LDAP replication setup using syncrepl

Once you have installed an LDAP server in your network and some of your mission-critical services start using it, you will probably want to set up one or more replicas of it, to eliminate a single point of failure and to balance the load.

Traditionally people use slurpd, the Standalone LDAP Update Replication Daemon, but syncrepl seems to be the more advanced technology and has some advantages over slurpd. One thing I really like about syncrepl is that you don't have to stop the master server, copy its content onto the slave server(s) and so on; syncrepl does this automatically. You don't have to run an additional service (slurpd). In fact, you don't even have to change anything on the master server: syncrepl is a consumer-side replication engine. Syncrepl supports pull-based (RefreshOnly) and push-based (RefreshAndPersist) synchronization methods.

Install slapd on your LDAP slave box. On Debian/Ubuntu that is:

apt-get install slapd ldap-utils

Then edit /etc/ldap/slapd.conf and make it look similar to this:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/dnsdomain2.schema

#schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_bdb

backend         bdb
checkpoint      512 30

database        bdb
suffix          "dc=example,dc=com"
directory       "/var/lib/ldap"
rootdn          "cn=replica,dc=example,dc=com"
rootpw          secret
lastmod         on

index           default                         pres,eq
index           uid
index           cn,email                        pres,eq,sub
index           associatedDomain                pres,eq
index           objectClass,entryCSN,entryUUID  eq

syncrepl   rid=1
                provider=ldap://10.1.1.1
                type=refreshOnly
                interval=00:00:05:00
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                attrs="*"
                scope=sub
                schemachecking=off
                updatedn="cn=replica,dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replica,dc=example,dc=com"
                credentials="secret"

updateref       ldap://10.1.1.1

access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

access to dn.children="ou=dns,dc=example,dc=com"
        by dn="cn=dnsadmin,ou=people,dc=example,dc=com" write
        by * read

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read

It is almost identical to the master's slapd.conf. The main difference is the following fragment:

syncrepl   rid=1
                provider=ldap://10.1.1.1
                type=refreshOnly
                interval=00:00:05:00
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                attrs="*"
                scope=sub
                schemachecking=off
                updatedn="cn=replica,dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replica,dc=example,dc=com"
                credentials="secret"

updateref       ldap://10.1.1.1

You just need to make sure that you can bind to the master as "cn=replica,dc=example,dc=com" and are able to read.
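As an added example (not from the original post), a small Python lint for the consumer slapd.conf above: it checks the points the text relies on (a syncrepl stanza, updateref, lastmod, the entryCSN/entryUUID index) and flags the two weak settings in the sample config, the clear-text rootpw and the replication bind over plain ldap://. The sample config string is constructed from the file shown above; the starttls= keyword it looks for belongs to later OpenLDAP releases and is an assumption, not something the post uses.

```python
import re
# Constructed sample: the replication-related lines of the consumer slapd.conf above.
SAMPLE_CONF = """\
rootdn          "cn=replica,dc=example,dc=com"
rootpw          secret
lastmod         on
index           objectClass,entryCSN,entryUUID eq
syncrepl   rid=1
                provider=ldap://10.1.1.1
                bindmethod=simple
                binddn="cn=replica,dc=example,dc=com"
                credentials="secret"
updateref       ldap://10.1.1.1
"""

def parse_slapd_conf(text):
    """Return [(keyword, args)]; slapd.conf continuation lines start with whitespace."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    pairs = [line.split(None, 1) for line in logical]
    return [(p[0].lower(), p[1] if len(p) > 1 else "") for p in pairs]

def lint_consumer(text):
    """Return [(code, message)] findings for a syncrepl consumer slapd.conf."""
    d = parse_slapd_conf(text)
    get = lambda kw: [a for k, a in d if k == kw]
    if not get("syncrepl"):
        return [("no-syncrepl", "no syncrepl directive: this file does not define a consumer")]
    # syncrepl keyword=value pairs; quoted values may contain spaces
    p = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', get("syncrepl")[0])}
    checks = [
        (not get("updateref"), "no-updateref",
         "no updateref: writes sent to the replica are not referred to the master"),
        (any(a.lower() == "off" for a in get("lastmod")), "lastmod-off",
         "lastmod off: syncrepl needs entryCSN/entryUUID on every entry"),
        (not any("entrycsn" in a.lower() and "entryuuid" in a.lower() for a in get("index")),
         "no-csn-index", "add 'index entryCSN,entryUUID eq' so sync searches do not scan the whole DB"),
        (p.get("provider", "").startswith("ldap://") and "starttls" not in p, "cleartext-transport",
         "plain ldap:// without TLS: the replica password and all entries cross the wire unencrypted"),
        (any(not a.startswith("{") for a in get("rootpw")), "plaintext-rootpw",
         "rootpw is stored in clear text; use a {SSHA} hash from slappasswd"),
    ]
    return [(code, msg) for hit, code, msg in checks if hit]
```

Run lint_consumer(SAMPLE_CONF) against the config above and it reports only the clear-text transport and the unhashed rootpw; feed it your own file contents to check a replica before starting slapd.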

Note: You must have lastmod turned on on the master in order to have the entryCSN and entryUUID attributes added. They are required for syncrepl to work. It should add them automatically, as the documentation says:

The provider slapd (8) is not required to be restarted. contextCSN is 
automatically generated as needed: it might be originally contained in 
the LDIF file, generated by slapadd (8), generated upon changes in the
context, or generated when the first LDAP Sync search arrives at the provider.

But in my case (Debian 3.1, slapd 2.2.23-8) they appeared only after I had turned lastmod on.