Re: Testing slave-master replication.
Hi Kurt
Thanks for the answer ..
The fact that tools provided by openldap do not support
authenticated chasing of referrals is, I believe, well
documented.
OK, searching with the terms in your response turns up some
good info: [1].
What confuses me, though, is that I don't want to *re*use any
credentials. In the master's slapd.conf I specify the rootpw,
rootdn, binddn and credentials. In exactly the same way, on the
slave, I want to specify the necessary information. No question
of reusing or caching. I want to stipulate in a
"-rw------- 1 root root" file exactly how my slave should
chase referrals.
How else should I understand section 10.4.2 in the
OpenLDAP 2.0 Administrator's Guide? It seems to intimate that
authentication is provided, in point 4:
3. Do include an updatedn line. The DN given should match the DN
given in the binddn= parameter of the corresponding replica=
directive in the master slapd config file.
4. Make sure the DN given in the updatedn directive has permission
to write the database (e.g., it is listed as rootdn or is allowed
access by one or more access directives).
5. Use the updateref directive to define the URL the slave should
return if an update request is received.
In my simple testing setup, I specify only one DN as rootdn (on
master and slave), binddn and updatedn. Is there anything else I
should do?
Is there any other document or example that explains how to configure
a slave to propagate writes to the master?
Further, as I mentioned, I do not see any connection attempt from
the slave to the master. The relevant stanza from my slave slapd.conf
is:
database ldbm
suffix "dc=XXXX,dc=co,dc=za"
rootdn "cn=admin,dc=XXXX,dc=co,dc=za"
rootpw {SSHA}hzXXXXXXXXX0Ov5Z8IC7Oi6mUxtlQ+o
directory /var/lib/openldap-ldbm/XXXX
defaultaccess read
schemacheck on
lastmod on
index cn,sn,uid,o pres,eq,sub
# For slave
updatedn "cn=admin,dc=XXXX,dc=co,dc=za"
updateref ldap://blommie:9998
I have a proxy listening on blommie:9998, forwarding to the master
on blommie:398, but I'm seeing no connection from the slave. Should I?
--
Jean Jordaan
http://www.upfrontsystems.co.za
.. [1] For the others participating in this thread: searching for
http://www.google.com/search?&q=site%3Awww.openldap.org+authenticated+chasing+of+referrals
turns up 4 on-topic threads, from which I glean that openldap
tools bind anonymously when chasing referrals for security
reasons; for example, Kurt writes: "I believe it unwise to reuse
credentials while automatically chasing referrals."
http://www.openldap.org/lists/ietf-ldapext/199911/msg00027.html
There's a longer discussion from Howard Chu in this thread:
http://www.openldap.org/lists/openldap-devel/200205/msg00018.html
in which he argues for sending credentials along with referrals.
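Added example, not from this thread or from the OpenLDAP project: a small Python checker that applies steps 3 to 5 of the Administrator's Guide quoted above to a master and a slave slapd.conf, testing that the slave's updatedn matches a binddn= of a replica= directive on the master, that the updatedn is the rootdn or is granted write access, and that updateref is set. The two stanzas, hostnames and DNs are constructed placeholders, and the access-directive test is a deliberately crude substring match.

```python
import re
# Constructed sample stanzas with placeholder names, not the poster's own files.
MASTER_CONF = """\
rootdn "cn=admin,dc=example,dc=co,dc=za"
replica host=slave.example.test:389
        binddn="cn=admin,dc=example,dc=co,dc=za"
        bindmethod=simple credentials=secret
"""
SLAVE_CONF = """\
rootdn "cn=admin,dc=example,dc=co,dc=za"
updatedn "cn=admin,dc=example,dc=co,dc=za"
updateref ldap://master.example.test:389
"""

def parse_conf(text):
    """Return (directive, args) pairs; a line starting with whitespace continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and raw.strip() and lines:  # slapd.conf continuation line
            lines[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw.strip())
    return [(p[0].lower(), p[1] if len(p) > 1 else "") for p in (l.split(None, 1) for l in lines)]

def get(pairs, name):
    return [args for directive, args in pairs if directive == name]

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.strip('"').split(","))

def check_replication(master_text, slave_text):
    """Admin Guide steps 3-5 as checks; returns a list of problems (empty means consistent)."""
    master, slave = parse_conf(master_text), parse_conf(slave_text)
    if not get(slave, "updatedn"):
        return ["slave: no updatedn directive"]
    udn, problems = norm_dn(get(slave, "updatedn")[0]), []
    # 3. updatedn must equal the binddn= of a replica= directive on the master
    binddns = [norm_dn(m.group(1)) for r in get(master, "replica")
               for m in re.finditer(r'binddn=("[^"]*"|\S+)', r)]
    if udn not in binddns:
        problems.append("master: no replica= directive binds as " + udn)
    # 4. updatedn needs write access: rootdn, or an access rule naming it with 'write'
    rootdns = [norm_dn(r) for r in get(slave, "rootdn")]
    acl_ok = any(udn in a.lower() and "write" in a.lower() for a in get(slave, "access"))
    if udn not in rootdns and not acl_ok:
        problems.append("slave: updatedn " + udn + " cannot write the database")
    # 5. updateref is what the slave hands back to a writing client; slurpd on the master pushes
    if not get(slave, "updateref"):
        problems.append("slave: no updateref directive")
    return problems
```

With slurpd-style replication the connection runs from the master to the slave (slurpd binds as binddn), while the slave answers a client's write with a referral to updateref, so a slave-to-master connection attempt is not part of this setup.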