
Re: Ldap Data Replication problem



At 07:57 AM 6/7/00 -0400, Jim Roberts wrote:
>
>One mistake I made on this:  If you use the rootdn to  
>send an update to the slave, it WILL allow updates.  
>This is because slurpd has to have access to do updates.
>If you try to update with any other (non-root) dn, the 
>slave should return a referral to the master (not 
>accept the update, but tell the client to go to the 
>master).  At least, this is my understanding of it.

The slave should redirect any update request not coming
from the update DN to the master, including the root
DN if different from the update DN.

Yes, the update DN needs privs to write updates.  This
is best done via ACLs and NOT by rootdn access.  In fact,
root DN access should be disabled once you have loaded
initial entries (by restarting slapd with rootdn/pw commented
out).

>For one, I don't have any rules on the slave which allow 
>"write" permission, and I set up a "referral" line.  I'm 
>not sure that this is the proper way to do it, but it 
>seems to work.

It works, but I generally recommend avoiding long-term use
of the root dn.
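
The advice in this reply, as a small audit for a slave's slapd.conf. This is an added example, not part of the original message or of OpenLDAP; the two config fragments are constructed, and the DNs, the host name and the `audit_slave` helper are assumptions.

```python
import re

# Constructed slave slapd.conf fragments; DNs and host name are assumptions.
WEAK = """\
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   secret
updatedn "cn=Manager,dc=example,dc=com"
referral ldap://master.example.com
"""
HARDENED = """\
suffix   "dc=example,dc=com"
#rootdn  "cn=Manager,dc=example,dc=com"
#rootpw  secret
updatedn "cn=replicator,dc=example,dc=com"
referral ldap://master.example.com
access to *
        by dn="cn=replicator,dc=example,dc=com" write
        by * read
"""

def directives(conf):
    """Return (keyword, arguments) pairs; comments are skipped."""
    conf = re.sub(r"\n[ \t]+", " ", conf)  # indented lines continue the previous one
    out = []
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out

def audit_slave(conf):
    """List the ways a slave config departs from the advice above."""
    d = directives(conf)
    first = lambda k: next((v.strip('"').lower() for key, v in d if key == k), None)
    rootdn, updatedn = first("rootdn"), first("updatedn")
    findings = []
    if rootdn or first("rootpw"):
        findings.append("rootdn/rootpw still enabled")
    if not updatedn:
        findings.append("no updatedn set")
    elif updatedn == rootdn:
        findings.append("updatedn is the root DN")
    elif not any(k == "access" and re.search(  # needs: by dn="<updatedn>" write
            r'by\s+dn="?%s"?\s+write' % re.escape(updatedn), v, re.I) for k, v in d):
        findings.append("updatedn has no write ACL")
    if not first("referral"):
        findings.append("no referral to the master")
    return findings
```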