OpenLDAP: recommended way to add a new server to a replicated multi-master setup

Tags: openldap, replication

I have previously set up two servers with multi-master replication, using the cn=config configuration format (I think I've seen it referred to as 'OLC'?). It was a process similar to this (although this is not the guide I followed):

http://www.opensolutions.ie/blog/2013/01/multi-master-ldap-replication/

Both my configuration database and actual user database are replicated between both, and I have tested that changes work as expected in both directions.

I need to add a third host into the replication. (Ultimately I am removing one server and replacing it with the third, but there will be a few months of overlap.) I have not been able to find any information on the recommended way to add a new server into a multi-master setup. Is it possible, and if so, what is the recommended way?

Best Answer

In essence do the same thing you did to get Multi-Master running in the first place.

  1. On your new server make sure that all necessary certificate, keytab, module paths and db directories are created/populated as they are on your existing servers.
    • They have to be the same as slapd-config only distinguishes servers for replication, not configuration.
    • This is easier if all of your servers are running the same distribution.
    • If each server has its own certificate, symlinks are your friend. (You probably already know this if you had to do it for your original setup.)
    • Don't copy the files (except DB_CONFIG, if you use it) from your olcDbDirectory.
  2. On one of your existing servers make sure the new server's syncrepl dn, whatever it will be, has read access to your entire directory.
    • It's best to do this the same way you're doing it for your existing servers.
  3. On one of your existing servers add the new server's olcServerID and olcSyncrepl entries.
    • Your new server's slapd should not be running at this time.
    • Depending on the settings of your olcSyncrepl retry your existing servers may give up trying to contact your new server. You may want to set retry for the new server to unlimited (i.e. +) during this time.
    • For what should be obvious reasons, your existing servers will not be able to connect to your new server yet. Don't worry about log messages about this except as it relates to the previous point.
  4. Replace the slapd.d directory on your new server with one from one of your existing servers.
    • Make sure the permissions allow the slapd daemon to write to the directory.
  5. Start your new server.
  6. Wait for your new server to finish syncing.
    • You may want to add sync to your olcLogLevel during this time.
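A concrete LDIF for step 3 (plus the olcLogLevel hint from step 6), added here as an example and not part of the answer above. It assumes the new server is ldap3.example.com with olcServerID 3, rid values 003/103, a cn=config bind for the config database and a cn=replicator account for a user database under dc=example,dc=com; adjust these to your own setup.

```ldif
# Constructed example. Hostname, server ID, rid values, bind DNs and
# credentials are assumptions. Apply once on one EXISTING master:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f add-third-master.ldif
# Because cn=config itself is replicated, the change reaches the other
# masters on its own; the new server picks it up from the copied slapd.d.

# Register the new server's ID next to the existing ones. The "ID URL"
# form is required when cn=config is replicated, so each slapd can
# recognise its own ID. Also add "sync" logging for the initial sync.
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 3 ldap://ldap3.example.com
-
add: olcLogLevel
olcLogLevel: sync
-

# Pull the config database from the new server as well. rid must be
# unique per consumer database; retry="5 +" retries every 5 seconds
# forever, so the existing masters do not give up while ldap3 is still
# down. starttls=critical keeps the replication password off the wire
# in clear text (the certificates are already in place per step 1).
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=003 provider=ldap://ldap3.example.com
  binddn="cn=config" bindmethod=simple credentials=CHANGEME
  searchbase="cn=config" type=refreshAndPersist
  retry="5 +" timeout=1 starttls=critical
-

# Same for the user database (assumed to be olcDatabase={1}mdb).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=103 provider=ldap://ldap3.example.com
  binddn="cn=replicator,dc=example,dc=com" bindmethod=simple
  credentials=CHANGEME searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="5 +" timeout=1 starttls=critical
-
```

Continuation lines start with a space (the first space is stripped), so the second leading space is what keeps the syncrepl keywords separated. Once ldap3 has finished syncing, tighten retry to match the other servers and drop the extra sync log level.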