Configure OpenLDAP replication on Debian 8 (Jessie)

Configure OpenLDAP replication on Debian 8 (Jessie)

Requirements

Two Debian 8 installation with OpenLDAP
A user account in the directory for the syncing
- This tutorial assumes cn=ldapsync,ou=people,dc=my,dc=domain,dc=tld
First server is configured per Install and configure OpenLDAP on Debian 8 (Jessie)
Other server is configured per Install and configure OpenLDAP on Debian 8 (Jessie), but only until (and including) the “Add some data” step.

Notes

This tutorial shows how to do master → slave replication. Only the master will accept writes!

Configure the Master

Give the sync account the necessary right to read everything. This includes passwords!
- Simply modify the access.ldif in the “Enforce Authorization” step to include the sync account like the admin account.
Create a syncmod.ldif, index.ldif file and a sync.ldif file:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID,entryCSN eq

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

Apply them in that order with ldapmodify

Configure the Slave

Also apply the syncmod.ldif and index.ldif files.
Create a sync.ldif file:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ip.of.your.server/
  bindmethod=simple
  binddn="cn=ldapsync,ou=people,dc=my,dc=domain,dc=tld"
  credentials=syncaccountpassword
  searchbase="dc=my,dc=domain,dc=tld"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:00:30
  starttls=yes
  tls_reqcert=allow

Apply it with ldapmodify

Table of Contents

Configure OpenLDAP replication on Debian 8 (Jessie)

Requirements

Notes

Configure the Master

Configure the Slave