Multi-master replication with OpenLDAP - Overview
OpenLDAP has various configuration options for creating a replicated directory. The LDAP Sync protocol allows a client to maintain a synchronized copy of a DIT fragment. The LDAP Sync operation is defined as a set of controls and other protocol elements which extend the LDAP search operation. When any attribute value in a replicated object is changed on the provider, each consumer fetches and processes the changed object, including both the changed and unchanged attribute values, during replication.
Multi-master replication is a replication technique that uses Syncrepl to replicate data among multiple provider ("master") directory servers. Under the Multi-master OpenLDAP configuration, all the nodes are writable, and network traffic and write load are spread across all the servers, the same as for a single-provider setup.
Benefits of Multi-Master Replication in OpenLDAP
The following are the benefits of Multi-master replication:
- If one master node fails, the other nodes still accept the connections and changes.
- Multi-master replication avoids a single point of failure.
- Under Multi-master replication, we can place the servers in different locations and networks. This helps because if one network area fails, the others still serve requests.
- It is good for the High availability of LDAP services.
Lab Environment
LDAP master Server1 (Read and Write):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname : ldapmaster1.example.com
IP Address: 192.168.1.101
LDAP master Server2 (Read and Write):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname : ldapmaster2.example.com
IP Address: 192.168.1.102
LDAP Client Machine:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname : ldapclient.example.com
Prerequisites
Before starting the Multi-master replication with OpenLDAP, please refer to the document Configure OpenLDAP on Rocky Linux 8 [Step-by-Step] and configure the basic OpenLDAP server on both LDAP master Server1 and LDAP master Server2.
Refer to the article 8 simple steps to configure ldap client RHEL/CentOS 8 to configure LDAP client on Rocky Linux 8
Multi-master replication is a method of replication that allows data to be stored by a group of computers, and updated by any member of the group. In this article, we are configuring OpenLDAP with 2 servers. So that If one master node fails, the other nodes still accept the connections and changes.
Update the /etc/hosts file on both servers with the hostnames and IP addresses so that each server can resolve the other's hostname.
192.168.1.101 ldapmaster1.example.com
192.168.1.102 ldapmaster2.example.com
Step-1: Configure syncprov module on all servers.
The syncprov (Sync Provider) overlay implements the provider-side support for the LDAP Content Synchronization protocol. In the master-slave replication setup, we configured syncprov only on the master node; in this multi-master configuration, it must be enabled on all the master nodes.
1.1 Enable syncprov module
Create a file syncprov_mod.ldif on both ldapmaster1 and ldapmaster2 with the following contents:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
Import the syncprov_mod.ldif file on both servers. The result will be like below:
[root@ldapmaster1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
1.2 Enable olcDatabase
Once the module is loaded, let's create another file syncprov_enable.ldif with the contents below:
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
Import the syncprov_enable.ldif file on both ldapmaster1 and ldapmaster2. The result will be like below:
[root@ldapmaster2 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_enable.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
Step-2: Configure Multi-Master settings on all servers
Once the syncprov module and the database to sync are configured, we need to update the settings for Multi-Master replication. To configure the master server, create a file ldapmaster.ldif with the following contents on both servers, with the proper values for each server.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 101

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldapmaster2.example.com:389/ bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=testuser searchbase="dc=example,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
From the above file:
- olcServerID - Specify an integer ID from 0 to 4095 for this server (limited to 3 hexadecimal digits). These IDs are required when using multi-master replication, and each master must have a unique ID.
- provider - Specify the other LDAP server's URI. In the above file the provider is set to ldapmaster2.example.com, which is the second server's host address. So, when you run the same file on ldapmaster2, you need to use the provider ldapmaster1.example.com.
- binddn - The bind DN is the identity used to authenticate against the other LDAP server. In the example, we have used the admin user 'Manager' for authentication. We can use the same on both servers.
- credentials - Password for the binddn user.
- rid - The Replica ID is a unique 3-digit number that identifies the replica. Each consumer should have at least one rid.
Make the above necessary changes and import the ldapmaster.ldif file using ldapmodify on both ldapmaster1 and ldapmaster2. The result would be like below:
[root@ldapmaster2 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapmaster.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
[root@ldapmaster2 ~]#
In our article, we have only two master servers. If you need more than two master servers, you need to add another olcSyncRepl section to the ldapmaster.ldif file with a new Replica ID. In the example file below, I have added another server ldapmaster3.example.com with rid=003:
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 100

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldapmaster2.example.com:389/ bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=testuser searchbase="dc=example,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
olcSyncRepl: rid=003 provider=ldap://ldapmaster3.example.com:389/ bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=testuser searchbase="dc=example,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
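The two-server file and its three-server variant differ only in the olcServerID, the peer hostnames and the rids, which is exactly where copy-paste mistakes happen (the same provider URI on both nodes, or a rid used twice). The following shell script is an added example and is not part of the original article: it builds ldapmaster.ldif for one node from its server ID and the list of its peers, numbers the rids 001, 002, ... in peer order, and provides two checks that the number of distinct rids matches the number of olcSyncRepl lines. It assumes the article's lab values (suffix dc=example,dc=com, bind DN cn=Manager, database olcDatabase={2}mdb) and reads the bind password from a BIND_PW environment variable, defaulting to the article's testuser. Because the file and cn=config hold that password in clear text, the script creates the file with umask 077 so that only root can read it. It leaves out the olcOverlay=syncprov entry, since Step 1.2 already created it on both nodes.

```shell
#!/bin/sh
# Added example (not from the original article): generate ldapmaster.ldif for one
# node of an OpenLDAP multi-master ring and sanity-check the rids.
# Assumptions: the article's lab suffix, bind DN and database DN; the bind
# password comes from $BIND_PW (default: the article's lab password "testuser").

SUFFIX="dc=example,dc=com"
BINDDN="cn=Manager,dc=example,dc=com"
DB_DN="olcDatabase={2}mdb,cn=config"
BIND_PW="${BIND_PW:-testuser}"

# one_syncrepl RID HOST -> prints one olcSyncRepl attribute line for peer HOST,
# using the same syncrepl parameters as the article.
one_syncrepl() {
    printf 'olcSyncRepl: rid=%s provider=ldap://%s:389/ bindmethod=simple binddn="%s" credentials=%s searchbase="%s" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00\n' \
        "$1" "$2" "$BINDDN" "$BIND_PW" "$SUFFIX"
}

# gen_master_ldif SERVER_ID PEER_HOST... -> prints the complete LDIF for this node.
# Rids are numbered 001, 002, ... in peer order, so they are unique by construction.
gen_master_ldif() {
    server_id=$1
    shift
    case "$server_id" in
        ''|*[!0-9]*) echo "olcServerID must be an integer 0-4095" >&2; return 1 ;;
    esac
    if [ "$server_id" -gt 4095 ]; then
        echo "olcServerID must be an integer 0-4095" >&2
        return 1
    fi
    if [ $# -eq 0 ]; then
        echo "at least one peer hostname is required" >&2
        return 1
    fi
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcServerID\nolcServerID: %s\n\n' "$server_id"
    printf 'dn: %s\nchangetype: modify\nadd: olcSyncRepl\n' "$DB_DN"
    n=1
    for peer in "$@"; do
        one_syncrepl "$(printf '%03d' "$n")" "$peer"
        n=$((n + 1))
    done
    printf '%s\nadd: olcMirrorMode\nolcMirrorMode: TRUE\n' '-'
}

# count_syncrepl_lines FILE -> number of olcSyncRepl lines in FILE
count_syncrepl_lines() {
    grep -c '^olcSyncRepl:' "$1"
}

# count_unique_rids FILE -> number of distinct rid= values in FILE;
# it must equal count_syncrepl_lines, otherwise a rid was reused.
count_unique_rids() {
    grep -o 'rid=[0-9]*' "$1" | sort -u | wc -l | tr -d ' '
}

# Usage on ldapmaster1 (olcServerID 101, peer ldapmaster2). The file contains the
# bind password, so it is created readable by root only.
umask 077
gen_master_ldif 101 ldapmaster2.example.com > ldapmaster.ldif
echo "wrote ldapmaster.ldif with $(count_syncrepl_lines ldapmaster.ldif) olcSyncRepl line(s), $(count_unique_rids ldapmaster.ldif) distinct rid(s)"
# then: ldapmodify -Y EXTERNAL -H ldapi:/// -f ldapmaster.ldif
```

On ldapmaster2 call gen_master_ldif 102 ldapmaster1.example.com instead; for a third node, pass the additional peer hostnames as further arguments on every node, then import the file with ldapmodify exactly as in the article.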
Step-3: Test LDAP multi-master Replication
Let's create a user in LDAP and test the replication. Log in to both ldapmaster1 and ldapmaster2 and create users on each master server. Under multi-master replication, all the master servers are writable. Once you make a change, check it on the same server as well as on the other server; the entries must be in sync between the servers.
Please refer to the article to manage users in OpenLDAP: Managing User accounts to the OpenLDAP Server
In the example, I have followed the above article and created an LDAP user testuser5 on ldapmaster1 and tested the configuration using the ldapsearch command on both servers. I could confirm that the user is synced on both servers.
On ldapmaster1:
[root@ldapmaster1 ~]# ldapsearch -x cn=testuser5 -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser5
# requesting: ALL
#
# testuser6, People, example.com
dn: uid=testuser6,ou=People,dc=example,dc=com
On ldapmaster2:
[root@ldapmaster2 ~]# ldapsearch -x cn=testuser5 -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser5
# requesting: ALL
#
# testuser6, People, example.com
dn: uid=testuser6,ou=People,dc=example,dc=com
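Searching for a single user shows that one entry arrived, but it does not tell you whether the two masters have fully converged. Syncrepl tracks replication state through the contextCSN attribute of the suffix entry: a provider in a multi-master ring carries one contextCSN value per olcServerID (the third #-separated field of a CSN is the server ID in hexadecimal, so 101 appears as 065 and 102 as 066), and once replication has caught up, the set of values is identical on every node. The following shell script is an added example, not code from the original article: it reduces ldapsearch output to the sorted contextCSN values and compares the two nodes. It assumes the article's suffix dc=example,dc=com; the ldapsearch output used below is constructed inline so the check runs offline, while fetch_csns shows the live query to run against the real servers.

```shell
#!/bin/sh
# Added example (not from the original article): compare the contextCSN set of
# two OpenLDAP multi-master nodes to decide whether they have converged.
# Assumption: the suffix is dc=example,dc=com as in the article's lab.

SUFFIX="dc=example,dc=com"

# extract_csns -> filter: reduces ldapsearch LDIF on stdin to sorted contextCSN values
extract_csns() {
    sed -n 's/^contextCSN: //p' | sort
}

# fetch_csns HOST -> sorted contextCSN values of HOST's suffix entry (live query,
# not used in the offline demonstration below).
fetch_csns() {
    ldapsearch -x -LLL -H "ldap://$1/" -b "$SUFFIX" -s base contextCSN | extract_csns
}

# csns_match "CSNS_A" "CSNS_B" -> succeeds when both newline-separated lists are identical
csns_match() {
    [ "$1" = "$2" ]
}

# Constructed sample ldapsearch output standing in for the two nodes. Server IDs
# 101 and 102 appear in the CSNs as the hex fields 065 and 066.
SAMPLE_M1='dn: dc=example,dc=com
contextCSN: 20210815101500.123456Z#000000#065#000000
contextCSN: 20210815101530.654321Z#000000#066#000000'

# Same values in a different order: in sync.
SAMPLE_M2_IN_SYNC='dn: dc=example,dc=com
contextCSN: 20210815101530.654321Z#000000#066#000000
contextCSN: 20210815101500.123456Z#000000#065#000000'

# Older CSN for server 066: ldapmaster2 has not yet applied the latest change.
SAMPLE_M2_LAGGING='dn: dc=example,dc=com
contextCSN: 20210815101500.123456Z#000000#065#000000
contextCSN: 20210815101510.000000Z#000000#066#000000'

# check_sample M2_OUTPUT -> prints in-sync or out-of-sync for SAMPLE_M1 versus M2_OUTPUT
check_sample() {
    a=$(printf '%s\n' "$SAMPLE_M1" | extract_csns)
    b=$(printf '%s\n' "$1" | extract_csns)
    if csns_match "$a" "$b"; then
        echo in-sync
    else
        echo out-of-sync
    fi
}

echo "ldapmaster2 (complete copy):  $(check_sample "$SAMPLE_M2_IN_SYNC")"
echo "ldapmaster2 (lagging copy):   $(check_sample "$SAMPLE_M2_LAGGING")"
# Against the lab servers:
#   csns_match "$(fetch_csns ldapmaster1.example.com)" "$(fetch_csns ldapmaster2.example.com)" && echo in-sync
```

A mismatch right after a write is normal while refreshAndPersist catches up; a mismatch that persists beyond the retry interval points at a broken provider URI, wrong credentials, or a node whose olcServerID is not unique, and is worth alerting on.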
Step-4: Configure OpenLDAP client
We have configured OpenLDAP multi-master replication. Now, let us configure the OpenLDAP client to use both servers. Refer to the article Configure LDAP client on Rocky Linux 8 to configure the LDAP client.
To use both OpenLDAP master servers, you need to update the configuration as follows.
Edit the file /etc/openldap/ldap.conf and update the URI:
URI ldap://ldapmaster1.example.com/ ldap://ldapmaster2.example.com/
Also, edit the file /etc/sssd/sssd.conf and update the ldap_uri:
ldap_uri = ldap://ldapmaster1.example.com/,ldap://ldapmaster2.example.com/
Summary
In this tutorial, we have learned to set up OpenLDAP multi-master replication on Rocky Linux 8. The same configuration can also be used on RHEL/CentOS 7/8 servers.
What’s Next
Configure OpenLDAP Master Slave replication [Step-by-Step]
Reference
Replication - OpenLDAP Software 2.4 Administrator's Guide