I've had a lot of trouble getting a handle on LDAP replication with Zimbra multiserver, so I thought I'd share my experiences. The following applies to ZCS Network Edition 3.1.2.
NodeA = LDAP Master
NodeB = LDAP Slave/Replica
1) (As root) Install ZCS on NodeA, choose to install LDAP and optionally SNMP if you want it. During the configuration supply your own LDAP password, leave everything else alone and apply the configuration. Ensure that the service comes up with 'zmcontrol status' or check 'ps' for slapd.
2) (As root) Install ZCS on NodeB, choose to install LDAP along with any other options you want, such as an MTA. Set the "Ldap master host" to NodeA, change the "Ldap Password" to the password you set in step 1. Select "zimbra-ldap:" and toggle option "1" to Disable LDAP. Return to the main menu and apply the configuration.
3) (As zimbra) On both NodeA and NodeB, run "zmupdateauthkeys" to update the SSH Authorized Keys (passwordless ssh) for each node. Make sure it actually says "updating ..." for each node; if not, there is a problem.
4) (As zimbra) On NodeA, run "libexec/zmldapenablereplica". This will add the following lines to your slapd.conf:
syncprov-checkpoint 100 10
Double check this addition before proceeding.
NOTE: Zimbra uses the Sync Provider for replication, NOT SLURPD!
5) (As zimbra) On NodeB, run "zmcreateca" and then "zmcreatecert". If you did not install Zimbra Store (mail box server) on NodeB you will get several errors related to java or jre or tomcat during the run of both these commands. This is NOT a problem. Don't let it panic you. The keys you need will still be created.
6) (As zimbra) On NodeB, run "libexec/zmldapenablereplica". This will add several lines to your conf/slapd.conf, namely the "syncrepl ..." directive and an "updateref ldap://NodeA:389" line.
7) (As zimbra) On NodeB, ensure that slapd is running either using "zmcontrol status" or "ps" for slapd. If slapd refuses to start, edit "bin/ldap" and add "-d 64" to the "sudo slapd..." line. The debugging information will tip you off to the cause.
8) (As zimbra) At this point replication should be set up. slapd should be running on both nodes. You can check the LDAP directory replica on NodeB by running: "/opt/zimbra/openldap/sbin/slapcat -f /opt/zimbra/conf/slapd.conf"
If slapcat returns a big LDIF output you have LDAP replication up and running properly. If not, try restarting LDAP on NodeA, and then NodeB, and looking again.
To check LDAP replication functionality I also like to use 'ldapsearch'. In the following example my LDAP password is "zimbra123":
/opt/zimbra/openldap/bin/ldapsearch -h localhost -D 'uid=zimbra,cn=admins,cn=zimbra' -w 'zimbra123' -x -b 'cn=zimbra' -LLL '*'
Run that check on both nodes, and then run it across nodes (i.e. change "localhost" to "NodeA" when running from NodeB, and vice versa).
Finally, to make sure everything is _really_ ok, shut down the master ("zmcontrol stop" or "bin/ldap stop") and do your ldapsearch against NodeB again.
I prefer using ldapsearch rather than zmprov for testing because I can specify exactly what to look at. Because you point the replica (NodeB) at the master even without enabling replication, a "zmprov" command can appear to be working from NodeB when in fact it's just requesting the info from the master on NodeA.
From time to time, using the ldapsearch above can also be handy for checking the consistency of the replication. A little paranoia checking. Run the search against NodeA and redirect to a file, then again against NodeB, then simply 'diff' the two LDIF outputs. If they are identical then everything is good.
A big stumbling block for me with understanding LDAP replication as Zimbra uses it was regarding the Sync Provider method of replication. I was previously only aware of using 'slurpd' for replication. If you are new to LDAP Sync as well, there is a great writeup in the OpenLDAP Admins Guide:
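The diff-based consistency check above, scripted as an added example (this is not part of the original post or of Zimbra's own tooling). It uses the same bind DN, search base and ldapsearch options as the post, but reads the LDAP password from an environment variable named ZIMBRA_LDAP_PASSWORD (my choice) instead of putting it on the command line where any local user could read it from 'ps'. Since the master and replica may return entries and attributes in different orders, a plain diff can report differences that are not real; the script therefore sorts both dumps into one "dn<TAB>attr: value" line per attribute before diffing. The LDIF samples at the bottom are constructed for the self-test and are not real Zimbra data.

```shell
#!/bin/sh
# Replica consistency check for a Zimbra LDAP master/replica pair (added example).
# Live use (as zimbra, on either node):
#   ZIMBRA_LDAP_PASSWORD='...' sh check_replica.sh NodeA NodeB

LDAP_BIN=/opt/zimbra/openldap/bin
BIND_DN='uid=zimbra,cn=admins,cn=zimbra'
BASE_DN='cn=zimbra'

# Dump the user attributes of every entry under BASE_DN from one node.
fetch_ldif() {  # $1 = host (NodeA, NodeB or localhost)
  "$LDAP_BIN/ldapsearch" -h "$1" -x -D "$BIND_DN" -w "$ZIMBRA_LDAP_PASSWORD" \
      -b "$BASE_DN" -LLL '*'
}

# Turn LDIF on stdin into sorted "dn<TAB>attr: value" lines, one per attribute,
# so that entry order and attribute order inside an entry no longer matter.
normalize_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }      # unwrap folded continuation lines
    { if (have) print buf; buf = $0; have = 1 }
    END { if (have) print buf }
  ' | awk '
    /^#/    { next }                             # drop comments
    /^dn: / { dn = substr($0, 5); next }         # remember the current entry
    /^$/    { dn = ""; next }                    # blank line ends the entry
    dn != "" { print dn "\t" $0 }
  ' | LC_ALL=C sort
}

# Compare two LDIF dumps; prints the differing attributes, returns 1 if any differ.
compare_ldif_files() {  # $1 = master dump, $2 = replica dump
  a=$(mktemp); b=$(mktemp)
  normalize_ldif < "$1" > "$a"
  normalize_ldif < "$2" > "$b"
  if diff -u "$a" "$b"; then
    rm -f "$a" "$b"; return 0
  else
    rm -f "$a" "$b"; return 1
  fi
}

# Live check: dump both nodes and compare them. Returns 2 if a dump failed.
check_replica() {  # $1 = master host, $2 = replica host
  m=$(mktemp); r=$(mktemp)
  if ! fetch_ldif "$1" > "$m" || ! fetch_ldif "$2" > "$r"; then
    rm -f "$m" "$r"; return 2
  fi
  compare_ldif_files "$m" "$r"; rc=$?
  rm -f "$m" "$r"; return $rc
}

# Constructed sample dumps for a self-test (not real Zimbra data). The "ok"
# replica has the same content as the master with entries and attributes
# reordered and one value folded over two lines; the "stale" one lacks a value.
SAMPLE_MASTER='dn: cn=config,cn=zimbra
objectClass: organizationalRole
cn: config
description: constructed sample entry, not real Zimbra data

dn: uid=zimbra,cn=admins,cn=zimbra
objectClass: zimbraAccount
uid: zimbra
cn: zimbra
'
SAMPLE_REPLICA_OK='dn: uid=zimbra,cn=admins,cn=zimbra
uid: zimbra
cn: zimbra
objectClass: zimbraAccount

dn: cn=config,cn=zimbra
cn: config
description: constructed sample entry, not real
  Zimbra data
objectClass: organizationalRole
'
SAMPLE_REPLICA_STALE='dn: cn=config,cn=zimbra
objectClass: organizationalRole
cn: config
description: constructed sample entry, not real Zimbra data

dn: uid=zimbra,cn=admins,cn=zimbra
objectClass: zimbraAccount
uid: zimbra
'

if [ $# -eq 2 ]; then
  if check_replica "$1" "$2"; then
    echo "replica $2 matches master $1"
  else
    echo "replica $2 differs from master $1 (or a dump failed)"; exit 1
  fi
fi
```

Because '*' requests only user attributes, operational attributes such as contextCSN are not part of the comparison; the check is about directory content, not about the sync provider's internal state. For the failover test in the post (master stopped), point the first argument at the replica too and expect a clean result against a dump taken beforehand.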
Lastly, always make sure that each node in your ZCS multiserver setup has proper local configuration settings for ldap_url and ldap_master_url:
ldap_master_url = ldap://NodeA:389
ldap_url = ldap://NodeA ldap://NodeB:389
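A small check for those two settings, added here as an example (not from the original post and not a Zimbra tool). It parses the "key = value" form shown above, which is what I assume 'zmlocalconfig ldap_url ldap_master_url' prints on your build, and encodes the invariants implied by the example values: ldap_master_url is a single ldap:// URL whose host is the master, and ldap_url lists ldap:// URLs that include the master (replicas may be listed as well). The sample configuration text at the bottom is constructed for the self-test.

```shell
#!/bin/sh
# Local-config sanity check for ldap_url / ldap_master_url (added example).
# Live use (as zimbra, on each node):  sh check_ldap_lc.sh NodeA

# Extract one key's value from "key = value" text on stdin.
lc_value() {  # $1 = key
  awk -v k="$1" '$1 == k && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# Host part of an LDAP URL: strip the scheme, then the port and any trailing path.
url_host() {  # $1 = ldap://host[:port]
  printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#[:/].*$##'
}

# Check the invariants for one node. $1 = expected master host; stdin = localconfig
# text. Returns 0 if all hold, otherwise prints each problem and returns 1.
check_ldap_localconfig() {
  expected_master=$1
  cfg=$(cat)
  master_url=$(printf '%s\n' "$cfg" | lc_value ldap_master_url)
  urls=$(printf '%s\n' "$cfg" | lc_value ldap_url)
  status=0

  case $master_url in
    ldap://*|ldaps://*) ;;
    *) echo "ldap_master_url is not an ldap:// URL: '$master_url'"; status=1 ;;
  esac
  if [ "$(url_host "$master_url")" != "$expected_master" ]; then
    echo "ldap_master_url points at '$(url_host "$master_url")', expected '$expected_master'"
    status=1
  fi

  # ldap_url may list several servers separated by spaces; the master must be one of them.
  found=0
  for u in $urls; do
    case $u in
      ldap://*|ldaps://*) ;;
      *) echo "ldap_url entry is not an ldap:// URL: '$u'"; status=1 ;;
    esac
    [ "$(url_host "$u")" = "$expected_master" ] && found=1
  done
  if [ $found -ne 1 ]; then
    echo "ldap_url does not include the master '$expected_master'"; status=1
  fi
  return $status
}

# Constructed samples for a self-test: the first matches the values above, the
# second is a replica that was mistakenly pointed at itself as master.
SAMPLE_GOOD='ldap_master_url = ldap://NodeA:389
ldap_url = ldap://NodeA ldap://NodeB:389'
SAMPLE_BAD='ldap_master_url = ldap://NodeB:389
ldap_url = ldap://NodeB:389'

if [ $# -eq 1 ]; then
  # Assumption: zmlocalconfig prints "key = value" lines for the keys it is given.
  /opt/zimbra/bin/zmlocalconfig ldap_url ldap_master_url | check_ldap_localconfig "$1"
fi
```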
Replication is written up in the docs, but hopefully this will clear up some points that slowed me down.