{"id":4941,"date":"2020-02-27T22:24:23","date_gmt":"2020-02-27T19:24:23","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4941"},"modified":"2024-03-14T19:24:07","modified_gmt":"2024-03-14T16:24:07","slug":"setup-openldap-master-slave-replication-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-openldap-master-slave-replication-on-centos-8\/","title":{"rendered":"Setup OpenLDAP Master-Slave Replication on CentOS 8"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to setup OpenLDAP Master-Slave Replication on CentOS 8. In recent versions of OpenLDAP, the terms Master and Slave have been deprecated and the terms <a rel=\"noreferrer noopener\" aria-label=\"Provider and Consumer (opens in a new tab)\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/replication.html\" target=\"_blank\">Provider and Consumer<\/a> replaced them respectively. In such a setup, LDAP provider replicates directory updates to LDAP consumers i.e consumers receive replication updates from providers.<\/p>\n\n\n\n<p>Apart from Provider-consumer (master-slave) replication, it is also possible to have other setups as multi-master (provider-provider) replication whereby replication updates received in a consumer can be further propagated by that consumer to other servers, so a consumer can also act simultaneously as a provider.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up OpenLDAP Master-Slave Replication<\/h2>\n\n\n\n<p>In this demo, we are going to learn how to configure OpenLDAP Provider-Consumer (Master-Slave) replication on CentOS 8. Our LDAP servers are running on CentOS 8 systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Our Environment Setup:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>LDAP Provider (Master):<\/strong> ldapmaster.kifarunix-demo.com<\/li>\n\n\n\n<li><strong>LDAP Consumer (Slave):<\/strong> ldapslave.kifarunix-demo.com<\/li>\n<\/ul>\n\n\n\n<p>Ensure that the hostnames are resolvable. 
If you do not have a DNS server, simply update the hosts file with the individual server hostnames and IP addresses by running the command below on each server.<\/p>\n\n\n\n<p><strong>Replace the hostnames and IP addresses accordingly<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo -e \"192.168.56.100 ldapmaster.kifarunix-demo.com\\n192.168.2.101 ldapslave.kifarunix-demo.com\" &gt;&gt; \/etc\/hosts<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Prerequisites<\/h2>\n\n\n\n<p>To begin with, <strong>install and configure the basic OpenLDAP settings on both the Provider and the Consumer servers.<\/strong> Follow the link below to learn how to install and configure OpenLDAP server on CentOS 8.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\"Install and Setup OpenLDAP on CentOS 8 (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\">Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n<p>If you are using LDAP with SSL\/TLS certificates, you might want to use wildcard certificates in this case to avoid having to use multiple certificates on LDAP clients. 
In that case, please note that <strong>LDAPS does not work with wildcard ssl certificates.<\/strong><\/p>\n\n\n\n<p>Also, ensure that the time is synchronized between the Provider and the Consumer.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Backup OpenLDAP Provider Data and Configurations<\/h3>\n\n\n\n<p>If, however, you have made quite a number of configurations on your Provider, you can <strong>backup<\/strong> its configurations and data and <strong>restore<\/strong> it on the Consumer, but of course after installing and setting up OpenLDAP basics on the consumer.<\/p>\n\n\n\n<p>If you followed <a rel=\"noreferrer noopener\" aria-label=\"our guide on setting up OpenLDAP on CentOS 8 (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\">our guide on setting up OpenLDAP on CentOS 8<\/a>, you can stop after creating OpenLDAP SUDO schema.<\/p>\n\n\n\n<p>To backup the OpenLDAP database configuration (to an LDIF file), simply execute either of the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -n 0 -l ldap-config.ldif<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -b cn=config -l ldap-config.ldif<\/code><\/pre>\n\n\n\n<p>To backup OpenLDAP data, simply run slapcat command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -l ldap-data.ldif<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -n 1 -l ldap-data.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Restore OpenLDAP Data and Configurations on Consumer<\/h3>\n\n\n\n<p>Assuming your OpenLDAP is installed and running on your Consumer server with all the settings similar to what is set on the Provider, like the relevant LDAP directories and permissions, you can proceed as follows to restore the Data and database configuration settings from the Provider.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Copy Data 
