Setup OpenLDAP Master-Master Replication on CentOS 8


In this guide, we are going to learn how to set up OpenLDAP Master-Master Replication on CentOS 8. OpenLDAP supports a variety of replication topologies, such as provider-slave and provider-provider. Multi-provider, aka multi-master, replication is therefore a replication technique that uses the LDAP Sync Replication engine (syncrepl) to replicate data among multiple provider ("master") directory servers.

Setup OpenLDAP Master-Master Replication on CentOS 8

In our setup, we are using two OpenLDAP server nodes:

  • Provider Node 01: ldapmaster01.kifarunix-demo.com
  • Provider Node 02: ldapmaster02.kifarunix-demo.com

Our replication involves both OpenLDAP configuration (olcDatabase={0}config,cn=config) and database (olcDatabase={1}mdb,cn=config) replication.

Setup Time Synchronization

Before you can proceed to set up OpenLDAP multi-master replication, ensure that your OpenLDAP servers’ clocks are synchronized; syncrepl relies on timestamps (CSNs) to order changes.

Refer to the link below to set up your NTP server on CentOS 8.

Setup NTP Server using Chrony on CentOS 8

Install and Setup OpenLDAP Server

In our setup, we are going to replicate the entire OpenLDAP configuration and data directories. As such, install and configure one of the provider nodes first. Follow the guide below to install OpenLDAP server on CentOS 8.

Install and Setup OpenLDAP on CentOS 8

Once one of the OpenLDAP nodes is configured, clone it to create a second node with the same configuration state.

If you can’t clone the OpenLDAP node, install and set up the other OpenLDAP node, then back up the configuration and data directories of the already configured node and restore them on the other node. Ensure that all necessary directories, files and permissions are set accordingly.

Enable LDAP Sync Provider (syncprov) Overlay Module

In order to enable LDAP content synchronization (syncrepl replication), you need to enable the syncprov overlay module on all the provider nodes.

To enable the syncprov overlay module, create an LDIF file as shown below and use the ldapmodify or ldapadd command to update the OpenLDAP configuration database.

vim enable-syncprov-module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

Note that this LDIF file assumes that the syncprov.la module is located under the defined modules path, /usr/libexec/openldap. To verify the modules path;

slapcat -n 0 | grep -i modulepath
olcModulePath: /usr/libexec/openldap

Update the OpenLDAP database configuration;

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-syncprov-module.ldif

If you do not want to use an LDIF file, simply execute the ldapadd command as shown below;

ldapadd -Y EXTERNAL -H ldapi:/// -Q

Once the command runs, paste the content below;

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

Press ENTER to apply the modification to the entry in the database.

modifying entry "cn=module{0},cn=config"

After the entry is added, press Ctrl+d to stop the command.

If you are creating a new module entry instead (no cn=module{0} exists yet), use the content below either in an LDIF file or as input to the ldapadd or ldapmodify command.

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/libexec/openldap
olcModuleLoad: syncprov.la

Assign the Server IDs

Each OpenLDAP node needs an ID that uniquely identifies it among the providers. The server ID is specified in the format;

olcServerID: <integer> [<URL>]

Hence, on each node, create the LDIF file below to assign the IDs.

vim assign-server-ID.ldif

On both provider nodes, the LDIF content is the same, since it lists every provider together with its ID and URL;

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldapmaster01.kifarunix-demo.com
olcServerID: 2 ldap://ldapmaster02.kifarunix-demo.com

Update the database configuration.

ldapadd -Y EXTERNAL -H ldapi:/// -f assign-server-ID.ldif

Setup OpenLDAP Master-Master Replication Settings

Once you have enabled the sync provider module and set the provider nodes' IDs, proceed to configure the replication settings.

Enable OpenLDAP Configuration Replication

To enable the replication of OpenLDAP configuration (olcDatabase={0}config,cn=config), create an LDIF file with the content below and update the OpenLDAP database on all provider nodes.

vim syncprov-config-options.ldif
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

Consult man slapo-syncprov for descriptions of the options used above.

Update the OpenLDAP database with the replication options defined above.

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov-config-options.ldif

Next, set the root DN password for the OpenLDAP configuration database on all provider nodes. The replication consumers bind as this RootDN (cn=config), so it needs a password.

In our case, the configuration database has a RootDN but no RootPW set yet, as the query below shows;

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={0}config olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
...

Generate a password hash.

slappasswd
New password: P@ssWord
Re-enter new password: P@ssWord
{SSHA}tq3ZI0S1AyyeiAVuB2JZGfNaQ2RYVtZn

Set the configuration database password, using the hash generated by slappasswd above.

vim rootpwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}h97GS2nwkHFkwMCbhYmeoRqhJ2ROrMLJ

Add the database root password.

ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpwd.ldif

Confirm;

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={0}config olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=config
olcRootPW: {SSHA}6Gdu7FnwaSRYpbCFwMastAyN1CAgHY4n

Next, enable the replication options for the OpenLDAP configuration on all nodes.

vim enable-config-replication.ldif

Be sure to adjust the options used here (provider URLs, credentials) to your environment.

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: 
  rid=001
  provider=ldaps://ldapmaster01.kifarunix-demo.com
  binddn="cn=config"
  bindmethod=simple
  credentials="P@ssWord" 
  searchbase="cn=config"
  type=refreshAndPersist 
  timeout=0 
  network-timeout=0 
  retry="30 5 300 +"
olcSyncRepl: 
  rid=002
  provider=ldaps://ldapmaster02.kifarunix-demo.com
  binddn="cn=config"
  bindmethod=simple
  credentials="P@ssWord" 
  searchbase="cn=config"
  type=refreshAndPersist 
  timeout=0 
  network-timeout=0 
  retry="30 5 300 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE

Update the OpenLDAP database with the replication settings above.

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-config-replication.ldif

Enable OpenLDAP Database Replication

To enable the replication of the OpenLDAP data database (olcDatabase={1}mdb,cn=config), create an LDIF file with the content below. Be sure to make the necessary changes to the defined options.

Note that in our case, the data database already has a RootDN bind user and password set;

ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config  olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootPW: {SSHA}DoFW9xVBNRBy4it31167J82ZJ83Qoj1v
...

If you do not have a RootDN user and password, create one or reset the password before you continue.

Enable sync provider for the OpenLDAP databases on all providers.

vim enable-mdb-syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionlog: 100
ldapadd -Y EXTERNAL -H ldapi:/// -f enable-mdb-syncprov.ldif

Enable the entryCSN and entryUUID indexes: the entryCSN index speeds up the provider's database scans, and the entryUUID index improves the performance of the session log.

vim enable-indexing.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
ldapadd -Y EXTERNAL -H ldapi:/// -f enable-indexing.ldif

Next, define the database replication options on all providers.

vim enable-database-repl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: 
  rid=003 
  provider=ldaps://ldapmaster01.kifarunix-demo.com
  binddn="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" 
  bindmethod=simple
  credentials="P@ssW0rd" 
  searchbase="dc=ldapmaster,dc=kifarunix-demo,dc=com" 
  type=refreshAndPersist 
  timeout=0 
  network-timeout=0 
  retry="30 5 300 +"
olcSyncrepl: 
  rid=004 
  provider=ldaps://ldapmaster02.kifarunix-demo.com
  binddn="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" 
  bindmethod=simple
  credentials="P@ssW0rd" 
  searchbase="dc=ldapmaster,dc=kifarunix-demo,dc=com" 
  type=refreshAndPersist 
  timeout=0 
  network-timeout=0 
  retry="30 5 300 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE

Update the database.

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-database-repl.ldif

Consult man slapd-config for the replication options used in the above LDIF files.

Verifying OpenLDAP Master-Master Replication

The OpenLDAP provider-provider (master-master) replication configuration is now done. To confirm that it works, make a change on one of the providers.

For example, add users, reset a password, or update an ACL. The change should be reflected on the other provider.

For the purposes of demonstration, let us reset the password for the user entry below on Provider 01, ldapmaster01.kifarunix-demo.com.

uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
[root@ldapmaster01 ~]# ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
New password: newpassword
Re-enter new password: newpassword
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Verify the password changes on the Provider 02, ldapmaster02.kifarunix-demo.com.

[root@ldapmaster02 ~]# ldapwhoami -x -h ldapmaster02.kifarunix-demo.com -D "uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W
Enter LDAP Password: newpassword
dn:uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

Similarly, try to reset the user password on Provider 02, ldapmaster02.kifarunix-demo.com.

[root@ldapmaster02 ~]# ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
New password: mypassword
Re-enter new password: mypassword
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Verify on Provider 01;

[root@ldapmaster01 ~]# ldapwhoami -x -h ldapmaster01.kifarunix-demo.com -D "uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W
Enter LDAP Password: mypassword
dn:uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

Great. You have successfully set up OpenLDAP Master-Master (provider-provider) replication on CentOS 8.

That marks the end of our guide on how to install and set up OpenLDAP Master-Master Replication on CentOS 8.
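Beyond the password round-trip above, the usual way to check that the two providers are in sync is to compare the contextCSN values each one publishes on the replicated suffix: a healthy pair carries one contextCSN per olcServerID (the third '#'-separated field of the CSN), and both nodes report identical values for each ID. The script below is an added example, not part of the original guide; it uses the guide's suffix and hostnames and assumes anonymous read access to contextCSN over ldaps.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the contextCSN values
# that each provider publishes on the replicated suffix. In a healthy
# multi-master pair every provider carries one contextCSN per olcServerID
# (the third '#'-separated field) and both nodes agree on each of them.
SUFFIX="dc=ldapmaster,dc=kifarunix-demo,dc=com"      # suffix used in the guide
PROVIDER1="ldaps://ldapmaster01.kifarunix-demo.com"
PROVIDER2="ldaps://ldapmaster02.kifarunix-demo.com"

# Turn raw 'contextCSN: <csn>' lines on stdin into sorted 'SID=<csn>' lines.
# CSN layout: <timestamp>#<count>#<sid>#<mod>.
normalize_csn() {
    sed -n 's/^contextCSN: *//p' | awk -F'#' '{ print $3 "=" $0 }' | sort
}

# Query one provider ($1) for the suffix's contextCSN. Assumes (not verified
# by the guide) that anonymous read access to the attribute is allowed.
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -s base -b "$SUFFIX" contextCSN | normalize_csn
}

# Compare two normalized lists ($1 and $2). Returns 0 when every server ID's
# CSN is identical on both sides; prints each mismatch and returns 1 otherwise.
csn_in_sync() {
    status=0
    for entry in $1; do
        sid=${entry%%=*}
        other=$(printf '%s\n' "$2" | grep "^$sid=" || true)
        if [ "$other" != "$entry" ]; then
            echo "SID $sid differs: $entry vs ${other:-<missing>}"
            status=1
        fi
    done
    for entry in $2; do          # IDs the first provider has never seen
        sid=${entry%%=*}
        printf '%s\n' "$1" | grep -q "^$sid=" || { echo "SID $sid missing on first provider"; status=1; }
    done
    return $status
}

# Live check against both providers (needs network access to them).
check_replication() {
    csn_in_sync "$(fetch_csn "$PROVIDER1")" "$(fetch_csn "$PROVIDER2")"
}

# Offline demo on constructed sample output: provider 2 lags behind on SID 002.
demo_offline() {
    a=$(printf 'contextCSN: 20200324100000.123456Z#000000#001#000000\ncontextCSN: 20200324100500.654321Z#000000#002#000000\n' | normalize_csn)
    b=$(printf 'contextCSN: 20200324100000.123456Z#000000#001#000000\ncontextCSN: 20200324100400.000000Z#000000#002#000000\n' | normalize_csn)
    csn_in_sync "$a" "$b"
}
```

Run check_replication from either node; a non-zero exit with a "SID ... differs" line means one provider has not yet received the other's latest changes.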


3 thoughts on “Setup OpenLDAP Master-Master Replication on CentOS 8”

  1. Hi, Thanks for the guide.
    I’ve implemented based on it but I have an error on my ldap master nodes:
    server 1: slap_client_connect: URI=ldaps://ldapmaster02.kifarunix-demo.com DN=”cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com” ldap_sasl_bind_s failed (-1)
    server2: slap_client_connect: URI=ldaps://ldapmaster02.kifarunix-demo.com DN=”cn=config” ldap_sasl_bind_s failed (-1)

    • Hi, you might need to check if the ports are actually open on each node, check if the SSL cert is generated correctly with the same CN, and most likely the replication password.