Re: Updatedn questions
Andrew Findlay wrote:
>
> Good point - I should have included more of the slave slapd.conf in my
> reply, which would have shown that I normally make updatedn and rootdn
> the same on slaves. This policy also allows the bind password to be
> given in slapd.conf thus avoiding the need for updatedn to be listed
> in the directory.
According to ldapv3.pdf, this is a bad idea:
The updatedn is the identity used by slurpd when replicating changes to
slaves. The updatedn should be a unique dn, used by no other users or
processes.
If the updatedn is also the root dn the slave will be unable to tell the
difference between a replication connection and an administrative
connection. This situation allows a slave to be updated by a source
other than the master, and thus become out of sync with the rest of the
DIT causing future replication events to fail.
>
> Here is part of slapd.conf from my example-slave config:
>
> > database ldbm
> > suffix "dc=example,dc=org"
> > rootdn "cn=SLURPD,dc=example,dc=org"
> > rootpw {SSHA}2bpnVaAE7taF2R94VARqeflaw3uWI6dm
> >
> > # The DN used by the remote SLURPD
> > updatedn "cn=SLURPD,dc=example,dc=org"
> > # Where to refer updates to if anyone tries to make changes here
> > updateref ldap://localhost:3389/
>
> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd |
> | Consultant in large-scale systems, networks, and directory services |
> | Andrew.Findlay@skills-1st.co.uk +44 1628 782565 |
> -----------------------------------------------------------------------
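
An added example, not part of the original messages or of the slapd distribution: a small Python check that reads a slapd.conf and reports each database section whose updatedn is the same DN as its rootdn, the configuration discussed in this thread. The sample config is constructed from the quoted excerpt plus a hypothetical second database, and the DN comparison is simplified (case-folding and whitespace trimming only).

```python
import shlex

# Constructed sample: the slave excerpt quoted in the thread (rootpw omitted)
# plus a hypothetical second database with a dedicated replication identity.
SAMPLE = '''\
database ldbm
suffix "dc=example,dc=org"
rootdn "cn=SLURPD,dc=example,dc=org"
# The DN used by the remote SLURPD
updatedn "cn=SLURPD,dc=example,dc=org"
updateref ldap://localhost:3389/

database ldbm
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
updatedn "cn=Replicator, dc=example, dc=net"
'''

def logical_lines(text):
    """Drop blank/comment lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def normalize_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around RDN commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def shared_identities(text):
    """Return (suffix, updatedn) for each database where updatedn equals rootdn."""
    databases = []
    for line in logical_lines(text):
        words = shlex.split(line)          # honours double-quoted arguments
        key, args = words[0].lower(), words[1:]
        if key == "database":
            databases.append({})           # a new database section starts here
        elif databases and args and key in ("suffix", "rootdn", "updatedn"):
            databases[-1].setdefault(key, args[0])
    return [(db.get("suffix"), db["updatedn"]) for db in databases
            if "rootdn" in db and "updatedn" in db
            and normalize_dn(db["rootdn"]) == normalize_dn(db["updatedn"])]

if __name__ == "__main__":
    for suffix, dn in shared_identities(SAMPLE):
        print(f"{suffix}: updatedn and rootdn are both {dn}")
```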