and Configuration Backup to OpenLDAP Consumer<\/h4>\n\n\n\n<p>Copy the data and configuration backup from the OpenLDAP Provider server to the OpenLDAP Consumer server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>scp {ldap-data.ldif,ldap-config.ldif} root@ldapslave.kifarunix-demo.com:<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Restore OpenLDAP Provider Data and Configs on Consumer<\/h4>\n\n\n\n<p>Once the copying is done, log in to the Consumer server and stop the LDAP service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop slapd<\/code><\/pre>\n\n\n\n<p>Ensure that the LDAP configuration and data directories are empty;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rm -rf \/etc\/openldap\/slapd.d\/*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rm -rf \/var\/lib\/openldap\/*<\/code><\/pre>\n\n\n\n<p>Restore the configuration backup by running either of the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapadd -b cn=config -l ldap-config.ldif -F \/etc\/openldap\/slapd.d\/<\/code><\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapadd -n 0 -l ldap-config.ldif -F \/etc\/openldap\/slapd.d\/<\/code><\/pre>\n\n\n\n<p>Restore the LDAP data directories by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapadd -n 1 -l ldap-data.ldif -F \/etc\/openldap\/slapd.d\/<\/code><\/pre>\n\n\n\n<p>Set the proper ownership of the LDAP data and configuration directories;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R ldap:ldap \/etc\/openldap\/slapd.d\/ \/var\/lib\/openldap\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure OpenLDAP with SSL\/TLS<\/h3>\n\n\n\n<p>If your Provider is configured with SSL\/TLS, then you need to copy the certificates from the master and place them in the appropriate locations on the slave;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>scp root@ldapmaster.kifarunix-demo.com:\/etc\/pki\/tls\/ldapserver.{crt,key} \/etc\/pki\/tls<\/code><\/pre>\n\n\n\n<p>Set proper ownership of the certificate and key above;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown ldap:ldap \/etc\/pki\/tls\/ldapserver.{crt,key}<\/code><\/pre>\n\n\n\n<p>Start and enable the LDAP service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now slapd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Allow OpenLDAP Service on Firewall<\/h3>\n\n\n\n<p>To allow remote clients to query the OpenLDAP server, allow the&nbsp;<code>ldap<\/code>&nbsp;<strong>(389 UDP\/TCP)<\/strong>&nbsp;and&nbsp;<code>ldaps<\/code>&nbsp;(636 UDP\/TCP) services on the firewall.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-service={ldap,ldaps} --permanent<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --reload<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Configure OpenLDAP Provider (Master) for Replication<\/h2>\n\n\n\n<p>Now that both the LDAP Provider and Consumer are in the same state of configuration, you can proceed with the replication setup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Create a Read Only BindDN user<\/h3>\n\n\n\n<p>You need to have a read only user that can be used to read replicated entries. 
In our setup, we have a read only user;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cn=readonly,ou=system,dc=ldapmaster,dc=silensec,dc=com<\/code><\/pre>\n\n\n\n<p>Just as an example, below are the access control lists defined on our  OpenLDAP Provider.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b \"olcDatabase={1}mdb,cn=config\" olcAccess -Q -LLL<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: olcDatabase={1}mdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ\n e by anonymous auth by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=ext\n ernal,cn=auth\" manage by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-dem\n o,dc=com\" read by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=co\n m\" read by * none\nolcAccess: {1}to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" mana\n ge by * none\nolcAccess: {2}to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.sub\n tree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by user\n s read  by * none<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enable LDAP Sync Provider (syncprov) Overlay on Provider (Master)<\/h3>\n\n\n\n<p>In order to enable LDAP content synchronization (syncrepl replication) between the Provider and the Consumer, you need to enable <a href=\"https:\/\/www.zytrax.com\/books\/ldap\/ch6\/syncprov.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"syncprov Overlay module (opens in a new tab)\">syncprov Overlay module<\/a> on the Provider (Master) server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim enable-syncprov.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: syncprov.la<\/code><\/pre>\n\n\n\n<p>Ensure that the 
