Enable peer to peer replication with crypto and data sync

Basic guide to configure IBM SDS peer to peer replication.


Author(s): Tamas Bures, Peter Kovacsics | Created: 27 September 2019 | Last modified: 27 September 2019
Tested on: IBM Security Directory Server V6.4 FP 17

In this short guide we show how to enable peer to peer (master-master) replication in an existing environment.

In this guide:

  • server1.hu.ibm.com is an existing LDAP server with data
  • server2.hu.ibm.com is a freshly installed, empty LDAP server
  • O=IBM,C=HU is the top level entry
  • /opt/IBM/ldap/V6.4 is the installation location on both servers
  • sdsinst is the instance name on both servers
  • /home/sdsinst/idsslapd-sdsinst is the instance location on both servers

Backup data on both servers

Before changing anything, export the content of each instance to LDIF. Run the first command on server 1 and the second on server 2 (the export of the still empty server 2 is your rollback point if the load below goes wrong):

/opt/IBM/ldap/V6.4/sbin/idsdb2ldif -I sdsinst -o /opt/backup/sdsinst_export_server1.ldif
/opt/IBM/ldap/V6.4/sbin/idsdb2ldif -I sdsinst -o /opt/backup/sdsinst_export_server2.ldif

The export contains password hashes and any attribute values the server stores encrypted, so keep /opt/backup readable by the instance owner only and remove the copies once replication is verified.

Replace salt and seed in export file

Encrypted values in the export (passwords included) are tied to server 1's encryption seed and salt (reported by the server as ibm-slapdCryptoSync and ibm-slapdCryptoSalt). To load them correctly on server 2, replace the seed and salt values in the header of the export file (sdsinst_export_server1.ldif) with server 2's settings.

This step is optional if you installed server 2 with the same encryption seed and salt as server 1.

  1. Get server 2 settings:

     /opt/IBM/ldap/V6.4/bin/ldapsearch -D cn=root -w ? -h server2.hu.ibm.com -p 389 -s base -b cn=crypto,cn=localhost cn=*

    Example output (IBM's ldapsearch prints attributes as attribute=value):

     ibm-slapdCryptoSync=<sync_value>
     ibm-slapdCryptoSalt=<salt_value>
  2. Open the export file from server 1 with a text editor and replace the two values. Be careful: the export file uses the LDIF form

     attribute: value

    not the

     attribute=value

    form shown by ldapsearch.
  3. Save the file and copy it to server 2 over an encrypted channel (for example scp); it contains password material.

  4. If you have customized the schema, copy the modifications from server 1 to server 2.

  5. Stop server 2 (idsldif2db is an offline load and needs the server stopped):

     /opt/IBM/ldap/V6.4/sbin/idsslapd -I sdsinst -k
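The manual edit in step 2 is easy to get wrong on a large export, and the file it touches holds password material. The following shell script is an added example written for this guide (it is not part of the original page or of IBM's tooling): it parses the attribute=value output of the ldapsearch from step 1, rewrites the two header lines of the export in the LDIF attribute: value form, tightens the file mode, and counts the rewritten lines as a check. It assumes the export carries the values on lines beginning with "ibm-slapdCryptoSync: " and "ibm-slapdCryptoSalt: " as the guide describes; the files built by demo_patch are constructed stand-ins, not real server output.

```shell
#!/bin/sh
# Added example for this guide (not from the original page or IBM's tooling):
# rewrite the crypto sync/salt header of an idsdb2ldif export to match server 2.
set -eu

# Pull one attribute's value from IBM ldapsearch's default "attr=value" output.
# $1 = attribute name; ldapsearch output on stdin.
crypto_value() {
    awk -v attr="$1" 'index($0, attr "=") == 1 { print substr($0, length(attr) + 2); exit }'
}

# Replace the ibm-slapdCryptoSync / ibm-slapdCryptoSalt lines (LDIF "attr: value"
# form, assumed to sit in the export header as the guide describes) and copy
# everything else through unchanged.
# $1 = export file, $2 = new sync value, $3 = new salt value
patch_ldif_crypto() {
    ldif=$1
    tmp="${ldif}.tmp.$$"
    awk -v sync="$2" -v salt="$3" '
        /^ibm-slapdCryptoSync: / { print "ibm-slapdCryptoSync: " sync; next }
        /^ibm-slapdCryptoSalt: / { print "ibm-slapdCryptoSalt: " salt; next }
        { print }
    ' "$ldif" > "$tmp"
    chmod 600 "$tmp"      # the export holds password material: owner-readable only
    mv "$tmp" "$ldif"
}

# Print how many header lines carry exactly the expected values (2 when correct).
# $1 = export file, $2 = expected sync value, $3 = expected salt value
verify_ldif_crypto() {
    awk -v sync="$2" -v salt="$3" '
        $0 == "ibm-slapdCryptoSync: " sync { n++ }
        $0 == "ibm-slapdCryptoSalt: " salt { n++ }
        END { print n + 0 }
    ' "$1"
}

# Self-contained run on constructed stand-ins (not real server output): a fake
# cn=crypto,cn=localhost search result and a tiny three-line "export".
demo_patch() {
    dir=$(mktemp -d)
    printf '%s\n' 'cn=crypto,cn=localhost' \
        'ibm-slapdCryptoSync=NEWSYNCVALUE==' \
        'ibm-slapdCryptoSalt=NEWSALTVALUE==' > "$dir/server2_crypto.txt"
    printf '%s\n' 'ibm-slapdCryptoSync: OLDSYNCVALUE==' \
        'ibm-slapdCryptoSalt: OLDSALTVALUE==' '' \
        'dn: O=IBM,C=HU' 'objectclass: organization' 'o: IBM' > "$dir/export.ldif"
    sync=$(crypto_value ibm-slapdCryptoSync < "$dir/server2_crypto.txt")
    salt=$(crypto_value ibm-slapdCryptoSalt < "$dir/server2_crypto.txt")
    patch_ldif_crypto "$dir/export.ldif" "$sync" "$salt"
    verify_ldif_crypto "$dir/export.ldif" "$sync" "$salt"   # prints 2
    rm -rf "$dir"
}
```

On a real system, save the output of the step 1 ldapsearch to a file, then call patch_ldif_crypto /opt/backup/sdsinst_export_server1.ldif with the two values returned by crypto_value for that file, and confirm verify_ldif_crypto prints 2 before copying the export to server 2.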

Load data to server 2

  1. Load data (with server 2 still stopped):

     /opt/IBM/ldap/V6.4/sbin/idsldif2db -i /opt/backup/sdsinst_export_server1.ldif -I sdsinst
  2. Start server 2:

     /opt/IBM/ldap/V6.4/sbin/idsslapd -I sdsinst

Add bind user configuration on both servers

  1. Open the instance configuration file with a text editor on server 1 (/home/sdsinst/idsslapd-sdsinst/ibmslapd.conf) and replace the following:

     ibm-slapdServerId: <random and long letters and numbers>

    with:

     ibm-slapdServerId: Peer1
  2. Add the following content to the end of the file:

     dn: cn=Master server, cn=configuration
     cn: master server
     ibm-slapdMasterDN: cn=ldap_bind_user
     ibm-slapdMasterPW: ldap_bind_user_password
     ibm-slapdMasterReferral: ldap://server2.hu.ibm.com:389
     objectclass: ibm-slapdReplication
  3. Save the file.

  4. Open the instance configuration file with a text editor on server 2 (/home/sdsinst/idsslapd-sdsinst/ibmslapd.conf) and replace the following:

     ibm-slapdServerId: <random and long letters and numbers>

    with:

     ibm-slapdServerId: Peer2
  5. Add the following content to the end of the file:

     dn: cn=Master server, cn=configuration
     cn: master server
     ibm-slapdMasterDN: cn=ldap_bind_user
     ibm-slapdMasterPW: ldap_bind_user_password
     ibm-slapdMasterReferral: ldap://server1.hu.ibm.com:389
     objectclass: ibm-slapdReplication
  6. Save the file.

  7. Restart both servers:

     /opt/IBM/ldap/V6.4/sbin/idsslapd -I sdsinst -k
     /opt/IBM/ldap/V6.4/sbin/idsslapd -I sdsinst

ibm-slapdMasterDN and ibm-slapdMasterPW are the credentials the other peer presents when it binds as a supplier. Replace ldap_bind_user_password with a long random password, use the same value for replicaCredentials in the replication LDIF, and keep ibmslapd.conf readable only by the instance owner, since the password is stored in it in clear text.

Create peer to peer configuration LDIF file

This is the complete peer to peer topology as one LDIF file (saved as /install/peertopeer.ldif in the commands below). The same file is loaded on both servers; cn=ldap_bind_user and ldap_bind_user_password must match the values in ibmslapd.conf.

dn: O=IBM,C=HU
changetype: modify
add: objectclass
objectclass: ibm-replicationContext

dn: ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicaGroup
ibm-replicaGroup: default

dn: ibm-replicaServerId=Peer1,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: Peer1
ibm-replicationServerIsMaster: true
cn: Peer1
description: Subentry for Peer1.

dn: ibm-replicaServerId=Peer2,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicaSubentry
ibm-replicaServerId: Peer2
ibm-replicationServerIsMaster: true
cn: Peer2
description: Subentry for Peer2.

dn: cn=ReplicaBindCredentials,O=IBM,C=HU
changetype: add
objectclass: ibm-replicationCredentialsSimple
cn: ReplicaBindCredentials
replicaBindDN: cn=ldap_bind_user
replicaCredentials: ldap_bind_user_password
description: Bind Credentials on peer1 and peer2 to bind to each other.

dn: cn=Peer2, ibm-replicaServerId=Peer1,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicationAgreement
cn: Peer2
ibm-replicaConsumerId: Peer2
ibm-replicaUrl: ldap://server2.hu.ibm.com:389
ibm-replicaCredentialsDN: cn=ReplicaBindCredentials,O=IBM,C=HU
description: Replication agreement from peer1 to peer2.

dn: cn=Peer1, ibm-replicaServerId=Peer2,ibm-replicaGroup=default,O=IBM,C=HU
changetype: add
objectclass: top
objectclass: ibm-replicationAgreement
cn: Peer1
ibm-replicaConsumerId: Peer1
ibm-replicaUrl: ldap://server1.hu.ibm.com:389
ibm-replicaCredentialsDN: cn=ReplicaBindCredentials,O=IBM,C=HU
description: Replication agreement from peer2 to peer1.
  1. First, log on to server 2 and load the file locally:

     /opt/IBM/ldap/V6.4/bin/ldapmodify -D cn=root -w ? -k -l -i /install/peertopeer.ldif
  2. Then do the same on server 1:

     /opt/IBM/ldap/V6.4/bin/ldapmodify -D cn=root -w ? -k -l -i /install/peertopeer.ldif
  3. Start replication from server 2 by replicating the topology of O=IBM,C=HU to its peer:

     /opt/IBM/ldap/V6.4/bin/ldapexop -D cn=root -w ? -op repltopology -rc O=IBM,C=HU

Two things to keep in mind: cn=ReplicaBindCredentials,O=IBM,C=HU stores the bind password in the directory, so restrict read access to that entry with an ACL; and the agreements use plain ldap:// on port 389, so the peers authenticate to each other in clear text over the network. If SSL is configured on both servers, point ibm-replicaUrl at ldaps://<peer>:636 instead.

Verify replication is working

You can verify replication is working between the two servers by issuing the following commands against both servers:

 /opt/IBM/ldap/V6.4/bin/idsldapsearch -h server1.hu.ibm.com -p 389 -D cn=root -w ? -b "" -s sub objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount
 /opt/IBM/ldap/V6.4/bin/idsldapsearch -h server2.hu.ibm.com -p 389 -D cn=root -w ? -b "" -s sub objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount

Both commands should return the agreement entries under O=IBM,C=HU with ibm-replicationState=ready and ibm-replicationPendingChangeCount=0.
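The two searches return one entry per agreement, which is easy to misread on a busy server and useless in a cron job. The following shell check is an added example for this guide, not code from the original page or from IBM: it reads the attribute=value output of idsldapsearch, prints one summary line per agreement, and exits non-zero if any agreement is not ready, still has pending changes, or no agreement is found at all. It assumes agreement DNs begin with cn= as they do in the topology above; the two sample outputs it carries are constructed, and the "retrying" state in the second one is illustrative.

```shell
#!/bin/sh
# Added example for this guide (not from the original page or IBM's tooling):
# pass/fail check over the replication-agreement search used for verification.
set -eu

# Reads idsldapsearch output (attr=value form) for
#   objectclass=ibm-replicationAgreement ibm-replicationState ibm-replicationPendingChangeCount
# on stdin. Prints "<DN> state=<s> pending=<n>" per agreement and exits
# 0 only if every agreement is ready with zero pending changes.
check_agreements() {
    awk '
        function flush() {
            if (dn != "") {
                printf "%s state=%s pending=%s\n", dn, state, pending
                if (tolower(state) != "ready" || pending != "0") bad++
                n++
            }
            dn = ""; state = "?"; pending = "?"
        }
        BEGIN { dn = ""; bad = 0; n = 0 }
        # an agreement DN starts a new record (assumption: DNs begin with cn=)
        /^cn=/ { flush(); dn = $0; next }
        /^ibm-replicationState=/ { state = substr($0, index($0, "=") + 1); next }
        /^ibm-replicationPendingChangeCount=/ { pending = substr($0, index($0, "=") + 1); next }
        END {
            flush()
            if (n == 0) { print "no replication agreements found"; exit 1 }
            exit (bad > 0)
        }
    '
}

# Constructed sample output (not captured from a real server): a healthy
# agreement as server 1 would show it after setup.
healthy_sample() {
    printf '%s\n' \
        'cn=Peer2,ibm-replicaServerId=Peer1,ibm-replicaGroup=default,O=IBM,C=HU' \
        'ibm-replicationState=ready' \
        'ibm-replicationPendingChangeCount=0' ''
}

# Constructed sample output: the reverse agreement stuck with a backlog
# (for example because the bind password in ibmslapd.conf was mistyped).
broken_sample() {
    printf '%s\n' \
        'cn=Peer1,ibm-replicaServerId=Peer2,ibm-replicaGroup=default,O=IBM,C=HU' \
        'ibm-replicationState=retrying' \
        'ibm-replicationPendingChangeCount=17' ''
}
```

In production, pipe the idsldapsearch command from above into check_agreements for each server, for example from a cron job that alerts on a non-zero exit status; a persistently non-zero pending count on one side usually means that peer cannot bind to the other with the configured master DN and password.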

The final step is to modify an entry on server 1 and verify on server 2 that the change is replicated, then vice versa.

Happy replication!