
OpenLDAP instance as syncREPL replica and Slurpd master



Hi all,

I want to implement a specific openldap configuration with 3 instances:
1st is a master
2nd is a syncrepl replica "and" slurpd master
3rd is a slurpd replica
The reason why I want to implement this configuration is that I have
firewall restrictions:
Only the 2nd instance can establish TCP connections to the 1st and 3rd
instances. TCP connections in the other direction are forbidden >:o .

The 1st instance sends updates correctly to the 2nd instance. But the
2nd instance doesn't generate a replication log. So, I send nothing to the
3rd instance.

Here is an extract of my 2nd instance configuration:
database        bdb
suffix          "o=test"
rootdn          "cn=root DN, o=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/products/freeware/openldap/var/openldap-slapd-pivot
#
# Changelog is checked every 64 KB written or every 15 min
#
checkpoint      64      15

# password hash algorithm
password-hash   {SSHA}

#
# Set the entry cache size to 50000.
#
cachesize       50000
# Indexes to maintain
index   objectClass,entryCSN,entryUUID  eq
index   uid     pres,eq,sub
index   mail    pres,eq,sub
index   cn      pres,eq,sub
index   sn      pres,eq,sub

#
# Slurpd master replication parameters
#
replica uri=ldaps://localhost:1636/
        binddn="cn=Replicator, o=test"
        bindmethod=simple credentials=secret

replogfile      /usr/products/freeware/openldap/var/replication/replication_pivot.log

#
# SyncREPL slave replication parameters
#
syncrepl rid=3
        provider=ldaps://10.1.1.69:636
        #type=refreshOnly
        type=refreshAndPersist
        #interval=01:00:00:00
        searchbase="o=test"
        filter="(objectClass=*)"
        scope=sub
        #attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret

So, my questions:
Can this architecture work?
If yes, do you have an idea to solve the issue?
If no, is there a solution according to the restriction?

Rgds, Bruno.
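As an added example (not part of Bruno's post or of OpenLDAP itself), here is a small Python checker for slapd.conf directives of the kind shown above: it joins continuation lines (a line starting with whitespace continues the previous directive), extracts the replica, replogfile and syncrepl directives, and flags three things a reviewer would look at in this chained topology: a replica directive without a replogfile, a syncrepl provider that is also a slurpd replica target, and a syncrepl binddn equal to the rootdn (a dedicated read-only replication identity is the least-privilege choice). The SAMPLE_CONF is constructed from the post, with a shortened replogfile path.

```python
import re

# Constructed sample: the replication-relevant directives from the post.
SAMPLE_CONF = """\
rootdn          "cn=root DN, o=test"
replica uri=ldaps://localhost:1636/
        binddn="cn=Replicator, o=test"
        bindmethod=simple credentials=secret
replogfile      /var/replication/replication_pivot.log
syncrepl rid=3
        provider=ldaps://10.1.1.69:636
        #type=refreshOnly
        type=refreshAndPersist
        bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret
"""

def parse_directives(text):
    """Return [(directive, argument string)], joining slapd.conf continuation
    lines (leading whitespace) and dropping blank and '#' comment lines."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:          # continuation line
            name, args = directives[-1]
            directives[-1] = (name, args + " " + raw.strip())
        else:
            name, _, args = raw.strip().partition(" ")
            directives.append((name.lower(), args.strip()))
    return directives

def keyvals(args):
    """Split 'key=value key="quoted value"' arguments into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', args)}

def check_topology(text):
    """Return a list of findings for the slurpd-master / syncrepl-consumer setup."""
    findings = []
    directives = parse_directives(text)
    rootdn = next((a.strip('"') for n, a in directives if n == "rootdn"), None)
    replicas = [keyvals(a) for n, a in directives if n == "replica"]
    consumers = [keyvals(a) for n, a in directives if n == "syncrepl"]
    if replicas and not any(n == "replogfile" for n, _ in directives):
        findings.append("replica directive present but no replogfile configured")
    targets = {r.get("uri") for r in replicas}
    for c in consumers:
        if c.get("provider") in targets:
            findings.append(f"rid={c.get('rid')}: provider is also a slurpd target (replication loop)")
        if rootdn and c.get("binddn") == rootdn:
            findings.append(f"rid={c.get('rid')}: syncrepl binds as the rootdn; use a dedicated replication identity")
    return findings
```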