The central element of every identity management system is usually a directory service, a repository that stores and manages information such as user profiles, access privileges, and network resources. Univention Corporate Server (UCS) uses OpenLDAP for this task.
If the directory service is down, many other services are no longer available. In this article we are going to show you how to plan a fail-safe environment for your UCS domain with LDAP replication, i.e., storing an exact copy of the data on multiple servers – this improves the reliability as well as the performance.
Advantages of LDAP Replication
Larger companies and organizations spread across several locations in particular should consider their fail-safe and load-balancing strategies, but it also makes sense for smaller environments. LDAP replication automatically distributes all data between the servers, which means that all databases are always up-to-date. If the primary server with the directory service is down, another server can step in and take over. Having a second machine can also improve general performance.
It’s not very complicated to set up LDAP replication in a UCS domain; simply use the Univention Management Console (UMC). Before we explain the detailed configuration, let’s have a look at the UCS system roles.
DC Master, DC Backup, and DC Slave
The domain controller master (DC master) provides the only writable copy of the LDAP directory, so it’s the server where changes to the LDAP directory happen. There can only be one master domain controller. The master also contains sensitive information. It stores (and changes upon request) the users’ passwords and provides the CA (Certificate Authority) for SSL certificates in the UCS domain.
A DC backup contains an exact copy of the master (including all passwords and SSL certificates) and can, therefore, replace the DC master in case of emergency. The backup server can work as a fallback and take over the master’s job.
The DC slave is a read-only copy. Unlike the DC backup, the slave doesn’t contain all the SSL certificates and can therefore never take over as master. However, the slave stores all data necessary to provide local LDAP services without network latencies, for example for groupware applications that send out frequent requests.
Please note that the order of servers matters in a replication setup: changes happen on the master. One or more DC backup systems replicate from the master. The slaves replicate from one of the backups or directly from the master.
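The replication chain above (backups replicate from the master, slaves from the master or a backup) can be verified from the shell of each UCS system. The following script is an added example and not part of the article or of UCS itself; the decision logic is a pure function, and the live check around it assumes the standard `ucr` and `univention-ldapsearch` tools, the UCR keys `server/role` and `ldap/server/name`, and the `univentionServerRole` attribute on the host objects (values master/backup/slave/member).

```shell
#!/bin/sh
# Added example (not from the Univention article): sanity-check the replication
# chain of a UCS system. Assumptions are labelled in the comments.

# Decide whether SOURCE_ROLE is an acceptable replication source for MY_ROLE.
# Rules from the article: the master is the only writable copy and replicates
# from nobody; backups replicate from the master; slaves replicate from the
# master or a backup. Prints "ok" or a reason; returns 0 (ok) or 1 (not ok).
replication_source_ok() {
  my_role=$1; source_role=$2
  case "$my_role" in
    domain_controller_master)
      [ "$source_role" = "none" ] && { echo ok; return 0; }
      echo "master must not have a replication source"; return 1 ;;
    domain_controller_backup)
      [ "$source_role" = "master" ] && { echo ok; return 0; }
      echo "backup must replicate directly from the master"; return 1 ;;
    domain_controller_slave)
      case "$source_role" in
        master|backup) echo ok; return 0 ;;
      esac
      echo "slave must replicate from the master or a backup"; return 1 ;;
    *)
      # memberserver and anything else: no local LDAP replica to check
      echo "role '$my_role' has no local LDAP replica"; return 1 ;;
  esac
}

# Live check for this host (assumption: UCR keys and LDAP attribute as named).
check_this_host() {
  my_role=$(ucr get server/role)
  if [ "$my_role" = domain_controller_master ]; then
    replication_source_ok "$my_role" none; return
  fi
  src=$(ucr get ldap/server/name)   # FQDN of the LDAP server this host replicates from
  src_cn=${src%%.*}                  # the host object is addressed by its short name
  src_role=$(univention-ldapsearch -LLL \
      "(&(objectClass=univentionDomainController)(cn=$src_cn))" univentionServerRole \
      | sed -n 's/^univentionServerRole: //p')
  replication_source_ok "$my_role" "${src_role:-unknown}"
}

# Only run the live check where the UCS tools exist; elsewhere just define the functions.
if command -v ucr >/dev/null 2>&1 && command -v univention-ldapsearch >/dev/null 2>&1; then
  check_this_host
fi
```

Run it on each backup and slave after joining; a slave that points at another slave, or a backup that points at a backup, is reported as a misconfigured chain rather than silently accepted.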
Configuration of LDAP Replication
The first UCS you install automatically gets the system role DC master. Other computers joining an existing UCS domain can be assigned the roles DC backup, DC slave, or member server (systems without a local LDAP server).
UCS automatically configures LDAP replication and uses its own listener/notifier mechanism. The listener service runs on all UCS systems, whereas the notifier is only active on the DC master (and on DC backup systems, if present). The notifier service monitors changes in the LDAP directory and transmits them to all listeners.
During the installation of a new UCS machine, it’s important to assign the correct system role. The first computer is the DC master, and for every other machine, you can select an existing UCS server from the Network menu as the domain controller. When the setup wizard asks you to choose a system role, first join an existing UCS domain and then choose between DC backup and DC slave.
After that, enter the password for the Administrator account. Alternatively, you can enter the username of another account that’s a member of both the Domain Administrators and the Backup-Join groups. That’s all – UCS automatically configures everything else when you join a domain.
Monitoring the LDAP Replication
Of course, LDAP replication is only useful if it continuously distributes the data from the master to the other servers. Network problems may disturb the data transfer. In most cases the replication is self-healing, so you don’t have to intervene.
If you’re looking for monitoring software that checks the replication status and sends an alert when something goes wrong, have a look at Nagios in the Univention App Center. During installation it creates several checks for the computers in the UCS domain and automatically starts monitoring the LDAP servers and the replication status.
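The listener/notifier mechanism described in the configuration section and the Nagios replication monitoring mentioned here rest on the same observable: the notifier on the DC master hands out increasing transaction ids, every listener records the last id it has applied, and changes that could not be applied locally are written to a failure file. The following Nagios-style check is an added example, not the article's text and not the check that UCS ships with Nagios. The classification is a pure function; the live part assumes the listener's last id is stored in `/var/lib/univention-directory-listener/notifier_id`, that the master's current id can be fetched with `/usr/share/univention-directory-listener/get_notifier_id.py`, and that failed changes land in `/var/lib/univention-directory-replication/failed.ldif` (all labelled assumptions in the code).

```shell
#!/bin/sh
# Added example (not from the Univention article, not the UCS Nagios plugin):
# classify the replication state of a listener in Nagios style.

# $1 = current notifier id on the master, $2 = last id processed by the local
# listener, $3 = number of entries in failed.ldif, $4 = lag threshold (default 10).
# Prints one status line; returns 0 (OK), 1 (WARNING) or 2 (CRITICAL).
replication_status() {
  master_id=$1; local_id=$2; failed=$3; warn_lag=${4:-10}
  if [ "$failed" -gt 0 ]; then
    echo "CRITICAL - $failed change(s) could not be replicated (see failed.ldif)"
    return 2
  fi
  lag=$((master_id - local_id))
  if [ "$lag" -lt 0 ]; then
    # the listener claims to be ahead of the notifier: ids are inconsistent
    echo "CRITICAL - listener id $local_id ahead of notifier id $master_id"
    return 2
  fi
  if [ "$lag" -gt "$warn_lag" ]; then
    echo "WARNING - replication lags $lag transaction(s) behind the master"
    return 1
  fi
  echo "OK - replication in sync (lag $lag)"
  return 0
}

# Live check on a UCS system (assumed paths, see lead-in).
check_local_listener() {
  listener_file=/var/lib/univention-directory-listener/notifier_id
  failed_file=/var/lib/univention-directory-replication/failed.ldif
  get_id=/usr/share/univention-directory-listener/get_notifier_id.py
  local_id=$(cat "$listener_file")
  master_id=$("$get_id")
  failed=0
  if [ -f "$failed_file" ]; then
    # one LDIF entry per "dn:" line; grep -c exits 1 when it counts nothing
    failed=$(grep -c '^dn:' "$failed_file" || true)
  fi
  replication_status "$master_id" "$local_id" "$failed" "${1:-10}"
}

# Only run the live check where the UCS listener files exist.
if [ -f /var/lib/univention-directory-listener/notifier_id ] \
   && [ -x /usr/share/univention-directory-listener/get_notifier_id.py ]; then
  check_local_listener "$@"
fi
```

The exit codes follow the Nagios plugin convention, so the script can be wired into any monitoring system that understands them; the optional argument raises the lag threshold for slaves behind slow WAN links.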
It’s straightforward to set up a fail-safe environment and LDAP replication in UCS – no matter how many servers, desktops, and users you have in your domain. No special knowledge is required because of the automatic setup: high availability, load balancing, and replication are just a few clicks away!