Multi-master OpenLDAP with three or more nodes

Going from a two-node multi-master configuration to one with more than two nodes is not really complex once you have understood what is done in the two-node configuration:

  • In the two-node configuration, each node has a different ServerID, and the same holds for N nodes. To let the local LDAP server differentiate between the various masters, the configuration now lists one ServerID directive per node, followed by the LDAP URI used to connect to that server.

  • In the two-node configuration, you set up a single syncrepl directive because only two nodes talk to each other, schematically 1 ↔ 2. With N nodes, you set up one syncrepl directive for each other node, so basically N-1 syncrepl directives that differ by their RID (replication ID).

In fact you can write N syncrepl directives in your configuration file (including one pointing back to the node itself); it will not break the configuration, and it allows you to use exactly the same configuration file on every node.

So the slapd.conf configuration file now looks like this:

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Accepts LDAPv2 binds. Nothing in the replication setup below needs it;
# keep it only if legacy clients still require LDAPv2.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# 16384 is the "sync" log level: logs syncrepl consumer/provider activity,
# which is what you want to watch while bringing up additional masters.
loglevel 16384

modulepath /usr/lib64/openldap
moduleload syncprov

# One serverID per master, each followed by the URI slapd uses to recognise
# itself. The full list is identical on every node (the matching entry is
# selected from the node's own listener URI), so this file can be copied
# unchanged to ldap1, ldap2 and ldap3.
serverID 1 ldap://ldap1/
serverID 2 ldap://ldap2/
serverID 3 ldap://ldap3/

#########################################
# Main LDAP database #
#########################################

database bdb
suffix "dc=begetest,dc=net"
checkpoint 1024 15
rootdn "cn=manager,dc=begetest,dc=net"
# NOTE(review): the rootdn password is stored in cleartext in this file and is
# also reused as the replication credential below. slapd accepts a hashed
# value here (e.g. the {SSHA} string produced by slappasswd); restrict the
# file's permissions either way.
rootpw secret

directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# entryCSN/entryUUID equality indices support the syncrepl provider lookups.
index entryCSN,entryUUID eq

# syncprov turns this node into a replication provider for the other masters.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Replication consumers: one syncrepl block per master, each with a unique
# rid. The block whose provider is this node itself (e.g. rid=001 on ldap1)
# is left in on purpose so that the file is identical on all three nodes;
# the surrounding text states this is harmless.
#
# NOTE(review): bindmethod=simple with credentials=secret over a plain
# ldap:// provider URI sends the manager password in cleartext on the wire
# to every peer. For a real deployment, protect the connection (TLS, e.g.
# starttls=critical with tls_reqcert set) and bind as a dedicated
# replication identity with read access to the suffix instead of the rootdn.
syncrepl rid=001
         provider=ldap://ldap1:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=begetest,dc=net"
         scope=sub
         schemachecking=on
         bindmethod=simple
         binddn="cn=manager,dc=begetest,dc=net"
         credentials=secret

# Consumer for ldap2 (same caveats as rid=001).
syncrepl rid=002
         provider=ldap://ldap2:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=begetest,dc=net"
         scope=sub
         schemachecking=on
         bindmethod=simple
         binddn="cn=manager,dc=begetest,dc=net"
         credentials=secret

# Consumer for ldap3 (same caveats as rid=001).
syncrepl rid=003
         provider=ldap://ldap3:389
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=begetest,dc=net"
         scope=sub
         schemachecking=on
         bindmethod=simple
         binddn="cn=manager,dc=begetest,dc=net"
         credentials=secret

# Multi-master: this node accepts writes even though it is also a syncrepl
# consumer of the other masters.
mirrormode on

##################################################
# Database for the monitoring #
##################################################

# Monitor backend, readable only by the manager DN; everyone else is denied.
# NOTE(review): the access lines are indented, so slapd.conf treats them as a
# continuation of the "database monitor" line — confirm the ACL is actually
# applied, or start each "access to" directive at column 0.
database monitor
         access to *
         by dn.exact="cn=manager,dc=begetest,dc=net" read
         by * none

 

The parameters of interest are shown in bold. This configuration is the same on the three nodes of this sample setup, which has three hosts called ldap1, ldap2 and ldap3, with these names known to our DNS system.