
We currently have a single OpenLDAP server using the cn=config backend. We'd like to add a second OpenLDAP server and configure them for multimaster replication. What do we need to do to

  1. enable replication on the existing server and
  2. initialize the new server with the existing data

So far what I've done (following this guide) is:

Syncing configuration

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://foo.example.com
olcServerID: 2 ldap://bar.example.com
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous

dn: cn=module,cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: olcDatabase=config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config
-
replace: olcRootPW
olcRootPW: abc123
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://foo.example.com bindmethod=simple
  binddn="cn=admin,cn=config" credentials=abc123 searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=3
olcSyncRepl: rid=002 provider=ldap://bar.example.com bindmethod=simple
  binddn="cn=admin,cn=config" credentials=abc123 searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=3
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov, olcDatabase=config, cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

This got configuration syncing working in both directions.

Syncing data

dn: olcDatabase=bdb,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://foo.example.com searchbase=dc=example,dc=com binddn="uid=ldapsync,ou=Special Accounts,dc=example,dc=com" credentials=xyz123
olcSyncrepl: rid=002 provider=ldap://bar.example.com searchbase=dc=example,dc=com binddn="uid=ldapsync,ou=Special Accounts,dc=example,dc=com" credentials=xyz123

dn: olcOverlay=syncprov, olcDatabase=bdb, cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

I verified that these changes were synced to the second server, and that the ldapsync user can authenticate and can see all the data it needs to. However, the bdb data doesn't seem to be syncing in either direction. What am I missing?


1 Answer


This thread led me to the idea that the olcMirrorMode definition needs to be placed after the olcSyncrepl lines. I stopped the ldap servers and edited the olcDatabase ldif files manually. This seems to have gotten replication of the data working in both directions now.

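The ordering problem described in the answer can be caught before stopping slapd and hand-editing files. The following is an added example, not code from the question or answer: it unfolds a cn=config database entry in LDIF form and reports when olcMirrorMode precedes the olcSyncrepl consumers (or is set with no consumer at all). The sample entry is constructed from the question's data-database LDIF, and the function names are my own.

```python
# Constructed sample: the question's data-database entry, with olcMirrorMode
# added before the olcSyncrepl consumers (the ordering the answer found to fail).
BROKEN_LDIF = """\
dn: olcDatabase=bdb,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://foo.example.com searchbase=dc=example,dc=com
  binddn="uid=ldapsync,ou=Special Accounts,dc=example,dc=com" credentials=xyz123
olcSyncrepl: rid=002 provider=ldap://bar.example.com searchbase=dc=example,dc=com
  binddn="uid=ldapsync,ou=Special Accounts,dc=example,dc=com" credentials=xyz123
"""

def unfold(ldif):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def check_mirrormode_order(ldif):
    """Return the problems found in one database entry; an empty list means OK."""
    attrs = []  # (attribute name, value) in the order slapd will see them
    for line in unfold(ldif):
        if not line or line == "-" or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in ("dn", "changetype", "add", "replace", "delete"):
            continue  # LDIF directives, not attributes of the entry
        attrs.append((name, value.strip()))
    names = [n for n, _ in attrs]
    problems = []
    if "olcmirrormode" in names:
        if "olcsyncrepl" not in names:
            problems.append("olcMirrorMode set but no olcSyncrepl consumer defined")
        elif names.index("olcmirrormode") < max(
                i for i, n in enumerate(names) if n == "olcsyncrepl"):
            problems.append("olcMirrorMode appears before olcSyncrepl; move it after")
    return problems
```

Run it against the exported olcDatabase={N}bdb.ldif (or the modify LDIF you are about to apply) on both masters; an empty list means the mirror-mode declaration follows every consumer definition.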