Since all LDAP clients depend on the LDAP server, it is very important that the server is available at all times to serve client requests. In such an environment it is standard practice to add a backup LDAP server to the setup, so that the directory stays available even if the primary server becomes unresponsive. This is done through LDAP replication.
Replication is achieved via the Syncrepl engine, which synchronizes changes using a Consumer-Provider model: our current LDAP server is the Provider and the new LDAP server that keeps the replica is the Consumer. In this tutorial replication is driven by the Provider (the current LDAP server), which pushes changed entries to the Consumer as soon as they are made; only the actual changes are sent, not the entire entries.
Here I'm assuming that my LDAP server (ldapserver.int.sages.com) is already set up following https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralization-on-ubuntu-12-04-lts-part-1 . Note that ldapserver.int.sages.com is our Provider now.
So let us see the steps to set up the LDAP backup server.
Provider configuration
Login to the LDAP Provider as root:
root@ldapserver:]#
Create an LDIF file with the following contents and name it provider_sync.ldif:
root@ldapserver:]# vi provider_sync.ldif
===============================================
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=int,dc=sages,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
===============================================
Change the olcRootDN attribute in the LDIF file to match the one you have for your directory.
The AppArmor profile /etc/apparmor.d/local/usr.sbin.slapd for slapd needs to be adjusted so that slapd may access the accesslog database location. You can read about AppArmor at http://en.wikipedia.org/wiki/AppArmor.
If that file exists on your system, edit /etc/apparmor.d/local/usr.sbin.slapd and add the following:
root@ldapserver:]# vi /etc/apparmor.d/local/usr.sbin.slapd
===============================================
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,
===============================================
Now create the accesslog directory and copy the database config file into it, both owned by the openldap user:
root@ldapserver:]# sudo -u openldap mkdir /var/lib/ldap/accesslog
root@ldapserver:]# sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog
Now reload the AppArmor profile:
root@ldapserver:]# /etc/init.d/apparmor reload
Now that AppArmor permits the new database location, add the contents of provider_sync.ldif to the configuration database:
root@ldapserver:]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
Restart the slapd service:
root@ldapserver:]# /etc/init.d/slapd restart
The Provider is now configured, so let's proceed to the Consumer configuration.
Consumer Configuration
Install Ubuntu 12.04 Server edition on a new machine; this will be our LDAP replication server, the Consumer. I've configured the LDAP replication server with the hostname ldapreplserver.int.sages.com.
Follow https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralization-on-ubuntu-12-04-lts-part-1 and do all the steps for LDAP SERVER CONFIGURATION on the new machine. Make sure that the slapd-config database is identical to the Provider's. In particular, make sure the schemas and the database suffix are the same.
Once you have finished those steps, the new machine (Consumer) will have the same base tree as the Provider.
Create an LDIF file with the following contents and name it consumer_sync.ldif:
root@ldapreplserver:]# vi consumer_sync.ldif
===============================================
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldapserver.int.sages.com bindmethod=simple binddn="cn=admin,dc=int,dc=sages,dc=com" credentials=sages123 searchbase="dc=int,dc=sages,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://ldapserver.int.sages.com
===============================================
Make sure the following attributes have the correct values:
• provider (the Provider server's hostname, ldapserver.int.sages.com in this example, or its IP address)
• binddn (the admin DN you're using)
• credentials (the password of that admin DN)
• searchbase (the database suffix you're using)
• olcUpdateRef (the Provider server's hostname or IP address)
• rid (Replica ID, a unique 3-digit number that identifies the replica; each consumer should have at least one rid)
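As an added example (not part of the original tutorial), the following Python script applies the checklist above to an olcSyncRepl value before it is loaded into cn=config. It splits the value with shlex so that quoted parameters such as searchbase and retry stay intact, verifies rid, provider, searchbase and the other required keywords, and flags a plain ldap:// provider URI, because the bind password (sages123 in this tutorial) would then travel over the network in clear. The sample values are constructed from this tutorial's consumer_sync.ldif; the second one deliberately omits the closing quote after binddn to show that the check catches it. The starttls=critical hint refers to the syncrepl keyword documented in slapd-config(5).

```python
import shlex

# Keywords every olcSyncRepl value in this setup must carry (the checklist above).
REQUIRED = ("rid", "provider", "bindmethod", "binddn", "credentials", "searchbase")

# Constructed from the tutorial's consumer_sync.ldif, with ASCII quotes and all of them closed.
GOOD = ('rid=0 provider=ldap://ldapserver.int.sages.com bindmethod=simple '
        'binddn="cn=admin,dc=int,dc=sages,dc=com" credentials=sages123 '
        'searchbase="dc=int,dc=sages,dc=com" logbase="cn=accesslog" '
        'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" '
        'schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog')

# The same value with the closing quote after the binddn left out (constructed failure case).
UNTERMINATED = GOOD.replace('binddn="cn=admin,dc=int,dc=sages,dc=com"',
                            'binddn="cn=admin,dc=int,dc=sages,dc=com')


def parse_syncrepl(value):
    """Split an olcSyncRepl attribute value into a dict of keyword -> value.

    shlex honours double quotes, so searchbase="dc=int,dc=sages,dc=com" and
    retry="60 +" stay single tokens; an unclosed quote raises ValueError.
    """
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"expected keyword=value, got {token!r}")
        params[key] = val
    return params


def check_syncrepl(value, provider_host, suffix):
    """Return a list of problems found in the olcSyncRepl value; an empty list means it passed."""
    try:
        params = parse_syncrepl(value)
    except ValueError as exc:
        return [f"unparseable: {exc}"]

    issues = [f"missing {key}" for key in REQUIRED if key not in params]

    # rid is a replica id in the range 0..999 (3 digits).
    rid = params.get("rid", "")
    if rid and not (rid.isdigit() and 0 <= int(rid) <= 999):
        issues.append(f"rid must be a number from 0 to 999, got {rid!r}")

    # provider must be an LDAP URI pointing at the Provider host.
    provider = params.get("provider", "")
    scheme, _, host = provider.partition("://")
    if scheme not in ("ldap", "ldaps"):
        issues.append(f"provider must be an ldap:// or ldaps:// URI, got {provider!r}")
    elif host.split(":")[0] != provider_host:
        issues.append(f"provider host {host!r} is not the Provider {provider_host!r}")

    # searchbase must equal the suffix of the replicated database.
    if params.get("searchbase") != suffix:
        issues.append(f"searchbase {params.get('searchbase')!r} does not match suffix {suffix!r}")

    # The bind password already sits in cn=config in clear; keep it off the wire in clear too.
    if scheme == "ldap" and "starttls" not in params:
        issues.append("credentials would be sent in clear over ldap://; use ldaps:// or starttls=critical")

    return issues


if __name__ == "__main__":
    for label, value in (("good", GOOD), ("unterminated", UNTERMINATED)):
        print(label, check_syncrepl(value, "ldapserver.int.sages.com", "dc=int,dc=sages,dc=com"))
```

Run it against the value you are about to put in consumer_sync.ldif; the only finding for the tutorial's value should be the clear-text transport warning, which disappears once the provider URI is switched to ldaps:// (or starttls is added).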
Add the new content to the LDAP tree:
root@ldapreplserver:]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif
You’re done. The two databases (suffix: dc=int,dc=sages,dc=com) should now be synchronizing.
Testing
Once replication starts, you can monitor it by running the following on both the Provider and the Consumer:
root@ldapserver:]# ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -b dc=int,dc=sages,dc=com -s base contextCSN
You will see output similar to the one given below on both machines:
===============================================
dn: dc=int,dc=sages,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000
===============================================
Once the contextCSN values (20120201193408.178454Z#000000#000#000000 in the example above) match on both machines, replication is working. Every time a change is made on the Provider this value changes, and so should the one on the Consumer.
If your connection is slow or your LDAP database is very large, it might take a while for the Consumer's contextCSN to match the Provider's. You will know it is progressing, though, because the Consumer's contextCSN will be steadily increasing.
If the Consumer's contextCSN is missing or does not match the Provider's, there is no replication and you should stop and find the cause before continuing. Check slapd's output in syslog and the auth log on the Provider to see whether the Consumer's bind requests succeeded and whether its requests to retrieve data returned errors.
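As an added example (not the tutorial's own code), the following Python script compares the contextCSN values of the Provider and the Consumer as described above. It parses the LDIF output of the ldapsearch command, splits each CSN into its timestamp, change count, server ID and modifier number, and reports whether the Consumer is in sync, behind (with the lag in seconds), missing a CSN, or ahead of the Provider. The two outputs below are constructed samples; in practice you would paste in what ldapsearch printed on each host.

```python
from datetime import datetime, timezone

# Constructed sample output of
#   ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -b dc=int,dc=sages,dc=com -s base contextCSN
# on each host; the Consumer's value is made up to be about 12 seconds behind.
PROVIDER_OUT = """dn: dc=int,dc=sages,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000
"""
CONSUMER_OUT = """dn: dc=int,dc=sages,dc=com
contextCSN: 20120201193355.902113Z#000000#000#000000
"""


def parse_csns(ldif_text):
    """Return {server_id: (timestamp, change_count, modifier)} from contextCSN lines.

    A CSN looks like YYYYmmddHHMMSS.ffffffZ#count#sid#mod; count and mod are hex.
    A database with several providers carries one contextCSN per server ID.
    """
    csns = {}
    for line in ldif_text.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        value = line.split(":", 1)[1].strip()
        stamp, count, sid, mod = value.split("#")
        when = datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
        csns[sid] = (when, int(count, 16), int(mod, 16))
    return csns


def replication_status(provider_out, consumer_out):
    """Compare CSNs per server ID; return the replication state and the lag in seconds."""
    provider = parse_csns(provider_out)
    consumer = parse_csns(consumer_out)
    if not consumer:
        return {"state": "no-replication", "lag": None}

    lag = 0.0
    for sid, p_csn in provider.items():
        c_csn = consumer.get(sid)
        if c_csn is None:
            return {"state": "no-replication", "lag": None}
        if c_csn < p_csn:
            # Tuple comparison orders by timestamp first, then count, then modifier.
            lag = max(lag, (p_csn[0] - c_csn[0]).total_seconds())
        elif c_csn > p_csn:
            return {"state": "consumer-ahead", "lag": None}
    return {"state": "in-sync" if lag == 0 else "behind", "lag": lag}


if __name__ == "__main__":
    print(replication_status(PROVIDER_OUT, CONSUMER_OUT))
```

A "behind" result with a lag that shrinks between runs is the normal picture while a large database catches up; "no-replication" or "consumer-ahead" is the point at which to stop and look at the Provider's logs.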
To test that it worked, query the DNs in the database on the Consumer:
root@ldapreplserver:]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=int,dc=sages,dc=com dn
You should see the user 'testuser' and the group 'testgroup', as well as the nodes 'People' and 'Groups', which we created in https://www.supportsages.com/2012/06/ldap-configuration-for-user-and-group-centralization-on-ubuntu-12-04-lts-part-1.