Symas OpenLDAP Knowledge Base

OpenLDAP NTP and Replication

Created by Greg Noe, last modified on Nov 11, 2016

Problem

Replication depends on tight clock synchronization between all replication providers and consumers (within milliseconds).  Poorly synchronized clocks can cause inconsistent replication behavior.  Symptoms of poor clock synchronization include:

  • Changes not being replicated to consumers
  • Providers repeatedly replicating changes between each other
  • Large numbers of err=53 messages in your slapd logs

Checking synchronization using NTP (Network Time Protocol)

NTP is a service that synchronizes the system clock on a server with one or more authoritative time servers.  NTP is an optional service that may need to be installed and/or configured to start at system startup. 

To check if NTP is installed and running on your system, use the command “ntpq -p”.

  • If the ntpq command is not found, contact your system administrator to have NTP installed. 
  • If NTP is installed but not running, you will get the following error: “ntpq: read: connection refused”. Start the service using root privileges with the following command: “service ntp|ntpd start”.

Configuring NTP to compare LDAP servers

NTP can be configured to compare an LDAP server’s system clock with one or more remote LDAP servers using the ntpq command.  To do this, add the list of remote LDAP servers to the server list in the /etc/ntp.conf file.  Set the “noselect” option on each LDAP server listed; this prevents the LDAP servers from being used as an authoritative time source.  This type of configuration allows non-root users to use the ntpq command.  The NTP service must be restarted after any changes to the configuration.

/etc/ntp.conf for provider-01.example.org

# Authoritative time sources
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

# LDAP servers (do not include config for localhost, this is defined elsewhere)
# server provider-01.example.org noselect
server provider-02.example.org noselect
server consumer-01.example.org noselect
server consumer-02.example.org noselect

Apply this configuration to each LDAP server.

Using the ntpq command

To check the time synchronization between servers, use the command: ntpq -p.  The resulting output looks like this:

Output from “ntpq -p”

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+108.61.194.85.v 200.23.51.102    2 u    5   64  377    1.993    26.910   1.033
*ip180.208-100-2 216.86.146.46    2 u    6   64  377   52.610    31.289   1.110
-4.144.155.104.b 198.82.247.71    3 u   13   64  377   40.032    30.124   1.584
+ntp1.wiktel.com 132.163.4.101    2 u    9   64  377   45.072    28.076   1.618
 provider-02.exa 198.60.22.240    2 u   59   64  377    0.134    16.230   1.016
 consumer-01.exa 198.60.22.240    2 u   40   64  377    0.128    10.030   1.025
 consumer-02.exa 198.60.22.240    2 u   15   64  377    0.130   -18.432   1.501

The last three lines of the example are the remote LDAP servers added to /etc/ntp.conf.  The column to look at is the offset column.  The values are the differences between the local and remote server’s system clocks, measured in milliseconds.  A positive offset is the number of milliseconds the server is ahead of the remote server.  A negative offset is the number of milliseconds the server is behind the remote server.  The closer a positive or negative offset is to 0.00, the closer the two servers’ clocks are together.

Ideally, the offset between LDAP servers should be 0.00; however, this can be difficult to achieve, especially with LDAP servers hosted on virtual machines.  An offset within 1-2 milliseconds is generally acceptable.  If the offset is larger than that, contact your system administrator.
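The offset check described above can be scripted so it is run the same way on every LDAP server. The following is an added example, not a Symas tool: it parses the “ntpq -p” peer table, keeps only the LDAP peers (assumed to be named provider-*/consumer-* as in this article), and reports any whose absolute offset exceeds a threshold, defaulting to the 2 ms limit given above. The consumer-03 line in the sample is constructed to show an in-tolerance peer.

```shell
#!/bin/sh
# Added example (not part of the Symas article): parse "ntpq -p" peer output
# and flag the LDAP peers (the "noselect" entries) whose clock offset exceeds
# a threshold. Assumes LDAP peers are named provider-*/consumer-* as in the
# article and that 2 ms is the acceptable limit; both are parameters.

# Constructed sample table in the "ntpq -p" format shown above; the
# consumer-03 line is invented to show an in-tolerance peer.
SAMPLE_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+108.61.194.85.v 200.23.51.102    2 u    5   64  377    1.993    26.910   1.033
 provider-02.exa 198.60.22.240    2 u   59   64  377    0.134    16.230   1.016
 consumer-01.exa 198.60.22.240    2 u   40   64  377    0.128    10.030   1.025
 consumer-02.exa 198.60.22.240    2 u   15   64  377    0.130   -18.432   1.501
 consumer-03.exa 198.60.22.240    2 u   20   64  377    0.131    0.812   1.210'

# check_offsets THRESHOLD_MS [PEER_REGEX]  < peer-table
# Prints "DRIFT|OK <peer> <offset>" for every peer matching PEER_REGEX.
# Returns 1 if any matching peer is outside the threshold, else 0.
check_offsets() {
  pat="${2:-^(provider|consumer)-}"
  awk -v thr="${1:-2}" -v pat="$pat" '
    NR <= 2 { next }                    # header line and "====" separator
    {
      # Column 1 of each line is the tally code (space, +, *, -, ...) and is
      # glued to the hostname, so drop it before splitting into the fields
      # remote refid st t when poll reach delay offset jitter
      n = split(substr($0, 2), f)
      if (n < 10 || f[1] !~ pat) next
      off = f[9] + 0
      if (off < 0) off = -off           # compare the magnitude, sign aside
      state = (off > thr) ? "DRIFT" : "OK"
      if (state == "DRIFT") bad = 1
      printf "%-5s %s %s\n", state, f[1], f[9]
    }
    END { exit bad ? 1 : 0 }'
}

# On a real LDAP server:  ntpq -p | check_offsets 2
# Offline run against the constructed sample:
printf '%s\n' "$SAMPLE_PEERS" | check_offsets 2 || echo "one or more LDAP peers drifted"
```

Because the offsets in the sample are those shown in the article, every peer except the constructed consumer-03 is reported as DRIFT at the 2 ms threshold; raising the threshold (e.g. 30) makes the function return 0.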

Check

Solution

NTP configuration on AWS