Symas OpenLDAP Knowledge Base

OpenLDAP NTP and Replication

Created by Greg Noe, last modified on Nov 11, 2016


Replication depends on tight clock synchronization between all replication providers and consumers (within milliseconds).  Poorly synchronized clocks can cause inconsistent replication behavior.  Symptoms of poor clock synchronization include:

  • Changes not being replicated to consumers
  • Providers repeatedly replicating changes between each other
  • Large numbers of err=53 messages in your slapd logs

Checking synchronization using NTP (Network Time Protocol)

NTP is a service that synchronizes the system clock on a server with one or more authoritative time servers.  NTP is an optional service that may need to be installed and/or configured to start at system startup. 

To check if NTP is installed and running on your system use the command “ntpq -p” . 

  • If the ntpq command is not found, contact your system administrator to have NTP installed. 
  • If NTP is installed but not running, you will get the following error: “ntpq: read: connection refused”. Start the service using root privileges with the following command “service ntp|ntpd start
Configuring NTP to compare LDAP servers

NTP can be configured to compare an LDAP server’s system clock with one or more remote LDAP server with the ntpq command.  To do this, add the list of remote LDAP servers to the server list in the /etc/ntp.conf file.  Set the “noselect” option on each LDAP server listed; this prevents the LDAP servers from being used as an authoritative time source.  This type of configuration allows non-root user to use the ntpq command.  The NTP service must be restarted after any changes to the configuration.

/etc/ntp.conf for

# Authoritative time sources
server iburst
server iburst
server iburst
server iburst

# LDAP servers (do not include config for localhost, this is defined elsewhere)
# server noselect
server noselect
server noselect
server noselect

Apply this configuration to each LDAP server.

Using the ntpq command

To check the time synchronization between servers, use the command: ntpq -p . The resulting output is this:

Output from “ntpq -d”

     remote           refid      st t when poll reach   delay   offset  jitter
+    2 u    5   64  377    1.993    26.910   1.033
*ip180.208-100-2    2 u    6   64  377   52.610    31.289   1.110
-    3 u   13   64  377   40.032    30.124   1.584    2 u    9   64  377   45.072    28.076   1.618
 provider-02.exa    2 u   59   64  377    0.134    16.230   1.016
 consumer-01.exa    2 u   40   64  377    0.128    10.030   1.025
 consumer-02.exa    2 u   15   64  377    0.130   -18.432   1.501

The last three lines of the example are the remote LDAP servers added to /etc/ntp.conf.  The column to look at is the offset column.  The values are the differences between the local and remote server’s system clocks, measured in milliseconds.  A positive offset is is the number of milliseconds the server is ahead of the remote server.  A negative offset is the number of milliseconds the server is behind the remote server.  The closer a positive or negative offset is to 0.00, the closer the two server’s clocks are together.

Ideally, the offset between LDAP servers should be 0.00, however this can be difficult, especially with LDAP servers hosted on virtual machines.  An offset within 1-2 milliseconds is generally acceptable.  If the offset is larger than that, contact your system administrator.



NTP configuration on AWS