OpenLDAP Replication and Server Configuration
Overview
https://devproj.inf.ed.ac.uk/project/show/15 provides the details for the project.
Investigation
Investigations into master-server replication are summarised here:
http://www.dice.inf.ed.ac.uk/units/infrastructure/Projects/openldap-replication-conclusions.html
Implementation
Configuration
The master server (or "provider" in syncrepl terminology) is configured using the following header file:
dice/options/openldap-syncrepl-master-server.h
The slave servers (or "consumers") are configured using the following:
#define _NO_OPENLDAP_SLAPREPL_SLAVE_SERVER
#define _OPENLDAP_SYNCREPL_RID 112
#include
Note that _OPENLDAP_SYNCREPL_RID must be set to a unique value for each consumer connecting to the same provider.
Authentication
Connections between the slave servers and the master server are authenticated via SASL/GSSAPI, using the ldaprep/hostname.inf.ed.ac.uk principal for each slave. Due to the way in which security contexts work with MIT Kerberos, it is necessary for slapd to be restarted daily on the slave servers to establish new credentials. This is done via a cron job, running at midnight.
Monitoring
A script, syncrepl-check, runs daily on each slave and checks that the LDAP database is in sync with the master. The LDAP service itself is monitored on all slaves and master using Nagios.
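The page does not show the contents of syncrepl-check; the following is an added example, not the DICE script, of the core comparison such a check makes: reading the contextCSN of the provider and of the consumer and reporting whether the consumer is behind. The LDIF inputs are constructed here and the suffix dc=example,dc=org is a placeholder.

```python
import re
from datetime import datetime, timezone

# contextCSN is "YYYYmmddHHMMSS[.ffffff]Z#counter#sid#modcount". The fractional
# part and 3-digit sid are the OpenLDAP 2.4 form; 2.3 omits the fraction and
# uses a 2-digit sid. Both forms are accepted here.
CSN_RE = re.compile(
    r"^(\d{14})(?:\.(\d{6}))?Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{2,3})#([0-9a-fA-F]{6})$")

def parse_csn(csn):
    """Return (timestamp, counter, sid, modcount) for one contextCSN value."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("malformed contextCSN: %r" % csn)
    ts, frac, counter, sid, mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(frac or 0))
    return when, int(counter, 16), int(sid, 16), int(mod, 16)

def csn_by_sid(ldif_text):
    """Map server id -> parsed contextCSN from 'ldapsearch -s base contextCSN' output."""
    result = {}
    for line in ldif_text.splitlines():
        if line.startswith("contextCSN:"):
            when, counter, sid, mod = parse_csn(line.split(":", 1)[1])
            result[sid] = (when, counter, mod)
    return result

def check_sync(provider_ldif, consumer_ldif, max_lag_seconds=0):
    """List the ways the consumer lags the provider; an empty list means in sync."""
    prov, cons = csn_by_sid(provider_ldif), csn_by_sid(consumer_ldif)
    problems = []
    for sid, (p_when, p_counter, _) in prov.items():
        if sid not in cons:
            problems.append("consumer has no contextCSN for sid %03x" % sid)
            continue
        c_when, c_counter, _ = cons[sid]
        if (c_when, c_counter) < (p_when, p_counter):
            lag = (p_when - c_when).total_seconds()
            if lag >= max_lag_seconds:
                problems.append("sid %03x: consumer is %.0fs behind provider" % (sid, lag))
    return problems

# Constructed sample output, as 'ldapsearch -LLL -s base -b <suffix> contextCSN' prints it.
PROVIDER = "dn: dc=example,dc=org\ncontextCSN: 20080424113547.123456Z#000000#000#000000\n"
LAGGING = "dn: dc=example,dc=org\ncontextCSN: 20080424113000.000000Z#000000#000#000000\n"

if __name__ == "__main__":
    for name, consumer in (("in-sync", PROVIDER), ("lagging", LAGGING)):
        print(name, check_sync(PROVIDER, consumer) or "OK")
```

With several providers (multi-master), each server ID contributes its own contextCSN value and the per-sid loop compares them independently.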
Work to be done
The script syncrepl-check should be properly packaged and distributed to slave servers.
--
TobyBlake - 04 Mar 2008
Topic revision: r2 - 24 Apr 2008 - 11:35:47 - TobyBlake