===============================
OpenLDAP Server
===============================
.. meta::
:description: OpenLDAP configuration recipes
:keywords: openldap, networking, security, directory, network, ldap, schema, slapd, tls
:robots: noindex,nofollow
For this manual we will use **Ubuntu 20.04 LTS** for both servers. |br|
In **OpenLDAP** there is two type of servers;
Provider
LDAP Server thet provide content :abbr:`DIT (Directory Information Tree)` and make them avilable for retrieval by Consumer
Consumer
LDAP Server/Client that make a request content update to Provider or other Consumer.
Planning
=========
A Provider server must have a pubblic ip or port-forwarding because it need be contacted from Consumer servers.
The ``slapd`` configuration of Consumer server mapped the :abbr:`FQDN (Fully Qualified Domain Name)` in ``cn=config``,
best practice is put it the FQDN rather than utilize IP address.
FQDN is necessary also for TLS Certificates.
.. list-table:: FQDN
:widths: 25 25
:header-rows: 1
:align: center
* - IP Address
- Name
* - ``192.168.34.10``
- ``ldap-provider.oneos.it``
* - ``192.168.34.11``
- ``ldap-consumer01.oneos.it``
Now it's time to chose the LDAP directory tree. |br|
For this tutorial we will use: ``dc=oneos,dc=it``. |br|
Scenario
---------
We need to have an ldap tree for authenticate and authorize users to login in some applications. |br|
Users are in different workplaces across the world. |br|
Above there is LDAP directory tree. In the subtree **Membership** there is a list of users created dinamically
with a user attirbute ``ou=Rome``, to make this we will use the LDAP schema ``dyngroup``. |br|
Other branch is ``Groups``, each user can be a member of one or more groups.
.. highlight:: text
::
| dc=oneos,dc=it
| ├── cn=admin
| ├── ou=Membership
| | ├── cn=Rome
| | ├── cn=New York
| | └── cn=Shangay
| ├── ou=People
| | ├── uid=federico.fiordoliva
| | ├── uid=mark.smith
| | └── uid=meilin.wang
| └── ou=Groups
| ├── uid=Adminstration
| ├── uid=Sales
| ├── uid=Ict
Lets assume we have an application that need to read ldap for authentication and authorization. |br|
For authentication we will use ``uid`` and ``password`` attributes, for authorizations we want to have
an attribute for each applications with value ``TRUE`` if the user is authorize to use it.
In our personal schema we will have two attributes:
app1:
TRUE/BLANK
app2:
TRUE/BLANK
Installation Basics
====================
Install the necessary packages on **Ubuntu 20.04**. |br|
Ubuntu have a tool named ``dpkg-reconfigure`` than is run during package installation.
This tool helping to make a first configuration for some packages, ``slapd`` is one of this.
.. highlight:: bash
:linenothreshold: 1
::
user@ldap-provider:~$ sudo apt update
user@ldap-provider:~$ sudo apt upgrade
user@ldap-provider:~$ sudo apt install slapd ldap-utils
During installation the tool ``dpkg-reconfigure`` ask you to insert a password for
ldap super user admin and create a default ``dn`` as ``cn=admin,dc=example,dc=org``.
.. raw:: html
|br|
Enable ``slapd`` to start at boot. |br|
.. highlight:: bash
::
user@ldap-provider:~$ sudo systemctl enable slapd
Initial Configurations
=======================
Edit the ldap configuration file as above.
.. highlight:: text
:linenothreshold: 1
::
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=oneos,dc=it
URI ldap://ldap-provider.onesos.it ldap://ldap-provider.oneos.it:636
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Now we can use ``dpkg-reconfigure`` tool for crate our LDAP directory tree.
.. highlight:: bash
::
The first type need to be converted prior to load. dpkg-reconfigure slapd
.. raw:: html
|br|
Check the initial configuration by an ldap search command. |br|
.. highlight:: bash
:linenothreshold: 1
::
user@ldap-provider:~$ sudo ldapsearch -D "cn=admin,dc=oneos,dc=it" /
> -x -b "dc=oneos,dc=it" -W -h localhost
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# oneos.it
dn: dc=oneos,dc=it
objectClass: top
objectClass: dcObject
objectClass: organization
o: oneos
dc: oneos
# admin, oneos.it
dn: cn=admin,dc=oneos,dc=it
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1UMSEF9Y2paL7ZXL0EyfmtUVnhsZEpIMittK3IxTXdieTRsYTe=
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
LDAP Schema
============
The schemas used by ``slapd`` may be extended to support additional syntaxes, matching rules, attribute types, and object classes.
