Simple Directory Server 5.2 Master Replication

Posted November 17, 2006 by mcdsco in Solaris

This Tech-Recipe provides a simple way to replicate LDAP servers. Do your homework to ensure that this gives you the availability and consistency you actually need from your directory; the steps below will get you started in the right direction.


This tutorial was created by Scott McDuff, CISSP SCSA MCSE+I TCA.
([email protected])

Before we begin, you might want to refer to another one of my Tech-Recipes that covers building an LDAP server. This tutorial provides a robust directory server installation if you are not familiar with the installation process.

1. You first need to build two LDAP servers (e.g., ldapserver1 and ldapserver2). One can have your data in it, and the other can be empty. Make sure they can resolve each other’s names either through a DNS server or /etc/hosts. The /etc/hosts entry should include the following format:

#
# Internet hosts table
#
127.0.0.1 localhost loghost
192.168.1.101 ldapserver1.domain.com ldapserver1
192.168.1.102 ldapserver2.domain.com ldapserver2

Note: This is a good time to set up SSH public-key authentication between these servers so you can log in without typing a password, since you will be going back and forth between them often. This is optional, but recommended; use keys rather than empty passwords or host-based trust.

2. Next, I access my first server called ldapserver1 by issuing the following command:

# ssh -X [email protected]

The "-X" option forwards X11 through the SSH session so the console can display on your workstation. If this does not work, set X11Forwarding yes in /etc/ssh/sshd_config on the server (Solaris keeps the file under /etc/ssh) and restart sshd.

3. After you access the first server, launch the Directory Server console:

# /var/Sun/mps/startconsole &

4. Enable replication on ldapserver1.

The Sun Java System Server Console will start and display your domain, and below it, your server, which in this example is ldapserver1.domain.com. Click the symbol beside ldapserver1 to expand it, expand Server Group, and then select Directory Server. Then click the Open button at the top of the right panel.

This opens a new window. Since we are going to enable replication, click the Configuration tab, expand Data, and then expand your suffix (dc=domain,dc=com). Click Replication (Disabled) and then click the Enable Replication button. Select the Master Replication radio button. Choose a Replication ID for this master replica (an integer between 1 and 65534); I chose 777. The default changelog should be fine for your purposes. Click Next; the wizard creates the changelog and prompts you for the replication manager password if you have not already set one (I had entered it earlier, so it did not prompt me). Pick a strong password here: it is the credential the other master will use to push changes into this server. You should then receive a message stating that replication is now enabled. Close the window.

Now, repeat Steps 3 and 4 on ldapserver2, but enter a different Replication ID (I used 777 on ldapserver1, so I will use 778 on ldapserver2). Replication IDs must be unique across all masters that replicate the same suffix.

5. Now we create the replication agreements. Because both servers are masters, each one gets an agreement that pushes its changes to the other. Here we go.

    1. Open the ldapserver1 console. You should still have Replication selected. Click the New button in the right panel to create a replication agreement. Click the Other button and enter ldapserver2.domain.com with a port number of 389. Click OK. In the Password window, type the replication manager password you assigned during the replication wizard (I used Password#1), then click OK. It asks whether you want to check the connection; select Yes. You should get a message stating that it can connect. Click OK. Note that port 389 is clear-text LDAP, so the replication manager password and every replicated entry cross the network unencrypted; if you have SSL configured on both servers, use the secure port instead.
    2. Repeat step 1 from the ldapserver2 console, entering ldapserver1.domain.com as the remote host.
    3. Back on ldapserver1, click ldapserver2.domain.com in the replication window, click the Action button at the bottom of the right panel, and select Initialize Remote Replica. Click Yes. (ALL DATA ON LDAPSERVER2 WILL BE REPLACED with a copy of ldapserver1's data. Make sure you are initializing in the right direction.)

Now we have replication working from ldapserver1 to ldapserver2, and that is the way I am going to leave it: do all of your administration on ldapserver1, and it will automatically push the data to ldapserver2. Keep in mind that the agreement you created in the other direction means a change made on ldapserver2 replicates back to ldapserver1 as well, which is what makes this multi-master; do not treat ldapserver2 as read-only just because you never administer it.
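A way to confirm from the command line that the agreements you just created are actually pushing, as an added example that is not part of this Tech-Recipe: DS 5.2 stores each agreement as an nsds5replicationagreement entry under cn=config and records the result of the last push in nsds5replicaLastUpdateStatus. Dump those entries with ldapsearch bound as Directory Manager and run the script over the output. The SAMPLE_LDIF it carries is constructed so it runs offline, and the hosts, the ldapserver3 entry and the exact status message texts are illustrative; the ldapsearch options and attribute names are the server's own.

```python
"""Report Directory Server 5.2 replication agreement status from ldapsearch LDIF.

Added example, not code from the original Tech-Recipe.  Assumes the output of
  ldapsearch -h ldapserver1 -D "cn=Directory Manager" -w <pw> -b cn=config "(objectclass=nsds5replicationagreement)"
was saved to a file; SAMPLE_LDIF is a constructed stand-in so this runs offline.
"""
import base64
import sys

# Constructed sample (not captured from a real server): one agreement healthy
# after Initialize Remote Replica, one whose consumer cannot be reached.  The
# long dn is folded the way ldapsearch folds lines over 76 characters, and the
# message text after the numeric status code is illustrative only.
SAMPLE_LDIF = """\
version: 1
dn: cn=ldapserver2.domain.com:389,cn=replica,cn="dc=domain,dc=com",cn=mapping t
 ree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ldapserver2.domain.com:389
nsds5replicaHost: ldapserver2.domain.com
nsds5replicaPort: 389
nsds5replicaTransportInfo: LDAP
nsds5replicaBindDN: cn=Replication Manager,cn=replication,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully
nsds5replicaLastInitStatus: 0 Total update succeeded

dn: cn=ldapserver3.domain.com:389,cn=replica,cn="dc=domain,dc=com",cn=mapping t
 ree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ldapserver3.domain.com:389
nsds5replicaHost: ldapserver3.domain.com
nsds5replicaPort: 389
nsds5replicaTransportInfo: LDAP
nsds5replicaLastUpdateStatus: 81 Can't contact LDAP server
"""


def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}]: unfolds continuation lines (one
    leading space), base64-decodes '::' values and lower-cases attribute names,
    since LDAP compares attribute names case-insensitively."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":          # a dn line starts a new entry
            current = {}
            entries.append(current)
        if current is not None:   # skips "version: 1" and anything before the first dn
            current.setdefault(attr, []).append(value)
    return entries


def check_agreements(entries):
    """One report per nsds5replicationagreement entry.  DS 5.2 records the last
    push to the consumer in nsds5replicaLastUpdateStatus as "<code> <message>":
    code 0 means the consumer was acquired and updated, anything else means it is
    falling behind.  nsds5replicaLastInitStatus holds the result of the last
    Initialize Remote Replica in the same form."""
    reports = []
    for e in entries:
        if "nsds5replicationagreement" not in map(str.lower, e.get("objectclass", [])):
            continue
        update = e.get("nsds5replicalastupdatestatus", [""])[0]
        init = e.get("nsds5replicalastinitstatus", [""])[0]
        transport = e.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
        problems, warnings = [], []
        if not update.startswith("0 "):
            problems.append("last update failed or never ran: " + (update or "(none)"))
        if init and not init.startswith("0 "):
            problems.append("last initialization failed: " + init)
        if transport == "LDAP":   # port 389 as in the recipe
            warnings.append("clear-text transport: the replication manager password "
                            "and every replicated entry cross the wire unencrypted; use SSL")
        reports.append({"dn": e["dn"][0], "host": e.get("nsds5replicahost", ["?"])[0],
                        "port": e.get("nsds5replicaport", ["?"])[0],
                        "transport": transport, "healthy": not problems,
                        "problems": problems, "warnings": warnings})
    return reports


def summarize(text):
    return check_agreements(parse_ldif(text))


if __name__ == "__main__":
    for r in summarize(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF):
        print(f"{r['host']}:{r['port']} [{r['transport']}] {'OK' if r['healthy'] else 'FAIL'}")
        for note in r["problems"] + r["warnings"]:
            print("   -", note)
```

Run it as python3 check_repl.py agreements.ldif (with no argument it reports on the constructed sample). A non-zero code in nsds5replicaLastUpdateStatus right after the initialization step usually means the remote host name does not resolve or the replication manager password differs between the two servers, which are exactly the two things the /etc/hosts entries and the password dialog above were meant to get right. Run it against both masters: each one has its own agreement, and a healthy push in one direction says nothing about the other.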

Lastly, we need to change our clients to point at both servers. Here is the ldapclient command from my first document with the second server added to defaultServerList (comma-separated, no spaces). You will also have to go back and fix /etc/nsswitch.conf afterwards, because ldapclient init rewrites it:

# ldapclient init -a profileName=default \
-a domainName=domain.com \
-a proxyDN=cn=proxyagent,ou=profile,dc=domain,dc=com \
-a proxyPassword=differentpasswd \
-a defaultServerList=192.168.1.101,192.168.1.102

(ldapclient should report that the system was successfully configured.) Note that proxyPassword given on the command line ends up in your shell history and is visible in ps while the command runs, so clear the history entry afterwards.

# vi /etc/nsswitch.conf –> It should look like this:

passwd: files ldap
group: files ldap
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
