Hello,

I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, but it's not working.

Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi-Master", I have created the following LDIF file and slapd.conf file, but when I run slapadd to create my config database it fails.

Could you please advise?

Thank you very much.

Fal

(1)  The slapadd command I execute, and the error message I get:
================================================
sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
[sudo] password for ubuntu11:
50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?
_                       2.58% eta   none elapsed            none spd   1.1 M/s
Closing DB...



(2)  My LDIF File, mmr-servers.ldif
=========================
# This sets up the config database:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# second and third servers will have a different olcServerID obviously:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 3

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# This sets up syncrepl as a provider (since these are all masters):
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: syncprov.la

# Now we setup the first Master Node
# (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
dn: cn=config
changetype: modify
replace: olcServerID
## olcServerID: 1 $URI1

olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com
## olcServerID: 2 $URI2
olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com
## olcServerID: 3 $URI3
olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
credentials=secret searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
credentials=secret searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
credentials=secret searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1

add: olcMirrorMode
olcMirrorMode: TRUE

# Now start up the Master and a consumer/s;
# also add the above LDIF to the first consumer, second consumer etc.
# It will then replicate cn=config.
# You now have N-Way Multimaster on the config database.

# We still have to replicate the actual data, not just the config;
# so add to the master
# (all active and configured consumers/masters will pull down this config,
# as they are all syncing).
# Also, replace all ${} variables with whatever is applicable to your setup:
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
olcDbDirectory: ./db
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited
olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Note: All of your servers' clocks must be tightly synchronized using e.g. NTP.
# Note: URLs specified in olcSyncRepl directives are the servers URLs to replicate from.
# These must exactly match the URLs slapd listens on (-h in Command-Line Options).
# Otherwise slapd may attempt to replicate from itself, causing a loop.



(3)  My slapd.conf file:
================
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################
## database     bdb
## suffix               "dc=my-domain,dc=com"
## rootdn               "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
## rootpw               secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
## directory    /usr/local/var/openldap-data
# Indices to maintain
## index        objectClass     eq

## added for multimaster replication (prior to running slapadd to create db):
database bdb
# suffix <DN of root of subtree you are trying to create>
suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootpw secret
# directory for index files
directory /usr/local/var/openldap-data
# specify which indices you want to build
index   objectClass     eq
# loglevel 64



I have these additional questions also, please:
*  It's "refreshAndPersist" Provider Push replication I want to implement, not "refreshOnly" Consumer Poll Pull.
So in my mmr-servers.ldif file, can/should I change all the "refreshOnly" clauses in the Data Replication part to "refreshAndPersist"?

*  In the above LDIF file, in both the Config Replication section and the Data Replication section, why does it add MirrorMode and set it to True?
It's N-Way Multi-Master replication I want to implement, not Mirror-Mode replication, so can/should I get rid of all those "Mirror Mode" clause statements?

Thank you once again.
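
Added example, not part of the original post: a small Python pre-flight check for a cn=config LDIF of the shape shown above. It reports a DN that appears as a content entry more than once, `$` placeholders left unsubstituted, an olcRootPW value with no `{SCHEME}` prefix (treated here as cleartext), and a simple-bind olcSyncRepl pointing at an `ldap://` provider with no `starttls` parameter. The rule names, the sample data and the host name are constructed for illustration.

```python
import re

# Constructed sample in the shape of the LDIF in the post (host name is made up).
SAMPLE = """\
dn: cn=config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcRootPW: secret

dn: cn=config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.example.com binddn="cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config"
olcSyncRepl: rid=002 provider=$URI2 bindmethod=simple starttls=critical
"""

def parse(text):
    """Yield records as lists of (attr, value), attr lowercased."""
    unfolded = re.sub(r"\n ", "", text)  # RFC 2849: newline + one space is a fold
    for block in re.split(r"\n[ \t]*\n", unfolded):
        lines = [l for l in block.splitlines() if ":" in l and not l.startswith("#")]
        if lines:
            yield [(a.strip().lower(), v.strip()) for a, v in (l.split(":", 1) for l in lines)]

def lint(text):
    """Return sorted (rule, dn) findings for a cn=config LDIF."""
    found, seen = set(), set()
    for rec in parse(text):
        dn = dict(rec).get("dn", "")
        if "changetype" not in dict(rec):  # content entry, not a change record
            if dn.lower() in seen:
                found.add(("duplicate-entry", dn))
            seen.add(dn.lower())
        for attr, val in rec:
            if "$" in val:
                found.add(("unsubstituted-placeholder", dn))
            if attr == "olcrootpw" and not val.startswith("{"):
                found.add(("cleartext-rootpw", dn))
            if attr == "olcsyncrepl":
                p = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', val))
                no_tls = p.get("provider", "").startswith("ldap://") and "starttls" not in p
                if p.get("bindmethod") == "simple" and no_tls:
                    found.add(("simple-bind-no-tls", dn))
    return sorted(found)
```

Calling `lint(open(path).read())` on a file before running slapadd returns the findings as `(rule, dn)` pairs; base64 (`attr::`) values are not decoded by this sketch.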