Re: (ITS#5746) Guide updates
----- email@example.com wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.12
> OS: NA
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (18.104.22.168)
> In looking at the admin guide sections on replication, I notice the
> (a) The syncrepl configuration suggests using the rootdn on the consumer,
> which we advise people *not* to do.
> "The consumer uses the rootdn to write to its database so it always has full
> permissions to write all content."
> (b) It makes no mention of using the "limits" option in slapd.conf to
> sizelimit/timelimit restrictions on a non-rootdn user
Eh? It says no such thing, Quanah?
"In this example, the consumer will connect to the provider slapd(8) at port 389 of ldap://provider.example.com to perform a polling (refreshOnly) mode of synchronization once a day. It will bind as cn=syncuser,dc=example,dc=com using simple authentication with password "secret". Note that the access control privilege of cn=syncuser,dc=example,dc=com should be set appropriately in the provider to retrieve the desired replication content. Also the search limits must be high enough on the provider to allow the syncuser to retrieve a complete copy of the requested content. The consumer uses the rootdn to write to its database so it always has full permissions to write all content."
It binds to the remote db as "cn=syncuser,dc=example,dc=com", but writes to its own db as the rootdn, as per Syncrepl.
OpenLDAP Engineering Team.
Community developed LDAP software.
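As an added illustration (not part of this ITS thread and not text from the OpenLDAP Administrator's Guide), here is how the two sides described in the quoted guide passage fit together in slapd.conf, using the DNs and connection details it mentions (ldap://provider.example.com port 389, refreshOnly once a day, cn=syncuser with password "secret"). The provider grants cn=syncuser read access and lifts the default size/time limits for that DN so a full refresh is not truncated; the consumer's syncrepl directive binds to the provider as cn=syncuser, while the consumer's own rootdn is only used locally to write the replicated entries and is never sent to the provider. The suffix dc=example,dc=com, the rootdn cn=Manager, the rid, the backend and the directory paths are assumed values chosen for the example.

```conf
# ---- provider slapd.conf (assumed example, not from the thread) ----
database    hdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap/provider

# The replication account only needs read access to the content it replicates.
# Placing this rule first and falling through with "break" keeps the
# site's ordinary access rules in effect for every other identity.
access to *
    by dn.exact="cn=syncuser,dc=example,dc=com" read
    by * break

# Lift the default sizelimit/timelimit for the replication account only,
# so the consumer can retrieve a complete copy; other binds keep the defaults.
limits dn.exact="cn=syncuser,dc=example,dc=com"
    time.soft=unlimited time.hard=unlimited
    size.soft=unlimited size.hard=unlimited

# Serve syncrepl requests for this database.
overlay syncprov

# ---- consumer slapd.conf (assumed example, not from the thread) ----
database    hdb
suffix      "dc=example,dc=com"
# Local rootdn: syncrepl writes replicated entries with this identity.
# It is not used to bind to the provider.
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap/consumer

# Bind to the provider as the limited syncuser account, not as any rootdn.
# interval=01:00:00:00 is one day, matching "once a day" in the guide text.
syncrepl rid=123
    provider=ldap://provider.example.com:389
    type=refreshOnly
    interval=01:00:00:00
    searchbase="dc=example,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=syncuser,dc=example,dc=com"
    credentials=secret
```

The thing to verify on the provider is the pairing of the access rule and the limits line for the same DN: with the access rule but without the limits line, a consumer whose initial refresh exceeds the provider's sizelimit or timelimit gets a truncated copy, which is the (b) point raised in the report.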