replication

Author: BertrandGouny

image/env.yml

@@ -11,50 +11,16 @@ SSL_CRT_FILENAME: ldap.crt
 SSL_KEY_FILENAME: ldap.key
 SSL_CA_CRT_FILENAME: ca.crt
 
-USE_REPLICATION: false
+USE_REPLICATION: true
 
+# variables $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD
+# are automaticaly replaced at run time
+
+# if you want to add replication to an existing ldap
+# adapt REPLICATION_CONFIG_SYNCPROV and REPLICATION_HDB_CONFIG to your configuration
+# avoid using $BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
+REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
+REPLICATION_HDB_CONFIG: binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
 REPLICATION_HOSTS:
-  - ldap://ldap.example.org:
-    - server_id: 1
-    - syncprov_config:
-      - binddn: cn=admin,cn=config
-      - bindmethod: simple
-      - credentials: config
-      - searchbase: cn=config
-      - type: refreshAndPersist
-      - retry: 5 5 300 5
-      - timeout: 1
-      - starttls: critical
-      - tls_reqcert: demand
-    - syncprov_hdb:
-      - binddn: cn=admin,dc=example,dc=org
-      - bindmethod: simple
-      - credentials: test
-      - searchbase: dc=example,dc=org
-      - type: refreshAndPersist
-      - retry: 5 5 300 5
-      - timeout: 1
-      - starttls: critical
-      - tls_reqcert: demand
-  - ldap://ldap2.example.org:
-    - server_id: 1
-    - syncprov_config:
-      - binddn: cn=admin,cn=config
-      - bindmethod: simple
-      - credentials: config
-      - searchbase: cn=config
-      - type: refreshAndPersist
-      - retry: 5 5 300 5
-      - timeout: 1
-      - starttls: critical
-      - tls_reqcert: demand
-    - syncprov_hdb:
-      - binddn: cn=admin,dc=example,dc=org
-      - bindmethod: simple
-      - credentials: test
-      - searchbase: dc=example,dc=org
-      - type: refreshAndPersist
-      - retry: 5 5 300 5
-      - timeout: 1
-      - starttls: critical
-      - tls_reqcert: demand
+  - ldap://ldap.example.org # The order must be the same on all ldap servers
+  - ldap://ldap2.example.org

image/service/slapd/container-start.sh

@@ -2,6 +2,7 @@
 
 FIRST_START_DONE="/etc/docker-openldap-first-start-done"
 WAS_STARTED_WITH_TLS="/etc/ldap/slapd.d/docker-openldap-was-started-with-tls"
+WAS_STARTED_WITH_REPLICATION="/etc/ldap/slapd.d/docker-openldap-was-started-with-replication"
 
 # Reduce maximum number of number of open file descriptors to 1024
 # otherwise slapd consumes two orders of magnitude more of RAM
@@ -174,10 +175,6 @@ EOF
     echo "export PREVIOUS_SSL_KEY_FILENAME=${SSL_KEY_FILENAME}" >> $WAS_STARTED_WITH_TLS
     chmod +x $WAS_STARTED_WITH_TLS
 
-    # add localhost route to certificate cn (need docker 1.5.0)
-    cn=$(openssl x509 -in /osixia/slapd/assets/ssl/$SSL_CRT_FILENAME -subject -noout | sed -n 's/.*CN=\(.*\)\/*\(.*\)/\1/p')
-    echo "127.0.0.1 $cn" >> /etc/hosts
-
     # local ldap tls client config
     sed -i "s,TLS_CACERT.*,TLS_CACERT /osixia/slapd/assets/ssl/${SSL_CA_CRT_FILENAME},g" /etc/ldap/ldap.conf
 
@@ -194,135 +191,43 @@ EOF
   # replication config
   if [ "${USE_REPLICATION,,}" == "true" ]; then
 
-    echo "Set replication"
+    echo "Use replication"
 
     # copy template file
     cp /osixia/slapd/assets/config/replication/replication-enable-template.ldif /osixia/slapd/assets/config/replication/replication-enable.ldif
 
