LDAP replication with OpenLDAP 2.3 and Centos/RHEL 5

OpenLDAP version 2.3 comes with the new LDAP Content Synchronization protocol, which is described in RFC 4533 and is generally known as syncrepl. The older slurpd approach is obsolete and is no longer supported as of OpenLDAP 2.4.

Although syncrepl supports both master-slave and multi-master replication, OpenLDAP version 2.3, the version shipped with RHEL 5, only supports master-slave.

The syncrepl documentation can be found in the OpenLDAP Administrator's Guide, and as you can see there, setting up a functional LDAP master-slave replication is not difficult. There are only two syncrepl parameters for the master:

  • contextCSN checkpoint interval: syncprov-checkpoint <ops> <minutes>
    Checkpoints are only tested after successful write operations. If <ops> write operations have been performed or more than <minutes> minutes have passed since the last checkpoint, a new checkpoint is performed.
  • session log configuration: syncprov-sessionlog <size>
    <size> is the maximum number of session log entries the session log can record. When a session log is configured, it is automatically used for all LDAP Sync searches within the database.

You also need to configure the syncprov overlay to make the replication work (the overlay syncprov line must be the last line in the database configuration section).

The sizelimit directive on the LDAP master is very important for replication. It is set to 500 by default and specifies the maximum number of entries to return from a search operation. Once your directory holds more entries than that and you start a new LDAP slave that is supposed to fetch all data from the master, the slave will fetch just the first 500 entries, and you will spend a long time finding out why the slave does not work as expected.

This is the working configuration of slapd.conf on master LDAP server:

sizelimit       100000
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
rootpw          rootpasswd
directory       /srv/ldap
loglevel        256

# allows read access from the slave LDAP server
access to * by dn.base="cn=ldap_slave,ou=users,dc=example,dc=com" read

# define the provider to use the syncprov overlay
# (last directives in the database section)
overlay syncprov
# saves contextCSN to the database every 100 updates or every ten minutes
syncprov-checkpoint 100 10
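As an added example (this is not code from the original post), here is a small POSIX shell script that checks a master slapd.conf for the two pitfalls described above: a sizelimit lower than the number of entries a new slave has to fetch during its initial refresh, and an overlay syncprov line that is not the last directive of its database section. The slapd.conf path and the entry count are supplied by the caller; the slapcat pipeline in the comment is one way to obtain the count on the master and is an assumption about your setup, as is the /etc/openldap/slapd.conf path.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for a master
# slapd.conf before a new slave performs its initial refresh.
#
# Run on the master, for example:
#   entries=$(slapcat | grep -c '^dn:')            # one "dn:" line per entry
#   check_master_conf /etc/openldap/slapd.conf "$entries"

# Print the effective sizelimit of a slapd.conf: the configured numeric value,
# or OpenLDAP's default of 500 when the directive is absent.
effective_sizelimit() {
    awk '
        /^[ \t]*sizelimit[ \t]+[0-9]+/ { limit = $2 }
        END { if (limit == "") limit = 500; print limit }
    ' "$1"
}

# Succeed (exit 0) when the sizelimit is at least the entry count, so the
# slave's initial search is not cut off. $1 = slapd.conf, $2 = entry count.
sizelimit_covers_entries() {
    [ "$2" -le "$(effective_sizelimit "$1")" ]
}

# Succeed when, inside each database section, nothing but syncprov-* options
# follows the "overlay syncprov" line. Comments and blank lines are ignored.
syncprov_is_last() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/          { next }
        /^[ \t]*database[ \t]/            { after = 0; next }
        after && !/^[ \t]*syncprov-/      { bad = 1 }
        /^[ \t]*overlay[ \t]+syncprov/    { after = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Run both checks and print a one-line verdict for each; non-zero exit status
# when any check fails.
check_master_conf() {
    conf=$1; entries=$2; status=0
    if sizelimit_covers_entries "$conf" "$entries"; then
        echo "ok: sizelimit $(effective_sizelimit "$conf") covers $entries entries"
    else
        echo "FAIL: sizelimit $(effective_sizelimit "$conf") is below $entries entries; raise it"
        status=1
    fi
    if syncprov_is_last "$conf"; then
        echo "ok: overlay syncprov is last in its database section"
    else
        echo "FAIL: directives follow 'overlay syncprov' in a database section"
        status=1
    fi
    return $status
}
```

Leave plenty of headroom when you set sizelimit: the check only tells you whether today's entry count fits, and the directory will keep growing after the slave is up.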

There is a simple syncrepl directive with a few parameters that configures the whole LDAP slave replication. Worth mentioning is the type parameter, which defines whether the slave fetches the data from the master at the beginning and then keeps a persistent connection to the master so that database updates are applied immediately (refreshAndPersist), or whether it fetches the data from the master and the next synchronization searches are periodically rescheduled at the given interval (refreshOnly).

The updateref directive is only applicable in a slave slapd and specifies the URL to return to clients that submit update requests to the replica. As the slave cannot write to its database, we redirect such clients to the LDAP master server.

For complete documentation of the syncrepl parameters, check the official documentation.

This is the working configuration on slave LDAP server:

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=root,dc=example,dc=com"
rootpw          rootpasswd
directory       /srv/ldap
loglevel        256

# continuation lines of a slapd.conf directive must start with whitespace
syncrepl rid=000
        provider=ldap://master.example.com
        type=refreshAndPersist
        retry="5 5 300 +"
        searchbase="dc=example,dc=com"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=ldap_slave,ou=users,dc=example,dc=com"
        credentials=secretpassword

updateref ldap://master.example.com
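Once both servers are running, the quickest way to tell whether the slave has actually caught up is to compare the contextCSN of the suffix entry on the master and on the slave: syncprov maintains it on the master and syncrepl copies it to the slave, so equal values mean the slave has applied every change the master has checkpointed. The following POSIX shell script is an added example, not code from the original post. The host name master.example.com, base DN and bind DN are the ones from the configuration above; the slave host name slave.example.com, the password file path and the sample contextCSN values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: report whether a slave is in
# sync with its master by comparing the contextCSN of the suffix entry.
# Sample CSN values used in comments are constructed in the OpenLDAP 2.3
# style, e.g. 20100114120000Z#000000#00#000000.

# Read LDIF (ldapsearch output) on stdin and print the first contextCSN value.
# Prints nothing when the attribute is absent.
context_csn() {
    sed -n 's/^contextCSN: *//p' | head -n 1
}

# Compare two CSNs ($1 = master, $2 = slave). A CSN begins with a UTC
# timestamp, so string order is time order. Exit 0: in sync, 1: slave behind
# the master, 2: slave ahead (should never happen with a single master).
csn_state() {
    if [ "$2" = "$1" ]; then
        return 0
    elif awk -v m="$1" -v s="$2" 'BEGIN { if (s < m) exit 0; exit 1 }'; then
        return 1
    else
        return 2
    fi
}

# Take the master's and the slave's LDIF output as arguments, print a verdict
# and exit with the csn_state code, or 3 when a contextCSN is missing.
replica_state() {
    m=$(printf '%s\n' "$1" | context_csn)
    s=$(printf '%s\n' "$2" | context_csn)
    if [ -z "$m" ]; then
        echo "master has no contextCSN: is 'overlay syncprov' configured?" >&2
        return 3
    fi
    if [ -z "$s" ]; then
        echo "slave has no contextCSN: initial refresh has not completed" >&2
        return 3
    fi
    if csn_state "$m" "$s"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "in sync: $m" ;;
        1) echo "slave behind: master=$m slave=$s" ;;
        2) echo "slave AHEAD of master (unexpected): master=$m slave=$s" ;;
    esac
    return $rc
}

# Live check (not invoked automatically). The master's ACL only grants read
# access to the slave's bind DN, so we bind as that DN there, with the password
# taken from a file so it does not appear in the process list. The slave
# configuration above has no access directives, so its default read access
# allows an anonymous query. Assumed: slave host name and password file path.
live_check() {
    pwfile=${1:-/etc/openldap/ldap_slave.pw}
    base="dc=example,dc=com"
    binddn="cn=ldap_slave,ou=users,dc=example,dc=com"
    m=$(ldapsearch -x -LLL -H ldap://master.example.com -D "$binddn" -y "$pwfile" \
            -b "$base" -s base contextCSN)
    s=$(ldapsearch -x -LLL -H ldap://slave.example.com \
            -b "$base" -s base contextCSN)
    replica_state "$m" "$s"
}
```

With refreshAndPersist the two values should match within seconds of a write on the master; a slave that stays behind, or that never gets a contextCSN at all, is the symptom you see when the initial refresh was cut off by the master's sizelimit.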
