
ITS#7434



Quanah,

Trying to post a reply using my hotmail account. Sorry for the unreadable output previously posted. I'm almost embarrassed to say I've been involved in IT for over 15 years and never used a mailing list before.

Anyhow, I did download the source packages and compiled them. However, the semester was winding down and I was under a lot of pressure to have something completed before the end of finals week so my professor could assign me a grade for the work I had done. I reverted back to my previous version to get some stuff written. Not to mention, my algorithms professor was kicking my butt too. Will I ever "really" need an FFT in the real world? lol

The more I looked at what I was trying to accomplish, I realized I was attacking the problem all wrong. What I was being asked to do was something more like configuring my two slapd servers to act more like Active Directory global catalog servers. GCs utilize MM instead of single master replication, so I scrapped the SM replication design in favor of MM. Once this was done, I no longer needed the chaining overlay or proxy auth. I now have MM replication of both cn=config and my directory data (with delta) working and my Kerberos KDCs are happy.

One thing I did find was that configuring MM replication made me learn a little more about how to "properly" name/configure an overlay with the syncprov and accesslog modules by digging into the test scripts. I had some issues with sync state on the consumers, but I found a post you made to someone else a few years back that solved my delta replication issue by configuring a syncprov overlay on the accesslog db. Not sure I remember seeing that in the Admin Guide.

Looking back at the original post I noticed the chain overlay I had configured was dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config. Knowing what I know now, I'm not 100% sure that was correct. Shouldn't that overlay have been in either the config database of my directory or the ldap backend database for the chain rather than a "frontend"? Just a thought I've been kicking around in my head.

Either way, I have my ldap config working. We can either close this issue if you'd like or leave it open and I'll attempt to confirm my theory on the overlay not being properly located when I get a chance. Completely your choice.

But I do have a couple of questions on my MM replication of cn=config if you want to take them. First, does it make sense or is it possible to do delta replication on cn=config? The data "on the wire" seems like it would be much smaller and less frequent than directory data, so perhaps it's not as beneficial? Secondly, I am using a simple bind with this replication agreement (versus sasl/gssapi and tls for my directory data). When configuring limits and ACLs for replication of my dit, I created a groupOfNames (cn=replicators,ou=groups,dc=example,dc=net) that has each ldap server as a member. My thought process was that this made the solution a bit more scalable. As ldap servers were added to the topology, they could be added to the group of names and automatically be given the correct permissions and limits. Likewise, as servers are decommissioned, they could easily be removed by deleting them from the group and directory. Can I use this same group of names in cn=config replication by creating a similar limit and ACL using this group of names? Since I am handling the formatting of the gssapi uid in cn=config (maybe a mistake if I ever wanted to be able to handle multiple directories/domains), can I use the gssapi authentication of hosts in dc=example,dc=net? Seems I should be able to, since it appears that when the authorization occurs in the database, the bind id is assumed to be already authenticated and accepted as presented with no further authentication taking place. I'm thinking that so long as that uid is formatted into a dn listed in an ACL, the matching access is applied? Am I way off base in my thinking? Now that I have a rough workable solution I'm just trying to pretty it up a bit and make the design more efficient and scalable.

Thanks

Barry
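The following LDIF is an added illustration of the design the message describes (delta-syncrepl with syncprov on the accesslog database, a replicators groupOfNames driving limits and ACLs, and GSSAPI host principals mapped to directory DNs). It is constructed for this page and is neither the poster's configuration nor anything from the OpenLDAP project; host names, the database index numbers, the accesslog directory and the purge schedule are placeholder assumptions, and so is the assumption that the servers have entries under ou=servers,dc=example,dc=net and that group DNs in dc=example,dc=net are resolvable from the databases whose ACLs reference them.

```ldif
# Constructed example, not from ITS#7434. Assumes the directory is
# olcDatabase={1}mdb, the accesslog is olcDatabase={2}mdb, and each slapd host
# has an entry cn=<shortname>,ou=servers,dc=example,dc=net.

# 1. Map the SASL identity of a Kerberos host principal
#    (host/ldap1.example.net@EXAMPLE.NET) onto its directory entry. slapd
#    matches the regex against the normalized, lower-cased authz DN; the
#    anchors keep a longer string from matching by accident. Only host
#    principals of this realm are mapped; everything else keeps its
#    cn=auth identity and therefore matches no group-based ACL.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^uid=host/([^,/]+)\.example\.net,cn=example\.net,cn=gssapi,cn=auth$" "cn=$1,ou=servers,dc=example,dc=net"

# 2. One entry per server (device has cn as its only required attribute)
#    and the group that the limits and ACLs below refer to. Adding or
#    removing a server is then a membership change, not an ACL edit.
dn: cn=ldap1,ou=servers,dc=example,dc=net
objectClass: device
cn: ldap1

dn: cn=ldap2,ou=servers,dc=example,dc=net
objectClass: device
cn: ldap2

dn: cn=replicators,ou=groups,dc=example,dc=net
objectClass: groupOfNames
cn: replicators
member: cn=ldap1,ou=servers,dc=example,dc=net
member: cn=ldap2,ou=servers,dc=example,dc=net

# 3. The accesslog database. Replicas get unlimited search limits through the
#    group, and the ACL lets only group members read the change log; nobody
#    else can see what was written, by whom, or when.
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: cn=accesslog
olcRootDN: cn=accesslog
olcDbDirectory: /var/lib/ldap/accesslog
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart eq
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcAccess: {0}to * by group.exact="cn=replicators,ou=groups,dc=example,dc=net" read by * none

# 4. syncprov on the accesslog database is what lets a consumer fetch the
#    change records (delta-syncrepl) instead of whole entries.
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# 5. The directory database: accesslog records successful writes into
#    cn=accesslog (purged daily once older than 7 days), syncprov serves
#    the ordinary refresh phase, and the same group supplies the limits.
dn: olcOverlay={0}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {0}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10

# 6. Consumer side of the directory database on ldap1, pulling from ldap2
#    over TLS with GSSAPI: the host keytab supplies the credential, the
#    regex in step 1 turns it into cn=ldap1,ou=servers,..., and that DN's
#    group membership is what grants the read and the unlimited limits.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap2.example.net bindmethod=sasl saslmech=GSSAPI starttls=critical searchbase="dc=example,dc=net" type=refreshAndPersist retry="5 5 300 +" timeout=1 syncdata=accesslog logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcLimits
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
```

The mirror of step 6 lives on ldap2 with `provider=ldap://ldap1.example.net`, and multi-provider mode also needs a distinct `olcServerID` per host in cn=config. The point of routing every replica identity through the group is that the sensitive pieces, the change log and the unlimited search limits, are granted to exactly the DNs listed as `member`, so auditing who can read the accesslog reduces to reading one group entry.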
