[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Partial replication

To: Howard Chu <hyc@symas.com>
Subject: Re: Partial replication
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Tue, 6 Apr 2010 13:30:10 +0100
Cc: Joe Friedeggs <friedeggs44@hotmail.com>, Zdenek Styblik <stybla@turnovfree.net>, openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <4BB523EC.9010802@symas.com>
References: <4BB264E4.3050207@turnovfree.net> <BLU143-W144F7D19E7127423CA4E92A51F0@phx.gbl> <4BB2EF07.1010106@turnovfree.net> <20100401194338.GA14745@slab.skills-1st.co.uk> <4BB523EC.9010802@symas.com>
User-agent: Mutt/1.5.17 (2007-11-01)

On Thu, Apr 01, 2010 at 03:53:32PM -0700, Howard Chu wrote:

> Multiple agreements with the same provider won't work, since there will 
> only be one contextCSN sent from the master. After the first consumer runs, 
> the second one will assume it is up to date.

Good point - I had forgotten that.

> The correct solution here is to use a extended filter with dnSubtreeMatch 
> on each desired branch.

So in this case with the tree:

dc=example,dc=com
    |
    +--o=support
    |
    +--o=location_A
    |
    +--o=location_B
    |
    +--o=location_C

the syncrepl clause on the location A slave would contain something like
this:

	searchbase="dc=example,dc=com"
	filter="(|(entrydn:dnSubtreeMatch:=o=support,dc=example,dc=com)(entrydn:dnSubtreeMatch:=o=location_A,dc=example,dc=com))

Unfortunately, when I look back at the original question I see that the
slave server is physically located at location A and the security
policy does not permit people at that location to see any data belonging
to the other locations. Limiting the replication by this method leaves
open the possibility that someone at location A might change the config
to allow them to see data from location B, so the master server is still
going to need ACLs to prevent that.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

References:
- Re: Partial replication
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: Partial replication
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Using "overlay dynlist" with Ubuntu Karmic 9.10 LDAP server using slapd.d (not slapd.conf) ?
Next by Date: Re: forgotten rootdn psw
Index(es):
- Chronological
- Thread