Configure Delta-Syncrepl
Learn how to configure Delta-Syncrepl, a replication mechanism in LDAP, allowing you to synchronize changes between LDAP servers and ensuring data consistency.
Date: 01-13-2022

Using slapd.conf
Configure the Producer Server
Create a slapd.conf file: copy slapd.conf.default to slapd.conf and edit it. Adjust credentials, URIs and directory paths as necessary. The file holds the replication password in clear text, so keep it owned by the user slapd runs as and readable by no one else (mode 0600).

cp /opt/symas/etc/openldap/slapd.conf.default \
   /opt/symas/etc/openldap/slapd.conf
vi /opt/symas/etc/openldap/slapd.conf

1. In the global section include the following:

SyncProv and Accesslog Modules
moduleload     syncprov.la
moduleload     accesslog.la

2. In the mdb database section include the following:

Indexing
index entryCSN,entryUUID eq

SyncProv and Accesslog Overlays
overlay        syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
overlay        accesslog
logdb          cn=accesslog
logops         writes
logsuccess     TRUE
logpurge       24:00 01+00:00

syncprov-checkpoint writes the contextCSN to the database after every 100 operations or 10 minutes, and syncprov-sessionlog keeps the last 10000 operations in memory so that a reconnecting consumer can be sent only what it missed. The accesslog overlay records every successful write (logops writes, logsuccess TRUE) in the cn=accesslog database. logpurge 24:00 01+00:00 deletes log entries older than one day and runs that purge every 24 hours; a consumer that has been disconnected for longer than the purge age can no longer be caught up from the log and falls back to a full (non-delta) refresh, so set the age to cover the longest outage you expect.

3. Create a new database section above the Monitor Database section that includes the following:

Accesslog database
database       mdb
rootdn         "cn=config"
directory      /var/symas/openldap-data/accesslog
maxsize        5120000
suffix         "cn=accesslog"
index default eq
index objectClass
index entryCSN
index reqDN,reqEnd,reqResult,reqStart

maxsize is the mdb map size in bytes; 5120000 is about 5 MB, enough for a test system but not for a busy directory, so size it for the writes you expect within the purge window. The identity the consumer binds with (the binddn in its syncrepl stanza) must be able to read this database. With no access directives at all slapd's default policy is read access for everyone, which would let any client, anonymous included, read the log and the attribute values it records (password hashes among them); add an access directive to this database section that grants read to the consumer's binddn and nothing to anyone else.

4. Define the syncprov overlay for the Accesslog database:

overlay        syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

Save changes and quit: ESC :wq

5. Create a new database directory to match the configuration setting, owned by the user slapd runs as:

mkdir /var/symas/openldap-data/accesslog

Configure the Consumer server
Adjust credentials, URIs and directory paths as necessary.

vi /opt/symas/etc/openldap/slapd.conf

1. In the global section include the following:

Back_LDAP Module
moduleload      back_ldap.la

Chain Overlay
overlay chain
chain-url "ldap://producer.ldap/"
chain-idassert-bind
    bindmethod="simple"
    binddn="dc=example,dc=com"
    credentials="secret"
    mode="self"
chain-return-error TRUE

The chain overlay lets the consumer forward a client's write to the produc­er instead of handing the client the referral set by updateref. With mode="self" the forwarded operation carries a proxy authorization for the identity the client bound as, so binddn must be allowed to proxy-authorize on the producer: the producer's rootdn always is, and any other identity needs an authz-policy and a matching authzTo or authzFrom rule there. The indented lines are continuations of the chain-idassert-bind directive (slapd.conf treats a line that starts with whitespace as part of the previous line).

2. In the database section include the following:

Indexing
index entryCSN,entryUUID eq

Syncrepl
syncrepl
 rid=1
 provider="ldap://producer.ldap/"
 binddn="dc=example,dc=com"
 credentials=secret
 bindmethod=simple
 searchbase="dc=example,dc=com"
 type=refreshAndPersist
 retry="60 +"
 logbase="cn=accesslog"
 logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
 syncdata=accesslog
 schemachecking=on
 network-timeout=30
 keepalive=180:3:60

logbase, logfilter and syncdata=accesslog are what make this stanza delta-syncrepl: the consumer reads the records of successful writes from the producer's cn=accesslog and replays them instead of comparing whole entries. Without those three parameters the same stanza is plain syncrepl. rid must be unique among the syncrepl stanzas on this server, and retry="60 +" retries a lost connection every 60 seconds indefinitely.

Update Referral
updateref     "ldap://producer.ldap/"

Save changes and quit: ESC :wq

3. Run slapindex on both VMs, with slapd stopped and as the user slapd runs as, so that the index files are not created owned by root:
slapindex -q -f /opt/symas/etc/openldap/slapd.conf

4. Run slaptest on the slapd.conf file on both VMs to test for potential failures before starting the slapd daemon:
slaptest -f /opt/symas/etc/openldap/slapd.conf -d stats,sync

5. Start slapd on both VMs:
service slapd start
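Once slapd is running on both servers it helps to look at the accesslog the way the consumer does. The script below is an added example, not code from the Symas page: it applies the consumer's logfilter to a constructed accesslog sample (standing in for ldapsearch output from producer.ldap) and lists which records the logpurge setting removes at a given cutoff time. The sample entries, the cutoff and the bind DN are assumptions chosen to match the configuration above; the same check applies to the slapd.d form of the setup.

```shell
#!/bin/sh
# Added example, not code from the Symas page: reads cn=accesslog the way a
# delta-syncrepl consumer does. SAMPLE is a constructed stand-in for the output of
#   ldapsearch -LLL -x -H ldap://producer.ldap -D "dc=example,dc=com" -W \
#     -b cn=accesslog '(objectClass=auditWriteObject)' \
#     objectClass reqStart reqType reqDN reqResult
# Four logged writes: two successful changes to alice, one failed (reqResult 50,
# insufficientAccess) change to bob, and a successful delete from the day before.
set -eu

SAMPLE='dn: reqStart=20220113140000.000001Z,cn=accesslog
objectClass: auditAdd
objectClass: auditWriteObject
reqStart: 20220113140000.000001Z
reqType: add
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20220113140500.000001Z,cn=accesslog
objectClass: auditModify
objectClass: auditWriteObject
reqStart: 20220113140500.000001Z
reqType: modify
reqDN: uid=bob,ou=people,dc=example,dc=com
reqResult: 50

dn: reqStart=20220113141000.000001Z,cn=accesslog
objectClass: auditModify
objectClass: auditWriteObject
reqStart: 20220113141000.000001Z
reqType: modify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20220112090000.000001Z,cn=accesslog
objectClass: auditDelete
objectClass: auditWriteObject
reqStart: 20220112090000.000001Z
reqType: delete
reqDN: uid=carol,ou=people,dc=example,dc=com
reqResult: 0'

# Apply the consumer's logfilter (&(objectClass=auditWriteObject)(reqResult=0))
# to LDIF on stdin. Paragraph mode (RS="") makes each blank-line-separated
# entry one record. Prints "reqStart reqType reqDN" for every write the
# consumer would replay; failed writes are logged but never replayed.
filter_replayable() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        write = 0; ok = 0; start = ""; type = ""; dn = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, ": ")
            if (kv[1] == "objectClass" && kv[2] == "auditWriteObject") write = 1
            if (kv[1] == "reqResult" && kv[2] == "0") ok = 1
            if (kv[1] == "reqStart") start = kv[2]
            if (kv[1] == "reqType") type = kv[2]
            if (kv[1] == "reqDN") dn = kv[2]
        }
        if (write && ok) print start, type, dn
    }'
}

# Records whose reqStart is older than $1 (a generalizedTime such as
# 20220113000000.000000Z, i.e. "now" minus the logpurge age) are what the
# next purge run deletes. reqStart is a fixed-width UTC timestamp, so a plain
# string comparison orders it correctly.
purge_candidates() {
    awk -v cutoff="$1" 'BEGIN { RS = ""; FS = "\n" }
    {
        start = ""
        for (i = 1; i <= NF; i++)
            if (index($i, "reqStart: ") == 1) start = substr($i, 11)
        if (start != "" && start < cutoff) print start
    }'
}

replayable_count() { printf '%s\n' "$SAMPLE" | filter_replayable | awk 'END { print NR }'; }
purge_count()      { printf '%s\n' "$SAMPLE" | purge_candidates "$1" | awk 'END { print NR }'; }

echo "writes the consumer will replay:"
printf '%s\n' "$SAMPLE" | filter_replayable
echo "records older than 20220113000000.000000Z, i.e. purged once the log is a day old:"
printf '%s\n' "$SAMPLE" | purge_candidates 20220113000000.000000Z
```

Against a live producer, pipe the ldapsearch output shown in the header comment into filter_replayable instead of SAMPLE. If the oldest reqStart a consumer still needs is older than what purge_candidates reports as deleted, that consumer will not be able to catch up from the log and will do a full refresh on its next connection.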
Using slapd.d
This requires the cn=config database to be configured with a rootpw. In the examples below the rootdn is cn=config and the rootpw is secret. Each ldapmodify or ldapadd command reads the LDIF shown under it from standard input (finish with Ctrl-D), or save the LDIF to a file and pass it with -f. Giving the password with -w exposes it in the process list and shell history; -W prompts for it and -y reads it from a file. Changes made this way take effect in the running slapd immediately and are written to slapd.d. The secrets in olcSyncrepl and olcDbIDAssertBind are stored there in clear text, so keep slapd.d readable only by the user slapd runs as.

Configure the Producer server
Adjust credentials, URIs and directory paths as necessary.

1. In the cn=config section include the SyncProv and Accesslog Modules:

ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: syncprov.la
-
add: olcModuleload
olcModuleload: accesslog.la

2. In the Database={1}mdb section include the following:

Indexing
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

SyncProv Overlay
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 10000

3. Create the accesslog database directory, owned by the user slapd runs as. It must exist before the database entry is added, because slapd opens the mdb environment as soon as it accepts the entry and rejects the add if the directory is missing:

mkdir /var/symas/openldap-data/accesslog

4. Create a new database that includes the following:

Accesslog database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcSuffix: cn=accesslog
olcRootDN: cn=config
olcDbDirectory: /var/symas/openldap-data/accesslog
olcAddContentAcl: FALSE
olcDbIndex: default eq
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: reqDN eq
olcDbIndex: reqStart eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbMaxEntrySize: 0
olcDbMaxReaders: 0
olcDbMaxSize: 5120000
olcDbMode: 0600
olcDbMultivalHi: 4294967295
olcDbMultivalLo: 4294967295
olcDbNoSync: FALSE
olcDbRtxnSize: 10000
olcDbSearchStack: 16
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: TRUE
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE

olcDbMaxSize is the mdb map size in bytes (5120000 is about 5 MB); size it for the write volume you expect within the purge window. Most of the other olcDb* attributes are the defaults and may be omitted. As with the slapd.conf form, the consumer's binddn must be able to read this database, and with no olcAccess values slapd's default policy gives everyone read access to it, so add an olcAccess rule that restricts it to the replication identity.

5. Define only the syncprov overlay for the Accesslog database:

ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

6. Add the Accesslog Overlay to Database={1}mdb:

ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
olcOverlay: {0}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 24:00 1+00:00

Configure the Consumer server
Adjust credentials, URIs and directory paths as necessary.

1. In cn=module include the following:

Back_LDAP Module
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: back_ldap.la

2. In the Database={-1}frontend include the following:

Chaining Overlay
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcChainConfig
objectClass: olcOverlayConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcChainDatabase
objectClass: olcLDAPConfig
olcDatabase: {0}ldap
olcDbURI: "ldap://producer.ldap"
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="dc=example,dc=com" credentials="secret" keepalive=0:0:0
olcDbCancel: abandon
olcDbChaseReferrals: TRUE
olcDbConnectionPoolMax: 16
olcDbKeepalive: 0:0:0
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: FALSE
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbSingleConn: FALSE
olcDbStartTLS: none starttls=no
olcDbTFSupport: no
olcDbUseTemporaryConn: FALSE

The two entries are separated by a blank line so that one ldapadd adds both; the overlay entry must exist before the olcDatabase={0}ldap entry beneath it. olcDbIDAssertBind is a single attribute value and must stay on one line (or use LDIF continuation lines, which start with a space). As in the slapd.conf form, mode=self forwards each write to the producer with a proxy authorization for the client's own identity, so binddn must be permitted to proxy-authorize there; the producer's rootdn always is. Most of the remaining olcDb* attributes are the back-ldap defaults and may be omitted.

3. In the Database={1}mdb section include the following:

Indexing
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

Syncrepl
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://producer.ldap bindmethod=simple binddn="dc=example,dc=com" credentials="secret" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog schemachecking=on network-timeout=30 keepalive=180:3:60

olcSyncrepl is likewise one attribute value on one line. logbase, logfilter and syncdata=accesslog are the parameters that make it delta-syncrepl.

Update Referral
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcUpdateRef
olcUpdateRef: ldap://producer.ldap/

4. Run slaptest against slapd.d on both VMs to test for potential failures before the next restart of the slapd daemon (the ldapmodify changes above are already live):
slaptest -F /opt/symas/etc/openldap/slapd.d -d stats,sync
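Both forms of this setup leave the replication and chaining passwords in clear text on disk: slapd.conf carries credentials= and rootpw, and slapd.d carries them in the olcSyncrepl, olcDbIDAssertBind and olcRootPW values written above. The script below is an added example, not code from the Symas page: it lists every file under a directory that holds such a value and is readable by group or other, exercised against a constructed throwaway tree that imitates the /opt/symas/etc/openldap layout (the layout and the file contents are assumptions made for the demonstration).

```shell
#!/bin/sh
# Added example, not code from the Symas page. Both configuration styles keep the
# replication and chaining passwords in clear text: slapd.conf has credentials=...
# and rootpw, slapd.d has them inside olcSyncrepl, olcDbIDAssertBind and olcRootPW.
# This reports any such file that group or other can read. The directory layout
# used for the demonstration is an assumption modelled on /opt/symas/etc/openldap.
set -eu

# Print every regular file under $1 that is group- or world-readable and carries
# a credentials= parameter or a rootpw/olcRootPW value. -perm -040 and -perm -004
# are the POSIX octal spellings of "group readable" and "other readable".
exposed_credential_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -i -E 'credentials=|rootpw' {} + 2>/dev/null | sort
}

# Build a throwaway tree with constructed contents (not a real installation)
# covering the cases a scan meets: a correctly restricted slapd.conf, a
# world-readable olcDatabase={1}mdb.ldif holding the olcSyncrepl password, and a
# readable file without secrets. Prints the tree's path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/slapd.d/cn=config"
    printf 'rootpw secret\nsyncrepl rid=1 credentials=secret\n' > "$d/slapd.conf"
    chmod 600 "$d/slapd.conf"
    printf 'olcSyncrepl: rid=001 provider=ldap://producer.ldap credentials="secret"\n' \
        > "$d/slapd.d/cn=config/olcDatabase={1}mdb.ldif"
    chmod 644 "$d/slapd.d/cn=config/olcDatabase={1}mdb.ldif"
    printf 'olcLogLevel: stats\n' > "$d/slapd.d/cn=config.ldif"
    chmod 644 "$d/slapd.d/cn=config.ldif"
    printf '%s\n' "$d"
}

# The one finding the constructed tree should produce.
expected_finding() { printf '%s/slapd.d/cn=config/olcDatabase={1}mdb.ldif\n' "$1"; }

tree=$(demo_tree)
echo "files exposing a directory password:"
exposed_credential_files "$tree"
rm -rf "$tree"
```

On a real server run exposed_credential_files /opt/symas/etc/openldap as root. Anything it prints should be mode 0600 and owned by the user slapd runs as, and the slapd.d directory itself should not be traversable by others. The same values are also readable over LDAP by anyone who can bind as cn=config, which is one more reason the cn=config rootpw should not stay at the value used in these examples.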
Multi-Master Replication (MMR) Using slapd.conf
Configure the First Producer server
Adjust credentials, URIs and directory paths as necessary. In multi-master (multi-provider) replication each server is both a provider and a consumer of the other, so each carries the syncprov and accesslog setup of the producer above plus a syncrepl stanza pointing at its peer.

vi /opt/symas/etc/openldap/slapd.conf

1. In the global section include the following:

Server ID (place as the first line of the file)
serverid        001        ldap://producer.ldap/

Each server needs a distinct, non-zero serverid; it is embedded in every CSN the server generates and is how the peers tell their changes apart. When a URL is given it must match one of the URLs this slapd listens on (its -h argument), otherwise slapd cannot work out which ID is its own and its CSNs will not carry it; if in doubt, give only the number.

SyncProv and Accesslog Modules
moduleload      syncprov.la
moduleload      accesslog.la

2. In the mdb database section include the following:

Indexing
index entryCSN,entryUUID eq

Syncrepl
syncrepl
  rid=1
  provider="ldap://consumer.ldap/"
  binddn="dc=example,dc=com"
  credentials=secret
  bindmethod=simple
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
  schemachecking=on
  network-timeout=30
  keepalive=180:3:60
mirrormode     TRUE

mirrormode must start in the first column: an indented line is read as a continuation of the syncrepl directive and rejected as an unknown syncrepl parameter. Without mirrormode a database with a syncrepl stanza is a read-only replica. OpenLDAP 2.5 and later also accept the newer spelling multiprovider TRUE.

SyncProv and Accesslog Overlays
overlay      syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
overlay      accesslog
logdb        cn=accesslog
logops       writes
logsuccess   TRUE
logpurge     24:00 01+00:00

3. Create a new database section above the Monitor Database section that includes the following:

Accesslog database
database     mdb
rootdn       "cn=config"
directory    /var/symas/openldap-data/accesslog
maxsize      5120000
suffix       "cn=accesslog"
index default eq
index objectClass
index entryCSN
index reqDN,reqEnd,reqResult,reqStart

The accesslog database is local to each server and is not itself replicated; each peer reads the other's log through the syncprov overlay defined next. The same access-control and sizing notes as for the single producer apply here.

4. Define only the syncprov overlay for the Accesslog database:

overlay      syncprov
syncprov-nopresent   TRUE
syncprov-reloadhint  TRUE

Save changes and quit: ESC :wq

5. Create the accesslog database directory, owned by the user slapd runs as:

mkdir /var/symas/openldap-data/accesslog

Configure the Second Producer server
Adjust credentials, URIs and directory paths as necessary.

vi /opt/symas/etc/openldap/slapd.conf

1. In the global section include the following:

Server ID (place as the first line of the file)
serverid      002      ldap://consumer.ldap/

SyncProv and Accesslog Modules
moduleload    syncprov.la
moduleload    accesslog.la

2. In the mdb database section include the following:

Indexing
index entryCSN,entryUUID eq

Syncrepl
syncrepl
  rid=1
  provider="ldap://producer.ldap/"
  binddn="dc=example,dc=com"
  credentials=secret
  bindmethod=simple
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
  schemachecking=on
  network-timeout=30
  keepalive=180:3:60
mirrormode   TRUE

SyncProv and Accesslog Overlays
overlay      syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
overlay      accesslog
logdb        cn=accesslog
logops       writes
logsuccess   TRUE
logpurge     24:00 01+00:00

3. Create a new database section above the Monitor Database section that includes the following:

Accesslog database
database     mdb
rootdn       "cn=config"
directory    /var/symas/openldap-data/accesslog
maxsize      5120000
suffix       "cn=accesslog"
index default eq
index objectClass
index entryCSN
index reqDN,reqEnd,reqResult,reqStart

4. Define only the syncprov overlay for the Accesslog database:

overlay      syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

Save changes and quit: ESC :wq

5. Create the accesslog database directory, owned by the user slapd runs as:

mkdir /var/symas/openldap-data/accesslog

6. Run slapindex and slaptest on the slapd.conf file on both VMs, with slapd stopped and as the user slapd runs as, to test for potential failures before starting the slapd daemon:
slapindex -q -f /opt/symas/etc/openldap/slapd.conf
slaptest -f /opt/symas/etc/openldap/slapd.conf -d stats,sync

7. Start slapd on both VMs:
service slapd start

Multi-Master Replication (MMR) Using slapd.d
This requires the cn=config database to be configured with a rootpw. In the examples below the rootdn is cn=config and the rootpw is secret. As in the single-producer slapd.d setup above, each ldapmodify or ldapadd reads the LDIF shown under it from standard input, the changes take effect in the running slapd immediately, and -W or -y keeps the password off the command line. Each server is both provider and consumer of the other, so both get the full producer setup plus a syncrepl stanza pointing at the peer.

Configure the first Producer server
Adjust credentials, URIs and directory paths as necessary.

1. In the cn=config entry set the Server ID:

ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 001 ldap://producer.ldap/

Each server needs a distinct, non-zero serverid; it is embedded in every CSN the server generates. If a URL is given it must match one of the URLs this slapd listens on (its -h argument), otherwise the server cannot work out which ID is its own; if in doubt, give only the number.

2. In cn=module include the SyncProv and Accesslog Modules:

ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: syncprov.la
-
add: olcModuleload
olcModuleload: accesslog.la

3. In the Database={1}mdb section include the following:

Indexing
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

Syncrepl
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://consumer.ldap bindmethod=simple binddn="dc=example,dc=com" credentials="secret" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog schemachecking=on network-timeout=30 keepalive=180:3:60
-
add: olcMirrorMode
olcMirrorMode: TRUE

olcSyncrepl is a single attribute value and must stay on one line (or use LDIF continuation lines, which start with a space). olcMirrorMode is added in the same modify on purpose: a database that has olcSyncrepl but no mirror mode becomes a read-only replica. OpenLDAP 2.5 and later also accept the newer name olcMultiProvider.

SyncProv Overlay
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 10000

4. Create the accesslog database directory, owned by the user slapd runs as. It must exist before the database entry is added, because slapd opens the mdb environment as soon as it accepts the entry. If the directory is left over from an earlier attempt, empty it first; rm -rf destroys whatever accesslog data is there, so only do this on a server you are building or rebuilding:

rm -rf /var/symas/openldap-data/accesslog/
mkdir /var/symas/openldap-data/accesslog

5. Create a new database that includes the following:

Accesslog database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcSuffix: cn=accesslog
olcRootDN: cn=config
olcDbDirectory: /var/symas/openldap-data/accesslog
olcAddContentAcl: FALSE
olcDbIndex: default eq
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: reqDN eq
olcDbIndex: reqStart eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbMaxEntrySize: 0
olcDbMaxReaders: 0
olcDbMaxSize: 5120000
olcDbMode: 0600
olcDbMultivalHi: 4294967295
olcDbMultivalLo: 4294967295
olcDbNoSync: FALSE
olcDbRtxnSize: 10000
olcDbSearchStack: 16
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: TRUE
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE

6. Define only the syncprov overlay for the Accesslog database:

ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

7. Add the AccessLog Overlay to the MDB database:

ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
olcOverlay: {0}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 24:00 1+00:00
olcAccessLogSuccess: TRUE

Configure the second Producer server
Adjust credentials, URIs and directory paths as necessary.

1. In the cn=config entry set the Server ID:

ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 002 ldap://consumer.ldap/

2. In cn=module include the SyncProv and Accesslog Modules:

ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: syncprov.la
-
add: olcModuleload
olcModuleload: accesslog.la

3. In the Database={1}mdb section include the following:

Indexing
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

Syncrepl
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://producer.ldap bindmethod=simple binddn="dc=example,dc=com" credentials="secret" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog schemachecking=on network-timeout=30 keepalive=180:3:60
-
add: olcMirrorMode
olcMirrorMode: TRUE

SyncProv Overlay
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 10000

4. Create the accesslog database directory, owned by the user slapd runs as. It must exist before the database entry is added:

mkdir /var/symas/openldap-data/accesslog

5. Create a new database that includes the following:

Accesslog database
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcSuffix: cn=accesslog
olcRootDN: cn=config
olcDbDirectory: /var/symas/openldap-data/accesslog
olcAddContentAcl: FALSE
olcDbIndex: default eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: reqDN eq
olcDbIndex: reqStart eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbMaxEntrySize: 0
olcDbMaxReaders: 0
olcDbMaxSize: 5120000
olcDbMode: 0600
olcDbMultivalHi: 4294967295
olcDbMultivalLo: 4294967295
olcDbNoSync: FALSE
olcDbRtxnSize: 10000
olcDbSearchStack: 16
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: TRUE
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE

6. Define only the syncprov overlay for the Accesslog database:

ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

7. Add the AccessLog Overlay to the MDB Database:

ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
olcOverlay: {0}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 24:00 1+00:00
olcAccessLogSuccess: TRUE

8. Run slaptest against slapd.d on both VMs to test for potential failures before the next restart of the slapd daemon (the ldapmodify changes above are already live):
slaptest -F /opt/symas/etc/openldap/slapd.d -d stats,sync
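Whichever of the four configurations above is in use, the way to confirm that replication is working is to compare the contextCSN attribute of the suffix entry on each server: a single-producer setup carries one value, a multi-provider setup one value per serverid (001 and 002 here). The script below is an added example, not code from the Symas page. It parses constructed stand-ins for the ldapsearch output of producer.ldap and consumer.ldap and reports, per serverid, which side has not yet applied the latest change; the live_check function shows the real queries, with a password file path that is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Symas page: compares the contextCSN values of
# two replication peers per serverid. PRODUCER_CSN and CONSUMER_CSN are
# constructed stand-ins for the output of
#   ldapsearch -LLL -x -H ldap://producer.ldap -D "dc=example,dc=com" -y "$pwfile" \
#     -b dc=example,dc=com -s base contextCSN
# on each server; a single-producer setup shows one contextCSN, a multi-provider
# setup one per serverid (001 and 002 in the configuration above).
set -eu

PRODUCER_CSN='dn: dc=example,dc=com
contextCSN: 20220113150102.123456Z#000000#001#000000
contextCSN: 20220113150030.654321Z#000000#002#000000'

# Same moment on the peer: it is current for its own serverid 002 but has not
# yet applied the latest change that originated on serverid 001.
CONSUMER_CSN='dn: dc=example,dc=com
contextCSN: 20220113145900.000000Z#000000#001#000000
contextCSN: 20220113150030.654321Z#000000#002#000000'

# csn_lag NAME_A OUTPUT_A NAME_B OUTPUT_B
# For each serverid the larger CSN is the most recent change known anywhere, so
# the side holding the smaller one (or none at all) has not applied it yet.
# Prints one line per lagging serverid and exits with their count (0 = in sync).
# CSNs are fixed-width, so plain string comparison orders them correctly.
csn_lag() {
    awk -v na="$1" -v a="$2" -v nb="$3" -v b="$4" '
    function load(text, into,    n, lines, i, f, csn) {
        n = split(text, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (index(lines[i], "contextCSN: ") != 1) continue
            csn = substr(lines[i], 13)
            split(csn, f, "#")          # time#count#serverid#modcount
            into[f[3]] = csn
            seen[f[3]] = 1
        }
    }
    BEGIN {
        split("", ca); split("", cb)
        load(a, ca); load(b, cb)
        lag = 0
        for (sid in seen) {
            if (!(sid in ca))           { print sid ": " na " has no CSN for this serverid"; lag++ }
            else if (!(sid in cb))      { print sid ": " nb " has no CSN for this serverid"; lag++ }
            else if (ca[sid] < cb[sid]) { print sid ": " na " behind (" ca[sid] " < " cb[sid] ")"; lag++ }
            else if (cb[sid] < ca[sid]) { print sid ": " nb " behind (" cb[sid] " < " ca[sid] ")"; lag++ }
        }
        exit lag
    }'
}

# Live version, not run here: the same comparison against the two servers from
# the configuration above. The password file path is an assumption; keep it
# mode 0600 rather than passing the password with -w.
live_check() {
    pwfile=${1:-/etc/openldap/replpw}
    p=$(ldapsearch -LLL -x -H ldap://producer.ldap -D "dc=example,dc=com" -y "$pwfile" \
          -b dc=example,dc=com -s base contextCSN)
    c=$(ldapsearch -LLL -x -H ldap://consumer.ldap -D "dc=example,dc=com" -y "$pwfile" \
          -b dc=example,dc=com -s base contextCSN)
    csn_lag producer.ldap "$p" consumer.ldap "$c"
}

if csn_lag producer.ldap "$PRODUCER_CSN" consumer.ldap "$CONSUMER_CSN"; then
    echo "in sync"
else
    echo "replication lag detected"
fi
```

A serverid that is missing on one side means that side has never received a change from that peer, which right after setup usually points at a syncrepl stanza that cannot bind or cannot read cn=accesslog. A persistent lag with refreshAndPersist usually means the consumer is retrying (check the retry interval and the slapd log with -d sync).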