How to Set Up OpenLDAP Multi Master Replication?

OPENLDAP MULTI-MASTER REPLICATION CONFIGURATION



Before we start our article, let's talk a bit about the requirements.
  • At least two virtual machines with OpenLDAP installed. This article uses Debian 10; it is strongly recommended that all servers run the same distribution.
  • A working, synchronized NTP setup on every virtual machine we will use.

What is LDAP?


Lightweight Directory Access Protocol, or simply LDAP, is an application-layer protocol used for querying and modifying directory services over TCP/IP.

This protocol is used by directory servers such as OpenLDAP, Sun Directory Server, and Microsoft Active Directory. At first glance it is structured similarly to a database, but its fundamental difference from a database is that it is not hierarchical.

LDAP is a message-oriented protocol. This means that the client builds an LDAP message containing a request and sends it to the server; the server processes the request and returns the result to the client as one or more LDAP messages.

Because LDAP is message-based, a client can have several requests in flight at once. For example, a client can run two search operations simultaneously. Handling multiple operations at the same time makes LDAP more flexible and efficient than HTTP and similar protocols, which do not allow this.

What is OpenLDAP?


OpenLDAP is an implementation of LDAP developed by the OpenLDAP Project. It is released under a BSD-style license known as the OpenLDAP Public License and is platform-independent software. Many Linux distributions in use today ship the OpenLDAP software for LDAP support.

What is NTP?


NTP is a hierarchical, redundant time-distribution system. It measures network and host delays and, using these measurements, can synchronize clocks to within milliseconds. NTP is configured in either /etc/ntp.conf or /etc/xntp.conf, depending on the distribution.

A basic ntp.conf lists two server entries. The first is the primary time server; the second is a fallback (the article calls it a dummy address) used if the network fails or the primary NTP server is down or has crashed. When the remote NTP server comes back, the NTP daemon adjusts the system time accordingly. The location of the drift file must also be specified: over time, NTP "learns" the error rate of the system clock, records it there, and corrects for it.



Now we can start the configuration. Before starting, install OpenLDAP on every server.

apt -y install slapd ldap-utils

1. First, we will start with the NTP configuration. All servers must have the same NTP configuration and be synchronized; otherwise replication will not occur.
apt -y install ntp
Now we will configure the NTP servers we have installed to be synchronized with each other. In our article, we will use the Asia NTP servers.
nano /etc/ntp.conf
server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst
After editing the conf file, we save it and restart the NTP service.
/etc/init.d/ntp restart
2. All servers must recognize each other

All the servers we use must recognize each other and communicate smoothly. If available, you can use local DNS. In our example, since we do not own a DNS, we will configure the hosts file.
nano /etc/hosts
10.0.0.1 ldap1.master.com ldap1
10.0.0.2 ldap2.master.com ldap2
It is important to note that every configuration step in this article must be carried out completely on all servers. DO NOT FORGET.
Now verify with ping that the servers reach each other by name.

3. We must edit the slapd default configuration.

In the /etc/default/slapd file, SLAPD_SERVICES must contain an LDAP URL matching each server's own hostname, because slapd matches its listener URLs against the olcServerID list to find its own ID. If you skip this step, you are likely to get a "read_config serverID/URL match found" error.
On ldap1:
nano /etc/default/slapd
SLAPD_SERVICES="ldapi:/// ldap://ldap1.master.com"
On ldap2:
nano /etc/default/slapd
SLAPD_SERVICES="ldapi:/// ldap://ldap2.master.com"
4. Configuring cn=config replication

I strongly recommend that you create a new ldif file at each step. This makes it much easier to work and to see what you did. First, we will load the syncprov module.
nano syncprov.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
We add our configurations to the server with ldapmodify. Remember that you need to perform the same operations on all servers.

Now we need to give each server its own ID. Set the olcServerID value separately on each server: 1 on the first server, 2 on the second, and so on.
nano olcserverID.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1
After this step, if you have not set one, you will need to set the password for the cn=config root DN (cn=admin,cn=config on Debian). Generate the hash with the slappasswd command.
slappasswd
New password:
Re-enter new password:
{SSHA}Sg545Nmjhedxfdd5895fMRD6d4RcLkslkeD8
It is very important that you do this step on all servers. Even if you use the same password, under no circumstances copy the hash; generate it separately on each server. Now add your hash to the configuration. The entry to modify is the config database itself, olcDatabase={0}config; save the following to an ldif file and apply it with ldapmodify -Y EXTERNAL -H ldapi:/// as in the previous steps.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Sg545Nmjhedxfdd5895fMRD6d4RcLkslkeD8

If you did everything correctly, you can now bind to the config database with this password using ldapmodify. With a wrong password you will get an error; with the right one, nothing is printed.


Now we will add the replication configuration for all servers. We will do this with the olcServerID values we defined earlier.

nano olc.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.master.com
olcServerID: 2 ldap://ldap2.master.com
ldapmodify -Y EXTERNAL -H ldapi:/// -f olc.ldif

Now we will add the syncprov configuration to all servers.

nano syncprovconf.ldif
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncprovconf.ldif

The last step is to add the SyncRepl configuration between the servers. The credentials value is the cn=config root password you set above, in plaintext (not the {SSHA} hash); each server acts as a consumer of every provider listed, so the same two lines go on all servers.

nano syncrepl.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.master.com binddn="cn=admin,cn=config" bindmethod=simple credentials=*Your Password* searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap2.master.com binddn="cn=admin,cn=config" bindmethod=simple credentials=*Your Password* searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
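A sanity check on what was just applied, added here and not part of the original article: the script below reads a `slapcat -b cn=config` dump, checks that every olcSyncRepl rid is unique and that each provider URL is one of the olcServerID URLs, and flags that the cn=admin,cn=config password travels with a simple bind over plain ldap:// (which is what this setup does unless you add TLS). The sample dump is constructed, with YourPassword as a placeholder.

```python
import shlex

# Constructed excerpt of `slapcat -b cn=config` on ldap1 after the page's olc.ldif
# and syncrepl.ldif were applied; YourPassword is a placeholder. The second
# olcSyncRepl value is folded the way slapcat wraps long lines.
SAMPLE_CONFIG = """\
dn: cn=config
olcServerID: 1 ldap://ldap1.master.com
olcServerID: 2 ldap://ldap2.master.com

dn: olcDatabase={0}config,cn=config
olcSyncRepl: rid=001 provider=ldap://ldap1.master.com binddn="cn=admin,cn=config" bindmethod=simple credentials=YourPassword searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap2.master.com binddn="cn=admin,cn=config"
  bindmethod=simple credentials=YourPassword searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
"""

def unfold(ldif):
    """Join LDIF continuation lines (they begin with one space) onto the line before."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def parse_syncrepl(value):
    """Split one olcSyncRepl value into a dict; shlex keeps quoted values intact."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(value))

def audit(dump):
    """Return a list of findings for the replication directives in a cn=config dump."""
    urls, repls = set(), []
    for line in unfold(dump):
        attr, _, value = line.partition(":")
        if attr == "olcServerID":
            parts = value.split()
            if len(parts) == 2:          # "1 ldap://host" form, not a bare ID
                urls.add(parts[1])
        elif attr == "olcSyncRepl":
            repls.append(parse_syncrepl(value))
    findings = []
    rids = [r["rid"] for r in repls]
    if len(rids) != len(set(rids)):
        findings.append("duplicate rid: each consumer needs a unique rid")
    for r in repls:
        if r["provider"] not in urls:
            findings.append(f"rid {r['rid']}: provider {r['provider']} is not in the olcServerID list")
        if (r.get("bindmethod") == "simple" and r["provider"].startswith("ldap://")
                and r.get("starttls") not in ("yes", "critical")):
            findings.append(f"rid {r['rid']}: simple-bind password is sent in cleartext (no TLS/StartTLS)")
    return findings
```

Run it against `slapcat -b cn=config` output from each server; an empty list means the rids, providers and transport look consistent.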

If you have completed the configuration accurately and correctly, you can check the connections between the servers with the netstat command. If netstat is not available, install the net-tools package.

apt -y install net-tools
and then run:
netstat -a | egrep ":ldap"
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp 0 0 ldap.master.com:57116 ldap1.master.com:ldap ESTABLISHED
tcp 0 0 ldap.master.com:ldap ldap1.master.com:35382 ESTABLISHED
tcp 0 0 ldap.master.com:57120 ldap1.master.com:ldap ESTABLISHED
tcp 0 0 ldap.master.com:ldap ldap1.master.com:35388 ESTABLISHED
tcp6 0 0 [::]:ldap [::]:* LISTEN
You should receive output similar to the above if there is a connection.


NOTE: this check does not prove that replication is working; it only shows that the servers are talking to each other.

Now we are ready to test whether replication is working. We can do this by adding a dummy olcServerID to the configuration on the first server and then looking for it on the second server with the slapcat command. Create the following ldif file on ldap1 and update the configuration.

nano fake.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.master.com
olcServerID: 2 ldap://ldap2.master.com
olcServerID: 3 ldap://fake.ldap.com
ldapmodify -Y EXTERNAL -H ldapi:/// -f fake.ldif

If replication is working, we will see the fake address on the second server. We run the following command on the ldap2 server and examine the output.

slapcat -b "cn=config" > dump
cat dump | egrep "olcServerID"
olcServerID: 1 ldap://ldap1.master.com
olcServerID: 2 ldap://ldap2.master.com
olcServerID: 3 ldap://fake.ldap.com

If we see the fake address, it means your cn=config configuration is complete. We can move on to the next step, which is the configuration of the other databases.
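The same comparison done programmatically, as an added example that is not from the article: it takes the `slapcat -b cn=config` output of both servers and reports olcServerID values present on only one side, and it also compares the contextCSN values that the syncprov overlay keeps per server ID, which is the usual way to tell whether a consumer has caught up with a provider. The two dumps are constructed and the contextCSN timestamps are made up.

```python
# Constructed `slapcat -b cn=config` excerpts for both servers after fake.ldif was
# applied on ldap1. ldap2 has not received the change yet, so the SID 001 entry
# of its contextCSN is older. The third '#' field of a contextCSN is the SID.
DUMP_LDAP1 = """\
dn: cn=config
olcServerID: 1 ldap://ldap1.master.com
olcServerID: 2 ldap://ldap2.master.com
olcServerID: 3 ldap://fake.ldap.com
contextCSN: 20240601100000.000000Z#000000#001#000000
contextCSN: 20240601095900.000000Z#000000#002#000000
"""

DUMP_LDAP2_LAGGING = """\
dn: cn=config
olcServerID: 1 ldap://ldap1.master.com
olcServerID: 2 ldap://ldap2.master.com
contextCSN: 20240601094500.000000Z#000000#001#000000
contextCSN: 20240601095900.000000Z#000000#002#000000
"""

def attr_values(dump, attr):
    """All values of one attribute in a dump (short, unfolded LDIF lines assumed)."""
    prefix = attr + ":"
    return [l[len(prefix):].strip() for l in dump.splitlines() if l.startswith(prefix)]

def context_csns(dump):
    """Map each SID (third '#' field of a contextCSN) to that server's latest CSN."""
    return {csn.split("#")[2]: csn for csn in attr_values(dump, "contextCSN")}

def compare(dump_a, dump_b):
    """Return the replication differences visible between two cn=config dumps."""
    problems = []
    ids_a = set(attr_values(dump_a, "olcServerID"))
    ids_b = set(attr_values(dump_b, "olcServerID"))
    for only_one_side in sorted(ids_a ^ ids_b):
        problems.append(f"olcServerID only on one side: {only_one_side}")
    csn_a, csn_b = context_csns(dump_a), context_csns(dump_b)
    for sid in sorted(set(csn_a) | set(csn_b)):
        if csn_a.get(sid) != csn_b.get(sid):
            problems.append(f"contextCSN for SID {sid} differs: {csn_a.get(sid)} vs {csn_b.get(sid)}")
    return problems
```

A contextCSN mismatch right after a change is normal; one that persists beyond the retry interval means the consumer is not receiving updates.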

5. Replication of other databases

Since cn=config is now replicated, carrying out the following steps on a single server is enough; the others receive them through replication. Now we will add the syncprov overlay to our MDB database as we did before.

nano mdb.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
ldapmodify -Y EXTERNAL -H ldapi:/// -f mdb.ldif

Now we are adding the syncrepl configuration.

nano syncrepl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldap://ldap1.master.com binddn="cn=admin,dc=master,dc=com" bindmethod=simple credentials=*Your Password* searchbase="dc=master,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=004 provider=ldap://ldap2.master.com binddn="cn=admin,dc=master,dc=com" bindmethod=simple credentials=*Your Password* searchbase="dc=master,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif

Now we are configuring the index for MDB.

nano indexmdb.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
ldapmodify -Y EXTERNAL -H ldapi:/// -f indexmdb.ldif

If all steps have been performed correctly up to this point, you have a multi-master replication running actively on both servers. To test that the MDB database replication works as expected, create an ldif file, add some entries, and check for them on the other server. Note that LDIF requires a blank line between entries.

nano base.ldif
dn: ou=People,dc=master,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=master,dc=com
objectClass: organizationalUnit
ou: Group
ldapadd -x -W -D "cn=admin,dc=master,dc=com" -f base.ldif

Now go to the ldap2 server and run the slapcat command. If you can see the new People and Group entries, replication is complete and working.