Simple Directory Server 5.2 Master Replication

Contributed by mcdsco, November 17, 2006
Tagged: Solaris

This Tech-Recipe provides a simple way to replicate LDAP servers. Do your homework to ensure that this is going to give you all that you need to protect your LDAP world. I just wanted to get folks started in the right direction.

God bless! -scott.


by: Scott McDuff, CISSP SCSA MCSE+I TCA
scott.mcduff@gmail.com

First off, I have a Tech-Recipe that covers building an LDAP server. If you are not familiar with the installation, it walks you through a robust directory server installation.

1. First build two LDAP servers (ldapserver1 and ldapserver2); one can hold your data and the other can be empty. Make sure they can resolve each other’s names, either through a DNS server or through /etc/hosts. The /etc/hosts entries should look like this:

#
# Internet hosts table
#
127.0.0.1 localhost loghost
192.168.1.101 ldapserver1.domain.com ldapserver1
192.168.1.102 ldapserver2.domain.com ldapserver2

Note: this is a good time to configure SSH on these servers to allow logins without passwords since you’ll be going between the servers often. Optional but recommended.

2. I access my first server called ldapserver1 by issuing the following command:

# ssh -X ldap@ldapserver1

The “-X” enables X11 forwarding over ssh … if this doesn’t work, then again … you might need to adjust your /etc/sshd_config.

3. Launch directory server console

# /var/Sun/mps/startconsole &

The Sun Java System Server Console will start and display your domain, with your server (ldapserver1.domain.com in this example) listed below it. Click the symbol next to ldapserver1 to expand it –> expand Server Group –> select Directory Server –> click on the Open button at the top of the right panel.

4. Enable replication on ldapserver1

This opens a new window. Since we are going to enable replication, click on the Configuration tab –> expand Data –> expand the domain (domain.com) –> click on Replication (Disabled) –> click on the Enable replication button. Select the Master Replication radio button –> choose a Replication ID for this master replica (an integer between 1 and 65534); I will choose 777, Next –> the default changelog should be fine for your and my purposes, Next –> Creating –> you should be prompted to enter a password here … I entered it earlier so it didn’t prompt me, Next –> it should say Replication is now enabled, Close.

Now repeat the same steps for ldapserver2, starting at Step 3, but enter a different Replication ID (I used 777 on ldapserver1, so I will use 778 for ldapserver2).

5. Now we are going to set up master replication … ooo … fancy. Basically, the two ldapservers will push data to each other when it changes. Here we go …

    1. Open the ldapserver1 console; you should still have Replication selected. Click on the New button in the right panel –> click on the Other button, enter ldapserver2.domain.com with a port number of 389, click OK –> in the Password window type the password you assigned during the replication wizard (I used Password#1), then click on the OK button. It then asks if you want to check the connection … select Yes –> you should get a message saying that you can connect, click OK.
    2. Repeat one, but reverse the
    3. Click on ldapserver2.domain.com in the replication window, click on the Action button at the bottom of the right panel and select Initialize Remote Replica –> click on the Yes button (DATA WILL BE REPLACED ON LDAPSERVER2 … make sure you got it right!!!!)

Now we have one-way replication working … and this is the way I am going to leave it. Do all of your administration from ldapserver1 and it will automagically push the data to ldapserver2.
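Before trusting the replica, it is worth checking that a change made on ldapserver1 really arrived on ldapserver2: pull the same entry from both servers and compare them. The following sh script is an added example, not part of this recipe or of Sun's tooling; the two LDIF dumps are constructed inline (in practice they would come from ldapsearch against each server, an assumed invocation), and the entry, its attributes and the stale-replica case are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original recipe: confirm an entry has
# converged between ldapserver1 and ldapserver2 by comparing normalized
# LDIF from each. The dumps below are CONSTRUCTED stand-ins for the
# (assumed) output of: ldapsearch -h ldapserverN -b dc=domain,dc=com uid=scott
# normalize_ldif FILE: drop comments/blank lines, unfold continuation
# lines (leading space), sort so attribute order and wrapping don't matter.
normalize_ldif() {
    sed -e '/^#/d' "$1" |
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    sed -e '/^$/d' | sort
}
# replica_matches FILE1 FILE2: return 0 if both dumps describe the same
# entry; otherwise print the differing attribute lines and return 1.
replica_matches() {
    n1=$(normalize_ldif "$1"); n2=$(normalize_ldif "$2")
    [ "$n1" = "$n2" ] && return 0
    t1=$(mktemp); t2=$(mktemp)
    printf '%s\n' "$n1" > "$t1"; printf '%s\n' "$n2" > "$t2"
    diff "$t1" "$t2" || :
    rm -f "$t1" "$t2"; return 1
}
WORK=$(mktemp -d)
# Constructed dump from ldapserver1; cn is folded (first space on the
# continuation line is the LDIF fold marker, the second is real).
cat > "$WORK/server1.ldif" <<'EOF'
dn: uid=scott,ou=People,dc=domain,dc=com
objectClass: posixAccount
uid: scott
cn: Scott
  McDuff
loginShell: /bin/ksh
EOF
# Constructed dump from ldapserver2: same entry, different order/wrapping.
cat > "$WORK/server2.ldif" <<'EOF'
dn: uid=scott,ou=People,dc=domain,dc=com
uid: scott
cn: Scott McDuff
loginShell: /bin/ksh
objectClass: posixAccount
EOF
# Constructed stale replica: a loginShell change that never arrived.
sed 's#/bin/ksh#/bin/sh#' "$WORK/server2.ldif" > "$WORK/stale.ldif"
replica_matches "$WORK/server1.ldif" "$WORK/server2.ldif" &&
    echo "ldapserver2 is in sync for uid=scott"
replica_matches "$WORK/server1.ldif" "$WORK/stale.ldif" ||
    echo "ldapserver2 is STALE for uid=scott (diff above)"
```

Run it after making a test change on ldapserver1; the sync check passes and the stale case prints the attribute that differs.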

Lastly, we need to change our clients to point to both servers. Here is the original client command from my first document; add the second server with a comma and no spaces, as follows. You will also have to go back and change /etc/nsswitch.conf:

# ldapclient init -a profileName=default \
-a domainName=domain.com \
-a proxyDN=cn=proxyagent,ou=profile,dc=domain,dc=com \
-a proxyPassword=differentpasswd \
-a defaultServerList=192.168.1.101,192.168.1.102

(should get successfully configured)

# vi /etc/nsswitch.conf –> should look like this …

passwd: files ldap
group: files ldap
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap

… and have a blessed day! -scott.
