Skip to content

Latest commit

 

History

History
278 lines (226 loc) · 9.54 KB

multi-server-multi-master-ldap-replication.adoc

File metadata and controls

278 lines (226 loc) · 9.54 KB

Configuring Multi-Master Replication

Set up multi-master LDAP replication to have a copy of the LDAP database saved on each server in a group of LDAP servers identified for multi-master replication (MMR). The database can be updated by any member of the group. If one master fails, the other masters continue to update the database.

The {product-short} install program is used to configure the multi-master LDAP servers. Each master LDAP server is given an unique identifier when they are configured and zmlocalconfig is used to add the ldap server to the multi- master group.

You can also promote an existing replica to be part of the multi-master group.

Managing Multiple Master LDAP Servers

When you enable multi-master replication, you assign a server ID to each master server to identify them in the group. This is used to distinguish the servers in the group and to help resolve conflicts that might occur.

In addition, each server is configured to assign internal replication ID’s that are unique to that specific server. Other LDAP master server can use the same replication ID, but within the server, these replication IDs must be unique.

You can run the {product-abbrev} multiple master CLI, zmldapquery-mmr from a specific master to see the server ID for that master and all multi-master servers that are in the group and to see the replication ID values for those masters.

On the server, enter the command as:

/opt/zimbra/libexec/zmldapquery-mmr

Before you can enable the multi-master replication feature, you must know the hostname of the first secondary master that is being added to the group. The hostname is entered when you enable the feature. Once you enable the multi- master replication feature, you do not need to run the command again.

When zmlocalconfig is run the first time, the master LDAP servers are configured as follows:

  • The first master LDAP server ID is set to 1.

  • The master LDAP server is put in a group with a secondary master that is listening to LDAP on port 389.

  • The replication ID is set to 100 by default on the secondary master.

  • Writes initiated from the server go to the LDAP master-1 by default. If LDAP master-1 is down, writes move to ldap master-2.

    1. To enable the feature run:

      ./libexec/zmldapenable-mmr -s 1 -m ldap://<<master-2.example.com>>:389/
    2. Once the feature is enabled use the zmlocalconfig command to add the LDAP servers to a group.

      zmlocalconfig -e ldap_master_url="ldap://<<master-1.example.com>>:389 ldap://<<master-2.example.com>>:389"

Installing a Secondary Master LDAP Server

The master LDAP server must be running when you install the secondary LDAP servers. You run the {product-abbrev} install program on the secondary master LDAP servers to install the LDAP package.

Passwords Required to Install the Secondary Master

Note

Before you install a secondary master, you must know the following passwords:

  • {product-short} admin LDAP password

  • LDAP replication password

  • NGINX LDAP password

  • Amavis LDAP password

  • Postfix LDAP password

To find these passwords, on the {product-abbrev} server run:

zmlocalconfig -s | grep passw | grep ldap

Setting Up a Secondary Master LDAP Server

  1. Follow steps 1 through 4 in [starting_multiple_server_install] to open a SSH session to the LDAP server, log on to the server as root, and unpack the {product-short} software.

  2. Type Y and press Enter to install the zimbra-ldap package.

  3. Type Y, and press Enter to modify the system. The selected packages are installed. The Main menu shows the default entries for the LDAP server.

  4. Type 1 to display the Common Configuration submenu.

    1. Type 2 to change the LDAP Master host name to the name of the primary master’s hostname; e.g., master-1.example.com.

    2. Type 4 to change the LDAP admin password to the {product-short} admin password of the primary master.

    3. Type r to return to the main menu.

  5. Type 2 to display the LDAP configuration submenu.

    1. Type 4 to change the type to mmr.

      Note
      Item 5, LDAP Server ID, is set to 2. If this is the second master, leave it unchanged. If it the third or later master, select 5 and update the server ID accordingly.

      The next four steps are to change the default passwords on this server to match the passwords on the master-1 LDAP server.

    2. Type 7 to change the LDAP replication password.

    3. Type 8 to change the LDAP postfix password.

    4. Type 9 to change the LDAP amavis password.

    5. Type 10 to change the LDAP NGINX password.

    6. Type r to return to the main menu.

  6. Type a to apply the configuration changes. Press Enter to save the configuration data.

  7. When Save Configuration data to a file appears, press Enter.

  8. When The system will be modified - continue? appears, type y and press Enter.

    Note
    The server is modified. Installing all the components and configuring the server can take a few minutes.
  9. When Installation complete - press return to exit displays, press Enter. The installation is complete.

