8.3 Using An External LDAP Server
A replication user, syncuser, with password secret, can be
added to the provider LDAP with adequate rights using the following
syncuser.ldif file:
dn: cn=syncuser,<suffix>
objectClass: person
cn: syncuser
sn: syncuser
userPassword: secret
Here, <suffix> is the suffix set in slapd.conf, which is initially something like dc=example,dc=com. The syncuser is added using:
ldapadd -x -D "cn=root,<suffix>" -W -f syncuser.ldif
This prompts for the root password configured in slapd.conf.
To verify that syncuser is in the LDAP database, the output of ldapsearch
can be checked:
ldapsearch -x "(sn=syncuser)"
To allow syncuser read access to the userPassword attribute, the following lines in slapd.conf are changed, from:
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
to:
access to attrs=userPassword
    by self write
    by dn="cn=syncuser,<suffix>" read
    by anonymous auth
    by * none
Provider configuration is now complete and the server can be restarted
using /etc/init.d/ldap restart.
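OpenLDAP evaluates the by clauses of an access directive in order and stops at the first one that matches the requester, so the placement of the syncuser line above by * none is what makes the change above work. The following script is an added example, not part of the manual or of Bright Cluster Manager: it parses the before and after stanzas (with a constructed suffix dc=example,dc=com) plus a deliberately mis-ordered variant, and simulates first-match evaluation for a given bind DN. It only understands the who forms used on this page (self, anonymous, users, *, dn="..."), not the full slapd.conf ACL syntax.

```python
"""Simulate OpenLDAP first-match evaluation of `access to attrs=userPassword`.

Added illustration; the ACL texts below are constructed to mirror the manual's
before/after stanzas with the suffix dc=example,dc=com filled in.
"""
import re

ACL_BEFORE = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""

ACL_AFTER = """\
access to attrs=userPassword
    by self write
    by dn="cn=syncuser,dc=example,dc=com" read
    by anonymous auth
    by * none
"""

# Constructed mistake: the syncuser clause is placed after the catch-all,
# so it can never be reached.
ACL_MISORDERED = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
    by dn="cn=syncuser,dc=example,dc=com" read
"""

# slapd.conf access levels, weakest to strongest; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Only the `who` forms that appear on this page are recognised (assumption).
BY_RE = re.compile(r'^\s*by\s+(self|anonymous|users|\*|dn="([^"]*)")\s+(\w+)\s*$')


def parse_by_clauses(acl_text):
    """Return the ordered list of (who, dn, level) tuples from the `by` lines."""
    clauses = []
    for line in acl_text.splitlines():
        m = BY_RE.match(line)
        if not m:
            continue  # the `access to ...` header and unknown lines are skipped
        who, dn, level = m.group(1), m.group(2), m.group(3)
        if dn is not None:
            who = "dn"
        clauses.append((who, dn, level))
    return clauses


def effective_access(acl_text, bind_dn, target_dn):
    """First clause that matches the requester wins; bind_dn=None means anonymous."""
    for who, dn, level in parse_by_clauses(acl_text):
        if who == "self" and bind_dn is not None and bind_dn.lower() == target_dn.lower():
            return level
        if who == "anonymous" and bind_dn is None:
            return level
        if who == "users" and bind_dn is not None:
            return level
        if who == "dn" and bind_dn is not None and bind_dn.lower() == dn.lower():
            return level
        if who == "*":
            return level
    return "none"  # nothing matched: slapd denies by default


def grants(level, wanted):
    """True if `level` is at least as strong as `wanted`."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


def syncuser_can_read_passwords(acl_text, syncuser_dn, some_other_entry):
    """Does the replication user get the `read` it needs on another entry's password?"""
    return grants(effective_access(acl_text, syncuser_dn, some_other_entry), "read")


if __name__ == "__main__":
    sync = "cn=syncuser,dc=example,dc=com"
    alice = "uid=alice,dc=example,dc=com"
    for name, acl in [("before", ACL_BEFORE), ("after", ACL_AFTER), ("misordered", ACL_MISORDERED)]:
        print(name, effective_access(acl, sync, alice), syncuser_can_read_passwords(acl, sync, alice))
```

Running it shows syncuser getting none with the original stanza, read with the corrected one, and none again when the dn clause is appended below by * none; an ordinary user still gets write on its own password and anonymous binds still get auth in every variant.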
External LDAP Server Replication: Configuring The Consumer(s)
The consumer is an LDAP server on a Bright Cluster Manager head node.
It is configured to replicate with the provider by adding the following
lines to /cm/local/apps/openldap/etc/slapd.conf:
syncrepl rid=2
    provider=ldap://external.ldap.server
    type=refreshOnly
    interval=01:00:00:00
    searchbase=<suffix>
    scope=sub
    schemachecking=off
    binddn=cn=syncuser,<suffix>
    bindmethod=simple
    credentials=secret
Here:
• The rid=2 value is chosen to avoid conflict with the rid=1 setting
used during high availability configuration (section 8.3.2).
© Bright Computing, Inc.
277