deandra.homeip.net

OpenLDAP, with its single master and multiple read-only slaves, is generally very robust. However, there are times when you might have to kill your master replica and promote one of its slaves in place. Here's a brief rundown on how to do that.

Disclaimer: I've not actually done this, so I don't know if it really works. I take no responsibility for what you do before or after reading this document.

Note also that this does not cover partitioned replicas. Due to the lightness of LDAP, I found no need to partition my replicas.

Note also that this covers replication done with slurpd, not syncrepl. Syncrepl is the new standard as of OpenLDAP 2.4, and slurpd has been removed entirely. So, if you're using syncrepl, this information is not going to be of much use to you.

Let's say you're depurposing the machine housing the master replica, and you want to move the authority to another host. The first step is to stop the master slapd, so that it doesn't mess anything up during this process. Once the master slapd is shut down, no changes can be made to the LDAP database until another master is brought online.

The next step is to configure one of the slaves as a master. This means removing the updatedn and updateref lines from the slapd.conf, and adding a replogfile and one replica line for each slave. If you can, copy the existing lines from the old master.

Now, you need to change the updateref line in each of the slave slapd.conf files, so the server will refer clients to the new master instead of the old one when changes are requested.

After this is done, restart the newly promoted master LDAP server, and replication will proceed from the new master

Now, you have to update your client programs so that they'll know how to modify the directory. I believe libnss-ldap and libpam-ldap will chase referrals, but for smbldap-tools on Debian, you'll need to modify /etc/smbldap-tools/smbldap.conf and change the masterLDAP line