The LDAP slave provides a local copy of the LDAP directory that can be used even when the connection to Puavo and the LDAP master is down. Replication is provided by OpenLDAP's syncrepl module, which replicates changes from the master database in near real time while the connection is up. If the connection is lost, the slave catches up when the connection comes back.
The LDAP slave is configured using the puavo-ds-slave package. Note that it overwrites all local slapd configuration, so it currently cannot co-exist with other LDAP databases on the same host.
To install, install the puavo-ds-slave package; it pulls in slapd and the other required packages as dependencies:
sudo apt-get install puavo-ds-slave
OpenLDAP uses TLS to encrypt the connection to the master server. The address of the master server is read from /etc/puavo/ldap/master, and the hostname in the master's certificate must match that address. If the name does not resolve via public DNS, add it to the local /etc/hosts file:
/etc/hosts
10.10.10.10 ldap1.fqdn
Configuration is done with the puavo-init-ldap-slave command:
sudo puavo-init-ldap-slave
If the database is already configured and for some reason needs to be resynchronised, the easiest way is to reconfigure it with --force. This deletes the local copy of the database and resynchronises the whole database from the master.
sudo puavo-init-ldap-slave --force
To inspect the contents of the local LDAP directory, run the slapcat command (it reads the database files directly, so it works even when slapd is not running).
To make ldapsearch and the other OpenLDAP client tools use the local LDAP server by default, set the server information in /etc/ldap/ldap.conf:
/etc/ldap/ldap.conf
BASE <ldap base from /etc/puavo/ldap/base>
URI ldap://<hostname from /etc/puavo/hostname>.<puavo domain from /etc/puavo/domain>/
TLS_CACERT /etc/puavo/certs/rootca.pem
The hostname in the URI must resolve to the local server. If it is not in DNS, add it to /etc/hosts, replacing the address and name with those of the local server, e.g.:
10.10.10.20 testserver.test.domain.org
This is needed because the OpenLDAP server uses TLS and the server certificate, which is issued by Puavo, carries that name; the client verifies the certificate against the hostname in the URI.
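The following script is an added example, not part of puavo-ds-slave or the Puavo project, that ties the steps above together: it checks that the master address from /etc/puavo/ldap/master and the slave's own FQDN both resolve (DNS or /etc/hosts), renders the /etc/ldap/ldap.conf body from the /etc/puavo files named above, and then compares the contextCSN operational attribute of the suffix entry on the master and on the local copy to tell whether syncrepl has caught up. It assumes two things the page does not state: that contextCSN is anonymously readable on both servers, and that both accept STARTTLS on port 389 (ldapsearch -ZZ). Without the --check argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not part of puavo-ds-slave: sanity checks for the slave
# setup described on this page. Assumptions (not stated by the page):
#  - the suffix entry's contextCSN is anonymously readable on both servers,
#  - both servers accept STARTTLS on port 389 (ldapsearch -ZZ).
# Usage: sh check-ldap-slave.sh --check
# (without --check only the functions are defined, so the file can be sourced).

# Render the /etc/ldap/ldap.conf body from the page: base, hostname, domain.
render_ldap_conf() {
    printf 'BASE %s\nURI ldap://%s.%s/\nTLS_CACERT /etc/puavo/certs/rootca.pem\n' \
        "$1" "$2" "$3"
}

# A hostname must resolve (DNS or /etc/hosts) before the TLS name check can pass.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Compare the master's and the slave's contextCSN. A CSN looks like
# 20240101120000.000000Z#000000#000#000000 (timestamp#count#sid#mod); the
# first two fields sort lexically, so a C-locale string sort orders them.
# Prints in-sync, behind (slave older), ahead (slave newer; should not happen
# with a single master) or unknown (a value could not be read).
csn_status() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown
        return
    fi
    mkey=$(printf '%s' "$1" | cut -d'#' -f1,2)
    lkey=$(printf '%s' "$2" | cut -d'#' -f1,2)
    if [ "$mkey" = "$lkey" ]; then
        echo in-sync
    elif [ "$(printf '%s\n%s\n' "$mkey" "$lkey" | LC_ALL=C sort | head -n 1)" = "$lkey" ]; then
        echo behind
    else
        echo ahead
    fi
}

# Fetch contextCSN of the suffix entry from one server over STARTTLS,
# verifying the server certificate against the Puavo root CA.
fetch_csn() {
    LDAPTLS_CACERT=/etc/puavo/certs/rootca.pem \
        ldapsearch -LLL -x -ZZ -H "ldap://$1/" -b "$2" -s base contextCSN \
        | sed -n 's/^contextCSN: //p'
}

if [ "${1:-}" = "--check" ]; then
    base=$(cat /etc/puavo/ldap/base)
    master=$(cat /etc/puavo/ldap/master)
    puavo_host=$(cat /etc/puavo/hostname)
    puavo_domain=$(cat /etc/puavo/domain)
    slave="$puavo_host.$puavo_domain"

    # Both names must resolve, otherwise TLS hostname verification cannot succeed.
    for h in "$master" "$slave"; do
        if ! host_resolves "$h"; then
            echo "ERROR: $h does not resolve; add it to /etc/hosts" >&2
            exit 1
        fi
    done

    echo "# suggested /etc/ldap/ldap.conf"
    render_ldap_conf "$base" "$puavo_host" "$puavo_domain"

    mcsn=$(fetch_csn "$master" "$base")
    lcsn=$(fetch_csn "$slave" "$base")
    echo "master contextCSN: $mcsn"
    echo "slave  contextCSN: $lcsn"
    echo "replication state: $(csn_status "$mcsn" "$lcsn")"
fi
```

A result of "behind" right after puavo-init-ldap-slave (or --force) is normal while the initial refresh runs; if it stays behind with the link up, check slapd's syncrepl log output. "ahead" points at a slave that was seeded from something other than the current master, and is a reason to resynchronise with --force.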