An OpenLDAP active-active deployment keeps directory lookups and authentication available during node failures while spreading client traffic across multiple servers.

In a Pacemaker cluster managed with pcs, the slapd daemon can be registered as a systemd resource and cloned so each cluster node runs its own instance. Health checks keep the service supervised, and failed instances can be restarted on the same node without affecting the remaining active nodes.

Active-active clustering does not replicate directory data, so multi-provider replication (syncrepl) must already be configured and healthy across all nodes for both configuration and database content. Client-side traffic distribution is external to Pacemaker (DNS or a load balancer), and some applications may require connection persistence to reduce read-after-write surprises during replication lag.

Steps to set up OpenLDAP active-active with PCS:

  1. Confirm the cluster is online with quorum.
    $ sudo pcs status
    Cluster name: clustername
    Cluster Summary:
      * Stack: corosync (Pacemaker is running)
      * Current DC: node-01 (version 2.1.6-6fdc9deea29) - partition with quorum
      * Last updated: Thu Jan  1 04:44:33 2026 on node-01
      * Last change:  Thu Jan  1 04:44:31 2026 by root via cibadmin on node-01
      * 3 nodes configured
      * 0 resource instances configured
    
    Node List:
      * Online: [ node-01 node-02 node-03 ]
    
    Full List of Resources:
      * No resources
    
    Daemon Status:
      corosync: active/enabled
      pacemaker: active/enabled
      pcsd: active/enabled
  2. Identify the OpenLDAP systemd unit name used for slapd.
    $ systemctl list-unit-files --type=service | grep -E '^slapd\.service'
    slapd.service                                generated       -
  3. Disable the slapd unit to keep Pacemaker as the only service manager.
    $ sudo systemctl disable --now slapd
    slapd.service is not a native service, redirecting to systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install disable slapd
    slapd.service is not a native service, redirecting to systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install disable slapd
    slapd.service is not a native service, redirecting to systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install disable slapd

    Leaving slapd enabled can start the daemon outside cluster control, triggering resource flapping and unexpected restarts during boot or rejoin.

  4. Create the OpenLDAP systemd resource with a monitor operation.
    $ sudo pcs resource create ldap_service systemd:slapd op monitor interval=30s

    No output is typical when the resource definition is accepted.

  5. Clone the ldap_service resource to run one instance per node.
    $ sudo pcs resource clone ldap_service

    Clone instances default to one per node; tune clone-max and clone-node-max only when a subset of nodes should run slapd.

  6. Verify the cloned resource is started on the expected nodes.
    $ sudo pcs status resources
      * Clone Set: ldap_service-clone [ldap_service]:
        * Started: [ node-01 node-02 node-03 ]
  7. Confirm each node responds to LDAP queries.
    $ ldapsearch -x -H ldap://node-01.example.net -s base -b "" supportedLDAPVersion
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: supportedLDAPVersion 
    #
    
    #
    dn:
    supportedLDAPVersion: 3
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
    $ ldapsearch -x -H ldap://node-02.example.net -s base -b "" supportedLDAPVersion
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: supportedLDAPVersion 
    #
    
    #
    dn:
    supportedLDAPVersion: 3
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1

    The root DSE query (-b "" -s base) validates connectivity without requiring a directory base DN.

  8. Update client routing to distribute LDAP traffic across the active nodes.

    Traffic distribution is external to Pacemaker; ensure the client-facing hostname matches the TLS certificate when using LDAPS or StartTLS, and enable connection persistence when applications require read-after-write consistency.

  9. Run a failover test with traffic distribution enabled.
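    A post-deployment check script for steps 3, 6 and 7, added here as an example and not part of the original page: it parses the `pcs status resources` clone line, confirms the slapd unit stays disabled, and validates each node's root DSE answer. The resource, clone and node names are the page's own; the domain suffix in the live driver and the constructed sample outputs are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): post-deployment checks for the
# slapd clone built in steps 3-7. Resource, clone and node names follow the page;
# the live driver at the bottom assumes pcs, systemctl and ldapsearch are installed.

# 0 when every expected node is on the clone's "Started:" line of
# `pcs status resources` output read from stdin.  Usage: ... | clone_started_on_all CLONE NODE...
clone_started_on_all() {
    local clone="$1"; shift
    local started node
    started=$(awk -v c="$clone" '
        index($0, "Clone Set: " c) { inset = 1; next }
        inset && /Started:/ { sub(/.*Started: \[ */, ""); sub(/ *].*/, ""); print; exit }')
    for node in "$@"; do
        case " $started " in
            *" $node "*) ;;
            *) echo "clone $clone is not started on $node" >&2; return 1 ;;
        esac
    done
}

# 0 when a root DSE ldapsearch transcript (step 7) shows a successful search and LDAPv3.
rootdse_ok() {
    printf '%s\n' "$1" | grep -q '^result: 0 Success' &&
        printf '%s\n' "$1" | grep -q '^supportedLDAPVersion: 3'
}

# 0 unless `systemctl is-enabled slapd` reports the unit as enabled (step 3 caveat:
# a unit systemd starts on its own competes with Pacemaker for the daemon).
slapd_unit_not_enabled() {
    case "$1" in
        enabled|enabled-runtime) echo "slapd unit is still enabled: $1" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# Live driver, run on a cluster node: check_cluster example.net node-01 node-02 node-03
# (domain suffix is an assumption so the short names in pcs output map to LDAP URIs).
check_cluster() {
    local domain="$1" n; shift
    sudo pcs status resources | clone_started_on_all ldap_service-clone "$@" || return 1
    slapd_unit_not_enabled "$(systemctl is-enabled slapd 2>/dev/null)" || return 1
    for n in "$@"; do
        rootdse_ok "$(ldapsearch -x -H "ldap://$n.$domain" -s base -b '' supportedLDAPVersion 2>/dev/null)" ||
            { echo "root DSE query failed on $n" >&2; return 1; }
    done
}
```

    Running check_cluster after a failover test (step 9) shows at a glance which node dropped out of the clone or stopped answering on 389 while the remaining instances stayed up.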