Hello,
I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, but it's not working.
Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi-Master", I have created the following LDIF file and slapd.conf file, but when I run slapadd to create my config database it fails.
Could you please advise?
Thank you very much.
Fal
(1) The slapadd command I execute, and the error message I get:
================================================
sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
[sudo] password for ubuntu11:
50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?
_ 2.58% eta none elapsed none spd 1.1 M/s
Closing DB...
(2) My LDIF File, mmr-servers.ldif
=========================
# This sets up the config database:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# second and third servers will have a different olcServerID obviously:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 3

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# This sets up syncrepl as a provider (since these are all masters):
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: syncprov.la

# Now we setup the first Master Node
# (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
dn: cn=config
changetype: modify
replace: olcServerID
## olcServerID: 1 $URI1
olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com
## olcServerID: 2 $URI2
olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com
## olcServerID: 3 $URI3
olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

# Now start up the Master and a consumer/s;
# also add the above LDIF to the first consumer, second consumer etc.
# It will then replicate cn=config.
# You now have N-Way Multimaster on the config database.
# We still have to replicate the actual data, not just the config;
# so add to the master
# (all active and configured consumers/masters will pull down this config,
# as they are all syncing).
# Also, replace all ${} variables with whatever is applicable to your setup:
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
olcDbDirectory: ./db
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited
olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
  credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
  credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
  credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Note: All of your servers' clocks must be tightly synchronized using e.g. NTP.
# Note: URLs specified in olcSyncRepl directives are the servers URLs to replicate from.
# These must exactly match the URLs slapd listens on (-h in Command-Line Options).
# Otherwise slapd may attempt to replicate from itself, causing a loop.
(3) My slapd.conf file:
================
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
## database bdb
## suffix "dc=my-domain,dc=com"
## rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
## rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
## directory /usr/local/var/openldap-data
# Indices to maintain
## index objectClass eq
## added for multimaster replication (prior to running slapadd to create db):
database bdb
# suffix <DN of root of subtree you are trying to create>
suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootpw secret
# directory for index files
directory /usr/local/var/openldap-data
# specify which indices you want to build
index objectClass eq
# loglevel 64
I have these additional questions also, please:
* It's "refreshAndPersist" Provider Push replication I want to implement, not "refreshOnly" Consumer Poll Pull.
So in my mmr-servers.ldif file, can/should I change all the "refreshOnly" clauses in the Data Replication part to "refreshAndPersist"?
* In the above LDIF file, in both the Config Replication section and the Data Replication section, why does it add MirrorMode and set it to True?
It's N-Way Multi-Master replication I want to implement, not Mirror-Mode replication, so can/should I get rid of all those "Mirror Mode" clause statements?
Thank you once again.
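A hand-assembled cn=config LDIF like the one in this post is worth running through a structural pre-flight check before anything is loaded. The following Python script is an added example, not code from the original post or from the OpenLDAP project. It parses LDIF using the RFC 2849 rules (blank line between records, a line starting with one space continues the previous value, "#" comment lines, a bare "-" between the operations of a modify record) and reports the problems visible in the file above: the same DN appearing in more than one add record, "$URI1"/"${BACKEND}" template placeholders left unsubstituted, a modify record whose operations are not separated by a "-" line, a cleartext olcRootPW, and a syncrepl provider URL that is not one of the olcServerID listener URLs (the mismatch the LDIF's own closing note warns about). SAMPLE_LDIF is a constructed input in the shape of the post's file with made-up example.test hostnames. The slapadd error quoted at the top is a separate issue that a file-level check cannot see: slapadd(8) selects the target database with -n, and cn=config entries belong to database number 0, which is what the error message itself suggests.

```python
"""Pre-flight linter for a hand-assembled OpenLDAP cn=config LDIF (added example, RFC 2849 syntax)."""
import re
from collections import Counter

PLACEHOLDER = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")   # unsubstituted $URI1, ${BACKEND}, ...


def parse_ldif(text):
    """Split LDIF into records (lists of (attr, value) pairs); a bare '-' line is kept as ('-', '')."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):                  # comment line
            continue
        if not raw.strip():                      # blank line closes the record
            if current:
                records.append(current)
                current = []
        elif raw.startswith(" "):                # continuation of the previous value
            if not current:
                raise ValueError(f"continuation with nothing to continue: {raw!r}")
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif raw == "-":                         # separator between modify operations
            current.append(("-", ""))
        else:
            attr, sep, val = raw.partition(":")
            if not sep:
                raise ValueError(f"not an attribute line: {raw!r}")
            current.append((attr.strip(), val.strip()))
    if current:
        records.append(current)
    return records


def lint_config_ldif(text):
    """Return a list of findings; an empty list means nothing was detected."""
    findings, added, urls, providers = [], Counter(), set(), []
    for n, rec in enumerate(parse_ldif(text), 1):
        dn = rec[0][1]
        attrs = [(name.lower(), name, v) for name, v in rec[1:]]
        changetype = next((v.lower() for a, _, v in attrs if a == "changetype"), "add")
        if changetype == "add":                  # a DN can be added only once per file
            added[dn.lower()] += 1
        elif changetype == "modify":             # every operation after the first needs a '-' before it
            ops = sum(a in ("add", "replace", "delete") for a, _, _ in attrs)
            seps = sum(a == "-" for a, _, _ in attrs)
            if ops > seps + 1:
                findings.append(f"record {n} ({dn}): {ops} modify operations but {seps} '-' separators")
        for a, name, v in attrs:
            if PLACEHOLDER.search(v):
                findings.append(f"record {n} ({dn}): {name} still contains a template placeholder: {v}")
            if a == "olcrootpw" and not v.startswith("{"):
                findings.append(f"record {n} ({dn}): olcRootPW is cleartext; use a slappasswd(8) hash")
            if a == "olcserverid" and len(v.split()) == 2:
                urls.add(v.split()[1])
            prov = re.search(r"\bprovider=(\S+)", v) if a == "olcsyncrepl" else None
            if prov and not PLACEHOLDER.search(prov.group(1)):
                providers.append((n, dn, prov.group(1)))
    for dn, c in added.items():
        if c > 1:
            findings.append(f"{dn}: added {c} times in one file; later changes need 'changetype: modify'")
    for n, dn, url in providers:                 # a provider must be one of the listener URLs
        if urls and url not in urls:
            findings.append(f"record {n} ({dn}): provider {url} is not one of the olcServerID URLs")
    return findings


# Constructed sample in the shape of the post's file (hostnames are made up).
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: cn=config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.example.test
olcServerID: 2 ldap://ldap2.example.test

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
olcSyncRepl: rid=002 provider=ldap://ldap3.example.test binddn="cn=config" bindmethod=simple
add: olcMirrorMode
olcMirrorMode: TRUE
"""

if __name__ == "__main__":
    for finding in lint_config_ldif(SAMPLE_LDIF):
        print(finding)
```

Run with python3 and it prints five findings for the sample; for a real file call lint_config_ldif(open(path).read()). The olcServerID check deliberately collects only values that carry a URL, because in the N-Way form each server's listener URL is listed next to its ID and that list is what the syncrepl provider URLs have to match.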