module is available on the defined modules path;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -n 0 | grep -i modulepath<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>olcModulePath: \/usr\/libexec\/openldap<\/strong><\/code><\/pre>\n\n\n\n<p>Otherwise, you need to define the full path to the module in the ldif file above.<\/p>\n\n\n\n<p>Update the OpenLDAP database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f enable-syncprov.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Replication Settings on the Provider<\/h3>\n\n\n\n<p>Define the syncprov overlay replication settings on your LDAP Provider.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim syncprov-options.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcSyncProvConfig\nolcOverlay: syncprov\nolcSpNoPresent: TRUE\nolcSpCheckpoint: 100 10\nolcSpSessionlog: 100<\/code><\/pre>\n\n\n\n<p>Refer to <code><strong>man slapo-syncprov<\/strong><\/code> for descriptions of the options used above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f syncprov-options.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Enable Required syncprov Indexing<\/h3>\n\n\n\n<p>You need to enable the <code><strong>entryCSN<\/strong><\/code> and <code><strong>entryUUID<\/strong><\/code> indexes to improve the database scan speed and the performance of the session log on the provider respectively.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim enable-indexing.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nadd: olcDbIndex\nolcDbIndex: entryCSN eq\n-\nadd: olcDbIndex\nolcDbIndex: entryUUID eq<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f enable-indexing.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure OpenLDAP Consumer (Slave) for Replication<\/h3>\n\n\n\n<p>Next, proceed to configure your OpenLDAP Consumer to connect to the Provider&nbsp;to fetch any updates made. This can be done by adding the <code><strong>olcSyncrepl<\/strong><\/code> attribute along with its configuration options.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim enable-syncrepl.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nadd: olcSyncrepl\nolcSyncrepl: \n  rid=001 \n  provider=ldap:\/\/ldapmaster.kifarunix-demo.com\n  binddn=\"cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" \n  bindmethod=simple\n  credentials=\"P@ssW0rd\"\n  searchbase=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" \n  type=refreshAndPersist \n  timeout=0 \n  network-timeout=0 \n  retry=\"60 +\"<\/code><\/pre>\n\n\n\n<p>Replace the <strong>provider, binddn and the binddn credentials, and the search base<\/strong> with appropriate values.<\/p>\n\n\n\n<p>In this setup;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The consumer (ldap slave) connects to the provider (master) to perform <strong>refreshAndPersist<\/strong> polling, whereby the slave initiates a connection to the master for synchronization of DITs. 
It then maintains the connection such that subsequent changes to the provider are immediately propagated to the consumer.<\/li>\n\n\n\n<li>The bind user is <code>cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code>; its <strong>password<\/strong> and <strong>bind method<\/strong> are specified by <strong>credentials<\/strong> and <strong>bindmethod<\/strong> respectively.<\/li>\n\n\n\n<li>Read more about syncrepl options in the <a rel=\"noreferrer noopener\" aria-label=\"OpenLDAP guide (opens in a new tab)\" href=\"http:\/\/www.restart.be\/openldap\/slapdconfig.html#syncrepl\" target=\"_blank\">OpenLDAP guide<\/a>.<\/li>\n<\/ul>\n\n\n\n<p>Update the Consumer database with the sync replication information.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f enable-syncrepl.ldif<\/code><\/pre>\n\n\n\n<p>The Provider-Consumer (Master-Slave) replication setup is now done.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure OpenLDAP Logging<\/h3>\n\n\n\n<p>In our setup, logging was already configured before the backup was taken, hence we can confirm the same on the OpenLDAP slave;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -n 0 | grep -i loglevel<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>olcLogLevel: stats<\/strong><\/code><\/pre>\n\n\n\n<p>Thus, all you need to do is configure Rsyslog so that OpenLDAP logs to a specific file. 
