
Re: Setting up "slave" OpenLDAP server



On Tuesday 08 July 2008 19:58:24 John Oliver wrote:
> I know nothing about LDAP / OpenLDAP.  With that out of the way...
>
> I have a CentOS 5 machine running openldap-2.3.27-8  I just built a
> CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3  My goal is to have
> the LDAP on the first machine synch with, and stay synched to, the LDAP
> on the second machine, so if the first machine dies I can bring up an
> interface with its IP on the second and get authentication working
> again.

Well, you should rather configure any LDAP clients to fail over to the second 
LDAP server, so no intervention is required.

> I've Googled "LDAP replication" and "LDAP synchronization".

Why did you not consult the documentation for the software you are using?

http://www.openldap.org/doc/admin23/syncrepl.html#Configuring%20Syncrepl

BTW, there are probably some best practice issues that aren't covered there. 
If you have configured your provider well, it is actually quite trivial to 
add a new consumer without requiring any configuration changes on the 
provider. The issues to take into account are:

- Ensuring the identity used by a new consumer has access to all the content 
that you wish it to replicate (suggestion: add a group-based ACL allowing 
read access to all entries)
- Ensuring the identity used by a new consumer has unlimited (size/time) access 
to all the content that you wish to replicate (suggestion: add group-based 
limit statements).

Then, adding a new consumer is reduced to adding an identity for the consumer 
to use for replication, adding it to the appropriate group, and starting 
slapd with a suitable configuration on the consumer.

Regards,
Buchan
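[Editor's note: the following slapd.conf fragments are an added worked example of the provider/consumer setup described in the reply above; they are not Buchan's configuration or anything from the OpenLDAP project, and all hostnames (ldap1/ldap2.example.com), the suffix dc=example,dc=com, the group cn=replicators,ou=groups, the consumer identity uid=ldap2,ou=services, passwords and file paths are assumed for illustration. Syntax is that of OpenLDAP 2.3, the version on the poster's CentOS 5 boxes.]

```conf
#
# Provider (ldap1.example.com): /etc/openldap/slapd.conf, OpenLDAP 2.3 syntax
# Names, DNs, paths and passwords are placeholders for this example.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

modulepath      /usr/lib/openldap
moduleload      syncprov.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret                  # placeholder: use a {SSHA} hash
directory       /var/lib/ldap

# Indexes syncprov relies on (entryCSN/entryUUID), plus the usual ones.
index   objectClass             eq
index   entryCSN,entryUUID      eq
index   uid,cn                  eq

# Group-based ACL: every member of cn=replicators may read every entry and
# every attribute (userPassword included, which it must replicate). "break"
# sends non-members on to the ordinary ACLs below, so adding a consumer
# never requires touching this file again.
access to *
        by group.exact="cn=replicators,ou=groups,dc=example,dc=com" read
        by * break
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# Group-based limits: without this, slapd's default sizelimit/timelimit
# would silently truncate the consumer's initial refresh of a big tree.
limits group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=com" size=unlimited time=unlimited

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

#
# Consumer (ldap2.example.com): /etc/openldap/slapd.conf
# Same schema includes as the provider, omitted here.
#
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret                  # placeholder
directory       /var/lib/ldap
index   objectClass             eq
index   entryCSN,entryUUID      eq
index   uid,cn                  eq

# rid must be unique per consumer. binddn is the entry created on the
# provider for this consumer and added as a member of cn=replicators.
syncrepl rid=002
        provider=ldap://ldap1.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        scope=sub
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="uid=ldap2,ou=services,dc=example,dc=com"
        credentials=secret              # placeholder, cleartext on disk

# Clients that write to the consumer are referred back to the provider.
updateref       ldap://ldap1.example.com
```

With the provider set up like this, bringing up a further consumer is exactly the three steps the reply lists: ldapadd an entry such as uid=ldap3,ou=services with a userPassword, add its DN as a `member` of the cn=replicators groupOfNames, and start slapd on the new box with a syncrepl stanza using a fresh `rid` and that binddn. No edit or restart of the provider is needed. Two practical caveats: `credentials` sits in cleartext in the consumer's slapd.conf, so keep that file readable by root and the ldap user only, and on an untrusted network add `starttls=critical` (and the matching TLS settings) to the syncrepl stanza so the bind and the replicated passwords are not sent in the clear. For the failover the reply recommends instead of moving IP addresses, nss_ldap/pam_ldap on CentOS 5 accept a space-separated list in /etc/ldap.conf, e.g. `uri ldap://ldap1.example.com ldap://ldap2.example.com`, so clients fall back to the consumer on their own.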