Replication of LDAP data

By: Hernan Quevedo user 04 Jul 2017 at 9:07 p.m. CDT

18 Responses
Hernan Quevedo gravatar
Hi. I was wondering if users created on the Gluu server, plus all of the necessary configuration data, could be replicated from one datacenter to another, by means of replication mechanisms like AWS S3 or anything of the sort. We currently have an AWS infrastructure that replicates online and makes an image in case of an outage, and I would like to know if data created in the LDAP inside Gluu could be put inside this scheme, or could be replicated to the other infrastructure by exporting apps, secret ids and user data. Thanks.
CentOS67
closed

Answers

By Mohib Zico staff 05 Jul 2017 at 1:24 a.m. CDT

Copy
Mohib Zico gravatar
Hi Hernan, I am sorry but I think I didn't understand your question. Can you please explain a bit?

By Hernan Quevedo user 05 Jul 2017 at 9:02 a.m. CDT

Copy
Hernan Quevedo gravatar
Hi, Mohib. The thing is I have two "datacenters", a first site and a second. Between those, I have MySQL native replication online, and I was wondering if Gluu server have something like that, or, I can say Amazon to put in place a mechanism in order to backup Gluu-LDAP user data in some file system path, so it can be written to S3 in the event of an outage of the whole principal site. That way I can have a copy of the data in S3 and can be replicated into the second site, where another instance of Gluu is running. That way, the same users that existed in the first site when the outage ocurred can log into the second site. Thanks.

By Mohib Zico staff 05 Jul 2017 at 9:10 a.m. CDT

Copy
Mohib Zico gravatar
Thanks for clarification. I have changed the 'Category' a bit from "Outages" to "Maintenance". For Gluu Servers HA, here is what we generally do: - A cluster setup which has a minimum 2 Gluu server ( note: Full Gluu Server ) with same hostname, both are active-active mode; behind a Load balancer. - These two Gluu Servers are synced. Synced means... LDAP replication, File system replication etc. - Clustering are different for Gluu Server v2.4 and v3.0. - For v3.0: It's called [Cluster Manager](https://gluu.org/docs/cm/alpha/) which can create a multi-master topology for all Gluu Servers who are behind LB. - For v2.4: LDAP are replicated with standard replication method ( It's Multi-Master too ). File system are replication are maintained by CSync2 tool. Please note that, if you want HA or failover; you need the full package of Gluu Server; that means... fully installed Gluu Server with all it's component. If you have further question or if my comment didn't answer your question please feel free to let us know.

By Hernan Quevedo user 05 Jul 2017 at 9:36 a.m. CDT

Copy
Hernan Quevedo gravatar
Thanks for your answer. Now, when you say full Gluu Server, what exactly does that mean? I installed 2.4.4.2 with yum, what does this lack from? What are the differences?

By Mohib Zico staff 05 Jul 2017 at 9:52 a.m. CDT

Copy
Mohib Zico gravatar
That will do. I emphasized on 'full Gluu Server' because I thought you were giving importance on LDAP data only. :-)

By Hernan Quevedo user 05 Jul 2017 at 10:14 a.m. CDT

Copy
Hernan Quevedo gravatar
Oh, ok, great. Now, do you have a link for the csync2 tool working with Gluu server? Like an example or a proof of concept?

By Mohib Zico staff 05 Jul 2017 at 10:15 a.m. CDT

Copy
Mohib Zico gravatar
It's in the doc. Check out 'Cluster configuration' for 2.4.x series.

By Hernan Quevedo user 05 Jul 2017 at 10:58 a.m. CDT

Copy
Hernan Quevedo gravatar
Excellent. Now, just clarify, this tool can be configured so that between both clusters, a user created or modified in the first one, is instantly replicated in the other cluster, right? At a first glance, I see that this is done with a cronjob, but, generally speaking, this would be how it would work?

By Mohib Zico staff 05 Jul 2017 at 11 a.m. CDT

Copy
Mohib Zico gravatar
>> this tool can be configured so that between both clusters, a user created or modified in the first one, is instantly replicated in the other cluster, right? Yes, that's the job of ldap replication. >> At a first glance, I see that this is done with a cronjob No. CSync2 is running from cronjob to maintain a timeframe... 1st, 3rd, 5th mins etc.

