The central element of every identity management system is usually a directory service, a repository that stores and manages information such as user profiles, access privileges, and network resources. Univention Corporate Server (UCS) uses OpenLDAP for this task.
If the directory service is down, many other services are no longer available. In this article we are going to show you how to plan a fail-safe environment for your UCS domain with LDAP replication, i.e., storing an exact copy of the data on multiple servers – this improves the reliability as well as the performance.
Advantages of LDAP Replication
Larger companies and organizations spread across several locations in particular should consider their fail-safe and load-balancing strategies, but it also makes sense for smaller environments. LDAP replication automatically distributes all data between the servers, which means that all databases are always up to date. If the primary server with the directory service is down, another server can step in and take over. Having a second machine can also improve general performance.
It’s not very complicated to set up LDAP replication in a UCS domain; all you need is the Univention Management Console (UMC). Before we explain the detailed configuration, let’s have a look at the UCS system roles.
DC Master, DC Backup, and DC Slave
The domain controller master (DC master) provides the only writable copy of the LDAP directory, so it’s the server where changes to the LDAP directory happen. There can only be one master domain controller. The master also contains sensitive information. It stores (and changes upon request) the users’ passwords and provides the CA (Certificate Authority) for SSL certificates in the UCS domain.
A DC backup contains an exact copy of the master (including all passwords and SSL certificates) and can, therefore, replace the DC master in case of emergency. The backup server can work as a fallback and take over the master’s job.
The DC slave is a read-only copy. Unlike the DC backup, the slave doesn’t contain all the SSL certificates and can therefore never take over as master. However, the slave stores all data necessary to provide local LDAP services without network latencies, for example for groupware applications that send out frequent requests.
Please note that the order of servers matters in a replication setup: changes happen on the master, one or more DC backup systems replicate from the master, and the slaves replicate from one of the backups or directly from the master.
Configuration of LDAP Replication
The first UCS you install automatically gets the system role DC master. Other computers joining an existing UCS domain can be assigned the roles DC backup, DC slave, or member server (systems without a local LDAP server).
UCS configures LDAP replication automatically, using its own listener/notifier mechanism. The listener service runs on all UCS systems, whereas the notifier is only active on the DC master (and on DC backup systems, if present). The notifier service monitors changes in the LDAP directory and transmits them to all listeners.
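As an added example (not code from Univention or from this article), the script below checks a planned replication layout against the rules given above (one writable master, backups replicating from the master, slaves from a backup or the master, member servers without LDAP) and reports replicas whose listener has fallen behind the notifier. It assumes, as labelled in the comments, that the master's newest transaction ID is the first field of the last line of its notifier transaction file and that each listener records the last ID it applied in a notifier_id file; both are fed in here as constructed strings so the check runs offline.

```python
"""Topology and replication-lag checks for a UCS LDAP replication plan."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    role: str                              # "master", "backup", "slave" or "member"
    replicates_from: Optional[str] = None  # name of the server this one replicates from


def validate_topology(servers: List[Server]) -> List[str]:
    """Return the rule violations found in the planned layout (empty list = sound)."""
    by_name = {s.name: s for s in servers}
    problems = []
    masters = [s for s in servers if s.role == "master"]
    if len(masters) != 1:
        problems.append(f"expected exactly one DC master, found {len(masters)}")
    if not any(s.role == "backup" for s in servers):
        problems.append("no DC backup: nothing can take over if the master fails")
    for s in servers:
        src = by_name.get(s.replicates_from) if s.replicates_from else None
        if s.role == "master" and s.replicates_from:
            problems.append(f"{s.name}: the master holds the only writable copy and replicates from nobody")
        elif s.role == "backup" and (src is None or src.role != "master"):
            problems.append(f"{s.name}: a DC backup must replicate from the DC master")
        elif s.role == "slave" and (src is None or src.role not in ("master", "backup")):
            problems.append(f"{s.name}: a DC slave must replicate from the master or a backup")
        elif s.role == "member" and s.replicates_from:
            problems.append(f"{s.name}: a member server runs no LDAP server and does not replicate")
    return problems


def last_transaction_id(transaction_file: str) -> int:
    """Newest notifier transaction ID: assumed to be the first field of the last line."""
    lines = [ln for ln in transaction_file.splitlines() if ln.strip()]
    return int(lines[-1].split()[0]) if lines else 0


def replication_lag(master_id: int, replica_ids: Dict[str, int], max_lag: int = 0) -> Dict[str, int]:
    """Transactions each replica has not yet applied; only replicas above max_lag are reported."""
    return {host: master_id - seen for host, seen in replica_ids.items() if master_id - seen > max_lag}


# Constructed sample data (hypothetical hosts and IDs, not taken from a real domain)
PLAN = [Server("master", "master"), Server("backup1", "backup", "master"),
        Server("slave1", "slave", "backup1"), Server("slave2", "slave", "slave1"),  # slave2 is misconfigured
        Server("member1", "member")]
TRANSACTIONS = "1 uid=alice,cn=users,dc=example,dc=com a\n2 uid=alice,cn=users,dc=example,dc=com m\n3 cn=printers,dc=example,dc=com a\n"
LISTENER_IDS = {"backup1": 3, "slave1": 3, "slave2": 1}  # last ID each listener applied

if __name__ == "__main__":
    print(validate_topology(PLAN))
    print(replication_lag(last_transaction_id(TRANSACTIONS), LISTENER_IDS))
```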
During the installation of a new UCS machine, it’s important to assign the correct system role. The first computer is the DC master, and for every other machine, you can select an existing UCS server from the Network menu as the domain controller. When the setup wizard asks you to choose a system role, first join an existing UCS domain and then choose between DC backup and DC slave.