I am going to share some user accounts and directories over NFS among 2~3 servers. Traditionally one would use NFS+NIS, but I would like to try out NFS+LDAP+PAM/NSS plus OpenLDAP mirror mode replication.
For LDAP + PAM/NSS, please refer to my other article: LDAP + Samba PDC + PAM/NSS on Debian Lenny HOWTO
Add OpenLDAP mirror mode replication to existing server
Refer to the OpenLDAP Software 2.4 Administrator's Guide: Replication, then add the following EXTRA setup to /etc/ldap/slapd.conf:
# Global section
serverID 1
loglevel sync stats
moduleload syncprov
# Database section: the following directives belong inside the existing "database" definition
rootdn "cn=admin,dc=example,dc=com"
# replace CHANGE with a real password (preferably a hash generated with slappasswd)
rootpw CHANGE
# syncprov specific indexing
index entryCSN eq
index entryUUID eq
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# syncrepl directive (continuation lines must start with whitespace)
syncrepl rid=001
    provider=ldap://server2.example.com
    bindmethod=simple
    binddn="cn=admin,dc=example,dc=com"
    credentials=CHANGE
    searchbase="dc=example,dc=com"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
Copy & paste this setup to your server2, changing the serverID and provider accordingly (a different serverID, and provider pointing back at server1).
My suggested deployment procedure
- Shut down both the master and slave OpenLDAP servers with:
  /etc/init.d/slapd stop
- Back up the existing LDAP database under the home directory:
  slapcat > ~/master.ldif
- Transfer master.ldif to the slave server.
- Transfer the master's /etc/ldap/slapd.conf to the slave server, and update it accordingly.
- Flush and import the existing LDAP database on the slave server:
  rm -rf /var/lib/ldap/*
  slapadd -l ~/master.ldif
  slapindex
  chown -Rf openldap:openldap /var/lib/ldap
- Start the master server, and then the slave server, with:
  /etc/init.d/slapd start
My main tip: always BACKUP before a critical action :D
Debug the replication
Since we turned on syslog logging for slapd (loglevel sync stats above), we can follow it with:
tail -f -n 50 /var/log/syslog | grep slapd
Update some record from either the master or the slave server, check the log, and browse the replication result on the other server. Done :D
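Beyond watching the log, the reliable way to confirm both mirrors have converged is to compare the contextCSN values each provider reports for every serverID (for example via `ldapsearch -x -LLL -H ldap://server1.example.com -b dc=example,dc=com -s base contextCSN`). The following is an added Python example, not code from the original article; the two LDIF dumps are constructed, and the base DN and two-server setup are taken from the configuration above.

```python
import re

# contextCSN layout: <UTC time>.<usec>Z#<change count>#<serverID>#<mod count>
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)

def parse_csn(value):
    """Return (time, usec, count, sid, mod); tuples compare in CSN order."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a CSN: {value!r}")
    t, usec, count, sid, mod = m.groups()
    return (t, int(usec), int(count, 16), int(sid, 16), int(mod, 16))

def context_csns(ldif):
    """Map serverID -> CSN tuple; in mirror mode each provider keeps one contextCSN per serverID."""
    out = {}
    for line in ldif.splitlines():
        if line.lower().startswith("contextcsn:"):
            csn = parse_csn(line.split(":", 1)[1])
            out[csn[3]] = csn
    return out

def compare(ldif_a, ldif_b):
    """Per serverID: 'in sync', 'A ahead', 'B ahead', or which side lacks it entirely."""
    a, b = context_csns(ldif_a), context_csns(ldif_b)
    report = {}
    for sid in sorted(set(a) | set(b)):
        ca, cb = a.get(sid), b.get(sid)
        if ca is None or cb is None:
            report[sid] = "missing on " + ("A" if ca is None else "B")
        elif ca == cb:
            report[sid] = "in sync"
        else:
            report[sid] = "A ahead" if ca > cb else "B ahead"
    return report

# Constructed sample dumps standing in for each server's ldapsearch output.
SERVER1 = """dn: dc=example,dc=com
contextCSN: 20100101120000.000000Z#000000#001#000000
contextCSN: 20100101115900.000000Z#000000#002#000000
"""
SERVER2 = """dn: dc=example,dc=com
contextCSN: 20100101120000.000000Z#000000#001#000000
contextCSN: 20100101120030.000000Z#000000#002#000000
"""

if __name__ == "__main__":
    for sid, state in compare(SERVER1, SERVER2).items():
        print(f"serverID {sid}: {state}")
```

A "B ahead" entry for a serverID means server1 has not yet received server2's latest change for that ID; a persistent lag or a missing serverID is what to investigate in the slapd log.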