There are some schema in default OpenLDAP installation, we can load it and we can create our schema.
Make our schema
-----------------
In this tutorial we need to create a schema for add some attributes not present in every schema. |br|
For make a schema we need 2 arguments: ``olcAttributeTypes`` and ``olcObjectClasses``. |br|
The first one describe the attriubutes type, and the second one define the object class then contain this attributes.
Each argument need a globally unique :abbr:`OID(Object Identifier)`, assigned by :abbr:`IANA(Internet Assigned Numbers Authority)`. |br|
LDAP have his starter OID: ``1.3.6.1.4.1``, the next number (:abbr:`PEN(Private Enterprise Number)`) identify a unique organization like ``1.3.6.1.4.1.2``, where ``2`` is assigned to :abbr:`IBM(International Business Machines Corporation)`. |br|
After organization identifier it's possible to assign number for create our LDAP object.
At this link there is all assigned :abbr:`OID(Object Identifier)` by :abbr:`IANA(Internet Assigned Numbers Authority)`; https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers. |br|
It's possible to have our :abbr:`OID(Object Identifier)` by requesting it for free at this link; https://pen.iana.org/pen/PenApplication.page.
For this tutorial we use a :abbr:`PEN(Private Enterprise Number)` not assigned like ``220776``. |br|
Create a file named ``/etc/ldap/schema/oneos-schema.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=oneos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: oneos
olcAttributeTypes: ( 1.3.6.1.4.1.220776.1.90
NAME 'app1'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.220776.1.91
NAME 'app2'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.220776.1.100 NAME 'oneos'
MUST ( app1 $ app2 ) )
.. attention::
Pay attention to the indentations, otherwise the loading will fail!
Load Schema
-------------
In ``/etc/ldap/schema`` directory there are some schema files, usually:
- ``core.ldif``
- ``inetorgperson.ldif``
- ``nis.ldif``
- ``cosine.ldif``
and so.
This schema are loaded by default. For this tutorial we need to load ``dyngroup.ldif`` schema. |br|
This schema permit to create a dynamic lists of user. |br|
Schema file have two type of syntax, ``schema`` and ``ldif``. Ubuntu have both file in schema directory.
The first type need to be converted prior to load, for this there is a tool named ``schem2ldif``. |br|
In Ubuntu you can install it by ``user@ldap-provider:~$ sudo apt install schema2ldif``.
To check which schemas are loaded type this.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldap-schema-manager -l
core
cosine
nis
inetorgperson
In this tutorial we will load only schema file in ``ldif`` format. |br|
For loading this file use the utility ``ldapadd``.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// /
> -f /etc/ldap/schema/oneos-schema.ldif
adding new entry "cn=oneos,cn=schema,cn=config"
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// /
> -f /etc/ldap/schema/dyngroup.ldif
adding new entry "cn=dyngroup,cn=schema,cn=config"
To check if schema was loaded.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldap-schema-manager -l
core
cosine
nis
inetorgperson
oneos
dyngroup
``dyngroup`` module need to be activated, create a file ``dynlist.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: dynlist.la
olcModulePath: /usr/lib/ldap
dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
olcDlAttrSet: groupOfURLs memberURL uniqueMember
Load it.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// /
> -f /etc/ldap/dynlist.ldif
adding new entry "cn=module,cn=config"
adding new entry "olcOverlay=dynlist,olcDatabase={1}mdb,cn=config"
Web GUI
========
OpenLDAP have some third parts web gui, we will use phpLdapAdmin. |br|
To install it on Ubuntu 20.04 make this command.
.. highlight:: text
::
user@ldap-provider:~$ sudo apt install phpldapadmin
To make ``phpLdapAdmin`` available we need to make some configurations. |br|
Open the file ``/etc/phpldapadmin/config.php`` and change the values like this.
