
How To Setup A Backup LDAP Server Through LDAP Replication

Tags: ldap backup, ldap server replication, replication, tls replication

Published on: July 5, 2012 by Scott S



Since all LDAP clients depend on the LDAP server, it is very important that the server is available at all times to serve client requests. In such an environment it is standard practice to add a backup LDAP server to the setup, so that service continues if the primary server becomes unresponsive. This is done through LDAP replication.

Replication is achieved via the Syncrepl engine, which synchronizes changes using a Consumer-Provider model: our current LDAP server is the Provider, and the new LDAP server that holds the replica is the Consumer. In this tutorial the Provider (the current LDAP server) pushes changed entries to the Consumer as soon as they are made; only the actual changes are sent, not the entire entries.

Here I'm assuming that my LDAP server ( is already set up following . Note that is our Provider now.

So let us see the steps to set up the LDAP backup server.

Provider configuration

Log in to the LDAP Provider as root:


Create an LDIF file with the following contents and name it provider_sync.ldif:

root@ldapserver:]# vi provider_sync.ldif


dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=int,dc=sages,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00


Change the olcRootDN attribute in the LDIF file to match the one you have for your directory.

The apparmor profile /etc/apparmor.d/local/usr.sbin.slapd for slapd will need to be adjusted for the accesslog database location. You can read about apparmor from

If that file exists on your system, edit /etc/apparmor.d/local/usr.sbin.slapd and add the following:

root@ldapserver:]# vi /etc/apparmor.d/local/usr.sbin.slapd


/var/lib/ldap/accesslog/ r,

/var/lib/ldap/accesslog/** rwk,


Now create a directory and set up a database config file.

root@ldapserver:]# sudo -u openldap mkdir /var/lib/ldap/accesslog

root@ldapserver:]# sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog

Now reload the apparmor profile:

root@ldapserver:]# /etc/init.d/apparmor reload

Now add the new content to the LDAP tree (the apparmor change had to come first, since slapd creates the accesslog database when this LDIF is loaded):

root@ldapserver:]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif

Restart slapd service:

root@ldapserver:]# /etc/init.d/slapd restart
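As an added check that is not part of the original howto: after loading provider_sync.ldif and restarting slapd, the script below confirms from cn=config that the three overlays the LDIF defines (syncprov on the primary database, accesslog on the primary database, and syncprov on the accesslog database) actually exist. It uses the same ldapi:/// with SASL EXTERNAL access as the ldapadd command above, so it is run as root on the Provider; the sample DN list inside it is constructed for an offline check.

```shell
#!/bin/sh
# Added example (not from the original howto): verify the Provider's overlays.

# Print the DN of every overlay entry under cn=config, one per line.
list_overlays() {
    ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(objectClass=olcOverlayConfig)' dn | sed -n 's/^dn: //p'
}

# Read overlay DNs from stdin and print the expected ones that are absent
# (empty output means all three overlays from provider_sync.ldif are present).
missing_overlays() {
    found=$(cat)
    missing=""
    for want in \
        'olcOverlay=syncprov,olcDatabase={1}hdb,cn=config' \
        'olcOverlay=accesslog,olcDatabase={1}hdb,cn=config' \
        'olcOverlay=syncprov,olcDatabase={2}hdb,cn=config'
    do
        case "$found" in
            *"$want"*) ;;
            *) missing="${missing}${missing:+ }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample of list_overlays output for an offline check; the primary
# database's syncprov overlay is deliberately left out.
SAMPLE_OVERLAYS='olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
olcOverlay=accesslog,olcDatabase={1}hdb,cn=config'

# The live query runs only when asked for, e.g. "sh check_overlays.sh --live".
if [ "${1:-}" = "--live" ]; then
    m=$(list_overlays | missing_overlays)
    if [ -n "$m" ]; then
        echo "missing overlays: $m" >&2
        exit 1
    fi
    echo "provider overlays present"
fi
```

If an overlay is reported missing, slapd most likely rejected that part of the LDIF; the ldapadd output and the slapd syslog entries show which entry failed.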

Now we have the Provider configured; let's proceed to the Consumer configuration.

Consumer Configuration

Install Ubuntu 12.04 Server edition on a new machine, which will be our LDAP replication server, the Consumer. I've configured the LDAP replication server with hostname

Follow and do all the steps for LDAP SERVER CONFIGURATION on the new machine. Make sure that the slapd-config database is identical to the Provider's; in particular, make sure the schemas and the database suffix are the same.

Once you have finished those steps, the new machine (Consumer) will have the same base tree as your Provider.

Create an LDIF file with the following contents and name it consumer_sync.ldif:

root@ldapserver:]# vi consumer_sync.ldif


dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap:// bindmethod=simple binddn="cn=admin,dc=int,dc=sages,dc=com" credentials=sages123 searchbase="dc=int,dc=sages,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://


Make sure the following attributes have the correct values:

provider (the Provider server's hostname, as in this example, or its IP address)

binddn (the admin DN you're using)

credentials (the password of that admin DN)

searchbase (the database suffix you’re using)

olcUpdateRef (the Provider server's hostname or IP address)

rid (Replica ID, a unique 3-digit number that identifies the replica. Each consumer should have at least one rid)

Add the new content to the LDAP tree:

root@ldapserver:]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif

You're done. The two databases (suffix: dc=int,dc=sages,dc=com) should now be synchronizing.


Once replication starts, you can monitor it by running:

root@ldapserver:]# ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base contextCSN

You will see output similar to the one given below on both the Provider and the Consumer:

dn: dc=int,dc=sages,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000

Once the output (20120201193408.178454Z#000000#000#000000 in the above example) matches on both machines, replication is working. Every time a change is made on the Provider this value changes, and so should the one on the Consumer.

If your connection is slow or your LDAP database is large, it may take a while for the Consumer's contextCSN to match the Provider's, but you will know it is progressing because the Consumer's contextCSN will be steadily increasing.

If the Consumer's contextCSN is missing or does not match the Provider's, there is no replication and you should stop and find the issue before continuing. Check the slapd (syslog) and auth log files on the Provider to see whether the Consumer's authentication requests succeeded and whether its requests to retrieve data returned errors.
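The comparison described above, scripted, as an added example that is not part of the original howto: it fetches the suffix's contextCSN from the Provider and from the Consumer, and reports "missing", "behind", "in-sync" or "ahead". PROVIDER_HOST is an assumed placeholder (set PROVIDER_URI to your Provider's ldap:// URI); the remote query is anonymous, which assumes the suffix's base entry is readable by anyone, as with the default Ubuntu ACLs, while the local ldapi:/// query uses SASL EXTERNAL like the commands above. The sample ldapsearch outputs inside it are constructed for an offline check.

```shell
#!/bin/sh
# Added example (not from the original howto): compare Provider and Consumer contextCSN.
PROVIDER_URI="${PROVIDER_URI:-ldap://PROVIDER_HOST}"   # PROVIDER_HOST is a placeholder
CONSUMER_URI="${CONSUMER_URI:-ldapi:///}"              # run this on the Consumer
SUFFIX="dc=int,dc=sages,dc=com"

# Pull the (first) contextCSN value out of ldapsearch output read from stdin.
extract_csn() {
    sed -n 's/^contextCSN: //p' | head -n 1
}

# A CSN starts with a UTC timestamp (YYYYmmddHHMMSS.ffffffZ); everything after
# the first '#' is the change count and server id. Return the timestamp only.
csn_time() {
    printf '%s\n' "$1" | cut -d'#' -f1
}

# Compare the Provider's CSN ($1) with the Consumer's ($2) and print
# "missing" (Consumer has none), "in-sync", "behind" or "ahead".
compare_csn() {
    p=$(csn_time "$1")
    c=$(csn_time "$2")
    if [ -z "$c" ]; then
        echo missing
    elif [ "$p" = "$c" ]; then
        echo in-sync
    else
        # Fixed-width timestamps sort lexically, so the smaller one is older.
        older=$(printf '%s\n%s\n' "$p" "$c" | sort | head -n 1)
        if [ "$older" = "$c" ]; then echo behind; else echo ahead; fi
    fi
}

# Query one server for the suffix's contextCSN.
fetch_csn() {
    case "$1" in
        ldapi:*) ldapsearch -LLLQ -Y EXTERNAL -H "$1" -s base -b "$SUFFIX" contextCSN ;;
        *)       ldapsearch -LLLx -H "$1" -s base -b "$SUFFIX" contextCSN ;;
    esac | extract_csn
}

# Constructed sample outputs for an offline check (Consumer about four minutes behind).
SAMPLE_PROVIDER='dn: dc=int,dc=sages,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000'
SAMPLE_CONSUMER='dn: dc=int,dc=sages,dc=com
contextCSN: 20120201193000.000000Z#000000#000#000000'

# The live comparison runs only when asked for, e.g. "sh check_sync.sh --live".
if [ "${1:-}" = "--live" ]; then
    p=$(fetch_csn "$PROVIDER_URI")
    c=$(fetch_csn "$CONSUMER_URI")
    echo "provider: $p"
    echo "consumer: $c"
    echo "status:   $(compare_csn "$p" "$c")"
fi
```

Running it repeatedly while the initial load is in progress shows the Consumer's timestamp moving towards the Provider's; a status that stays "missing" points at the bind or search problems the paragraph above tells you to look for in the Provider's logs.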

To test that it worked, simply query the DNs in the database on the Consumer:

root@ldapserver:]# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=int,dc=sages,dc=com dn

You should see the user 'testuser' and the group 'testgroup', as well as the nodes 'People' and 'Groups' which we created in
