Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1 - 06-04-2006, 04:44 AM - New Member (Posts: 3)
LDAP Replication Experiences

I've had a lot of trouble getting a handle on LDAP replication with Zimbra multiserver, so I thought I'd share my experiences. The following applies to ZCS Network Edition 3.1.2.

NodeA = LDAP Master
NodeB = LDAP Slave/Replica

Basic Procedure:

1) (As root) Install ZCS on NodeA, choose to install LDAP and optionally SNMP if you want it. During the configuration supply your own LDAP password, leave everything else alone and apply the configuration. Ensure that the service comes up with 'zmcontrol status' or check 'ps' for slapd.

2) (As root) Install ZCS on NodeB, choose to install LDAP along with any other options you want, such as an MTA. Set the "Ldap master host" to NodeA, change the "Ldap Password" to the password you set in step 1. Select "zimbra-ldap:" and toggle option "1" to Disable LDAP. Return to the main menu and apply the configuration.

3) (As zimbra) On both NodeA and NodeB, run the "zmupdateauthkeys" to update the SSH Authorized Keys (passwordless ssh) for each node. Make sure it actually says "updating ..." for each node, if not there is a problem.

4) (As zimbra) On NodeA, run "libexec/zmldapenablereplica". This will add the following lines to your slapd.conf:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 500

Double check this addition before proceeding.

NOTE: Zimbra uses the Sync Provider for replication, NOT SLURPD!

5) (As zimbra) On NodeB, run "zmcreateca" and then "zmcreatecert". If you did not install Zimbra Store (mail box server) on NodeB you will get several errors related to java or jre or tomcat during the run of both these commands. This is NOT a problem. Don't let it panic you. The keys you need will still be created.

6) (As zimbra) On NodeB, run "libexec/zmldapenablereplica". This will add several lines to your conf/slapd.conf, namely the "syncrepl ..." directive and an "updateref ldap://NodeA:389" line.

7) (As zimbra) On NodeB, ensure that slapd is running either using "zmcontrol status" or "ps" for slapd. If slapd refuses to start, edit "bin/ldap" and add "-d 64" to the "sudo slapd..." line. The debugging information will tip you off to the cause.

8) (As zimbra) At this point replication should be set up. slapd should be running on both nodes. You can check the LDAP directory replica on NodeB by running: "/opt/zimbra/openldap/sbin/slapcat -f /opt/zimbra/conf/slapd.conf"

If slapcat returns a big LDIF output you have LDAP replication up and running properly. If not, try restarting LDAP on NodeA, and then NodeB, and looking again.


To check LDAP replication functionality I also like to use 'ldapsearch'. In the following example my LDAP password is "zimbra123":
/opt/zimbra/openldap/bin/ldapsearch -h localhost -D 'uid=zimbra,cn=admins,cn=zimbra' -w 'zimbra123' -x -b 'cn=zimbra' -LLL '*'

Run that check on both nodes, and then run it across nodes (i.e. change "localhost" for "NodeA" from NodeB and vice versa).

Finally, to make sure everything is _really_ ok, shut down the master ("zmcontrol stop" or "bin/ldap stop") and do your ldapsearch against NodeB again.

I prefer using ldapsearch rather than zmprov for testing because I can specify exactly what to look at. Because you point the replica (NodeB) at the master even without enabling replication, a "zmprov" command can appear to be working from NodeB when in fact it's just requesting the info from the master on NodeA.

From time to time, using the ldapsearch above can also be handy for checking the consistency of the replication. A little paranoia checking. Run the search against NodeA and redirect to a file, then again against NodeB, then simply 'diff' the two LDIF outputs. If they are identical then everything is good.

A big stumbling block for me with understanding LDAP replication as Zimbra uses it was regarding the Sync Provider method of replication. I was previously only aware of using 'slurpd' for replication. If you are new to LDAP Sync as well, there is a great writeup in the OpenLDAP Admin's Guide:
http://www.openldap.org/doc/admin23/syncrepl.html

Lastly, always make sure that each node in your ZCS multiserver setup has proper local configuration settings for ldap_url and ldap_master_url:
ldap_master_url = ldap://NodeA:389
ldap_url = ldap://NodeA ldap://NodeB:389



Replication is written up in the docs, but hopefully this will clear up some points that slowed me down.

Last edited by technikolor; 06-04-2006 at 04:49 AM.
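A script for the consistency check the post describes (the same ldapsearch run against each node, then a diff of the two LDIF dumps), added here as an example and not part of the original post. It assumes the Zimbra paths and bind DN from the post, an LDAP_PW environment variable for the password, and builds its own constructed sample LDIF for a self-test so it runs without a server.

```shell
#!/bin/sh
# Added example (not from the original post): compare the LDIF the master
# (NodeA) and the replica (NodeB) return for the post's search, ignoring entry
# order and line folding, so that a diff only reports real replication drift.
# Assumes the Zimbra paths from the post and an LDAP_PW environment variable.
LDAPSEARCH=/opt/zimbra/openldap/bin/ldapsearch
BIND_DN='uid=zimbra,cn=admins,cn=zimbra'
BASE='cn=zimbra'
# The post's search against one named host: unlike zmprov on the replica, -h
# guarantees the answer really comes from that node and not from the master.
dump_ldif() {
    "$LDAPSEARCH" -h "$1" -D "$BIND_DN" -w "${LDAP_PW:?LDAP_PW not set}" \
        -x -b "$BASE" -LLL '*'
}

# Canonical form: unfold continuation lines (leading space), join each
# blank-line-separated entry onto one "|"-separated line, sort the entries.
ldif_canon() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }' "$1" |
    awk 'BEGIN { RS = ""; FS = "\n" } { gsub(/\n/, "|"); print }' | sort
}

# Return 0 when both LDIF files hold the same entries, 1 (printing a diff) otherwise.
ldif_same() {
    a=$(mktemp) && b=$(mktemp) || return 2
    ldif_canon "$1" > "$a"; ldif_canon "$2" > "$b"
    rc=0; cmp -s "$a" "$b" || { diff "$a" "$b" >&2 || :; rc=1; }
    rm -f "$a" "$b"; return $rc
}

# Live check across both nodes, e.g.: LDAP_PW=... sh ldapcheck.sh live NodeA NodeB
check_nodes() {
    a=$(mktemp) && b=$(mktemp) || return 2
    dump_ldif "$1" > "$a" && dump_ldif "$2" > "$b" && ldif_same "$a" "$b"; rc=$?
    rm -f "$a" "$b"; return $rc
}

# Constructed sample LDIF (not captured from a real server): a and b hold the same
# two entries in different order, one line folded; c lacks an entry, like a replica
# that has not caught up with the master.
write_samples() {
    printf 'dn: cn=zimbra\nobjectClass: organizationalRo\n le\n\ndn: cn=config,cn=zimbra\ncn: config\n\n' > "$1/a.ldif"
    printf 'dn: cn=config,cn=zimbra\ncn: config\n\ndn: cn=zimbra\nobjectClass: organizationalRole\n\n' > "$1/b.ldif"
    printf 'dn: cn=zimbra\nobjectClass: organizationalRole\n\n' > "$1/c.ldif"
}
case "${1-}" in
    live) check_nodes "$2" "$3" ;;
    *)    d=$(mktemp -d) && write_samples "$d" && ldif_same "$d/a.ldif" "$d/b.ldif" &&
          ! ldif_same "$d/a.ldif" "$d/c.ldif" 2>/dev/null && echo "self-test ok"; rm -rf "$d" ;;
esac
```

Run with no arguments to exercise the constructed samples; the live mode also covers the post's "shut down the master" check, since it fails visibly when NodeB cannot answer on its own.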
#2 - 06-05-2006, 01:50 PM - Zimbra Employee (Posts: 4,792)
On a side note it should be mentioned that LDAP replication is not working in 3.1.X. There was at least one bug in OpenLDAP that caused errors and LDAP to crash. Unless there is no way around it you should wait for the next patch before using LDAP replication. This is currently slated for 3.1.3.
#3 - 10-04-2006, 06:19 AM - KPX, Starter Member (Posts: 1)
LDAP Replica does not work

I am having a problem starting the openldap service on the replica server if the master server is not reachable.

The ldap service fails to start on the replica if the server is rebooted.

Basic question is, can a replica server and all its other associated zimbra mail services operate if the master ldap server is unreachable?

Any input would be appreciated.

Thanks.
#4 - 10-05-2006, 01:33 AM - Senior Member (Posts: 51)

Whilst I would venture to say yes, the slave will run, the data will not be the same.

So if you share the mailstore, bad voodoo.
#5 - 11-12-2008, 12:52 AM - Loyal Member (Posts: 87)
Some questions about multi-server LDAP sync

Zimbra edition: zcs509 oss, OS: Redhat AS 5

I installed two servers as a multi-server setup. Server A is the master and Server B is the replica. I imported all the users into the servers; all their passwords are the same, "123456". Then I logged in to the administrator webmail and chose "Must change password when first time login". After this, half of the users logged in and changed their password, and everything went well. But the other half of the users had to wait for about 5 minutes, and then they could log in. Why? How do you explain this?

I think maybe it is a question of LDAP sync; maybe it takes several minutes to sync the LDAP info. And my question is: how often does the replica server (or master server) sync the info from the master server (or replica server)? And can I do this manually?

Thanks!