-    function addReplicationSyncRepl() {
-
-      local TYPE=$1
-      local HOST=$2
-      local INFOS=(${3})
-
-      olcSyncReplLine="olcSyncRepl:"
-
-      if [ "$TYPE" == "CONFIG" ]; then
-        olcSyncReplLine="$olcSyncReplLine rid=00$i"
-      else
-        olcSyncReplLine="$olcSyncReplLine rid=10$i"
-      fi
-
-      olcSyncReplLine="$olcSyncReplLine provider=$HOST"
-
-      for info in "${INFOS[@]}"
-      do
-
-        info=($info)
-        local key_value_pair=(${!info[0]})
-        local key=${!key_value_pair[0]}
-        local value=${!key_value_pair[1]}
-
-        olcSyncReplLine="$olcSyncReplLine $key=\"$value\""
-
-      done
-
-      if [ "$TYPE" == "CONFIG" ]; then
-        sed -i "s|{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|$olcSyncReplLine\n{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
-      else
-        sed -i "s|{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|$olcSyncReplLine\n{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
-      fi
-    }
-
-
-    # replication hosts config
-    function addReplicationHost() {
-
-      local HOST=$1
-      local INFOS=(${!2})
-
-      local SERVER_ID_FOUND=false
-      local SYNCPROV_CONFIG_OBJECT_FOUND=false
-      local SYNCPROV_HDB_OBJECT_FOUND=false
-
-      for info in "${INFOS[@]}"
-      do
-        info=($info)
-        local key_value_pair=(${!info[0]})
-        local key=${!key_value_pair[0]}
-        local value=${!key_value_pair[1]}
-
-        # olcServerID
-        if [ "$key" == "server_id" ]; then
-          sed -i "s|{{ REPLICATION_HOSTS }}|olcServerID: $value $HOST\n{{ REPLICATION_HOSTS }}|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
-          SERVER_ID_FOUND=true
-
-        # olcSyncRepl for config and hdb
-        elif [ "$key" == "syncprov_config" ]; then
-          addReplicationSyncRepl CONFIG $HOST "$value"
-          SYNCPROV_CONFIG_OBJECT_FOUND=true
-
-        elif [ "$key" == "syncprov_hdb" ]; then
-          addReplicationSyncRepl HDB $HOST "$value"
-          SYNCPROV_HDB_OBJECT_FOUND=true
-
-        fi
-      done
-
-      if ! $SERVER_ID_FOUND; then
-        echo "Error: Replication host ${HOST} must define a server_id"
-        exit 1
-      fi
-
-      if ! $SYNCPROV_CONFIG_OBJECT_FOUND; then
-        echo "Error: Replication host ${HOST} must define a syncprov_config object"
-        exit 1
-      fi
-
-      if ! $SYNCPROV_HDB_OBJECT_FOUND; then
-        echo "Error: Replication host ${HOST} must define a syncprov_hdb object"
-        exit 1
-      fi
-    }
-
     REPLICATION_HOSTS=($REPLICATION_HOSTS)
     i=1
     for host in "${REPLICATION_HOSTS[@]}"
     do
 
       #host var contain a variable name, we access to the variable value and cast it to a table
-      infos=(${!host})
+      host=${!host}
 
-      # it's a table of infos
-      if [ "${#infos[@]}" -gt "1" ]; then
-
-        addReplicationHost ${!infos[0]} ${infos[1]}
-
-      else
-        echo "Error: Replication host ${!host} must define a server_id, syncprov_config and syncprov_hdb object"
-        exit 1
-      fi
+      sed -i "s|{{ REPLICATION_HOSTS }}|olcServerID: $i ${host}\n{{ REPLICATION_HOSTS }}|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "s|{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|olcSyncRepl: rid=00$i provider=${host} ${REPLICATION_CONFIG_SYNCPROV}\n{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
+      sed -i "s|{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|olcSyncRepl: rid=10$i provider=${host} ${REPLICATION_HDB_CONFIG}\n{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
 
       ((i++))
     done
 
+    get_base_dn
+    sed -i "s|\$BASE_DN|$BASE_DN|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
+    sed -i "s|\$LDAP_ADMIN_PASSWORD|$LDAP_ADMIN_PASSWORD|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
+    sed -i "s|\$LDAP_CONFIG_PASSWORD|$LDAP_CONFIG_PASSWORD|g" /osixia/slapd/assets/config/replication/replication-enable.ldif
 
     sed -i "/{{ REPLICATION_HOSTS }}/d" /osixia/slapd/assets/config/replication/replication-enable.ldif
     sed -i "/{{ REPLICATION_HOSTS_CONFIG_SYNC_REPL }}/d" /osixia/slapd/assets/config/replication/replication-enable.ldif
     sed -i "/{{ REPLICATION_HOSTS_HDB_SYNC_REPL }}/d" /osixia/slapd/assets/config/replication/replication-enable.ldif
 
-    cat /osixia/slapd/assets/config/replication/replication-enable.ldif
-    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/assets/config/replication/replication-enable.ldif -v -d -1
+    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/assets/config/replication/replication-enable.ldif
+    touch $WAS_STARTED_WITH_REPLICATION
 
   else
 
-    echo "Don't set replication"
-
-    # disable replication
-    #for f in $(find /osixia/slapd/config/replication -name \*-disable.ldif -type f); do
-    #  echo "Processing file ${f}"
-    #  ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $f
-    # done
+    echo "Don't use replication"
+    [[ -f "$WAS_STARTED_WITH_REPLICATION" ]] && rm -f "$WAS_STARTED_WITH_REPLICATION"
+    ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// -f /osixia/slapd/assets/config/replication/replication-disable.ldif || true
 
   fi