This drove me close to insanity, but I got there eventually!
I found an old discussion on the Synology forum http://forum.synology.com/enu/viewtopic.php?f=183&t=55020 and was optimistic it’d be pretty simple. The thread talks about compiling a later version of OpenLDAP from source, but the version included (in DSM5.0) is later than that discussed;
file-20> slapd -VV
@(#) $OpenLDAP: slapd 2.4.34 (Feb 27 2014 03:17:07) $
        root@build3:/source/openldap-2.4.x/servers/slapd
I tried configuring my provider and consumer using the example and referring to http://www.openldap.org/doc/admin23/syncrepl.html but wasn’t getting anywhere (after changing slapd.conf I would disable and re-enable the LDAP server through the web UI). I was getting an error “Permission denied. Please contact the server administrator.” and an entry in /var/log/messages;
file-20> tail /var/log/messages
Aug 14 21:51:59 file-20 ldap.cgi: ldap_server_default_add.c:146 add [admin] to [cn=Directory Operators,cn=groups,dc=example,dc=com] failed, ldap_insufficient_access (53)
Oddly the slapd process continues to run, but no replication is taking place. I believed the error might be because the admin account is locked in some way and won’t allow any modification. I tried adding a filter;
filter="(!cn=admin)"
This prevented the error message popping up and the error in /var/log/messages but still no replication was taking place.
I imagine it would have been a trivial task on a standard Linux distribution, but it seems OpenLDAP has been compiled without debugging support;
file-20> slapd -d 1
must compile with LDAP_DEBUG for debugging
So there’s no real feedback as to what is (or isn’t) working.
After blindly fumbling around for hours I decided to try and compile myself so I could debug. This itself was a mammoth chore!
I wanted to stick with the same version currently running on DSM5.0, so I started with the source for 2.4.34 from http://www.openldap.org/software/download/OpenLDAP/openldap-release/
In order to cross compile I followed the Synology 3rd-Party Package Developers guide; http://www.synology.com/en-uk/support/third_party_app_int. I had a spare Ubuntu machine I could use for compiling… I needed the DSM5.0 toolchain from http://sourceforge.net/projects/dsgpl/files/DSM%205.0%20Tool%20Chains/ as I’m using the DS214, which apparently has a Marvell Armada XP processor. And extracted the archive;
tar zxpf gcc464_glibc215_hard_armada-GPL.tgz -C /usr/local/
Then Berkeley DB 5.1.25 from http://pkgs.fedoraproject.org/repo/pkgs/libdb/db-5.1.25.tar.gz/06656429bfc1abb6c0498eaeff70cd04/
tar xvf db-5.1.25.tar.gz
cd db-5.1.25
cd build_unix
export CC=/usr/local/arm-marvell-linux-gnueabi/bin/arm-marvell-linux-gnueabi-gcc
export LD=/usr/local/arm-marvell-linux-gnueabi/bin/arm-marvell-linux-gnueabi-ld
export RANLIB=/usr/local/arm-marvell-linux-gnueabi/bin/arm-marvell-linux-gnueabi-ranlib
export CFLAGS="-I/usr/local/arm-marvell-linux-gnueabi/arm-marvell-linux-gnueabi/libc/include -mhard-float -mfpu=vfpv3-d16"
export LDFLAGS="-L/usr/local/arm-marvell-linux-gnueabi/arm-marvell-linux-gnueabi/libc/lib"
../dist/configure --host=armle-unknown-linux --target=armle-unknown-linux --build=i686-pc-linux --prefix=/usr/local
I also had to install;
sudo apt-get install lib32z1
Now I was able to configure OpenLDAP;
export LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.5.1/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.5.1/lib"
export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.5.1/lib
export LD_RUN_PATH=/usr/local/BerkeleyDB.5.1/lib
export CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include"
./configure --host=armle-unknown-linux --target=armle-unknown-linux --build=i686-pc-linux --prefix=/usr/local --with-yielding-select=no --enable-crypt
But when I tried to;
make depend
make
I received an error: undefined reference to `lutil_memcmp'. http://zhuqy.wordpress.com/2010/04/22/cross-compile-openldap-error-undefined-reference-to-lutil_memcmp/ put me straight: I just had to comment out a line in include/portable.h;
//#define NEED_MEMCMP_REPLACEMENT 1
make was now successful and I moved my newly compiled slapd to the Synology DiskStation, chown’d & chmod’d it, and tested debug… we see an instant result;
file-20> chown root:root slapd.me
file-20> chmod 755 slapd.me
file-20> slapd.me -d 1
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
Now I disabled the directory server in the web UI and instead ran my new version from the command line with debug level 1;
./slapd.me -d 1 -f /usr/syno/etc/openldap/slapd.conf
It failed with an error referring to;
password-hash {CRYPT}
Turns out I had to recompile slapd with --enable-crypt. I copied the newly compiled slapd over, ran it again with -d 1, and now I could see it failing with an error relating to an invalid filter;
filter="(!cn=admin)"
So I removed this and tried again; now;
ldap_sasl_bind_s failed
I think that sent me in the wrong direction (I thought it was an SSL/TLS/authentication issue) and I spent hours messing with certificates, unsupported TLS configuration parameters etc. but got nowhere. Eventually I determined this error essentially means “can’t connect”. I then tried without SSL and, as if by magic, everything sprang to life!
Here are the lines I added to the default slapd.conf on the provider;
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10
And the consumer;
index entryCSN eq
index entryUUID eq
syncrepl rid=20
  provider=ldap://192.168.10.250
  type=refreshAndPersist
  interval=00:00:10:00
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="uid=admin,cn=users,dc=example,dc=com"
  credentials=password
  scope=sub
  retry="60 +"
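A small checker for the provider and consumer fragments above, added here as an example and not part of the original post or of Synology's packages: it joins slapd.conf continuation lines, parses the syncrepl parameters, confirms the entryCSN/entryUUID indexes are present, and flags what a defender would want to know about this working setup, namely that the consumer binds over plain ldap:// (SSL was dropped to get replication going) and that the admin bind password sits in the config file. The sample configs are constructed from the snippets above; the starttls= parameter it looks for is a standard syncrepl option.

```python
import re
# Constructed sample: the provider-side lines from the post.
PROVIDER_CONF = """\
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10
"""
# Constructed sample: the consumer-side lines from the post (plain ldap://, no TLS).
CONSUMER_CONF = """\
index entryCSN eq
index entryUUID eq
syncrepl rid=20
  provider=ldap://192.168.10.250
  type=refreshAndPersist
  interval=00:00:10:00
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="uid=admin,cn=users,dc=example,dc=com"
  credentials=password
  scope=sub
  retry="60 +"
"""

def directives(conf):
    """Yield (name, args) per directive; indented lines continue the previous one."""
    for line in re.sub(r"\n[ \t]+", " ", conf).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name, args.strip()

def syncrepl_params(args):
    """Parse the key=value pairs of a syncrepl directive (values may be double-quoted)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', args)}

def audit(conf):
    """Return findings for one slapd.conf fragment; an empty list means nothing to flag."""
    seen = list(directives(conf))
    # 'index a,b eq' indexes several attributes at once, so split on commas too.
    indexed = {x for n, a in seen if n == "index" for x in a.split()[0].split(",")}
    found = [f"missing 'index {x} eq': syncrepl searches will be unindexed"
             for x in ("entryCSN", "entryUUID") if x not in indexed]
    for p in (syncrepl_params(a) for n, a in seen if n == "syncrepl"):
        if p.get("provider", "").startswith("ldap://") and p.get("starttls") not in ("yes", "critical"):
            found.append("plain ldap:// without starttls: bind password and directory data cross the wire in clear")
        if p.get("bindmethod") == "simple" and "credentials" in p:
            found.append("simple-bind password is stored in slapd.conf: keep the file root-only (mode 0600)")
    return found
```

Call audit() on each side's fragment; the provider fragment above comes back clean, the consumer fragment reports the cleartext transport and the stored password.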
If you want to download my compiled version of slapd you can find it here; https://www.dropbox.com/s/sfb06uo0leqxqq9/slapd
I hope this will help you!
Just made a try with your configuration for synchronizing and LDAP between 2 Syno: DS414 & DS413j on 2 different sites (connected via a VPN).
It works just fine. I was just obliged to manually set the “admin” password on the master node to the same password I am using with the Syno or the SSH root user and it worked (password set as credentials). Looks like its value was different. I didn’t recompile anything and used the default packages.
Users are now replicated. Just have to play with applications now…
Did you make the change to the ACL?
Have you tried authenticating/logging in using a replicated user?
Are you using LDAP just for fileserver access or also for logging on to your client machines etc?
Yes, I made the ACL modification, just in case.
My current main problem is that I have everything on the replicated server except the group membership. Groups are shown as empty, except for user admin.
Small update: I made a group modification on the master node and groups are now correctly shown on the replicated node.
I have now to configure LDAP use on this site as no applications were using LDAP there.
Hi,
I’ve come across the same problem, namely we’d like to do a master-slave replication between internal and external instances to provide an automatic failover solution using a load balancer.
Looking at a user created in Synology’s LDAP Server package I notice that apart from the default objectClasses on our CentOS OpenLDAP such as:
extensibleObject
inetOrgPerson
organizationalPerson
person
posixAccount
top
we find additional:
apple-user*
sambaIdmapEntry*
sambaSamAccount*
shadowAccount
* – these are missing in the standard CentOS openldap package
Attributes set:
cn=somename
gidNumber=1000001
homeDirectory=/home/somename
sambaSID=S-1-5-21-3221543215-2164843619-7529522612-6931
sn=somename
uid=1000001
authAuthority=;basic;
departmentNumber=SOMEVAL
displayName=somename
employeeNumber=001
employeeType=TEST
gecos=somestring
loginShell=/bin/sh
mail=some@email.com
sambaAcctFlags=[U ]
sambaLMPassword=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword=838D0129364CDA83611A77EGA9835FD3
sambaPwdLastSet=1415323080
shadowExpire=-1
shadowFlag=0
shadowInactive=0
shadowLastChange=16389
shadowMax=99999
shadowMin=0
shadowWarning=7
title=sometitle
userPassword=password
So, I thought maybe it’ll be easier to host LDAP on Synology in an office where all these objectClasses are already integrated and simply replicate to the external Centos OpenLDAP instance. We would have to add the missing objectClasses to it before replication is started.
Should this approach avoid making manual changes/hacking to the Synology’s LDAP instance so we don’t have to worry about future DSM updates, and how would you go about it? I’m considering multi-master replication, though we’d have to enforce CRUD operations on Synology or ensure we write all the above necessary attributes on the external instance.
Also, would you be interested in 1-1 consulting?
Why are you looking at replication? It is important to consider the “why”.
I also believe, in 80% of situations you’ll want to do n-way master rather than master/slave.
I’m not too concerned about the changes being lost during an update- as long as they’re documented they’ll be trivial to re-apply (and, to date, they’ve yet to be lost during an upgrade).
And you will still need to make a few tweaks on the Syno end even if replicating to non-Syno.
Certainly interested- drop me an e-mail lee@tickett.net
Thanks