Need help from LDAP Gurus to replicate NS LDAP

wclemo · February 5, 2017, 4:29pm

NethServer Version: v7rc3
Module: openldap

Hi all,

I have spent hours trying to unsuccesfully setup a two node Master-Master NS ldap replication. I need to replicate the NS server (mainly only mail services are setup) to a second node. I intend to have a live copy of the primary node data replicate to the second node. Let me mention that I am a novice in LDAP stuff.

When testing the replication, the NS logs are giving me this error:

slapd[6437]: slap_client_connect: URI=ldap://ns1.example.com DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (49)

slapd[6437]: do_syncrepl: rid=000 rc 49 retrying

I believe this error is to do with login failure from a different host (both are in same LAN). Also if I do this command from the same host, I can login and retrieve info;

ldapsearch -h localhost -D "cn=libuser,dc=directory,dc=nh" -w `cat /var/lib/nethserver/secrets/libuser` -b "ou=People,dc=directory,dc=nh"

But if I do from the other host the following host

ldapsearch -h "other.example.com" -D "cn=libuser,dc=directory,dc=nh" -w `cat /var/lib/nethserver/secrets/libuser` -b "ou=People,dc=directory,dc=nh"

I get this error;

ldap_bind: Invalid credentials (49)

I have followed the guides listed below this post to help me setup ldap replication.

My SyncRepl ldif is as follows;

I have adjusted the olcServerID: , olcSyncRepl: rid=, & provider= accordingly for the second node

dn: cn=config changetype: modify replace: olcServerID olcServerID: 1

`dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://ns1.example.com:389/ bindmethod=simple binddn="cn=admin,dc=directory,dc=nh" credentials=<admin passwd> searchbase="dc=directory,dc=nh" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00`

add: olcMirrorMode olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov

I have also tried to substitute my domain in dc=directory,dc=nh with dc=example,dc=com

In binddn = I have also tried - "cn=admin,ou=People,dc=directory,dc=nh" and even in despair uid=admin,ou=People,dc=directory,dc=nh !!

In searchbase= I have also tried "ou=People,dc=directory,dc=nh"

In short, it seems I just cant get the correct attribute to address for the login from the other node.

I would really appreciate If someone can assist me.

My setup links sources;

http://www.barryodonovan.com/2013/01/28/multi-master-ldap-replication

davidep · February 5, 2017, 5:24pm

Hi @wclemo, welcome to NethServer !

In NethServer starttls is required to protect simple binds. Also ldaps works by default in ns7. I don’t know how to enable it in replication…

Why do you need it? What is your goal?

wclemo · February 5, 2017, 6:18pm

Hi Davide,

We currently have a postfix/dovecot/mariadb setup in place. My boss insisted on having a two node setup for redundancy, so that if the primary node is down for any reason users can switch to the other one. The nodes are in separate locations connected via vpn.

I now want to migrate the current setup to NS, but I need to ensure everything works as before. The only challenge has been NS openldap.

My aim is to have mail user accounts on the primary server replicate to the other server and be able to access the already synced mailboxes. In my current setup, I have setup mariadb master-master replication which has been working well.

alefattorini · February 14, 2017, 3:10pm

Unfortunately, I’m not a LDAP guru but I can tag here some experts like @paspo and @Christian

Christian · February 14, 2017, 10:02pm

I’m not sure I can help here.
Question is not directly related to LDAP but more to the way LDAP is used (and this is quite often what really matters) but also to external stuff.
Let me try to explain.
You expect to get higly available mail system that is LDAP based. But not only LDAP based. Why? because LDPA will only provide back-end describing mail account, password, mail address, maihost… and other similar stuff but LDAP can’t be in charge of replicating mailbox content.

What really matter here is to understand what is in charge of what.

LDAP handles address book like information (your email mail address, you mail drop server etc…) but can’t handle mailbox content. If you want to achieve highly available mailbox, then you need to think about data replication, mirroring… or whatever you may think about but that will ensure that mail you received are pushed/synchronized to server acting as fail-over server… for sure not LDPA based.
regarding LDAP, this is as simple as replicating LDAP content but is it really what matters here?

wclemo · February 15, 2017, 5:07am

I actually have the mailboxes replication taken care of using an rsync based solution. So I only need LDAP replication for only account address book content

Christian · February 15, 2017, 5:59am

Then this is just matter of replicating LDAP
Quite easy in standard LDAP environment but I don’t really know about NS and its potential constraints.
I even don’t known how many LDAP servers (if any) exist in NS deployment as I gave up with in-depth investigations

If only LDAPS is authorized (I wonder why but why not… ), then you will have to rely on it even for replication.

Reading what you posted already, I think you have all the material required to set-up replication. One additional link, in case it helps: http://www.zytrax.com/books/ldap/ch7/

What is missing?

configure LDAPS in replication
account authorized to read/access the whole DIT => I can’t help here it really depends on NS implementation

i.e. use “-ZZ” in your ldapsearch but you may have also to add CA public key client side

wclemo · February 15, 2017, 7:46am

Thanks Christian.
During my attempts at trying to implement this, I think I narrowed down the NS LDAP replication failure to either LDAPS (and the certificates etc) or use of STARTTLS. So I find it interesting that you mention LDAPS/Certificates here.

Not being conversant with LDAP pls excuse me for using its non technical terms - So what I found out is that I could query the LDAP accounts of one host from the other one using CLI (e.g ldapsearch), but the same was not working using the replication config script.

So I wondered whether the cli method of querying ldap via STARTTLS is different.

I will read your link (thanks for it) and try again.

jitkian · July 18, 2018, 8:41am

Hi wclemo, did you manage to setup LDAP replication at last?

wclemo · July 18, 2018, 12:01pm

I never succeeded in doing so even after spending several hours on it. With vanilla Centos it works flawlessly, but with NS I found it complicated. Since I really needed to replicate two separate sites (to achieve a DR like status) I ended up setting up LDAP servers on each site and configuring the two NS to be LDAP clients. The LDAP servers (UCS) are configured on master-master mode and replicate each other flawlessly. Each NS is a client of the LDAP server in its site.

jitkian · July 19, 2018, 2:21am

Thanks for your sharing