
Re: ACLs / replication / availability



dannyman wrote:

> This may be in the FAQ, but I've looked at the FAQ so often right now I want
> to talk to people instead. :)
>
> 1) If I use ACLs in slapd.conf, do I need to replicate these ACLs in the
> slapd.conf on a slave (replicated) server?

In principle you MUST: a slave cannot reveal information that the master
is otherwise protecting ... I think this is where LDUP (LDAP replication) is
hanging: AC rules should stay with data instead of server so they get
replicated as well.
There's no need to remove write permissions from slaves, because only
the updatedn is allowed to actually write on the slave.
Everybody else is returned a referral to the updateref, if defined.

>
>  - Only the master has to accept writes.
>  - But, the slave servers have to determine read access. :)
>
> 2) Is there info somewhere on playing with LDAPv3 ACIs?  How mature are these?

Marked as experimental.

>
> I can help find bugs?

Sure. You're welcome.

>
>
> 3) Can I mix and match slapd.conf ACLs and LDAPv3 ACIs?

I think yes. ACIs are used if present; otherwise ACLs apply.

>
>
> 4) Has anyone written a script to push updates to slave LDAP servers?  I'm
> thinking it looks something like:
>
> Stop master ldap.
> Foreach slave ldap:
>         Stop slave ldap.
>         Push updated config files to slave.  (rsync!)
>         Optionally, push master LDAP database files to slave.
>         Start slave ldap.
> Start master ldap.
>
> My concern is partly that since the docs describe setting up a replicated
> server say you should copy over the database and THEN start replication, that
> if a slave falls off the network for a time then it may be some degree of a
> PITA to bring it back to reality, and I should automate reprogramming of
> slaves.  And do it during "down time." :)

slurpd keeps trying to update every now and then until it succeeds.

>
> Does the replog grow indefinitely?  Maybe slurpd -o would be my "push LDAP
> database to slave" function?  Does this buy me any less downtime?  How does
> slurpd know what from the replog to replicate?

Based on timestamps and on the replica: strings.

>
> Others have done this stuff, written scripts, learned the pitfalls?

I bet nearly everybody has his/her own custom scripts;
in my case they're REALLY custom :)

--
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
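The master/slave arrangement discussed in this thread, as an added slapd.conf example (not taken from the thread or from the OpenLDAP documentation): host names, DNs, the replog path and the credential placeholder are assumptions, and the replicator DN is given explicit write access in the ACLs so the same access stanzas can be pasted unchanged into both files.

```conf
# --- master slapd.conf (assumed host master.example.com; example config) ---
database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# slurpd tails this log and pushes each change to every "replica" below,
# binding as the replicator DN (which is the slave's updatedn)
replogfile      /var/lib/ldap/replog
replica         host=slave1.example.com:389
                binddn="cn=Replicator,dc=example,dc=com"
                bindmethod=simple credentials=REPLACE_ME

# ACLs: the slave must carry this same set (see below)
access to attrs=userPassword
        by dn="cn=Replicator,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=Replicator,dc=example,dc=com" write
        by self write
        by users read
        by * none

# --- slave slapd.conf (assumed host slave1.example.com) ---
database        ldbm
suffix          "dc=example,dc=com"

# Only the updatedn may write here; any other write attempt is answered
# with a referral to updateref
updatedn        "cn=Replicator,dc=example,dc=com"
updateref       ldap://master.example.com

# Same ACLs as the master. Leaving these out would let any reader fetch
# userPassword (and everything else) from the slave, because access rules
# live in slapd.conf and are not replicated along with the data.
access to attrs=userPassword
        by dn="cn=Replicator,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=Replicator,dc=example,dc=com" write
        by self write
        by users read
        by * none
```

Whenever the access stanzas on the master change, the same text has to be pushed to every slave (the rsync step in the script sketched above); a quick `diff` of the `access` blocks between the two files is a cheap way to catch drift.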