.. highlight:: php
:linenothreshold: 1
::
$servers->setValue('server','name','OneOS Ldap Server');
$servers->setValue('server','base',array('dc=oneos,dc=it'));
After you make installation go to http://ldap-provider.oneos.it/phpldapadmin. |br|
Insert correct ``dn``, password and click **Authenticate**.
.. figure:: images/phpldap1.png
:alt: phpLdapAdmin Login
:width: 700px
:class: with-shadow
:align: center
phpLdapAdmin Login Form
.. figure:: images/phpldap2.png
:alt: phpLdapAdmin Home Page
:width: 700px
:class: with-shadow
:align: center
phpLdapAdmin Login Home Page
In the directory there is olny the basic information provided by the tool ``dpkg-reconfigure slapd``, now ww must populate
with our tree planned.
Populate LDAP Directory
========================
Load content in LDAP is simple and fast. We create a file for every brunch of tree.
Create a file called ``/etc/ldap/ou.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: ou=People,dc=oneos,dc=it
objectClass: organizationalUnit
objectClass: top
ou: People
dn: ou=Membership,dc=oneos,dc=it
objectClass: organizationalUnit
objectClass: top
ou: Membership
dn: ou=Groups,dc=oneos,dc=it
objectClass: organizationalUnit
objectClass: top
ou: Groups
Load this file.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldapadd -x -D cn=admin,dc=oneos,dc=it -W /
> -f /etc/ldap/ou.ldif -h localhost
Enter LDAP Password:
adding new entry "ou=People,dc=oneos,dc=it"
adding new entry "ou=Membership,dc=oneos,dc=it"
adding new entry "ou=Groups,dc=oneos,dc=it"
Now create a file ``/etc/ldap/membership.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=Rome,ou=Membership,dc=oneos,dc=it
cn: Rome
memberURL: ldap:///ou=People,dc=oneos,dc=it?uid?sub?(ou=Rome)
objectClass: groupOfURLs
objectClass: top
dn: cn=New York,ou=Membership,dc=oneos,dc=it
cn: New York
memberURL: ldap:///ou=People,dc=oneos,dc=it?uid?sub?(ou=New York)
objectClass: groupOfURLs
objectClass: top
dn: cn=Shangai,ou=Membership,dc=oneos,dc=it
cn: Shangai
memberURL: ldap:///ou=People,dc=oneos,dc=it?uid?sub?(ou=Shangai)
objectClass: groupOfURLs
objectClass: top
Load this file.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldapadd -x -D cn=admin,dc=oneos,dc=it -W /
> -f /etc/ldap/membership.ldif -h localhost
Enter LDAP Password:
adding new entry "cn=Rome,ou=Membership,dc=oneos,dc=it"
adding new entry "cn=New York,ou=Membership,dc=oneos,dc=it"
adding new entry "cn=Shangai,ou=Membership,dc=oneos,dc=it"
At this point we have two ``ou`` and two dinamic list of users. |br|
Load users.|br|
Create a file called ``/etc/ldap/users.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: uid=federico.fiordoliva,ou=People,dc=oneos,dc=it
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
objectClass: person
o: oneos
ou: Rome
sn: Wiz
cn: federico.fiordoliva
mail: federico.fiordoliva@oneos.it
uid: federico.fiordoliva
userPassword: {SSHA}EqMXhHPQAc0rirQIZLJi/pWz3mxZf/HD
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 3001
homeDirectory: /home/federico.fiordoliva
app1: True
dn: uid=mark.smith,ou=People,dc=oneos,dc=it
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
objectClass: person
o: oneos
ou: New York
sn: Wiz
cn: mark.smith
mail: mark.smith@oneos.it
uid: mark.smith
userPassword: {SSHA}EqMXhHPQAc0rirQIZLJi/pWz3mxZf/HD
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 3002
homeDirectory: /home/mark.smith
app2: True
dn: uid=meilin.wang,ou=People,dc=oneos,dc=it
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: extensibleObject
objectClass: person
o: oneos
ou: Shangai
sn: Wiz
cn: meilin.wang
mail: meilin.wang@oneos.it
uid: meilin.wang
userPassword: {SSHA}EqMXhHPQAc0rirQIZLJi/pWz3mxZf/HD
