Openldap and Multi-Master Replication in FreeBSD – Part III: Replication

Replication using Syncrepl N-Way Multi-Master:

In Part II of this series, phpLDAPadmin was installed and configured to manage an OpenLDAP Directory. Part III will demonstrate OpenLDAP Replication using the Syncrepl N-Way Multi-Master configuration.

 

Below is an example of a Multi-Master dual data center configuration using a mixture of hardware load balancing and OpenLDAP Replicas – source www.openldap.org:

[Figure: Multi-Master dual data center configuration diagram, from www.openldap.org]

Although the above example is significantly more complex than the configuration contained in this post, it does demonstrate the possibilities for building a high availability OpenLDAP environment.

 

Notes:  Before using Syncrepl consider the following:

  • The rid parameter must be unique within the server’s slapd.conf file.  The serverID parameter must be unique to each server, and there is no relationship between the rid parameter and the serverID values in the slapd.conf file.
  • Multi-Master Replication requires each server to have accurate time.  Ensure each server’s time is updated using a facility such as ntp.  Having correct time on each of the OpenLDAP Servers reduces contention issues.
  • The mirrormode true directive is required for multi-master settings. It must appear after all the syncrepl directives in the database section. Omitting this directive in any master configuration will cause all updates to fail.

 

Settings for Server 1:

Below is the /usr/local/etc/openldap/slapd.conf file for server ldap1.loga.us:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
 
loglevel 256

# Load dynamic backend modules:

modulepath /usr/local/libexec/openldap
#moduleload back_bdb
moduleload back_mdb
# moduleload back_hdb
# moduleload back_ldap

serverID 001

allow bind_v2

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database mdb 

suffix "dc=loga,dc=us"
rootdn "cn=Manager,dc=loga,dc=us"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret

# For Now Use a Clear Text Password:
rootpw   secret
#rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb 
#password-hash {SSHA}

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.

directory /var/db/openldap-data
maxsize 1073741824

syncrepl rid=000
 provider=ldap://192.168.0.222
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=loga,dc=us"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=Manager,dc=loga,dc=us"
 credentials=secret

# Indices to maintain
index default pres,eq
index uid,memberUid,gidNumber

# Create indexes for attribute cn (commonname) and givenName
# EQUALITY, SUBSTR searches and provides optimization
# for sc=a* type searches
index cn,givenName eq,sub,subinitial

# Create indexes for sn (surname) on
# EQUALITY and SUBSTR searches
index sn eq,sub

# Creates indexes for attribute mail on
# presence, EQUALITY and SUBSTR
index mail pres,eq,sub

# Optimises searches of form objectclass=person
index objectclass eq

# Syncprov indexes
index entryCSN eq
index entryUUID eq
# Mirror mode essential to allow writes 
# and must appear after all syncrepl directives 
mirrormode TRUE 

# Define the provider to use the syncprov overlay 
# (last directives in database section) 
overlay syncprov 

# contextCSN saved to database every 100 updates or 10 mins. 
syncprov-checkpoint 100 10
syncprov-sessionlog 100

 

Settings for Server 2:

Below is the /usr/local/etc/openldap/slapd.conf file for server ldap2.loga.us:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

loglevel 256

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
#moduleload back_bdb
moduleload back_mdb
# moduleload back_hdb
# moduleload back_ldap

serverID 002

allow bind_v2

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# MDB database definitions
#######################################################################

database mdb

suffix "dc=loga,dc=us"
rootdn "cn=Manager,dc=loga,dc=us"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret

# For Now Use a Clear Text Password:
rootpw   secret
#rootpw {SSHA}GgBPwusIQQpVPoT3Ycsalhwocqbfk+Lp
#password-hash {SSHA}

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.

directory /var/db/openldap-data
maxsize 10737441824

syncrepl rid=000
 provider=ldap://192.168.0.220
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=loga,dc=us"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=Manager,dc=loga,dc=us"
 credentials=secret

# Indices to maintain
index default pres,eq
index uid,memberUid,gidNumber

# Create indexes for attribute cn (commonname) and givenName
# EQUALITY, SUBSTR searches and provides optimization
# for sc=a* type searches
index cn,givenName eq,sub,subinitial

# Create indexes for sn (surname) on
# EQUALITY and SUBSTR searches
index sn eq,sub

# Creates indexes for attribute mail on
# presence, EQUALITY and SUBSTR
index mail pres,eq,sub

# Optimises searches of form objectclass=person
index objectclass eq

# Syncprov indexes
index entryCSN eq
index entryUUID eq
# Mirror mode essential to allow writes 
# and must appear after all syncrepl directives 
mirrormode TRUE 

# Define the provider to use the syncprov overlay 
# (last directives in database section) 
overlay syncprov 

# contextCSN saved to database every 100 updates or 10 mins. 
syncprov-checkpoint 100 10 
syncprov-sessionlog 100

 

slapindex:

Note:  Whenever indices are added to slapd.conf, slapd must be stopped and the slapindex command executed before slapd is started again:

# service slapd stop
# slapindex
# service slapd start

 

Summary:

At this point, updating either OpenLDAP Server 1 or Server 2 via phpLDAPadmin or by importing an LDIF file will propagate the changes to the other server.  If this is not the case, please review the log files and the slapd.conf files of each server.
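One way to confirm that the two masters have actually converged, added here as an example and not part of the original post: compare the contextCSN values each server reports for dc=loga,dc=us (a converged pair shows the same CSN for each serverID). It assumes the ldapsearch client and the suffix and provider addresses from the two slapd.conf files above; the LDIF samples are constructed for an offline self-test.

```shell
#!/bin/sh
# Added example (not from the original post): compare the contextCSN values of
# ldap1 and ldap2. Assumes ldapsearch and the settings from the configs above.
BASE="dc=loga,dc=us"
PROVIDERS="ldap://192.168.0.220 ldap://192.168.0.222"

# Print the contextCSN values found in LDIF on stdin, one per line, sorted so
# that two servers' lists compare textually. Each master keeps one contextCSN
# per serverID that has written, so a converged pair shows identical lists.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Return 0 when two newline-separated CSN lists match exactly; otherwise print
# both lists on stderr and return 1.
csn_in_sync() {
    if [ "$1" = "$2" ]; then
        return 0
    fi
    printf 'contextCSN mismatch:\n%s\n--- vs ---\n%s\n' "$1" "$2" >&2
    return 1
}

# Number of serverIDs that contributed a CSN. A node reporting fewer than two
# has never applied a write from its peer (e.g. mirrormode was left out).
csn_count() {
    printf '%s\n' "$1" | grep -c .
}

# Live check: an anonymous base-scope search is enough because the configs
# above define no ACLs, so slapd's default policy lets anyone read.
check_live() {
    set -- $PROVIDERS
    a=$(ldapsearch -LLL -x -H "$1" -s base -b "$BASE" contextCSN | extract_csn)
    b=$(ldapsearch -LLL -x -H "$2" -s base -b "$BASE" contextCSN | extract_csn)
    csn_in_sync "$a" "$b" && echo "replication converged (CSNs: $(csn_count "$a"))"
}

# Constructed sample LDIF, shaped like ldapsearch output, for an offline check.
SAMPLE_LDAP1='dn: dc=loga,dc=us
contextCSN: 20160301120000.000000Z#000000#001#000000
contextCSN: 20160301120500.000000Z#000000#002#000000'
SAMPLE_LDAP2='dn: dc=loga,dc=us
contextCSN: 20160301120500.000000Z#000000#002#000000
contextCSN: 20160301120000.000000Z#000000#001#000000'
SAMPLE_STALE='dn: dc=loga,dc=us
contextCSN: 20160301120000.000000Z#000000#001#000000'
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live on a host that can reach both providers; a mismatch or a count below two on either node is the first thing to look for before reading the slapd logs.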

This article has shown how to configure two OpenLDAP nodes to provide N-Way Multi-Master Replication between each other.

N-Way Multi-Master Replication has many practical uses where simultaneous directory reads occur. The master can easily be failed over to the second node via a load-balancer or DNS when a failure occurs.

In Part IV, a Name Service Switch (NSS) module, nss-pam-ldapd, is used to allow an OpenLDAP Server to provide user account data, host names, groups, etc.

 

Additional Resources:

http://www.openldap.org

http://www.zytrax.com

http://www.tokiwinter.com/openldap-multi-master-replication/

http://www.alwina.org/?p=209
