Terraform is excellent for provisioning the machine and network infrastructure, but it is not a very good tool for managing LDAP replication.  Adding a new DS to the replication cluster involves not just changes to that new instance (creating the replication account, replica, possibly changelog, etc.) but also to all of its replication partners.  And of course, Terraform does not really fix the configuration management issue, since not only the Terraform configuration needs to be managed, but also its state.  (Replform does not need to store state, since it inspects the servers over LDAP to determine its plan.)


If you run it globally (‘--global’) you only need to maintain one configuration file.


If you run it on each host (our preferred way) there are a number of ways you might manage the replform configuration across all the LDAP hosts (e.g., Puppet), but our normal practice is simple: we keep the ‘replform’ configuration in source control and have a cron job on each LDAP host that periodically checks for updates to the configuration and executes ‘replform’.  This is all set up automatically when the host is provisioned by Terraform.  That works equally well for a new host that needs to configure replication from scratch and for all the existing LDAP hosts which just need to create a replication agreement to the new one.

From past experience, it is quite possible to bring Terraform, Vault, and ‘replform’ together to create an entire LDAP cluster, including issuing SSL certs and configuring MMR replication, completely automated.


I’ll add an example cron script to GitHub on Monday for the replform part.


Cheers,


--

Thomas E Lackey
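The per-host cron approach described above, as an added illustration that is not code from the replform project or from this thread: a wrapper that pulls the replform configuration from source control and runs replform only when the checked-out revision has changed. The repository path, the state directory, the pinned branch and the replform command line (`replform <config file>`) are all assumptions.

```shell
#!/bin/sh
# Added example, not replform's own code: cron wrapper that applies the
# replform configuration from source control when its revision changes.
# The replform invocation and all paths below are assumed placeholders.
set -u

CONFIG_REPO=${CONFIG_REPO:-/etc/replform-config}   # clone of the config repo
STATE_DIR=${STATE_DIR:-/var/lib/replform}           # stores the last applied revision
LOCK_FILE=${LOCK_FILE:-/var/lock/replform-cron.lock}

# Decide whether a run is needed: $1 = current revision, $2 = stamp file.
# Returns 0 (true) when no stamp exists yet or the recorded revision differs.
needs_apply() {
    [ ! -f "$2" ] || [ "$(cat "$2")" != "$1" ]
}

# Record the revision that was just applied so the next cron run is a no-op.
mark_applied() {
    mkdir -p "$(dirname "$2")" && printf '%s\n' "$1" > "$2"
}

# Fetch the pinned branch fast-forward only: a rewritten remote history
# cannot silently replace the configuration this host is about to apply.
update_config() {
    git -C "$CONFIG_REPO" pull -q --ff-only origin master
}

main() {
    # Serialise runs; overlapping runs could race on the replication agreements.
    exec 9>"$LOCK_FILE"
    flock -n 9 || exit 0
    update_config || { echo "replform-cron: git pull failed" >&2; exit 1; }
    rev=$(git -C "$CONFIG_REPO" rev-parse HEAD)
    if needs_apply "$rev" "$STATE_DIR/last-applied"; then
        # Assumed command line; replform reads the config and plans over LDAP.
        replform "$CONFIG_REPO/replform.conf" \
            && mark_applied "$rev" "$STATE_DIR/last-applied"
    fi
}

# Only act when invoked as "replform-cron.sh run" (e.g. from crontab).
if [ "${1:-}" = run ]; then
    main
fi
```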


From: Michal Medvecky <michal@medvecky.net>
Sent: Friday, June 22, 2018 4:07 AM
To: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
Subject: [389-users] Re: Master-slave replication procedure


Hello,

On 19. 6. 2018 at 23:43, Thomas E Lackey <telackey@bozemanpass.com> wrote:


By happy timing, we (Bozeman Pass) just added one of our in-house tools for configuring replication to GitHub: https://github.com/bozemanpass/replform.


I had a look at this but I don’t like the fact that you need to statically define the configuration. I have a variable number of masters and a variable number of slaves, and if I understand this correctly, adding a new backend server would need copy-pasting the replform config.


Have you considered creating LDAP providers for Terraform itself?


Michal