On Thu, Jul 17, 2025 at 08:40:23AM -0000, vithal.akun...@tdsynnex.com wrote:
> Hi,
> 
> openldap-stack-ha was deployed as a stateful set of 4 on a multi-region
> Kubernetes (MicroK8s) cluster with 2 nodes in each region, in a
> multi-master configuration. Application connections to LDAP are
> managed through a Kubernetes service. Multiple issues have been noticed
> with this setup, and I would like to seek some guidance and feedback.
> 
> 1. Frequent replication issues: for monitoring, a script is executed
> every hour to check the replication status using the
> check_syncrepl_extended command between all the providers and
> consumers. Is there any better way to monitor the replication lag? To
> recover from this issue, the pods are being recycled on the provider
> host that is out of sync.

Hi Vithal,
there's syncmonitor[0] for more intelligent replication-level
monitoring, or you can read cn=monitor for basic self-reported
statistics (last contact, syncrepl session state, etc.).

If you're experiencing replication issues, definitely investigate the
cause. Sometimes it's operational procedures (e.g. don't use slapadd -w
or equivalent to populate a replica), sometimes it's configuration (e.g.
ACLs), sometimes it's enabling behaviours that aren't safe in a
multi-provider environment (refint-like features etc.).

Also make sure time synchronisation between nodes is "tight enough". If
there's even a slight chance that a replication message comes with a
timestamp from "the future" and another write comes that the node is
happy to assign an "older" timestamp to, you will get into trouble.

> Is there any guidance on deploying LDAP in multiple regions? Is
> multi-master recommended in a production environment for resiliency and
> performance?

Depends what you mean by performance. Having multiple providers will not
gain you throughput (everything needs to be written everywhere
eventually) but might shorten your latency if the environments are far
away and you need to attain millisecond-level response times.

On the other hand you need to make sure you don't modify the same
entries on multiple servers "at the same time", since only one of the
two versions of that entry can win. Things are slightly more nuanced
with deltasync but the general sentiment still holds.

> 2. Bulk upload: Is there any guidance on doing a bulk upload into LDAP
> in this current setup?

Everything still needs to be replicated afterwards, correct? Then not
really. But if you mean to get set up quicker from zero, a slapcat or
even an mdb_copy is a good point to bootstrap a node with.

[0]. https://git.openldap.org/openldap/syncmonitor

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

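As an added illustration of the replication-lag check discussed above (this is not code from the thread, from syncmonitor or from check_syncrepl_extended), the script below performs the contextCSN comparison such checks are built on, and also flags the clock-skew symptom Ondřej mentions: a CSN stamped ahead of the monitoring host's clock. It assumes the contextCSN values have already been collected from each provider's suffix entry (for example with `ldapsearch -s base contextCSN` against each pod) and pasted in; the pod names, CSN values and the 30-second threshold are all constructed sample data.

```python
"""Compare contextCSN values across OpenLDAP providers to spot replication lag.

Added example, not part of the original thread. It works on contextCSN values
that were fetched separately from each provider (constructed sample data
below) and relies only on OpenLDAP's documented CSN layout:
    <UTC timestamp>.<microseconds>Z#<count>#<serverID>#<modifier>
where count, serverID and modifier are hexadecimal.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


@dataclass(frozen=True, order=True)
class CSN:
    # Field order matters: dataclass ordering compares time, then count, ...
    time: datetime
    count: int
    sid: int
    mod: int


def parse_csn(text: str) -> CSN:
    """Parse one CSN string; raise ValueError on anything malformed."""
    m = CSN_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed CSN: {text!r}")
    when = datetime.strptime(m["ts"], "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(m["us"])
    )
    return CSN(when, int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16))


def by_sid(values: list[str]) -> dict[int, CSN]:
    """contextCSN is multi-valued: at most one value per serverID that has ever written."""
    out: dict[int, CSN] = {}
    for v in values:
        c = parse_csn(v)
        if c.sid in out:
            raise ValueError(f"duplicate serverID {c.sid:03x} in contextCSN set")
        out[c.sid] = c
    return out


def replication_lag(providers: dict[str, list[str]]) -> dict[str, dict[int, float]]:
    """Seconds each provider is behind the newest CSN seen anywhere for each serverID.

    inf means the provider has no contextCSN for that serverID at all, i.e. it
    has never received a change that originated there.
    """
    parsed = {name: by_sid(vals) for name, vals in providers.items()}
    newest: dict[int, CSN] = {}
    for csns in parsed.values():
        for sid, c in csns.items():
            if sid not in newest or c > newest[sid]:
                newest[sid] = c
    lag: dict[str, dict[int, float]] = {}
    for name, csns in parsed.items():
        lag[name] = {}
        for sid, head in newest.items():
            local = csns.get(sid)
            lag[name][sid] = (
                float("inf") if local is None
                else (head.time - local.time).total_seconds()
            )
    return lag


def out_of_sync(lag: dict[str, dict[int, float]], threshold_s: float = 30.0) -> dict[str, list[int]]:
    """Providers whose lag for any serverID exceeds threshold_s (constructed threshold)."""
    return {
        name: sorted(sid for sid, secs in sids.items() if secs > threshold_s)
        for name, sids in lag.items()
        if any(secs > threshold_s for secs in sids.values())
    }


def future_csns(providers: dict[str, list[str]], now: datetime,
                tolerance: timedelta = timedelta(seconds=1)) -> list[tuple[str, str]]:
    """CSNs stamped later than the monitoring host's clock: the clock-skew symptom."""
    return [
        (name, v)
        for name, vals in providers.items()
        for v in vals
        if parse_csn(v).time - now > tolerance
    ]


# Constructed sample data (pod names and CSNs invented for this example).
SAMPLE = {
    "ldap-0": ["20250717084023.123456Z#000000#001#000000",
               "20250717084020.000000Z#000000#002#000000"],
    "ldap-1": ["20250717084023.123456Z#000000#001#000000",
               "20250717084035.500000Z#000001#002#000000"],  # ahead of the clock below
    "ldap-2": ["20250717083900.000000Z#000000#001#000000"],  # behind, and no SID 2 at all
}
SAMPLE_NOW = datetime(2025, 7, 17, 8, 40, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    lag = replication_lag(SAMPLE)
    for name, sids in lag.items():
        print(name, {f"{sid:03x}": secs for sid, secs in sids.items()})
    print("out of sync:", out_of_sync(lag))
    print("future CSNs:", future_csns(SAMPLE, SAMPLE_NOW))
```

Run against real providers, the per-SID view tells you more than a single "behind/ahead" verdict: a provider that lags on one serverID only points at the link from that one writer, while a missing serverID points at a node that never received that writer's history, which is the case where recycling the pod and letting it refresh is usually the right call.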