Solution
Prerequisites
These instructions guide you through the following scenario: Axigen has the following domains defined:
domain1.tld1
domain2.tld2
and you want to synchronize Axigen to LDAP, LDAP to Axigen, or both ways. If desired, authentication against the LDAP directory is also possible.
OpenLDAP configuration
We shall define one database whose directory tree base (suffix) is "dc=base" in slapd.conf. A minimal slapd.conf sample follows. Note that rootpw is shown in clear text only for brevity: in a real deployment put a hash generated with slappasswd (for example an {SSHA} value) there instead, and keep slapd.conf readable only by the user slapd runs as, since whoever can read it owns the directory.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/axigen.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap/openldap
moduleload back_passwd.so
moduleload memberof.la
moduleload syncprov.la
serverID 1
database bdb
suffix "dc=base"
rootdn "cn=admin,dc=base"
rootpw secret
directory /var/lib/openldap/base
index objectClass eq
index ou,cn,mail,surname,givenname eq,pres,sub
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 100 30
syncprov-sessionlog 100
overlay memberof
memberof-refint true
Initialize the LDAP structure from an LDIF file laid out for later use with Axigen. In our example we shall use the following (each entry starts with its dn and entries are separated by blank lines, as LDIF requires):
dn: dc=base
objectClass: dcObject
objectClass: organization
dc: base
o: base

dn: dc=tld1,dc=base
objectClass: dcObject
objectClass: organization
dc: tld1
o: tld1

dn: dc=tld2,dc=base
objectClass: dcObject
objectClass: organization
dc: tld2
o: tld2

dn: dc=domain1,dc=tld1,dc=base
objectClass: dcObject
objectClass: organization
dc: domain1
o: domain1

dn: dc=domain2,dc=tld2,dc=base
objectClass: dcObject
objectClass: organization
dc: domain2
o: domain2

dn: ou=users,dc=domain1,dc=tld1,dc=base
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=domain1,dc=tld1,dc=base
objectClass: organizationalUnit
ou: groups

dn: ou=users,dc=domain2,dc=tld2,dc=base
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=domain2,dc=tld2,dc=base
objectClass: organizationalUnit
ou: groups
This structure is useful if you have more domains ending in tld1 or tld2, because they can be gathered under the same dc=tldX subtree. The tree below shows that general shape, with two domains under each TLD; the sample LDIF above defines only domain1 under tld1 and domain2 under tld2:
                base
                  |
        -------------------
        |                 |
       tld1              tld2
        |                 |
   -----------       -----------
   |         |       |         |
domain1   domain2 domain1   domain2
Use the following command to import the ldif file:
Try searching the LDAP structure from different search bases. The commands below use an anonymous simple bind (-x without -D); this works because the sample slapd.conf contains no access directives and OpenLDAP's default policy then grants read access to everyone, so add "access to" rules before exposing the server beyond a test network:
ldapsearch -b "dc=base" -x
ldapsearch -b "dc=tld1,dc=base" -x
ldapsearch -b "dc=domain1,dc=tld1,dc=base" -x
ldapsearch -b "dc=tld2,dc=base" -x
ldapsearch -b "dc=domain2,dc=tld2,dc=base" -x
or bind as a specific user with the -D option (the distinguished name to bind as; -W prompts for its password):
ldapsearch -b "dc=base" -D "cn=admin,dc=base" -W -x
ldapsearch -b "dc=tld1,dc=base" -D "cn=admin,dc=base" -W -x
and so on.
Now we shall configure a single connector that will be used by all domains. Navigate via Webadmin -> Clustering -> Clustering Setup and define a new connector:
LDAP Connector name: Generic (we name the connector "generic" since it will be used by all domains)
LDAP Server Parameters
IP / Hostname: the IP address and port of the LDAP server; the port is usually 389. On plain port 389 the administrative DN and its password cross the network in clear text, so keep the LDAP server on a trusted network segment or use a TLS-protected connection where both sides support it.
Server type: OpenLDAP
Synchronization direction: Axigen to LDAP (you can choose any of the options)
Use Administrative DN: cn=admin,dc=base (you must also type the password set in slapd.conf under rootpw). This is the directory's rootdn, which bypasses all ACLs; for production a dedicated bind DN, restricted by slapd.conf "access to" directives to the ou=users and ou=groups subtrees it must read and write, is preferable.
Account base DN: ou=users,%x,dc=base (%x expands, for the domain being synchronized, to dc=domainX,dc=tldX: dc=domain1,dc=tld1 for domain1.tld1 and dc=domain2,dc=tld2 for domain2.tld2, so the account base DN becomes ou=users,dc=domain1,dc=tld1,dc=base and ou=users,dc=domain2,dc=tld2,dc=base respectively)
Enable Group Synchronization
Group base DN: ou=groups,%x,dc=base (%x expands in the same way, giving ou=groups,dc=domain1,dc=tld1,dc=base and ou=groups,dc=domain2,dc=tld2,dc=base)
Save the connector and enable LDAP synchronization on each domain using the "generic" connector via Webadmin -> Domains & Accounts -> Manage Domains -> Edit.
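The following script is an added example, not part of this page or of Axigen or OpenLDAP; it ties together the LDIF tree from the "Initializing the LDAP structure" section and the %x expansion described for the connector's Account base DN and Group base DN. It generates the dc tree plus ou=users and ou=groups for any list of mail domains (going beyond the page's two domains: domains sharing a TLD get one shared dc=tldX entry, emitted before its children, as ldapadd requires), expands the two templates for each domain, and checks that every expanded base DN actually exists in the generated LDIF, which is the first thing to verify when a connector synchronizes nothing for a domain. The domain list, the label validation and the function names are assumptions made for this example.

```python
import re

# Directory suffix and connector base DN templates, as given on the page.
BASE_DN = "dc=base"
ACCOUNT_BASE_TEMPLATE = "ou=users,%x,dc=base"
GROUP_BASE_TEMPLATE = "ou=groups,%x,dc=base"

# DNS hostname label: letters, digits, hyphens, no leading or trailing hyphen.
# Rejecting anything else keeps commas, '=' and other DN metacharacters from a
# mistyped domain name out of the generated DNs (assumed check, not Axigen's).
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def domain_labels(domain):
    """Split 'domain1.tld1' into ['domain1', 'tld1'] after validating each label."""
    labels = domain.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(_LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError(f"not a usable mail domain name: {domain!r}")
    return labels


def domain_dn_part(domain):
    """The value the connector substitutes for %x: dc=domain1,dc=tld1 for domain1.tld1."""
    return ",".join(f"dc={label}" for label in domain_labels(domain))


def expand_placeholder(template, domain):
    """Expand a base DN template such as 'ou=users,%x,dc=base' for one domain."""
    return template.replace("%x", domain_dn_part(domain))


def build_ldif(domains):
    """Emit LDIF for the dc tree plus ou=users and ou=groups under every domain.

    Entries are emitted parents-first and each DN only once, so two domains
    sharing a TLD share one dc=tldX entry and no child precedes its parent.
    """
    entries = []  # ordered (dn, attribute lines)
    seen = set()

    def add(dn, lines):
        if dn not in seen:
            seen.add(dn)
            entries.append((dn, lines))

    add(BASE_DN, ["objectClass: dcObject", "objectClass: organization",
                  "dc: base", "o: base"])
    for domain in domains:
        dn = BASE_DN
        # Walk from the TLD down to the full domain name so parents come first.
        for label in reversed(domain_labels(domain)):
            dn = f"dc={label},{dn}"
            add(dn, ["objectClass: dcObject", "objectClass: organization",
                     f"dc: {label}", f"o: {label}"])
        for ou in ("users", "groups"):
            add(f"ou={ou},{dn}", ["objectClass: organizationalUnit", f"ou: {ou}"])
    return "\n\n".join(f"dn: {dn}\n" + "\n".join(lines) for dn, lines in entries) + "\n"


def check_connector_bases(domains, ldif_text):
    """Expand both templates per domain and report whether the resulting DNs are
    entries in the LDIF. A domain whose name does not match the tree is the usual
    reason a connector finds no accounts or groups for it."""
    present = {line[len("dn: "):] for line in ldif_text.splitlines()
               if line.startswith("dn: ")}
    report = {}
    for domain in domains:
        accounts = expand_placeholder(ACCOUNT_BASE_TEMPLATE, domain)
        groups = expand_placeholder(GROUP_BASE_TEMPLATE, domain)
        report[domain] = {"accounts": accounts, "groups": groups,
                          "ok": accounts in present and groups in present}
    return report


if __name__ == "__main__":
    # Constructed domain list: the page's two domains plus a third under tld1,
    # which shows that dc=tld1,dc=base is created only once.
    domains = ["domain1.tld1", "domain2.tld2", "domain3.tld1"]
    ldif = build_ldif(domains)
    print(ldif)
    # domain9.tld1 is deliberately absent from the tree to show a failing check.
    for domain, r in check_connector_bases(domains + ["domain9.tld1"], ldif).items():
        status = "ok" if r["ok"] else "MISSING"
        print(f"{domain}: accounts={r['accounts']} groups={r['groups']} -> {status}")
```

Redirect the printed LDIF to a file and load it with the standard OpenLDAP client, for example ldapadd -x -D "cn=admin,dc=base" -W -f base.ldif (assumed invocation; -W prompts for the rootpw value), then run the ldapsearch checks above against the new subtrees before enabling the connector on a domain.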
NOTE: It is strongly recommended that you fully test the above instructions using domains defined for this purpose and not the actual domains.