389 DS (Directory Services) Multi-master replication setup

We need to implement multi-master replication between 2 LDAP servers (389-DS servers).

General (high-level) steps

  1. Create supplier bind DN to be used on each server
  2. Enable replication change log (directory server, replication section, supplier tab), default location for files
  3. Enable multi-master replication, with a different ID for each server (directory server, replication section, userRoot subsection, Replication Settings tab)
  4. Create “Replication Agreement” on both servers

Detailed setup

### Create supplier bind DN for replication, on both servers

  1. STOP directory service:

    service dirsrv stop

  2. Edit /etc/dirsrv/slapd-xxxxxx/dse.ldif and add the following lines to the file:

    dn: cn=replication manager,cn=config
    objectClass: inetorgperson
    objectClass: person
    objectClass: top
    cn: replication manager
    sn: RM
    userPassword: SOMECOMPLEXPASSWORD
    passwordExpirationTime: 20380119031407Z
    nsIdleTimeout: 0

    Watch for blank spaces at the end of each line – they MUST NOT exist, or the directory service will not start later.
    Save the file and restart directory services:

    service dirsrv start

  3. Do the same changes on both servers.
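
A check for the trailing-whitespace failure described in step 2, as an added example that is not part of the original post: it lists lines in the edited file that end in whitespace and confirms the replication manager entry carries the attributes shown above. The function names and the constructed sample are assumptions made for illustration.

```shell
#!/bin/sh
# Lint a hand-edited dse.ldif before starting dirsrv again.
RM_DN='cn=replication manager,cn=config'    # bind DN used on this page
WANT='objectclass cn sn userpassword passwordexpirationtime nsidletimeout'

# List "lineno:text" for lines ending in space, tab or CR (a file saved
# with Windows line endings has the same problem). Status 1 if any found.
trailing_ws() {
    if grep -n '[[:space:]]$' "$1"; then return 1; fi
}

# Print attributes missing from the replication manager entry, one per line,
# or "entry" if the DN is absent. userPassword is on the list because the
# replication agreement later binds with a password set in this file.
missing_attrs() {
    awk -v dn="dn: $RM_DN" -v list="$WANT" '
        { sub(/[ \t\r]+$/, "") }              # judge content, not padding
        tolower($0) == tolower(dn) { inside = 1; found = 1; next }
        inside && $0 == "" { inside = 0 }     # a blank line ends the entry
        inside { split($0, kv, ":"); seen[tolower(kv[1])] = 1 }
        END {
            if (!found) { print "entry"; exit }
            n = split(list, want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
        }' "$1"
}

# Run both checks; status 0 only when nothing was flagged.
lint_dse() {
    rc=0
    trailing_ws "$1" >&2 || rc=1
    miss=$(missing_attrs "$1")
    [ -z "$miss" ] || { echo "replication manager entry is missing: $miss" >&2; rc=1; }
    return $rc
}

# Constructed sample: the entry from step 2 with a trailing space after "RM"
# and without a userPassword line.
sample_ldif() {
    printf '%s\n' 'dn: cn=config' 'objectClass: top' '' \
        "dn: $RM_DN" 'objectClass: inetorgperson' 'objectClass: person' \
        'objectClass: top' 'cn: replication manager' 'sn: RM ' \
        'passwordExpirationTime: 20380119031407Z' 'nsIdleTimeout: 0'
}

# Usage: sh lint_dse.sh /etc/dirsrv/slapd-xxxxxx/dse.ldif
if [ -n "${1:-}" ]; then lint_dse "$1"; fi
```

Run it on both servers after editing and before `service dirsrv start`; a non-zero exit status means the file still needs fixing.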


### Enable replication change log

  1. Log in to the 389 console, click on “Directory Server”, then “Open”, then the “Configuration” tab. Click on “Replication” on the left and on the “Supplier Settings” tab on the right, then enable the default location for change log files.
  2. Save changes.
  3. Do the same on second server


### Enable multi-master replication

  1. While still on “Configuration tab”, click on “Replication”, then on “userRoot” on the left.
  2. On the right side, enable “Multi Master” replication and enter “1” in the “Replica ID” field (“1” on the first server, “2” on the second). The ID must NOT be identical on the 2 servers.
  3. In the field “enter new supplier DN” enter “cn=replication manager,cn=config” (defined in step1 of replication), and click on ADD
  4. Do the same on second server, just change “Replica ID” value to “2”.
  5. Save changes.


### Create “Replication Agreement” on both servers.

  1. With “userRoot” still selected on the left, expand DATA (click on the + sign), right click on dc=DOMAIN,dc=COM and select “New replication agreement” (substitute your own “domain” and “com”)
  2. Put name “ToServer2” or similar, put some description, click on Next.
  3. In the consumer section, click on “others” (a new window will pop up) and enter the IP or DNS name of server2 (your second LDAP server), and port 389. Click on OK.
  4. Leave the default “Use LDAP (no encryption)” option (we are using a private network for replication, so we do not encrypt it; with this option the bind password from step 6 and all replicated data travel in clear text)
  5. In the “Bind as” field enter “cn=replication manager,cn=config”
  6. In the “Password” field enter the password you defined while changing /etc/dirsrv/slapd-xxxxx/dse.ldif file (we used “SOMECOMPLEXPASSWORD” in our example), and click on Next.
  7. Leave default sync/repl options for “Replication Attributes” page, click on Next.
  8. Leave default settings on “Replication Schedule” page, click on Next.
  9. For server1 (first master), select “Initialise Consumer Now”, click on Next, Next and Finish.
  10. When doing this step on server2 select “do not initialise consumer”, click on Next, Next and Finish.
  11. Click on the “Status” tab, select “Replication status” on the left and click on Refresh; you should see successful replication.
  12. For testing purposes, create one object (user) on server1, and search for it on server2. Then delete that object (user) on server2, and search for it on server1 (it should be deleted).

