LDAPS Multi-master replication

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Subject: LDAPS Multi-master replication

From: Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru>

Date: Mon, 27 Jan 2020 12:04:50 +0000

Accept-language: ru-RU, en-US

Content-language: ru-RU

Dkim-signature: v=1; a=rsa-sha256; d=wildberries.ru; s=mail; c=simple/simple; t=1580126690; h=from:subject:to:date:message-id; bh=oq/PvWUxWp7T9665mOQBIjNSb/Bt4kr4oJUDpmK6Wfg=; b=idU0guf3RFzZgYaWgfhQQoW+b+Paeat/8Tmd7qfXsYrfhELFZmA0PRuJMrhKnOBtYZMKiqsNx2Z hWZFth/V8chcvl3BiCgW6sS8LDpP2nP++mTaKWWiSARmd2EDpZ0oXeNb8yD3pN5D1MmDu4uKGymnV hEbsyKvW34JWQjInfes=

Thread-index: AQHV1Qn5hCnJTAlqNk+knNGUOBhUwQ==

Thread-topic: LDAPS Multi-master replication

I plan to configure Multi-master replication LDAPS on 3 servers. Are my steps correct ?

1) On each server

dn: cn=module{0},cn=config

changetype: modify

add: olcModuleLoad

olcModuleLoad: syncprov

2) On server 1

dn: cn=config

changeType: modify

add: olcServerID

olcServerID: 1

3) On server 2

dn: cn=config

changeType: modify

add: olcServerID

olcServerID: 2

4) On server 3

dn: cn=config

changeType: modify

add: olcServerID

olcServerID: 3

4) On each server

dn: olcDatabase={0}config,cn=config

changetype: modify

add: olcRootPW

olcRootPW: 5fX?BLR2

5) On each server

 dn:
 cn=config

changetype: modify

replace: olcServerID

olcServerID: 1 
ldaps://infa1.domain.com

olcServerID: 2 
ldaps://infra2.domain.com

olcServerID: 3 
ldaps://infra3.domain.com

6) On each server

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config

changetype: add

objectClass: olcOverlayConfig

objectClass: olcSyncProvConfig

olcOverlay: syncprov

7) On each server

dn: olcDatabase={0}config,cn=config

changetype: modify

replace: olcSyncRepl

olcSyncRepl: rid=001 provider=ldaps://infra1.domain.com binddn="cn=admin,cn=config" bindmethod=sasl

saslmech=EXTERNAL

starttls=no

tls_cert="/etc/ldap/sasl2/cert.ru.crt"

tls_key="/etc/ldap/sasl2/cert.ru.crt"

tls_cacert="/etc/ldap/sasl2/comodo.crt"

tls_reqcert=allow

credentials=5fX?BLR2 searchbase="cn=config" type=refreshAndPersist

retry="5 5 300 5" timeout=1

olcSyncRepl: rid=002 provider=ldaps://infra2.domain.comn binddn="cn=admin,cn=config" bindmethod=sasl

saslmech=EXTERNAL

starttls=no

tls_cert="/etc/ldap/sasl2/cert.ru.crt"

tls_key="/etc/ldap/sasl2/cert.ru.crt"

tls_cacert="/etc/ldap/sasl2/comodo.crt"

tls_reqcert=allow

credentials=5fX?BLR2 searchbase="cn=config" type=refreshAndPersist

retry="5 5 300 5" timeout=1

olcSyncRepl: rid=003 provider=ldaps://infra3.domain.com binddn="cn=admin,cn=config" bindmethod=sasl

saslmech=EXTERNAL

starttls=no

tls_cert="/etc/ldap/sasl2/cert.ru.crt"

tls_key="/etc/ldap/sasl2/cert.ru.crt"

tls_cacert="/etc/ldap/sasl2/comodo.crt"

tls_reqcert=allow

credentials=5fX?BLR2 searchbase="cn=config" type=refreshAndPersist

retry="5 5 300 5" timeout=1

add: olcMirrorMode

olcMirrorMode: TRUE

Is this correct ?

Follow-Ups:

Re: LDAPS Multi-master replication
- From: Quanah Gibson-Mount <quanah@symas.com>