LDAP replication needs at least two OpenLDAP servers, one Master and one Slave, so that when an entry is changed on the Master the change is automatically pushed to the Slave.
This is handy for distributing load between the two servers: point one set of programs at one server and a different set at the other. Only the Master accepts writes; a client that tries to write to the Slave is answered with a referral back to the Master (see updateref below).
* This how-to assumes OpenLDAP is already installed, configured and populated with entries; only replication is covered here. It uses slurpd-style replication (replogfile/replica on the Master, updatedn/updateref on the Slave), which exists in OpenLDAP 2.3 and earlier; OpenLDAP 2.4 removed slurpd in favour of syncrepl.
1. Setting up the Master LDAP
On the Master LDAP server, edit /etc/openldap/slapd.conf and add/edit these lines
A. Access permissions for the LDAP base distinguished name: entries may write to themselves, authenticated users may read, and anonymous clients may only authenticate. These lines ship commented out in the stock slapd.conf; remove the leading # so they take effect, and keep the leading whitespace on the "by" lines, because slapd.conf treats a line that starts with whitespace as a continuation of the previous directive.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
B. Configure the replication log file; slapd appends every write to it and slurpd reads it to push the changes to the Slave
# The replication log file
replogfile /var/lib/ldap/openldap-master-replog
C. Tell the Master about its replica. The bind method is simple and the credentials are those of the Slave's rootdn (its rootdn/rootpw), since the rootdn bypasses the Slave's ACLs for the replicated writes. The binddn here must be exactly the updatedn configured on the Slave in step 2, and the continuation lines must start with whitespace.
# Replicas of this database
replica host=X.X.X.X:389
        bindmethod=simple
        binddn="dc=somedomain,dc=com"
        credentials=somepassword
* X.X.X.X is the IP address of the Slave LDAP server
* credentials is a plaintext password, so slapd.conf must be readable only by the account slapd and slurpd run as (mode 600). With bindmethod=simple over plain LDAP the password also crosses the network in the clear on every push; add starttls=yes to the replica line if the Slave offers TLS, or keep the replication traffic on a trusted network.
2. Setting up the Slave LDAP
Edit /etc/openldap/slapd.conf on the Slave LDAP server and add/edit the following
A. Access permissions analogous to the Master setup (the "by" lines are continuation lines and must start with whitespace)
access to *
        by self write
        by users read
        by anonymous auth
B. Tell the Slave which DN is allowed to push replicated updates, and where to refer clients that try to write directly
# LDAP slave
updatedn dc=somedomain,dc=com
updateref ldap://Y.Y.Y.Y
* Y.Y.Y.Y is the IP address of the Master LDAP server
* updatedn must match the binddn in the Master's replica stanza, and the Slave's rootdn/rootpw must be that DN and the password given as credentials on the Master (otherwise the DN must be granted write access by an ACL). Every client write sent to the Slave is answered with a referral to updateref, so only the Master's copy is ever modified directly.
After configuring this, stop both LDAP servers and copy the Master's data into the Slave.
Both LDAP servers must hold identical data before replication starts, because slurpd only pushes changes made after that point. Refer How-to on copying the data from master to slave (slapcat on the Master to an LDIF file, then slapadd of that file on the Slave, with slapd stopped on both).
After successfully loading the Master data into the Slave, start LDAP on both servers using
# /sbin/service ldap start
Check that slurpd is running on the Master (ps ax | grep slurpd); the Red Hat service script starts it alongside slapd when slapd.conf has replication configured, and no changes are pushed without it.
You can see replications being pushed to the Slave from the entries in /var/lib/ldap/openldap-master-replog; slurpd copies each batch into its own private replog under /var/lib/ldap/replica and truncates the master file once the changes have been delivered. To confirm end to end, modify an entry on the Master with ldapmodify and then ldapsearch for it on the Slave; a change the Slave rejects is written by slurpd to a hostname:port.rej file in /var/lib/ldap/replica, so an empty replog plus a missing entry on the Slave means you should look there.
NOTE: /var/lib/ldap/openldap-master-replog and /var/lib/ldap/replica should be owned by user root and group ldap and be writable by both (permission 660). The replog carries the full contents of every modification, including userPassword values, so it must not be world readable.
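The pairing rules above (the Master's binddn must equal the Slave's updatedn, credentials and updateref must be present, and the file holding the plaintext bind password must not be group or world readable) are easy to get wrong by hand across two machines. The POSIX shell script below is an added example, not part of this how-to or of OpenLDAP, that parses a Master and a Slave slapd.conf and reports each violation. The sample configs it writes are constructed for the demo: 192.0.2.x addresses and the placeholder password from the text, not real hosts or secrets.

```shell
#!/bin/sh
# Added example, not from the original how-to: sanity-check a slurpd
# Master/Slave slapd.conf pair before starting the servers.
# It unfolds slapd.conf continuation lines, reads the Master's "replica"
# stanza and the Slave's updatedn/updateref, and checks that the Master's
# binddn equals the Slave's updatedn and that neither file exposes the
# plaintext bind password to other users.

# Print a slapd.conf with comment lines dropped and continuation lines
# (those beginning with whitespace) joined onto the directive they continue.
unfold_conf() {   # $1 = slapd.conf
    grep -v '^[[:space:]]*#' "$1" | awk '
        /^[ \t]/ { line = line " " $0; next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    ' | sed 's/[[:space:]][[:space:]]*/ /g'
}

# Value of key=value inside the Master's "replica" directive, quotes removed.
# Assumes DN values contain no whitespace (the how-to's DNs do not).
replica_value() { # $1 = master slapd.conf, $2 = key (host, binddn, ...)
    unfold_conf "$1" | awk -v key="$2" '
        $1 == "replica" {
            for (i = 2; i <= NF; i++)
                if (index($i, key "=") == 1) {
                    v = substr($i, length(key) + 2); gsub(/"/, "", v)
                    print v; exit
                }
        }'
}

# Argument of a one-argument directive such as updatedn or updateref.
directive_value() { # $1 = slapd.conf, $2 = directive name
    unfold_conf "$1" | awk -v d="$2" '$1 == d { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Returns 0 when the pair is consistent, 1 otherwise, printing each finding.
check_pair() {    # $1 = master slapd.conf, $2 = slave slapd.conf
    rc=0
    binddn=$(replica_value "$1" binddn)
    creds=$(replica_value "$1" credentials)
    host=$(replica_value "$1" host)
    updatedn=$(directive_value "$2" updatedn)
    updateref=$(directive_value "$2" updateref)

    # slurpd binds to the Slave as binddn; the Slave accepts replicated writes
    # only from updatedn, so the two must name the same entry.
    if [ -z "$binddn" ] || [ "$binddn" != "$updatedn" ]; then
        echo "FAIL: master binddn '$binddn' does not match slave updatedn '$updatedn'"
        rc=1
    fi
    [ -n "$host" ]      || { echo "FAIL: master replica stanza has no host="; rc=1; }
    [ -n "$creds" ]     || { echo "FAIL: master replica stanza has no credentials="; rc=1; }
    [ -n "$updateref" ] || { echo "FAIL: slave has no updateref; client writes would not be referred to the master"; rc=1; }

    # credentials= is a plaintext password, so both files must be mode 600/400.
    for f in "$1" "$2"; do
        case "$(file_mode "$f")" in
            *00) ;;
            *)   echo "FAIL: $f is group/world readable but holds a bind password"; rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed Master/Slave pair into directory $1, using $2 as the
# Slave's updatedn (pass a different DN to see the mismatch reported).
write_samples() { # $1 = directory, $2 = slave updatedn
    cat > "$1/master.conf" <<'EOF'
# Constructed sample: not a real host or password
replogfile /var/lib/ldap/openldap-master-replog
replica host=192.0.2.10:389
        bindmethod=simple
        binddn="dc=somedomain,dc=com"
        credentials=somepassword
EOF
    cat > "$1/slave.conf" <<EOF
# Constructed sample
updatedn $2
updateref ldap://192.0.2.11
EOF
    chmod 600 "$1/master.conf" "$1/slave.conf"
}

# Usage: sh check_slurpd_pair.sh /path/to/master-slapd.conf /path/to/slave-slapd.conf
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

Copy the Slave's slapd.conf next to the Master's and run the script with both paths; a zero exit status means the stanzas pair up and the files are private. The check is deliberately static: it proves the configuration is coherent before slapd and slurpd are started, which is cheaper than discovering a binddn typo as a growing .rej file under /var/lib/ldap/replica.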