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 3003
homeDirectory: /home/meilin.wang
app2: True
Load file.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldapadd -x -D cn=admin,dc=oneos,dc=it -W /
> -f /etc/ldap/users.ldif -h localhost
Enter LDAP Password:
adding new entry "uid=federico.fiordoliva,ou=People,dc=oneos,dc=it"
adding new entry "uid=mark.smith,ou=People,dc=oneos,dc=it"
adding new entry "uid=meilin.wang,ou=People,dc=oneos,dc=it"
Now create a file ``/etc/ldap/groups.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=Administration,ou=Groups,dc=oneos,dc=it
cn: Administration
objectClass: posixGroup
gidNumber: 3003
memberUid: mailin.wang
dn: cn=Sales,ou=Groups,dc=oneos,dc=it
cn: Sales
objectClass: posixGroup
gidNumber: 3002
memberUid: mark.smith
dn: cn=Ict,ou=Groups,dc=oneos,dc=it
cn: Ict
objectClass: posixGroup
gidNumber: 3001
memberUid: federico.fiordoliva
Load file.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldapadd -x -D cn=admin,dc=oneos,dc=it -W /
> -f /etc/ldap/groups.ldif -h localhost
Enter LDAP Password:
adding new entry "cn=Administration,ou=Groups,dc=oneos,dc=it"
adding new entry "cn=Sales,ou=Groups,dc=oneos,dc=it"
adding new entry "cn=Ict,ou=Groups,dc=oneos,dc=it"
Go to ``phpLdapAdmin`` and check the loading data. |br|
Check users data and check if dynamic list is populate.|br|
Go to ``cn=Rome,ou=Membership,dc=oneos,dc=it``.
.. figure:: images/phpldap3.png
:alt: phpLdapAdmin Dynlist
:width: 700px
:class: with-shadow
:align: center
phpLdapAdmin Dynlist
Check the attribute ``uniqueMember``, the value was populate dinamically with entire ``dn`` of
user ``federico.fiordoliva``. |br|
If this user will relocate from Rome to New York, the user attribute ``ou`` need to be change with new value ``New York``.
Securing OpenLDAP - TLS
=========================
To enable TLS we need one x509 certificate for Provider and one for each clients connection to OpenLDAP servers.
Best practise is to obtain a valid certificate from a recognized :abbr:`CA(Certification Authority)`,
we will use **Let's Encrypt** with :abbr:`ACME Protocol(Automatic Certificate Management Enviroment)`.
We need one ``fullchain`` certificate from **Let's Encrypt** and two server certificate for Provider and Consumer servers. |br|
You can learn how to obtain a **Let's Encrypt** certificate on pfSense at this page: :doc:`letsencrypt`.
.. note::
If you have a certificates from standard CA you can bypass the :doc:`letsencrypt` tutorial.
After you obtain ``CA CHAIN`` file, your server certificate and your private key, you can configure OpenLDAP. |br|
Put this files in ``/etc/ldap`` and adjust the ownership. |br|
- ``cacert.crt``
- ``ldap-provider.oneos.it.crt``
- ``ldap-provider.oneos.it.key``
.. highlight:: text
::
user@ldap-provider:~$ sudo chown openldap:openldap /etc/ldap/*
user@ldap-provider:~$ sudo chmod 640 /etc/ldap/cacert.crt
user@ldap-provider:~$ sudo chmod 640 /etc/ldap/ldap-provider*
Modify ``/etc/ldap/ldap.conf`` file by adding this entry. |br|
.. highlight:: text
::
TLS_CACERTDIR /etc/ldap
TLS_CACERT /etc/ldap/cacert.crt
TLS_REQCERT allow
Now restart ``slapd``.
.. highlight:: text
::
user@ldap-provider:~$ sudo systemctl restart slapd
Create a file called ``/etc/ldap/olcTLS.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cacert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ldap-provider.oneos.it.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ldap-provider.oneos.it.crt
Load the file.
.. highlight:: bash
::
user@ldap-provider:~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// /
> -f /etc/ldap/olcTLS.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Check configuration loaded.
