
replication

ofreax 10 years ago
parent
commit
b8759c6f8a

+ 14 - 0
image/env.yml

@@ -11,3 +11,17 @@ USE_TLS: true
 SSL_CRT_FILENAME: ldap.crt
 SSL_KEY_FILENAME: ldap.key
 SSL_CA_CRT_FILENAME: ca.crt
+
+
+REPLICATION_SERVER_ID: 1
+REPLICATOR_DN: cn=replicator,dc=example,dc=org
+REPLICATOR_PASSWORD: replicator
+
+REPLICATION_HOSTS:
+  - ldap://ldap2.example.org:
+    - server_id: 2
+    - syncprov:
+      - binddn: cn=replicator,dc=example,dc=org
+      - credentials: replicator
+      - starttls: yes
+      - tls_reqcert: never
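Review bot: `starttls: yes` at the end of the hunk is a YAML 1.1 truthy value — a generic loader yields the boolean `true`, not the string `yes`, so whatever renders this into the syncrepl `starttls=` argument may emit `True`/`true` instead; quote it, `- starttls: "yes"`, or document which spelling the consumer expects. `tls_reqcert: never` in the same stanza disables server-certificate verification on the replication link, which is the connection that carries the `credentials:` value; if that is a local-testing default, say so, e.g. `# never: provider cert is not verified — use demand with a trusted CA outside local testing`. `REPLICATOR_PASSWORD: replicator` and the same cleartext value repeated under `credentials:` are committed into the image config; a comment stating that both must be overridden at deploy time would help. The list-of-single-key-maps shape under `REPLICATION_HOSTS` is awkward to consume; presumably a render step expects exactly this shape, which is worth confirming against it.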

+ 3 - 0
image/service/slapd/assets/config/bootstrap/index.ldif

@@ -0,0 +1,3 @@
+dn: olcDatabase={1}hdb,cn=config
+add: olcDbIndex
+olcDbIndex: uid eq,pres,sub
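Review bot: The record at `dn: olcDatabase={1}hdb,cn=config` has no `changetype: modify` before `add: olcDbIndex`, unlike the equivalent index change in replication-enable.ldif in this same commit, which does. With plain ldapmodify the default changetype is modify, but with ldapadd or `ldapmodify -a` the record is treated as an add of an entry that already exists and is rejected. Add `changetype: modify` after the `dn:` line so the file behaves the same regardless of how bootstrap applies it.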

+ 1 - 1
image/service/slapd/assets/config/bootstrap/logging.ldif

@@ -1,4 +1,4 @@
 dn: cn=config
 changetype: modify
 replace: olcLogLevel
-olcLogLevel: stats
+olcLogLevel: stats

+ 4 - 0
image/service/slapd/assets/config/replication/repl-enable.ldif

@@ -0,0 +1,4 @@
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModuleLoad: syncprov.la
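Review bot: This file repeats the four lines at `dn: cn=module,cn=config` that also appear as context in repl-module-enable.ldif, so a bootstrap that applies both would add the same `cn=module,cn=config` entry twice, and the second add is rejected as already existing. replication-enable.ldif additionally modifies `cn=module{0},cn=config` to load the same module, making three places in this commit that load syncprov; presumably only one of them is meant to run, and the others should be dropped or the split documented in a header comment.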

+ 72 - 0
image/service/slapd/assets/config/replication/repl-module-enable.ldif

@@ -1,4 +1,76 @@
+# add replicator user
+dn: $REPLICATOR_DN
+cn: replicator
+sn: user
+objectClass: person
+userPassword: $REPLICATOR_PASSWORD
+
+# sets up the config database
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcServerID: $SERVER_ID ldap://$SERVER_NAME
+
+# sets up syncrepl as a provider
 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
 olcModuleLoad: syncprov.la
+
+dn: cn=config
+changetype: modify
+replace: olcServerID
+olcServerID: 1 $URI1
+olcServerID: 2 $URI2
+olcServerID: 3 $URI3
+
+dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcSyncRepl
+olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
+ credentials=secret searchbase="cn=config" type=refreshAndPersist
+ retry="5 5 300 5" timeout=1
+
+olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
+ credentials=secret searchbase="cn=config" type=refreshAndPersist
+ retry="5 5 300 5" timeout=1
+
+olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
+ credentials=secret searchbase="cn=config" type=refreshAndPersist
+ retry="5 5 300 5" timeout=1
+-
+add: olcMirrorMode
+olcMirrorMode: TRUE
+
+
+dn: olcDatabase={1}$BACKEND,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olc${BACKEND}Config
+olcDatabase: {1}$BACKEND
+olcSuffix: $BASEDN
+olcDbDirectory: ./db
+olcRootDN: $MANAGERDN
+olcRootPW: $PASSWD
+olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
+olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
+ credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+ interval=00:00:00:10 retry="5 5 300 5" timeout=1
+olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
+ credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+ interval=00:00:00:10 retry="5 5 300 5" timeout=1
+olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
+ credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
+ interval=00:00:00:10 retry="5 5 300 5" timeout=1
+olcMirrorMode: TRUE
+
+dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
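Review bot: The replicator account created at `dn: $REPLICATOR_DN` is never used — the config-database syncrepl entries `rid=001` to `rid=003` bind as `cn=config` with the literal `credentials=secret`, and the data-database ones bind as `$MANAGERDN` with the root password. A fixed shared secret for cn=config replication baked into the image means every deployment's config database is readable to anyone who reads the image; the stanzas should bind as `binddn="$REPLICATOR_DN"` with `credentials=$REPLICATOR_PASSWORD` (plus an ACL granting that DN read access on the replicated suffixes), so the value in env.yml is what is actually used. The placeholders here (`$SERVER_ID`, `$SERVER_NAME`, `$URI1`..`$URI3`, `$BACKEND`, `$BASEDN`, `$MANAGERDN`, `$PASSWD`) do not match the names env.yml introduces (`REPLICATION_SERVER_ID`, `REPLICATION_HOSTS`, …); presumably a render step maps them, but if it does not, slapd receives the literal `$` strings. The `dn: cn=config` record with `objectClass: olcGlobal` and no changetype tries to add an entry that already exists in any running slapd, and the `changetype: modify` record later in the file replaces `olcServerID` anyway, so the first record looks redundant. `olcDbDirectory: ./db` is relative to slapd's working directory, whereas replication-enable.ldif uses an absolute `/var/lib/ldap/...` path; prefer the absolute form here too.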

+ 65 - 0
image/service/slapd/assets/config/replication/replication-enable.ldif

@@ -0,0 +1,65 @@
+# Add indexes to the frontend db.
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryCSN eq
+-
+add: olcDbIndex
+olcDbIndex: entryUUID eq
+-
+add: olcSyncRepl
+olcSyncRepl: rid=0 provider=ldap://ldap01.exemple.com bindmethod=simple binddn="cn=admin,dc=exemple,dc=com"
+ credentials=secret searchbase="dc=exemple,dc=com" logbase="cn=accesslog"
+ logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
+ type=refreshAndPersist retry="60 +" syncdata=accesslog
+-
+add: olcMirrorMode
+olcMirrorMode: TRUE
+
+#Load the syncprov and accesslog modules.
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: syncprov
+-
+add: olcModuleLoad
+olcModuleLoad: accesslog
+
+# Accesslog database definitions
+dn: olcDatabase={2}hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: {2}hdb
+olcDbDirectory: /var/lib/ldap/accesslog
+olcSuffix: cn=accesslog
+olcRootDN: cn=admin,dc=example,dc=com
+olcDbIndex: default eq
+olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
+
+# Accesslog db syncprov.
+dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+olcSpReloadHint: TRUE
+
+# syncrepl Provider for primary db
+dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+
+# accesslog overlay definitions for primary db
+dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcAccessLogConfig
+olcOverlay: accesslog
+olcAccessLogDB: cn=accesslog
+olcAccessLogOps: writes
+olcAccessLogSuccess: TRUE
+# scan the accesslog DB every day, and purge entries older than 7 days
+olcAccessLogPurge: 07+00:00 01+00:00
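Review bot: The `olcSyncRepl: rid=0` value near the top hard-codes `provider=ldap://ldap01.exemple.com`, `binddn="cn=admin,dc=exemple,dc=com"`, `credentials=secret` and `searchbase="dc=exemple,dc=com"`, while the accesslog database below uses `olcRootDN: cn=admin,dc=example,dc=com` — two spellings of the domain in one file, and none of them templated the way repl-module-enable.ldif's `$BASEDN`/`$MANAGERDN`/`$PASSWD` are. As written this consumer points at a fixed sample host with a sample password; replace the literal provider, bind DN, credentials and search base with the same placeholders the sibling file uses and settle on one spelling of the base DN. `syncdata=accesslog` with `logbase="cn=accesslog"` also requires the provider to run the accesslog overlay defined at the end of this file, so a header comment stating that both sides must apply it would save a replication that otherwise never converges.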

+ 3 - 0
image/service/slapd/container-start.sh

@@ -185,6 +185,9 @@ EOF
   if [ "${USE_REPLICATION,,}" == "true" ]; then
 
 
+    cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog
+    chown openldap:openldap /var/lib/ldap/accesslog
+
   else
 
     # disable replication
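Review bot: `cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog` runs without creating the destination first; if `/var/lib/ldap/accesslog` does not already exist, cp creates a regular file with that name and the following `chown` applies to that file, while replication-enable.ldif's `olcDbDirectory: /var/lib/ldap/accesslog` expects a directory. Add `mkdir -p /var/lib/ldap/accesslog` before the copy and make the ownership change recursive, `chown -R openldap:openldap /var/lib/ldap/accesslog`. The enclosing `if [ "${USE_REPLICATION,,}" == "true" ]` block continues past the hunk.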