Hi folks,
finally I found proper way how to add meta directory. If somebody have extra
time, you can add it as example to documentation. There is lack of this
example. I know it may look as obvious for advanced user, but I have to say,
this takes me few hours before I find out how it is working, so I'll post full
man for other newbies.
# =====================| LDAP meta server under Docker |======================
* Install LDAP container. Name it as you want.
* Folder /srv/share is for easy sharing data. If you do not need it (you can
copy content of text files), then you can omit this parameter/line.
* Parameter "restart always" cause auto start-up with docker service
* If you do not need debug, simply remove "loglevel" parameter
$ docker run --name ldap_meta \
--restart always \
--volume /srv/share:/mnt/share \
--detach osixia/openldap:latest --loglevel debug
* Login to docker container
$ docker exec -it ldap_meta bash
* Following commands are called from docker container (with root access)
* Add "meta" backend in case that modules are not build-in
add_meta_backend.ldif:
==============================================================================
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_meta
olcModuleLoad: back_ldap
olcModuleLoad: rwm
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f add_meta_backend.ldif
* Add meta database. meta_database.ldif:
==============================================================================
dn: olcDatabase=meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: meta
olcSuffix: dc=company,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=binder,dc=company,dc=com
# For generation password hash you can use "slappasswd"
olcRootPW:: ***secret hash***
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcDbOnErr: continue
olcDbPseudoRootBindDefer: TRUE
olcDbSingleConn: FALSE
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_database.ldif
* Now check meta database number
# ls -l /etc/ldap/slapd.d/cn\=config/
total 44
-rw------- 1 openldap openldap 543 Jan 20 07:04 cn=module{0}.ldif
-rw------- 1 openldap openldap 579 Jan 20 07:08 cn=module{1}.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 cn=schema
-rw------- 1 openldap openldap 396 Jan 20 07:04 cn=schema.ldif
-rw------- 1 openldap openldap 414 Jan 20 07:04 olcBackend={0}hdb.ldif
-rw------- 1 openldap openldap 657 Jan 20 07:04 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap 654 Jan 20 07:04 olcDatabase={0}config.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:04 olcDatabase={1}hdb
-rw------- 1 openldap openldap 1202 Jan 20 07:04 olcDatabase={1}hdb.ldif
drwxr-x--- 2 openldap openldap 4096 Jan 20 07:58 olcDatabase={2}meta
-rw------- 1 openldap openldap 1100 Jan 20 07:25 olcDatabase={2}meta.ldif
* In my case it is number "2" ( olcDatabase={2}meta.ldif ). If can be 1, it
can be 3. It depends how many databases you have. But note this "database
number" somewhere.
* Now you're ready to add meta sub URI. meta_uri_0.ldif:
==============================================================================
# In this case, you NEED to define database number!!!
# Please change it, if necessary ( {2} -> {x} )
dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "ldap://somewhere.eu:389/ou=cz,dc=company,dc=com";
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for CZ,
dc=cz,dc=company,dc=eu" credentials="binders's secret password"
keepalive=0:0:0
olcDbRewrite: suffixmassage "ou=cz,dc=company,dc=com" "dc=cz,dc=company,dc=eu"
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_0.ldif
* If you want to add another meta sub URI, it is simple. meta_uri_1.ldif:
==============================================================================
# In this case, you NEED to define database number!!!
# Please change it, if necessary ( {2} -> {x} )
dn: olcMetaSub=uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: uri
olcDbURI: "ldap://somewhere.else.eu:389/ou=de,dc=company,dc=com";
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical
bindmethod=simple timeout=0 network-timeout=0 binddn="cn=binder for DE,
dc=company,dc=eu" credentials="binders's secret password" keepalive=0:0:0
olcDbRewrite: suffixmassage "ou=de,dc=company,dc=com" "dc=company,dc=eu"
olcDbKeepalive: 0:0:0
olcDbBindTimeout: 1000000
olcDbCancel: abandon
olcDbChaseReferrals: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbNretries: 100
olcDbProtocolVersion: 3
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbTFSupport: no
==============================================================================
# ldapadd -Y EXTERNAL -H ldapi:/// -f meta_uri_1.ldif
* ... and so on.
Hope it will save somebody :)
Best regards
Martin Stejskal
________________________________
From: Martin Stejskal
Sent: 19 January 2017 16:46:05
To: Ulrich Windl; [email protected]; [email protected]
Subject: Re: Antw: Re: slapd-meta with olc
Hi Ulrich,
I totally agree, but I wanted to show "quick and dirty" way. Sometimes you
just need to test something, and when everything works it is time to play
around ;)
Hey Ryan,
thanks for advice. Today I played with "osixia/openldap" docker image and at
the end of the day I was able to make it work. Just for reference, I'm sending
modified part of ".config" file.
======================================================
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema//ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
#ldapmod#modulepath ../servers/slapd/back-ldap/
#ldapmod#moduleload back_ldap.la
#metamod#modulepath ../servers/slapd/back-meta/
#metamod#moduleload back_meta.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
modulepath /usr/lib/ldap/
moduleload back_meta.la
moduleload rwm.la
moduleload back_ldap.la
======================================================
Then just delete old slapd.d and convert .config to slapd.d directory and it is
work. But still, it is not proper way through slapadd/slapmodify, which I'm
looking for.
Best regards
Martin Stejskal
________________________________
From: Ulrich Windl <[email protected]>
Sent: 19 January 2017 08:45:43
To: Martin Stejskal; [email protected]; [email protected]
Subject: Antw: Re: slapd-meta with olc
>>> Martin Stejskal <[email protected]> schrieb am 17.01.2017 um 09:08 in
>>> Nachricht
<os2pr01mb02343bfa404e587bc43468b9b3...@os2pr01mb0234.jpnprd01.prod.outlook.com>
[...]
> 3) Simply remove (3A) or configure (3B) "apparmor" to avoid strange start
> failure and another "permission denied" errors. Choice is up to you
> (security vs convenience)
>
> 3A) Remove apparrmor
> $ sudo apt remove apparmor
>
> 3B) Configure apparmor
[...]
I'd recommend to change the "enforce mode" for slapd to "complain mode". Then
updating the apparmor profile can be done with the tools provided.
Alternatively remove the profile for slapd in apparmor. I would not remove the
whole package, because then no appliocation can/will be protected.
Regards,
Ulrich
