How to Setup OpenLDAP Multi-Master Replication on CentOS 7

June 10, 2016 | LINUX HOWTO

OpenLDAP is an open source directory server implementing the Lightweight Directory Access Protocol. It is "lightweight" (smaller) compared to X.500 and was designed to run on smaller machines such as desktop computers. In OpenLDAP, data is arranged like the branches of a tree, one striking difference from other commonly used databases. Access rights to the directory are governed by two categories of functions in slapd, Access Control Lists and authorization functions, whereas in Linux/Unix access rights to the file system are based on file and directory permissions. An LDAP client binds (logs in) to an LDAP server and submits a query to request information, or submits information to be updated. The server then evaluates the client's access rights and, when they are granted, responds with the answer, or possibly with a referral to another LDAP server where the client can have the query serviced.

In this article we will set up Multi-Master replication of OpenLDAP on CentOS 7. When your directory is very large and has many clients generating heavy traffic on a single directory server, it becomes difficult to meet the SLA, so the client load has to be distributed across multiple servers with the help of replication. OpenLDAP supports several replication configurations; Master-Master (multi-provider) replication and Master-Consumer replication are the most commonly used.

Basic Setup:

In a multi-master replication topology, two or more servers act as masters, and each of these master servers is authoritative for any change made to the directory.

In this tutorial we are going to use two test servers, LDAP1.TEST.COM and LDAP2.TEST.COM, to keep the process simple.


Log in to both servers with root credentials and open the 'hosts' file to add both server names with their IP addresses, so that each system can resolve the other's hostname.

# vim /etc/hosts

127.0.0.1        localhost.localdomain localhost
<IP of LDAP1>    LDAP1.TEST.COM LDAP1
<IP of LDAP2>    LDAP2.TEST.COM LDAP2

Installing OpenLDAP Server:

In order to set up multi-master OpenLDAP replication, we first install and configure the basic LDAP server settings on both of our CentOS 7 servers.

Let's run the below command to install OpenLDAP server packages.

# yum install openldap-servers openldap-clients


After installation, copy the sample openldap DB configurations into the following location as shown.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Then change the file owner to the ldap user and start the 'slapd' service.

# chown ldap. /var/lib/ldap/DB_CONFIG

# systemctl start slapd


Setup OpenLDAP Admin password:

Generate the hashed password by running the slappasswd command and entering the password, then copy the generated hash and use it as the value of "olcRootPW" in the file below.

# slappasswd
New password:
Re-enter new password:

# vim chrootpw.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}<paste the hash generated by slappasswd here>

Save and close the file, then run the command below to apply it to the configuration database.

# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif


Run below commands to import schemas.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


Domain name setup on LDAP DB:

Let's generate the directory manager's password first, then open 'chdomain.ldif' and put the text below in it, making sure to replace the "dc=***,dc=***" parts with your own domain name and to use the hash generated here as the "olcRootPW" value.

# slappasswd
New password:
Re-enter new password:

# vim chdomain.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=test,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}IcE0NEjoshYdxkvdBaudyuo8NA2IlisgsN7MvXT

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=test,dc=com" write by * read

Save the file and run the command below to apply the changes.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif


Next, create the base entries for the domain in 'basedomain.ldif' and add them by binding as the Manager DN.

# vim basedomain.ldif

dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Test Domain
dc: Test

dn: cn=Manager,dc=test,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=com
objectClass: organizationalUnit
ou: Group

# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f basedomain.ldif

Enter LDAP Password:
adding new entry "dc=test,dc=com"
adding new entry "cn=Manager,dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"

Repeat the steps above on the other node, and then let's move on to multi-master replication.

OpenLDAP Multi-Master Replication:

Once your basic LDAP settings are complete, follow the steps below to configure multi-master replication. First we load the 'syncprov' module by creating the file below with the following contents.

# vim mod_syncprov.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Save and close the file, then run the command below to load the module.

# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

Then create the file below, which enables the syncprov overlay on the database, with the following contents.

# vim syncprov.ldif

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

Now run the command below again to apply this configuration.

# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif


Now we configure the replication itself, which is the most important part, by placing the configuration below in a file on each master node.

Don't forget to change the "olcServerID" and "provider=xxx" values according to the server you are on: each server needs a different olcServerID, and the provider URI must point at the other server.

# vim ldap01.ldif

# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify a unique ID number on each server (0 here, another value on the other node)
olcServerID: 0

# provider:   the other server's URI (on LDAP1 point at LDAP2, on LDAP2 at LDAP1)
# binddn:     the directory manager's DN; credentials: its plain-text password
# searchbase: your own domain name; scope=sub includes the whole subtree
# retry:      [retry interval] [retry times] [interval of re-retry] [re-retry times]
# a replication interval (interval=) is only honoured in refreshOnly mode, so it
# is omitted here because refreshAndPersist is used
# note: a simple bind sends the manager password over the wire; use an ldaps://
# URI or add starttls=critical once the servers have certificates
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://LDAP2.TEST.COM:389/
  bindmethod=simple
  binddn="cn=Manager,dc=test,dc=com"
  credentials=<directory manager password>
  searchbase="dc=test,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
-
add: olcMirrorMode
olcMirrorMode: TRUE

# this is the same overlay entry created from syncprov.ldif above; keep it only
# if you skipped that step, otherwise ldapmodify reports that it already exists
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

After saving, close the file and run the command below to apply the replication configuration.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifying entry "cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
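To confirm that both providers really hold the same replication state after the steps above, compare the contextCSN values of the suffix entry on each server: in mirror mode every olcServerID contributes its own contextCSN, and the two servers should report identical values for each ID. The following Python script is an added example and not part of the original article; it parses ldapsearch output for contextCSN, reports which server IDs differ, and builds the ldapsearch command used to fetch that attribute (the sample output below is constructed, and the hostnames and base DN follow this article).

```python
import re

# A contextCSN looks like 20160610120000.123456Z#000000#000#000000:
# timestamp # change count # server ID (hex) # modification count.
CSN_RE = re.compile(
    r"^(\d{14}\.\d{6}Z)#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


def parse_context_csn(ldif_text):
    """Return {server_id: csn} from ldapsearch output for the suffix entry."""
    csns = {}
    for line in ldif_text.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        value = line.split(":", 1)[1].strip()
        match = CSN_RE.match(value)
        if match is None:
            raise ValueError("unexpected contextCSN format: %s" % value)
        csns[int(match.group(3), 16)] = value  # key by olcServerID
    return csns


def compare_providers(csns_a, csns_b):
    """Return the server IDs whose contextCSN differs between two providers.
    An empty list means both servers hold the same replication state."""
    return [sid for sid in sorted(set(csns_a) | set(csns_b))
            if csns_a.get(sid) != csns_b.get(sid)]


def context_csn_command(host, base_dn):
    """Build the ldapsearch command that reads contextCSN from one provider."""
    return ["ldapsearch", "-x", "-LLL", "-H", "ldap://%s" % host,
            "-b", base_dn, "-s", "base", "contextCSN"]


# Constructed sample output (not captured from a real server): the entry for
# server ID 1 is newer on LDAP2 than on LDAP1, i.e. LDAP1 has not caught up yet.
SAMPLE_LDAP1 = """dn: dc=test,dc=com
contextCSN: 20160610120000.123456Z#000000#000#000000
contextCSN: 20160610120005.654321Z#000000#001#000000
"""
SAMPLE_LDAP2 = """dn: dc=test,dc=com
contextCSN: 20160610120000.123456Z#000000#000#000000
contextCSN: 20160610120009.000000Z#000000#001#000000
"""

if __name__ == "__main__":
    ldap1 = parse_context_csn(SAMPLE_LDAP1)
    ldap2 = parse_context_csn(SAMPLE_LDAP2)
    print("run on each node:", " ".join(context_csn_command("LDAP1.TEST.COM", "dc=test,dc=com")))
    print("server IDs out of sync:", compare_providers(ldap1, ldap2))  # [1]
```

On a live pair, replace the constructed samples with the output of the printed ldapsearch command from each node; a persistent mismatch means the syncrepl connection or credentials need checking.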

That's it. The OpenLDAP multi-master replication setup is complete; you can now configure your LDAP clients to bind to the LDAP master servers by running the command below on each client.

# authconfig --enableldap --enableldapauth --ldapserver=ldap://LDAP1.TEST.COM,ldap://LDAP2.TEST.COM --ldapbasedn="dc=test,dc=com" --update


In this article you have learned the basic concepts of OpenLDAP, its installation, and Multi-Master replication on CentOS 7. OpenLDAP supports a wide variety of replication topologies; the older terms master and slave have been deprecated in favor of provider and consumer: a provider replicates directory updates to consumers, and consumers receive replication updates from providers. Multi-Master replication uses Syncrepl to replicate data between multiple provider ("Master") directory servers, which makes it well suited for automatic failover and high availability. If any provider fails, the other providers continue to accept updates, avoiding a single point of failure, and providers can be located at several physical sites, distributed across the network or the globe. Thank you for reading; please share your valuable comments and suggestions.

