slave ldap server and replication question



Warning: LDAP newbie alert. Two questions.

Setup: openldap 1.2.9 on Digital Unix 4.0f & RH Linux 6.0, master slapd
and two slave slapds (all three on decunix), to be used, amongst other
things, for user authentication & automount maps, to replace NIS. Users on
decunix use the Compaq LDAP authentication stuff, pam_ldap/nss_ldap on
Linux.

First question: Master and slave are set up and working fine. Changes sent
directly to the master are replicated to the slaves with no problems. I
wish to point my client systems at "HOST slave1 slave2 master", so that if
slave1 is down, slave2 is used, etc. This works well.

The problem is when a user wishes to change their password, or a client
administrator wants to change anything at all. The slave server that they
contact by virtue of the /etc/ldap.conf entry knows that it is a slave and
sends a referral to the master. The openldap clients then attempt the
modification on the master, but by binding anonymously. This is not going
to work unless I apply an ACL that allows write access to anything by
anyone; the ldap clients appear not to call ldap_set_rebind_proc()
anywhere. This is clearly a no-no. Obviously I can point my administrators
at the master, but a client embedded inside a passwd command appears to
have no such option. I can't point my clients all at the master though as
they may be several hundred miles apart over a low-bandwidth link. Thus,
the use of a slave to which clients are pointed initially cannot be done
at all in this scenario, if I use openldap. Am I right? Hopefully not.

Second question: I can get replication to work using bindmethod=simple
only if I also use credentials=clear-text-password in the master's
slapd.conf file. Using credentials={crypt}encrypted-password does not work
at all, even though the database contains an encrypted {crypt}xxxxx
userpassword for the cn=replicator entry. Bug or feature?

TIA,
-steve
------------------------------------------------------------------------------
Steve Thompson                 Internet:   smt@corning.com
@ Corning, Inc.                Phone:      (607) 974 2659
Data Center, Sullivan Park     FAX:        (607) 974 3964
Painted Post, NY 14870
    "186,300 miles per second: it's not just a good idea, it's the law"
------------------------------------------------------------------------------
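To make the first question's failure sequence concrete, here is an added illustration (not part of the original mail and not OpenLDAP's libldap): a small Python model of a slave that refers writes to its master, a master ACL that lets a user write only their own entry, and a client that chases the referral either by binding anonymously (the behaviour described above) or through a rebind callback that re-presents the original credentials. All server URLs, DNs and passwords are constructed.

```python
# Model of the slave-referral / anonymous-rebind behaviour described in the post.
# Constructed simulation, not OpenLDAP's libldap; every name and value is invented.
from dataclasses import dataclass, field

SUCCESS, REFERRAL, INSUFFICIENT = "success", "referral", "insufficientAccessRights"


@dataclass
class Server:
    url: str
    master_url: str = None                          # set on slaves; None on the master
    passwords: dict = field(default_factory=dict)   # dn -> clear password (constructed)

    def modify(self, dn, password, target_dn):
        """Simple bind as `dn` (None = anonymous), then try to modify `target_dn`."""
        if dn is not None and self.passwords.get(dn) != password:
            return "invalidCredentials", None
        if self.master_url:                         # a slave never accepts writes
            return REFERRAL, self.master_url
        # Master ACL: a user may write its own entry; anonymous gets no write access.
        if dn is None or dn != target_dn:
            return INSUFFICIENT, None
        return SUCCESS, None


class Client:
    """Chases one referral; rebind_proc(url) -> (dn, password) or None (anonymous)."""
    def __init__(self, servers, rebind_proc=None):
        self.servers = servers          # url -> Server the client can reach
        self.rebind_proc = rebind_proc

    def modify(self, url, dn, password, target_dn):
        code, ref = self.servers[url].modify(dn, password, target_dn)
        if code != REFERRAL:
            return code
        # Following the referral opens a new connection. Without a rebind callback
        # the library binds anonymously there, so the master's ACL rejects the write.
        rdn, rpw = self.rebind_proc(ref) if self.rebind_proc else (None, None)
        code, _ = self.servers[ref].modify(rdn, rpw, target_dn)
        return code


def demo():
    master = Server("ldap://master", passwords={"uid=smt,o=example": "s3cret"})
    slave1 = Server("ldap://slave1", master_url=master.url, passwords=master.passwords)
    servers = {master.url: master, slave1.url: slave1}
    me, pw = "uid=smt,o=example", "s3cret"
    naive = Client(servers).modify(slave1.url, me, pw, me)                   # no rebind proc
    fixed = Client(servers, lambda url: (me, pw)).modify(slave1.url, me, pw, me)
    return naive, fixed


if __name__ == "__main__":
    print(demo())  # ('insufficientAccessRights', 'success')
```

The model only reproduces the outcome of each path; a real client would register the callback with ldap_set_rebind_proc() so that the library can re-authenticate on the referred connection.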