Highly Available LDAP

Creating a highly available authentication server using open-source software.
Recovery after a Failover

If updates have been made to the LDAP namespace while the master LDAP server is down, the LDAP databases must be resynchronized prior to restarting the master server. There are two methods for doing this. If a service interruption is possible, the databases can be hand-copied after the LDAP server has been stopped. (Data files are kept by default in /usr/local/var.)

You also can use OpenLDAP replication to restore the database without the service interruption. First, start the LDAP server on the former master node as a slave. Then start slurpd on the current master. Changes received while the former master was out of service are pushed from the new master. Finally, stop the slave LDAP server on the former master node, and start Heartbeat. This results in a failback to the original configuration.


This article outlines a simple example of using open-source software to create some highly available basic network services. Network services including LDAP seldom require huge servers. The additional reliability provided by clustering and the duplication of servers and data files can increase overall service availability. The system worked under all tests, with a failover of less than 15 seconds in all cases. Given a good understanding of system loads and utilization, failover time could be reduced below this threshold.


Thanks to Alan Robertson, IBM Linux Technology Center, for his helpful comments and review.


The foregoing article is based on laboratory tests undertaken in a laboratory environment. Results in particular customer installations may vary based on a number of factors, including workload and configuration in each particular installation. Therefore, the above information is provided on an AS IS basis. The WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Use of this information is at user's sole risk.


Jay D. Allen works by day on the leading edge of IT as a software engineer at the IBM Linux for Service Providers Lab (LSPL), working with Linux on Intel and RS/6000. By night he works on the trailing edge of IT, mostly with DEC PDP-11s and other antiques. He can be reached at allen5@us.ibm.com.

Cliff White is a member of the technical staff working for the Open Source Development Lab (www.osdl.org). He has worked with various flavors of UNIX and Linux since 1989. He authenticates himself each morning, just to be sure. He can be reached at cliffw@osdl.org.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Consistency of database

Anonymous's picture

Promoting LDAP SLAVE to MASTER can result in inconsistency of data ? can't it ?

Very nice article :)

Putting the LDAP database files on a NAS

buzz-lightyear's picture

I'm using LDAP for login authentication. I'd kinda wondered if I could avoid the LDAP Master/Slave business with slurpd by running two Masters - hang on that sounds bonkers. But what if they were configured with their database files on a shared NAS - even more stupid? But if Heartbeat is directing all LDAP traffic to one LDAP and then they failover cleanly, why wouldn't this work? Well if the "broken" server could still reach the database files on the NAS and you logged in at the console it would be bad. But the database files can only be reached via the network, and the "broken" server has no connection otherwise it would not have failedover. So the database files on the NAS are safe.

Good in theory. What do you think?

BTW. Very well written article. Thanks

Re: Highly Available LDAP

Anonymous's picture

"After compiling, we installed it in /etc/ha.d/resource.d/ and named it other_state."
After compiling api_test.c I find that the script api_test is not portable ! how did you get around this ?

Re: Highly Available LDAP

Anonymous's picture

Many a Thanks for sharing your experience and knowledge. Your article demistifies High Availability from cabala to very simple terms.

Manjunath Shastry

Re: Highly Available LDAP

Anonymous's picture

Cheers lads. Nice to see someone take the time to explain something in simple english. Too often Linux people take an arrogant approach to documentation. Not likely to entice many large corporations onto the scene. Well done on the article.

Re: Highly Available LDAP

Anonymous's picture

I really enjoyed this article the only thing is I would like to see the source code to the simple kde app that you used to query the ldap databases.

konetzed at fmlug dot org