[bitnami/openldap] Multi Master replication works only on start-up

[ftheault]

Name and Version

bitnami/openldap:2.6.3

What architecture are you using?

amd64

What steps will reproduce the bug?

I have two openldap running under docker with bitnami image. I'm trying to set up a multi-master replication on database between the two.

For this I add (ldapadd) in order the ldifs below:

#100-syncprov-add.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

#101-serverId.ldif
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 21 ldaps://:636/
olcServerID: 11 ldaps://{URI}:636/

#102-syncprov-db-conf.ldif
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

#103-data-replication-conf.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=210 provider=ldaps://:636/ binddn="cn=svc-replication-int,ou=bindaccounts,o=oneaccess" bindmethod=simple credentials={cred} searchbase="o=oneaccess" type=refreshAndPersist retry="60 10 300 5" timeout=10
olcSyncRepl: rid=110 provider=ldaps://{URI} binddn="cn=svc-replication-int,ou=bindaccounts,o=oneaccess" bindmethod=simple credentials={cred} searchbase="o=oneaccess" type=refreshAndPersist  retry="60 10 300 5" timeout=10

I apply this on both my openldap. by changing "{URI}".
Note: in the “serverId” and “provider” I put “ldaps://:636/” to match the slapd listening urls of the running openLDAP.

Then I restart the containers to take the changes into account. And I have a rather strange behavior, because the replication seems to work at startup then stops working. For example, if I add an entry in openLDAP1, it is not replicated on openLDAP2. However, if I restart the openLDAP2 container, the entry is replicated.
I don't see any particular error in the logs, except: "connection_read(15) : input error=-2"

if it helps here is my docker-compose.yml :

services:
  hubdir:
    container_name: hubdir-openldap
    build: .
    restart: unless-stopped
    ports:
      - '636:636'
    environment:
      - LDAP_ROOT=o=example
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=changeit
      - LDAP_SKIP_DEFAULT_TREE=yes
      - LDAP_LOGLEVEL=256
      - LDAP_ENABLE_TLS=yes
      - LDAP_REQUIRE_TLS=yes
      - LDAP_LDAPS_PORT_NUMBER=636
      - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/servercerts/cert.pem
      - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/servercerts/cert.key
      - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/cacerts/ca.pem
    volumes:
      - /data/dir/openldap:/bitnami/openldap
      - /data/dir/cacerts:/opt/bitnami/openldap/cacerts
      - /data/dir/servercerts:/opt/bitnami/openldap/servercerts
      - ldap_status:/heartbeat/

Thank you in advance for your help!

What is the expected behavior?

No response

What do you see instead?

The replication seems to work at startup then stops working. For example, if I add an entry in openLDAP1, it is not replicated on openLDAP2. However, if I restart the openLDAP2 container, the entry is replicated.

Additional information

No response

[javsalgar]

Hi,

It seems that OpenLDAP is consuming the configuration files you shared, so it is not clear to me if this is an issue with the Bitnami packaging or the application itself. Did you check with the upstream openldap developers?

[ftheault]

Hi,

Thank you for your answer, indeed you are right and I contacted them.

Do you know if it is possible to modify the slapd listening urls ? Bitnami doesn't offer an environment variable to do this, and modifying the contents of /opt/bitnami/openldap/var/run/slapd.arg (pointed by olcArgsFile) via docker volume does not work.

[javsalgar]

Hi,

In cases where we don't provide an env var, you can use an init script to perform that modification.
https://github.com/bitnami/containers/tree/main/bitnami/openldap#initializing-a-new-instance