Terraform is excellent for provisioning the machine and network infrastructure, but it is
not a very good tool for managing LDAP replication. Adding a new DS to the replication
cluster involves not just changes to that new instance (creating the replication account,
replica, possibly changelog, etc.) but also to all of its replication partners. And of
course, Terraform does not really fix the configuration management issue, since not only
the Terraform configuration needs to be managed, but also its state. (Replform does not
need to store state, since it inspects the servers over LDAP to determine its plan.)
If you run it globally (‘--global’) you only need to maintain one configuration file at
If you run it on each host (our preferred way) there are a number of ways you might manage
the replform configuration across all the LDAP hosts (e.g., Puppet) but our normal practice
is simple: we keep the ‘replform’ configuration in source control and have a cron job on
each LDAP host that periodically checks for updates to the configuration and executes
‘replform’. This is all set up automatically when the host is provisioned by Terraform.
That works equally well for a new host that needs to configure replication from scratch
and for all the existing LDAP hosts which just need to create a replication agreement to
the new one.
From past experience, it is quite possible to bring Terraform, Vault, and ‘replform’
together to create an entire LDAP cluster, including issuing SSL certs and configuring MMR
replication, completely automated.
I’ll add an example cron script to GitHub on Monday for the replform part.
Thomas E Lackey
From: Michal Medvecky <michal(a)medvecky.net>
Sent: Friday, June 22, 2018 4:07 AM
To: General discussion list for the 389 Directory server project.
Subject: [389-users] Re: Master-slave replication procedure
19. 6. 2018 at 23:43, Thomas E Lackey <telackey(a)bozemanpass.com
By happy timing, we (Bozeman Pass) just added one of our in-house tools for configuring
replication to GitHub: <https://github.com/bozemanpass/replform>
I had a look at this but I don’t like the fact you need to statically define the
configuration. I have a variable number of masters and a variable number of slaves and if I
understand this correctly, adding a new backend server would need copy-pasting the replform
Have you considered creating LDAP providers for Terraform itself?
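An added example of the cron-driven practice Thomas describes above (keep the replform configuration in source control, have a job on each LDAP host refresh it and run replform only when it has changed). This is not code from the replform project or from either mail; the config path, the state-file path and the replform command line are assumptions.

```shell
#!/bin/sh
# Added example, not the replform project's own cron script. Run from cron on each
# LDAP host; applies the checked-out replform configuration only when its content
# differs from the last successfully applied version. Paths and the replform
# invocation are assumptions.
set -eu

CONFIG="${REPLFORM_CONFIG:-/etc/replform/replform.conf}"          # assumed config path
STAMP="${REPLFORM_STAMP:-/var/lib/replform/last-applied.sha256}"  # assumed state file
REPLFORM_CMD="${REPLFORM_CMD:-replform}"                          # assumed command line

sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# Runs replform and returns 0 when the config hash differs from the recorded one;
# returns 1 without doing anything when the config is unchanged.
apply_if_changed() {
  config="$1"; stamp="$2"
  current="$(sha256_of "$config")"
  if [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$current" ]; then
    return 1
  fi
  # Record the hash only after replform succeeds, so a failed run is retried
  # on the next cron tick instead of being silently marked as applied.
  $REPLFORM_CMD "$config"
  mkdir -p "$(dirname "$stamp")"
  printf '%s\n' "$current" > "$stamp"
  return 0
}

# Cron entry point: refresh the checkout (if the config lives in a git clone;
# skipped when something like Puppet delivers the file instead), then apply.
main() {
  dir="$(dirname "$CONFIG")"
  if [ -d "$dir/.git" ]; then
    git -C "$dir" pull -q --ff-only
  fi
  apply_if_changed "$CONFIG" "$STAMP" || echo "replform config unchanged; nothing to do"
}

# Only run main when invoked as the cron script itself (assumed file name).
case "${0##*/}" in replform-cron.sh) main ;; esac
```

A cron line such as `*/10 * * * * /usr/local/sbin/replform-cron.sh` (assumed location) is enough for both a freshly provisioned host and the existing partners that merely need the new agreement.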