Configure multi-master replication OpenLDAP [Step-by-Step]

Multi-master replication with OpenLDAP - Overview

OpenLDAP has various configuration options for creating a replicated directory. The LDAP Sync protocol allows a client to maintain a synchronized copy of a DIT fragment. The LDAP Sync operation is defined as a set of controls and other protocol elements which extend the LDAP search operation. When any attribute value in a replicated object is changed on the provider, each consumer fetches and processes the changed object, including both the changed and unchanged attribute values, during replication.

Multi-master replication is a replication technique that uses Syncrepl to replicate data to multiple provider ("master") directory servers. In a multi-master OpenLDAP configuration, all the nodes are writable. Network traffic and write load are spread across all the servers, the same as for a single provider.


Benefits of Multi-Master Replication in OpenLDAP

The following are the benefits of Multi-master replication:

  • If one master node fails, the other nodes still accept connections and changes.
  • Multi-master replication avoids a single point of failure.
  • Under multi-master replication, the servers can be placed in different locations and networks, so if one network area fails, the others still serve requests.
  • It provides high availability for LDAP services.

Lab Environment

LDAP master Server1 (Read and Write):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapmaster1.example.com
IP Address: 192.168.1.101

LDAP master Server2 (Read and Write):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapmaster2.example.com
IP Address: 192.168.1.102

LDAP Client Machine:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapclient.example.com

Prerequisites

Before starting the multi-master replication with OpenLDAP, please refer to the document Configure OpenLDAP on Rocky Linux 8 [Step-by-Step] and configure a basic OpenLDAP server on both LDAP master Server1 and LDAP master Server2.

Refer to the article 8 simple steps to configure ldap client RHEL/CentOS 8 to configure the LDAP client on Rocky Linux 8.

Multi-master replication is a method of replication that allows data to be stored by a group of computers and updated by any member of the group. In this article, we configure OpenLDAP with two servers, so that if one master node fails, the other still accepts connections and changes.

Update the /etc/hosts file on both servers with the hostnames and IP addresses so that each can resolve the other's hostname.

192.168.1.101 ldapmaster1.example.com
192.168.1.102 ldapmaster2.example.com

Step-1: Configure syncprov module on all servers.

The syncprov (Sync Provider) overlay implements the provider-side support for LDAP Content Synchronization. In the master-slave replication setup, we configured syncprov only on the master node. In this multi-master configuration, we need to enable syncprov on all the master nodes.

1.1 Enable syncprov module

Create a file syncprov_mod.ldif on both ldapmaster1 and ldapmaster2 with the following contents:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Import the syncprov_mod.ldif file with ldapadd on both servers. The result will look like below:

[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

1.2 Enable olcDatabase

Once the module is loaded, let's create another file, syncprov_enable.ldif, with the contents below.

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

Import the syncprov_enable.ldif file on both ldapmaster1 and ldapmaster2. The result will look like below:

[root@ldapmaster2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_enable.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"

Step-2: Configure Multi-Master settings on all servers

Once the syncprov module is loaded and the database overlay is in place, we need to add the multi-master replication settings. To configure the master servers, create a file ldapmaster.ldif with the following contents on both servers, adjusting the values for each server.

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 101

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldapmaster2.example.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com"
  credentials=testuser
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

From the above file:

  • olcServerID - An integer ID from 0 to 4095 for this server (limited to 3 hexadecimal digits). These IDs are required when using multi-master replication, and each master must have a unique ID.
  • provider - The URI of the other LDAP server. In the file above, the provider is set to ldapmaster2.example.com, the second server's address, so when you import the same file on ldapmaster2 you must set the provider to ldapmaster1.example.com.
  • binddn - The DN used to authenticate to the other server. In the example, we use the admin user 'Manager'; the same DN can be used on both servers.
  • credentials - The password of the binddn user.
  • rid - The Replica ID, a unique 3-digit number that identifies the replica. Each consumer (each olcSyncRepl value) needs its own rid.

Make the necessary changes described above and import the ldapmaster.ldif file using ldapmodify on both ldapmaster1 and ldapmaster2. The result will look like below:

[root@ldapmaster2 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapmaster.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"

[root@ldapmaster2 ~]#

In this article, we have only two master servers. If you need more than two, add another olcSyncRepl value to the ldapmaster.ldif file with a new Replica ID. In the example file below, I have added another server, ldapmaster3.example.com, with rid=003.

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 100

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldapmaster2.example.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com"
  credentials=testuser
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
olcSyncRepl: rid=003
  provider=ldap://ldapmaster3.example.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com"
  credentials=testuser
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
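
The per-server values in ldapmaster.ldif (olcServerID, rid and provider) are easy to get wrong when the same file is copied from host to host. The shell function below is an added example, not part of the original article: it prints the file for a given server ID and list of peers, using the article's bind DN, password and suffix as placeholder values.

```shell
#!/bin/sh
# Added example, not from the original article: print the ldapmaster.ldif for
# one master so olcServerID, rid and provider are set per host rather than
# edited by hand. The bind DN and password are the article's example values.
# Note: the password is stored in cn=config in clear text, and bindmethod=simple
# over ldap:// sends it unencrypted, so restrict who can read cn=config.

# gen_master_ldif SERVER_ID RID PEER_HOST [RID PEER_HOST ...]
# Emits one olcSyncRepl value per peer, each with its own rid.
gen_master_ldif() {
  sid=$1; shift
  printf 'dn: cn=config\nchangetype: modify\n'
  printf 'replace: olcServerID\nolcServerID: %s\n\n' "$sid"
  printf 'dn: olcDatabase={2}mdb,cn=config\nchangetype: modify\n'
  printf 'add: olcSyncRepl\n'
  while [ $# -ge 2 ]; do
    # The article's interval= is omitted: it only applies to type=refreshOnly.
    cat <<EOF
olcSyncRepl: rid=$1
  provider=ldap://$2:389/
  bindmethod=simple
  binddn="cn=Manager,dc=example,dc=com"
  credentials=testuser
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
EOF
    shift 2
  done
  # The syncprov overlay was already added in step 1.2, so it is not repeated.
  printf '%s\n' '-' 'add: olcMirrorMode' 'olcMirrorMode: TRUE'
}

# Usage on ldapmaster1 (serverID 101, peer ldapmaster2):
#   gen_master_ldif 101 001 ldapmaster2.example.com > ldapmaster.ldif
# Three masters, as in the article's second file:
#   gen_master_ldif 100 001 ldapmaster2.example.com 003 ldapmaster3.example.com
```

On ldapmaster2 call it with a different server ID and ldapmaster1.example.com as the peer, then import the result with ldapmodify as shown above.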

Step-3: Test LDAP multi-master Replication

Let's create a user in LDAP and test the replication. Log in to both ldapmaster1 and ldapmaster2 and create a user on each master server; under multi-master replication, all the master servers are writable. Once you make a change, check it on the same server as well as on the other server: the data must be in sync between the servers.

Please refer to the article to manage users in OpenLDAP: Managing User accounts to the OpenLDAP Server

In the example, I followed the above article, created an LDAP user testuser5 on ldapmaster1 and checked the result with the ldapsearch command on both servers. I could confirm that the user is synced to both servers.

On ldapmaster1:

[root@ldapmaster1 ~]# ldapsearch -x cn=testuser5 -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser5
# requesting: ALL
#

# testuser6, People, example.com
dn: uid=testuser6,ou=People,dc=example,dc=com

On ldapmaster2:

[root@ldapmaster2 ~]# ldapsearch -x cn=testuser5 -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser5
# requesting: ALL
#

# testuser6, People, example.com
dn: uid=testuser6,ou=People,dc=example,dc=com
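
Searching for one user, as above, shows that a single entry has arrived. A fuller check is to compare the contextCSN values of the suffix on both masters: each master stamps its writes with its own serverID (the 3-hex-digit field after the second '#', so olcServerID 101 appears as 065), and masters that are in sync report the same set of values. The shell functions below are an added example, not part of the original article; the ldapsearch output they parse is constructed, and the live check assumes the article's suffix dc=example,dc=com and the anonymous read access used by ldapsearch -x above.

```shell
#!/bin/sh
# Added example, not from the original article: compare the suffix's contextCSN
# values on two masters. In-sync masters hold an identical set of CSNs, one per
# serverID that has ever written. Assumes suffix dc=example,dc=com and anonymous
# read access, as used by the article's "ldapsearch -x".

# Constructed sample output of "ldapsearch -x -LLL -s base contextCSN".
SAMPLE_M1='dn: dc=example,dc=com
contextCSN: 20230501120000.123456Z#000000#065#000000
contextCSN: 20230501120030.654321Z#000000#066#000000'
# Same state, attribute values in another order (order is not significant).
SAMPLE_M2='dn: dc=example,dc=com
contextCSN: 20230501120030.654321Z#000000#066#000000
contextCSN: 20230501120000.123456Z#000000#065#000000'
# A lagging master that has not yet received the latest write from serverID 0x065.
SAMPLE_LAG='dn: dc=example,dc=com
contextCSN: 20230501115900.000000Z#000000#065#000000
contextCSN: 20230501120030.654321Z#000000#066#000000'

# Extract the contextCSN values from LDIF on stdin, sorted one per line.
parse_csn() {
  sed -n 's/^contextCSN: //p' | sort
}

# Decimal serverID of one CSN, e.g. ...#065#... -> 101 (the olcServerID).
csn_sid() {
  printf '%d\n' "0x$(printf '%s' "$1" | cut -d'#' -f3)"
}

# Returns 0 when both sorted CSN lists are identical, 1 otherwise.
csn_in_sync() {
  [ "$1" = "$2" ]
}

# Live check (needs ldapsearch and both servers): check_masters HOST1 HOST2
check_masters() {
  a=$(ldapsearch -x -LLL -H "ldap://$1/" -b dc=example,dc=com -s base contextCSN | parse_csn)
  b=$(ldapsearch -x -LLL -H "ldap://$2/" -b dc=example,dc=com -s base contextCSN | parse_csn)
  if csn_in_sync "$a" "$b"; then
    echo "in sync"
  else
    printf '%s:\n%s\n%s:\n%s\n' "$1" "$a" "$2" "$b"
    return 1
  fi
}
```

Run check_masters ldapmaster1.example.com ldapmaster2.example.com after a write; if it reports a difference that does not disappear within the retry window, check the slapd log on the consumer side for bind or connection errors.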

Step-4: Configure OpenLDAP client

We have configured OpenLDAP multi-master replication. Now, let us configure the OpenLDAP client to use both servers. Refer to the article Configure LDAP client on Rocky Linux 8 for the client setup.

To use both OpenLDAP master servers, update the client configuration as follows.

Edit the file /etc/openldap/ldap.conf and update the URI

URI ldap://ldapmaster1.example.com/ ldap://ldapmaster2.example.com/

Also, edit the file /etc/sssd/sssd.conf and update ldap_uri:

ldap_uri = ldap://ldapmaster1.example.com/,ldap://ldapmaster2.example.com/

Summary

In this tutorial, we have learned to set up OpenLDAP multi-master replication on Rocky Linux 8. The same configuration can also be used on RHEL/CentOS 7/8 servers.

What's Next

Configure OpenLDAP Master Slave replication [Step-by-Step]

Reference

Replication - OpenLDAP Software 2.4 Administrator's Guide