
Re: multimaster configuration of openldap-2.0.25



Ryan Moats wrote:
On Fri, Aug 30, 2002 at 09:32:30PM +0000, Pierangelo Masarati wrote:
| Alan Sparks writes:
|
| > Keep in mind I've done this in 2.1.x, not 2.0.x, but the advice may be
| > useful:
| >
| > 1) I'm not sure that --enable-multimaster is a really valid configure
| > option. Suggest that, after running the configure command, you manually
| > edit the include/portable.h file and make sure SLAPD_MULTIMASTER is
| > defined. Then 'make depend && make'.
| >
|
| I think at some time there was an --enable-multimaster switch,
| but it was removed because it is experimental and caused some
| complaints. You can also do (with bash; appropriate solutions
| must be applied to different shells):
|
| prompt$ CPPFLAGS=-DSLAPD_MULTIMASTER ./configure
|
| > 2) You should use an updatedn in both server configs. I use the same DN
| > on both servers, a different one than the rootdn. In other words, I have
| > the same updatedn config directive on both servers.
| >
| > If you're using access control lists, I've noted that the ACLs need to
| > allow the updatedn write access explicitly. (no different than
| > single-master replication). It's been suggested that updatedn is treated
| > specially, but that hasn't worked for me-- and I don't see the special
| > allowance for it in the code like I do for rootdn.
|
| It is treated differently (can modify some NO-USER-MODIFICATION
| attributes, and its changes are not propagated to slaves); however
| it is not treated any specially with regard to ACLs (though it could,
| to ease 99% of the administration needs).
|
| Everything else looks correct.


Not unless there have been some changes to the multimaster code.
When I looked at the latest versions recently, enabling multimaster lets *anyone* modify no-user-modification attributes. This is *very* broken.


I posted something on openldap-devel about this back in July.

Did you file an ITS? If you didn't, then your message probably went unnoticed. Please do.

Pierangelo.



--
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
mailto:pierangelo.masarati@polimi.it  | fax:   +39 02 2399 8334
http://www.aero.polimi.it/~masarati
Dip. Ing. Aerospaziale Politecnico di Milano,
via La Masa 34, 20156 Milano, Italy
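
A slapd.conf fragment for the updatedn and ACL advice quoted in the thread above, added here as an illustration and not taken from any poster's configuration. The suffix, DNs, host name, file path and backend type are assumptions, and the credentials are placeholders.

```conf
# slapd.conf fragment, used on both masters (constructed example).
# Assumed names: dc=example,dc=com, cn=replicator, ldap-b.example.com.
database        ldbm            # backend type is an assumption
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          REPLACE_ME      # placeholder

# Same updatedn on both servers, and a different DN than rootdn.
updatedn        "cn=replicator,dc=example,dc=com"

# slurpd pushes local changes to the peer, binding as the peer's updatedn.
# On the other server, host= points back at this one.
replogfile      /var/lib/ldap/replog
replica         host=ldap-b.example.com:389
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple credentials=REPLACE_ME

# updatedn gets no implicit ACL bypass (unlike rootdn), so write access
# is granted explicitly. Within one "access to" rule the first matching
# "by" clause applies, so the updatedn clause is listed first.
access to *
        by dn="cn=replicator,dc=example,dc=com" write
        by * read
```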