From b13fbe1c2a0b59b5ee50496ad8984ba3660aeb29 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Jun 2019 22:11:10 +0300
Subject: [PATCH] add support for ldap replication

---
 roles/ldap/server/templates/slapd.conf.j2 | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/roles/ldap/server/templates/slapd.conf.j2 b/roles/ldap/server/templates/slapd.conf.j2
index e733c23..a00f2c2 100644
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@@ -81,6 +81,25 @@ constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryD
 # access without access to clear text data
 directory /srv/ldap
 
+{% if ldap_master is not defined %}
+# replication
+syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
+ provider=ldaps://ldap01.foo.sh
+ type=refreshAndPersist
+ retry="10 10 60 +"
+ searchbase="{{ ldap_basedn }}"
+ filter="(objectClass=*)"
+ scope="sub"
+ sizelimit=500000
+ timelimit=360000
+ schemachecking="off"
+ bindmethod="simple"
+ tls_reqcert="demand"
+ binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
+ credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
+updateref ldaps://ldap01.foo.sh
+
+{% endif %}
 # for syncrepl
 index entryCSN,entryUUID,objectClass eq
 # for kerberos kdc
@@ -110,6 +129,13 @@ access to *
 by anonymous auth
 by * break
 
+{% if ldap_master is defined %}
+# allow replicator to read everything
+access to *
+ by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
+ by * break
+
+{% endif %}
 # allow self to change password
 access to attrs=userPassword
 by self write
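Review bot: The `credentials="{{ ldap_replicator_pass[inventory_hostname] }}"` line writes the replicator's cleartext bind password into slapd.conf, and the task that deploys this template is not part of the patch, so it cannot be confirmed that the rendered file is owned by the slapd user with a 0600/0640 mode and that the template task runs with `no_log: true` so the password does not appear in Ansible's diff/verbose output; a comment such as `# credentials are rendered in clear text: keep this file mode 0600 and the template task no_log` above the syncrepl stanza would make that requirement visible to the next maintainer. The `rid={{ 999 | random(seed=inventory_hostname) }}` value must be unique per consumer, and a seeded draw from 0–999 can collide for two hosts, so deriving it from an explicit per-host inventory variable would be more robust. The provider and `updateref` hostname `ldaps://ldap01.foo.sh` is hard-coded while the master/consumer split is driven by the `ldap_master` variable; if that variable (or a companion) holds the provider address, using it here would keep the two in sync.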
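Review bot: The `dn.regex` pattern in the new ACL is unanchored and interpolates `ldap_basedn` unescaped, so the `.` characters in a typical base DN act as wildcards and the pattern can match as a substring of a longer DN rather than only the intended replicator entries; anchoring and escaping it, `by dn.regex="^uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn | regex_escape }}$" read`, limits the match to exactly that shape. Because this ACL precedes the userPassword rules and grants `read` on `*`, every entry matching it under ou=Hosts can read the whole directory including password hashes, which replication needs but which makes each per-host replicator password as sensitive as the directory itself; if only some hosts are consumers, a stricter pattern or an explicit list of consumer DNs would narrow that. The master side also needs the syncprov overlay loaded for this ACL to be useful, which is not visible in this patch and is presumably configured elsewhere in the template.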