
I have a Cluster OpenLDAP setup with 2 OpenLDAP servers running syncrepl on config and data, providing LDAP authentication to specific systems running various embedded OS.

Now I was asked to add a Consumer replica with a subset of users and groups from the Cluster setup, running on a remote site.

I used the Ubuntu documentation as a reference. https://ubuntu.com/server/docs/service-ldap-replication

Provider and Consumer have the indexes needed according to the documentation.

SyncRepl configuration on the Consumer:

```
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=123 provider=ldap://DNSNAME.Cluster.Ldap bindmethod=simple binddn="cn=admin,dc=ldap,dc=test" credentials=secret searchbase="dc=ldap,dc=test" schemachecking=on type=refreshOnly interval=00:00:05:00
```

The issue is that changes to group membership do not get synchronized before I restart the SLAPD service.

I have tried with a filter, with permissions on what the Consumer can read on the Cluster, and with just replicating the entire database.

Any pointers to what I could have missed?

I know that the connection is insecure; TLS will be implemented when the replication is working, to be sure there are limited error possibilities. I have waited hours for the replication to update the group memberships, but the only thing that can initiate the update is a restart of the SLAPD. The debug log has been running from day 1, but I can't see why the group update will not happen. – HotwireDK Apr 15 '21 at 09:19

1 Answer


This isn't the problem you asked about; however, your posted question has you sending a cleartext password across whatever link is between the provider and the consumer, and it looks like you're doing so with what's probably olcRoot. Might want to get at least some TLS on that.


Either use type=refreshAndPersist or wait out your set interval (looks to be 5 minutes). You might want to set a retry as a general measure, but especially if you do end up using refreshAndPersist.


If you're not already logging, it's past time to start.

`/etc/rsyslog.d/slapd.conf`:

```
# Don't forget to restart rsyslog after adding this.
# You'll also need an appropriate olcLogLevel. E.g., olcLoglevel: config sync
local4.*        /var/log/syslog
```
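As an added example (not from the question or the answer above), here is the consumer's olcSyncrepl rewritten the way the answer suggests: type=refreshAndPersist so the provider pushes changes as they happen, a retry schedule, StartTLS on the replication connection, and a dedicated replication account instead of the admin DN. The replicator DN, the password placeholder and the chosen log level are assumptions; the provider must grant that DN read access to the replicated subtree.

```ldif
# Replace the refreshOnly entry from the question with a refreshAndPersist one.
# Apply on the consumer with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif
# (assumed: a dedicated cn=replicator account exists on the provider; the
#  credentials value below is a placeholder, not a real secret)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=123
  provider=ldap://DNSNAME.Cluster.Ldap
  bindmethod=simple
  binddn="cn=replicator,dc=ldap,dc=test"
  credentials=REPLICATOR_PASSWORD_PLACEHOLDER
  searchbase="dc=ldap,dc=test"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"
  starttls=critical
  tls_reqcert=demand

# interval= is dropped: it only applies to refreshOnly.
# retry="60 +" reconnects every 60 seconds, indefinitely, if the provider
# connection drops (otherwise a lost persist session silently stops syncing).
# starttls=critical fails the bind rather than falling back to cleartext;
# tls_reqcert=demand requires a verifiable provider certificate.

# Turn on sync logging so each incoming change and every reconnect is
# visible in syslog via the rsyslog rule above (log level is an assumption).
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: config sync
```

After applying, `grep -i sync /var/log/syslog` on the consumer should show the persist session being established and entries arriving as group memberships change, without a slapd restart.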