
Re: replica uri support



Post for the original patch which was merged into cvs:
http://www.openldap.org/lists/openldap-software/200306/msg00302.html


From the OpenLDAP Administrator's Guide:
http://www.openldap.org/doc/admin22/replication.html
 -----------------------------------------------------------------------------

13.4.5. Configure the master slapd for replication

To configure slapd to generate a replication logfile, you add a "replica" configuration option to the master slapd's config file. For example, if we wish to propagate changes to the slapd instance running on host slave.example.com:

        replica uri=ldap://slave.example.com:389
                binddn="cn=Replicator,dc=example,dc=com"
                bindmethod=simple credentials=secret

In this example, changes will be sent to port 389 (the standard LDAP port) on host slave.example.com. The slurpd process will bind to the slave slapd as "cn=Replicator,dc=example,dc=com" using simple authentication with password "secret".

If we wish to perform the same replication using ldaps on port 636:

        replica uri=ldaps://slave.example.com:636
                binddn="cn=Replicator,dc=example,dc=com"
                bindmethod=simple credentials=secret

The host option is deprecated in favor of uri, but the following replica configuration is still supported:

 -----------------------------------------------------------------------------



Another mailing list post regarding Slurpd over SSL:
http://www.openldap.org/lists/openldap-software/200311/msg00442.html
 -----------------------------------------------------------------------------
Port 636 is the default LDAPS (LDAP over SSL) port. As already noted, you
cannot use the LDAP StartTLS request over SSL. If you want slurpd to use SSL,
you must not specify TLS in the replica configuration.

If you're using OpenLDAP 2.1.23 you can use a URI in the replica
configuration, and specify ldaps there. e.g., instead of
	replica host=foo.bar.domain:636
use
	replica uri=ldaps://foo.bar.domain

 -----------------------------------------------------------------------------



And last but not least, the slapd.conf manpage:
 -----------------------------------------------------------------------------

       replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
               [tls=yes|critical] [suffix=<suffix> [...]]
               bindmethod=simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
               [saslmech=<SASL mech>] [secprops=<properties>]
               [realm=<realm>] [authcId=<authentication ID>]
               [authzId=<authorization ID>] [attr[!]=<attr list>]

 -----------------------------------------------------------------------------

So... That being said, does anyone else have any input on this?
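As an added example (not from this post or from OpenLDAP), a small Python audit of replica directives like the ones quoted above: it joins slapd.conf continuation lines, then reports each directive as ldaps, StartTLS-required, StartTLS-optional or cleartext, and flags the ldaps-plus-tls= combination the second post says must not be used. The sample configuration is constructed, and the reading of tls=yes as "attempt StartTLS" versus tls=critical as "require it" is my assumption from slapd.conf(5), not something this thread states.

```python
import re

# Constructed slapd.conf fragment (not from the post); an indented line continues the previous directive.
SAMPLE_CONF = """\
replica uri=ldaps://slave.example.com:636
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica host=old.example.com:389 tls=critical
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica uri=ldap://plain.example.com
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica uri=ldaps://mixed.example.com tls=critical
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
"""

def join_continuations(text):
    logical = []  # logical lines: a physical line starting with whitespace joins the previous one
    for raw in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical

def parse_replica(line):
    opts = {}  # key=value options of one replica directive; values may be double-quoted
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        opts[key.lower()] = quoted or bare
    return opts

def check_replica(opts):
    """Classify how the replication bind (DN + password) is protected on the wire."""
    target = opts.get("uri") or opts.get("host", "?")
    tls = opts.get("tls")
    findings = []
    if opts.get("uri", "").lower().startswith("ldaps://"):
        # StartTLS is an LDAP extended operation; it cannot be layered over an SSL port.
        findings.append("invalid: tls= with ldaps://" if tls else "ok: ldaps")
    else:
        if "host" in opts:
            findings.append("host= is deprecated, use uri=")
        if tls == "critical":
            findings.append("ok: StartTLS required")
        elif tls == "yes":
            findings.append("weak: tls=yes only attempts StartTLS, use tls=critical")
        else:
            findings.append("cleartext: bind credentials are sent unprotected")
    return target, findings

def audit(conf_text):
    return [check_replica(parse_replica(l)) for l in join_continuations(conf_text) if l.split()[0].lower() == "replica"]
```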


> Date: Tue, 27 Jan 2004 12:22:06 +0100
> From: "Bjørn Ove Grøtan" <bjorn.grotan@itea.ntnu.no>
> Reply-To: openldap-software@OpenLDAP.or
> To: Cybr0t McWhulf <cybre@killcybre.org>
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: replica uri support
>
> Cybr0t McWhulf:
> >
> > Here's what I've tried:
> >  ----
> > replica uri=ldaps://<insert host here>
> > 	suffix="dc=your,dc=domain"
> > 	bindmethod=simple
> > 	binddn="cn=Master,dc=your,dc=domain"
> > 	credentials=<credentials>
> >  ----
>
>
> > Am I horribly misinformed here?  Is my syntax goofy?
>
> replica
>     host=<your-host-replica-1>
>     suffix="dc=your,dc=domain"
>     bindmethod=simple
>     binddn="cn=Master,dc=your,dc=domain"
>     credentials=<credentials>
>     tls=critical
>
> slurpd does not support replication with ldaps, only ldap+tls as far as
> I know.
>
> An example slapd.conf for replication can be found here (as reference to
> in the FAQomatic):
> http://www.openldap.org/lists/openldap-software/199907/msg00204.html
>
> --
> Regards
>
> Bjørn Ove Grøtan
>