Configure OpenLDAP Multi-Master Replication on Linux

In this guide, we will configure multi-master replication between OpenLDAP servers on CentOS 7 / RHEL 7. Multi-master replication overcomes the limitation of the typical master-slave setup, where only the master server can accept changes to the LDAP directory.

READ: How to configure OpenLDAP Master-Slave Replication

In multi-master replication, two or more servers act as masters, and each of them is authoritative for changes to the LDAP directory. Replication keeps the copies in step, so client queries can be spread across all of the servers.

Environment:

For multi-master replication, we are going to use two OpenLDAP servers; the details are below.

READ: Step by Step OpenLDAP Server Configuration on CentOS 7 / RHEL 7

ldpsrv1.itzgeek.local (192.168.12.11)
ldpsrv2.itzgeek.local (192.168.12.12)

Perform the steps shown in the above link, except for creating LDAP users; we will create a test user here to verify the replication.

Configure OpenLDAP Multi-Master Replication:

Once your LDAP server configuration is complete, enable the syncprov module.

You would need to perform the below steps on all of your OpenLDAP servers unless otherwise stated.

vi syncprov_mod.ldif

Copy and paste the below lines to syncprov_mod.ldif file.

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Now send the configuration to the LDAP master server.

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif

Output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

Next, enable the syncprov overlay for the directory database.

vi syncprov.ldif

Copy and paste the below text into the above file.

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

Update the configuration on the LDAP server.

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

Output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"

Now set up the replication itself by placing the replication configuration into a file on each of your master nodes.

vi rp.ldif

Don’t forget to change the “olcServerID: x” and “rid=xxx” values; each of them must be unique for every server.

Example:

dn: cn=config
changetype: modify
replace: olcServerID
### Specify uniq ID number ###
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
### Specify uniq ID number ###
olcSyncRepl: rid=001
  ### Specify another LDAP server's URI ###
  provider=ldap://anotherLDAP:389/
  bindmethod=simple
  ### LDAP Domain Name ###
  binddn="cn=ldapadm,dc=itzgeek,dc=local"
  ### Replication user credential ###
  credentials=root1234
  searchbase="dc=itzgeek,dc=local"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

Do not forget to remove the lines beginning with ###, as they may cause an error while updating the LDAP configuration.

The actual configuration on both servers will look like below.

ldpsrv1.itzgeek.local:

dn: cn=config
changetype: modify
replace: olcServerID
### Specify uniq ID number ###
olcServerID: 1

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
### Specify uniq ID number ###
olcSyncRepl: rid=001
  ### Specify another LDAP server's URI ###
  provider=ldap://ldpsrv2.itzgeek.local:389/
  bindmethod=simple
  ### LDAP Domain Name ###
  binddn="cn=ldapadm,dc=itzgeek,dc=local"
  ### Replication user credential ###
  credentials=root1234
  searchbase="dc=itzgeek,dc=local"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

ldpsrv2.itzgeek.local:

dn: cn=config
changetype: modify
replace: olcServerID
### Specify uniq ID number ###
olcServerID: 2

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
### Specify uniq ID number ###
olcSyncRepl: rid=002
  ### Specify another LDAP server's URI ###
  provider=ldap://ldpsrv1.itzgeek.local:389/
  bindmethod=simple
  ### LDAP Domain Name ###
  binddn="cn=ldapadm,dc=itzgeek,dc=local"
  ### Replication user credential ###
  credentials=root1234
  searchbase="dc=itzgeek,dc=local"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

Send the configuration to the LDAP server.

ldapmodify -Y EXTERNAL -H ldapi:/// -f rp.ldif

Output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
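
The two pitfalls the article points out in rp.ldif are easy to automate away: the olcServerID and rid values must be unique per node, and the indented ### lines are not comments but LDIF continuation lines of the olcSyncRepl value, so they corrupt the replication spec if left in. The script below is an added example and is not code from the original article or from the OpenLDAP project. It renders the per-node records from parameters and checks a set of rendered files for duplicate or zero olcServerID / rid values before anything is fed to ldapmodify. All function and file names are the example's own; the host names, bind DN, credential and suffix are the ones used in this guide. The syncprov overlay record is kept in a separate function because syncprov.ldif earlier in this guide already adds that entry, and adding it a second time fails with "Already exists".

```sh
#!/bin/sh
# Added example, not code from the original article: render the rp.ldif for
# one multi-master node from parameters, and check a set of rendered files for
# duplicate olcServerID / rid values before any of them is loaded with ldapmodify.
# Function and file names here are the example's own choices.
set -eu

# Emit the serverID, syncrepl consumer and mirror-mode records for one node.
# Args: serverID rid provider-URI binddn credentials suffix
# The "###" guidance lines of the article's template are deliberately absent:
# an indented "###" line is an LDIF continuation of the olcSyncRepl value and
# corrupts the replication spec, so nothing but real parameters is emitted.
render_rp_ldif() {
    sid=$1; rid=$2; provider=$3; binddn=$4; creds=$5; suffix=$6
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: $sid

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=$rid
  provider=$provider
  bindmethod=simple
  binddn="$binddn"
  credentials=$creds
  searchbase="$suffix"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
}

# Emit the syncprov overlay record. Kept separate because syncprov.ldif above
# already adds this entry; adding it a second time fails with "Already exists".
render_syncprov_overlay() {
    cat <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
}

# Read the olcServerID / rid value back out of a rendered file.
server_id_of() { sed -n 's/^olcServerID: //p' "$1"; }
rid_of()       { sed -n 's/^olcSyncRepl: rid=//p' "$1"; }

# Return 0 when every file has a non-zero olcServerID and no two files share an
# olcServerID or a rid. Mirror mode needs non-zero, distinct server IDs, and
# each consumer spec needs its own rid.
ids_unique() {
    sids=$(for f in "$@"; do server_id_of "$f"; done)
    rids=$(for f in "$@"; do rid_of "$f"; done)
    for s in $sids; do [ "$s" -ne 0 ] || return 1; done
    [ -z "$(printf '%s\n' "$sids" | sort | uniq -d)" ] &&
    [ -z "$(printf '%s\n' "$rids" | sort | uniq -d)" ]
}

# Usage:
#   sh mmr_ldif.sh render 1 001 ldap://ldpsrv2.itzgeek.local:389/ \
#       "cn=ldapadm,dc=itzgeek,dc=local" root1234 "dc=itzgeek,dc=local" > rp.ldif
#   sh mmr_ldif.sh overlay > syncprov.ldif
#   sh mmr_ldif.sh check srv1-rp.ldif srv2-rp.ldif
case "${1:-}" in
    render)  shift; render_rp_ldif "$@" ;;
    overlay) render_syncprov_overlay ;;
    check)   shift; ids_unique "$@" && echo "olcServerID and rid values are unique" ;;
esac
```

Render one file per node, run check on all of them together, and only then load each file on its own server. Note that the credentials value ends up in clear text in cn=config and, with bindmethod=simple over ldap://, is sent in the clear on every replication bind; the syncrepl spec also accepts starttls=critical, which is worth adding once TLS is set up on both nodes.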

Test the LDAP replication:

Let’s create an LDAP user called “ldaptest” on any one of your master servers. To do that, create a .ldif file on ldpsrv1.itzgeek.local (in my case).

[root@ldpsrv1 ~]# vi ldaptest.ldif

Update the above file with the below content.

dn: uid=ldaptest,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldaptest
uid: ldaptest
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

Add the user to the LDAP server using the ldapadd command.

[root@ldpsrv1 ~]# ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f ldaptest.ldif

Output:

Enter LDAP Password:
adding new entry "uid=ldaptest,ou=People,dc=itzgeek,dc=local"

Search for “ldaptest” on the other master server (ldpsrv2.itzgeek.local).

[root@ldpsrv2 ~]# ldapsearch -x cn=ldaptest -b dc=itzgeek,dc=local

Output:

# extended LDIF
#
# LDAPv3
# base <dc=itzgeek,dc=local> with scope subtree
# filter: cn=ldaptest
# requesting: ALL
#

# ldaptest, People, itzgeek.local
dn: uid=ldaptest,ou=People,dc=itzgeek,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldaptest
uid: ldaptest
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword:: e2NyeXB0fXg=
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Now, set a password from ldpsrv2.itzgeek.local for the user that was created on ldpsrv1.itzgeek.local. If you are able to set the password, the replication is working as expected.

[root@ldpsrv2 ~]# ldappasswd -s password123 -W -D "cn=ldapadm,dc=itzgeek,dc=local" -x "uid=ldaptest,ou=People,dc=itzgeek,dc=local"

Where,

-s specifies the password for the user

-x the user for whom the password is changed

-D the distinguished name used to authenticate to the LDAP server

In a master-slave replication topology, you cannot set the password for an LDAP user on the slave server.
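
Searching for the test user and changing its password shows that one entry made it across. The general check for a multi-master pair is to compare the contextCSN values on the suffix entry of each node: in mirror mode the suffix carries one contextCSN per olcServerID, and when both nodes return the same set of values every write seen by one has reached the other. The script below is an added example, not code from the original article or the OpenLDAP project. The sample LDIF blobs are constructed to look like ldapsearch -LLL output for the two servers configured above (serverIDs 001 and 002, the suffix dc=itzgeek,dc=local); the function names are the example's own, and fetch_csn assumes contextCSN is readable with an anonymous bind, which is the case with the default access rules but not with a locked-down ACL.

```sh
#!/bin/sh
# Added example (not part of the original article): verify that two multi-master
# nodes have converged by comparing the contextCSN values on the suffix entry.
# In mirror mode the suffix carries one contextCSN per olcServerID; when the
# sets of values match on both nodes, every write seen by one has reached the other.
set -eu

# Pull the contextCSN values out of LDIF text given on stdin, one per line, sorted
# so that the order in which the server returned them does not matter.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Fetch the suffix entry's contextCSN attribute from one live node with an
# anonymous base-scope search (not executed by the test; needs a reachable slapd
# whose ACL lets anonymous clients read contextCSN, as the default rules do).
fetch_csn() {
    host=$1; suffix=$2
    ldapsearch -x -LLL -H "ldap://$host" -b "$suffix" -s base contextCSN
}

# Return 0 when both LDIF blobs carry the same, non-empty set of contextCSN values.
csn_in_sync() {
    a=$(printf '%s\n' "$1" | extract_csn)
    b=$(printf '%s\n' "$2" | extract_csn)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample output, in the shape ldapsearch -LLL prints for the suffix.
# The CSN format is <timestamp>#<count>#<serverID>#<modifier>; serverIDs 001 and
# 002 correspond to ldpsrv1 and ldpsrv2 as configured above.
SYNCED_SRV1='dn: dc=itzgeek,dc=local
contextCSN: 20170317093012.456789Z#000000#001#000000
contextCSN: 20170317093045.123456Z#000000#002#000000'

# Same values, returned in a different order: still in sync.
SYNCED_SRV2='dn: dc=itzgeek,dc=local
contextCSN: 20170317093045.123456Z#000000#002#000000
contextCSN: 20170317093012.456789Z#000000#001#000000'

# ldpsrv2 here has not yet received the latest change made on ldpsrv1 (older 001 CSN).
LAGGING_SRV2='dn: dc=itzgeek,dc=local
contextCSN: 20170317093011.000000Z#000000#001#000000
contextCSN: 20170317093045.123456Z#000000#002#000000'

# Live usage:
#   sh check_mmr.sh dc=itzgeek,dc=local ldpsrv1.itzgeek.local ldpsrv2.itzgeek.local
if [ $# -eq 3 ]; then
    if csn_in_sync "$(fetch_csn "$2" "$1")" "$(fetch_csn "$3" "$1")"; then
        echo "in sync"
    else
        echo "NOT in sync (or contextCSN not readable anonymously)"
        exit 1
    fi
fi
```

A transient mismatch right after a write is normal with refreshAndPersist; a mismatch that persists for longer than the retry interval configured in rp.ldif points at a consumer that cannot bind to its provider or at mismatched serverIDs, and slapd's sync log level shows which.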

Extras:

Configure the LDAP client to bind to the new master server too.

authconfig --enableldap --enableldapauth --ldapserver=ldpsrv1.itzgeek.local,ldpsrv2.itzgeek.local --ldapbasedn="dc=itzgeek,dc=local" --enablemkhomedir --update

That’s All.
