LDAP replication with syncrepl and SSL

In this post I’m going to describe how I use LDAP replication to sync user accounts from my web server to my home server.
On my home server I’m going to set up an LDAP server as well. As the user accounts on the “web server” are already stored in an LDAP directory, it seems logical to use LDAP replication to keep both servers in sync. The LDAP server on the “web server” (my rented server running mail server, web server, ownCloud etc.) will be used as master, the home server will be the slave. It now seems common to talk about provider and consumer instead of master and slave. By the way, I consider these terms more appropriate for the situation they describe.

I’ve found a quite good tutorial here: http://documentation.fusiondirectory.org/en/documentation/replication_syncrepl. Here is just a short write-up of my steps:
Both servers are running Debian, but this should work similarly on every Linux system running OpenLDAP > 2.4.

1. Set up LDAP replication on the provider

First create a directory for the accesslog:

aptitude install slapd ldap-utils

Then create a user “synchronisator”. For example, create a file synchronisator.ldif:

dpkg-reconfigure slapd

Then add these changes to the ldap:

BASE    dc=example,dc=com
URI     ldap://homeserver.localdomain
# ldap.conf options are "keyword value", without "=".
# "never" switches off server certificate checking for LDAP clients on this host;
# the default "demand" verifies the server certificate against TLS_CACERT.
TLS_REQCERT never

We’ll need some indexes and modules for replication. To enable these, create a file provider.ldif:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess
 
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config
 
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}8S1oP5BG2cYEpxQYcc2YbQxwUBZwxR7v
 
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

In my case line 11 has to look like

slappasswd

because Dovecot also has to be able to read user passwords.

Apply these changes by

ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

Now the provider side should already be working. However, we can’t test it without a consumer.
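Before a change set like provider.ldif goes into cn=config it is worth reading it back mechanically: a cleartext olcRootPW or a "delete: olcAccess" with no replacement ACL are the two slips that are easy to make in a hand-written LDIF. The following is an added example, not code from the post or from OpenLDAP. It parses LDIF change records (dn / changetype / operation / attribute lines, with leading-space continuation lines, "::" base64 values and "-" separators) and runs those two checks. SAMPLE_LDIF is constructed to mirror the shape of provider.ldif above; the hash and the cleartext password in it are placeholders, not values from the post.

```python
"""Review an LDIF change file before it is applied with ldapmodify/ldapadd.

Added example (not code from the original post). It parses LDIF change
records and runs two checks a reviewer would want on a cn=config change set:
olcRootPW must be a slappasswd hash, and a bare "delete: olcAccess" must be
followed by something that puts an ACL back.
"""
import base64
import re

# Constructed sample in the shape of the post's provider.ldif; placeholder values.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER_HASH_FROM_SLAPPASSWD

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: hunter2
"""

# Password-hash schemes slapd understands; anything else in olcRootPW is cleartext.
HASHED = re.compile(
    r"^\{(SSHA|SHA|SSHA256|SSHA512|SHA256|SHA512|MD5|SMD5|CRYPT|PBKDF2[\w-]*|ARGON2)\}", re.I)


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and raw.strip() and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif_changes(text):
    """Return records as dicts: {"dn": str, "changetype": str, "ops": [(op, attr, [values])]}."""
    records, rec, cur = [], None, None
    for line in _unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():                     # blank line ends a record
            if rec is not None:
                records.append(rec)
            rec, cur = None, None
            continue
        if line.startswith("#"):
            continue
        if line == "-":                          # separator between modify operations
            cur = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "dn":
            rec, cur = {"dn": value, "changetype": None, "ops": []}, None
        elif rec is None:
            raise ValueError(f"line outside a record: {line!r}")
        elif key == "changetype":
            rec["changetype"] = value
        elif key in ("add", "delete", "replace"):
            cur = (key, value, [])
            rec["ops"].append(cur)
        elif cur is not None and key.lower() == cur[1].lower():
            cur[2].append(value)
        else:
            raise ValueError(f"unexpected line in record {rec['dn']}: {line!r}")
    return records


def _acl_restored(records, dn):
    """True if some record for dn adds or replaces olcAccess."""
    return any(r["dn"] == dn and any(op in ("add", "replace") and attr.lower() == "olcaccess"
                                     for op, attr, _ in r["ops"])
               for r in records)


def lint_changes(records):
    """Return (dn, message) findings for a list of parsed change records."""
    findings = []
    for rec in records:
        if rec["changetype"] != "modify":
            continue                             # only modify records are reviewed here
        for op, attr, values in rec["ops"]:
            if attr.lower() == "olcrootpw":
                for v in values:
                    if not HASHED.match(v):
                        findings.append((rec["dn"], "olcRootPW is cleartext; use the output of slappasswd"))
            if op == "delete" and attr.lower() == "olcaccess" and not values \
                    and not _acl_restored(records, rec["dn"]):
                findings.append((rec["dn"], "every olcAccess rule is deleted and nothing in this file adds one back"))
    return findings


if __name__ == "__main__":
    for dn, msg in lint_changes(parse_ldif_changes(SAMPLE_LDIF)):
        print(f"{dn}: {msg}")
```

Run it against the sample and it reports two findings: the frontend record drops all ACLs without a replacement in the same file, and the last record stores the root password in cleartext. The parser is deliberately strict (an attribute line that does not match the pending operation raises) so that a mis-typed attribute name, like the "oclDatabase" typo discussed in the comments, fails loudly instead of being applied.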

5 thoughts on “LDAP replication with syncrepl and SSL”

  1. Pingback: ldap user login | cbjck.de

  2. Pingback: Samba shares with LDAP

  3. Philipp

    Hi, there seems to be a bug:
    rm -rf /etc/ldap/slapd.d/cn=config/oclDatabase*hdb*
    doesn’t work because “oclDatabase” should be “olcDatabase”

    But if you correct this typo and remove those files, applying consumer.ldif doesn’t work.

    • Jan (post author)

      Thanks for your comment.

      I see two possibilities:

      • either I’ve used the rm command as printed and didn’t delete anything and it works.
      • or I did delete those files and it somehow worked for me.
      • As it’s quite a long time ago I last did this I don’t remember. My guess would be I didn’t delete the files. Maybe you also try that.
        In any case: do you get any error message?

  4. ZoZo

    Warning!
    If you have a big directory, change olcLimits on the master.
    Replication may not work; when this happens, entries such as the following appear in the log:
    slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
    slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded
    (in the slave)

    and
    conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
    (in the master)

    This can occur if a replica is created when there are more than 500 objects in the LDAP.
    500 is the default maximum number of objects that can be returned in a search.

    Change the value:
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    replace: olcSizeLimit
    olcSizeLimit: 50000
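The failure mode ZoZo describes is easy to miss because the consumer just stops receiving entries; the tell-tale is the pair of log lines quoted above, the consumer's do_syncrep2 result code 4 (LDAP sizeLimitExceeded) and the provider's "SEARCH RESULT ... err=4 nentries=N" with N equal to the size limit. The following is an added example, not code from the post or its comments: detection logic over constructed slapd syslog lines of those two kinds (hostnames, pids and timestamps are made up), correlating the consumer-side failure with the provider-side count so the finding says whether the configured limit was hit.

```python
"""Spot a syncrepl refresh that dies on the provider's size limit.

Added example (not from the post or its comments). It runs over slapd log
lines, pairs the consumer's do_syncrep2 result code 4 (sizeLimitExceeded)
with the provider's "SEARCH RESULT ... err=4 nentries=N", and flags replica
ids whose refresh was cut off at the configured size limit.
"""
import re

CONSUMER_RE = re.compile(r"do_syncrep2: rid=(?P<rid>\d+) .*?\((?P<code>\d+)\) (?P<text>.*)$")
PROVIDER_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT .*?err=(?P<err>\d+) nentries=(?P<n>\d+)")
SIZE_LIMIT_EXCEEDED = 4          # LDAP result code sizeLimitExceeded
SLAPD_DEFAULT_SIZELIMIT = 500    # slapd's default sizelimit

# Constructed sample: consumer (homeserver) and provider (webserver) lines in one stream.
SAMPLE_LOG = """\
Mar  3 10:15:01 homeserver slapd[209]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
Mar  3 10:15:01 homeserver slapd[209]: do_syncrep2: rid=001 (4) Size limit exceeded
Mar  3 10:15:01 webserver slapd[1234]: conn=1013 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Mar  3 10:15:02 webserver slapd[1234]: conn=1014 op=1 SEARCH RESULT tag=101 err=0 nentries=12 text=
Mar  3 10:16:00 homeserver slapd[209]: do_syncrep2: rid=002 LDAP_RES_SEARCH_RESULT (0) Success
"""


def parse_slapd_line(line):
    """Classify one syslog line from slapd; returns a dict, or None for lines we ignore."""
    m = CONSUMER_RE.search(line)
    if m:
        return {"side": "consumer", "rid": m["rid"], "code": int(m["code"]), "text": m["text"]}
    m = PROVIDER_RE.search(line)
    if m:
        return {"side": "provider", "conn": m["conn"], "err": int(m["err"]), "nentries": int(m["n"])}
    return None


def detect_size_limit_failures(lines, sizelimit=SLAPD_DEFAULT_SIZELIMIT):
    """Return one finding per replica id whose refresh hit sizeLimitExceeded.

    provider_nentries lists the entry counts at which the provider stopped
    with err=4 (if its log is in the same stream); limit_hit is True when one
    of them equals the configured size limit, which points at olcSizeLimit or
    olcLimits rather than at a network or ACL problem.
    """
    events = [e for e in map(parse_slapd_line, lines) if e]
    truncated = {e["nentries"] for e in events
                 if e["side"] == "provider" and e["err"] == SIZE_LIMIT_EXCEEDED}
    findings = {}
    for e in events:
        if e["side"] == "consumer" and e["code"] == SIZE_LIMIT_EXCEEDED:
            findings[e["rid"]] = {
                "rid": e["rid"],
                "provider_nentries": sorted(truncated),
                "limit_hit": sizelimit in truncated,
            }
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_size_limit_failures(SAMPLE_LOG.splitlines()):
        print(f"rid={f['rid']} cut off at {f['provider_nentries']} entries, "
              f"limit hit: {f['limit_hit']}")
```

On the sample this reports rid=001 cut off at 500 entries with limit_hit True, while rid=002 and the successful provider search are ignored. Raising olcSizeLimit on the frontend, as in the comment, lifts the limit for every client; the narrower fix ZoZo also names, olcLimits, lets you grant only the replication identity an unlimited search, e.g. `olcLimits: dn.exact="cn=synchronisator,dc=example,dc=com" size=unlimited time=unlimited` (the DN is an assumption, the post does not show where the synchronisator user lives).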
