Setting up an LDAP server with OpenLDAP provides a replication configuration recipe. We advise using Apache Directory Studio in favour of ldapmodify and friends.


  1. Depending on your database backend choice during server installation you may have to alter the installation procedure by replacing hdb with mdb accordingly both on the provider and the consumer side.

  2. You may want to add the value sync to the olcLogLevel attribute. This will create related messages in /var/log/syslog.

  3. Activating the syncprov overlay requires an additional olcModuleLoad ❶ value:

    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModuleLoad: {0}back_mdb
    olcModuleLoad: {1}syncprov ❶
    olcModulePath: /usr/lib/ldap
  4. Adding the olcSyncProvConfig objectclass property requires hitting the reload icon in Apache Directory Studio.

Check for provider changes being propagated to the consumer by e.g. creating an organisationalUnit entry.


The current configuration contains a serious security flaw: The credentials are being sent in clear text and are thus subject to network sniffing (e.g. by using .Wireshark) attacks. In a professional setup you will have to configure TLS for encrypting your communication channel.