LDAP replication between Synology DSM and OpenBSD
I want my OpenBSD 6.4 services to authenticate users from a remote LDAP server; namely a Synology Directory Server (DSM 6.2.x). It turns out that this is a standard OpenLDAP 2.4.x configured to accept replication in refreshAndPersist mode. So let’s configure a Primary / Secondary replication setup between Synology and OpenBSD.
Get stuff from Synology (Primary)
From the DSM instance, we’ll need the extra LDAP schemas (which don’t come with the OpenLDAP release on OpenBSD) and an initial dump of the data:
root@synology:~# cd /usr/syno/etc.defaults/openldap/schema/
root@synology:/usr/syno/etc.defaults/openldap/schema/# \
tar cvzpf ~/syno-schemas.tar.gz apple.schema \
apple_auxillary.schema samba.schema syno.schema
apple.schema
apple_auxillary.schema
samba.schema
syno.schema
root@synology:~# slapcat -F /var/packages/DirectoryServer/target/etc/data/slapd.d \
> syno-dump.ldif
5bd85e20 [monitor.c:362] bdb_monitor_db_open: monitoring disabled; \
configure monitor database to enable
Then, simply transfer both files to the OpenBSD server.
Configure stuff on OpenBSD (Secondary)
First of all, install and enable OpenLDAP:
# pkg_add openldap-server-2.4.45p5
# rcctl enable slapd
# rcctl set slapd flags -h ldap://127.0.0.1
Then install the schema files:
# tar xvzpf syno-schemas.tar.gz -C /etc/openldap/schema/
apple.schema
apple_auxillary.schema
samba.schema
syno.schema
There is a small modification to apply to the syno.schema file:
# diff -U2 /etc/openldap/schema/syno.schema.orig /etc/openldap/schema/syno.schema
--- /etc/openldap/schema/syno.schema.orig Fri Sep 7 10:56:21 2018
+++ /etc/openldap/schema/syno.schema Tue Oct 30 15:00:13 2018
@@ -146,5 +146,5 @@
attributetype ( 1.3.6.1.4.1.6574.5.2.1.25
- NAME 'SynoExcludeCommonPwd'
+ NAME 'pwdSynoExcludeCommonPwd'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
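Review bot: the rename of NAME 'SynoExcludeCommonPwd' to 'pwdSynoExcludeCommonPwd' in this hunk is not explained; record the reason (for instance the slaptest error it fixes) so the edit gets reapplied whenever the schema is refreshed from the Synology. Since the OID 1.3.6.1.4.1.6574.5.2.1.25 is unchanged, an alias list such as NAME ( 'pwdSynoExcludeCommonPwd' 'SynoExcludeCommonPwd' ) would keep both spellings resolvable, whichever one the dump and the provider emit.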
Configure OpenLDAP with the Synology schemas and suffix, and enable replication:
# vi /etc/openldap/slapd.conf
(...)
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/apple_auxillary.schema
include /etc/openldap/schema/apple.schema
include /etc/openldap/schema/syno.schema
(...)
suffix "dc=synology,dc=tumfatig,dc=local"
rootdn "uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
(...)
syncrepl rid=000
provider=ldaps://synology.tumfatig.local
type=refreshAndPersist
retry="5 10 300 +"
searchbase="dc=synology,dc=tumfatig,dc=local"
attrs="*,+"
bindmethod=simple
binddn="uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
credentials=change_me
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 250
#EOF
# doas -u _openldap slaptest -u
config file testing succeeded
Before starting the OpenLDAP daemon, restore the initial dump.
# doas -u _openldap slapadd -f /etc/openldap/slapd.conf -l syno-dump.ldif
5bd86476 hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta none elapsed none fast!
Closing DB...
Finally, the OpenLDAP daemon can be started:
# rcctl start slapd
slapd(ok)
# rcctl check slapd
slapd(ok)
In my case, I only use the secondary locally, so it only listens on localhost, without SSL.
# ldap search -x -b "cn=users,dc=synology,dc=tumfatig,dc=local" \
-H ldap://localhost "(mail=*)" gecos
dn: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
gecos: Joel Carnat
# ldap search -x -b "cn=groups,dc=synology,dc=tumfatig,dc=local" \
-H ldap://localhost "(member=*)" description member
dn: cn=users,cn=groups,dc=synology,dc=tumfatig,dc=local
description: Directory default group
member: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
member: uid=tom,cn=users,dc=synology,dc=tumfatig,dc=local
(...)
Changing attributes is done from the Synology DSM interface, and within seconds the changes are visible on the localhost secondary instance.
Every service can now use this local copy of the user database, even if OpenBSD loses its connection to the OpenLDAP primary.
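To confirm that the secondary really is current (rather than silently stale after a lost connection), compare the contextCSN of the suffix entry on both servers. The script below is an added example, not part of the original post; it uses OpenBSD’s ldap(1) as the post does, and the URLs, base DN and anonymous read of contextCSN are assumptions (add -D/-w, or -c with the Synology CA file, if your provider requires them).

```shell
#!/bin/sh
# Added example (not from the original post): compare the contextCSN of the
# OpenBSD consumer with the Synology provider to confirm replication is current.
# Uses OpenBSD's ldap(1) as in the post; URLs, base and the anonymous read of
# contextCSN are assumptions (add -D/-w, or -c with the Synology CA, if needed).
BASE="dc=synology,dc=tumfatig,dc=local"
PROVIDER="ldaps://synology.tumfatig.local"
CONSUMER="ldap://localhost"

# Pull the first contextCSN value out of LDIF search output on stdin.
# Assumes a single provider (one serverID), hence a single contextCSN value.
csn_from_ldif() {
    awk '/^contextCSN: / { print $2; exit }'
}

# Read the suffix entry's contextCSN from the server at URL $1.
fetch_csn() {
    ldap search -x -H "$1" -b "$BASE" -s base '(objectClass=*)' contextCSN \
        | csn_from_ldif
}

# Classify the consumer's CSN $2 against the provider's CSN $1.
# A CSN starts with a UTC timestamp, so plain string order is time order.
csn_state() {
    prov="$1"; cons="$2"
    [ -n "$prov" ] && [ -n "$cons" ] || { echo unknown; return 0; }
    awk -v p="$prov" -v c="$cons" 'BEGIN {
        if (p == c)     print "in-sync"
        else if (c < p) print "behind"
        else            print "ahead"   # consumer newer than provider: misconfiguration
    }'
}

# Exit 0 only when the local copy matches the provider.
check_replication() {
    state=$(csn_state "$(fetch_csn "$PROVIDER")" "$(fetch_csn "$CONSUMER")")
    echo "replication state: $state"
    [ "$state" = "in-sync" ]
}

# Run the live check only when invoked as: sh check-sync.sh check
if [ "${1:-}" = "check" ]; then
    check_replication
fi
```

A "behind" result right after a change in DSM is normal for a moment; one that persists means the syncrepl session is down and slapd’s log on the secondary is the place to look.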
It should be possible to maintain an LDAP copy on the OpenBSD server using the native ldapd(8) and scheduling some ldapsearch/ldapadd commands. So far I haven’t tried it…