REPLICATION OF LDAP DATABASE

Replication is set up in the following steps:

1. Stop the master server's slapd daemon.

2. Reconfigure the master server's slapd.conf to enable replication to the new slave server.

3. Copy the database from the master server to the replica.

4. Configure the replica server's slapd.conf.

5. Start the replica server's slapd process.

6. Start the master server's slapd process.

7. Start the master server's slurpd process.


1. MASTER SIDE:

For replication add the following lines to the master's slapd.conf (the file created for authentication, shown under SERVER SIDE CONFIGURATION below). The indented lines continue the replica directive and must keep their leading whitespace, since slapd treats a line that begins with whitespace as a continuation of the previous one.

replogfile    /var/ldap/slapd.replog

replica        uri=ldap://192.168.1.21:389
               suffix="dc=mnit,dc=ac,dc=in"
               binddn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in"
               bindmethod=simple
               credentials=******

2. SLAVE SIDE:

Here we add the following attributes to the slapd.conf created for authentication (all other attributes remain the same). The updatedn must be the same DN that the master's replica directive binds as, and updateref is the referral the slave returns to any client that tries to write to it, pointing the client back at the master.

updatedn      "uid=easypush,ou=people,dc=mnit,dc=ac,dc=in"
updateref     ldap://192.168.1.20:389

Now we have to start the slurpd daemon, which sends the update information to the slave:

# cd /var/easypush/ldap/sbin
# ./slurpd -d 1

slurpd reads the 'slapd.replog' file written by the master slapd process, in which every modification is recorded in LDIF format. After reading this replog file, slurpd copies the entry to its own replay log, 'slurpd.replog'.

slurpd then reads the entries in its replay log one at a time and propagates each change to the replica using the ordinary LDAP operations (add, modify, delete, modrdn). If a change cannot be applied, slurpd writes the entry and the reason for the failure to a reject log with a .rej suffix in the same directory as slurpd.replog.
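To make the replay-and-reject behaviour described above concrete, here is an added example (not code from the original post or from OpenLDAP) that parses a replog in the slurpd layout, applies each change record in order, and writes any record that fails to a <host:port>.rej file together with the reason. The sample log, the in-memory MemoryDirectory standing in for the slave, and the exact reject-file layout are all constructed for illustration; real slurpd issues LDAP operations against the slave slapd instead.

```python
import os
import tempfile

# Constructed sample slapd.replog. The layout follows the slurpd replog format
# described above: "replica:" line(s) naming the target host:port, a "time:"
# line, then an LDIF change record; records are separated by a blank line.
SAMPLE_REPLOG = """\
replica: 192.168.1.21:389
time: 1212345678
dn: uid=alice,ou=people,dc=mnit,dc=ac,dc=in
changetype: add
objectClass: inetOrgPerson
uid: alice
cn: Alice

replica: 192.168.1.21:389
time: 1212345700
dn: uid=alice,ou=people,dc=mnit,dc=ac,dc=in
changetype: modify
replace: mail
mail: alice@mnit.ac.in
-

replica: 192.168.1.21:389
time: 1212345720
dn: uid=bob,ou=people,dc=mnit,dc=ac,dc=in
changetype: delete
"""


def parse_replog(text):
    """Split a replog into change records, one dict per record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {"replicas": [], "time": None, "dn": None, "changetype": None, "body": []}
        for line in block.splitlines():
            if line.startswith("replica: "):
                rec["replicas"].append(line[len("replica: "):])
            elif line.startswith("time: "):
                rec["time"] = int(line[len("time: "):])
            elif line.startswith("dn: ") and rec["dn"] is None:
                rec["dn"] = line[len("dn: "):]
            elif line.startswith("changetype: "):
                rec["changetype"] = line[len("changetype: "):]
            else:
                rec["body"].append(line)      # attribute lines of the LDIF change
        records.append(rec)
    return records


class MemoryDirectory:
    """Hypothetical in-memory stand-in for the replica; the real slurpd issues
    LDAP add/modify/delete operations against the slave slapd instead."""

    def __init__(self):
        self.entries = {}

    def apply(self, rec):
        dn, changetype = rec["dn"], rec["changetype"]
        if changetype == "add":
            if dn in self.entries:
                raise ValueError("Already exists")
            entry = self.entries[dn] = {}
            for line in rec["body"]:
                attr, value = line.split(": ", 1)
                entry.setdefault(attr, []).append(value)
        elif changetype == "modify":
            if dn not in self.entries:
                raise ValueError("No such object")
            entry = self.entries[dn]
            for line in rec["body"]:
                if line == "-":
                    continue                  # end of one modify operation
                attr, value = line.split(": ", 1)
                if attr in ("replace", "delete"):
                    entry.pop(value, None)    # simplified: drop the whole attribute
                elif attr != "add":
                    entry.setdefault(attr, []).append(value)
        elif changetype == "delete":
            if dn not in self.entries:
                raise ValueError("No such object")
            del self.entries[dn]
        else:
            raise ValueError("Unsupported changetype: %s" % changetype)


def replay(text, directory, reject_dir):
    """Apply every record in order. A record that fails is appended, with the
    reason, to <host:port>.rej in reject_dir, mirroring slurpd's reject log."""
    applied = rejected = 0
    for rec in parse_replog(text):
        try:
            directory.apply(rec)
            applied += 1
        except ValueError as err:
            rejected += 1
            for replica in rec["replicas"]:
                with open(os.path.join(reject_dir, replica + ".rej"), "a") as rej:
                    rej.write("ERROR: %s\n" % err)
                    rej.write("replica: %s\ntime: %s\n" % (replica, rec["time"]))
                    rej.write("dn: %s\nchangetype: %s\n" % (rec["dn"], rec["changetype"]))
                    rej.write("".join(line + "\n" for line in rec["body"]) + "\n")
    return applied, rejected


def run_demo():
    """Replay the constructed log into a fresh directory and a temporary reject dir."""
    directory = MemoryDirectory()
    reject_dir = tempfile.mkdtemp()
    applied, rejected = replay(SAMPLE_REPLOG, directory, reject_dir)
    with open(os.path.join(reject_dir, "192.168.1.21:389.rej")) as rej:
        rejected_text = rej.read()
    return applied, rejected, directory.entries, rejected_text


if __name__ == "__main__":
    print(run_demo())
```

The third record deletes an entry that was never added, so it lands in the reject file while the two records for uid=alice are applied; inspecting the .rej file after a replication run is the quickest way to see which changes the slave is missing.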

 

AUTHENTICATION OF CLIENTS USING A CENTRALIZED LDAP SERVER

LDAP (Lightweight Directory Access Protocol) is used here as a central directory for storing user information. All clients authenticate against a single LDAP server, which removes the need to keep duplicate account data on every machine.

To authenticate clients we need to configure both the server and the client machines.

This configuration is for the deepOfix server and works with Debian clients (the configuration is the same for most Linux clients).

SERVER SIDE CONFIGURATION:

1. Configure the /var/easypush/ldap/etc/openldap/slapd.conf file as follows:

allow bind_v2
allow bind_anon_dn
loglevel 0

include /var/easypush/ldap/etc/openldap/schema/addressbook.schema
include /var/easypush/ldap/etc/openldap/schema/core.schema
include /var/easypush/ldap/etc/openldap/schema/cosine.schema
include /var/easypush/ldap/etc/openldap/schema/inetorgperson.schema
include /var/easypush/ldap/etc/openldap/schema/nis.schema
include /var/easypush/ldap/etc/openldap/schema/samba.schema
include /var/easypush/ldap/etc/openldap/schema/qmail.schema
include /var/easypush/ldap/etc/openldap/schema/deepofixuser.schema

pidfile    /var/easypush/ldap/var/run/slapd.pid
argsfile   /var/easypush/ldap/var/run/slapd.args

database   bdb
suffix     "dc=mnit,dc=ac,dc=in"
rootdn     "uid=easypush,ou=people,dc=mnit,dc=ac,dc=in"
rootpw     {SSHA}*************
directory  /var/easypush/ldap/var/openldap-data
index      objectClass  eq

access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
          by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
          by anonymous auth
          by self write
          by * none

access to dn.subtree="dc=mnit,dc=ac,dc=in"
          by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
          by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
          by self write
          by users read

access to dn.subtree="ou=people,dc=mnit,dc=ac,dc=in"
          by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
          by users read

access to dn.subtree="ou=group,dc=mnit,dc=ac,dc=in"
          by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
          by users read

access to dn.subtree="ou=addressbook,dc=mnit,dc=ac,dc=in"
          by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
          by users read

access to dn.subtree="dc=mnit,dc=ac,dc=in"
          by * none

cachesize 1500
sizelimit 1500

TLSCertificateFile     "/var/easypush/etc/certificates/server.crt"
TLSCertificateKeyFile  "/var/easypush/etc/certificates/server.ke

A note on the access directives: slapd evaluates them in file order and applies the first one whose "access to" part matches the entry, so the password-attribute rule must stay first. Because the dn.subtree="dc=mnit,dc=ac,dc=in" rule already matches every entry under the suffix, the later rules for ou=people, ou=group and ou=addressbook and the final catch-all are never reached. A request that matches a directive but none of its "by" clauses is denied, which is what keeps anonymous binds from reading the tree. The catch-all is written "by * none" here; a "by" clause needs a <who> selector before the access level, so "by none" on its own is not accepted by slapd.
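Because the order of access directives decides what is actually enforced, it is worth checking a slapd.conf mechanically rather than by eye. The following added example (not part of the original post or of OpenLDAP) parses the "access to ... by ..." directives, reports any later dn.subtree rule that an earlier rule already covers, flags a "by" clause that lacks a <who> selector, and warns when the password attributes are readable by anonymous, users or *. The sample embedded in the block is the ACL section shown above, with the catch-all left as "by none" exactly as it originally appeared so the check has something to report; the subset of slapd.conf syntax handled (dn.subtree, attrs=, *) is an assumption of this example.

```python
import re

# Constructed sample: the access directives from the slapd.conf above, with the
# final catch-all written "by none" as it originally appeared, so the lint has
# something to flag.
SAMPLE_ACLS = """\
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
          by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
          by anonymous auth
          by self write
          by * none
access to dn.subtree="dc=mnit,dc=ac,dc=in"
          by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
          by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
          by self write
          by users read
access to dn.subtree="ou=people,dc=mnit,dc=ac,dc=in"
          by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
          by users read
access to dn.subtree="dc=mnit,dc=ac,dc=in" by none
"""

ACCESS_LEVELS = {"none", "disclose", "auth", "compare", "search", "read", "write", "manage"}
PASSWORD_ATTRS = ("userpassword", "sambalmpassword", "sambantpassword")


def join_continuations(text):
    """slapd.conf continues a directive on lines that begin with whitespace."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_acls(text):
    """Return [{'what': ..., 'by': [(who, level), ...]}] in file order.
    who is None when a 'by' clause starts with an access level instead of a selector."""
    acls = []
    for line in join_continuations(text):
        if not line.startswith("access to "):
            continue
        parts = re.split(r"\s+by\s+", line[len("access to "):])
        clauses = []
        for clause in parts[1:]:
            tokens = clause.split()
            if tokens[0] in ACCESS_LEVELS:
                clauses.append((None, tokens[0]))
            else:
                clauses.append((tokens[0], tokens[1] if len(tokens) > 1 else None))
        acls.append({"what": parts[0].strip(), "by": clauses})
    return acls


def subtree_of(what):
    """DN of a dn.subtree="..." selector (normalised), else None."""
    m = re.fullmatch(r'dn\.subtree="([^"]*)"', what)
    return m.group(1).lower().replace(" ", "") if m else None


def covers(earlier, later):
    """True if every entry matched by 'later' is already matched by 'earlier'."""
    if earlier == "*":
        return True
    a, b = subtree_of(earlier), subtree_of(later)
    return a is not None and b is not None and (a == b or b.endswith("," + a))


def lint(text):
    """Findings as (directive index, message), in file order."""
    acls = parse_acls(text)
    findings = []
    for i, acl in enumerate(acls):
        for who, level in acl["by"]:
            if who is None:
                findings.append((i, "'by %s' has no <who> selector; write 'by * %s'" % (level, level)))
            elif (any(p in acl["what"].lower() for p in PASSWORD_ATTRS)
                  and who in ("*", "users", "anonymous")
                  and level in ("read", "write", "manage", "search", "compare")):
                findings.append((i, "password attributes granted %s to %s" % (level, who)))
        for j in range(i):
            if covers(acls[j]["what"], acl["what"]):
                findings.append((i, "shadowed by directive %d (%s); never reached" % (j, acls[j]["what"])))
                break
    return findings


if __name__ == "__main__":
    for index, message in lint(SAMPLE_ACLS):
        print("directive %d: %s" % (index, message))
```

Run against the sample, the lint reports directive 2 (ou=people) and directive 3 (the catch-all) as shadowed by the whole-suffix rule, and directive 3 for its missing <who>; the password rule at the top passes because it ends in "by * none".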

 

2. Now add the users to the LDAP directory through the easypush server manager.

For this, open the Mozilla Firefox browser on any machine and enter:

https://192.168.1.12:4080/

The easypush server manager opens, and user accounts can be added from there very easily.

3. After this we start the standalone LDAP server slapd with:

# sv -v up slapd

 

CLIENT SIDE CONFIGURATION:

A. Install the following packages (on Debian):

# apt-get install libpam-ldap libnss-ldap nss-switch nscd

 

B. Change the following configuration files:

1. /etc/libnss-ldap.conf

host 192.168.1.20
base dc=mnit,dc=ac,dc=in
ldap_version 3
binddn uid=admin,ou=people,dc=mnit,dc=ac,dc=in
bindpw ******

 

2. /etc/pam_ldap.conf

host 192.168.1.20
base dc=mnit,dc=ac,dc=in
ldap_version 3
pam_password_prohibit_message Please change the password using the EasyPush Server Manager.
binddn uid=admin,ou=people,dc=mnit,dc=ac,dc=in
bindpw ******

 

 

3. /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

 

 

4. /etc/ldap/ldap.conf

base                 dc=mnit,dc=ac,dc=in
uri                  ldap://192.168.1.20:389
ldap_version         3
scope                sub
pam_login_attribute  uid
pam_filter           objectClass=posixAccount

 

 

5. /etc/pam.d/common-auth

auth     sufficient     pam_ldap.so
auth     required       pam_unix.so   nullok_secure

6. /etc/pam.d/common-account

account  sufficient     pam_ldap.so
account  required       pam_unix.so

7. /etc/pam.d/common-session

session  required       pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  optional       pam_foreground.so
session  sufficient     pam_ldap.so
session  required       pam_unix.so

 

Now restart the client machine and log in as any of the users present in the LDAP directory that were added through the easypush server manager. If the correct password is given, the user is authenticated and pam_mkhomedir creates a separate home directory for them.
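Before rebooting a client it helps to verify the three pieces that have to line up: NSS must resolve passwd, group and shadow through ldap, the PAM auth stack must consult pam_ldap.so, and pam_ldap.conf, which stores bindpw in clear text, should be readable by its owner only. The following added example (not part of the original post or of any of the packages above) performs those checks on the nsswitch.conf and common-auth contents shown above, embedded here as constructed samples. The warning about use_first_pass is this example's advice, not a requirement from the post: without it, a pam_unix.so placed after pam_ldap.so prompts for the password a second time when the LDAP bind fails.

```python
import stat

# Constructed samples taken from the client configuration shown above.
NSSWITCH = """\
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
"""

COMMON_AUTH = """\
auth     sufficient        pam_ldap.so
auth     required          pam_unix.so   nullok_secure
"""


def parse_nsswitch(text):
    """Map each database to its ordered list of sources ([action] tokens dropped)."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        databases[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def databases_not_using_ldap(text, required=("passwd", "group", "shadow")):
    """Names from 'required' whose lookups would never reach the LDAP server."""
    databases = parse_nsswitch(text)
    return [db for db in required if "ldap" not in databases.get(db, [])]


def parse_pam(text):
    """Return (type, control, module, args) per rule; bracketed controls are kept whole."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        if tokens[1].startswith("["):          # e.g. [success=1 default=ignore]
            end = next(k for k, t in enumerate(tokens) if t.endswith("]"))
            tokens = [tokens[0], " ".join(tokens[1:end + 1])] + tokens[end + 1:]
        rules.append((tokens[0], tokens[1], tokens[2], tokens[3:]))
    return rules


def check_auth_stack(text):
    """Warnings about the auth stack: LDAP must be consulted, and a unix fallback
    after it should reuse the password already typed rather than prompting again."""
    warnings = []
    rules = [r for r in parse_pam(text) if r[0] == "auth"]
    ldap_pos = next((k for k, r in enumerate(rules) if r[2] == "pam_ldap.so"), None)
    if ldap_pos is None:
        warnings.append("pam_ldap.so is not in the auth stack")
        return warnings
    for _, _, module, args in rules[ldap_pos + 1:]:
        if module == "pam_unix.so" and not {"use_first_pass", "try_first_pass"} & set(args):
            warnings.append("pam_unix.so after pam_ldap.so lacks use_first_pass/try_first_pass; "
                            "a failed LDAP bind prompts for the password a second time")
    return warnings


def secret_file_mode_ok(st_mode):
    """pam_ldap.conf holds bindpw in clear text; only the owner bits should be set.
    Pass os.stat('/etc/pam_ldap.conf').st_mode on a real client."""
    return stat.S_IMODE(st_mode) & 0o077 == 0


if __name__ == "__main__":
    print("databases not using ldap:", databases_not_using_ldap(NSSWITCH))
    print("auth stack warnings:", check_auth_stack(COMMON_AUTH))
    print("0600 ok:", secret_file_mode_ok(0o100600), "0644 ok:", secret_file_mode_ok(0o100644))
```

libnss-ldap.conf is deliberately left out of the file-mode check: NSS reads it from every process, so it cannot be made owner-only in this setup, which is one reason to keep the bind account it names read-only in the server ACLs.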

 

 


Copyright © 2008 - ProSceNiuM - is proudly powered by Blogger