LDAP replication between Synology DSM and OpenBSD

    

I want my OpenBSD 6.4 services to authenticate users from a remote LDAP server ; namely a Synology Directory Server (DSM 6.2.x). It turns out that this a standard OpenLDAP 2.4.x configured to accept replication refreshAndPersist mode. So let’s configure a Primary / Secondary Replication system between Synology and OpenBSD.

Get stuff from Synology (Primary)

From the DSM instance, we’ll need extra LDAP schemas (that don’t come with OpenLDAP release on OpenBSD) and an initial dump of data:

root@synology:~# cd /usr/syno/etc.defaults/openldap/schema/
root@synology:/usr/syno/etc.defaults/openldap/schema/# \
  tar cvzpf ~/syno-schemas.tar.gz apple.schema \
      apple_auxillary.schema samba.schema syno.schema
apple.schema
apple_auxillary.schema
samba.schema
syno.schema

root@synology:~# slapcat -F /var/packages/DirectoryServer/target/etc/data/slapd.d \
  > syno-dump.ldif
5bd85e20 [monitor.c:362] bdb_monitor_db_open: monitoring disabled; \
  configure monitor database to enable

Then, simply transfer both files to the OpenBSD server.

Configure stuff on OpenBSD (Secondary)

First of all, install and enable OpenLDAP:

# pkg_add openldap-server-2.4.45p5
# rcctl enable slapd
# rcctl set slapd flags -h ldap://127.0.0.1

Then install the schema files:

# tar xvzpf syno-schemas.tar.gz -C /etc/openldap/schema/
apple.schema
apple_auxillary.schema
samba.schema
syno.schema

There a small modification to apply to the syno.schema file:

# diff -U2 /etc/openldap/schema/syno.schema.orig /etc/openldap/schema/syno.schema
--- /etc/openldap/schema/syno.schema.orig Fri Sep 7 10:56:21 2018
+++ /etc/openldap/schema/syno.schema Tue Oct 30 15:00:13 2018
@@ -146,5 +146,5 @@

attributetype ( 1.3.6.1.4.1.6574.5.2.1.25
- NAME 'SynoExcludeCommonPwd'
+ NAME 'pwdSynoExcludeCommonPwd'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7

Configure OpenLDAP using the Synology schemas, suffix and enable replication:

# vi /etc/openldap/slapd.conf
(...)
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/apple_auxillary.schema
include /etc/openldap/schema/apple.schema
include /etc/openldap/schema/syno.schema
(...)
suffix          "dc=synology,dc=tumfatig,dc=local"
rootdn          "uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
(...)
syncrepl rid=000
  provider=ldaps://synology.tumfatig.local
  type=refreshAndPersist
  retry="5 10 300 +"
  searchbase="dc=synology,dc=tumfatig,dc=local"
  attrs="*,+"
  bindmethod=simple
  binddn="uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
  credentials=change_me

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 250
#EOF

# doas -u _openldap slaptest -u
config file testing succeeded

Before starting the OpenLDAP daemon, restore the initial dump.

# doas -u _openldap slapadd -f /etc/openldap/slapd.conf -l syno-dump.ldif
5bd86476 hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta none elapsed none fast!
Closing DB...

Finally, the OpenLDAP daemon can be started:

# rcctl start slapd
slapd(ok)
# rcctl check slapd
slapd(ok)

In my case, I only use the secondary locally. So it only listens on localhost without SSL.

# ldap search -x -b "cn=users,dc=synology,dc=tumfatig,dc=local" \
  -H ldap://localhost "(mail=*)" gecos
dn: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
gecos: Joel Carnat

# ldap search -x -b "cn=groups,dc=synology,dc=tumfatig,dc=local" \
  -H ldap://localhost "(member=*)" description member
dn: cn=users,cn=groups,dc=synology,dc=tumfatig,dc=local
description: Directory default group
member: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
member: uid=tom,cn=users,dc=synology,dc=tumfatig,dc=local
(...)

Changing attributes is done from the Synology DSM interface. And in seconds, the changes are accessible from the localhost secondary instance.

Every services can now use this local user database copy. Even when OpenBSD would lose connexion to the OpenLDAP primary.

It should be possible to maintain an LDAP copy on the OpenBSD server using the native ldapd(8) and scheduling some ldapsearch/ldapsadd commands. So far I didn’t try it…