
RE: multimaster configuration of openldap-2.0.25



Keep in mind I've done this in 2.1.x, not 2.0.x, but the advice may be
useful:

1) I'm not sure that --enable-multimaster is a really valid configure
option.  Suggest that, after running the configure command, you manually
edit the include/portable.h file and make sure SLAPD_MULTIMASTER is
defined.  Then 'make depend && make'.

2) You should use an updatedn in both server configs.  I use the same DN
on both servers, a different one than the rootdn.  In other words, I have
the same updatedn config directive on both servers.

If you're using access control lists, I've noted that the ACLs need to
allow the updatedn write access explicitly (no different than
single-master replication).  It's been suggested that updatedn is treated
specially, but that hasn't worked for me, and I don't see the special
allowance for it in the code like I do for rootdn.

Hope this helps a bit.  Good luck.  It's an experimental feature, but does
seem to be working fine in 2.1 anyway.
-Alan

> Hi,
>
> I made the changes that were suggested in the reply I got back the
> first time, which I consider to be configuring openldap for multimaster
> support, and modified the slapd.conf files as suggested.
>
> Together with the email I sent (below), the changes were made (with
> configure --enable-multimaster)
> and to both slapd.conf files I attached (also below).
>
> As far as I can see I've made the suggested changes, and
> I still get the servers updating each other over and over.
>
> Is there anyone who has managed to get this working? Would be grateful
> if someone could send me their slapd.conf
> files, and perhaps give me an idea what I have not done right.
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: fredag, augusti 30, 2002 10:40
> To: Westman, Olle; openldap-software@OpenLDAP.org
> Subject: RE: multimaster configuration of openldap-2.0.25
>
>
> You asked this question before, and you already got the correct answers.
> http://www.openldap.org/lists/openldap-software/200208/msg00597.html
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
>> Olle.Westman@astrazeneca.com
>
>> Hello All,
>>
>> I'm trying to compile OpenLDAP-2.0.25 with multimaster support. I have
>> two servers which I want to act as masters,
>> updating each other, whichever gets an update request (mirror).
>> Right now, I've compiled OpenLDAP-2.0.25 by running configure like
>> this:
>>
>> ./configure --enable-slapd --enable-slurpd --enable-multimaster
>> --enable-crypt --enable-debug --prefix=/usr/freeware
>>
>> The trouble is that the openldap (master)servers never stop updating
>> each other.
>>
>> I have not used a replicator DN. Is this necessary? Is it wrong to
>> update with the rootdn?
>>
>> There are SLAPD_MULTIMASTER definitions in the code; do I have to
>> define it manually or is this taken care of by --enable-multimaster?
>>
>> I have not used updateref or referral. Are they necessary in this
>> setup?
>>
>> What am I missing, and what is necessary to add/modify to make this
>> setup work?
>>
>> My slapd.conf config files look like the following:
>>
>> Server 1:
>>
>> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> include         /usr/freeware/etc/openldap/schema/core.schema
>> include         /usr/freeware/etc/openldap/schema/cosine.schema
>> include         /usr/freeware/etc/openldap/schema/nis.schema
>> include         /usr/freeware/etc/openldap/schema/inetorgperson.schema
>> include         /usr/freeware/etc/openldap/schema/misc.schema
>>
>> # Define global ACLs to disable default read access.
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral       ldap://root.openldap.org
>>
>> pidfile         /usr/freeware/var/slapd.pid
>> argsfile        /usr/freeware/var/slapd.args
>>
>> # Load dynamic backend modules:
>> # modulepath    /usr/freeware/libexec/openldap
>> # moduleload    back_ldap.la
>> # moduleload    back_ldbm.la
>> # moduleload    back_passwd.la
>> # moduleload    back_shell.la
>>
>> #
>> # Sample Access Control
>> #       Allow read access of root DSE
>> #       Allow self write access
>> #       Allow authenticated users read access
>> #       Allow anonymous users to authenticate
>> #
>> #access to dn="" by * read
>> #defaultaccess write
>> access to attr=userPassword
>>         by self write
>> #       by anonymous auth
>>         by dn="cn=Manager,dc=my-domain,dc=com" write
>>         by * none
>> access to *
>>         by self write
>> #       by anonymous auth
>>         by dn="cn=Manager,dc=my-domain,dc=com" write
>>         by * read
>>
>> #access to *
>> #       by self write
>> #       by users read
>> #       by anonymous auth
>> #
>> # if no access controls are present, the default is:
>> #       Allow read by all
>> #
>> # rootdn can always write!
>>
>> #######################################################################
>> # ldbm database definitions
>> #######################################################################
>>
>> database        ldbm
>> suffix          "dc=my-domain,dc=com"
>> #suffix         "o=My Organization Name,c=US"
>> rootdn          "cn=Manager,dc=my-domain,dc=com"
>> #rootdn         "cn=Manager,o=My Organization Name,c=US"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw          secret
>> # The database directory MUST exist prior to running slapd AND
>> # should only be accessible by the slapd/tools. Mode 700 recommended.
>> directory       /usr/freeware/var/openldap-ldbm
>> # Indices to maintain
>> index   objectClass     eq
>>
>> password-hash {CRYPT}
>>
>> #########################################################################
>> # replication definitions
>> #########################################################################
>> replica host=serv-2.company.net:389
>>         binddn="cn=Manager1,dc=my-domain,dc=com"
>>         bindmethod=simple credentials=secret
>> updatedn "cn=Manager,dc=my-domain,dc=com"
>> replogfile /tmp/replog-1.log
>>
>>
>> Server 2:
>>
>> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> include         /usr/freeware/etc/openldap/schema/core.schema
>> include         /usr/freeware/etc/openldap/schema/cosine.schema
>> include         /usr/freeware/etc/openldap/schema/nis.schema
>> include         /usr/freeware/etc/openldap/schema/inetorgperson.schema
>> include         /usr/freeware/etc/openldap/schema/misc.schema
>>
>> # Define global ACLs to disable default read access.
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral       ldap://root.openldap.org
>>
>> pidfile         /usr/freeware/var/slapd.pid
>> argsfile        /usr/freeware/var/slapd.args
>>
>> # Load dynamic backend modules:
>> # modulepath    /usr/freeware/libexec/openldap
>> # moduleload    back_ldap.la
>> # moduleload    back_ldbm.la
>> # moduleload    back_passwd.la
>> # moduleload    back_shell.la
>>
>> #
>> # Sample Access Control
>> #       Allow read access of root DSE
>> #       Allow self write access
>> #       Allow authenticated users read access
>> #       Allow anonymous users to authenticate
>> #
>> #access to dn="" by * read
>> #defaultaccess write
>> access to attr=userPassword
>>         by self write
>> #       by anonymous auth
>>         by dn="cn=Manager1,dc=my-domain,dc=com" write
>>         by * none
>> access to *
>>         by self write
>> #       by anonymous auth
>>         by dn="cn=Manager1,dc=my-domain,dc=com" write
>>         by * read
>> #
>> # if no access controls are present, the default is:
>> #       Allow read by all
>> #
>> # rootdn can always write!
>>
>> #######################################################################
>> # ldbm database definitions
>> #######################################################################
>>
>> database        ldbm
>> suffix          "dc=my-domain,dc=com"
>> #suffix         "o=My Organization Name,c=US"
>> rootdn          "cn=Manager1,dc=my-domain,dc=com"
>> #rootdn         "cn=Manager,o=My Organization Name,c=US"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw          secret
>> # The database directory MUST exist prior to running slapd AND
>> # should only be accessible by the slapd/tools. Mode 700 recommended.
>> directory       /usr/freeware/var/openldap-ldbm
>> # Indices to maintain
>> index   objectClass     eq
>>
>> password-hash {CRYPT}
>>
>> #########################################################################
>> # replication definitions
>> #########################################################################
>> replica host=serv-1.company.net:389
>>         binddn="cn=Manager,dc=my-domain,dc=com"
>>         bindmethod=simple credentials=secret
>> updatedn "cn=Manager1,dc=my-domain,dc=com"
>> replogfile /tmp/replog-2.log


===========
Alan Sparks, UNIX/Linux Systems Administrator    <asparks@doublesparks.net>
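As an added example, not code from this thread or from the OpenLDAP project: a POSIX shell script that checks a pair of slapd.conf files and the built include/portable.h against the points in the reply above (SLAPD_MULTIMASTER actually defined, the same updatedn on both servers and distinct from each rootdn, an ACL that explicitly grants that updatedn write). All file contents, hostnames (serv-1.example.net, serv-2.example.net) and DNs (cn=replicator,dc=my-domain,dc=com) are constructed assumptions. The binddn/updatedn pairing check encodes the usual slurpd rule, the same as for single-master replication, that the DN a server binds with in its replica directive must be the peer's updatedn.

```shell
#!/bin/sh
# Added example, not part of the thread: sanity checks for the two-server
# slurpd "multimaster" layout advised above. All file contents, hostnames and
# DNs are constructed for this example.

# Print the (unquoted) value of a single-valued directive such as rootdn or
# updatedn. Assumes the DN contains no whitespace, as in the thread's configs.
conf_value() {  # conf_value FILE DIRECTIVE
    awk -v d="$2" '$1 == d { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Print the binddn= of the replica directive; slapd.conf continuation lines
# start with whitespace, so the parameter may sit on a following line.
replica_binddn() {  # replica_binddn FILE
    awk '/^replica[ \t]/ { inrep = 1 }
         inrep && /^[^ \t]/ && !/^replica[ \t]/ { inrep = 0 }
         inrep { for (i = 1; i <= NF; i++) if ($i ~ /^binddn=/) {
                     v = $i; sub(/^binddn=/, "", v); gsub(/"/, "", v); print v; exit } }' "$1"
}

# Succeed when include/portable.h defines SLAPD_MULTIMASTER (point 1 above).
multimaster_defined() {  # multimaster_defined PORTABLE_H
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+SLAPD_MULTIMASTER([[:space:]]|$)' "$1"
}

# Succeed when an "access to *" clause explicitly grants DN write access.
acl_grants_write() {  # acl_grants_write FILE DN
    awk -v dn="$2" 'BEGIN { want = "dn=\"" dn "\"" }
        /^access[ \t]+to[ \t]+\*/ { inacl = 1; next }
        /^access[ \t]/            { inacl = 0 }
        inacl && $1 == "by" && $2 == want && $3 == "write" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Check a server pair against the advice in the reply: SLAPD_MULTIMASTER built
# in, the same updatedn on both servers, distinct from each rootdn, an ACL
# granting it write, and each replica directive binding as the peer's updatedn
# (slurpd presents binddn to the peer, which accepts it as its updatedn).
# Prints one line per finding and returns 1 if any check fails.
check_multimaster() {  # check_multimaster PORTABLE_H CONF_A CONF_B
    rc=0
    multimaster_defined "$1" || { echo "$1: SLAPD_MULTIMASTER not defined"; rc=1; }
    for f in "$2" "$3"; do
        u=$(conf_value "$f" updatedn); r=$(conf_value "$f" rootdn)
        [ -n "$u" ]      || { echo "$f: no updatedn"; rc=1; }
        [ "$u" != "$r" ] || { echo "$f: updatedn is the rootdn"; rc=1; }
        acl_grants_write "$f" "$u" || { echo "$f: no ACL grants $u write"; rc=1; }
    done
    ua=$(conf_value "$2" updatedn); ub=$(conf_value "$3" updatedn)
    [ "$ua" = "$ub" ] || { echo "updatedn differs between the two servers"; rc=1; }
    [ "$(replica_binddn "$2")" = "$ub" ] || { echo "$2: replica binddn is not the peer's updatedn"; rc=1; }
    [ "$(replica_binddn "$3")" = "$ua" ] || { echo "$3: replica binddn is not the peer's updatedn"; rc=1; }
    return $rc
}

# Write a constructed slapd.conf with the given rootdn, updatedn, replica
# binddn and peer host; the ACL grants the updatedn write, as the reply advises.
write_conf() {  # write_conf FILE ROOTDN UPDATEDN BINDDN PEERHOST
    cat > "$1" <<EOF
access to attr=userPassword
        by self write
        by dn="$3" write
        by * none
access to *
        by self write
        by dn="$3" write
        by * read
database        ldbm
suffix          "dc=my-domain,dc=com"
rootdn          "$2"
rootpw          secret
updatedn        "$3"
replica host=$5:389
        binddn="$4"
        bindmethod=simple credentials=secret
replogfile      /var/lib/ldap/replog.log
EOF
}

PORTABLE_H=$(mktemp); printf '#define SLAPD_MULTIMASTER 1\n' > "$PORTABLE_H"  # constructed
REPL="cn=replicator,dc=my-domain,dc=com"   # shared updatedn, not a rootdn (constructed)
GOOD1=$(mktemp); write_conf "$GOOD1" "cn=Manager,dc=my-domain,dc=com"  "$REPL" "$REPL" serv-2.example.net
GOOD2=$(mktemp); write_conf "$GOOD2" "cn=Manager1,dc=my-domain,dc=com" "$REPL" "$REPL" serv-1.example.net
# The thread's original layout: each updatedn is its own rootdn, each binddn the peer's rootdn.
BAD1=$(mktemp); write_conf "$BAD1" "cn=Manager,dc=my-domain,dc=com"  "cn=Manager,dc=my-domain,dc=com"  "cn=Manager1,dc=my-domain,dc=com" serv-2.example.net
BAD2=$(mktemp); write_conf "$BAD2" "cn=Manager1,dc=my-domain,dc=com" "cn=Manager1,dc=my-domain,dc=com" "cn=Manager,dc=my-domain,dc=com"  serv-1.example.net

if check_multimaster "$PORTABLE_H" "$GOOD1" "$GOOD2"; then echo "corrected pair: all checks pass"; fi
if ! check_multimaster "$PORTABLE_H" "$BAD1" "$BAD2"; then echo "original layout: see findings above"; fi
```

Run against the real files with `check_multimaster include/portable.h /path/to/slapd.conf-1 /path/to/slapd.conf-2` after fetching the peer's config; the ACL check only looks at `access to *` clauses, so a site that grants the updatedn write through narrower attribute clauses will need that check adjusted.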