OpenLDAP Master Slave replication - Overview
LDAP Sync replication is an object-based replication mechanism. When any attribute value in a replicated object is changed on the provider (master), each consumer (slave) fetches and processes the complete changed object, including both the changed and unchanged attribute values.
The LDAP Sync replication engine, syncrepl for short, is a consumer-side replication engine that enables the consumer LDAP server to maintain a shadow copy of a Directory information tree (DIT) fragment. Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for short) protocol as the replica synchronization protocol.
Lab Environment
We are using 3 servers for this lab. Configurations are as follows:
LDAP Master Server (Read and Write):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapmaster.example.com
IP Address: 192.168.1.101
LDAP Slave Server (Read-Only):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapslave.example.com
LDAP Client Machine:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapclient.example.com
Pre-requisites
Before starting the OpenLDAP Master Slave replication configuration, please refer to the document Configure OpenLDAP on Rocky Linux 8 [Step-by-Step] and configure the OpenLDAP server on both the LDAP master server and the LDAP slave server.
Also refer to the article 8 simple steps to configure ldap client RHEL/CentOS 8 to configure the LDAP client on Rocky Linux 8.
Once you have configured all three servers, let us start configuring the OpenLDAP Master Slave replication.
1. Setup OpenLDAP Master Server
In this section, we will configure the LDAP master server ldapmaster.example.com. Once the OpenLDAP server is configured, let us create a user for replication. We could also use the LDAP admin user Manager, but for security reasons we create a separate user that is used only for replication. Using slappasswd we will create a password hash. Use your own password.
[root@ldapmaster ~]# slappasswd
New password:
Re-enter new password:
{SSHA}71hv5hDW6ODD0GIc17PVitLl4LQXNYZ4
1.1 Create replication user
Let us create a file addreplicauser.ldif and add the below content. Replace the userPassword hash with your own password hash.
dn: uid=replicauser,dc=example,dc=com
objectClass: simpleSecurityObject
objectclass: account
objectClass: shadowAccount
uid: replicauser
description: Replication User
userPassword: {SSHA}71hv5hDW6ODD0GIc17PVitLl4LQXNYZ4
Once you have created the above file, run the below command to add the user. In the example, we have created the user replicauser.
[root@ldapmaster ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f addreplicauser.ldif
Enter LDAP Password:
adding new entry "uid=replicauser,dc=example,dc=com"
1.2 Configure syncprov module
The modules are available under the folder /usr/lib64/openldap after installing the OpenLDAP server. syncprov or Sync Provider is a module that implements the provider-side support for the LDAP Content Synchronization as well as syncrepl replication support, including persistent search functionality. We can enable the modules like below.
In the example, create a file syncprov_mod.ldif with the following contents.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
Now we can import the file syncprov_mod.ldif to the LDAP master server as below:
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
Create another file syncprov_enable.ldif with the below contents. syncprov must be enabled for each database that is to be replicated, like below:
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100
Now import the file syncprov_enable.ldif to enable syncprov for the database olcDatabase={2}mdb.
[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_enable.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
Now, we have configured the LDAP master server for replication using module syncprov.
2. Setup OpenLDAP Slave Server
In this section, we are configuring our second server, the replication server ldapslave.example.com. As mentioned in the beginning, this server also needs to be configured with OpenLDAP. Make sure you have updated the firewall and that the connection between the master and the slave is working.
2.1 Configure replication
In the slave server, we need to configure the replication.
Let us create a file replication.ldif with the below contents. Make sure to change the most important configurations such as LDAP server URL, LDAP user, and password as per your configurations.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
provider=ldap://192.168.1.101:389/
bindmethod=simple
binddn="uid=replicauser,dc=example,dc=com"
credentials=MyreplicaPassword
searchbase="dc=example,dc=com"
scope=sub
schemachecking=on
type=refreshAndPersist
retry="30 5 300 3"
interval=00:00:05:00
From the above configuration file:
- rid=001 is the ID of the replication. If you have multiple replica nodes, this must be unique for each consumer; it is a three-digit number.
- provider=ldap://192.168.1.101:389/ is the LDAP master server. You can use your own IP address or hostname here.
- binddn is the DN the consumer binds as on the provider, which determines what it is permitted to read. We have created the user replicauser for replication; replace it with your username.
- credentials is the password of the bind DN. Put your replicauser password here.
Once the file is created, apply the configuration on the slave server as below:
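As an added example for this page (not code from the tutorial), the following parses an olcSyncRepl value into its parameters and checks the points explained above, plus one the tutorial does not mention: with a plain ldap:// provider and no starttls option, the replication password and the replicated entries travel unencrypted. The sample value is the consumer configuration from this section.

```python
"""Parse and sanity-check an olcSyncRepl value (added example, not from the
tutorial): three-digit rid unique per consumer, provider URL, bind DN and
credentials present, valid type, well-formed retry pairs, and a warning for a
plain ldap:// provider without starttls (bind password sent in the clear)."""
import re
import shlex

# Constructed sample: the consumer configuration from section 2.1 as one value.
SAMPLE_SYNCREPL = (
    'rid=001 provider=ldap://192.168.1.101:389/ bindmethod=simple '
    'binddn="uid=replicauser,dc=example,dc=com" credentials=MyreplicaPassword '
    'searchbase="dc=example,dc=com" scope=sub schemachecking=on '
    'type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00'
)


def parse_syncrepl(value):
    """Split a syncrepl spec into a dict; shlex strips the quotes around values."""
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"malformed syncrepl token: {token!r}")
        params[key.lower()] = val
    return params


def check_syncrepl(params, used_rids=()):
    """Return a list of problems; an empty list means the spec passes."""
    problems = []
    rid = params.get("rid", "")
    if not re.fullmatch(r"\d{3}", rid):
        problems.append("rid must be a three-digit number")
    elif rid in used_rids:
        problems.append(f"rid {rid} already used by another consumer")
    for required in ("provider", "searchbase", "binddn", "credentials"):
        if required not in params:
            problems.append(f"missing {required}")
    provider = params.get("provider", "")
    if not re.match(r"ldaps?://", provider):
        problems.append("provider must be an ldap:// or ldaps:// URL")
    elif provider.startswith("ldap://") and params.get("starttls") not in ("yes", "critical"):
        problems.append("plain ldap:// provider without starttls: bind password "
                        "and replicated data are sent unencrypted")
    if params.get("type") not in ("refreshOnly", "refreshAndPersist"):
        problems.append("type must be refreshOnly or refreshAndPersist")
    retry = params.get("retry", "")
    if retry and len(retry.split()) % 2:
        problems.append("retry must be <interval> <count> pairs")
    return problems
```

Pass the rids already assigned to other consumers in used_rids when checking a new replica's spec.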
[root@ldapslave ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f replication.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}mdb,cn=config"
This completes the basic master-slave replication. Once the configuration has been applied, the slave server starts replicating from the master. In this kind of master-slave setup the slave server is read-only; new changes can be written only to the master server.
3. Test OpenLDAP Master Slave Replication
Let's create a user in LDAP and test the replication. Log in to the master LDAP server and create an LDAP user. Refer to the article on managing users in OpenLDAP: Managing User accounts to the OpenLDAP Server.
Once the user is created on the master server, you should be able to search for the user on both servers like below:
On the Master server:
[root@ldapmaster ~]# ldapsearch -x cn=testuser -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#
# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
On the slave server:
[root@ldapslave ~]# ldapsearch -x cn=testuser -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#
# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
In the example, we created the user on the master node and the ldapslave node has replicated the user entry.
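An added check for this step (example code written for this page, not from the tutorial): instead of searching for one test user, compare the contextCSN of the suffix entry on the provider and the consumer, which covers every replicated change rather than a single entry. The two ldapsearch outputs below are constructed samples, with the slave deliberately shown behind.

```python
"""Check whether a consumer has caught up with its provider (added example,
not from the tutorial). Instead of searching for one test user, compare the
contextCSN attribute of the suffix entry on both servers: a converged consumer
shows the same contextCSN as the provider for every server ID (sid)."""
from datetime import datetime

# Constructed sample output of (run once against each server):
#   ldapsearch -x -LLL -H ldap://<host>/ -b dc=example,dc=com -s base contextCSN
MASTER_OUT = """dn: dc=example,dc=com
contextCSN: 20210915101512.123456Z#000000#000#000000
"""
SLAVE_OUT = """dn: dc=example,dc=com
contextCSN: 20210915101430.654321Z#000000#000#000000
"""


def parse_context_csn(ldif_text):
    """Map sid -> contextCSN; a CSN is <timestamp>#<count>#<sid>#<mod>."""
    csns = {}
    for line in ldif_text.splitlines():
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            sid = csn.split("#")[2]
            csns[sid] = csn
    return csns


def csn_time(csn):
    """Timestamp part of a CSN as a datetime (UTC, microsecond precision)."""
    return datetime.strptime(csn.split("#")[0], "%Y%m%d%H%M%S.%fZ")


def replication_status(master_out, slave_out):
    """Return (in_sync, lag): lag maps each provider sid to the consumer's
    delay in seconds, or None when the consumer has no CSN for that sid."""
    master = parse_context_csn(master_out)
    slave = parse_context_csn(slave_out)
    lag = {}
    for sid, m_csn in master.items():
        s_csn = slave.get(sid)
        lag[sid] = None if s_csn is None else (csn_time(m_csn) - csn_time(s_csn)).total_seconds()
    # Equality of the full CSN strings is the sync criterion; the lag is informational.
    in_sync = bool(master) and all(slave.get(sid) == csn for sid, csn in master.items())
    return in_sync, lag
```

A consumer that never shows a contextCSN for the provider's sid has not completed its initial refresh; check the bind DN and the network path between the two servers first.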
4. Configure OpenLDAP client
We have created an OpenLDAP master and a slave server. Now, let us configure the OpenLDAP client to use both servers. Refer to the article Configure LDAP client on Rocky Linux 8 to configure the LDAP client.
To use both OpenLDAP master and slave servers, you need to update the configurations as follows.
Edit the file /etc/openldap/ldap.conf and update the URI line:
URI ldap://ldapmaster.example.com/ ldap://ldapslave.example.com/
Also, edit the file /etc/sssd/sssd.conf and update the ldap_uri line:
ldap_uri = ldap://ldapmaster.example.com/,ldap://ldapslave.example.com/
Alternatively, you can use the commands authconfig or authselect to update the configuration. Install the command first if it is not present.
For more information, refer to Configuring authentication and authorization in RHEL.
[root@ldapclient ~]# dnf install authconfig -y
[root@ldapclient ~]# authconfig --enableldap --enableldapauth --ldapserver=ldapmaster.example.com,ldapslave.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
Running authconfig compatibility tool.
The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.
IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See man authselect-migration(7) to help you with migration to authselect
Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect current --raw
Executing: /usr/bin/authselect select sssd with-mkhomedir --force
Executing: /usr/bin/systemctl enable sssd.service
Executing: /usr/bin/systemctl stop sssd.service
Executing: /usr/bin/systemctl start sssd.service
Executing: /usr/bin/systemctl enable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service
Executing: /usr/bin/systemctl start oddjobd.service
Once the above command has been executed, you can check the generated configuration like below:
[root@ldapclient ~]# cat /etc/sssd/conf.d/authconfig-sssd.conf
[sssd]
domains = default
[domain/default]
id_provider = ldap
ldap_uri = ldapmaster.example.com,ldapslave.example.com
ldap_search_base = dc=example,dc=com
Summary
In this tutorial, we have learned to set up OpenLDAP Master Slave replication on Rocky Linux 8. The same configuration can also be used on RHEL/CentOS 7/8 servers.
Hey!
I followed this guide to set up a replication client and it almost worked. The slave or replication client duplicates most of the directory except for the userPassword attributes from the master. Thus, if I use the replication client for authentication, authentication never succeeds. Any idea how to fix it so that the replication client copies the userPassword attribute?
The replication client (aka slave) duplicated the directory except that it has no userPassword attributes for any of the users. Thus, when I use the replication client LDAP server, authentication never succeeds. I'm using ApacheDirStudio to browse both master and slave. Any idea how to fix this so that the slave gets the userPassword fields for user objects?
We need a guide for OpenLDAP configuration.
We are required to create a total of 8 master servers with multi-master replication configuration and 20 slaves in read-only mode, so we need your guide; it would be very helpful for me.