High Availability for OpenLDAP
Quick Guide to LDAP

High Availability

One of the dangers of centralizing authentication on an LDAP server is that if that server goes down, everything that authenticates against it goes down with it. A single point of failure is not a good thing, so we use redundant servers.

There are many ways to achieve redundancy, but since this is a quick tutorial I will only describe the way I decided to do it.

The primary issue is keeping the servers consistent with each other. I took the easy route: one server is read/write and all the other servers are read-only. The read/write server is named ldapmaster, and all adds and modifies are sent to it. The name ldap.mesd.k12.or.us carries an A record for the master and for every slave (round-robin DNS; a name cannot have more than one CNAME, so the round-robin is done with multiple A records), and all queries are sent to ldap.mesd.k12.or.us.

All writes are sent to one server, but reads are available from many different servers. Any of the slave servers can fail without affecting read availability, which is what authenticating users requires, so read availability can be kept very high (our target is 99.9%). Two caveats on the read side: round-robin DNS does not notice a dead server, so clients keep being handed its address and must time out and move on to the next one (keep client connect timeouts short), and if the master is in the round-robin it has to be sized to take its share of reads as well. Writes have a lower reliability, but that is not much of an issue for us since adding users and changing passwords can most likely be delayed for a short period of time; in the event of a failure of the master LDAP server, one of the slaves can quickly be reconfigured to be the master (drop readonly, add replica entries for the other slaves, and point writers at it). Any change the old master accepted but had not yet pushed out exists only in its replication log until it comes back.

Here's a sample slapd.conf for the master server:

and here's the corresponding slapd.conf for the slave:

As you can see, setting up the master and slaves is very straightforward.

On the slaves, all you need to add is an updatedn entry (the DN the master binds as when it pushes changes; typically the same as the rootdn) and readonly on, so that ordinary clients cannot write to a slave and all writes occur on the master. After turning readonly on, make a test change on the master and confirm it shows up on the slave: slapd.conf(5) describes readonly as rejecting modification attempts with "unwilling to perform", so verify on your version that updates arriving through the updatedn are still accepted.

On the master, you need to add a replica entry for every slave. The replica entry must contain the hostname of the slave (host=), the DN to bind to the slave as (binddn=, the same value as updatedn in the slave's slapd.conf), and the credentials required to bind to the slave (credentials=, the password the slave's rootpw accepts; if the slave stores rootpw as a hash generated with slappasswd, this is the cleartext that hash was made from). The replogfile directive specifies where the replication log is stored on the master: slapd appends every change to it, and slurpd reads it and pushes the changes to each replica. Two things to keep in mind: the credentials sit in cleartext in the master's slapd.conf, so that file must be readable only by root and the account the daemons run as, and since the binddn is the slave's rootdn, anyone who obtains the password can write to the slave with no ACL restrictions. With bindmethod=simple the password also crosses the network in the clear, so the master-to-slave connections belong on a trusted network segment or inside TLS.
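The two excerpts below are an added example of the directives described above, not the sample files from the original page. The suffix dc=mesd,dc=k12,dc=or,dc=us, the slave hostname ldapslave1, the rootdn cn=Manager, the ldbm backend and the passwords are all assumptions; the updateref line is an addition that the page does not use.

```conf
#### Master: /etc/openldap/slapd.conf (excerpt) ####
# Assumed: ldbm backend (bdb on newer releases), the suffix below, one slave
# named ldapslave1. Keep this file mode 0600: credentials= is cleartext.
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

database        ldbm
suffix          "dc=mesd,dc=k12,dc=or,dc=us"
rootdn          "cn=Manager,dc=mesd,dc=k12,dc=or,dc=us"
# Hash produced by: slappasswd -s <master password>
rootpw          {SSHA}replace-with-output-of-slappasswd
directory       /var/lib/ldap
# slapd appends every change to this log; slurpd reads it and pushes to the replicas.
replogfile      /var/lib/ldap/replog

# One replica entry per slave. binddn must equal the slave's updatedn and
# credentials must be the cleartext password the slave's rootpw accepts.
replica         host=ldapslave1.mesd.k12.or.us:389
                binddn="cn=Manager,dc=mesd,dc=k12,dc=or,dc=us"
                bindmethod=simple credentials=ReplicaSecret

#### Slave: /etc/openldap/slapd.conf (excerpt) ####
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

database        ldbm
suffix          "dc=mesd,dc=k12,dc=or,dc=us"
rootdn          "cn=Manager,dc=mesd,dc=k12,dc=or,dc=us"
# Hash of ReplicaSecret (slappasswd -s ReplicaSecret); the master binds with the cleartext.
rootpw          {SSHA}replace-with-output-of-slappasswd
directory       /var/lib/ldap
# The DN the master binds as to push changes. readonly keeps clients from
# writing here; after enabling it, verify that pushed updates still arrive.
updatedn        "cn=Manager,dc=mesd,dc=k12,dc=or,dc=us"
readonly        on
# Not on the original page: hand a referral to the master to any client that tries to write here.
updateref       ldap://ldapmaster.mesd.k12.or.us
```

slapd.conf only accepts comments on lines of their own, which is why none of the comments above trail a directive. The continuation lines of the replica entry start with whitespace, which is how slapd.conf joins a directive that spans several lines.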

Once you have your master and slaves configured, start slapd on all the servers and slurpd on the master (slurpd is the process that reads the replication log and delivers the changes to the replicas), then insert your data into the master server. The data will automatically be replicated to the slaves.

If you already have data entered into your master server and want to add an additional slave: 1) shut down the master server (or put it in readonly mode) so the database files are not changing while you copy them, 2) copy the database files (usually /var/ldap/* or /var/lib/ldap/*) to the corresponding directory on the slave, preserving ownership and permissions, 3) start LDAP on the slave, and then 4) restart LDAP on the master with the new replica entry in place. The raw database files are only portable between servers running the same OpenLDAP version and backend; between different versions, dump the master with slapcat and load the slave with slapadd instead. Once the slave holds a copy of the database, all changes to the master will automatically be replicated to the new slave.
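Once data is flowing, the check a practitioner wants after either procedure above is whether every slave really holds what the master holds. The probe below is an added example and is not part of the original page: it compares one entry across the master and every slave and reports which slaves are stale, missing the entry, or unreachable. The slave hostnames ldapslave1 to ldapslave3, the suffix dc=mesd,dc=k12,dc=or,dc=us, the probe entry and the sample directory state are constructed for the demo; the python-ldap fetcher at the end is the assumed real-world hook.

```python
"""Replication consistency probe for an OpenLDAP master with read-only slaves.

Added example, not code from the original page. The LDAP lookup is passed in
as a callable so the comparison logic runs offline against constructed data;
a python-ldap fetcher (assumption: python-ldap is installed) is given at the end.
"""
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]
# fetch(host, dn) -> the entry's attributes, or None if the entry does not
# exist on that server; raises OSError when the server cannot be reached.
Fetcher = Callable[[str, str], Optional[Entry]]

MASTER = "ldapmaster"                                # hostname used on the page
SLAVES = ["ldapslave1", "ldapslave2", "ldapslave3"]  # assumed slave hostnames
PROBE_DN = "uid=probe,ou=People,dc=mesd,dc=k12,dc=or,dc=us"  # assumed probe entry


def normalize(entry: Entry) -> Entry:
    """Attribute names are case-insensitive and values are unordered sets."""
    return {name.lower(): sorted(values) for name, values in entry.items()}


def differing_attributes(a: Entry, b: Entry) -> List[str]:
    """Names of attributes whose value sets differ between two entries."""
    na, nb = normalize(a), normalize(b)
    return sorted(name for name in set(na) | set(nb) if na.get(name) != nb.get(name))


def check_replicas(fetch: Fetcher, dn: str, master: str = MASTER,
                   slaves: List[str] = SLAVES) -> Dict[str, str]:
    """Compare one entry on every slave against the master's copy.

    Status per host: 'master' or 'master-unreachable' for the master;
    'in-sync', 'stale', 'missing', 'unreachable' or 'unchecked' (master copy
    unavailable) for each slave.
    """
    report: Dict[str, str] = {}
    try:
        reference = fetch(master, dn)
        report[master] = "master"
    except OSError:
        reference = None
        report[master] = "master-unreachable"
    for host in slaves:
        try:
            entry = fetch(host, dn)
        except OSError:
            report[host] = "unreachable"
            continue
        if report[master] != "master":
            report[host] = "unchecked"
        elif entry is None and reference is None:
            report[host] = "in-sync"          # deleted on master, gone on slave too
        elif entry is None:
            report[host] = "missing"          # the add has not arrived yet
        elif reference is None or differing_attributes(entry, reference):
            report[host] = "stale"            # a delete or modify has not arrived yet
        else:
            report[host] = "in-sync"
    return report


def all_in_sync(report: Dict[str, str], master: str = MASTER) -> bool:
    """True only if the master answered and every slave matched it."""
    return report.get(master) == "master" and all(
        status == "in-sync" for host, status in report.items() if host != master)


# Constructed sample state: slave2 has not yet received the mail change made
# on the master and slave3 is down. Attribute-name case differs on slave1 on
# purpose; that is not a divergence.
FAKE_DIRECTORY = {
    "ldapmaster": {PROBE_DN: {"uid": ["probe"], "mail": ["probe@mesd.k12.or.us"]}},
    "ldapslave1": {PROBE_DN: {"UID": ["probe"], "mail": ["probe@mesd.k12.or.us"]}},
    "ldapslave2": {PROBE_DN: {"uid": ["probe"], "mail": ["old@mesd.k12.or.us"]}},
}


def fake_fetch(host: str, dn: str) -> Optional[Entry]:
    """Offline stand-in for an LDAP base search against the constructed state."""
    if host not in FAKE_DIRECTORY:
        raise ConnectionRefusedError(f"{host}: connection refused")
    return FAKE_DIRECTORY[host].get(dn)


def ldap_fetch(host: str, dn: str) -> Optional[Entry]:
    """Real fetcher using python-ldap (assumed installed): anonymous base search."""
    import ldap  # imported here so the offline demo above runs without it
    conn = ldap.initialize(f"ldap://{host}")
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)  # a dead host must fail fast, not hang
    try:
        result = conn.search_s(dn, ldap.SCOPE_BASE, "(objectClass=*)", ["uid", "mail"])
    except ldap.NO_SUCH_OBJECT:
        return None
    except ldap.SERVER_DOWN as exc:
        raise OSError(str(exc)) from exc
    return {name: [v.decode() for v in values] for name, values in result[0][1].items()}


if __name__ == "__main__":
    report = check_replicas(fake_fetch, PROBE_DN)
    for host, status in report.items():
        print(f"{host:12} {status}")
    print("all in sync" if all_in_sync(report) else "replication lag or outage detected")
```

Probe a non-secret attribute such as mail with an anonymous bind, or bind as a DN allowed to read userPassword if the point is to confirm password changes have propagated; a cron job that runs this and alerts on anything other than in-sync catches a slave that silently stopped receiving updates before users start reporting failed logins.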

That's it!
