Hello,
I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, but it's not working.
Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi-Master", I have created the following LDIF file and slapd.conf file, but when I run slapadd to create my config database it fails.
Could you please advise?
Thank you very much.
Fal
(1) The slapadd command I execute, and the error message I get:
================================================
sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
[sudo] password for ubuntu11:
50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?
_ 2.58% eta none elapsed none spd 1.1 M/s
Closing DB...
(2) My LDIF file, mmr-servers.ldif
=========================
# This sets up the config database:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# second and third servers will have a different olcServerID obviously:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 3

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# This sets up syncrepl as a provider (since these are all masters):
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: syncprov.la

# Now we setup the first Master Node
# (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
dn: cn=config
changetype: modify
replace: olcServerID
## olcServerID: 1 $URI1
olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com
## olcServerID: 2 $URI2
olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com
## olcServerID: 3 $URI3
olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

# Now start up the Master and a consumer/s;
# also add the above LDIF to the first consumer, second consumer etc.
# It will then replicate cn=config.
# You now have N-Way Multimaster on the config database.

# We still have to replicate the actual data, not just the config;
# so add to the master
# (all active and configured consumers/masters will pull down this config,
# as they are all syncing).
# Also, replace all ${} variables with whatever is applicable to your setup:
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
olcDbDirectory: ./db
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited
olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
  credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
  credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
  credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Note: All of your servers' clocks must be tightly synchronized using e.g. NTP.
# Note: URLs specified in olcSyncRepl directives are the servers URLs to replicate from.
# These must exactly match the URLs slapd listens on (-h in Command-Line Options).
# Otherwise slapd may attempt to replicate from itself, causing a loop.
(3) My slapd.conf file:
================
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################
## database bdb
## suffix "dc=my-domain,dc=com"
## rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
## rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
## directory /usr/local/var/openldap-data
# Indices to maintain
## index objectClass eq

## added for multimaster replication (prior to running slapadd to create db):
database bdb
# suffix <DN of root of subtree you are trying to create>
suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootpw secret
# directory for index files
directory /usr/local/var/openldap-data
# specify which indices you want to build
index objectClass eq
# loglevel 64
I have these additional questions also, please:
* It's "refreshAndPersist" Provider Push replication I want to implement, not "refreshOnly" Consumer Poll Pull. So in my mmr-servers.ldif file, can/should I change all the "refreshOnly" clauses in the Data Replication part to "refreshAndPersist"?
* In the above LDIF file, in both the Config Replication section and the Data Replication section, why does it add MirrorMode and set it to True? It's N-Way Multi-Master replication I want to implement, not Mirror-Mode replication, so can/should I get rid of all those "Mirror Mode" clause statements?
Thank you once again.
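As an added example (not part of the post or of the Admin Guide), a small Python lint for an N-way multi-master LDIF of the kind shown above: it unfolds LDIF continuation lines, then flags ${} placeholders left unreplaced, duplicate rids, simple-bind olcSyncRepl stanzas and olcRootPW values carrying cleartext secrets, and provider URLs that match no olcServerID URL, which is the mismatch the guide's closing note says can make slapd replicate from itself. The sample LDIF inside it is constructed from the post's hostnames with deliberate faults.

```python
import re

# Constructed sample modelled on the post's config-replication LDIF, with one $URI
# placeholder left unresolved, one duplicated rid, and folded (continued) lines.
SAMPLE_LDIF = """\
olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com
olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com
olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com
olcSyncRepl: rid=001 provider=ldap://ldap.awshost.ldapservice.hq.mycompany.com
  binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config"
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
olcSyncRepl: rid=002 provider=ldap://ldap.sachost.ldapservice.hq.mycompany.com
  binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config"
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def lint_mmr_ldif(text):
    """Findings: unresolved $VARs, cleartext secrets, duplicate rids, and providers
    matching no olcServerID URL (the guide's self-replication loop warning)."""
    findings, server_urls, rids, syncrepls = [], set(), set(), []
    for line in unfold_ldif(text):
        if "$" in line:
            findings.append("unresolved placeholder: " + line[:40])
        if m := re.match(r"olcServerID:\s*\d+\s+(\S+)", line):
            server_urls.add(m.group(1))
        if (m := re.match(r"olcRootPW:\s*(\S+)", line)) and not m.group(1).startswith("{"):
            findings.append("cleartext olcRootPW; store a slappasswd(8) hash instead")
        if line.startswith("olcSyncRepl:"):
            syncrepls.append(line)
    for line in syncrepls:  # checked once every olcServerID URL is known
        rid = re.search(r"rid=(\d+)", line)
        rid = rid.group(1) if rid else "?"
        prov = re.search(r"provider=(\S+)", line)
        if rid in rids:
            findings.append(f"rid={rid}: duplicate rid")
        rids.add(rid)
        if not prov or prov.group(1) not in server_urls:
            findings.append(f"rid={rid}: provider matches no olcServerID URL")
        if "bindmethod=simple" in line and "credentials=" in line:
            findings.append(f"rid={rid}: cleartext credentials in simple bind")
    return findings
```

Run it over the real file with `lint_mmr_ldif(open("mmr-servers.ldif").read())` before slapadd; an empty list means none of these checks fired.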