
Re: Replication slapd.conf example?



I've been working on getting replication using K5, and have a few questions since this was brought up.

When you start slapd/slurpd on your master, how do you associate the replicator principal with the server daemons? I'm assuming, from some other documentation that's available on the web, that you have the replicator account in the keytab of the master and initiate a kinit at some point.   Does the replicator account need to be in the keytab of each slave also?  ... Oh, and is your SASL regex the standard uid=(.*),cn=GSSAPI,cn=auth uid=$1,ou=users,dc=example,dc=com ?

Thanks..

Jonathan Higgins
Network Service Specialist IV
Kennesaw State University
jhiggins@kennesaw.edu

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

>>> Quanah Gibson-Mount <quanah@stanford.edu> 06/10/03 09:34PM >>>


--On Tuesday, June 10, 2003 8:51 PM -0400 kend@xanoptix.com wrote:

> Hey, all -- I've been RTFMing all day, and I can -not- figure out how to
> get replication working.  I tried via both the Debian install, and by
> hand, and either
> a) it doesn't work, or
> b) it not only doesn't work, but it spikes the CPU.
>
> I -do- get info into my replogfile, but it goes between ~2K, and 0 bytes,
> then back and forth; I assume it's trying to replicate, but is failing.
> If anyone would be kind enough to give me a -full- snippet from both slave
> and master slapd.conf files (or a link to somewhere that gives full
> examples, as opposed to the ones in the admin guide on openldap.org), it'd
> be _much_ appreciated.

Ken,

You haven't specified what version of OpenLDAP you are using.  This is how 
we set up replication on our servers, but be warned that we use K5 for our 
replication identity, so there are no passwords, etc, involved in doing 
this as there may be in other cases.

Master:

database        bdb
suffix          "dc=stanford,dc=edu"
rootdn          "cn=Manager,dc=stanford,dc=edu"

# Replica Directives

replica         host=ldap1.stanford.edu:389
                tls=yes bindmethod=sasl
                binddn=cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
                saslmech=gssapi

replogfile      /var/log/replog


Slave:

#######################################################################
# bdb database definitions
#######################################################################

database        bdb
suffix          "dc=stanford,dc=edu"
rootdn          "cn=Manager,dc=stanford,dc=edu"

# Replica Directives

updatedn        cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
updateref       ldaps://ldap-master.stanford.edu

Also important, the ACL file for the slave (which we have as a separate 
file):

# $Id: slapd.acl,v 1.59 2003/06/10 17:53:33 quanah Exp $
# ACL include file for slapd
#
# this is for testing

access to dn.base=""
        by * read

access to dn.base="cn=monitor"
        by * read

access to *
        by dn.base="cn=replicator,cn=Service,cn=Applications,dc=stanford,dc=edu" write
        by * break

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
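An added example, not part of either message above and not OpenLDAP's own code: a small Python script that reads master and slave slapd.conf fragments the way slapd does (a line beginning with whitespace continues the previous directive, which is why the replica directive in the quoted mail is really one line) and then checks the three things that have to agree for slurpd replication to work: the master's replica binddn must be the slave's updatedn, the slave needs an updateref, and the slave ACL must grant that DN write access. The sample configs are constructed from the fragments in Quanah's message; the sasl-regexp line in the slave sample is an assumption added to illustrate Jonathan's question (it maps the GSSAPI identity uid=replicator,cn=gssapi,cn=auth onto the updatedn, so the same script can show why a regex that maps to ou=users would make the bind land on a DN the slave does not accept updates from). Assumed as well: the replicator's SASL authcid is "replicator", no realm component appears in the authz-id, and sasl-regexp matching is case-insensitive with $N standing for the Nth group.

```python
"""Consistency check for a slurpd-style replication setup (added example).

Parses master and slave slapd.conf fragments, joins continuation lines as
slapd does, and checks that the identity slurpd binds with on the master is
the identity the slave accepts updates from and lets write.
"""
import re
import shlex

# Constructed samples based on the fragments in the message above.
MASTER_CONF = """\
database        bdb
suffix          "dc=stanford,dc=edu"
rootdn          "cn=Manager,dc=stanford,dc=edu"
# Replica Directives
replica         host=ldap1.stanford.edu:389
                tls=yes bindmethod=sasl
                binddn=cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
                saslmech=gssapi
replogfile      /var/log/replog
"""

SLAVE_CONF = """\
database        bdb
suffix          "dc=stanford,dc=edu"
rootdn          "cn=Manager,dc=stanford,dc=edu"
updatedn        cn=replicator,cn=service,cn=applications,dc=stanford,dc=edu
updateref       ldaps://ldap-master.stanford.edu
# Assumed mapping of the GSSAPI identity to a DN (not in the original mail).
sasl-regexp     "uid=(.*),cn=gssapi,cn=auth"
                "cn=$1,cn=service,cn=applications,dc=stanford,dc=edu"
access to dn.base=""
        by * read
access to *
        by dn.base="cn=replicator,cn=Service,cn=Applications,dc=stanford,dc=edu" write
        by * break
"""


def logical_lines(text):
    """Return each directive as a token list; leading whitespace continues the previous line."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [shlex.split(line) for line in joined]  # shlex honours the double quotes


def norm_dn(dn):
    """Approximate distinguishedNameMatch: case-insensitive, no blanks around , and =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_conf(text):
    conf = {"replica": [], "sasl_regexp": [], "access": []}
    for tokens in logical_lines(text):
        key = tokens[0].lower()
        if key == "replica":  # replica host=... key=value ...
            conf["replica"].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
        elif key == "sasl-regexp":  # sasl-regexp <pattern> <replacement>
            conf["sasl_regexp"].append((tokens[1], tokens[2]))
        elif key == "access":  # access to <what> by <who> [<access>] [<control>] ...
            what, clauses, i = tokens[2], [], 3
            while i < len(tokens):
                j = i + 1
                while j < len(tokens) and tokens[j].lower() != "by":
                    j += 1
                clauses.append((tokens[i + 1], [t.lower() for t in tokens[i + 2:j]]))
                i = j
            conf["access"].append((what, clauses))
        elif key in ("updatedn", "updateref", "suffix", "rootdn"):
            conf[key] = tokens[1]
    return conf


def map_sasl_identity(regexps, authcid, mech="GSSAPI"):
    """Apply sasl-regexp rules to uid=<authcid>,cn=<mech>,cn=auth; first match wins.
    Assumed: no realm component, case-insensitive match, $N = Nth group."""
    authzid = f"uid={authcid},cn={mech.lower()},cn=auth"
    for pattern, replacement in regexps:
        m = re.search(pattern, authzid, re.IGNORECASE)
        if m:
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return None


def acl_grants_write(access, dn):
    """True if an 'access to *' clause grants write to <dn> by exact DN match."""
    for what, clauses in access:
        if what != "*":
            continue
        for who, rights in clauses:
            m = re.match(r"(?:dn|dn\.base|dn\.exact)=(.*)", who)
            if m and norm_dn(m.group(1)) == norm_dn(dn) and "write" in rights:
                return True
    return False


def check_replication(master, slave, authcid="replicator"):
    """Return a list of problems; an empty list means master and slave agree."""
    replicas = [r for r in master["replica"] if "binddn" in r]
    if not replicas:
        return ["master has no replica directive with a binddn"]
    updatedn = slave.get("updatedn")
    if not updatedn:
        return ["slave has no updatedn"]
    problems = []
    if not slave.get("updateref"):
        problems.append("slave has no updateref; client writes will not be referred to the master")
    for rep in replicas:
        if norm_dn(rep["binddn"]) != norm_dn(updatedn):
            problems.append(f"master binddn {rep['binddn']} != slave updatedn {updatedn}")
        if rep.get("bindmethod", "").lower() == "sasl" and slave["sasl_regexp"]:
            mapped = map_sasl_identity(slave["sasl_regexp"], authcid, rep.get("saslmech", "GSSAPI"))
            if mapped is None or norm_dn(mapped) != norm_dn(updatedn):
                problems.append(f"sasl-regexp maps uid={authcid} to {mapped!r}, not to updatedn")
    if not acl_grants_write(slave["access"], updatedn):
        problems.append(f"no 'access to *' clause on the slave grants write to {updatedn}")
    return problems


if __name__ == "__main__":
    for p in check_replication(parse_conf(MASTER_CONF), parse_conf(SLAVE_CONF)) or ["ok"]:
        print(p)
```

Run it against your own files by swapping the two sample strings for the contents of the master and slave slapd.conf. The DN comparison is deliberately loose (lower-casing and stripping blanks), which matches the cn/dc attributes used here but is not a full distinguishedNameMatch; and the sasl-regexp mapping only matters when bindmethod=sasl, since a simple bind presents the binddn directly.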