Hi,
I am currently working on trying to configure replication between 2 ldap servers. Here is my current setup....
2 servers, ldap01 and ldap02, both running centos 5.2 x86_64 with openldap2.4 installed from http://staff.telkomsa.net/packages/rhel5/openldap/x86_64/
openldap2.4-servers-2.4.11-1.rhel5
my slapd.conf on ldap01 is:
modulepath /usr/lib64/openldap2.4
moduleload syncprov.la
TLSCertificateFile /etc/ssl/openldap2.4/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap2.4/ldap.pem
TLSCACertificateFile /etc/ssl/openldap2.4/ldap.pem
loglevel 32 256 1024
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200
slapd.conf on ldap02 is:
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
referral ldaps://ldap01/
syncrepl rid=123
    provider=ldaps://ldap01/
    type=refreshAndPersist
    searchbase="dc=example,dc=net"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=manager,dc=example,dc=net"
    attrs="*"
    credentials=
This appears to work, but it seems that after some time the replication stops working, and I'm not seeing anything in the logs either.
Also with this setup, given a situation where ldap01 died and ldap02 took over, when I brought ldap01 back online, would configuration changes need to be made to ensure any changes that were made to ldap02 were replicated back properly, or am I not using the proper replication technique for this situation? I'm still a bit new to OpenLDAP so I apologize if I explained anything incorrectly. My end goal is to have 2 ldap servers in place where in the event of a failure the secondary could take over and when the primary is restored, have it fail back over without any loss of changes.
- Justin Lintz
Sorry I just realized those configurations were incomplete
ldap01:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema
include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
modulepath /usr/lib64/openldap2.4
moduleload syncprov.la
TLSCertificateFile /etc/ssl/openldap2.4/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap2.4/ldap.pem
TLSCACertificateFile /etc/ssl/openldap2.4/ldap.pem
loglevel 32 256 1024
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200
ldap02:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema
include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
modulepath /usr/lib64/openldap2.4
moduleload syncprov.la
TLSCertificateFile /etc/ssl/openldap2.4/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap2.4/ldap.pem
TLSCACertificateFile /etc/ssl/openldap2.4/ldap.pem
loglevel 32 256 1024
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
limits group="cn=Replicator,ou=Group,dc=example,dc=com" size=unlimited time=unlimited
referral ldaps://ldap01.sec.example.net/
syncrepl rid=123
    provider=ldaps://ldap01.sec.example.net/
    type=refreshAndPersist
    searchbase="dc=example,dc=net"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=manager,dc=example,dc=net"
    attrs="*"
    credentials=
- Justin Lintz
On Tue, Dec 9, 2008 at 4:45 PM, Justin Lintz jlintz@gmail.com wrote:
--On Tuesday, December 09, 2008 4:45 PM -0500 Justin Lintz jlintz@gmail.com wrote:
Hi,
I am currently working on trying to configure replication between 2 ldap servers. Here is my current setup....
slapd.conf on ldap02 is:
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
referral ldaps://ldap01/
syncrepl rid=123
    provider=ldaps://ldap01/
    type=refreshAndPersist
    searchbase="dc=example,dc=net"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=manager,dc=example,dc=net"
    attrs="*"
    credentials=
You should specify an attrs= line unless you know what you're doing. You should just leave it empty and accept the default (which is "*,+" btw). Right now you are excluding all the operational attrs, so it loses its ability to track where it is at replication wise. If you can identify where you got the idea to use that line, that'd be great so we can kill it, unless of course it came from offsite documentation.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
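The operational attribute the consumer uses to track its position is contextCSN on the suffix entry, and it only appears in an ldapsearch result when requested explicitly (e.g. `ldapsearch -x -H ldaps://ldap01/ -b dc=example,dc=net -s base contextCSN`). The following script is an added example, not from this thread: it parses the LDIF output of such a search from the provider and the consumer and reports how far the consumer lags, so a silent replication stall like the one described above shows up in monitoring. The LDIF samples are constructed for the example; the function and variable names are the example's own.

```python
"""Compare provider and consumer contextCSN values to detect stalled syncrepl."""
import re
from datetime import datetime, timezone

# OpenLDAP 2.4 CSN layout: <UTC time>.<usec>Z#<count>#<sid>#<mod>, hex fields.
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

def parse_csn(csn):
    """Split a CSN into (aware UTC datetime, change count, server id, modcount)."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("not a contextCSN: %r" % csn)
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        microsecond=int(m.group(2)), tzinfo=timezone.utc)
    return ts, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)

def context_csns(ldif):
    """Collect contextCSN values from ldapsearch LDIF output, keyed by server id."""
    csns = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            value = line.split(":", 1)[1].strip()
            csns[parse_csn(value)[2]] = value
    return csns

def replication_lag(provider_ldif, consumer_ldif):
    """Per server id: seconds the consumer trails the provider, or None if the
    consumer has no contextCSN for that sid (it has lost track of its position)."""
    prov, cons = context_csns(provider_ldif), context_csns(consumer_ldif)
    lag = {}
    for sid, pcsn in prov.items():
        if sid not in cons:
            lag[sid] = None
            continue
        lag[sid] = (parse_csn(pcsn)[0] - parse_csn(cons[sid])[0]).total_seconds()
    return lag

# Constructed sample output of a base-scope search for contextCSN on each server.
PROVIDER_LDIF = "dn: dc=example,dc=net\ncontextCSN: 20081210014500.123456Z#000000#000#000000\n"
CONSUMER_LDIF = "dn: dc=example,dc=net\ncontextCSN: 20081210013500.123456Z#000000#000#000000\n"

if __name__ == "__main__":
    for sid, seconds in replication_lag(PROVIDER_LDIF, CONSUMER_LDIF).items():
        state = "no contextCSN on consumer" if seconds is None else "%.0f s behind" % seconds
        print("sid %03x: %s" % (sid, state))
```

A consumer that returns no contextCSN at all, or one that stays fixed while the provider's advances, is the symptom to alert on.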
--On Tuesday, December 09, 2008 6:05 PM -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
You should specify an attrs= line unless you know what you're doing. You
s/should/should NOT/
:)
--Quanah
openldap-technical@openldap.org