Thread: LDAP Replication Experiences

  1. #1
    Join Date
    Mar 2006

    Default LDAP Replication Experiences

    I've had a lot of trouble getting a handle on LDAP replication with Zimbra multiserver, so I thought I'd share my experiences. The following applies to ZCS Network Edition 3.1.2.

    NodeA = LDAP Master
    NodeB = LDAP Slave/Replica

    Basic Procedure:

    1) (As root) Install ZCS on NodeA, choose to install LDAP and optionally SNMP if you want it. During the configuration supply your own LDAP password, leave everything else alone and apply the configuration. Ensure that the service comes up with 'zmcontrol status' or check 'ps' for slapd.

    2) (As root) Install ZCS on NodeB, choose to install LDAP along with any other options you want, such as an MTA. Set the "Ldap master host" to NodeA, change the "Ldap Password" to the password you set in step 1. Select "zimbra-ldap:" and toggle option "1" to Disable LDAP. Return to the main menu and apply the configuration.

    3) (As zimbra) On both NodeA and NodeB, run "zmupdateauthkeys" to update the SSH Authorized Keys (passwordless ssh) for each node. Make sure it actually says "updating ..." for each node; if not, there is a problem.

    4) (As zimbra) On NodeA, run "libexec/zmldapenablereplica". This will add the following lines to your slapd.conf:
    overlay syncprov
    syncprov-checkpoint 100 10
    syncprov-sessionlog 500

    Double check this addition before proceeding.

    NOTE: Zimbra uses the Sync Provider for replication, NOT SLURPD!

    5) (As zimbra) On NodeB, run "zmcreateca" and then "zmcreatecert". If you did not install Zimbra Store (mail box server) on NodeB you will get several errors related to java or jre or tomcat during the run of both these commands. This is NOT a problem. Don't let it panic you. The keys you need will still be created.

    6) (As zimbra) On NodeB, run "libexec/zmldapenablereplica". This will add several lines to your conf/slapd.conf, namely the "syncrepl ..." directive and an "updateref ldap://NodeA:389" line.

    7) (As zimbra) On NodeB, ensure that slapd is running either using "zmcontrol status" or "ps" for slapd. If slapd refuses to start, edit "bin/ldap" and add "-d 64" to the "sudo slapd..." line. The debugging information will tip you off to the cause.

    8) (As zimbra) At this point replication should be set up. slapd should be running on both nodes. You can check the LDAP directory replica on NodeB by running: "/opt/zimbra/openldap/sbin/slapcat -f /opt/zimbra/conf/slapd.conf"

    If slapcat returns a big LDIF output you have LDAP replication up and running properly. If not, try restarting LDAP on NodeA, and then NodeB, and looking again.

    To check LDAP replication functionality I also like to use 'ldapsearch'. In the following example my LDAP password is "zimbra123":
    /opt/zimbra/openldap/bin/ldapsearch -h localhost -D 'uid=zimbra,cn=admins,cn=zimbra' -w 'zimbra123' -x -b 'cn=zimbra' -LLL '*'

    Run that check on both nodes, and then run it across nodes (i.e. change "localhost" to "NodeA" from NodeB and vice versa).

    Finally, to make sure everything is _really_ ok, shut down the master ("zmcontrol stop" or "bin/ldap stop") and do your ldapsearch against NodeB again.

    I prefer using ldapsearch rather than zmprov for testing because I can specify exactly what to look at. Because you point the replica (NodeB) at the master even without enabling replication, a "zmprov" command can appear to be working from NodeB when in fact it's just requesting the info from the master on NodeA.

    From time to time, using the ldapsearch above can also be handy for checking the consistency of the replication. A little paranoia checking. Run the search against NodeA and redirect to a file, then again against NodeB, then simply 'diff' the two LDIF outputs. If they are identical then everything is good.

    A big stumbling block for me with understanding LDAP replication as Zimbra uses it was regarding the Sync Provider method of replication. I was previously only aware of using 'slurpd' for replication. If you are new to LDAP Sync as well, there is a great writeup in the OpenLDAP Admins Guide:

    Lastly, always make sure that each node in your ZCS multiserver setup has proper local configuration settings for ldap_url and ldap_master_url:
    ldap_master_url = ldap://NodeA:389
    ldap_url = ldap://NodeA ldap://NodeB:389

    Replication is written up in the docs, but hopefully this will clear up some points that slowed me down.
    Last edited by technikolor; 06-04-2006 at 03:49 AM.

  2. #2
    Join Date
    Aug 2005
    San Mateo, CA


    On a side note it should be mentioned that LDAP replication is not working in 3.1.X. There was at least one bug in OpenLDAP that caused errors and LDAP to crash. Unless there is no way around it you should wait for the next patch before using LDAP replication. This is currently slated for 3.1.3.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    Join Date
    Oct 2006

    Default LDAP Replica does not work

    I am having a problem starting the openldap service on the replica server if the Master server is not reachable.

    The ldap service fails to start on replica if the server is rebooted.

    Basic question is, can a replica server and all its other associated zimbra mail services operate if the master ldap server is unreachable?

    Any input would be appreciated.


  4. #4
    Join Date
    Sep 2005
    Los Angeles


    Whilst I would venture to say yes, the slave will run, the data will not be the same.

    So if you share the mailstore, bad voodoo.

  5. #5
    Join Date
    Aug 2008

    Default Some questions about multi-server LDAP sync.

    Zimbra edition: zcs509 oss, OS: Redhat AS 5

    I installed two servers as multi-server; Server A is master and Server B is replica. I imported all the users into the servers; all their passwords are the same, "123456". And I logged in to the administrator webmail and chose "Must change password when first time login". After this, half of the users logged in and changed their password, and everything went well. But the other half of the users had to wait for about 5 minutes, and then they could log in. Why? How to explain this?

    I think maybe it is a question about LDAP sync; maybe it costs several minutes to sync the LDAP info. And my question is: how often does the replica server (or master server) sync the info from the master server (or replica server)? And can I do this manually?

    thanks !
    Ask Forever...
