

Setup OpenLDAP Multi-Master Replication on CentOS 8
source link: https://computingforgeeks.com/setup-openldap-multi-master-replication-on-centos/

In the previous articles we covered how to install OpenLDAP on CentOS 8 and how to set up OpenLDAP Provider-Consumer replication. In this guide we cover master-master (provider-provider) replication, where both nodes accept writes and replicate them to each other.
OpenLDAP replicates with its LDAP Sync Replication engine (syncrepl). Multi-master is syncrepl run in both directions: each node loads the syncprov overlay so it can act as a provider, carries a syncrepl consumer definition pointed at the other node, and has MirrorMode enabled so that it accepts writes of its own.
Configure OpenLDAP Master-Master Replication on CentOS 8
Before we can proceed, we need to prepare our hosts. In our setup, we have the following hosts:
- ldapmaster.computingforgeeks.com – Existing OpenLDAP node
- ldapmaster02.computingforgeeks.com – New host that will be used as a second Provider.
Two databases replicate in this setup: the configuration database (cn=config) and the data database (the dc=ldapmaster,dc=computingforgeeks,dc=com suffix). Each gets its own syncrepl settings below.
Configure NTP synchronization
The servers' clocks must be synchronized. syncrepl orders changes by their change sequence numbers (CSNs), which are timestamps, so clock skew between the two nodes makes a newer change look older than it is and lose to a stale one. We use NTP for time synchronization; the article below covers how to set it up on CentOS 8.
How To Configure NTP Server Using Chrony on RHEL 8 / CentOS 8
Install and Configure OpenLDAP on CentOS 8
Follow the steps highlighted in the guide below to install and configure OpenLDAP directories on CentOS 8 for both servers.
Install and Configure OpenLDAP Server on CentOS 8
If you have an existing OpenLDAP instance and you would like to setup a parallel provider, you will have to create a backup of the existing OpenLDAP data and database then restore it on the new node that you are preparing.
Follow the steps below to create and restore a backup of OpenLDAP configurations:
Copy data and configuration files from the existing server to the new server.
Run one of the following on the existing server to dump the configuration database (cn=config). The two forms are equivalent: -b selects the database by suffix, -n 0 by number (the config database is always database 0):
slapcat -b cn=config -l openldap-config.ldif
slapcat -n 0 -l openldap-config.ldif
Create a backup of the OpenLDAP data (database 1; again the two forms are equivalent):
slapcat -n 1 -l openldap-data.ldif
slapcat -l openldap-data.ldif
Copy the dumps to the new server:
scp openldap-data.ldif openldap-config.ldif root@ldapmaster02.computingforgeeks.com:/opt
Copy the TLS certificate and key from the existing server. Note that this certificate was issued for ldapmaster. The syncrepl consumer on each node validates the peer's certificate according to TLS_CACERT and TLS_REQCERT in /etc/openldap/ldap.conf, so a certificate that names only ldapmaster will not validate when ldapmaster02 presents it unless it carries both hostnames as subject alternative names (or each node gets its own certificate from a CA both nodes trust).
scp /etc/pki/tls/ldapserver.{crt,key} root@ldapmaster02.computingforgeeks.com:/etc/pki/tls
Restore Configuration files on New Master server
Run the commands below on the new master to restore the configuration we just copied over in the above steps. Stop slapd on the new node first: slapadd writes the database files directly and must not run while slapd has them open.
sudo rm -rf /etc/openldap/slapd.d/*
sudo rm -rf /var/lib/openldap/*
The second path must be the directory named by olcDbDirectory in the restored configuration; check the config dump before wiping anything, and make sure the directory exists on the new node.
Restore the LDAP configuration database (the two forms are equivalent):
cd /opt
sudo slapadd -b cn=config -l openldap-config.ldif -F /etc/openldap/slapd.d/
#or
cd /opt && sudo slapadd -n 0 -l openldap-config.ldif -F /etc/openldap/slapd.d/
Restore OpenLDAP data:
cd /opt && sudo slapadd -n 1 -l openldap-data.ldif -F /etc/openldap/slapd.d/
Set the correct ownership on the configuration, the database directory and the TLS files (the private key should be readable by the ldap user only), then start slapd again:
sudo chown -R ldap:ldap /etc/openldap/slapd.d/ /var/lib/openldap/
sudo chown ldap:ldap /etc/pki/tls/ldapserver.{crt,key}
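The restore above is destructive (rm -rf, then slapadd into whatever directory the restored cn=config names), so it pays to inspect the dumps first. The script below is an added example, not part of the original article: it refuses empty or truncated dumps, counts the entries in each, and reads olcDbDirectory out of the config dump so you know which directory must exist and be owned by ldap on the new node before slapadd runs. Paths match the article; the sample LDIF it falls back to when run without arguments is constructed, not real slapcat output.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): sanity-check slapcat dumps
# before wiping and restoring on the new provider.
set -eu

# Number of entries in an LDIF file (every entry starts with a dn: line).
ldif_entry_count() {   # $1 = LDIF file
  grep -c '^dn:' "$1" || true
}

# Print "<index> <suffix> <directory>" for each database in a cn=config dump
# that has an on-disk directory, e.g. "1 dc=example,dc=com /var/lib/openldap".
config_databases() {   # $1 = config LDIF file
  awk '
    /^dn: olcDatabase=[{][0-9]+[}]/ {
      match($0, /olcDatabase=[{][0-9]+[}]/)
      idx = substr($0, RSTART + 13, RLENGTH - 14); suffix = ""; dir = ""
    }
    /^olcSuffix: /      { suffix = substr($0, 12) }
    /^olcDbDirectory: / { dir = substr($0, 17) }
    /^$/ { if (idx != "" && dir != "") print idx, suffix, dir; idx = "" }
    END  { if (idx != "" && dir != "") print idx, suffix, dir }
  ' "$1"
}

# restore_precheck <config dump> <data dump>: 0 only if both dumps hold entries.
restore_precheck() {
  local f cfg dat
  for f in "$1" "$2"; do
    [ -f "$f" ] || { echo "missing dump: $f" >&2; return 1; }
  done
  cfg=$(ldif_entry_count "$1")
  dat=$(ldif_entry_count "$2")
  if [ "$cfg" -eq 0 ] || [ "$dat" -eq 0 ]; then
    echo "refusing to restore: config entries=$cfg data entries=$dat" >&2
    return 1
  fi
  echo "config entries: $cfg, data entries: $dat"
  config_databases "$1" | while read -r idx suffix dir; do
    echo "database {$idx} ($suffix) will be loaded into $dir"
    [ -d "$dir" ] || echo "  note: $dir does not exist on this host; create it, owned by ldap, before slapadd" >&2
  done
}

if [ "$#" -eq 2 ]; then
  restore_precheck "$1" "$2"   # e.g. /opt/openldap-config.ldif /opt/openldap-data.ldif
else
  # Constructed sample dumps so the script runs offline.
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  cat > "$tmp/openldap-config.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=ldapmaster,dc=computingforgeeks,dc=com
olcDbDirectory: /var/lib/openldap

EOF
  cat > "$tmp/openldap-data.ldif" <<'EOF'
dn: dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: dcObject
objectClass: organization
dc: ldapmaster
o: computingforgeeks

dn: ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
objectClass: organizationalUnit
ou: people

EOF
  restore_precheck "$tmp/openldap-config.ldif" "$tmp/openldap-data.ldif"
fi
```

Run it on the new node as `restore_precheck.sh /opt/openldap-config.ldif /opt/openldap-data.ldif` before the rm -rf step; a zero count means the slapcat on the existing server did not dump what you expected.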
OpenLDAP Replication on CentOS 8
After a successful installation and restoration of configuration files on the two servers, we can now proceed to configuring replication.
Enable OpenLDAP Content Synchronization
We need to enable content synchronization between the two nodes (syncrepl replication) by loading the syncprov overlay module on both servers.
To do this, create an LDIF file with the contents below on both nodes, then update the config database. The LDIF assumes a cn=module{0} entry already exists (check with an ldapsearch for cn=module* under cn=config); if a node has none, create the entry with changetype: add and an olcModulePath pointing at the directory that holds syncprov.la instead.
# vim syncprov.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
Update the database:
ldapmodify -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
Define Server IDs
Every provider needs a unique server ID. The ID is embedded in the CSN of every change the node writes (the third field of entryCSN and contextCSN), which is how each node tells its own changes from its peer's. Listing every ID together with its URL, as below, lets one shared configuration work on both nodes: each slapd picks the ID whose URL matches its own listener. Create the LDIF and update the database:
# vim server-id.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 0 ldap://ldapmaster.computingforgeeks.com
olcServerID: 1 ldap://ldapmaster02.computingforgeeks.com
Update database:
ldapmodify -Y EXTERNAL -H ldapi:/// -f server-id.ldif
Remember to use your own hostnames for the server IDs above, and to use the scheme and fully qualified hostname that slapd actually listens on (the URL is matched against slapd's listener URLs); otherwise the node cannot identify itself and will not stamp its changes correctly.
Enable OpenLDAP Configuration Replication
The next step is to enable configuration replication on both nodes. To do this, create a file on each of the servers and add the content below then update their databases.
# vim syncprov-conf.ldif
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
Update the database:
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov-conf.ldif
Create a rootDN password
Set a rootDN password on the configuration database. Each node binds with it to pull cn=config from the other, and the config database itself replicates, so use the same password on both nodes. Create a password hash as below:
# slappasswd
New password: StR0ngP@ssWord
Re-enter new password: StR0ngP@ssWord
{SSHA}h3B6R1AyyeiAVuB2JZGfNaQ2RYysN
You should use a strong password of your choice to generate the hash.
Set the password using ldif file:
# vim rootdn.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}h3B6R1AyyeiAVuB2JZGfNaQ2RYysN
Update the database on each node (this modifies olcDatabase={0}config; its default rootDN is cn=config, which is the identity used for config replication below):
ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdn.ldif
Add the configuration file below on each node to enable configuration replication between the nodes. Remember to update the hostnames and credentials to match your environment. Each olcSyncRepl value is one long value folded across several lines: continuation lines start with two spaces (LDIF strips the first space when unfolding, the second keeps the parameters apart). Two caveats: the password is stored in clear text in cn=config, so keep /etc/openldap/slapd.d readable by the ldap user only; and the provider URLs use ldaps://, so the certificate each node presents must validate on the other according to the client TLS settings in /etc/openldap/ldap.conf.
# vim replication.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://ldapmaster.computingforgeeks.com
  binddn="cn=config" bindmethod=simple credentials="StR0ngP@ssWord"
  searchbase="cn=config" type=refreshAndPersist
  timeout=0 network-timeout=0 retry="30 5 300 +"
olcSyncRepl: rid=002 provider=ldaps://ldapmaster02.computingforgeeks.com
  binddn="cn=config" bindmethod=simple credentials="StR0ngP@ssWord"
  searchbase="cn=config" type=refreshAndPersist
  timeout=0 network-timeout=0 retry="30 5 300 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
Update the ldap database on each node:
ldapmodify -Y EXTERNAL -H ldapi:/// -f replication.ldif
Enable Database Replication for OpenLDAP
Enable database replication across the two nodes by adding the following configuration to the database on both nodes
# vim db-sync.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionlog: 100
Update the database:
ldapadd -Y EXTERNAL -H ldapi:/// -f db-sync.ldif
Add equality indexes on entryCSN and entryUUID; syncrepl searches on both attributes constantly, so without them every refresh scans the whole database:
# vim indexes.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
Update databases:
ldapmodify -Y EXTERNAL -H ldapi:/// -f indexes.ldif
Define database replication options on all nodes. The rid values continue from the ones used for cn=config, because a rid must be unique across all syncrepl definitions on a server. The binddn here is the data database's rootDN (cn=admin,...) with the password set in the install guide; a rootDN bind bypasses access controls, so in production prefer a dedicated replication account that is granted read access to the whole suffix, including userPassword and the operational attributes, and nothing more.
# vim db_options.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldaps://ldapmaster.computingforgeeks.com
  binddn="cn=admin,dc=ldapmaster,dc=computingforgeeks,dc=com" bindmethod=simple
  credentials="StR0ngP@ssW0rd"
  searchbase="dc=ldapmaster,dc=computingforgeeks,dc=com" type=refreshAndPersist
  timeout=0 network-timeout=0 retry="30 5 300 +"
olcSyncRepl: rid=004 provider=ldaps://ldapmaster02.computingforgeeks.com
  binddn="cn=admin,dc=ldapmaster,dc=computingforgeeks,dc=com" bindmethod=simple
  credentials="StR0ngP@ssW0rd"
  searchbase="dc=ldapmaster,dc=computingforgeeks,dc=com" type=refreshAndPersist
  timeout=0 network-timeout=0 retry="30 5 300 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
Update database:
ldapmodify -Y EXTERNAL -H ldapi:/// -f db_options.ldif
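The two olcSyncRepl modifications above (one for cn=config, one for the data database) are the same shape and share the same pitfalls: a rid repeated anywhere on the server, a continuation line with a single leading space that glues "provider=..." to "bindmethod=...", and a password pasted into a file that ends up in shell history. The script below is an added example, not part of the original article: it generates both modifications from a list of provider URIs, numbers the rids so none repeats, folds each value with two-space continuation lines, unfolds the result the way slapd will and checks the rids before anything is fed to ldapmodify. Hostnames and DNs are the article's; the password file path is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): generate the syncrepl /
# MirrorMode LDIF for both databases and verify it before applying.
set -eu

# gen_syncrepl <database dn> <first rid> <binddn> <searchbase> <password> <provider uri>...
# One olcSyncRepl value per provider, folded onto lines that start with TWO
# spaces: LDIF unfolding removes the first space, the second stays as separator.
gen_syncrepl() {
  local dbdn=$1 rid=$2 binddn=$3 searchbase=$4 pw=$5 uri
  shift 5
  printf '%s\n' "dn: $dbdn" 'changetype: modify' 'add: olcSyncRepl'
  for uri in "$@"; do
    printf 'olcSyncRepl: rid=%03d provider=%s\n' "$rid" "$uri"
    printf '  bindmethod=simple binddn="%s"\n' "$binddn"
    printf '  credentials="%s"\n' "$pw"
    printf '  searchbase="%s"\n' "$searchbase"
    printf '  type=refreshAndPersist timeout=0 network-timeout=0\n'
    printf '  retry="30 5 300 +"\n'
    rid=$((rid + 1))
  done
  printf '%s\n' '-' 'add: olcMirrorMode' 'olcMirrorMode: TRUE'
}

# gen_all <password> <provider uri>...: modifications for the config database
# (rids 001..) and the data database (rids continuing after those).
gen_all() {
  local pw=$1; shift
  gen_syncrepl 'olcDatabase={0}config,cn=config' 1 'cn=config' 'cn=config' "$pw" "$@"
  echo
  gen_syncrepl 'olcDatabase={1}mdb,cn=config' $((1 + $#)) \
    'cn=admin,dc=ldapmaster,dc=computingforgeeks,dc=com' \
    'dc=ldapmaster,dc=computingforgeeks,dc=com' "$pw" "$@"
}

# Unfold LDIF continuation lines (RFC 2849): a line starting with one space is
# appended to the previous line with that space removed.
ldif_unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" } { printf "%s", $0 }
       END { printf "\n" }'
}

# check_rids: fail if any rid appears twice in the unfolded LDIF on stdin.
check_rids() {
  if grep -o 'rid=[0-9][0-9][0-9]' | sort | uniq -d | grep -q .; then
    echo 'duplicate rid found' >&2
    return 1
  fi
}

# Assumed location of the bind password (mode 0600, owned by root); a
# placeholder is used so the script runs offline without it.
PWFILE=${SYNCREPL_PWFILE:-/etc/openldap/syncrepl.pw}
if [ -r "$PWFILE" ]; then PW=$(cat "$PWFILE"); else PW='replace-me'; fi

LDIF=$(gen_all "$PW" \
  ldaps://ldapmaster.computingforgeeks.com ldaps://ldapmaster02.computingforgeeks.com)
printf '%s\n' "$LDIF" | ldif_unfold | check_rids
printf '%s\n' "$LDIF"   # pipe into: ldapmodify -Y EXTERNAL -H ldapi:///
```

The same password is used for both databases here only to keep the example short; keep a separate password for the data-database bind if, as in the article, the two rootDNs differ.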
At this point replication is configured across the two nodes and both can be used as masters: updates can be written on either node and replicate to the other. Note that MirrorMode gives convergence, not conflict resolution. If the same entry is modified on both nodes at about the same time, the change with the newer CSN wins on both and the other is lost, so in practice direct writes to one node at a time (for example through a load balancer with a single active backend) and treat the other as a hot standby.
Testing OpenLDAP Multi-Master Replication
The last step is to verify that our configuration is working correctly. To do this, we will modify a user password from one node and see if we can authenticate with the new password on the other node. We will also try the inverse and see if it also works.
We have the following user:
uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
We can modify the password on ldapmaster.computingforgeeks.com
[root@ldapmaster ~]# ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com"
Enter the new password on the prompt.
New password: N3wP@ssw0rd
Re-enter new password: N3wP@ssw0rd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
Verify the password on ldapmaster02.computingforgeeks.com:
Verify the new password on ldapmaster02.computingforgeeks.com by binding to that node itself, over its local ldapi:/// socket so the password does not cross the network in clear text. (Pointing this check at ldapmaster would only exercise the node you just changed.)
[root@ldapmaster02 ~]# ldapwhoami -x -H ldapi:/// -D "uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com" -W
You will be prompted for the password. If the change has replicated, the output is the DN of the user:
Enter LDAP Password: N3wP@ssw0rd
dn:uid=vshamallah,ou=people,dc=ldapmaster,dc=computingforgeeks,dc=com
Similarly, if you do the same thing in reverse where you reset the password on ldapmaster02.computingforgeeks.com, then verify from ldapmaster.computingforgeeks.com, you should get the same output.
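The password test shows replication working for one entry. A direct check of replication state is to compare the contextCSN attribute on the suffix entry of both nodes: each provider stamps its changes with its own serverID, so a converged pair shows an identical CSN for every serverID on both nodes, while a node that is behind shows an older timestamp, or no value at all, for its peer's ID. The script below is an added example, not part of the original article: it reduces ldapsearch output to serverID/timestamp pairs and compares them, calling ldapsearch only when two URIs are given on the command line and otherwise running on constructed sample output. The suffix and hostnames are the article's.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): compare contextCSN across the
# two providers to see whether they have converged.
set -eu
SUFFIX='dc=ldapmaster,dc=computingforgeeks,dc=com'

# Reduce LDIF from "ldapsearch -s base contextCSN" on stdin to "<sid> <timestamp>"
# lines, one per serverID. A contextCSN value looks like
# 20200413101501.923212Z#000000#001#000000  (time # count # serverID # mod).
csn_by_sid() {
  awk -F': ' '/^contextCSN: / { n = split($2, f, "#"); if (n == 4) print f[3], f[1] }' | sort
}

# Anonymous base search for the suffix's contextCSN; add -D/-W if your ACLs
# do not allow anonymous reads of operational attributes.
fetch_csn() {   # $1 = LDAP URI, e.g. ldaps://ldapmaster02.computingforgeeks.com
  ldapsearch -LLL -x -H "$1" -b "$SUFFIX" -s base contextCSN
}

# compare_csn <ldif from node A> <ldif from node B>: 0 if every serverID carries
# the same CSN on both nodes, 1 otherwise.
compare_csn() {
  local a b
  a=$(printf '%s\n' "$1" | csn_by_sid)
  b=$(printf '%s\n' "$2" | csn_by_sid)
  if [ "$a" = "$b" ]; then
    echo "in sync: $(printf '%s\n' "$a" | wc -l | tr -d ' ') serverID(s) agree"
    return 0
  fi
  printf 'out of sync\n node A:\n%s\n node B:\n%s\n' "$a" "$b"
  return 1
}

if [ "$#" -eq 2 ]; then
  compare_csn "$(fetch_csn "$1")" "$(fetch_csn "$2")"
else
  # Constructed sample output (not captured from a real server). A and B agree;
  # LAG still has an older CSN for serverID 001, i.e. it has not yet received
  # ldapmaster02's latest change.
  A='dn: dc=ldapmaster,dc=computingforgeeks,dc=com
contextCSN: 20200413101501.923212Z#000000#000#000000
contextCSN: 20200413101715.004511Z#000000#001#000000'
  B='dn: dc=ldapmaster,dc=computingforgeeks,dc=com
contextCSN: 20200413101501.923212Z#000000#000#000000
contextCSN: 20200413101715.004511Z#000000#001#000000'
  LAG='dn: dc=ldapmaster,dc=computingforgeeks,dc=com
contextCSN: 20200413101501.923212Z#000000#000#000000
contextCSN: 20200413100900.119876Z#000000#001#000000'
  compare_csn "$A" "$B"
  compare_csn "$A" "$LAG" || echo "(expected: the second node lags serverID 001)"
fi
```

Run it as `csn_check.sh ldaps://ldapmaster.computingforgeeks.com ldaps://ldapmaster02.computingforgeeks.com` right after a write; with refreshAndPersist the two outputs should match within seconds, and a serverID that stays behind points at the syncrepl stanza for that peer (credentials, TLS validation or a wrong rid).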
That marks the end of our guide. Thanks for following through.