Cool Solution - Creation of a meta-directory with multiple UCS DC Master servers

From Univention Wiki

Jump to: navigation, search
Produktlogo UCS Version 3.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

This setup works only with UCS 3.2. Any later version of UCS breaks this setup.

The goal of this implementation is to provide a centralized directory service by a UCS DC-Master system with the summarized directory information of several UCS DC-Master instances, limited to the user account information. So it may also be called a Meta Directory Service.

Therefore, a listener module pushes local users to a remote global UCS DC-Master instance, which can then be used as a centralized authentication service.


1. On the global DC master all LDAP schemas relevant to the users on any satellite DC master must be installed.

2. The listener runs on the satellite DC masters and currently needs full LDAP write access to the global DC master. (In a future version this could be changed to using a dedicated principal which only has permissions to create LDAP user objects in a dedicated section of the LDAP DIT. In addition write access to the "cn=uidNumber,cn=temporary,cn=univention,${ldap_base}" is needed for allocating unique UID numbers.)


On global DC master

Create one group for all satellites or multiple groups for each satellite:

udm groups/group create --position "cn=groups,$(ucr get ldap/base)" --set name="dom1"

Collect the following information from the global DC master:

global_master="$(getent hosts "$HOSTNAME" | cut -d\  -f1)"
global_base="$(ucr get ldap/base)"
global_passwd="$(cat /etc/ldap.secret)"
global_krbrealm="$(ucr get kerberos/realm)"

On satellite DC masters

Include Cool-Solutions repository on satellite DC masters:

ucr set repository/online/component/cool-solutions=yes \
 repository/online/component/cool-solutions/version="current" \
 repository/online/component/cool-solutions/unmaintained=yes \

Install packages on satellite DC masters:

univention-install multi-master-setup

Configure satellites:


(umask 0600 ; echo -n "${global_passwd}" >/etc/ldap-global.secret ; chmod 0600 /etc/ldap-global.secret )

ucr set \
 multi-master-setup/remote/ldapuri="ldap://${global_master}:7389" \
 multi-master-setup/remote/binddn="${global_admin}" \
 multi-master-setup/remote/basedn="${global_base}" \
 multi-master-setup/remote/groupdn="${global_group}" \
 multi-master-setup/remote/suffix="$local_suffix" \
 multi-master-setup/remote/position="${global_users}" \
 multi-master-setup/remote/krbrealm="${global_krbrealm}" \
 multi-master-setup/remote/bindpw="/etc/ldap-global.secret" \

invoke-rc.d univention-directory-listener restart


Creating users on the satellites triggers the listener, which pushes the newly created user to the global DC master. Several attributes are modified:

All users are always placed in the ${global_base} container
"_${local_suffix}" is appended to the satellite user name, that is meier on the satellite becomes meier_dom1 on the global DC master.
The gid number of the group specified via ${global_group} is always used instead.
The SID of the group specified via ${global_group} is always used instead.
${local_suffix} is inserted before the last directory name component, that is /home/meier on the satellite becomes /home/dom1/meier on the global DC master.
A new unique uid number is always allocated the on global DC master.
entryUUID, entryDN, entryCSN, creatorsName, createTimestamp, modifiersName, modifyTimestamp, structuralObjectClass, hasSubordinates, subschemaSubentry
These OpenLDAP internal operational attributes are excluded from being synchronized.

All other attributes are synchronized 1:1, which requires all LDAP schemas used on any satellite DC master to be also installed on the global DC master!

Personal tools