[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5746) Guide updates

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5746) Guide updates
From: ghenry@OpenLDAP.org
Date: Fri, 17 Oct 2008 19:06:31 GMT

----- quanah@zimbra.com wrote:

> Full_Name: Quanah Gibson-Mount
> Version: 2.4.12
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.29.239)
> 
> 
> In looking at the admin guide sections on replication, I notice the
> following:
> 
> (a) The syncrepl configuration suggests using the rootdn on the
> consumer, which
> we advise people *not* to do.
> 
> http://www.openldap.org/doc/admin24/replication.html#Syncrepl
> 
> "The consumer uses the rootdn to write to its database so it always
> has full
> permissions to write all content."
> 
> (b) It makes no mention of using the "limits" option in slapd.conf to
> bypass
> sizelimit/timelimit restrictions on a non-rootdn user

Eh? It says no such thing Quanah?

"In this example, the consumer will connect to the provider slapd(8) at port 389 of ldap://provider.example.com to perform a polling (refreshOnly) mode of synchronization once a day. It will bind as cn=syncuser,dc=example,dc=com using simple authentication with password "secret". Note that the access control privilege of cn=syncuser,dc=example,dc=com should be set appropriately in the provider to retrieve the desired replication content. Also the search limits must be high enough on the provider to allow the syncuser to retrieve a complete copy of the requested content. The consumer uses the rootdn to write to its database so it always has full permissions to write all content."

It binds to the remote db as "cn=syncuser,dc=example,dc=com", but writes to its own db as the rootdn, as per Syncrepl. 

-- 
Kind Regards,

Gavin Henry.
OpenLDAP Engineering Team.

E ghenry@OpenLDAP.org

Community developed LDAP software.

http://www.openldap.org/project/

Prev by Date: Re: (ITS#5746) Guide updates
Next by Date: Re: (ITS#5746) Guide updates
Index(es):
- Chronological
- Thread