.. highlight:: bash
::
user@ldap-provider:~$ sudo slapcat -b "cn=config" |egrep "olcTLS"
olcTLSCACertificateFile: /etc/ldap/cacert.crt
olcTLSCertificateKeyFile: /etc/ldap/ldap-provider.oneos.it.key
olcTLSCertificateFile: /etc/ldap/ldap-provider.oneos.it.crt
Now we need to active ``ldaps`` on default config of ``slapd``; ``/etc/default/slapd``
.. highlight:: text
::
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Restart ``slapd``.
.. highlight:: text
::
user@ldap-provider:~$ sudo systemctl restart slapd
Replica Configurations
=======================
In OpenLDAP, there are some type of replication topologies. We will use ``refreshAndPersist``. |br|
The connection was initiated by Consumer to Provider and all changes made on Provider will push on all Consumer servers.
Provider
----------
Firts af all web need a user with ``read-only`` access to Provider, create it.
Make a file called ``replica-user.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=replicator,dc=oneos,dc=it
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: replicator
description: Replication user
userPassword: {SSHA}x
Load file.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldapadd -x -D cn=admin,dc=oneos,dc=it -W /
> -f /etc/ldap/replica-user.ldif -h localhost
Enter LDAP Password:
adding new entry "cn=replicator,dc=oneos,dc=it"
Now add password for ``replicauser``.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldappasswd -h localhost -x -D cn=admin,dc=oneos,dc=it /
> -W -S cn=replicator,dc=oneos,dc=it
New password:
Re-enter new password:
Enter LDAP Password:
After adding user, we need to change privilegs. |br|
Create file called ``replica-acl.ldif``
.. highlight:: text
:linenothreshold: 1
::
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
by dn.exact="cn=replicator,dc=oneos,dc=it" read
by * break
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=oneos,dc=it"
time.soft=unlimited time.hard=unlimited
size.soft=unlimited size.hard=unlimited
.. attention::
Pay attention to the indentations, otherwise the loading will fail!
Load file.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f replica-acl.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
Now we can activate replica configurations. |br|
Create file called ``provider-sync.ldif``.
.. highlight:: text
:linenothreshold: 1
::
# Add indexes to the frontend db.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 1000
Load file.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// /
> -f /etc/ldap/provider-sync.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
modifying entry "cn=module{0},cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={1}mdb,cn=config"
Consumer
----------
Each Consumer need to be configured as Provider, follow the above step from **Installation Basics** to **LDAP Schema** and **Securing OpenLDAP - TLS**.
Configure the :abbr:`FQDN(Fully Qualified Domain Name)` of the Consumer as planned and obtain a new certificate for this name.
Create a file called ``cunsumer-sync.ldif``.
.. highlight:: text
:linenothreshold: 1
::
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncrepl
olcSyncrepl: rid=0
provider=ldap://ldap-provider.oneos.it
bindmethod=simple
binddn="cn=replicator,dc=oneos,dc=it" credentials=PASSWORD
searchbase="dc=oneos,dc=it"
schemachecking=on
type=refreshAndPersist retry="60 +"
starttls=critical
tls_reqcert=demand
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap-provider.oneos.it
The row ``olcSyncrepl: rid=0`` uniquely identifies this Consumer, if another Consumer will
configure the number of ``rid`` must be different.
.. attention::
Change ``PASSWORD`` with the correct password of cn=replicator.
Load file.
.. highlight:: text
::
user@ldap-provider:~$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// /
> -f /etc/ldap/consumer-sync.ldif
To check if the replica works simply do a ``slapcat`` command to see all directory content.
Verify TLS tansport
=====================
To check if TLS works as aspected we can make this test. |br|
- Stop ``slapd`` on Consumer server.
- Make a change on Provider by adding a new user.
- run ``tcpdump`` on Provider to record a connection with Consumer, run this command, put your network interface name in ``INTNAME``.
- ``tcpdump -i INTNAME host ldap-consumer01.oneos.it -w ldap-capture.pcap``
- start ``slapd`` service on Consumer.
- stop the capture on Provider.
When open a pcap file with ``WireShark`` we will see than the connection use TLS 1.3 protocol.
This is the capture.
.. literalinclude:: ldap-capture.txt
:caption: Capture LDAP TLS
:language: text
:emphasize-lines: 9,11,12,15,17-20,25,27,29,31,33
:linenos:
Check in Consumer if there is a new user by ``slapcat``.