In this article we describe the different replication mechanisms provided by an LDAP directory, and in particular by the open source OpenLDAP server.
OpenLDAP is an open source derivative of the first independent LDAP server, created by the University of Michigan (1996). Many improvements have been made since. OpenLDAP's strengths are:
- Many backends.
- Advanced security options.
- Many extensions implemented.
- Supported on many platforms.
Version 2.4.31 is currently the latest stable version of OpenLDAP.
OpenLDAP replication mechanisms
To ensure load balancing across multiple servers and/or fault tolerance, it is necessary to have multiple identical LDAP directories. The rest of this article describes the replication mechanisms that OpenLDAP offers to achieve this.
Earlier versions of OpenLDAP used a mechanism called slurpd (Standalone LDAP Update Replication Daemon). slurpd was replaced by syncrepl (the LDAP Sync Replication engine) from version 2.4 of OpenLDAP onwards.
Syncrepl is more robust and can implement much more complex architectures. It is also documented by the IETF (Internet Engineering Task Force) in RFC 4533.
OpenLDAP supports several replication architectures:
- Master/slave replication (in OpenLDAP terminology: provider/consumers).
- Multi-master replication.
- Mirror-mode replication (two nodes that synchronize with each other).
Provider – Consumers replication
In this mode, there is one master (the provider), on which entries are written, and one or more slaves (consumers) that synchronize from the master, either continuously or periodically. The slaves are read-only.
- New consumers can be added at any time.
- Delta-syncrepl is possible: only the changed attributes are replicated instead of the entire entry (not supported by multi-master replication).
- If the master goes down, no slave can easily take its place: a reconfiguration of the directory is required.
Multi-master replication
In this model, several masters coexist on the network. Changes may be made on any of the directories, and updates are propagated in both directions. This type of replication has been supported since version 2.4 of OpenLDAP.
- Useful for high availability.
- Delta-sync is not available: entries are replicated in full; if one attribute changes, the entire entry is replicated.
- If two changes are made “shortly” one after the other (before replication could take place), one of them will be lost.
Replication in mirror mode
A mirror is composed of only two nodes. Each node is configured as both master and slave. In this mode, both nodes are identical at all times. Both are writable, and either one may be updated.
- If a node goes down, it updates itself automatically when it comes back;
- If a node's data files are destroyed, it resynchronizes completely from the other node when it restarts;
- A node is configured as a master, so consumers can be connected to it.
- Bulk updates on a node take longer than in provider/consumer mode, because both nodes are updated simultaneously and in full mode.
Below is an example of a mixed architecture that takes advantage of the different synchronization modes:
The configuration is as follows:
- Two nodes in mirror mode for writes: an active server and a passive server.
- A read-only “consumer” synchronized (in real time or periodically, depending on the configuration chosen) with the active node. The two mirror nodes can be located on two separate sites.
A load-balancing and failover solution (such as an F5 appliance) can be put in place to achieve the following:
- Failover for writes.
- Failover and load balancing across the consumer and the passive node for reads.
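As an added example (not from the original article), here is a slapd.conf sketch of the mixed architecture above: one of the two mirror nodes, and the read-only consumer fed by the active node. The host names, the dc=example,dc=com suffix, the cn=replicator account, the placeholder secret and the paths are assumptions; node B is the same file with serverID 2 and the provider URL pointing at node A.

```conf
### slapd.conf on mirror node A (hypothetical host ldap-a). Node B is identical
### except for "serverID 2" and provider=ldap://ldap-a.example.com
serverID  1
database  hdb
suffix    "dc=example,dc=com"
rootdn    "cn=admin,dc=example,dc=com"
directory /var/lib/ldap
# entryCSN/entryUUID indexes keep the sync searches cheap on every node
index     objectClass eq
index     entryCSN,entryUUID eq
# dedicated read-only replication identity, used by the peer and by the consumer
access to attrs=userPassword by dn.exact="cn=replicator,dc=example,dc=com" read by self write by anonymous auth by * none
access to * by dn.exact="cn=replicator,dc=example,dc=com" read by self write by users read by * none
# pull changes from the mirror peer, TLS mandatory, reconnect every 60 s on failure
syncrepl rid=001
  provider=ldap://ldap-b.example.com
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=PLACEHOLDER_SECRET
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  starttls=critical
  tls_reqcert=demand
mirrormode on
# serve changes to the peer and to consumers (syncprov = provider overlay)
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

### slapd.conf on the read-only consumer (hypothetical host ldap-c): no serverID,
### no mirrormode, fed only by the active node, writes referred back to it
database  hdb
suffix    "dc=example,dc=com"
rootdn    "cn=admin,dc=example,dc=com"
directory /var/lib/ldap
index     objectClass,entryUUID eq
# periodic refresh every 5 minutes; type=refreshAndPersist would give real time
syncrepl rid=002
  provider=ldap://ldap-a.example.com
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=PLACEHOLDER_SECRET
  searchbase="dc=example,dc=com"
  type=refreshOnly
  interval=00:00:05:00
  retry="60 +"
  starttls=critical
  tls_reqcert=demand
updateref ldap://ldap-a.example.com
```

The dedicated read-only replication DN and starttls=critical keep the replication credentials and directory contents off the wire in clear text, while updateref makes the consumer refer writes to the active node instead of accepting them locally.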
A future article will focus on load balancing and failover with OpenLDAP.