By default, OpenLDAP logs to&nbsp;<code>local4<\/code>&nbsp;facility.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\n<p>Restart Rsyslog<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>Restart LDAP server service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart slapd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verifying OpenLDAP Replication Status<\/h3>\n\n\n\n<p>Now that our provider-consumer replication setup is done, it is now time to verify if everything works as expected.<\/p>\n\n\n\n<p>To begin with, try to add new entries on the OpenLDAP Provider (Master) for example, new user entry. At the same time, tail the OpenLDAP Consumer logs to check replication status.<\/p>\n\n\n\n<p>On OpenLDAP Consumer;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim new-user.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncn: koromicha\ngidnumber: 10050\nhomedirectory: \/home\/koromicha\nloginshell: \/bin\/bash\nobjectclass: inetOrgPerson\nobjectclass: posixAccount\nobjectclass: shadowAccount\nshadowinactive: 7\nshadowlastchange: 0\nshadowmax: 60\nshadowmin: 1\nshadowwarning: 7\nsn: Doe\nuid: koromicha\nuidnumber: 10050\nuserpassword: {SSHA}vg3PjAkA2mKNjrxAg5ucywm06yf8h8pO\n\ndn: cn=koromicha,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncn: koromicha\ngidnumber: 10050\nmemberuid: koromicha\nobjectclass: posixGroup<\/code><\/pre>\n\n\n\n<p>Add the new entry to OpenLDAP Provider database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f new-user.ldif<\/code><\/pre>\n\n\n\n<p>You can now read the log file,&nbsp;<code>\/var\/log\/slapd.log<\/code> and look for the keyword, <strong>do_syncrepl<\/strong>.<\/p>\n\n\n\n<p>Also, search for the new entry on the 
OpenLDAP consumer;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" dn -Q -LLL<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\n<strong>dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code><\/pre>\n\n\n\n<p>Reset the password for the user on the OpenLDAP provider and verify it on the OpenLDAP Consumer;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>[root@ldapmaster ~]# <strong>ldappasswd -x -h ldapmaster.kifarunix-demo.com -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -S \"uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W<\/strong><\/code><\/pre>\n\n\n\n<p>Once the password is reset, you can verify using the <code>ldapwhoami<\/code> command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>[root@ldapslave ~]# <strong>ldapwhoami -x -h ldapslave.kifarunix-demo.com -D \"uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W -vvv<\/strong>\nldap_initialize( ldap:\/\/ldapslave.kifarunix-demo.com )\nEnter LDAP Password: \n<strong>dn:uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nResult: Success (0)<\/strong>\n[root@ldapslave ~]#<\/code><\/pre>\n\n\n\n<p>Great. You now have a functional OpenLDAP provider-consumer (Master-Slave) replication setup.<\/p>\n\n\n\n<p>But what are the cons of a Master-Slave OpenLDAP setup? Well, according to <a href=\"https:\/\/www.zytrax.com\/books\/ldap\/ch7\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Zytrax (opens in a new tab)\">Zytrax<\/a>;<\/p>\n\n\n\n<p>Master-Slave (or provider-consumer) configurations have two obvious shortcomings:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multiple locations<\/strong>. 
If all or most clients have the need to update the DIT then either they will have to access one server (running the slave DIT) for normal read access and another server (running the master DIT) to perform updates. Alternatively the clients can always access the server running the master DIT. In this latter case replication provides backup functionality only.<\/li>\n\n\n\n<li><strong>Resilience<\/strong>. Since there is only one server containing a master DIT it represents a single point of failure.<\/li>\n<\/ul>\n\n\n\n<p>That marks the end of our guide on how to set up OpenLDAP Master-Slave Replication. In our next guide, we will cover how to set up Provider-Provider OpenLDAP server replication.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\"Replication - OpenLDAP Software 2.4 Administrator&#039;s Guide (opens in a new tab)\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/replication.html\" target=\"_blank\">Replication &#8211; OpenLDAP Software 2.4 Administrator&#8217;s Guide<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\"Setup OpenLDAP Server with SSL\/TLS on Debian 10 (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/\" target=\"_blank\">Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-setup-freeipa-server-on-centos-8\/\" target=\"_blank\">Install and Setup FreeIPA Server on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/setup-ldap-self-service-password-tool-on-centos-8\/\" target=\"_blank\">Setup LDAP Self Service Password Tool on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-phpldapadmin-on-centos-8\/\" target=\"_blank\" 
rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install phpLDAPadmin on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/implement-openldap-password-policies\/\" target=\"_blank\">Implement OpenLDAP Password Policies<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to setup OpenLDAP Master-Slave Replication on CentOS 8. In recent versions of OpenLDAP, the terms Master<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1296,1295,248,1292,1293,1291,1294],"class_list":["post-4941","post","type-post","status-publish","format-standard","hentry","category-howtos","category-directory-server","category-openldap","tag-centos-8-openldap","tag-consumer","tag-ldap","tag-openldap-master-slave-replication","tag-openldap-provider-consumer-setup","tag-openldap-replication","tag-provider","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4941"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4941"}],"version-history":[{"count":16,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4941\/revisions"}],"predecessor-version":[{"id":21326,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4941\/revisions\/21326"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"h
ref":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}