Setup OpenLDAP Master-Slave Replication on CentOS 8

In this guide, we are going to learn how to set up OpenLDAP Master-Slave Replication on CentOS 8. In recent versions of OpenLDAP, the terms Master and Slave have been deprecated and replaced by Provider and Consumer respectively. In such a setup, the LDAP provider replicates directory updates to LDAP consumers, i.e., consumers receive replication updates from providers.

Apart from Provider-Consumer (master-slave) replication, other setups such as multi-master (provider-provider) replication are also possible, whereby replication updates received by a consumer can be further propagated by that consumer to other servers, so a consumer can also act simultaneously as a provider.

Setting up OpenLDAP Master-Slave Replication

In this demo, we are going to learn how to configure OpenLDAP Provider-Consumer (Master-Slave) replication on CentOS 8. Our LDAP servers are running on CentOS 8 systems.

Our Environment Setup:

  • LDAP Provider (Master): ldapmaster.kifarunix-demo.com
  • LDAP Consumer (Slave): ldapslave.kifarunix-demo.com

Ensure that the hostnames are resolvable. If you do not have a DNS server, simply update the hosts file with the individual server hostnames and IP addresses by running the command below on each server.

Replace the hostnames and IP addresses accordingly.

echo -e "192.168.56.100 ldapmaster.kifarunix-demo.com\n192.168.2.101 ldapslave.kifarunix-demo.com" >> /etc/hosts

Prerequisites

To begin with, install and configure the basic OpenLDAP settings on both the Provider and the Consumer servers. Follow the link below to learn how to install and configure OpenLDAP server on CentOS 8.

Install and Setup OpenLDAP on CentOS 8

If you are using LDAP with SSL/TLS certificates, you might want to use wildcard certificates to avoid having to distribute multiple certificates to LDAP clients. Note, however, that LDAPS does not work with wildcard SSL certificates.

Also, ensure that the time is synchronized between the Provider and the Consumer.

Backup OpenLDAP Provider Data and Configurations

If you have made quite a number of configuration changes on your Provider, you can back up its configuration and data and restore them on the Consumer, after installing and setting up the OpenLDAP basics on the Consumer.

If you followed our guide on setting up OpenLDAP on CentOS 8, you can stop after creating the OpenLDAP SUDO schema.

To back up the OpenLDAP database configuration (to an LDIF file), execute either of the commands below;

slapcat -n 0 -l ldap-config.ldif

Or

slapcat -b cn=config -l ldap-config.ldif

To back up the OpenLDAP data, run slapcat as shown below;

slapcat -l ldap-data.ldif

Or

slapcat -n 1 -l ldap-data.ldif

Restore OpenLDAP Data and Configurations on Consumer

Assuming OpenLDAP is installed and running on your Consumer server with settings similar to those on the Provider (the relevant LDAP directories and permissions), proceed as follows to restore the data and database configuration from the Provider.

Copy Data and Configuration Backup to OpenLDAP Consumer

Copy the data and configuration backup from the OpenLDAP Provider server to the OpenLDAP Consumer server.

scp {ldap-data.ldif,ldap-config.ldif} root@ldapslave.kifarunix-demo.com:

Restore OpenLDAP Provider Data and Configs on Consumer

Once the copy is done, log in to the Consumer server and stop the LDAP service.

systemctl stop slapd

Ensure that the LDAP configuration and data directories are empty;

rm -rf /etc/openldap/slapd.d/*
rm -rf /var/lib/openldap/*

Restore the configuration backup by running either of the commands below;

slapadd -b cn=config -l ldap-config.ldif -F /etc/openldap/slapd.d/

or

slapadd -n 0 -l ldap-config.ldif -F /etc/openldap/slapd.d/

Restore the LDAP data by running the command;

slapadd -n 1 -l ldap-data.ldif -F /etc/openldap/slapd.d/

Set the proper ownership of the LDAP data and configuration directories;

chown -R ldap:ldap /etc/openldap/slapd.d/ /var/lib/openldap/

Configure OpenLDAP with SSL/TLS

If your Provider is configured with SSL/TLS, copy the certificates from the master and place them in the appropriate locations on the slave;

scp root@ldapmaster.kifarunix-demo.com:/etc/pki/tls/ldapserver.{crt,key} /etc/pki/tls

Set proper ownership of the certificate and key above;

chown ldap:ldap /etc/pki/tls/ldapserver.{crt,key}

Start and enable LDAP service.

systemctl enable --now slapd

Allow OpenLDAP Service on Firewall

To allow remote clients to query the OpenLDAP server, allow the ldap (389 UDP/TCP) and ldaps (636 UDP/TCP) services on the firewall.

firewall-cmd --add-service={ldap,ldaps} --permanent
firewall-cmd --reload

Configure OpenLDAP Provider (Master) for Replication

Now that both the LDAP Provider and Consumer are in the same configuration state, you can proceed with the replication setup.

Create a Read Only BindDN user

You need a read-only user that the Consumer binds as in order to read the entries to be replicated. In our setup, the read-only user is;

cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com

As an example, below are the access control lists defined on our OpenLDAP Provider.

ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}mdb,cn=config" olcAccess -Q -LLL
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
 e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
 ernal,cn=auth" manage by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-dem
 o,dc=com" read by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=co
 m" read by * none
olcAccess: {1}to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mana
 ge by * none
olcAccess: {2}to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.sub
 tree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by user
 s read  by * none

Enable LDAP Sync Provider (syncprov) Overlay on Provider (Master)

In order to enable LDAP content synchronization (syncrepl replication) between the Provider and the Consumer, you need to load the syncprov overlay module on the Provider (Master) server.

vim enable-syncprov.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

Ensure that the module is available in the configured module path;

slapcat -n 0 | grep -i modulepath
olcModulePath: /usr/libexec/openldap

Otherwise, specify the full path to the module in the LDIF file above.

Update the OpenLDAP configuration database;

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-syncprov.ldif

Configure Replication Settings on the Provider

Define the syncprov overlay replication settings on your LDAP Provider.

vim syncprov-options.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Refer to man slapo-syncprov for descriptions of the options used above. Be aware that slapo-syncprov(5) states that syncprov-nopresent (olcSpNoPresent) should only be set when the overlay sits on an accesslog database (delta-syncrepl); with the overlay on the main database as above, the default FALSE is the safer setting.

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov-options.ldif

Enable Required syncprov Indexing

You need to enable the entryCSN and entryUUID equality indexes: entryCSN speeds up the database scan and entryUUID improves the performance of the session log on the Provider.

vim enable-indexing.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-indexing.ldif

Configure OpenLDAP Consumer (Slave) for Replication

Next, proceed to configure your OpenLDAP Consumer to connect to the Provider and fetch any updates made there. This is done by adding the olcSyncrepl attribute along with its configuration options.

vim enable-syncrepl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://ldapmaster.kifarunix-demo.com
  binddn="cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
  bindmethod=simple
  credentials="P@ssW0rd"
  searchbase="dc=ldapmaster,dc=kifarunix-demo,dc=com"
  type=refreshAndPersist
  timeout=0
  network-timeout=0
  retry="60 +"

Replace the provider, binddn, credentials and searchbase with values appropriate to your environment. Note that with bindmethod=simple over a plain ldap:// URI the replication password crosses the network in cleartext; if your Provider is configured with SSL/TLS, add starttls=critical to the olcSyncrepl value (or use an ldaps:// provider URI) so that the bind is protected.

In this setup;

  • The Consumer (LDAP slave) connects to the Provider (master) in refreshAndPersist mode: the slave initiates a connection to the master to synchronize the DITs, then keeps the connection open so that subsequent changes on the Provider are immediately propagated to the Consumer.
  • The bind DN is cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com; its password and the bind method are given by credentials and bindmethod respectively.
  • Read more about the syncrepl options in the OpenLDAP Administrator's Guide.

Update the Consumer database with sync replication information.

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-syncrepl.ldif

The Provider-Consumer (Master-Slave) replication setup is now done.

Configure OpenLDAP Logging

In our setup, logging was already configured before the backup was taken, so we can confirm the same on the OpenLDAP slave;

slapcat -n 0 | grep -i loglevel
olcLogLevel: stats

Thus, all you need to do is configure Rsyslog so that OpenLDAP logs to a dedicated file. By default, OpenLDAP logs to the local4 facility.

echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.conf

Restart Rsyslog

systemctl restart rsyslog

Restart LDAP server service.

systemctl restart slapd

Verifying OpenLDAP Replication Status

Now that the provider-consumer replication setup is done, it is time to verify that everything works as expected.

To begin with, add new entries on the OpenLDAP Provider (Master), for example a new user entry. At the same time, tail the OpenLDAP Consumer logs to check the replication status.

On the OpenLDAP Provider, create the new entries;

vim new-user.ldif
dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: koromicha
gidnumber: 10050
homedirectory: /home/koromicha
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
shadowinactive: 7
shadowlastchange: 0
shadowmax: 60
shadowmin: 1
shadowwarning: 7
sn: Doe
uid: koromicha
uidnumber: 10050
userpassword: {SSHA}vg3PjAkA2mKNjrxAg5ucywm06yf8h8pO

dn: cn=koromicha,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: koromicha
gidnumber: 10050
memberuid: koromicha
objectclass: posixGroup

Add the new entry to OpenLDAP Provider database.

ldapadd -Y EXTERNAL -H ldapi:/// -f new-user.ldif

You can now read the log file, /var/log/slapd.log, on the Consumer and look for the keyword do_syncrepl.

Also, search for the new entry on the OpenLDAP consumer;

ldapsearch -Y EXTERNAL -H ldapi:/// -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" dn -Q -LLL
dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

Reset the password for the user on OpenLDAP provider and verify it on OpenLDAP Consumer;

[root@ldapmaster ~]# ldappasswd -x -h ldapmaster.kifarunix-demo.com -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -S "uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W

Once the password is reset, verify it on the Consumer using the ldapwhoami command as shown below;

[root@ldapslave ~]# ldapwhoami -x -h ldapslave.kifarunix-demo.com -D "uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -vvv
ldap_initialize( ldap://ldapslave.kifarunix-demo.com )
Enter LDAP Password: 
dn:uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
Result: Success (0)
[root@ldapslave ~]#
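Beyond checking a single entry, a practitioner usually confirms that the Consumer has caught up by comparing the contextCSN of the replicated suffix on both servers. The script below is an added example, not part of the original guide or of OpenLDAP itself; it assumes the suffix, hostnames and read-only bind DN from this guide, and the placeholder PWFILE path holds the read-only bind password.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the contextCSN of the
# replicated suffix on the Provider and the Consumer. syncrepl has caught up
# when both servers return the same contextCSN value(s) for the suffix.
# Assumed: SUFFIX, PROVIDER, CONSUMER and BINDDN match the guide; PWFILE is a
# placeholder path to a mode-0600 file holding the read-only bind password.
SUFFIX="dc=ldapmaster,dc=kifarunix-demo,dc=com"
PROVIDER="ldap://ldapmaster.kifarunix-demo.com"
CONSUMER="ldap://ldapslave.kifarunix-demo.com"
BINDDN="cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
PWFILE="${PWFILE:-/root/.readonly-pw}"   # placeholder path

# Unfold LDIF continuation lines (a leading single space) read from stdin,
# then print only the contextCSN values, sorted so lists compare reliably.
extract_csn() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf != "") print buf; buf = $0 }
       END { if (buf != "") print buf }' |
    sed -n 's/^contextCSN: //p' | sort
}

# Fetch the suffix entry's contextCSN from one server. The guide's ACLs grant
# "by users read" on the suffix, so an authenticated simple bind is required.
fetch_csn() {
  ldapsearch -x -H "$1" -D "$BINDDN" -y "$PWFILE" \
    -b "$SUFFIX" -s base -LLL contextCSN | extract_csn
}

# Exit status 0 when both contextCSN lists are non-empty and identical.
csn_in_sync() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Run the live check only when invoked as: sh check-sync.sh run
if [ "${1:-}" = "run" ]; then
  p=$(fetch_csn "$PROVIDER")
  c=$(fetch_csn "$CONSUMER")
  printf 'provider: %s\nconsumer: %s\n' "$p" "$c"
  if csn_in_sync "$p" "$c"; then
    echo "replication is in sync"
  else
    echo "consumer is behind or contextCSN unreadable; check do_syncrepl in /var/log/slapd.log" >&2
    exit 1
  fi
fi
```

A Consumer whose contextCSN stays behind the Provider's after a write is the first sign that syncrepl is not delivering updates.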

Great. You now have a functional OpenLDAP provider-consumer (Master-Slave) replication setup.

But what are the cons of a Master-Slave OpenLDAP setup? Well, according to Zytrax;

Master-Slave (or provider-consumer) configurations have two obvious shortcomings:

  • Multiple locations. If all or most clients have the need to update the DIT then either they will have to access one server (running the slave DIT) for normal read access and another server (running the master DIT) to perform updates. Alternatively the clients can always access the server running the master DIT. In this latter case replication provides backup functionality only.
  • Resilience. Since there is only one server containing a master DIT it represents a single point of failure.

That marks the end of our guide on setting up OpenLDAP Master-Slave Replication. In our next guide, we will cover how to set up Provider-Provider OpenLDAP server replication.

Reference

Replication – OpenLDAP Software 2.4 Administrator’s Guide

Author: koromicha