In this guide, we shall cover how to set up OpenLDAP Provider-Consumer replication (formerly called Master-Slave replication) on CentOS 8. In this kind of setup, the OpenLDAP consumer/secondary server replicates directory changes and updates from the provider/master.
There is also a possibility of having a provider-provider kind of setup, which basically means that we can have a multi-master LDAP configuration with more than one primary/provider server.
For Master-Master replication: Setup OpenLDAP Multi-Master Replication on CentOS 8
Setup OpenLDAP Replication on CentOS 8
Let’s get to know how to do this. We will need two CentOS 8 servers: one will be the primary/provider and the other will be the secondary/consumer server, with the following hostnames:
- LDAP Provider – ldapmaster.geeksforgeeks.org
- LDAP Consumer – consumer.geeksforgeeks.org
Add static hostname entries on each of the two servers so that they can resolve each other.
$ sudo vim /etc/hosts
172.20.5.209 ldapmaster.geeksforgeeks.org
172.20.5.210 consumer.geeksforgeeks.org
The next step is to install and configure basic OpenLDAP server on both hosts. We had covered the steps for OpenLDAP configuration on CentOS 8 in the guide below:
For Consumer configuration, stop at the step Create OpenLDAP SUDO schema in the Install and Configure OpenLDAP Server on CentOS 8 tutorial.
NTP Synchronization
It is important to have time synchronization between the Provider and Consumer server.
RHEL/CentOS 8 uses Chrony for time synchronization.
Set timezone:
sudo timedatectl set-timezone Africa/Nairobi
Install Chrony NTP server package.
sudo yum -y install chrony
Configure NTP synchronization by adding the relevant NTP servers in the /etc/chrony.conf file.
$ sudo vi /etc/chrony.conf
server 0.africa.pool.ntp.org iburst
server 1.africa.pool.ntp.org iburst
server 2.africa.pool.ntp.org iburst
server 3.africa.pool.ntp.org iburst
You can also use a custom NTP server with the steps highlighted in the article below:
Copy Configuration files
Copy data and configuration files from the primary server to the secondary server.
Run the following on the primary server to create a copy of the OpenLDAP database:
slapcat -b cn=config -l openldap-config.ldif
or
slapcat -n 0 -l openldap-config.ldif
Create a backup of OpenLDAP data :
slapcat -n 1 -l openldap-data.ldif
or
slapcat -l openldap-data.ldif
Copy the configuration and data dumps to the consumer server (as a user that can write to the destination; root is used here):
scp openldap-data.ldif openldap-config.ldif root@consumer.geeksforgeeks.org:/opt
Copy the SSL certificate and key from the provider to the consumer:
scp /etc/pki/tls/ldapserver.{crt,key} root@consumer.geeksforgeeks.org:/etc/pki/tls
Restore Configuration files on Consumer server
With the configuration and data dumps copied to the consumer, it’s time to restore them. First make sure the LDAP configuration and data directories are empty:
sudo rm -rf /etc/openldap/slapd.d/*
sudo rm -rf /var/lib/openldap/*
Restore the LDAP database:
cd /opt && sudo slapadd -b cn=config -l openldap-config.ldif -F /etc/openldap/slapd.d/
#or
cd /opt && sudo slapadd -n 0 -l openldap-config.ldif -F /etc/openldap/slapd.d/
Restore OpenLDAP data:
cd /opt && sudo slapadd -n 1 -l openldap-data.ldif -F /etc/openldap/slapd.d/
Set the correct ownership on the configuration, data and certificate files:
sudo chown -R ldap:ldap /etc/openldap/slapd.d/ /var/lib/openldap/
sudo chown ldap:ldap /etc/pki/tls/ldapserver.{crt,key}
Create LDAP Service
Create Systemd service for OpenLDAP:
$ sudo vim /etc/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb
[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
[Install]
WantedBy=multi-user.target
Reload systemd so it picks up the new unit:
sudo systemctl daemon-reload
Start and enable the service:
sudo systemctl enable --now slapd
Allow OpenLDAP service through Firewall
We need to allow connections to LDAP service through the firewall for client queries.
sudo firewall-cmd --add-service={ldap,ldaps} --permanent
sudo firewall-cmd --reload
Configure LDAP Replication on Provider/Master
We need to make our Master server aware of replication. We therefore enable LDAP content synchronization (syncrepl replication) on the master by loading the Syncprov overlay module.
$ vim enable-syncprov.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
Confirm that the module is available:
sudo slapcat -n 0 | grep -i modulepath
Desired output:
olcModulePath: /usr/libexec/openldap
Update the OpenLDAP database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f enable-syncprov.ldif
Configure syncprov replication settings as below:
$ vim syncprov-options.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
Apply changes to database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov-options.ldif
Enable database indexing
Enable entryUUID and entryCSN indexes to improve database performance and scan speed.
$ vim indexing.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
Apply the configuration:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f indexing.ldif
Configure OpenLDAP Replication on Consumer
We then need to configure the consumer server to obtain updates from the Provider server by enabling olcSyncrepl and setting it up with the right configuration.
vim enable-syncrepl.ldif
Here are the contents:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://ldapmaster.geeksforgeeks.org
  binddn="cn=readonly,ou=system,dc=ldapmaster,dc=neveropen,dc=com"
  bindmethod=simple
  credentials="Y0urP@ssW0rd"
  searchbase="dc=ldapmaster,dc=neveropen,dc=com"
  type=refreshAndPersist
  timeout=0
  network-timeout=0
  retry="60 +"
Replace provider, binddn, credentials and searchbase with your own details. Note that the binddn credentials are the ones created in the step Create LDAP Bind user in Install and Configure OpenLDAP Server on CentOS 8.
Update the database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f enable-syncrepl.ldif
Restart LDAP service to apply these changes:
sudo systemctl restart slapd
Test OpenLDAP Replication
With our replication set and ready, we can test if the configuration is really working by adding a new user on the Provider and see if the user details will be updated on the consumer server.
vim test-user.ldif
Adjust the DNs below to match your base DN:
dn: uid=usertest,ou=people,dc=ldapmaster,dc=neveropen,dc=com
cn: usertest
gidnumber: 10050
homedirectory: /home/usertest
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
shadowinactive: 7
shadowlastchange: 0
shadowmax: 60
shadowmin: 1
shadowwarning: 7
sn: Doe
uid: usertest
uidnumber: 10050
userpassword: {SSHA}vg5PjAkA2mKNjrxAg5hgrwm06yf87ybfu

dn: cn=usertest,ou=groups,dc=ldapmaster,dc=neveropen,dc=com
cn: usertest
gidnumber: 10050
memberuid: usertest
objectclass: posixGroup
Add the entry:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f test-user.ldif
Now check on the consumer if the new entry has been added:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "ou=people,dc=ldapmaster,dc=neveropen,dc=com" dn -Q -LLL
My output:
dn: uid=vshamallah,ou=people,dc=ldapmaster,dc=neveropen,dc=com
dn: uid=usertest,ou=people,dc=ldapmaster,dc=neveropen,dc=com
We can confirm that the user usertest has been replicated on the consumer server.
We can also try resetting the password for the user and check if we can authenticate from the consumer server.
On the master:
[root@ldapmaster ~]# ldappasswd -x -h ldapmaster.geeksforgeeks.org \
-D "cn=admin,dc=ldapmaster,dc=neveropen,dc=com" \
-S "uid=usertest,ou=people,dc=ldapmaster,dc=neveropen,dc=com" -W
Use the ldapwhoami command on the consumer server to bind as the user whose password we have just reset and check the response:
[root@consumer ~]# ldapwhoami -x -h consumer.geeksforgeeks.org -D "uid=usertest,ou=people,dc=ldapmaster,dc=neveropen,dc=com" -W -vvv
ldap_initialize( ldap://consumer.geeksforgeeks.org )
Enter LDAP Password:
dn:uid=usertest,ou=people,dc=ldapmaster,dc=neveropen,dc=com
Result: Success (0)
The output for the above command should return Result: Success (0) for a successful request. This means that the password change update from the provider has been replicated on the consumer server.
That therefore confirms that our Provider-Consumer replication is working as required.
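Beyond a one-off user test, a practitioner usually wants an automated check that the consumer has actually caught up. Syncrepl keeps a contextCSN attribute on the base entry of every replica; when provider and consumer report the same value, the consumer is in sync. The script below is an added example, not part of the original guide: it assumes the guide's base DN and the two LDAP URLs, and the sample LDIF output it carries is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report whether the consumer has
# caught up with the provider by comparing the contextCSN attribute that syncrepl
# maintains on the base entry of each server. Assumes the guide's base DN; the
# sample ldapsearch output below is constructed for illustration.

BASE_DN="dc=ldapmaster,dc=neveropen,dc=com"

# Print the contextCSN value(s) from LDIF on stdin, sorted so that a multi-master
# setup (one contextCSN per serverID) compares equal regardless of order.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Query one server's base entry for contextCSN (network call; $1 is an LDAP URL).
fetch_csn() {
    ldapsearch -x -H "$1" -b "$BASE_DN" -s base -LLL contextCSN | extract_csn
}

# Succeed only when both CSN sets are non-empty and identical: an empty set means
# the query failed or syncrepl never ran, which must not pass as "in sync".
csn_in_sync() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample output, as ldapsearch -LLL would print it on each server.
SAMPLE_PROVIDER='dn: dc=ldapmaster,dc=neveropen,dc=com
contextCSN: 20240102120000.000000Z#000000#000#000000'
SAMPLE_CONSUMER_LAGGING='dn: dc=ldapmaster,dc=neveropen,dc=com
contextCSN: 20240101090000.000000Z#000000#000#000000'

# Compare two LDIF texts offline; returns 0 when in sync, 1 otherwise.
compare_ldif() {
    p=$(printf '%s\n' "$1" | extract_csn)
    c=$(printf '%s\n' "$2" | extract_csn)
    csn_in_sync "$p" "$c"
}

# Live check when run as: ./check-replication.sh ldap://provider ldap://consumer
if [ "$#" -eq 2 ]; then
    p=$(fetch_csn "$1")
    c=$(fetch_csn "$2")
    if csn_in_sync "$p" "$c"; then
        echo "in sync: $p"
    else
        echo "replication lag or failure: provider=[$p] consumer=[$c]" >&2
        exit 1
    fi
fi
```

Run it from cron or a monitoring hook; a non-zero exit means the consumer is stale or unreachable, which is worth alerting on because clients bound to a lagging consumer would still accept passwords that have since been changed on the provider.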