  10. Update the ldap_master_url attribute to contain both masters, enter this new master as the first master in the list.

    zmlocalconfig -e ldap_master_url="ldap://<<master-2.example.com>>:389 ldap://<<master-1.example.com>>:389"

Promote Existing Replicas to Multi-Master LDAP Servers

In an existing {product-abbrev} setup where there is already a single master and multiple replicas, you can promote an existing replica to become a secondary master.

  1. On the master LDAP server find the LDAP replication, Postfix, Amavis, and NGINX passwords.

    zmlocalconfig -s | grep passw | grep ldap
  2. Change the LDAP passwords on the server you are promoting to be the same as the first master LDAP server.

    • LDAP replication password = zmldappasswd -l <password>

    • LDAP postfix password = zmldappasswd -p <password>

    • LDAP amavis password = zmldappasswd -a <password>

    • LDAP NGINX password = zmldappasswd -n <password>

  3. Assign the next Server ID to this master. This example is 3

    /opt/zimbra/libexec/zmldappromote-replica-mmr -s 3
  4. Update the ldap_master_url attribute to add the master to the list.

    zmlocalconfig -e ldap_master_url="ldap://<<master-1.example.com>>:389 \
      ldap://<<master-2.example.com>>:389 ldap://<<master-3.example.com>>:389"

This updates the replica to be a multi-master replica, enabled with a server ID. It is automatically configured to be a paired master with the master it was previously replicating from.

Deleting a Multi-Master Replication Node

To delete a multi-master replication (MMR) node, use the following steps.

Note
Deleting an MMR node can only be performed in {product-abbrev} 8.0.7 and later.
  1. Update the ldap_master_url and ldap_url on every node, removing the LDAP MMR node that will be shut down.

  2. Wait 5-10 minutes to ensure the modification is in place.

  3. Monitor /var/log/zimbra.log on the MMR node that will be shut down and confirm it is no longer receiving modification traffic.

  4. Run ldap stop on the MMR node that is being shut down.

  5. Log into the remaining MMR nodes and perform the following:

    1. /opt/zimbra/libexec/zmldapmmrtool -q

    2. Find the matching RID for the MMR node you shut down.

    3. /opt/zimbra/libexec/zmldapmmrtool -d -o RID

Example of Deleting an MMR Node

The following is an example of using zmldapmmrtool.

  1. There are three MMR servers, ldap-1.example.com, ldap-2.example.com, ldap-3.example.com, with ldap-3.example.com being shut down.

    zimbra@ldap-1:/tmp/mmr$ ./zmldapmmrtool -q
    Master replication information
    Master replica 1
    rid: 100 URI: ldap://ldap-2.example.com:389/ TLS: critical Master replica 2
    rid: 101 URI: ldap://ldap-3.example.com:389/ TLS: critical
  2. The RID being used by ldap-3.example.com is 101. This agreement can be deleted with:

    zimbra@ldap-1:/tmp/mmr$ ./zmldapmmrtool -d -o 101
  3. Confirm the deletion.

    zimbra@ldap-1:/tmp/mmr$ ./zmldapmmrtool -q
    Master replication information
    Master replica 1
    rid: 100 URI: ldap://ldap-2.example.com:389/ TLS: critical zimbra@ldap-1:/tmp/mmr
  4. Repeat on the remaining node(s).

Monitoring Multiple LDAP Master Status

The Monitoring LDAP Replication Status feature monitors the change sequence number (CSN) values between an LDAP master server and an LDAP replica server. The replica server is considered a shadow copy of the master server. If the servers become out of sync, the monitoring feature indicates the problem. The out of sync time period is typically five minutes, although this value is configurable.

Feature Requirement

Run the script zmreplchk located in /opt/zimbra/libexec.

Important
This script must be run on a {product-abbrev} server that has a localconfig value set for ldap_url that includes all of the master servers.

For example, ldap-2.example.com is the master server, and ldap-3.example.com and ldap-4.example.com are additional servers. The following screen-shot shows the additional master servers are in sync with the master server, as indicated by the Code:0 and Status: In Sync, and master server ldap005 is currently down, as indicated by Code: 4 and Status: Server down.

zimbra@ldap-2.example.com
Master: ldap://ldap-3.example.com:389 Code: 0 Status: In Sync CSN: 20120528123456.123456Z#000000#001#000000
Master: ldap://ldap-4.example.com:389 Code: 0 Status: In Sync CSN: 20120528123456.123456Z#000000#001#000000
Master: ldap://ldap-5.example.com:389 Code: 4 Status: Server down