I have some basic experience interacting with & troubleshooting OpenLDAP as well as
389-ds, but I don't have a whole lot of experience setting them up or configuring an
OpenLDAP server.
My goal is to set up replication from a Primary inside a trusted network outwards to a
Replica that is in an untrusted network, without allowing the replica any direct access to the primary, due to firewall flows and network requirements. This is true even for the
initial connection, so a simple RefreshAndPersist configuration won't work.
I have read that it is possible to set up a push-based replication using a proxy, such
that:
- The proxy gets installed as a "hidden" database onto the same server as the
primary
- The proxy sets up replication with the primary using RefreshAndPersist
- The proxy is then able to push the data out of the replica
I have skimmed over, and re-read, a lot of portions from this
document: https://www.openldap.org/doc/admin24/replication.html
I have also followed this basic guide to set up a Primary with replication
capability: https://ubuntu.com/server/docs/service-ldap-replication
What I'm having trouble with is finding a useful guide that will walk me through the
process to set up and configure the proxy as I've described above.
In my research & attempts at setting this up, I have learned how to load & enable modules, turn on logging, and set up TLS support.
I currently have OpenLDAP 2.4 running on Ubuntu 20.04 from the Ubuntu repositories (slapd and ldap-utils installed with apt).
Here are the modules currently enabled:
root@davidw-ldap-provider-with-proxy:~# slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}pcache
olcModuleLoad: {2}back_ldap
olcModuleLoad: {3}syncprov
olcModuleLoad: {4}back_monitor
olcModuleLoad: {5}rwm
Here's the logging setting:
root@davidw-ldap-provider-with-proxy:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: Sync
olcLogLevel: stats
We can see in the above output that I have the back_ldap
(a backend to OpenLDAP) and syncprov
(an overlay) modules loaded. I'm now trying to follow the guide at https://www.pixelstech.net/article/1509263631-OpenLDAP-Proxy----slapd-conf to set up the proxy. I have added the following to /etc/ldap/ldap.conf:
modulepath /usr/lib/ldap
moduleload back_bdb.la
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri: "ldapi:///"
suffix "dc=ma,dc=us,dc=example,dc=com"
overlay rwm
I am trying to convert this to ldif with the following command, which is producing an error that "ldap" is an Unrecognized database type:
root@davidw-ldap-provider-with-proxy:~# slaptest -f /etc/ldap/ldap.conf -F /etc/ldap/slapd.d/
Unrecognized database type (ldap)
61ccaacf /etc/ldap/ldap.conf: line 21: <database> failed init (ldap)
slaptest: bad configuration directory!
Questions
- Why am I getting this "Unrecognized database type" error message, even though we can prove that the ldap backend is loaded?
- Once I get the proxy setup, where can I find helpful instructions for meeting the remaining requirements of my project? I have sent a few emails to the openldap mailing list at https://lists.openldap.org/hyperkitty/list/[email protected]/thread/UDTYKW6AEDR2ALY43V2DQZSL7AVTG5GB/, as I'm pretty stuck, and don't really know how to move forward. For a while, I tried to compile v2.5 from source, but wasn't able to get anywhere near as far with that configuration as I was able to get using the Ubuntu packages, so I'm back to trying to set things up with the standard packages from apt.
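For reference, here is what the push-mode proxy described in the question looks like in cn=config form. This is an added example modeled on the "Syncrepl Proxy Mode" section of the OpenLDAP admin guide linked above (which gives it as slapd.conf), not the poster's configuration. It assumes the back_ldap and syncprov modules are already loaded (as the slapcat output shows), that the existing mdb database is {1} so the proxy becomes {2}, and that REPLICA_HOST, the cn=admin bind DN and the CHANGEME credentials are placeholders; the suffix is the one from the question.

```ldif
# Added example: a hidden back_ldap "proxy" database inside the primary's
# own slapd.  The syncrepl consumer runs here, pulls from the primary over
# ldapi:///, and every write it performs is forwarded by back_ldap to the
# replica, so the only connection ever opened is outbound from the
# primary's host to the replica.
# Apply with:  ldapadd -Y EXTERNAL -H ldapi:/// -f proxy.ldif
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
# hidden: never selected to answer queries, and its suffix is ignored in
# conflict checks, so it may share the primary's suffix in the same slapd
olcHidden: TRUE
olcSuffix: dc=ma,dc=us,dc=example,dc=com
olcRootDN: cn=slapd-ldap
# Outbound target: the replica in the untrusted network (placeholder host)
olcDbURI: ldap://REPLICA_HOST/
# Keep entryCSN/contextCSN on forwarded writes so the replica stays in sync
olcLastMod: TRUE
# Nobody needs to query the proxy directly
olcRestrict: all
# Identity used when writing into the replica; it must be allowed to write
# there (for example the replica's own olcRootDN).  Placeholder credentials.
olcDbACLBind: bind-method=simple
  binddn="cn=admin,dc=ma,dc=us,dc=example,dc=com"
  credentials=CHANGEME
# Consumer side: refreshAndPersist against the primary on this same host
olcSyncrepl: rid=001
  provider=ldapi:///
  bindmethod=simple
  binddn="cn=admin,dc=ma,dc=us,dc=example,dc=com"
  credentials=CHANGEME
  searchbase="dc=ma,dc=us,dc=example,dc=com"
  type=refreshAndPersist
  retry="5 5 300 5"

# syncprov on the proxy, as in the admin guide's example
dn: olcOverlay=syncprov,olcDatabase={2}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
```

Continuation lines in the LDIF start with two spaces on purpose: LDIF strips the first one, so the second keeps the tokens of the multi-word values separated. Note also that a readonly proxy database (as in the question's draft) would reject the consumer's writes, so the proxy must stay writable.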