
Re: write only referrals - possible?



Tomasz Chmielewski wrote:
In my case, I use OpenLDAP for Samba authentication and would like to use one central OpenLDAP server for storing usernames and their passwords for all office branches - from the central server they would be replicated to all slaves in branch offices.

Sounds very easy, but I would like to allow users to change their passwords without them having to drive to where the central server is :)

Do you have connectivity between the offices?

Is it acceptable to have:
-account creation
-password changes
be unavailable in the case of connectivity problems?

If so, you can do this all with almost any version of OpenLDAP and any version of Samba after about 2.2.6 (although 3.0.x is suggested of course).


The whole process should look like below - taken from chapter 13.1 of Admin's Guide:


1. The LDAP client submits an LDAP modify operation to the slave slapd.

2. The slave slapd returns a referral to the LDAP client referring the client to the master slapd.

3. The LDAP client submits the LDAP modify operation to the master slapd.


Yes, samba chases referrals.

4. The master slapd performs the modify operation, writes out the change to its replication log file and returns a success code to the client.


Yes, slapd writes the replication log, and slurpd replicates it to slaves.


Does it mean that it is possible to construct a "write only" referral?


That's what the updateref parameter is for ...


For example, I would like to have a write-only referral (reading should be done from a slave) for:


uid=<EVERYUSER>,ou=Users,dc=example,dc=com

and from there, only attributes "sambaLMPassword" and "sambaNTPassword".

Is it possible? If so, how?

Samba chases referrals automatically, so I don't see the problem. Samba also has a configurable "ldap replication sleep", so you can make Samba wait for replication of account additions it may require before doing any other changes.


Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
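
The setup discussed in this message, as an added configuration example that is not part of the original post (slurpd-era slapd.conf syntax plus the matching smb.conf settings). The host names, the cn=replicator and cn=samba bind DNs, the replog path, the placeholder credential and the ACLs are assumptions chosen for illustration.

```conf
# ---- master slapd.conf (central office), database section ----
suffix      "dc=example,dc=com"
# slurpd reads this log and pushes each change to the replica (path assumed)
replogfile  /var/lib/ldap/replog
replica     host=branch1.example.com:389
            binddn="cn=replicator,dc=example,dc=com"
            bindmethod=simple credentials=CHANGE_ME

# The Samba hashes are password-equivalent, so only the DN Samba binds
# with (assumed: cn=samba) may touch them; everyone else gets nothing.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=samba,dc=example,dc=com" write
    by * none
access to *
    by dn="cn=samba,dc=example,dc=com" write
    by * read

# ---- slave slapd.conf (branch office), database section ----
suffix      "dc=example,dc=com"
# Only this DN may write to the replica (it is what slurpd binds as) ...
updatedn    "cn=replicator,dc=example,dc=com"
# ... every other write is answered with a referral to the master.
# Reads are still served locally, which gives the "write only" referral.
updateref   ldap://master.example.com

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=replicator,dc=example,dc=com" write
    by dn="cn=samba,dc=example,dc=com" read
    by * none
access to *
    by dn="cn=replicator,dc=example,dc=com" write
    by * read

# ---- smb.conf on the branch Samba server ----
[global]
    # Read from the local slave; password changes are referred to the master
    passdb backend = ldapsam:ldap://branch1.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=Users
    ldap admin dn = cn=samba,dc=example,dc=com
    # Milliseconds to wait after a referred write so the change can
    # replicate back to the slave before Samba reads it again
    ldap replication sleep = 1000
```

When Samba follows the referral it rebinds to the master with the same admin DN, so that entry and its password must be valid on both servers. The chased write also carries the new hashes over the inter-office link, so that connection should be protected with TLS.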