Configuring LDAP Synchronization for Multiple Domains

How to perform LDAP Synchronization for multiple domains using a single LDAP database.

Solution

Prerequisites

These instructions cover the following scenario: Axigen has the following domains defined:

domain1.tld1
domain2.tld2

and you want to synchronize Axigen to LDAP, LDAP to Axigen, or both ways, using a single LDAP database for all domains. If desired, authentication against the LDAP directory will also be possible.


OpenLDAP configuration

We shall define one database whose directory tree root (suffix) is "dc=base" in slapd.conf. A minimal slapd.conf sample:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/axigen.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap/openldap
moduleload back_passwd.so
moduleload memberof.la
moduleload syncprov.la

serverID 1

database bdb

suffix "dc=base"
rootdn "cn=admin,dc=base"
# "secret" is shown in cleartext only for the sake of the example. In a real
# deployment put the hashed value produced by slappasswd here (an {SSHA}... string)
# and restrict read access to slapd.conf: the rootdn bypasses all access controls.
rootpw secret
directory /var/lib/openldap/base
index objectClass eq
index ou,cn,mail,surname,givenname eq,pres,sub
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 100 30
syncprov-sessionlog 100
overlay memberof
memberof-refint true
# No "access" directives are defined, so slapd applies its default policy
# ("access to * by * read"): any client, including anonymous binds, can read every
# entry and attribute, userPassword included. Add access rules before using this
# configuration outside a test environment.


Next, initialize the LDAP structure from an LDIF file so that Axigen can use it later. The directory tree is described in LDIF; in our example we use the following:

dn: dc=base
objectClass: dcObject
objectClass: organization
dc: base
o: base

dn: dc=tld1,dc=base
objectClass: dcObject
objectClass: organization
dc: tld1
o: tld1

dn: dc=tld2,dc=base
objectClass: dcObject
objectClass: organization
dc: tld2
o: tld2

dn: dc=domain1,dc=tld1,dc=base
objectClass: dcObject
objectClass: organization
dc: domain1
o: domain1

dn: dc=domain2,dc=tld2,dc=base
objectClass: dcObject
objectClass: organization
dc: domain2
o: domain2

dn: ou=users,dc=domain1,dc=tld1,dc=base
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=domain1,dc=tld1,dc=base
objectClass: organizationalUnit
ou: groups

dn: ou=users,dc=domain2,dc=tld2,dc=base
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=domain2,dc=tld2,dc=base
objectClass: organizationalUnit
ou: groups

This structure is useful if you have more domains ending in tld1 or tld2, because all domains with the same TLD are gathered under the same branch of the tree (the diagram shows two domains under each TLD):

                    base
                      |
             -------------------
             |                 |
           tld1              tld2
             |                 |
        ---------         ---------
        |       |         |       |
    domain1  domain2  domain1  domain2


Use the following command to import the LDIF file (you will be prompted for the rootpw value from slapd.conf):

ldapadd -x -D "cn=admin,dc=base" -W -f users.ldif

Then search the LDAP structure using different search bases. Without -D these searches use an anonymous simple bind, so if they return the entries the directory is readable anonymously, which is what the sample slapd.conf (having no access directives) allows:

ldapsearch -b "dc=base" -x
ldapsearch -b "dc=tld1,dc=base" -x
ldapsearch -b "dc=domain1,dc=tld1,dc=base" -x
ldapsearch -b "dc=tld2,dc=base" -x
ldapsearch -b "dc=domain2,dc=tld2,dc=base" -x

or bind with the -D option (the Distinguished Name, or binddn, used to bind to the LDAP directory):

ldapsearch -b "dc=base" -D "cn=admin,dc=base" -W -x
ldapsearch -b "dc=tld1,dc=base" -D "cn=admin,dc=base" -W -x

and so on.


Now we shall configure a single connector which will be used by all domains. Navigate via Webadmin -> Clustering -> Clustering Setup and define a new connector:

  LDAP Connector name: Generic (we name the connector "generic" since it will be used by all domains)
  LDAP Server Parameters
    IP / Hostname: the IP address and port of the LDAP server; the port is usually 389. Note that on port 389 without TLS the administrative DN's password is sent in cleartext at every bind, so the LDAP server should only be reachable over a trusted network.
  Server type: OpenLDAP
  Synchronization direction: Axigen to LDAP (you can choose any of the available options)
  Use Administrative DN: cn=admin,dc=base (you must also type the password specified in slapd.conf as rootpw)
  Account base DN: ou=users,%x,dc=base (%x expands, depending on the name of the domain being synchronized, to dc=domainX,dc=tldX, where X in our case is 1 or 2: dc=domain1,dc=tld1 for domain1.tld1 and dc=domain2,dc=tld2 for domain2.tld2)
  Enable Group Synchronization
    Group base DN: ou=groups,%x,dc=base (%x expands in the same way to dc=domainX,dc=tldX)

Save the connector and enable LDAP synchronization on each domain using the "generic" connector via Webadmin -> Domains & Accounts -> Manage Domains -> Edit.
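The following shell script is an added example; it is not part of the original article or of Axigen itself. It generates the LDIF tree shown above for any list of domains (several domains under the same TLD share one dc=tldX branch, as the diagram shows) and prints the DN that the connector's %x placeholder expands to for each domain, together with anonymous ldapsearch commands that confirm the Account base DN and Group base DN the connector will use actually exist before synchronization is enabled. It assumes the dc=base suffix and the ou=users / ou=groups layout of this article; the ldap://localhost URL and the mkldif.sh file name are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Axigen article): build the multi-domain LDIF tree
# described above for any list of domains and show what the connector's %x
# placeholder expands to for each of them.
# Assumptions: the dc=base suffix and ou=users/ou=groups layout from the article;
# every dotted label of the domain name becomes one dc= component, which matches the
# article's dc=domainX,dc=tldX expansion for two-label names.
# Usage: sh mkldif.sh domain1.tld1 domain2.tld2 other.tld1 > users.ldif

BASE="dc=base"                # suffix from slapd.conf
LDAP_URL="ldap://localhost"   # placeholder, adjust to your server

# domain_to_dn domain1.tld1 -> dc=domain1,dc=tld1  (the value %x takes for that domain)
domain_to_dn() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# account_base_dn domain1.tld1 -> ou=users,dc=domain1,dc=tld1,dc=base  (connector "Account base DN")
account_base_dn() { printf '%s\n' "ou=users,$(domain_to_dn "$1"),$BASE"; }
# group_base_dn   domain1.tld1 -> ou=groups,dc=domain1,dc=tld1,dc=base (connector "Group base DN")
group_base_dn()   { printf '%s\n' "ou=groups,$(domain_to_dn "$1"),$BASE"; }

# dc_entry <dn> <label>: one dcObject/organization entry, as in the article's LDIF
dc_entry() {
    printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\ndc: %s\no: %s\n\n' "$1" "$2" "$2"
}

# ou_entry <ou> <parent dn>: one organizationalUnit entry
ou_entry() {
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$1" "$2" "$1"
}

# emit_branch domain1.tld1: emit dc=tld1,dc=base, then dc=domain1,dc=tld1,dc=base,
# then the two OUs. Intermediate entries already emitted (tracked in SEEN) are
# skipped, so several domains under the same TLD share one branch.
emit_branch() {
    suffix="$BASE"
    # reverse the labels so we walk from the TLD down: domain1.tld1 -> "tld1 domain1"
    labels=$(printf '%s\n' "$1" | tr '.' '\n' | sed -n '1!G;h;$p' | tr '\n' ' ')
    for label in $labels; do
        dn="dc=$label,$suffix"
        case " $SEEN " in
            *" $dn "*) ;;                                   # already emitted
            *) SEEN="$SEEN $dn"; dc_entry "$dn" "$label" ;;
        esac
        suffix="$dn"
    done
    ou_entry users  "$suffix"
    ou_entry groups "$suffix"
}

# gen_ldif domain... : the complete LDIF for the given domains, on stdout
gen_ldif() {
    SEEN=""
    dc_entry "$BASE" base
    for d in "$@"; do emit_branch "$d"; done
}

# verify_cmds domain... : anonymous base-scope ldapsearch commands; each must return
# exactly one "dn:" line, the connector's Account or Group base DN for that domain
# ("1.1" requests no attributes, so only the DN is printed)
verify_cmds() {
    for d in "$@"; do
        printf 'ldapsearch -x -H %s -s base -b "%s" 1.1\n' "$LDAP_URL" "$(account_base_dn "$d")"
        printf 'ldapsearch -x -H %s -s base -b "%s" 1.1\n' "$LDAP_URL" "$(group_base_dn "$d")"
    done
}

if [ "$#" -gt 0 ]; then
    gen_ldif "$@"
    verify_cmds "$@" >&2      # checks go to stderr so stdout stays valid LDIF
fi
```

Run it with the domains defined in Axigen, feed the LDIF to ldapadd as shown earlier, then run the printed ldapsearch commands: an entry returned for each base DN means the connector's %x expansion for that domain resolves to an existing container, while "No such object" means the LDAP tree and the domain name do not line up and synchronization for that domain would fail.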

NOTE: It is strongly recommended that you fully test the above instructions using domains defined for this purpose and not the actual domains.

OS: Linux