Duplicate and balance LDAP

Set up replicated servers

Replicated OpenLDAP servers improve the failover behaviour of the LDAP service and can be load-balanced to cope with heavy workloads. There are two methods to set up replication for LDAP. One is a push-based program named slurpd, which records all the changes made to a master LDAP server and sends them to all the slave LDAP servers. The other, newer one is syncrepl, which automatically synchronizes the slave server to the master server regardless of the state the slave server is in. The slurpd method is simple, stable and works for new and old versions of OpenLDAP, but it is not as flexible as syncrepl, since it requires the two servers to be in the same state before replication starts. In this section, both methods of replication are presented.

Method 1, slurpd

slurpd works by recording the changes made to the master LDAP directory in LDIF format and pushing those changes to the slave LDAP server. Since only the changes are recorded and pushed, the slave LDAP server must hold the same directory contents and configuration before slurpd is put in place.

1. Export all the data from the master database. Since the database is very simple at the moment, the command

ldapsearch -x -LLL -b "dc=blueprint,dc=org" -D "cn=Manager,dc=blueprint,dc=org" -W > database.ldif

is able to export all the data in the database (-LLL keeps the search-result trailer out of the file, so it can be re-imported with ldapadd as it is). If the data are more complicated, the slapcat command may be a better way.
2. Stop the master OpenLDAP server with

service ldap stop
 
3. Set up a new LDAP server with exactly the same configuration as the master server by copying its /etc/openldap/slapd.conf file.
 
4. Import the database.ldif file into the slave server with

ldapadd -x -D "cn=Manager,dc=blueprint,dc=org" -W -f database.ldif

5. Add the following lines to the /etc/openldap/slapd.conf of the master server:

replogfile /var/lib/ldap/replog
replica uri=ldap://brass.blueprint.org
           binddn="cn=Manager,dc=blueprint,dc=org"
           bindmethod=simple
           credentials=testing

The replogfile directive specifies where the log of changes that still need to be pushed is written.
The uri is the address of the slave server, and credentials is the password of the manager of the slave server. If a more secure method is needed, SASL can be used to authenticate the user.
 
6. Add the following lines to the /etc/openldap/slapd.conf of the slave server:

updatedn "cn=Manager,dc=blueprint,dc=org"
updateref ldap://sophia.blueprint.org
 
7. After this, restart the slave server and then start the master server. If everything works, slurpd starts automatically together with slapd and sends every change made on the master server to the slave as soon as it happens. The command slurpd -d 65535 can be used for debugging.
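Because slurpd only ships the changes recorded after it starts, the one check worth running before step 7 is that the slave really holds the same directory as the master. The following script is an added example (not part of the original page or of OpenLDAP): it parses two LDIF dumps, such as the database.ldif produced in step 1 and a fresh export from the slave, and reports entries that are missing on either side or differ in attribute values. The LDIF text embedded in it is constructed sample data for the dc=blueprint,dc=org tree used on this page.

```python
"""Check that a slave holds the same directory as the master before enabling slurpd.

Added example, not part of the original page or of OpenLDAP. Compares two LDIF
dumps (ldapsearch -LLL or slapcat output) and reports entries missing on either
side or differing in attribute values. The LDIF below is constructed sample data.
"""
import base64
import re

# Operational attributes written by slapcat that legitimately differ between
# two servers holding the same content; they are ignored in the comparison.
IGNORED_ATTRS = {"entrycsn", "entryuuid", "contextcsn", "createtimestamp",
                 "modifytimestamp", "creatorsname", "modifiersname"}


def normalize_dn(dn):
    """Lower-case the DN and drop spaces after RDN separators (simple DNs only)."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Return {dn: {attr: set(values)}} for every entry in an LDIF dump."""
    # Unfold: a line beginning with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current and "dn" in current:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        key = key.strip().lower()
        if current is None:
            current = {"attrs": {}}
        if key == "dn":
            current["dn"] = normalize_dn(value)
        elif key not in IGNORED_ATTRS:
            current["attrs"].setdefault(key, set()).add(value)
    return entries


def compare_dumps(master_ldif, slave_ldif):
    """Report everything that would make slurpd's incremental push diverge."""
    master, slave = parse_ldif(master_ldif), parse_ldif(slave_ldif)
    report = {"missing_on_slave": sorted(set(master) - set(slave)),
              "extra_on_slave": sorted(set(slave) - set(master)),
              "differing": {}}
    for dn in set(master) & set(slave):
        m, s = master[dn], slave[dn]
        diffs = {a: (sorted(m.get(a, ())), sorted(s.get(a, ())))
                 for a in set(m) | set(s) if m.get(a) != s.get(a)}
        if diffs:
            report["differing"][dn] = diffs
    report["in_sync"] = not (report["missing_on_slave"] or report["extra_on_slave"]
                             or report["differing"])
    return report


# Constructed sample dumps: the slave is missing one user and has an edited "o".
MASTER_LDIF = """\
dn: dc=blueprint,dc=org
objectClass: dcObject
objectClass: organization
dc: blueprint
o: Blueprint

dn: cn=Manager, dc=blueprint,dc=org
objectClass: organizationalRole
cn: Manager

dn: uid=alice,ou=People,dc=blueprint,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@blueprint.o
 rg
description:: QWRkZWQgZm9yIHRoZSBleGFtcGxl
"""

SLAVE_LDIF = """\
dn: dc=blueprint,dc=org
objectClass: dcObject
objectClass: organization
dc: blueprint
o: Blueprint Inc

dn: cn=Manager,dc=blueprint,dc=org
objectClass: organizationalRole
cn: Manager
"""

if __name__ == "__main__":
    for key, value in compare_dumps(MASTER_LDIF, SLAVE_LDIF).items():
        print(key, value)
```

Run it against real exports by replacing the two constants with the contents of the master dump and of a slave export; anything other than in_sync True means step 4 has to be repeated before slurpd is enabled.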

Method 2, syncrepl

syncrepl is the newer tool for synchronizing OpenLDAP servers. Its main advantage is that it does not require the directory on the slave server to be in the same state as the master server before synchronization starts, i.e. syncrepl can synchronize the slave server from scratch. This makes it a more robust method of replication.

On the master server, add the following lines below the backend definition (database bdb), and add entryUUID and entryCSN to the indexed attributes:

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

On the slave (consumer) server (the continuation lines of the syncrepl directive must start with whitespace):

syncrepl rid=123
        provider=ldap://sophia.blueprint.org:389
        type=refreshAndPersist
        interval=01:00:00:00
        searchbase="dc=blueprint,dc=org"
        filter="(objectClass=*)"
        attrs="*"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=Manager,dc=blueprint,dc=org"
        credentials=secret
        starttls=yes
updateref ldap://sophia.blueprint.org
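Once the consumer is running, two things are worth checking: whether it has caught up with the provider (the contextCSN attribute on the suffix entry of both servers is the standard indicator) and whether the consumer stanza protects the bind password. The script below is an added example, not part of the original page or of OpenLDAP. All of its inputs are constructed: the stanza mirrors the configuration above, the ldapsearch output is shaped like `ldapsearch -LLL -b dc=blueprint,dc=org -s base contextCSN`, and serverID 001 is a hypothetical second provider included only to show the case where the consumer has not received anything from a provider yet.

```python
"""Health and hardening checks for a syncrepl consumer.

Added example, not part of the original page or of OpenLDAP. Compares
contextCSN values from provider and consumer and lints the consumer's
syncrepl stanza. All inputs below are constructed sample data.
"""
import re
import shlex
from datetime import datetime, timezone

# contextCSN layout: <timestamp>.<usec>Z#<count>#<serverID>#<mod-number>
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)


def parse_csn(csn):
    """Return (serverID, datetime) for one contextCSN value."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S%f")
    return m.group(4), stamp.replace(tzinfo=timezone.utc)


def context_csns(ldif_text):
    """Collect {serverID: datetime} from the ldapsearch output for the suffix entry."""
    result = {}
    for line in ldif_text.splitlines():
        if line.lower().startswith("contextcsn:"):
            sid, when = parse_csn(line.split(":", 1)[1])
            result[sid] = when
    return result


def replication_lag(provider_ldif, consumer_ldif):
    """Seconds the consumer trails the provider, per serverID.

    None means the consumer has no CSN for that serverID at all, i.e. it has
    not yet received anything from that provider."""
    prov, cons = context_csns(provider_ldif), context_csns(consumer_ldif)
    return {sid: (prov[sid] - cons[sid]).total_seconds() if sid in cons else None
            for sid in prov}


def parse_syncrepl(stanza):
    """Turn the multi-line 'syncrepl rid=... key=value ...' directive into a dict."""
    body = stanza.strip()
    if not body.startswith("syncrepl"):
        raise ValueError("not a syncrepl directive")
    settings = {}
    for token in shlex.split(body[len("syncrepl"):]):   # handles the quoted values
        key, _, value = token.partition("=")
        settings[key.lower()] = value
    return settings


def lint_syncrepl(stanza):
    """Return a list of findings about the consumer stanza (empty when clean)."""
    s = parse_syncrepl(stanza)
    findings = []
    # starttls=yes continues without TLS if StartTLS fails; only critical aborts.
    if s.get("bindmethod", "simple") == "simple" and s.get("starttls") != "critical":
        findings.append("bindmethod=simple without starttls=critical: the bind "
                        "password is sent in the clear if StartTLS fails")
    if s.get("type") == "refreshAndPersist" and "interval" in s:
        findings.append("interval= only applies to refreshOnly and is ignored here")
    return findings


# Constructed sample data.
CONSUMER_STANZA = """syncrepl rid=123
        provider=ldap://sophia.blueprint.org:389
        type=refreshAndPersist
        interval=01:00:00:00
        searchbase="dc=blueprint,dc=org"
        filter="(objectClass=*)"
        attrs="*"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=Manager,dc=blueprint,dc=org"
        credentials=secret
        starttls=yes
"""

PROVIDER_OUT = """dn: dc=blueprint,dc=org
contextCSN: 20240115103000.123456Z#000000#000#000000
contextCSN: 20240115102000.000000Z#000000#001#000000
"""

CONSUMER_OUT = """dn: dc=blueprint,dc=org
contextCSN: 20240115102955.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    print("lag per serverID:", replication_lag(PROVIDER_OUT, CONSUMER_OUT))
    for finding in lint_syncrepl(CONSUMER_STANZA):
        print("finding:", finding)
```

With the page's stanza the linter reports two findings; changing starttls=yes to starttls=critical (and dropping the unused interval) clears both. A lag that keeps growing, or a serverID that stays at None, means the consumer is not receiving the provider's changes and the provider URL, bind credentials and the entryCSN/entryUUID indexes on the master are the first things to recheck.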