LDAP Replication

Reasons for Implementing Replication:

• redundancy & failover
• capacity (load sharing, eg with round robin dns)
• network bandwidth/latency - put copies of the data close to where they are needed
• 'on-line' backups (take a slave off-line, back up from it, then hook it back into it's master)

Replication Mechanisms:

• replication is not defined in the standards, and is therefore 'vendor dependent'
• OpenLDAP only supports single-master architecture
• OpenLDAP supports two distinct mechanisms: slurpd and syncrepl
• slurpd:
  • slurpd daemon runs on master, monitoring change log
  • uses LDAP protocol to push changes out to registered slaves
  • needs complete write-access to the slave

Setting up slurpd replication

• repeat ldap server setup on second machine and test with:

        ldapsearch -x -h ldap3 -s base -b '' '(ObjectClass=*)' +
      

  Also configure /etc/syslog.conf (and restart syslogd) so we can watch what happens (and verify which server is responding to queries):

        local4.*     /var/log/slapd.log
      

• in the slave's slapd.conf:

        rootdn     cn=replica,dc=shellgrit,dc=com
        rootpw     secretslave
  
        # This database is a replica of the master on ldap4, which pushes
        # updates to us using:
        updatedn   cn=replica,dc=shellgrit,dc=com
  
        # Tell clients "where to go" if they ask us (a mere slave!) to do updates:
        updateref  ldap://ldap4.shellgrit.com
      

• in the master's slapd.conf:

        replogfile /var/lib/ldap/openldap-master-replog
        replica uri=ldap://ldap3.shellgrit.com:389  bindmethod=simple
                binddn=cn=replica,dc=shellgrit,dc=com  credentials=secretslave
      

• copy data across:
  • use slapcat to export data from master, and zero out the replication log

          # service ldap stop
          # slapcat -l /ldap/ldif/master-export.ldif
          # cat /dev/null > /var/lib/ldap/replica/slurpd.replog
          

  • use slapadd to import data into slave

          # service ldap stop
          # slapadd -u -v -l /ldap/ldif/master-export.ldif
          # slapadd -v -l /ldap/ldif/master-export.ldif
          # chown ldap:ldap /var/lib/ldap/*
          

• turn it on and test it out:
  • on both servers

          # service ldap start
          # tail -f /var/log/slapd.log
          

  • try a search against each server

          # searchall
          # searchall3
          

  • try changing a user's password

Failover

• on the client (eg ldap2), edit /etc/ldap.conf (either directly or run authconfig):

      < host ldap4.shellgrit.com
      > host ldap3.shellgrit.com,ldap4.shellgrit.com
    

• retry login, and observe the two servers' log files
• shut down ldap server on ldap3 and try login again