Configure OpenLDAP Master Slave replication Rocky Linux 8



OpenLDAP Master Slave replication - Overview

LDAP Sync replication is an object-based replication mechanism. When any attribute value in a replicated object changes on the provider (master), each consumer (slave) fetches and processes the complete changed object, including both the changed and the unchanged attribute values.

The LDAP Sync replication engine, syncrepl for short, is a consumer-side replication engine that enables the consumer LDAP server to maintain a shadow copy of a Directory information tree (DIT) fragment. Syncrepl uses the LDAP Content Synchronization (or LDAP Sync for short) protocol as the replica synchronization protocol.


Lab Environment

We are using 3 servers for this lab. Configurations are as follows:

LDAP master Server (Read and Write):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapmaster.example.com
IP Address: 192.168.1.101

LDAP Slave Server (Read-Only):
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapslave.example.com

LDAP Client Machine:
OS: Rocky Linux release 8.4 (Green Obsidian)
Hostname: ldapclient.example.com


Pre-requisites

Before starting the OpenLDAP master-slave replication configuration, please refer to the document Configure OpenLDAP on Rocky Linux 8 [Step-by-Step] and configure the OpenLDAP server on both the LDAP master server and the LDAP slave server.

Also refer to the article 8 simple steps to configure ldap client RHEL/CentOS 8 to configure the LDAP client on Rocky Linux 8.

Once all three servers are configured, let us start configuring OpenLDAP master-slave replication.


1. Setup OpenLDAP Master Server

In this section, we will configure the LDAP master server ldapmaster.example.com. Once the OpenLDAP server is configured, let us create a dedicated user for replication. The LDAP admin user Manager would also work, but for security reasons the consumer should bind with a separate account. Using slappasswd we generate a password hash; use your own password.

[root@ldapmaster ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}71hv5hDW6ODD0GIc17PVitLl4LQXNYZ4


1.1 Create replication user

Let us create a file addreplicauser.ldif and add the below content. Replace the userPassword hash with your own password hash.

dn: uid=replicauser,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: account
objectClass: shadowAccount
uid: replicauser
description: Replication User
userPassword: {SSHA}71hv5hDW6ODD0GIc17PVitLl4LQXNYZ4

Once you have created the above file, run the command below to add the user. In the example, we create the user replicauser.

[root@ldapmaster ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f addreplicauser.ldif
Enter LDAP Password: 
adding new entry "uid=replicauser,dc=example,dc=com"


1.2 Configure syncprov module

The modules are available under /usr/lib64/openldap after the OpenLDAP server is installed. syncprov (Sync Provider) is the overlay that implements the provider-side support for LDAP Content Synchronization and syncrepl replication, including persistent search. We can enable it as shown below.

In the example, create a file syncprov_mod.ldif with the following contents.

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Now we can import the file syncprov_mod.ldif to the LDAP master server as below:

[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"


Create another file syncprov_enable.ldif with the contents below. syncprov has to be enabled on each database that should be replicated; here it is the olcDatabase={2}mdb backend:

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

Now apply the file syncprov_enable.ldif to enable syncprov for the database olcDatabase={2}mdb.

[root@ldapmaster ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_enable.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"

The LDAP master server is now configured as a replication provider using the syncprov module.


2. Setup OpenLDAP Slave Server

In this section, we configure our second server, the replica ldapslave.example.com. As mentioned at the beginning, this server also needs a working OpenLDAP installation. Make sure the firewall has been updated and that the slave can reach the master on the LDAP port.


2.1 Configure replication

On the slave server, we configure the replication consumer. Create a file replication.ldif with the contents below, and make sure to change the most important settings, such as the provider URL, the bind DN, and the password, to match your environment.

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.1.101:389/
  bindmethod=simple
  binddn="uid=replicauser,dc=example,dc=com"
  credentials=MyreplicaPassword
  searchbase="dc=example,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00

From the above configuration file:

  • rid=001 is the ID of this replication directive. If you have multiple replica nodes, do not forget to change it: the value must be unique for each consumer and is at most a three-digit number.
  • provider=ldap://192.168.1.101:389/ is the LDAP master server. You can use your own IP address or hostname here. Note that a simple bind over plain ldap:// sends the replication password in clear text; on an untrusted network use ldaps:// or add starttls=critical to the directive.
  • binddn is the DN the consumer binds as. What that identity is allowed to read on the master is what gets replicated, so attributes hidden from it by the master's ACLs (for example userPassword under the default olcAccess rules) will not arrive on the slave. We created the user replicauser for this purpose; replace it with your username.
  • credentials holds the password for that bind DN. Put your replicauser password here.


Once the file is created, apply the configuration to the slave server as below:

[root@ldapslave ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f replication.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}mdb,cn=config"

This completes the basic master-slave replication. Once the configuration is applied, the slave server starts replicating from the master. In this kind of master-slave setup the slave is read-only; new changes can only be written to the master server.


3. Test OpenLDAP Master Slave Replication

Let's create a user in LDAP and test the replication. Log in to the master LDAP server and create an LDAP user. Please refer to the article on managing users in OpenLDAP: Managing User accounts to the OpenLDAP Server.

Once the user is created on the master server, you should be able to search for it on both servers as below:

On the Master server:

[root@ldapmaster ~]# ldapsearch -x cn=testuser -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com

On the slave server:

[root@ldapslave ~]# ldapsearch -x cn=testuser -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com

In the example, we created the user on the master node and the ldapslave node replicated the user entry.
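Beyond a one-off ldapsearch, a practitioner wants a repeatable check that the consumer is actually in sync and that the replication DN can see everything it must copy. The script below is an added example written for this page, not the tutorial's own code: it compares the contextCSN of master and slave (the change sequence number syncrepl tracks) and checks whether replicauser can read userPassword on the master; the hostnames, suffix and DN are the lab values above, the script name replcheck.sh is an assumption, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Replication health check for the provider/consumer pair from this tutorial.
# Added example, not the tutorial's own script. Assumes the lab hostnames,
# suffix and replication DN above, and ldapsearch from openldap-clients.
PROVIDER="ldap://ldapmaster.example.com/"
CONSUMER="ldap://ldapslave.example.com/"
SUFFIX="dc=example,dc=com"
REPL_DN="uid=replicauser,dc=example,dc=com"

# Pull the first contextCSN value out of LDIF text on stdin. contextCSN is the
# change sequence number syncrepl tracks; provider and consumer match when in sync.
extract_csn() {
    sed -n 's/^contextCSN: *//p' | head -n 1
}

# Compare two CSN strings: prints in-sync/lagging/missing, returns 0 only if equal.
csn_status() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo "missing"; return 2; fi
    if [ "$1" = "$2" ]; then echo "in-sync"; return 0; fi
    echo "lagging"; return 1
}

# Constructed ldapsearch output (not captured from a real server) for a dry run.
sample_ldif() {
    printf 'dn: dc=example,dc=com\ncontextCSN: 20210912093045.123456Z#000000#000#000000\n'
}

# Read contextCSN from a server; the operational attribute must be requested by name.
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -s base -b "$SUFFIX" contextCSN | extract_csn
}

# Bind as the replication DN (password prompted, so it never lands on the command
# line) and look for any readable userPassword. The default ACL
# "to attrs=userPassword by self write by anonymous auth by * none" hides the
# attribute from replicauser, so the slave gets entries without passwords and
# logins against it fail; grant that DN read access on the provider to fix it.
replica_can_read_passwords() {
    ldapsearch -x -LLL -H "$PROVIDER" -D "$REPL_DN" -W -b "$SUFFIX" \
        '(userPassword=*)' userPassword | grep -q '^userPassword:'
}

case "${1:-}" in
    check)
        p=$(fetch_csn "$PROVIDER"); c=$(fetch_csn "$CONSUMER")
        echo "provider=$p consumer=$c status=$(csn_status "$p" "$c")"
        if replica_can_read_passwords; then echo "replicauser can read userPassword"
        else echo "replicauser cannot read userPassword: adjust olcAccess on the master"; fi
        ;;
esac
```

Run `sh replcheck.sh check` from the client after creating a user on the master; a persistent "lagging" status or a missing userPassword points at connectivity or ACL problems rather than at the syncrepl directive itself.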


4. Configure OpenLDAP client

We have created an OpenLDAP master and a slave server. Now, let us configure the OpenLDAP client to use both servers. Refer to the article Configure LDAP client on Rocky Linux 8 to configure the LDAP client.

To use both OpenLDAP master and slave servers, you need to update the configurations as follows.

Edit the file /etc/openldap/ldap.conf and update the URI to list both servers:

URI ldap://ldapmaster.example.com/ ldap://ldapslave.example.com/


Also edit the file /etc/sssd/sssd.conf and update ldap_uri:

ldap_uri = ldap://ldapmaster.example.com/,ldap://ldapslave.example.com/


Alternatively, you can use the authconfig or authselect command to update the configuration; install the command first if it is not present.

Please refer to Configuring authentication and authorization in RHEL for more information.

[root@ldapclient ~]# dnf install authconfig -y


[root@ldapclient ~]# authconfig --enableldap --enableldapauth --ldapserver=ldapmaster.example.com,ldapslave.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update
Running authconfig compatibility tool.
The purpose of this tool is to enable authentication against chosen services with authselect and minimum configuration. It does not provide all capabilities of authconfig.

IMPORTANT: authconfig is replaced by authselect, please update your scripts.
See man authselect-migration(7) to help you with migration to authselect

Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect current --raw
Executing: /usr/bin/authselect select sssd with-mkhomedir --force
Executing: /usr/bin/systemctl enable sssd.service
Executing: /usr/bin/systemctl stop sssd.service
Executing: /usr/bin/systemctl start sssd.service
Executing: /usr/bin/systemctl enable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service
Executing: /usr/bin/systemctl start oddjobd.service

Once the above command has run, you can check the generated configuration:

[root@ldapclient ~]# cat /etc/sssd/conf.d/authconfig-sssd.conf
[sssd]
domains = default

[domain/default]
id_provider = ldap
ldap_uri = ldapmaster.example.com,ldapslave.example.com
ldap_search_base = dc=example,dc=com


Summary

In this tutorial, we learned how to set up OpenLDAP master-slave replication on Rocky Linux 8. The same configuration also works on RHEL/CentOS 7/8 servers.



Deepak Prasad


3 thoughts on “Configure OpenLDAP Master Slave replication Rocky Linux 8”

  1. Hey!

    I followed this guide to set up a replication client and it almost worked. The slave or replication client duplicates most of the directory except for userPassword attributes from master. Thus, if I use the replication client for authentication, authentication never succeeds. Any idea how to fix it so that the replication client copies the userPassword object attribute?
  2. The replication client (aka slave) duplicated the directory except it has no userPassword attributes for any of the users. Thus, when I use the replication client LDAP server, authentication never succeeds. I'm using ApacheDirStudio to browse both master and slave. Any idea how to fix it so that the slave gets userPassword fields for user objects?
  3. We need a guide for OpenLDAP configuration.

    We are required to set up a total of 8 master servers with multi-master replication and 20 slaves working in read-only mode, so your guidance would be very helpful for me.
