Configure Delta-Syncrepl
Producer/Consumer Replication (PCR)
Using SLAPD.conf
Configure the Producer server (adjusting Credentials, URIs and Directory paths as necessary)
vi slapd.conf
In the global section include the following:
SyncProv and Accesslog Modules
moduleload syncprov.la
moduleload accesslog.la
In the mdb database section include the following:
Indexing
index entryCSN,entryUUID eq
SyncProv and Accesslog Overlays
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 24:00 01+00:00
Create a new database section above the Monitor Database section that includes the following:
Accesslog database
database mdb
rootdn "cn=config"
directory /var/symas/openldap-data/accesslog
maxsize 5120000
suffix "cn=accesslog"
index default eq
index objectClass
index entryCSN
index reqDN,reqEnd,reqResult,reqStart
Define the syncprov overlay for the Accesslog database
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
ESC :wq (Save changes and quit)
Create a new database directory to match the configuration setting
mkdir /var/symas/openldap-data/accesslog
Configure the Consumer server (adjusting Credentials, URIs and Directory paths as necessary)
vi slapd.conf
In the global section include the following:
Back_LDAP Module
moduleload back_ldap.la
Chaining Overlay
overlay chain
chain-uri "ldap://producer.ldap/"
chain-idassert-bind bindmethod="simple" binddn="dc=example,dc=com" credentials="secret" mode="self"
chain-return-error TRUE
In the database section include the following:
Indexing
index entryCSN,entryUUID eq
Syncrepl
syncrepl
rid=1
provider="ldap://producer.ldap/"
binddn="dc=example,dc=com"
credentials=secret
bindmethod=simple
searchbase="dc=example,dc=com"
type=refreshAndPersist
retry="60 +"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
syncdata=accesslog
schemachecking=on
network-timeout=30
keepalive=180:3:60
Update Referral
updateref "ldap://producer.ldap/"
ESC :wq (Save changes and quit)
Run slapindex on both VMs (it reads slapd.conf and builds the indexes added above)
slapindex -q
Run a slaptest on the slapd.conf file on both VMs to test for potential failures before starting the solserver (slapd service)
slaptest -f slapd.conf -d stats,sync
Start solserver on both VMs
service solserver start
Using SLAPD.D
This requires the cn=config database to be configured with a rootpw. In the examples below the rootdn is cn=config and the rootpw is secret. Passing the password on the command line with -w exposes it in the process list and shell history; -W prompts for it instead.
- Configure the Producer server (adjusting Credentials, URIs and Directory paths as necessary)
In the CN=Config section include the SyncProv and Accesslog Modules
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: syncprov.la
-
add: olcModuleload
olcModuleload: accesslog.la
In the Database={1}mdb section include the following:
Indexing
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
SyncProv Overlay
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 10000
Create a new database that includes the following:
Accesslog database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data/accesslog
olcAddContentAcl: FALSE
olcDbIndex: default eq
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: reqDN eq
olcDbIndex: reqStart eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbMaxEntrySize: 0
olcDbMaxReaders: 0
olcDbMaxSize: 5120000
olcDbMode: 0600
olcDbMultivalHi: 4294967295
olcDbMultivalLo: 4294967295
olcDbNoSync: FALSE
olcDbRtxnSize: 10000
olcDbSearchStack: 16
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: TRUE
olcReadOnly: FALSE
olcRootDN: cn=config
olcSuffix: cn=accesslog
olcSyncUseSubentry: FALSE
Define only the syncprov overlay for the Accesslog database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
Add the Accesslog Overlay to Database={1}mdb
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
olcAccessLogDB: cn=accesslog
olcOverlay: {0}accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 24:00 1+00:00
olcAccessLogSuccess: TRUE
Create a new database directory
mkdir /var/symas/openldap-data/accesslog
- Configure the Consumer (adjusting Credentials, URIs and Directory paths as necessary)
In the cn=module{0} entry include the following:
Back_LDAP Module
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: back_ldap.la
In the Database={-1}frontend section include the following:
Chaining Overlay
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcChainConfig
objectClass: olcOverlayConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcChainDatabase
objectClass: olcLDAPConfig
olcDatabase: {0}ldap
olcDbCancel: abandon
olcDbChaseReferrals: TRUE
olcDbConnectionPoolMax: 16
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="dc=example,dc=com" credentials="secret" keepalive=0:0:0
olcDbKeepalive: 0:0:0
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: FALSE
olcDbRebindAsUser: FALSE
olcDbSessionTrackingRequest: FALSE
olcDbSingleConn: FALSE
olcDbStartTLS: none starttls=no
olcDbTFSupport: no
olcDbURI: "ldap://producer.ldap"
olcDbUseTemporaryConn: FALSE
In the Database={1}MDB section include the following:
Indexing
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
Syncrepl
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://producer.ldap bindmethod=simple
  binddn="dc=example,dc=com"
  credentials="secret" searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="60 +" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog schemachecking=on network-timeout=30
  keepalive=180:3:60
Update Referral
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcUpdateRef
olcUpdateRef: ldap://producer.ldap/
Run a slaptest of slapd.d on both VMs to test for potential failures before starting the solserver (slapd service)
slaptest -F slapd.d -d stats,sync
Multi-Master Replication (MMR)
Using SLAPD.conf
Configure the First Producer server (adjusting Credentials, URIs and Directory paths as necessary)
vi slapd.conf
In the global section include the following:
Server ID (place as the first line of the file)
serverid 001 ldap://producer.ldap/
SyncProv and Accesslog Modules
moduleload syncprov.la
moduleload accesslog.la
In the mdb database section include the following:
Indexing
index entryCSN,entryUUID eq
Syncrepl
syncrepl
rid=1
provider="ldap://consumer.ldap/"
binddn="dc=example,dc=com"
credentials=secret
bindmethod=simple
searchbase="dc=example,dc=com"
type=refreshAndPersist
retry="60 +"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
syncdata=accesslog
schemachecking=on
network-timeout=30
keepalive=180:3:60
mirrormode TRUE
SyncProv and Accesslog Overlays
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 24:00 01+00:00
Create a new database section above the Monitor Database section that includes the following:
Accesslog database
database mdb
rootdn "cn=config"
directory /var/symas/openldap-data/accesslog
maxsize 5120000
suffix "cn=accesslog"
index default eq
index objectClass
index entryCSN
index reqDN,reqEnd,reqResult,reqStart
Define only the syncprov overlay for the Accesslog database
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
ESC :wq (Save changes and quit)
Create the accesslog database directory
mkdir /var/symas/openldap-data/accesslog
Configure the Second Producer server
vi slapd.conf
In the global section include the following:
Server ID (place as the first line of the file)
serverid 002 ldap://consumer.ldap/
SyncProv and Accesslog Modules
moduleload syncprov.la
moduleload accesslog.la
In the mdb database section include the following:
Indexing
index entryCSN,entryUUID eq
Syncrepl
syncrepl
rid=1
provider="ldap://producer.ldap/"
binddn="dc=example,dc=com"
credentials=secret
bindmethod=simple
searchbase="dc=example,dc=com"
type=refreshAndPersist
retry="60 +"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
syncdata=accesslog
schemachecking=on
network-timeout=30
keepalive=180:3:60
mirrormode TRUE
SyncProv and Accesslog Overlays
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10000
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 24:00 01+00:00
Create a new database section above the Monitor Database section that includes the following:
Accesslog database
database mdb
rootdn "cn=config"
directory /var/symas/openldap-data/accesslog
maxsize 5120000
suffix "cn=accesslog"
index default eq
index objectClass
index entryCSN,entryUUID
index reqEnd,reqResult,reqStart
Define only the syncprov overlay for the Accesslog database
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
ESC :wq (Save changes and quit)
Create a new database directory
mkdir /var/symas/openldap-data/accesslog
Run slapindex and a slaptest on the slapd.conf file on both VMs to test for potential failures before starting the solserver (slapd service)
slapindex -q
slaptest -f slapd.conf -d stats,sync
Start solserver on both VMs
service solserver start
Using SLAPD.D
This requires the cn=config database to be configured with a rootpw. In the examples below the rootdn is cn=config and the rootpw is secret.
- Configure the 1st Producer server (adjusting Credentials, URIs and Directory paths as necessary)
In the CN=Config section include the following:
Server ID (place as the first line of the file)
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 001 ldap://producer.ldap/
SyncProv and Accesslog Modules
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: syncprov.la
-
add: olcModuleload
olcModuleload: accesslog.la
In the Database={1}MDB section include the following:
Indexing
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
Syncrepl
ldapmodify -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://consumer.ldap
  bindmethod=simple binddn="dc=example,dc=com"
  credentials="secret" searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="60 +" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog schemachecking=on network-timeout=30
  keepalive=180:3:60
-
add: olcMirrorMode
olcMirrorMode: TRUE
SyncProv Overlay
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 10000
Create a new database that includes the following:
Accesslog database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data/accesslog
olcAddContentAcl: FALSE
olcDbIndex: default eq
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: reqDN eq
olcDbIndex: reqStart eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbMaxEntrySize: 0
olcDbMaxReaders: 0
olcDbMaxSize: 5120000
olcDbMode: 0600
olcDbMultivalHi: 4294967295
olcDbMultivalLo: 4294967295
olcDbNoSync: FALSE
olcDbRtxnSize: 10000
olcDbSearchStack: 16
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: TRUE
olcReadOnly: FALSE
olcRootDN: cn=config
olcSuffix: cn=accesslog
olcSyncUseSubentry: FALSE
Define only the syncprov overlay for the Accesslog database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
Add the AccessLog Overlay to the MDB database
ldapadd -x -H ldap://producer.ldap -D cn=config -w secret
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
olcAccessLogDB: cn=accesslog
olcOverlay: {0}accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 24:00 1+00:00
olcAccessLogSuccess: TRUE
Create a clean accesslog database directory (this removes any existing accesslog data first)
rm -rf /var/symas/openldap-data/accesslog/
mkdir /var/symas/openldap-data/accesslog
- Configure the 2nd Producer server (adjusting Credentials, URIs and Directory paths as necessary)
In the CN=Config section include the following:
Server ID (place as the first line of the file)
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 002 ldap://consumer.ldap/
SyncProv and Accesslog Modules
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleload
olcModuleload: syncprov.la
-
add: olcModuleload
olcModuleload: accesslog.la
In the Database={1}MDB section include the following:
Indexing
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
Syncrepl
ldapmodify -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://producer.ldap bindmethod=simple
  binddn="dc=example,dc=com"
  credentials="secret" searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="60 +" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog schemachecking=on network-timeout=30
  keepalive=180:3:60
-
add: olcMirrorMode
olcMirrorMode: TRUE
SyncProv Overlay
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 10000
Create a new database that includes the following:
Accesslog database
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data/accesslog
olcAddContentAcl: FALSE
olcDbIndex: default eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: reqStart eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbIndex: reqDN
olcDbMaxEntrySize: 0
olcDbMaxReaders: 0
olcDbMaxSize: 5120000
olcDbMode: 0600
olcDbMultivalHi: 4294967295
olcDbMultivalLo: 4294967295
olcDbNoSync: FALSE
olcDbRtxnSize: 10000
olcDbSearchStack: 16
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: TRUE
olcReadOnly: FALSE
olcRootDN: cn=config
olcSuffix: cn=accesslog
olcSyncUseSubentry: FALSE
Define only the syncprov overlay for the Accesslog database
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
Add the AccessLog Overlay to the MDB Database
ldapadd -x -H ldap://consumer.ldap -D cn=config -w secret
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
olcAccessLogDB: cn=accesslog
olcOverlay: {0}accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 24:00 1+00:00
olcAccessLogSuccess: TRUE
Create a new database directory
mkdir /var/symas/openldap-data/accesslog
Run a slaptest of slapd.d on both VMs to test for potential failures before starting the solserver (slapd service)
slaptest -F slapd.d -d stats,sync
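Once slapd is running, the check that tells you whether either setup above (PCR consumer or the MMR pair) has actually converged is to compare contextCSN per server ID on both servers. This added example is not part of the Symas how-to; it parses constructed sample output in the shape returned by `ldapsearch -LLL -x -s base -b dc=example,dc=com contextCSN` on each server (serverid 001 and 002 from the MMR section) and reports, per server ID, whether the consumer is in sync and otherwise how far behind it is.

```python
import re
from datetime import datetime, timezone

# contextCSN syntax: <YYYYmmddHHMMSS>.<usec>Z#<count>#<sid>#<mod>; in MMR it is
# multi-valued, one value per serverID (sid), so values are compared sid by sid.
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")

# Constructed sample output of `ldapsearch -LLL -x -s base -b dc=example,dc=com contextCSN`
# from the two servers configured above (serverid 001 and 002).
PRODUCER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20240105120000.000000Z#000000#001#000000
contextCSN: 20240105115900.000000Z#000000#002#000000
"""
CONSUMER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20240105115800.000000Z#000000#001#000000
contextCSN: 20240105115900.000000Z#000000#002#000000
"""

def parse_csn(value):
    """Split one contextCSN into comparable parts (time, change count, sid)."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed contextCSN: {value!r}")
    ts, usec, count, sid, _mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(usec))
    return {"sid": sid.lower(), "time": when, "count": int(count, 16), "raw": value.strip()}

def csns_from_ldif(ldif_text):
    """Collect contextCSN values from ldapsearch LDIF output, keyed by sid."""
    found = {}
    for line in ldif_text.splitlines():
        if line.startswith("contextCSN:"):
            csn = parse_csn(line.split(":", 1)[1])
            found[csn["sid"]] = csn
    return found

def compare(producer_ldif, consumer_ldif):
    """Per sid: ('in-sync', 0.0), ('consumer-behind'|'consumer-ahead', seconds), or ('missing', None)."""
    prod, cons = csns_from_ldif(producer_ldif), csns_from_ldif(consumer_ldif)
    report = {}
    for sid, p in prod.items():
        c = cons.get(sid)
        if c is None:
            report[sid] = ("missing", None)          # consumer has no CSN for this sid at all
        elif c["raw"] == p["raw"]:
            report[sid] = ("in-sync", 0.0)
        else:
            behind = (c["time"], c["count"]) < (p["time"], p["count"])
            lag = abs((p["time"] - c["time"]).total_seconds())
            report[sid] = ("consumer-behind" if behind else "consumer-ahead", lag)
    return report
```

A sid reported as missing on an MMR peer usually means that peer has never received a write originating from that server, which is worth checking before trusting the pair as converged.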