How to Setup OpenLDAP Multi-Master Replication on CentOS 7

June 10, 2016

OpenLDAP is an open source directory server implementing LDAP, the Lightweight Directory Access Protocol. It is "lightweight" or "smaller" compared with the X.500 directory protocols it was derived from, and was designed to run on smaller computers such as desktops. In OpenLDAP, entries are arranged like the branches of a tree, one striking difference from other commonly used databases. Access rights to the directory are governed by two mechanisms in slapd, Access Control Lists and authorization functions, whereas in Linux/Unix access to the file system is based on file and directory permissions. An LDAP client binds (logs in) to an LDAP server and submits a query to request information or submits information to be updated. The server evaluates the access rights and, when they are granted, responds with the answer, or possibly with a referral to another LDAP server where the client can have the query serviced.

In this article we will set up multi-master replication between OpenLDAP servers on CentOS 7. When a directory is very large and serves many clients, the traffic on a single directory server makes it difficult to meet the SLA, so the client load has to be distributed across several servers with the help of replication. OpenLDAP supports several replication configurations; master-master (multi-master) replication and master-consumer replication are the most commonly used.

Basic Setup:

In a multi-master replication topology, two or more servers act as masters, and each of them is authoritative for changes to the directory: a write accepted by any master is replicated to the others.

In this tutorial we will use two test servers, to keep the process simple, with the following host names and IP addresses:

LDAP1.TEST.COM IP address 172.25.10.176
LDAP2.TEST.COM IP address 192.25.10.177

Log in to both servers as root and add both server names and IP addresses to the 'hosts' file, so that each system can resolve the other's hostname.

# vim /etc/hosts

127.0.0.1 localhost.localdomain localhost
172.25.10.176 LDAP1.TEST.COM LDAP1
192.25.10.177 LDAP2.TEST.COM LDAP2

Installing OpenLDAP Server:

To set up multi-master OpenLDAP replication, we first install and configure the basic LDAP server settings on both of our CentOS 7 servers.

Run the command below to install the OpenLDAP server and client packages.

# yum install openldap-servers openldap-clients


After installation, copy the sample OpenLDAP database configuration to the following location:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Then change the file owner to the ldap user and start the 'slapd' service.

# chown ldap. /var/lib/ldap/DB_CONFIG

# systemctl start slapd


Setup OpenLDAP Admin password:

Generate a hashed password by running the slappasswd command and entering the password, then copy the generated hash into the "olcRootPW" line of the file below.

# slappasswd
New password:
Re-enter new password:
{SSHA}xcsCNH2eMVrNsf4dU7LRJFY5kULU01p4

# vim chrootpw.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xcsCNH2eMVrNsf4dU7LRJFY5kULU01p4

Save and close the file and apply it with the command below (the -Y EXTERNAL option authenticates as the local root user over the ldapi:/// socket, which the default configuration maps to the administrator of the config database).

# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif


Run the commands below to import the basic schemas.

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


Domain name setup on LDAP DB:

First generate the directory manager's password, then open 'chdomain.ldif' and put the text below in it, replacing "dc=test,dc=com" with your own domain name and the "olcRootPW" value with the hash you just generated.

# slappasswd
New password:
Re-enter new password:
{SSHA}xIE0NEjoshYdxkvdBaudyuo8NA2IlisgsN7MvXT

# vim chdomain.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=test,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xIE0NEjoshYdxkvdBaudyuo8NA2IlisgsN7MvXT

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=test,dc=com" write by * read

Save the file and apply it with the command below.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif


Now create the base entries of the directory (the domain itself, the Manager role, and the People and Group organizational units) in the following file.

# vim basedomain.ldif

dn: dc=test,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Test Domain
dc: Test

dn: cn=Manager,dc=test,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=com
objectClass: organizationalUnit
ou: Group

# ldapadd -x -D cn=Manager,dc=test,dc=com -W -f basedomain.ldif

Enter LDAP Password:
adding new entry "dc=test,dc=com"
adding new entry "cn=Manager,dc=test,dc=com"
adding new entry "ou=People,dc=test,dc=com"
adding new entry "ou=Group,dc=test,dc=com"

Repeat these steps on the other node, then move on to the multi-master replication.

OpenLDAP Multi-Master Replication:

Once the basic LDAP setup is complete on both nodes, follow the steps below to configure multi-master replication. First we load the 'syncprov' module by creating the file below with the following contents.

# vim mod_syncprov.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Save and close the file and apply it with the command below.

# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

Then create the file below with the following contents, which enables the syncprov overlay on the database.

# vim syncprov.ldif

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

Apply it with the command below.

# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif


Now we configure the replication itself by placing the configuration below into a file on each of your master nodes.

Don't forget to set a different "olcServerID" on each server and to point "provider=" at the other master on each node (on LDAP1 it names LDAP2, on LDAP2 it names LDAP1). If you already applied syncprov.ldif above, omit the final olcOverlay=syncprov stanza of this file, because adding the overlay a second time fails with "ldap_add: Already exists (68)". Note also that, as written, the Manager password is stored in cn=config and sent in a simple bind over an unencrypted ldap:// connection; in production use a dedicated replication account with only the rights it needs and protect the connection with TLS (ldaps:// or starttls=critical).

# vim ldap01.ldif

# create new
dn: cn=config
changetype: modify
replace: olcServerID
# specify a unique ID number on each server
olcServerID: 0

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
# The olcSyncRepl value below is one attribute value folded over several lines:
# each continuation line must start with two spaces (the first marks the
# continuation, the second separates the keywords). Keep comments out of the
# folded value.
#   provider    - URI of the other master; each node names its peer
#   binddn      - directory manager's DN for your own domain
#   credentials - directory manager's password
#   scope=sub   - replicate the whole subtree under searchbase
#   retry       - "[retry interval] [retry times] [interval of re-retry] [re-retry times]"
#   interval    - replication interval
olcSyncRepl: rid=001
  provider=ldap://ldap1.test.com:389/
  bindmethod=simple
  binddn="cn=Manager,dc=test,dc=com"
  credentials=xxxxxx
  searchbase="dc=test,dc=com"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
-
add: olcMirrorMode
olcMirrorMode: TRUE

# Only needed if syncprov.ldif above was not applied; adding the overlay a
# second time fails with "ldap_add: Already exists (68)".
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

After saving and closing the file, apply it with the command below.

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config"
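If ldapmodify instead reports "invalid format (line N)", the olcSyncRepl value has lost its folding, the mistake discussed in the comments below: a continuation line without a leading space is read as a new attribute line that has no ':'. The following pre-flight check is an added example, not part of the original article; its SAMPLE input is a constructed, unindented copy of the olcSyncRepl record from ldap01.ldif.

```python
import re

# Column-0 'name:' line; ldapmodify reports any other unindented, non-comment,
# non-'-' line as "invalid format (line N)".
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")
# Bare syncrepl keyword line such as provider=..., binddn="..." or retry="30 5 300 3".
KEYWORD_LINE = re.compile(r"^[a-z]+=")

def check_ldif(text):
    """Return [(line_number, message), ...]; empty means the file is well formed."""
    problems, lines = [], text.splitlines()
    for n, line in enumerate(lines, start=1):
        if line in ("", "-") or line.startswith(" ") or ATTR_LINE.match(line):
            continue
        if line.startswith("#"):
            # A space-led line continues the preceding physical line even when that
            # line is a comment, so the continuation is discarded together with it.
            if n < len(lines) and lines[n].startswith(" "):
                problems.append((n + 1, "continuation follows a comment and is lost"))
            continue
        problems.append((n, "invalid format: neither 'attr: value' nor a continuation"))
    return problems

def fix_folding(text):
    """Indent bare keyword=value lines inside an olcSyncRepl value with two spaces
    (one marks the continuation, one separates keywords) and drop inner comments."""
    out, in_value = [], False
    for line in text.splitlines():
        if line.startswith("olcSyncRepl:"):
            in_value = True
        elif in_value and line.startswith("#"):
            continue
        elif in_value and KEYWORD_LINE.match(line):
            line = "  " + line
        elif not line.startswith(" "):
            in_value = False
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed input: the second record of the tutorial's ldap01.ldif, pasted
# without indentation, as in the error reported in the comments below.
SAMPLE = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
# specify your LDAP server's URI
provider=ldap://ldap1.test.com:389/
"""
```

Run check_ldif on a file before applying it; fix_folding rewrites the olcSyncRepl record the way the comment thread below describes.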

That's it. The OpenLDAP multi-master replication setup is complete. You can now configure your LDAP clients to bind to both master servers by running the command below on each client.

# authconfig --ldapserver=ldap1.test.com,ldap2.test.com --update
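To confirm that the two masters actually converge, compare the contextCSN values of the suffix entry on each of them: with the syncprov overlay every master keeps one CSN per serverID that has written, and the sets are identical when replication is caught up. The script below is an added example, not from the original article; it assumes ldapsearch is installed where it runs and uses the tutorial's host names and suffix, and the two SAMPLE_* outputs are constructed to show one master lagging.

```python
import subprocess

# The tutorial's two masters and suffix; ldapsearch is assumed to be in PATH.
MASTERS = ["ldap://ldap1.test.com", "ldap://ldap2.test.com"]
SUFFIX = "dc=test,dc=com"

def parse_csns(ldif_output):
    """Return the contextCSN values in an ldapsearch result as a sorted tuple."""
    csns = [line.split(":", 1)[1].strip() for line in ldif_output.splitlines()
            if line.lower().startswith("contextcsn:")]
    return tuple(sorted(csns))

def fetch_csns(uri):
    """Anonymous base-scope read of the suffix entry (olcAccess {2} above grants
    '* read'); contextCSN is operational, so it has to be requested by name."""
    result = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-H", uri, "-b", SUFFIX, "-s", "base", "contextCSN"],
        capture_output=True, text=True, check=True)
    return parse_csns(result.stdout)

def replication_status(csns_by_master):
    """Given {uri: csn_tuple}, return (in_sync, detail). A CSN looks like
    YYYYmmddHHMMSS.uuuuuuZ#count#sid#mod; every master must hold the identical
    set of values, or one of them is behind (or has no data at all)."""
    distinct = set(csns_by_master.values())
    if len(distinct) == 1 and () not in distinct:
        return True, "in sync (%d CSN values on each master)" % len(distinct.pop())
    detail = "; ".join("%s -> %s" % (uri, ", ".join(csns) or "<no contextCSN>")
                       for uri, csns in csns_by_master.items())
    return False, "diverged: " + detail

# Constructed ldapsearch output for the offline demonstration: ldap1 has seen writes
# from both serverIDs (0 and 1), ldap2 has not yet received the write made on ldap1.
SAMPLE_LDAP1 = """dn: dc=test,dc=com
contextCSN: 20160610120000.000000Z#000000#000#000000
contextCSN: 20160610120005.000000Z#000000#001#000000
"""
SAMPLE_LDAP2 = """dn: dc=test,dc=com
contextCSN: 20160610120005.000000Z#000000#001#000000
"""

if __name__ == "__main__":
    # Live check against both masters; exit 1 so it can run from cron or a monitor.
    ok, detail = replication_status({uri: fetch_csns(uri) for uri in MASTERS})
    print(("OK " if ok else "FAIL ") + detail)
    raise SystemExit(0 if ok else 1)
```

A CSN set that stays different for longer than the configured retry interval, or a master with no contextCSN at all, means the syncrepl consumer on that node is not pulling from its peer.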

Conclusion:

In this article you have learned the basic concepts of OpenLDAP, its installation, and multi-master replication on CentOS 7. OpenLDAP supports a wide variety of replication topologies. The terms master and slave have been deprecated in favor of provider and consumer: a provider replicates directory updates to consumers, and consumers receive replication updates from providers. Multi-master replication uses syncrepl to replicate data between multiple provider ("master") directory servers, which is best for automatic failover and high availability: if any provider fails, the other providers continue to accept updates, avoiding a single point of failure, and providers can be located at several physical sites, distributed across the network or the globe. Thank you for reading; please share your valuable comments and suggestions.

Filed Under : LINUX HOWTO



Comments (7)


  1. loan thai says:

    Hi,

    When executing this command: > ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif
    I received this error:

    [root@ldap2 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap01.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "cn=config"

    ldapmodify: invalid format (line 13) entry: "olcDatabase={2}hdb,cn=config"

    I checked line 13 on ldap01.ldif but did not find anything wrong, could you please help. Thanks.

    This is a section of ldap01.ldif, and line 13 points to my ldap01.domain.com:

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=001
    # specify your LDAP server's URI
    provider=ldap://ldap1.domain.com:389/
    bindmethod=simple

  2. loan thai says:

    I followed exactly the step: # vim ldap01.ldif
    to create the ldap01.ldif. Only replace dc=xxx, .... with my domain.

  3. loan thai says:

    Fixed. It is really a syntax error.

    • Bobbin Zachariah says:

      Excellent. Good to hear

      • blah says:

        What was the syntax error? I have the same problem

        • lit_aaron says:

          You must leave at least two spaces after the "olcSyncRepl: rid=001" line until the next add/replace action
          ------------------------------------
          # create new
          dn: cn=config
          changetype: modify
          replace: olcServerID
          # specify unique ID number on each server
          olcServerID: 0

          dn: olcDatabase={2}hdb,cn=config
          changetype: modify
          add: olcSyncRepl
          olcSyncRepl: rid=001
            provider=ldap://ldap1.test.com:389/
            bindmethod=simple
            binddn="cn=Manager,dc=test,dc=com"
            credentials=xxxx
            searchbase="dc=test,dc=com"
            scope=sub
            schemachecking=on
            type=refreshAndPersist
            retry="30 5 300 3"
            interval=00:00:05:00
          -
          replace: olcMirrorMode
          olcMirrorMode: TRUE

          dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
          changetype: add
          objectClass: olcOverlayConfig
          objectClass: olcSyncProvConfig
          olcOverlay: syncprov
