Multi-Way Replication on OpenLDAP

A highly available LDAP service is a must in cloud infrastructure.  This page walks through N-way multi-master replication (MirrorMode) on OpenLDAP, a setup that covers most cases.  If you also add or remove schema attributes at runtime, follow the configuration synchronization steps below as well.

The official OpenLDAP documentation does not lay out the complete procedure in one place, a common problem with open source projects.

Everything below is done with the ldapmodify/ldapadd commands over the local ldapi:/// socket against the live configuration that slapd keeps under /etc/ldap/slapd.d ( /etc/openldap/slapd.d on RedHat ).  The files in that directory are never edited by hand.  No magic!

What follows is N-way multi-master synchronization, similar to two Active Directory domain controllers: you can maintain your LDAP records on either machine at any time and the other one picks the change up.  It should suit most cases.  Just follow along and let's see how lucky you are.

Before configuring anything, check that ldapi:/// is listed in the variable SLAPD_SERVICES in /etc/default/slapd ( /etc/sysconfig/slapd on RedHat ) and restart slapd if you had to add it: every configuration change below is made with LDAP commands over that local socket, authenticating as root via SASL EXTERNAL.  Of course, the packages slapd and ldap-utils must already be installed and the directory initialised.


1. Tell Machine One that it will be a replication member.

Add olcServerID: 1 to the cn=config entry.  This simply announces that the server takes part in some replication scheme.
olcServerID: 1

OpenLDAP 2.4+ keeps its configuration in a live database (the cn=config tree), so you change it with LDAP operations rather than by editing cn=config.ldif under slapd.d.  Use the command:

    ldapmodify -Q -Y EXTERNAL -H ldapi:///

Enter the following lines, press ENTER (one empty line) and then CTRL-D to complete the update.

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1


Add a root password for the configuration administrator (the RootDN of olcDatabase={0}config, normally cn=config).
Remember the value of the attribute olcRootPW: you will use it as the credentials argument in step 4 below.  The example stores the password in cleartext; olcRootPW also accepts a hash produced by slappasswd (for example an {SSHA} value), which is preferable because anyone who can read cn=config would otherwise see the password.  Note that the credentials= parameter in step 4 must still carry the cleartext password even when olcRootPW is hashed.

   ldapmodify -Q -Y EXTERNAL -H ldapi:///

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 18u48we3e2fw

If the attribute already exists, use replace: olcRootPW instead of add: olcRootPW.

 

Make sure the syncprov module is loaded, i.e. that the entry cn=module{0},cn=config (stored as cn=config/cn=module{0}.ldif) contains olcModuleLoad: syncprov.la.  You may not have this entry at all!  Check first with ldapsearch over ldapi:/// (base cn=config, filter objectClass=olcModuleList); on Debian the slapd package normally creates it already to load the backend module.  If the entry does not exist, create it with:

    ldapadd -Q -Y EXTERNAL -H ldapi:///

Don't run ldapadd if the entry already exists!  In that case use ldapmodify (further below) to add the module.

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}syncprov.la

 

If the entry already exists, modify it instead with ldapmodify -Q -Y EXTERNAL -H ldapi:///

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la

 

The index {1} follows the existing olcModuleLoad values: use the last existing index plus one ({0} if this is the first module, {2} after {1}, and so on).  You may also omit the {n} prefix and let slapd append the value.  The olcModulePath is /usr/lib/ldap on Debian/Ubuntu and /usr/lib64/openldap on RedHat.



2. Tell Machine Two that it will be a replication member.

Do exactly the same on Machine Two, except olcServerID: 2 instead of olcServerID: 1.  The config olcRootPW may differ per machine; what matters is that each consumer in steps 4 and 5 uses the password of the machine it pulls from.


3. Online modification of Machine One and Machine Two in detail

Now use ldapmodify to change the live configuration.  We need to give cn=config the full list of servers and add the syncprov overlay to the config database so that it can act as a provider for configuration synchronization.
Run: ldapmodify -Q -Y EXTERNAL -H ldapi:///
Enter the following on both machines (it is identical on both), assuming Machine One is 10.1.1.1 and Machine Two is 10.1.1.2.  Each olcServerID value now carries the server's URL; slapd decides which of the listed IDs is its own by matching the URL against the addresses it listens on, so the URL must name this host as slapd sees it, otherwise the server cannot determine its ID.


dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.1.1.1/
olcServerID: 2 ldap://10.1.1.2/

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov



4. Tell Machine One to synchronize configuration

Configuration is configuration, not data.  OpenLDAP 2.4+ keeps it in the live cn=config database, not in a file.  The searchbase controls how much of it is replicated; this example replicates only cn=schema,cn=config, which is the recommended minimum: whenever you add or remove schema on one server, the other one picks it up, so data replication never hits a structural error from a missing attribute type or object class.

Run: ldapmodify -Q -Y EXTERNAL -H ldapi:///

Enter the following.  The binddn is the RootDN of the config database (normally cn=config; confirm olcRootDN on olcDatabase={0}config,cn=config) and credentials is the cleartext olcRootPW you set in step 1, even if you stored it hashed.  The provider 10.1.1.2 must be Machine Two's address.  Be aware that bindmethod=simple over plain ldap:// sends this password in cleartext on the wire, and that the value is stored readably inside cn=config; keep replication traffic on a trusted network, or add starttls=critical tls_reqcert=demand to the olcSyncRepl value once the peers have certificates.


dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=000 provider=ldap://10.1.1.2/ binddn="cn=config" bindmethod=simple credentials=18u48we3e2fw searchbase="cn=schema,cn=config" type=refreshAndPersist retry="15 5 1800 +" timeout=10
-
add: olcMirrorMode
olcMirrorMode: TRUE


5. Tell Machine Two for configuration synchronization

You can omit steps 4 and 5 if you prefer to keep the configuration in sync by hand; there are really few changes.  Either way, never rsync/scp/tar the configuration directory from one machine over the other: the two machines differ (olcServerID, provider URLs) and the files are managed by slapd, not by you.

Run: ldapmodify -Q -Y EXTERNAL -H ldapi:///

Enter the following.  It is the same as on Machine One except that the provider is the other machine, 10.1.1.1, and the credentials are Machine One's config olcRootPW:
 

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=000 provider=ldap://10.1.1.1/ binddn="cn=config" bindmethod=simple credentials=18u48we3e2fw searchbase="cn=schema,cn=config" type=refreshAndPersist retry="15 5 1800 +" timeout=10
-
add: olcMirrorMode
olcMirrorMode: TRUE

 

6. Tell Machine One for data synchronization

Data synchronization is configured on the data database entry, which depends on the backend you use: olcDatabase={1}hdb here, but it may be {1}bdb or {1}mdb in your environment (mdb is the default on newer releases).

Run: ldapmodify -Q -Y EXTERNAL -H ldapi:///

Enter the following.  For a database type other than hdb the dn differs (for example olcDatabase={1}mdb).  The binddn and credentials are the RootDN and password of your data database.  Binding as the RootDN is the simplest choice, but it hands the peer full write access; a dedicated replication identity with read access to the suffix and its own olcLimits entry is the least-privilege option.  The olcLimits line makes sure the consumer is never cut off by size or time limits during the initial refresh.  The interval= parameter only applies to refreshOnly and is ignored with refreshAndPersist, so you may drop it:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=Directory Manager,dc=yourbox,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.1.1.2/ binddn="cn=Directory Manager,dc=yourbox,dc=com" bindmethod=simple credentials="yOuRpAsSwD" searchbase="dc=yourbox,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="15 5 1800 +" timeout=10
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov


7. Tell Machine Two for data synchronization

It is almost the same, differing only in the provider IP address.

Run: ldapmodify -Q -Y EXTERNAL -H ldapi:///

Enter the following; it is identical to Machine One apart from the provider IP address:
 

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=Directory Manager,dc=yourbox,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.1.1.1/ binddn="cn=Directory Manager,dc=yourbox,dc=com" bindmethod=simple credentials="yOuRpAsSwD" searchbase="dc=yourbox,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="15 5 1800 +" timeout=10
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
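
Steps 3 to 7 are the same on every node apart from its serverID, its own URL and the peer's URL, so they are easy to get subtly wrong when typed twice.  The script below is an added example, not code from the original page: it renders the LDIF of steps 3 to 7 for one node of the pair and pipes it to ldapmodify over ldapi:///.  The function names render_node_ldif and apply_node_ldif, the SYNC_TLS variable and the sample argument values are my own choices; it assumes steps 1 and 2 (olcServerID, config olcRootPW, syncprov module) are already done on that node.

```bash
#!/bin/sh
# Added example (not part of the original page): render and apply the
# replication LDIF of steps 3 to 7 for one node of a two-node pair.
# Assumes steps 1 and 2 are done (olcServerID, olcRootPW, syncprov module)
# and that slapd listens on ldapi:/// for SASL EXTERNAL as root.
#
# Usage: node-sync.sh SID MY_URL PEER_URL CONFIG_PW DATA_DB SUFFIX ROOTDN ROOTPW
#   e.g. on Machine One:
#   node-sync.sh 1 ldap://10.1.1.1/ ldap://10.1.1.2/ 18u48we3e2fw \
#       'olcDatabase={1}hdb' dc=yourbox,dc=com \
#       'cn=Directory Manager,dc=yourbox,dc=com' yOuRpAsSwD
#
# Optional: SYNC_TLS='starttls=critical tls_reqcert=demand' appends TLS
# settings to both olcSyncRepl values (hypothetical variable name; the
# parameters themselves are slapd's syncrepl keywords).

render_node_ldif() {
    sid=$1; my_url=$2; peer_url=$3; config_pw=$4
    data_db=$5; suffix=$6; rootdn=$7; rootpw=$8
    tls=${SYNC_TLS:+ $SYNC_TLS}

    # Every node lists both servers. slapd finds its own ID by matching
    # the URL against its listeners, so MY_URL must be one it listens on.
    if [ "$sid" = 1 ]; then
        ids="olcServerID: 1 $my_url
olcServerID: 2 $peer_url"
    else
        ids="olcServerID: 1 $peer_url
olcServerID: 2 $my_url"
    fi

    cat <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
$ids

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=000 provider=$peer_url binddn="cn=config" bindmethod=simple credentials="$config_pw" searchbase="cn=schema,cn=config" type=refreshAndPersist retry="15 5 1800 +" timeout=10$tls
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: $data_db,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="$rootdn" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$peer_url binddn="$rootdn" bindmethod=simple credentials="$rootpw" searchbase="$suffix" type=refreshAndPersist retry="15 5 1800 +" timeout=10$tls
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,$data_db,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
}

apply_node_ldif() {
    # Same LDIF, applied through the local socket as root (SASL EXTERNAL).
    render_node_ldif "$@" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Only apply when called with the eight arguments; render_node_ldif alone
# is handy to review the LDIF before touching a live server.
if [ "$#" -eq 8 ]; then
    apply_node_ldif "$@"
fi
```

Run it once on each machine with its own SID and URL first and the peer's URL second; run render_node_ldif with the same arguments to eyeball the LDIF before applying.  The passwords still end up in cleartext inside cn=config exactly as in the manual steps, so set SYNC_TLS as soon as the peers have certificates.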



8. Done

If Machine Two had no records before, it now shows Machine One's records.  Verify rather than assume: read the contextCSN of the suffix on both servers (ldapsearch with -s base on dc=yourbox,dc=com, requesting the operational attribute contextCSN) and confirm that both report the same set of values, one per serverID.  A modification made on either machine should then appear on the other within seconds, and with olcLogLevel set to sync the slapd log shows the syncrepl session.
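
The contextCSN comparison just described, as an added example that is not part of the original page: the functions extract the contextCSN values from two servers' ldapsearch output and report whether the sets match.  The sample LDIF is constructed for the example (the timestamps are made up), and the function names extract_csn, csn_in_sync, fetch_csn and check_pair are my own.

```bash
#!/bin/sh
# Added example (not part of the original page): check that both nodes
# report the same contextCSN values for the data suffix. In an N-way
# setup there is one contextCSN per serverID (the #001# / #002# field),
# and the sets must match on every node once replication has caught up.

extract_csn() {
    # LDIF on stdin -> sorted contextCSN values, one per line
    sed -n 's/^contextCSN: //p' | sort
}

csn_in_sync() {
    # $1, $2: LDIF text from two servers. Returns 0 when both carry the
    # same non-empty set of contextCSN values, 1 otherwise.
    a=$(printf '%s\n' "$1" | extract_csn)
    b=$(printf '%s\n' "$2" | extract_csn)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

fetch_csn() {
    # Live use: contextCSN is an operational attribute, so it must be
    # requested by name; -s base reads only the suffix entry itself.
    # Add -D/-W if your ACLs do not allow anonymous reads of the suffix.
    ldapsearch -x -LLL -H "$1" -b "$2" -s base contextCSN
}

check_pair() {
    # $1, $2: server URLs; $3: suffix, e.g. dc=yourbox,dc=com
    if csn_in_sync "$(fetch_csn "$1" "$3")" "$(fetch_csn "$2" "$3")"; then
        echo "in sync"
    else
        echo "NOT in sync: compare the two outputs and check the sync log"
        return 1
    fi
}

# Constructed sample output (values made up for the example) of:
#   ldapsearch -x -LLL -H ldap://10.1.1.1/ -b dc=yourbox,dc=com -s base contextCSN
NODE1='dn: dc=yourbox,dc=com
contextCSN: 20240301120000.000000Z#000000#001#000000
contextCSN: 20240301120005.000000Z#000000#002#000000'

# Same set in a different order: still in sync.
NODE2_OK='dn: dc=yourbox,dc=com
contextCSN: 20240301120005.000000Z#000000#002#000000
contextCSN: 20240301120000.000000Z#000000#001#000000'

# Node two has not yet seen Machine One's latest write: serverID 001 lags.
NODE2_LAG='dn: dc=yourbox,dc=com
contextCSN: 20240301115900.000000Z#000000#001#000000
contextCSN: 20240301120005.000000Z#000000#002#000000'
```

On a live pair, call check_pair ldap://10.1.1.1/ ldap://10.1.1.2/ dc=yourbox,dc=com; an entry that carries no contextCSN at all (empty set) is reported as not in sync on purpose, because it means the syncprov overlay is not active on that database.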


Have fun!