This guide assumes you're familiar with OpenLDAP replication, want to use Syncrepl, are using RHEL 6 for your master and your slave(s), and have already got your directory working on the master, set permissions etc.
Step 1 - Create a read only replication account
Using your favourite tools, create a new account (objectclass = account) in your directory, with a suitable name (eg uid=replication or some such). Set a secure password on it, and make a note of that. Next, edit /etc/openldap/slapd.d/cn=config/olcDatab
olcAccess: {0}to attrs=userPassword by self =xw by dn.exact="uid=pwreset,dc=example,dc=org" =xw by dn.exact="uid=replicate,dc=example,dc=org" read by anonymous auth by * none
olcAccess: {1}to * by anonymous auth by self write by dn.exact="uid=replicate,dc=example,dc=org" read by users read by * none
Step 2 - Enable the syncprov module
On all machines (master and slaves), create a new file called cn=module{0}.ldif in /etc/openldap/slapd.d/cn=config/. Into it place:
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}back_bdb
olcModuleLoad: {1}syncprov

Note that if you're on a 32-bit system, you'll need /usr/lib/openldap, not lib64. This file will trigger the loading of the syncprov module, and the bdb one if needed. If you want to add more modules later for other things, you can either add them to the ordered olcModuleLoad list, or add cn=module{1}.ldif and list them in there.
Step 3 - Turn on syncprov for each directory
syncprov needs to be enabled for each directory, which in the default config would mean for olcDatabase={2}bdb, and possibly olcDatabase={0}config too. For now I've opted to enable syncprov for both but only pull the former; I may change that in time.
Firstly, create two new directories, /etc/openldap/slapd.d/cn=config/olcDatab
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
#
# Sync Setup for the main LDAP Database
#
olcOverlay: {0}syncprov
# Sync Checkpoints every 20 changes or 1 hour
olcSpCheckpoint: 20 60
# Keep a fair number of operations in the log
olcSpSessionlog: 1000

Restart slapd on the master server, and ensure it starts without error.
Step 4 - Configure the slave(s) to poll the master
Finally, on each slave we need to configure the directory to pull from the master. This will use the syncprov module load we set up earlier in step 2, which needs to be done for each server!
Edit your database config file, eg /etc/openldap/slapd.d/cn=config/olcDatab
olcSyncrepl: rid=135 provider="ldaps://ldap-master.example.org:389/" type=refreshAndPersist retry="60 30 300 +" searchbase="dc=example,dc=org" bindmethod=simple binddn="uid=replicate,dc=example,dc=org" credentials=MYsecurePASSWORD

The rid needs to be unique per slave and needs to be a three-digit number; I've found a suitable part of the IP address to be a good option to go for!
On each slave, ensure the directory (database) starts out empty, then start slapd. Within a short while, a search should show all the data from the master, and you're good to go!
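The rid choice the author hints at (a part of the IP address), as an added shell example that is not code from the original guide: it pads the last octet of the slave's IPv4 address to three digits, checks a set of rids for duplicates, and prints the olcSyncrepl attribute as LDIF continuation lines. The provider URL, DNs and the password placeholder are assumptions; the example uses port 636, the standard ldaps port, where the guide's URL pairs ldaps with 389.

```shell
#!/bin/sh
# Added example, not code from the original guide.
# Derives a per-slave syncrepl rid from the slave's IPv4 address, checks a
# set of rids for duplicates, and prints the olcSyncrepl attribute in LDIF form.
# Host name, DNs and the password placeholder are assumptions.

# rid_from_ip IPV4
# Prints the last octet zero-padded to three digits (000-255). syncrepl rids
# must be integers below 1000, so a single octet always fits.
rid_from_ip() {
    octet=${1##*.}
    case "$octet" in
        ''|*[!0-9]*) return 1 ;;          # not a dotted-quad address
    esac
    # strip leading zeros so printf does not read "035" as octal
    octet=$(printf '%s\n' "$octet" | sed 's/^0*\([0-9]\)/\1/')
    [ "$octet" -le 255 ] || return 1
    printf '%03d\n' "$octet"
}

# rids_unique RID...
# Exit 0 when every rid is distinct, 1 when any rid repeats (the guide
# requires each slave to have its own rid).
rids_unique() {
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    [ -z "$dups" ]
}

# syncrepl_ldif RID PROVIDER_URL
# Prints the attribute the guide adds to the slave's database config. LDIF
# continuation lines start with a single space that is stripped on parsing,
# so a second space is needed to keep the parameters separated.
syncrepl_ldif() {
    cat <<EOF
olcSyncrepl: rid=$1
  provider="$2"
  type=refreshAndPersist
  retry="60 30 300 +"
  searchbase="dc=example,dc=org"
  bindmethod=simple
  binddn="uid=replicate,dc=example,dc=org"
  credentials=REPLACE_WITH_PASSWORD
EOF
}

# Usage on a slave whose address is 10.0.0.135:
#   rid=$(rid_from_ip 10.0.0.135)                      # 135
#   syncrepl_ldif "$rid" ldaps://ldap-master.example.org:636/
```

Run rids_unique over the rids of all slaves before deploying a new one; the LDIF printed by syncrepl_ldif can be pasted into the database config file the guide names, after replacing the password placeholder.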
If you hit problems, try running /usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap -d 255 to start the server in debug mode with logging to the console (the -h argument is one quoted string listing all the URLs). The logs can be a little cryptic, but with some googling you ought to be able to work out what's wrong and fix it!
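A replication health check, as an added shell example that is not code from the original guide: it binds to the master and to a slave as the replication account (under the guide's ACLs an anonymous connection only gets auth rights), reads the contextCSN of the suffix entry on each, and reports whether the slave is in sync, behind or ahead. Host names, the suffix and the sample ldapsearch output are constructed assumptions, and a single provider (one contextCSN value per server) is assumed.

```shell
#!/bin/sh
# Added example, not code from the original guide: compare the contextCSN of
# the replicated suffix on the master and on a slave. Host names, suffix and
# the sample ldapsearch output below are constructed assumptions.

SUFFIX=${SUFFIX:-dc=example,dc=org}

# extract_csn
# Reads ldapsearch -LLL output on stdin and prints the contextCSN value(s),
# one per line, sorted so two results compare the same regardless of order.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# fetch_csn LDAP_URI BIND_DN PASSWORD
# Base-scope search for the suffix entry's contextCSN, bound as the
# replication account, since the guide's ACLs give anonymous connections
# auth rights only.
fetch_csn() {
    ldapsearch -LLL -x -H "$1" -D "$2" -w "$3" -b "$SUFFIX" -s base contextCSN \
        | extract_csn
}

# csn_status MASTER_CSN SLAVE_CSN
# A CSN starts with a UTC timestamp, so plain string order is time order
# (assuming a single provider, i.e. one contextCSN value per server).
csn_status() {
    master=$1; slave=$2
    if [ -z "$master" ] || [ -z "$slave" ]; then
        echo unknown; return
    fi
    if [ "$master" = "$slave" ]; then
        echo in-sync; return
    fi
    oldest=$(printf '%s\n%s\n' "$master" "$slave" | sort | head -n 1)
    if [ "$oldest" = "$slave" ]; then echo behind; else echo ahead; fi
}

# Constructed sample output (not captured from a real server) so the parsing
# can be exercised offline: the slave is one minute behind the master.
SAMPLE_MASTER_LDIF='dn: dc=example,dc=org
contextCSN: 20130115120000.123456Z#000000#000#000000'
SAMPLE_SLAVE_LDIF='dn: dc=example,dc=org
contextCSN: 20130115115900.000000Z#000000#000#000000'

# check_slave MASTER_URI SLAVE_URI BIND_DN PASSWORD -> prints one status line
check_slave() {
    m=$(fetch_csn "$1" "$3" "$4")
    s=$(fetch_csn "$2" "$3" "$4")
    printf '%s master=%s slave=%s\n' "$(csn_status "$m" "$s")" "${m:-none}" "${s:-none}"
}

# Usage (hypothetical host names):
#   sh check-sync.sh ldap://ldap-master.example.org/ ldap://ldap-slave1.example.org/ \
#       uid=replicate,dc=example,dc=org "$REPL_PASSWORD"
if [ "$#" -eq 4 ]; then
    check_slave "$1" "$2" "$3" "$4"
fi
```

A slave that stays "behind" after the retry interval has passed, or that reports "none" for its CSN, is the case where the guide's debug-mode start of slapd is worth running on that slave.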