30 +" interval=00:00:00:10
olcSyncRepl: rid=002 provider=ldap://ldap2.ganeshrj.com:389/ bindmethod=simple
  binddn="cn=grj,dc=ganeshrj,dc=com" credentials=password
  searchbase="dc=ganeshrj,dc=com" scope=sub schemachecking=off
  type=refreshAndPersist retry="5 10 30 +" interval=00:00:00:10
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
A few points about these values: the "-" lines separate the three modify operations and are required. credentials= is the bind password in clear text; it is stored as-is in cn=config and, over ldap://, sent in the clear to the other master, which is why the TLS section below matters. The examples bind as the rootdn; a dedicated replication DN with read access to the suffix is the least-privilege choice. interval= only applies to refreshOnly replication and is ignored with type=refreshAndPersist, which pushes changes as they happen.
Execute:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/master01.ldif
Note: Make sure master01.ldif is also applied on the other master nodes.
If the above command fails, stop slapd, add the attributes by hand to the database entry (olcSyncRepl, olcMirrorMode and olcDbIndex are database attributes, so they belong in the hdb database file, not in the syncprov overlay file) and run slaptest -u:
vi "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
Paste the following:
-------------------
olcSyncRepl: rid=001 provider=ldap://ldap1.ganeshrj.com:389/ bindmethod=simple binddn="cn=grj,dc=ganeshrj,dc=com" credentials=password searchbase="dc=ganeshrj,dc=com" scope=sub schemachecking=off type=refreshAndPersist retry="5 10 30 +" interval=00:00:00:10
olcSyncRepl: rid=002 provider=ldap://ldap2.ganeshrj.com:389/ bindmethod=simple binddn="cn=grj,dc=ganeshrj,dc=com" credentials=password searchbase="dc=ganeshrj,dc=com" scope=sub schemachecking=off type=refreshAndPersist retry="5 10 30 +" interval=00:00:00:10
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcMirrorMode: TRUE
-------------------
Restart the slapd service:
service slapd restart
Check /var/log/slapd.log to see that both servers are communicating (look for syncrepl and the rid=001/rid=002 values).
Testing:
1. Do an LDAP search on each server to see that the users are returned:
ldapsearch -x -b "dc=ganeshrj,dc=com"
2. Add a user on one of the servers and check that it is replicated to the other.
vi /tmp/adduser.ldif
dn: uid=ganesh,ou=people,dc=testorg1,dc=ganeshrj,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Ganesh
sn: Ganesh
uid: ganesh
userPassword: ganesh-password
The parent entries (dc=testorg1,... and ou=people,...) must already exist or the add fails with "No such object". A userPassword given like this is stored exactly as typed; generate a hashed value with slappasswd and paste that instead for anything beyond a throwaway test.
Execute:
ldapadd -x -D "cn=grj,dc=ganeshrj,dc=com" -W -f /tmp/adduser.ldif
Then run the search against both boxes to validate, pointing -H at the server you did not add the user on:
ldapsearch -x -H ldap://ldap2.ganeshrj.com -b "dc=ganeshrj,dc=com" uid=ganesh
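A quicker replication check than adding and searching for users is to compare the contextCSN values the two masters report for the suffix: in a healthy mirror-mode pair each server carries one contextCSN per serverID and the sets match on both nodes. The script below is an added example, not part of the original post. It shows the ldapsearch that fetches the values and a comparison over constructed sample outputs (the hostnames, suffix and CSN values are made up for the demonstration; the fetch function is not executed here).

```shell
#!/bin/sh
# Added example: compare contextCSN sets across mirror-mode providers.
# Suffix and hostnames are assumptions taken from the post's examples.
SUFFIX="dc=ganeshrj,dc=com"

# Real query (not run in this example): anonymous base-scope search for
# contextCSN only, against one provider.
fetch_csns() {            # $1 = provider hostname
    ldapsearch -x -LLL -H "ldap://$1" -b "$SUFFIX" -s base contextCSN
}

# Pull contextCSN values out of LDIF output, one per line, ordered by serverID.
# A CSN looks like 20170304212215.431201Z#000000#001#000000 (time#count#sid#mod).
extract_csns() {          # $1 = LDIF text
    printf '%s\n' "$1" | awk -F': ' '$1 == "contextCSN" { print $2 }' | sort -t'#' -k3,3
}

# Succeed only when both outputs carry the identical, non-empty set of CSNs.
csns_in_sync() {          # $1, $2 = LDIF text from two providers
    a=$(extract_csns "$1")
    b=$(extract_csns "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

report() {                # $1, $2 = LDIF text from two providers
    if csns_in_sync "$1" "$2"; then echo "in sync"; else echo "OUT OF SYNC"; fi
}

# Constructed sample outputs (what ldapsearch would print on each node).
LDAP1_OUT='dn: dc=ganeshrj,dc=com
contextCSN: 20170304212215.431201Z#000000#001#000000
contextCSN: 20170304212130.118822Z#000000#002#000000'

# Same CSNs in a different order: still in sync.
LDAP2_OUT='dn: dc=ganeshrj,dc=com
contextCSN: 20170304212130.118822Z#000000#002#000000
contextCSN: 20170304212215.431201Z#000000#001#000000'

# ldap2 has not yet received ldap1's latest write (older CSN for sid 001).
LDAP2_LAGGING='dn: dc=ganeshrj,dc=com
contextCSN: 20170304212130.118822Z#000000#002#000000
contextCSN: 20170304212109.009911Z#000000#001#000000'

report "$LDAP1_OUT" "$LDAP2_OUT"
report "$LDAP1_OUT" "$LDAP2_LAGGING"
```

In production, replace the constructed strings with `fetch_csns ldap1.ganeshrj.com` and `fetch_csns ldap2.ganeshrj.com`; a persistent mismatch on one serverID means that server's changes are not reaching the other node, and slapd.log on the lagging side will show why.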
OpenLDAP High Availability Setup with SSL/TLS
There are two steps:
1. Creation of a self-signed CA and a server certificate for OpenLDAP.
2. Update OpenLDAP with the certificates created, and update the config and hdb databases with the certificate information.
Creating the self-signed certificate
1. Create a CA first.
2. Create a certificate request for the OpenLDAP server.
3. Sign the OpenLDAP server certificate with the CA created in step 1.
4. Use the signed certificate (from step 3) together with the CA certificate (from step 1) in OpenLDAP.
Update to openssl.cnf: This is a "nice to have" change, since once the defaults are set they do not have to be keyed in every time a new certificate request is generated.
Update /etc/pki/tls/openssl.cnf and change it as follows (this is an example and can be adapted to organizational needs):
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
#countryName_default            = XX
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
#stateOrProvinceName_default    = Default Province
stateOrProvinceName_default     = Virginia
localityName                    = Locality Name (eg, city)
#localityName_default           = Default City
localityName_default            = Ashburn
0.organizationName              = Organization Name (eg, company)
#0.organizationName_default     = Default Company Ltd
0.organizationName_default      = Unknown Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
Update the default validity to 10 years, in the [ CA_default ] section:
default_days    = 3650                  # how long to certify for
Change the CA certificate file name if you need to (optional), also in [ CA_default ]:
#certificate    = $dir/cacert.pem       # The CA certificate
certificate     = $dir/ganeshrj.crt     # The CA certificate
Change the path to the private key if needed (optional); the name must match the key generated below:
#private_key    = $dir/private/cakey.pem    # The private key
private_key     = $dir/private/cakey.key    # The private key
Create the serial number and index files
Note: This step should be done only once as part of the setup. The serial file holds the next certificate serial number and index.txt is the CA's database of issued certificates.
cd /etc/pki/CA
echo 01 > serial
touch index.txt
Creating a Certificate Authority (CA)
Now generate the key named in openssl.cnf (private_key = $dir/private/cakey.key). This key signs the CA certificate and, later, the server certificate, so keep it passphrase-protected (-des3) and readable only by root:
openssl genrsa -des3 -out private/cakey.key 2048
chmod 600 private/cakey.key
Using the key above, create the self-signed CA certificate (3650 days matches the 10-year default_days set earlier):
openssl req -new -x509 -key private/cakey.key -out ganeshrj.crt -days 3650
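The four steps outlined above (CA, server request, signing, and using the pair), run end to end as a script in a scratch directory so they can be rehearsed without touching /etc/pki. This is an added example and not the original post's commands: it passes the subject with -subj instead of relying on the openssl.cnf defaults, adds a subjectAltName for the server's hostname (TLS clients check the hostname against the SAN, so a certificate with only a CN fails modern verification), and leaves the CA key unencrypted for non-interactive use, where the post's genrsa -des3 is the better choice for a real CA. The hostnames and the ganeshrj names are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): CA + server certificate for slapd.
# Works in a scratch directory; paths and hostnames are assumptions from the post.
set -u

# Step 1: CA key and self-signed CA certificate (10-year validity, like default_days = 3650).
make_ca() {               # $1 = working dir
    mkdir -p "$1/private" && chmod 700 "$1/private" &&
    openssl genrsa -out "$1/private/cakey.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/private/cakey.key" -out "$1/ganeshrj.crt" \
        -days 3650 -subj "/C=US/ST=Virginia/L=Ashburn/O=Unknown Company Ltd/CN=ganeshrj CA"
}

# Steps 2-3: server key and CSR, then sign the CSR with the CA, adding a SAN
# that names the host so clients can verify the hostname.
issue_server_cert() {     # $1 = working dir, $2 = LDAP server FQDN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=Virginia/L=Ashburn/O=Unknown Company Ltd/CN=$2" 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ganeshrj.crt" -CAkey "$1/private/cakey.key" \
        -CAcreateserial -days 3650 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"
}

# Step 4 pre-check, before handing the files to slapd: does the server cert
# chain to the CA certificate, and does it carry the SAN for this host?
cert_is_valid_for() {     # $1 = working dir, $2 = FQDN
    openssl verify -CAfile "$1/ganeshrj.crt" "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

WORK=$(mktemp -d)
if make_ca "$WORK" && issue_server_cert "$WORK" ldap1.ganeshrj.com &&
   cert_is_valid_for "$WORK" ldap1.ganeshrj.com; then
    echo "ldap1.ganeshrj.com.crt verifies against ganeshrj.crt and names the host"
    echo "files in $WORK: ganeshrj.crt (CA), ldap1.ganeshrj.com.crt, ldap1.ganeshrj.com.key"
fi
```

Run issue_server_cert once per master with that master's FQDN; each slapd then gets its own key and certificate plus the shared ganeshrj.crt as the CA file, and the replication binds in olcSyncRepl can be switched to the TLS-protected URL or starttls=critical so the rootdn password no longer crosses the network in the clear.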