[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: distributed directories

There actually are ways to store (at least parts of) your LDAP configuration in 
LDAP.  I do it for my HP-UX hosts.  See


I maintain the configurations for our replicas with ssh, rsync, gawk, and sed.  
When a sysadmin brings up a new server they use sed on a standard template file 
to create the new slapd.conf for the local replica.

When I updated from samba 2.2 to samba 3.0 schema I generated the new 
slapd.conf files on all the replicas with these two commands (line breaks in 
the first command were added by my mail client) :

# grep replica /etc/openldap/slapd.conf
|gawk -F\: '/^[^#]/{print $1}'
|gawk -F\= '{printf "ssh -2 -i/root/.ssh/id_dsa.ldapsync %s sed 
rd/g%c \\\</etc/openldap/slapd.conf \\\>slapd.conf.new\n", $2, 39, 39}' 

# bash bush_in_the_skull

As always with *nix pipelines, you have to be careful with the escapes.... I'm 
sure this could be done cleaner, but I just yanked this out of my history file, 
it's what actually worked.


On 14 Apr 2004 at 11:05, denis.havlik@t-mobile.at wrote:
> >> A) How do ACLs work in such a setup? I can imagine that one may get
> >> better  performance if ACLs are determined on the caching server:
> >In general it is not a good idea, but it can be based on the trust you 
> can
> >put on the caching servers.  In the scenario you're drawing it appears
> In fact, this whole bussines with ACLs has been bothering me since the 
> beginning. Everything else in openLDAP scales quite nicely, but ACLs (and 
> other things, like "limit" statements & ssl certs) have to be entered 
> again and again on every server. It's exactly the administrators nightmare 
> situation we are trying to avoid in the first place. :-(
> Automatically updating part of the slapd configuration file on slave 
> servers at server start (btw, can slapd re-load the configuration without 
> restart?) sounds like a good idea. I can think of two ways to do it:
> 1) classical way, with scp/rsync or such. That's simple to do, but why do 
> we have an LDAP server for?
> 2) Store the ACLs data for slaves in LDAP, and read them from the master 
> server when needed. Anyone went this way?
> One step further would be to "read the slapd configuration from master 
> LDAP server". I presume this is an old idea - what was the result of 
> discussions so far?
> regards
>         Denis