Configure OpenLDAP replication on Debian 8 (Jessie)


  • This tutorial shows how to do master → slave replication (in OpenLDAP terms: provider → consumer). Only the master will accept writes! The slave's database is a read-only shadow copy and refuses writes.

  • Give the sync account read access to everything. This includes userPassword: the slave has to receive the password hashes, otherwise nobody can authenticate against it.
    • Simply modify the access.ldif from the “Enforce Authorization” step so that the sync account is listed next to the admin account, but with read access only (it never needs to write).
  • On the master, create a syncmod.ldif (loads the syncprov module), an index.ldif (indexes entryUUID and entryCSN, the attributes syncrepl searches on) and a third file for the syncprov overlay:
  • syncmod.ldif:
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: syncprov.la
  • index.ldif:
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: entryUUID,entryCSN eq
  • syncprov overlay:
    dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
    changetype: add
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
  • Apply them in that order with ldapmodify. The order matters: the overlay can only be added once the module is loaded. ldapmodify handles the changetype: add entry as well, so ldapadd is not needed.

  • On the slave, also apply the syncmod.ldif and index.ldif files from above.
  • Then create a sync.ldif file that turns the slave's database into a syncrepl consumer:
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=001
      provider=ldap://ip.of.your.server/
      bindmethod=simple
      binddn="cn=ldapsync,ou=people,dc=my,dc=domain,dc=tld"
      credentials=syncaccountpassword
      searchbase="dc=my,dc=domain,dc=tld"
      scope=sub
      schemachecking=on
      type=refreshAndPersist
      retry="30 5 300 3"
      interval=00:00:00:30
      starttls=yes
      tls_reqcert=allow
  • Apply it with ldapmodify. The slave then opens a refreshAndPersist session to the master and keeps it open, so changes on the master show up on the slave almost immediately.
  • A few things to check in the olcSyncRepl values before using them in production:
    • starttls=yes only tries StartTLS; if the StartTLS request fails, the session silently continues in plain text. Use starttls=critical to abort instead.
    • tls_reqcert=allow accepts any certificate the provider presents, so a man-in-the-middle can obtain the sync credentials and the whole directory including password hashes. Use tls_reqcert=demand together with tls_cacert=/path/to/ca.pem, and put a host name that matches the certificate in provider= instead of an IP address.
    • retry="30 5 300 3" means: retry 5 times every 30 seconds, then 3 times every 300 seconds, then give up; after that slapd has to be restarted to resume replication. Use + as the last count (retry="30 5 300 +") to retry indefinitely.
    • interval= is only used with type=refreshOnly and is ignored with refreshAndPersist.
    • credentials= is stored in clear text in cn=config (under /etc/ldap/slapd.d), so restrict access to that directory and do not leave copies of sync.ldif lying around.
    • Optionally add olcUpdateRef: ldap://ip.of.your.server/ to the same database on the slave, so that write attempts are answered with a referral to the master instead of a plain error.
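The whole procedure as an added example that is not part of the original tutorial: a POSIX shell script that applies the three provider LDIFs in the required order with ldapmodify, writes a consumer LDIF with the TLS and retry settings hardened (starttls=critical, tls_reqcert=demand plus tls_cacert, retry ending in +), and compares the contextCSN of master and slave to confirm the slave has caught up. The host name ldap.my.domain.tld, the CA bundle path and the script's subcommand names are assumptions; the DNs are the tutorial's placeholders.

```shell
#!/bin/sh
# Added example (not from the original tutorial): applies the provider
# LDIFs in order, builds a hardened consumer LDIF and compares the
# contextCSN of both servers. Assumptions to adapt: PROVIDER_HOST must
# match the provider's TLS certificate and CA_CERT must be its CA.
set -eu

BASE_DN="dc=my,dc=domain,dc=tld"
SYNC_DN="cn=ldapsync,ou=people,${BASE_DN}"
PROVIDER_HOST="ldap.my.domain.tld"            # assumed; must match the cert
CA_CERT="/etc/ssl/certs/ca-certificates.crt"  # assumed CA bundle

# Apply an LDIF to the local cn=config as root over the ldapi socket
# (Debian's default ACL grants root SASL EXTERNAL access to cn=config).
apply_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Provider: load the module, add the indexes, then add the overlay.
# The overlay cannot be added before the module is loaded.
configure_provider() {
    dir=$(mktemp -d)
    cat > "$dir/syncmod.ldif" <<'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
EOF
    cat > "$dir/index.ldif" <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID,entryCSN eq
EOF
    cat > "$dir/syncprov.ldif" <<'EOF'
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
EOF
    for f in syncmod index syncprov; do apply_ldif "$dir/$f.ldif"; done
    rm -rf "$dir"
}

# Consumer: the tutorial's olcSyncRepl with TLS and retry hardened.
# $1 is the sync account password. Continuation lines start with two
# spaces: LDIF strips the first, the second separates the tokens.
consumer_ldif() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://${PROVIDER_HOST}/
  bindmethod=simple
  binddn="${SYNC_DN}"
  credentials=$1
  searchbase="${BASE_DN}"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 +"
  starttls=critical
  tls_reqcert=demand
  tls_cacert=${CA_CERT}
EOF
}

configure_consumer() {
    f=$(mktemp)
    consumer_ldif "$1" > "$f"
    apply_ldif "$f"
    rm -f "$f"   # the password now lives in cn=config; keep no extra copy
}

# Pull the contextCSN out of ldapsearch output (single provider: one value).
context_csn() {
    sed -n 's/^contextCSN: //p' | head -n 1
}

# Read the suffix entry's contextCSN from a server, forcing StartTLS (-ZZ).
fetch_csn() {
    ldapsearch -LLL -x -ZZ -H "ldap://$1/" -b "$BASE_DN" -s base contextCSN | context_csn
}

# True when both values are present and identical.
csn_in_sync() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

case "${1:-}" in
    provider) configure_provider ;;
    consumer) configure_consumer "${2:?sync account password}" ;;
    check) csn_in_sync "$(fetch_csn "$2")" "$(fetch_csn "$3")" && echo "in sync" || { echo "NOT in sync" >&2; exit 1; } ;;
esac
```

Run it as root on the master with `provider`, on the slave with `consumer <password>`, and from any host with `check <master> <slave>`. contextCSN is the operational attribute on the suffix entry from which syncrepl derives its cookie, so identical values on both servers mean the slave has received every change the master has committed.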
  • tutorial/ldap/syncopenldap.txt
  • Last modified: 2017-06-16 22:00
  • by Nico Weichbrodt