Enable peer to peer replication with crypto and data sync
Basic guide to configure IBM SDS peer to peer replication.
Author(s): Tamas Bures, Peter Kovacsics | Created: 27 September 2019 | Last modified: 27 September 2019
Tested on: IBM Security Directory Server V6.4 FP 17
Enable peer to peer replication with crypto and data sync
In this short guide we show how to enable peer to peer (master-master) replication in an existing environment.
In this guide:
- server1.hu.ibm.com is an existing LDAP server with data
- server2.hu.ibm.com is a freshly installed, empty LDAP server
- O=IBM,C=HU is the top level entry
- /opt/IBM/ldap/V6.4 is the installation location on both servers
- sdsinst is the instance name on both servers
- /home/sdsinst/idsslapd-sdsinst is the instance location on both servers
Backup data on both servers
Create a backup LDIF export of the content of both servers (run the first command on server 1 and the second on server 2):
/opt/IBM/ldap/V6.4/sbin/idsdb2ldif -I sdsinst -o /opt/backup/sdsinst_export_server1.ldif
/opt/IBM/ldap/V6.4/sbin/idsdb2ldif -I sdsinst -o /opt/backup/sdsinst_export_server2.ldif
Replace salt and seed in export file
In order to properly load passwords from server 1 into server 2, you need to replace the seed and salt values in the export file (sdsinst_export_server1.ldif) with server 2's settings.
This step is optional if you installed server 2 with the same encryption salt and seed as server 1.
- Get server 2 settings:
/opt/IBM/ldap/V6.4/bin/ldapsearch -D cn=root -w ? -h server2.hu.ibm.com -p 389 -s base -b cn=crypto,cn=localhost cn=*
Example output:
ibm-slapdCryptoSync=<sync_value>
ibm-slapdCryptoSalt=<salt_value>
- Open the export file from server 1 with a text editor and replace the values. Be careful: the export file uses the
attribute: value
format, instead of:
attribute=value
- Save the file and upload it to server 2.
- If you have customized schema, copy the modifications from server 1 to server 2.
- Stop server 2:
/opt/IBM/ldap/V6.4/sbin/idsslapd -k
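The salt and seed replacement above is a manual edit; the following added example (not part of the original guide) does the same rewrite with a script, keeping the export's "attribute: value" form and refusing to produce a file when the two crypto lines are not found. The sample export and the SERVER2_* values are constructed stand-ins for the real values returned by the ldapsearch on cn=crypto,cn=localhost.

```shell
#!/bin/sh
# Added example, not part of the original guide: rewrite the crypto salt and
# sync (seed) lines of the server 1 export with server 2's values, so that
# the encrypted passwords in the export can be used by server 2 after the
# idsldif2db load. The sample LDIF and the SERVER2_* values are constructed;
# in practice take them from the ldapsearch on cn=crypto,cn=localhost.

# replace_crypto_settings <in.ldif> <salt> <sync> <out.ldif>
# The export uses "attribute: value" lines while ldapsearch printed
# "attribute=value", so only the value part is carried over. Fails when the
# export does not contain exactly one salt and one sync line.
replace_crypto_settings() {
  ( umask 077   # the export carries password material; keep the copy private
    awk -v salt="$2" -v sync="$3" '
      tolower($0) ~ /^ibm-slapdcryptosalt:/ { print "ibm-slapdCryptoSalt: " salt; n++; next }
      tolower($0) ~ /^ibm-slapdcryptosync:/ { print "ibm-slapdCryptoSync: " sync; n++; next }
      { print }
      END { if (n + 0 != 2) {
              print ("expected one salt and one sync line, found " (n + 0)) > "/dev/stderr"
              exit 1 } }
    ' "$1" > "$4" )
}

# Print the salt and sync values currently in an export, one per line, in
# file order, for a check before the file is loaded.
show_crypto_settings() {
  grep -iE '^ibm-slapdCrypto(Salt|Sync):' "$1" | sed 's/^[^:]*: *//'
}

# --- constructed sample run ---------------------------------------------
WORK=$(mktemp -d)
cat > "$WORK/sdsinst_export_server1.ldif" <<'EOF'
ibm-slapdCryptoSalt: SALT_FROM_SERVER1
ibm-slapdCryptoSync: SYNC_FROM_SERVER1

dn: O=IBM,C=HU
objectclass: organization
o: IBM
EOF
SERVER2_SALT=SERVER2_SALT_VALUE   # constructed stand-ins for the real values
SERVER2_SYNC=SERVER2_SYNC_VALUE
replace_crypto_settings "$WORK/sdsinst_export_server1.ldif" \
  "$SERVER2_SALT" "$SERVER2_SYNC" "$WORK/sdsinst_export_server1_for_server2.ldif"
echo "values in the file to upload to server 2:"
show_crypto_settings "$WORK/sdsinst_export_server1_for_server2.ldif"
```

Run show_crypto_settings on the rewritten file before uploading it; the two printed values must match the ldapsearch output from server 2.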
Load data to server 2
- Load data:
/opt/IBM/ldap/V6.4/sbin/idsldif2db -i /opt/backup/sdsinst_export_server1.ldif -I sdsinst
- Start server:
/opt/IBM/ldap/V6.4/sbin/idsslapd start
Add bind user configuration on both servers
- Open the instance configuration file with a text editor on server 1 (/home/sdsinst/idsslapd-sdsinst/ibmslapd.conf) and replace the following:
ibm-slapdServerId: <random and long letters and numbers>
with:
ibm-slapdServerId: Peer1
- Add the following content to the end of the file:
dn: cn=Master server, cn=configuration
cn: master server
ibm-slapdMasterDN: cn=ldap_bind_user
ibm-slapdMasterPW: ldap_bind_user_password
ibm-slapdMasterReferral: ldap://server2.hu.ibm.com:389
objectclass: ibm-slapdReplication
- Save the file.
- Open the instance configuration file with a text editor on server 2 (/home/sdsinst/idsslapd-sdsinst/ibmslapd.conf) and replace the following:
ibm-slapdServerId: <random and long letters and numbers>
with:
ibm-slapdServerId: Peer2
- Add the following content to the end of the file:
dn: cn=Master server, cn=configuration
cn: master server
ibm-slapdMasterDN: cn=ldap_bind_user
ibm-slapdMasterPW: ldap_bind_user_password
ibm-slapdMasterReferral: ldap://server1.hu.ibm.com:389
objectclass: ibm-slapdReplication
- Save the file.
- Restart both servers:
/opt/IBM/ldap/V6.4/sbin/idsslapd -k
/opt/IBM/ldap/V6.4/sbin/idsslapd start
Create peer to peer configuration LDIF file
This is a fully configured peer to peer configuration LDIF file; save it as /install/peertopeer.ldif (the path used by the commands below) and load it on both servers. Each entry is separated from the next by a blank line, as LDIF requires.
dn: O=IBM,C=HU
changetype: modify
add: objectclass
objectclass: ibm-replicationContext

dn: ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicaGroup
ibm-replicaGroup: default

dn: ibm-replicaServerId=Peer1,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: Peer1
ibm-replicationServerIsMaster: true
cn: Peer1
description: Subentry for Peer1.

dn: ibm-replicaServerId=Peer2,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: Peer2
ibm-replicationServerIsMaster: true
cn: Peer2
description: Subentry for Peer2.

dn: cn=ReplicaBindCredentials,O=IBM,C=HU
changetype: add
objectclass: ibm-replicationCredentialsSimple
cn: ReplicaBindCredentials
replicaBindDN: cn=ldap_bind_user
replicaCredentials: ldap_bind_user_password
description: Bind Credentials on peer1 and peer2 to bind to each other.

dn: cn=Peer2, ibm-replicaServerId=Peer1,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicationAgreement
cn: Peer2
ibm-replicaConsumerId: Peer2
ibm-replicaUrl: ldap://server2.hu.ibm.com:389
ibm-replicaCredentialsDN: cn=ReplicaBindCredentials,O=IBM,C=HU
description: Replication agreement from peer1 to peer2.

dn: cn=Peer1, ibm-replicaServerId=Peer2,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicationAgreement
cn: Peer1
ibm-replicaConsumerId: Peer1
ibm-replicaUrl: ldap://server1.hu.ibm.com:389
ibm-replicaCredentialsDN: cn=ReplicaBindCredentials,O=IBM,C=HU
description: Replication agreement from peer2 to peer1.
- First, load it into server 2:
/opt/IBM/ldap/V6.4/bin/ldapmodify -D cn=root -w ? -k -l -i /install/peertopeer.ldif
- Then into server 1:
/opt/IBM/ldap/V6.4/bin/ldapmodify -D cn=root -w ? -k -l -i /install/peertopeer.ldif
- Start replication on server 2:
/opt/IBM/ldap/V6.4/bin/ldapexop -D cn=root -w ? -op repltopology -rc O=IBM,C=HU
Verify replication is working
You can verify that replication is working between the two servers by issuing the following commands against both servers:
/opt/IBM/ldap/V6.4/bin/idsldapsearch -h server1.hu.ibm.com -p 389 -D cn=root -w ? -b "" -s sub objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount
/opt/IBM/ldap/V6.4/bin/idsldapsearch -h server2.hu.ibm.com -p 389 -D cn=root -w ? -b "" -s sub objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount
Both commands should report that the O=IBM,C=HU replication context is READY and the ChangeCount is 0.
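Reading the two search outputs by eye is error prone once there are more agreements, so here is an added example (not part of the original guide) that checks them: every ibm-replicationAgreement must report ibm-replicationState ready and ibm-replicationPendingChangeCount 0, and anything else is printed. The two sample outputs are constructed, including the non-ready state and pending count used for server 2.

```shell
#!/bin/sh
# Added example, not part of the original guide: check the output of the two
# idsldapsearch commands from the verify step. Every ibm-replicationAgreement
# must show ibm-replicationState ready and ibm-replicationPendingChangeCount 0;
# any agreement that does not is printed. The two sample outputs are constructed.

# check_agreements [file]; reads stdin when no file is given. Exit 0 when all
# agreements are ready with nothing pending, 1 otherwise.
check_agreements() {
  awk '
    function flush() {
      if (dn == "") return
      if (tolower(state) != "ready" || pending != "0") {
        printf "NOT READY: %s (state=%s pending=%s)\n", dn, state, pending
        bad = 1
      }
      dn = ""
    }
    # a new dn closes the previous agreement entry
    /^dn:/ { flush(); dn = substr($0, 5); state = ""; pending = "" }
    tolower($0) ~ /^ibm-replicationstate:/ { v = $0; sub(/^[^:]*: */, "", v); state = v }
    tolower($0) ~ /^ibm-replicationpendingchangecount:/ { v = $0; sub(/^[^:]*: */, "", v); pending = v }
    END { flush(); exit bad }
  ' "${1:--}"
}

# --- constructed sample outputs -----------------------------------------
WORK=$(mktemp -d)
cat > "$WORK/server1.out" <<'EOF'
dn: cn=Peer2,ibm-replicaServerId=Peer1,ibm-replicaGroup=default,O=IBM,C=HU
ibm-replicationState: ready
ibm-replicationPendingChangeCount: 0
EOF
cat > "$WORK/server2.out" <<'EOF'
dn: cn=Peer1,ibm-replicaServerId=Peer2,ibm-replicaGroup=default,O=IBM,C=HU
ibm-replicationState: retrying
ibm-replicationPendingChangeCount: 17
EOF
for side in server1 server2; do
  if check_agreements "$WORK/$side.out"; then
    echo "$side: every agreement is ready with no pending changes"
  fi
done
```

Against a live server, pipe the idsldapsearch command from the guide into check_agreements and treat a non-zero exit as "not yet replicating".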
The final step is to modify an entry on server 1 and verify on server 2 that the change is replicated, then vice versa.
Happy replication!