Symas OpenLDAP Knowledge Base

Promoting Replicas to Providers (Single Provider)

Created by Greg Noe, last modified on Jul 16, 2015

This procedure is intended for single-provider environments using standard syncrepl.  The procedure for multi-provider environments is available here: [[[DRAFT] Procedure for Promoting Replicas to Providers (Multi-Provider)|3277165]]

  • Please consult the [[[DRAFT] Replication Best Practices|2719748]] guide for information on configuring replication for high availability. 
  • It is important to configure and test this promotion procedure as a part of your disaster recovery plan.

Background

When working in a replicated environment, it is sometimes necessary to promote a replication consumer to a replication provider because the provider server has gone offline, whether through failure, maintenance or decommissioning.

Back up all provider and consumer configurations prior to implementing any changes (See: [[Configuration Backup|Configuration-Backup_3277052]]).

In this procedure, we’ll use one provider and two consumers with the following base configurations:

Example Base Configurations

The provider/consumer example configurations in this document are based on the following:

cn=config

Provider:

cn=config
----------------
olcServerID: 1

cn=module{0},cn=config
-----------------------
olcModuleLoad: syncprov

olcDatabase={1}mdb,cn=config
-------------------------------------------------
olcDatabase: {1}mdb
olcDbDirectory: /var/symas/openldap-data/example
olcDbIndex: default eq
olcDbIndex: cn,objectClass,entryCSN,entryUUID eq
olcDbMaxSize: 1073741824
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcSuffix: dc=example,dc=com

olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
---------------------------------------------------
olcSpCheckpoint: 1000 60
olcSpSessionlog: 100

Consumers:

cn=config
----------------
olcServerID: 2|3
 
olcDatabase={1}mdb,cn=config
-------------------------------------------------
olcDatabase: {1}mdb
olcDbDirectory: /var/symas/openldap-data/example
olcDbIndex: default eq
olcDbIndex: cn,objectClass,entryCSN,entryUUID eq
olcDbMaxSize: 1073741824
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcSuffix: dc=example,dc=com
olcSyncrepl: rid=001 provider=ldap://server1/ 
  binddn="cn=admin,dc=example,dc=com" 
  bindmethod=simple credentials=secret 
  searchbase="dc=example,dc=com" 
  type=refreshAndPersist interval=00:00:00:10 
  retry="5 5 300 5" timeout=1

slapd.conf

Provider:

# Global Definitions
serverID 1
moduleload syncprov.la

# Database Definition
database  mdb
directory "/var/symas/openldap-data/example"
suffix    "dc=example,dc=com"
maxsize   1073741824
rootdn    "cn=admin,dc=example,dc=com"
rootpw    secret
index   default eq
index   cn,objectClass,entryCSN,entryUUID eq

# Syncprov Definition
overlay syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 100

Consumers:

# Global Definitions
serverID 2|3

# Database Definition
database  mdb
directory "/var/symas/openldap-data/example"
suffix    "dc=example,dc=com"
maxsize   1073741824
rootdn    "cn=admin,dc=example,dc=com"
rootpw    secret
index   default eq
index   cn,objectClass,entryCSN,entryUUID eq

# Syncrepl Definition
syncrepl rid=001 provider=ldap://server1/ 
  binddn="cn=admin,dc=example,dc=com" 
  bindmethod=simple credentials=secret 
  searchbase="dc=example,dc=com" 
  type=refreshAndPersist interval=00:00:00:10 
  retry="5 5 300 5" timeout=1

Procedure for Promotion

  1. Back up all provider and consumer configurations prior to implementing any changes (See: [[Configuration Backup|Configuration-Backup_3277052]])

  2. Back up the data on your provider and consumer databases (See: [[Backup & Restore|3277177]] articles)

  3. If your consumers connect to your providers using SSL/TLS, ensure the correct certificates are in place to allow connections to the consumer being promoted. (See: [[SSL Certificate Maintenance|3277192]])

  4. Promoting the consumer:

    1. First remove all consumer related syncrepl settings:

      Syncrepl Removal - cn=config

      # File: rmSR.ldif
      # Command Line Example:
      # ldapmodify -x -D "cn=admin,cn=config" -W -H ldap://server/ -f rmSR.ldif
      # -----------------------------------------------------------------------
      
      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      delete: olcSyncrepl
      -

      Syncrepl Removal - slapd.conf

      # Remove/comment out the following:
      
      syncrepl rid=001 provider=ldap://server1/ 
        binddn="cn=admin,dc=example,dc=com" 
        bindmethod=simple credentials=secret 
        searchbase="dc=example,dc=com" 
        type=refreshAndPersist interval=00:00:00:10 
        retry="5 5 300 5" timeout=1
    2. Next, add/enable the syncprov overlay and match the configuration to the original provider:

      Add Syncprov - cn=config

      # File: addSP.ldif
      # Command Line Example:
      # ldapmodify -x -D "cn=admin,cn=config" -W -H ldap://server/ -f addSP.ldif
      # ------------------------------------------------------------------------
      dn: cn=module{0},cn=config
      changetype: modify
      add: olcModuleLoad
      olcModuleLoad: syncprov.la
      -
      
      dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
      changetype: add
      objectClass: olcOverlayConfig
      objectClass: olcConfig
      objectClass: top
      objectClass: olcSyncProvConfig
      olcOverlay: syncprov
      olcSpCheckpoint: 1000 60
      olcSpSessionlog: 100

      Add Syncprov - slapd.conf

      # Global Config
      moduleload syncprov.la
      
      # Syncprov Definition
      database mdb
      ...
      overlay syncprov
      syncprov-checkpoint 1000 60
      syncprov-sessionlog 100
      
      # Restart slapd daemon to activate changes
  5. On all other consumers, update the provider URI in the syncrepl setting to point to the new provider:

    Update Provider URI - cn=config

    # File: updURI.ldif
    # Command Line Example:
    # ldapmodify -x -D "cn=admin,cn=config" -W -H ldap://server/ -f updURI.ldif
    # -------------------------------------------------------------------------
    
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    replace: olcSyncrepl
    olcSyncrepl: rid=001 provider=ldap://server2/ binddn="cn=admin,
     dc=example,dc=com" bindmethod=simple credentials=secret searchbase="dc=exampl
     e,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeo
     ut=1
    -

    Update Provider URI - slapd.conf

    # Syncrepl Definition
    syncrepl rid=001 provider=ldap://server2/ binddn="cn=admin,dc=example,dc=com" 
      bindmethod=simple credentials=secret searchbase="dc=example,dc=com" 
      type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
    
    # Restart slapd daemon to activate changes
  6. Once the consumer configurations are updated (and slapd is restarted if the server uses slapd.conf), the promotion will be complete.
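
Before promoting a consumer (step 4), confirm that it is the most current replica: a consumer that has not yet applied every update the old provider accepted would lose those updates on promotion. The following Python is added here and is not part of this article; it parses the contextCSN attribute returned by a base-scope ldapsearch of dc=example,dc=com on each server and selects a consumer that is at least as current as the provider (when it can still be queried) and as every other consumer. The server names and CSN values are constructed sample data.

```python
import re

# Constructed sample output of a base-scope search for contextCSN, e.g.
#   ldapsearch -x -H ldap://<server>/ -b dc=example,dc=com -s base contextCSN
# run against the old provider (server1) and the two consumers in this article.
# The CSN values are made up; format is <timestamp>.<usec>Z#<count>#<serverID>#<mod>.
SAMPLE_CSN_OUTPUT = {
    "server1": "dn: dc=example,dc=com\ncontextCSN: 20150716120530.123456Z#000000#001#000000\n",
    "server2": "dn: dc=example,dc=com\ncontextCSN: 20150716120530.123456Z#000000#001#000000\n",
    "server3": "dn: dc=example,dc=com\ncontextCSN: 20150716115900.000001Z#000000#001#000000\n",
}
CSN_RE = re.compile(r"^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

def parse_contextcsn(ldif_text):
    """Return {serverID: (timestamp, count, mod)} for each contextCSN in an LDIF result.
    LDIF folds long values onto lines starting with a space, so unfold before parsing."""
    csns = {}
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        if not line.startswith("contextCSN:"):
            continue
        m = CSN_RE.match(line.split(":", 1)[1].strip())
        if not m:
            raise ValueError("malformed contextCSN: " + line)
        ts, count, sid, mod = m.groups()
        csns[sid] = (ts, count, mod)  # fixed-width fields, so tuples compare correctly
    return csns

def is_at_least(a, b):
    """True if CSN set a has seen everything CSN set b has, per originating serverID."""
    return all(sid in a and a[sid] >= val for sid, val in b.items())

def choose_candidate(consumer_outputs, provider_output=None):
    """Pick the consumer that is safe to promote: its contextCSN must be at least the
    provider's (when the provider can still be queried) and at least every other
    consumer's. Returns None if no consumer qualifies; promoting one anyway would
    discard updates that another server has already applied."""
    parsed = {name: parse_contextcsn(out) for name, out in consumer_outputs.items()}
    reference = [parse_contextcsn(provider_output)] if provider_output else []
    for name, csn in parsed.items():
        others = reference + [c for n, c in parsed.items() if n != name]
        if all(is_at_least(csn, o) for o in others):
            return name
    return None

if __name__ == "__main__":
    consumers = {n: SAMPLE_CSN_OUTPUT[n] for n in ("server2", "server3")}
    print("promote:", choose_candidate(consumers, SAMPLE_CSN_OUTPUT["server1"]))  # server2
```

If the old provider is already unreachable, call choose_candidate without provider_output and the most advanced consumer is selected instead.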

Converting the original provider to a consumer

If the original provider is being converted to a consumer, follow these steps:

  1. Remove the syncprov overlay and related settings

    Syncprov Overlay Removal - cn=config

    # Back up the cn=config database using the slapcat utility:
    
        slapcat -n0 -l server1_config_orig.ldif
    
    # Make a copy of the cn=config database backup ldif:
    
        cp server1_config_orig.ldif new_config.ldif
    
    # Open the backup ldif (new_config.ldif) and delete the 
    # syncprov overlay section:
    
        dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
    
    # If the syncprov overlay is not being used for any other 
    # database on the server, remove the following from the 
    # 'dn: cn=module{0},cn=config' section:
      olcModuleLoad: {N}syncprov.la
    
    # Stop the slapd daemon
    
    # Delete the contents of the slapd dynamic 
    # configuration directory:
    
      rm -rf /opt/symas/etc/openldap/slapd.d/*
    
    # Import the modified new_config.ldif:
    
      slapadd -n0 -F /opt/symas/etc/openldap/slapd.d -l new_config.ldif
    
    # Start the slapd daemon

    Syncprov Overlay Removal - slapd.conf

    # Remove/comment out all instances of the following:
    
    moduleload syncprov.la
    overlay syncprov
    syncprov-checkpoint 1000 60
    syncprov-sessionlog 100
    syncprov-nopresent [TRUE|FALSE]
    syncprov-reloadhint [TRUE|FALSE]
  2. Next, add the syncrepl configuration

    Add Syncrepl - cn=config

    # File: addSR.ldif
    # Command Line Example: 
    # ldapmodify -x -D "cn=admin,cn=config" -W -H ldap://myserver/ -f addSR.ldif
    # --------------------------------------------------------------------------
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSyncrepl
    olcSyncrepl: rid=001 provider=ldap://server2/ binddn="cn=admin,
     dc=example,dc=com" bindmethod=simple credentials=secret searchbase="dc=exampl
     e,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeo
     ut=1
    -

    Add Syncrepl - slapd.conf

    # Syncrepl Definition
    syncrepl rid=001 provider=ldap://server2/ binddn="cn=admin,dc=example,dc=com" 
      bindmethod=simple credentials=secret searchbase="dc=example,dc=com" 
      type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1
    
    # Start the slapd daemon
  3. The conversion is now complete.
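
The manual edit in step 1 of the conversion (delete the syncprov overlay entry from the slapcat dump, and drop the syncprov.la olcModuleLoad value only if no other database still uses the overlay) can be scripted so the same mistake is not made by hand on a production dump. The Python below is an added example, not part of this article, that applies exactly that edit to a constructed cn=config dump; the entries are simplified and the {N} index values are assumed.

```python
import re

# Constructed, simplified excerpt of a cn=config dump (slapcat -n0) taken from the
# original provider in this article; the {N} index values are assumed.
SAMPLE_CONFIG_LDIF = """dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}syncprov.la

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 1000 60
olcSpSessionlog: 100
"""

ANY_SYNCPROV_DN = re.compile(r"^dn: olcOverlay=(\{\d+\})?syncprov,", re.M)
SYNCPROV_MODLOAD = re.compile(r"^olcModuleLoad: (\{\d+\})?syncprov\.la$")

def strip_syncprov(config_ldif, database_dn="olcDatabase={1}mdb,cn=config"):
    """Return the dump without the syncprov overlay entry beneath database_dn.
    The syncprov.la olcModuleLoad value is dropped only when no other database in
    the dump still carries a syncprov overlay, matching the article's condition."""
    # Unfold LDIF continuation lines, then split the dump into entries.
    entries = re.sub(r"\n ", "", config_ldif).strip().split("\n\n")
    target = re.compile(r"^dn: olcOverlay=(\{\d+\})?syncprov," + re.escape(database_dn) + r"$", re.M)
    kept = [e for e in entries if not target.search(e)]
    if not any(ANY_SYNCPROV_DN.search(e) for e in kept):
        kept = ["\n".join(l for l in e.split("\n") if not SYNCPROV_MODLOAD.match(l)) for e in kept]
    return "\n\n".join(kept) + "\n"

if __name__ == "__main__":
    # Print what would be written to new_config.ldif for slapadd -n0.
    print(strip_syncprov(SAMPLE_CONFIG_LDIF))
```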