[Date Prev][Date Next]
Re: Testing slave-master replication.
Thanks for the answer ..
The fact that tools provided by openldap do not support
authenticated chasing of referrals is, I believe, well
OK, searching with the terms in your response turns up some
good info: .
What confuses me, though, is that I don't want to *re*use any
credentials. In the master's slapd.conf I specify the rootpw,
rootdn, binddn and credentials. In exactly the same way, on the
slave, I want to specify the necessary information. No question
of reusing or caching. I want to stipulate in a
"-rw------- 1 root root" file exactly how my slave should
How else should I understand section 10.4.2 in the
OpenLDAP 2.0 Administrator's Guide? It seems to intimate that
authentication is provided, in point 4:
3. Do include an updatedn line. The DN given should match the DN
given in the binddn= parameter of the corresponding replica=
directive in the master slapd config file.
4. Make sure the DN given in the updatedn directive has permission
to write the database (e.g., it is listed as rootdn or is allowed
access by one or more access directives).
5. Use the updateref directive to define the URL the slave should
return if an update request is received.
In my simple testing setup, I specify only one DN as rootdn (on
master and slave), binddn and updatedn. Is there anything else I
Is there any other document or example that explains how to configure
a slave to propagate writes to the master?
Further, as I mentioned, I do not see any connection attempt from
the slave to the master. The relevant stanza from my slave slapd.conf
index cn,sn,uid,o pres,eq,sub
# For slave
I have a proxy listening on blommie:9998, forwarding to the master
on blommie:398, but I'm seeing no connection from slave. Should I?
..  For the others participating in this thread: searching for
turns up 4 on-topic threads, from which I glean that openldap
tools bind anonymously when chasing referrals for security
reasons; for example, Kurt writes: "I believe it unwise to reuse
credentials while automatically chasing referrals."
There's a longer discussion from Howard Chu in this thread:
in which he argues for sending credentials along with referrals.