By Hernan Quevedo user 05 Jul 2017 at 11:35 a.m. CDT

Copy
Hernan Quevedo gravatar
Mohib, thank you very much. Clearified. Now, depending on the LDAP user base, the bandwidth and CPU taken by this process, could be accounted for inside a capacity planning? Like, typically, for a user base of 500 to 600 users, the cronjob timeframe could take a noticiable amount of CPU and bandwidth? Do this update the new or modified entries only or replicates the total user base?

By Mohib Zico staff 05 Jul 2017 at 11:39 a.m. CDT

Copy
Mohib Zico gravatar
I think there is some misunderstanding there. That cron job is for 'CSync', not LDAP replication. LDAP replication is different section and not only user information but all kind of ldap information are shared and updated in real time between all nodes of cluster.

By Hernan Quevedo user 05 Jul 2017 at 3:36 p.m. CDT

Copy
Hernan Quevedo gravatar
Hmm, ok. So let me get this straight: one creates a cronJob in order to set up csync tool to replicate filesystem data of Gluu server, right? This filesystem data includes all the data configured through the Gluu server console, like applications registered, clientIds, secretIds, etc..., right? And, one also should create another job for LDAP replication which includes what you say, is that right?

By Mohib Zico staff 05 Jul 2017 at 3:39 p.m. CDT

Copy
Mohib Zico gravatar
>> one creates a cronJob in order to set up csync tool to replicate filesystem data of Gluu server, right? Yes. >> This filesystem data includes all the data configured through the Gluu server console, like applications registered, clientIds, secretIds, etc..., right? No. >> one also should create another job for LDAP replication which includes what you say, is that right? No.

By Hernan Quevedo user 06 Jul 2017 at 9:27 a.m. CDT

Copy
Hernan Quevedo gravatar
All right. So, in order to replicate the LDAP user data in both instances of Gluu server, do I need both the filesystem replication and LDAP replication? Sorry, I'm a bit confused. Another question is, what's the difference between the mechanism you gave and this: [Setting-up-LDAP-replication](https://gluu.org/docs/cm/alpha/replication/Setting-up-LDAP-replication/)

By Mohib Zico staff 06 Jul 2017 at 9:31 a.m. CDT

Copy
Mohib Zico gravatar
>> So, in order to replicate the LDAP user data in both instances of Gluu server, do I need both the filesystem replication and LDAP replication? No, just LDAP-replication will do replication of ldap data. >> what's the difference between the mechanism you gave and this: Setting-up-LDAP-replication 3.x is using OpenLDAP, 2.x using OpenDJ. Types of replication are different for OpenLDAP and OpenDJ.

By Hernan Quevedo user 06 Jul 2017 at 12:13 p.m. CDT

Copy
Hernan Quevedo gravatar
Perfect. What if I want to make sure one user created on the principal Gluu server was in fact replicated in the contingency Gluu server? What command can I give in the contingency Gluu server?

By Mohib Zico staff 06 Jul 2017 at 12:16 p.m. CDT

Copy
Mohib Zico gravatar
>> What if I want to make sure one user created on the principal Gluu server was in fact replicated in the contingency Gluu server? What command can I give in the contingency Gluu server? Create one user from first Gluu Server using GUI, search for that user in 2nd Gluu Server using GUI. Other than that... there are ldapsearch ( for OpenDJ / OpenLDAP ) command to do lookup any LDAP server; you can use that command to search any entry.

By Hernan Quevedo user 06 Jul 2017 at 5:53 p.m. CDT

Copy
Hernan Quevedo gravatar
Of course. Mohib, you've very helpful. Thanks for everything, this is excellent support. I'm gonna be setting up this LDAP synchronization soon, and hopefully, I won't be opening any more tickets. Otherwise, I know I can count on this awesome support. Most likely, I'm gonna setup a call to know more about the basic VIP support. Thanks again.

Post an answer