OpenLDAP Replication and Server Configuration

Overview

https://devproj.inf.ed.ac.uk/project/show/15 provides the details for the project.

Investigation

Investigations into master-server replication are summarised here: http://www.dice.inf.ed.ac.uk/units/infrastructure/Projects/openldap-replication-conclusions.html

Implementation

Configuration

The master server (or "provider" in syncrepl terminology) is configured using the following header file:

dice/options/openldap-syncrepl-master-server.h

The slave servers (or "consumers") are configured using the following:

#define _NO_OPENLDAP_SLAPREPL_SLAVE_SERVER
#define _OPENLDAP_SYNCREPL_RID 112

#include 

Note that _OPENLDAP_SYNCREPL_RID must be set to a unique value for each consumer connecting to the same provider.

Authentication

Connections between the slave servers and the master server are authenticated via SASL/GSSAPI, using the ldaprep/hostname.inf.ed.ac.uk principal for each slave. Due to the way in which security contexts work with MIT Kerberos, it is necessary for slapd to be restarted daily on the slave servers to establish new credentials. This is done via a cron job, running at midnight.

Monitoring

A script, syncrepl-check, runs daily on each slave and checks that the LDAP database is in sync with the master. The LDAP service itself is monitored on all slaves and master using Nagios.

Work to be done

The script syncrepl-check should be properly packaged and distributed to slave servers.

-- TobyBlake - 04 Mar 2008