When you want to improve the reliability of your LDAP service, or simply when the number of queries has grown considerably, you need more LDAP servers so that the queries can be balanced across them. It is also important that the data stays consistent between the servers and is updated with the latest changes. One option is to partition the tree structure of the LDAP database, distributing the data across the servers, but that still leaves the problem of high availability. The solution to both problems is replication, which simply consists in keeping the same information on all the servers. LDAP offers several replication mechanisms. One of them is slurpd, which works by push replication: the new changes made on the master are replicated to the slave server, and if you try to update the database on the slave it returns a referral to the master, indicating the correct server for updates. The other one, the most widely used and the one integrated into LDAP, is called syncrepl. It acts as an intermediary between the slapd core and the database backend, and every update to the LDAP tree is tracked by syncrepl. Syncrepl is initiated by the slave server, called the consumer, which establishes a connection to the master server, called the provider.

Syncrepl can be configured in two modes. In refreshOnly the consumer receives from the provider all the entries modified since the last update, together with a cookie that records the latest change, and then the consumer disconnects from the provider. The other mode is refreshAndPersist: it works like refreshOnly, but the consumer does not close the connection to the provider, so any change is received from the provider immediately. With syncrepl, as mentioned above, we have the roles of master (provider) and slave (consumer), but it can be interesting to configure multi-master servers to increase the reliability of both reads and writes to the LDAP tree. This simply consists in both servers acting as master and slave at the same time, so that all the data is kept up to date on both. In this scenario I'll show the configuration with a basic LDAP tree structure and a syncrepl multi-master setup:

– The base LDIF of the LDAP tree used in this scenario:

dn: ou=groups,dc=opentodo,dc=net
objectClass: organizationalunit
ou: groups

dn: ou=people,dc=opentodo,dc=net
objectClass: organizationalunit
ou: people

dn: cn=sales,ou=groups,dc=opentodo,dc=net
objectclass: posixgroup
cn: sales
gidnumber: 10001

dn: cn=operations,ou=groups,dc=opentodo,dc=net
objectclass: posixgroup
cn: operations
gidnumber: 10002

dn: cn=john,ou=people,dc=opentodo,dc=net
objectclass: posixaccount
objectclass: inetorgperson
objectclass: shadowaccount
sn: john
cn: john
uid: john
uidnumber: 10001
gidnumber: 10001
homedirectory: /home/john
loginshell: /bin/bash
userpassword: {MD5}6ZoYxCjLONXyYIU2eJIuAw==

dn: cn=ivan,ou=people,dc=opentodo,dc=net
objectclass: posixaccount
objectclass: inetorgperson
objectclass: shadowaccount
sn: ivan
cn: ivan
uid: ivan
uidnumber: 100002
gidnumber: 100002
homedirectory: /home/ivan
loginshell: /bin/bash
userpassword: {MD5}6ZoYxCjLONXyYIU2eJIuAw==

– Install the LDAP server and utilities:

# apt-get install slapd ldap-utils

– Reconfigure the slapd package:

# dpkg-reconfigure slapd

– Edit the /etc/ldap/slapd.conf configuration file on both servers:

Server 1

#######################################################################
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel none

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov

# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the number of CPUs used for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for @BACKEND@:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb

# Specific Directives for database #1, of type @BACKEND@:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=opentodo,dc=net"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=opentodo,dc=net"
rootpw ldapadmin
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass eq
# Necessary for syncprov specific indexes
index entryUUID eq
index entryCSN eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=opentodo,dc=net" write
        by * read

# Replication of the LDAP tree from the other server (continuation lines
# of the syncrepl directive must be indented)
syncrepl rid=001
        provider=ldap://172.16.0.101:389
        type=refreshOnly
        interval=00:00:00:01
        searchbase="dc=opentodo,dc=net"
        bindmethod=simple
        binddn="cn=admin,dc=opentodo,dc=net"
        credentials=ldapadmin
# Mirror mode allows writes to the LDAP tree on this server too
mirrormode true
# The syncprov overlay must be declared so this server can act as provider for the replica
overlay syncprov
# A checkpoint is produced after 100 write operations or after 10 minutes
syncprov-checkpoint 100 10

Server 2

#######################################################################
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel none

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov

# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the number of CPUs used for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for @BACKEND@:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb

# Specific Directives for database #1, of type @BACKEND@:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=opentodo,dc=net"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=opentodo,dc=net"
rootpw ldapadmin
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index objectClass eq
# Necessary for syncprov specific indexes
index entryUUID eq
index entryCSN eq

# Save the time that the entry gets modified, for database #1
lastmod on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=opentodo,dc=net" write
        by * read

# Replication of the LDAP tree from the other server (continuation lines
# of the syncrepl directive must be indented)
syncrepl rid=002
        provider=ldap://172.16.0.100:389
        type=refreshOnly
        interval=00:00:00:01
        searchbase="dc=opentodo,dc=net"
        bindmethod=simple
        binddn="cn=admin,dc=opentodo,dc=net"
        credentials=ldapadmin
# Mirror mode allows writes to the LDAP tree on this server too
mirrormode true
# The syncprov overlay must be declared so this server can act as provider for the replica
overlay syncprov
# A checkpoint is produced after 100 write operations or after 10 minutes
syncprov-checkpoint 100 10
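As an added example that is not part of the original post, the Python script below lints one slapd.conf for the settings this multi-master setup depends on: the indentation slapd.conf requires so that the syncrepl parameters belong to the syncrepl directive, mirrormode, the syncprov overlay, the entryUUID/entryCSN indexes, a hashed rootpw, and the serverID directive, which slapd.conf(5) requires for multi-master replication and which the two configs above omit. The embedded SERVER1 excerpt is constructed from the post's server 1 settings.

```python
import re

def parse_slapd_conf(text):
    # (directive, args) pairs; slapd.conf joins a line that starts with whitespace
    # onto the previous directive, so syncrepl's provider=, type=, ... must be indented
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
        else:
            parts = raw.strip().split(None, 1)
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def syncrepl_params(args):
    # split the syncrepl key=value tokens; values may be double-quoted
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', args)}

def lint_conf(text, peer):
    # findings for one server whose syncrepl provider should be the other master, `peer`
    d = parse_slapd_conf(text)
    rep = next((syncrepl_params(a) for n, a in d if n == "syncrepl"), {})
    findings = [] if rep else ["no syncrepl directive"]
    if rep and peer not in rep.get("provider", ""):
        findings.append(f"syncrepl provider should point at the peer {peer}")
    if not any(n == "mirrormode" and a.lower() in ("true", "on", "yes") for n, a in d):
        findings.append("mirrormode must be enabled so this server accepts writes too")
    if ("overlay", "syncprov") not in d:
        findings.append("overlay syncprov missing: this server cannot act as provider")
    for attr in ("entryuuid", "entrycsn"):
        if not any(n == "index" and a.lower().startswith(attr) for n, a in d):
            findings.append(f"missing 'index {attr} eq' needed by syncprov")
    if not any(n == "serverid" for n, _ in d):
        findings.append("serverID missing: each multi-master needs a unique one")
    pw = next((a for n, a in d if n == "rootpw"), "")
    if pw and not pw.startswith("{"):
        findings.append("rootpw is cleartext: use the hash printed by slappasswd")
    return findings

SERVER1 = """rootpw ldapadmin
index entryUUID eq
index entryCSN eq
syncrepl rid=001
        provider=ldap://172.16.0.101:389 type=refreshOnly searchbase="dc=opentodo,dc=net"
        bindmethod=simple binddn="cn=admin,dc=opentodo,dc=net" credentials=ldapadmin
mirrormode true
overlay syncprov
"""  # constructed excerpt of the post's server 1; rid=001 points at server 2
```

Note also that the access rule above ("access to * by * read") lets anonymous clients read every attribute, including userPassword; the Debian default slapd.conf keeps a rule for attrs=userPassword with "by anonymous auth by self write by * none" in front of the catch-all rule, and it is worth keeping it.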

– Edit /etc/default/slapd:

SLAPD_CONF=/etc/ldap/slapd.conf

– Restart slapd:

# service slapd restart

– Add a new user on one of the servers and check that the sync succeeds:

# vi users.ldif

dn: cn=tbombadil,ou=people,dc=opentodo,dc=net
objectclass: posixaccount
objectclass: inetorgperson
objectclass: shadowaccount
uid: tbombadil
homedirectory: /home/tbombadil
loginshell: /bin/bash
userpassword: {MD5}6ZoYxCjLONXyYIU2eJIuAw==
mail: [email protected]
uidnumber: 10005
gidnumber: 10001
cn: tbombadil
sn: tbombadil

# ldapadd -x -D "cn=admin,dc=opentodo,dc=net" -W -f users.ldif

– Search for the user on both servers:

# ldapsearch -x -D "cn=admin,dc=opentodo,dc=net" -b "dc=opentodo,dc=net" "uid=tbombadil" -w ldapadmin
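Besides searching for the new entry, a practitioner will want to know whether the two masters have actually converged. The added Python script below (not from the original post) asks each server for the contextCSN values of the suffix entry, an operational attribute that ldapsearch only returns when it is requested by name, and compares the newest CSN per serverID; the hosts are the post's 172.16.0.100 and 172.16.0.101, and the sample ldapsearch output is constructed.

```python
import subprocess, sys

SUFFIX = "dc=opentodo,dc=net"
SERVERS = ("172.16.0.100", "172.16.0.101")  # the two masters from the post

def parse_context_csn(ldif):
    # collect every contextCSN value; a multi-master suffix entry keeps one per serverID
    return {line.split(":", 1)[1].strip()
            for line in ldif.splitlines() if line.lower().startswith("contextcsn:")}

def newest_per_sid(csns):
    # a CSN is <timestamp>#<count>#<sid>#<mod>; within one sid, string order is time order
    by_sid = {}
    for csn in csns:
        sid = csn.split("#")[2]
        by_sid[sid] = max(by_sid.get(sid, ""), csn)
    return by_sid

def compare(csns_a, csns_b):
    """Per serverID: 'ok', 'a behind', 'b behind', 'missing on a' or 'missing on b'."""
    a, b = newest_per_sid(csns_a), newest_per_sid(csns_b)
    result = {}
    for sid in sorted(set(a) | set(b)):
        if sid not in a:
            result[sid] = "missing on a"
        elif sid not in b:
            result[sid] = "missing on b"
        elif a[sid] == b[sid]:
            result[sid] = "ok"
        else:
            result[sid] = "a behind" if a[sid] < b[sid] else "b behind"
    return result

def fetch_context_csn(host):
    # base-scope search of the suffix, naming the operational attribute contextCSN
    # explicitly; the post's ACL ("by * read") allows this without binding
    cmd = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}", "-b", SUFFIX,
           "-s", "base", "contextCSN"]
    return parse_context_csn(subprocess.run(cmd, capture_output=True, text=True,
                                            check=True).stdout)

# Constructed ldapsearch output for an offline run: on A, sid 001 is one change behind B
SAMPLE_A = ("dn: dc=opentodo,dc=net\n"
            "contextCSN: 20130205101500.123456Z#000000#000#000000\n"
            "contextCSN: 20130205101530.000000Z#000000#001#000000\n")
SAMPLE_B = SAMPLE_A.replace("20130205101530.000000Z", "20130205101545.000000Z")

if __name__ == "__main__":  # --live queries the real servers, otherwise the sample
    live = "--live" in sys.argv
    print(compare(*map(fetch_context_csn, SERVERS)) if live
          else compare(parse_context_csn(SAMPLE_A), parse_context_csn(SAMPLE_B)))
```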

Sources

http://www.zytrax.com/books/ldap/
http://www.ibm.com/developerworks/linux/tutorials/l-lpic3303/section3.html

Multi-Master LDAP replication