[Date Prev][Date Next]
Re: Antwort: Re: distributed directories [Virus checked]
On Wed, 14 Apr 2004 email@example.com wrote:
> >> A) How do ACLs work in such a setup? I can imagine that one may get
> >> better performance if ACLs are determined on the caching server:
> >In general it is not a good idea, but it can be based on the trust you
> >put on the caching servers. In the scenario you're drawing it appears
> In fact, this whole bussines with ACLs has been bothering me since the
> beginning. Everything else in openLDAP scales quite nicely, but ACLs (and
> other things, like "limit" statements & ssl certs) have to be entered
> again and again on every server. It's exactly the administrators nightmare
> situation we are trying to avoid in the first place. :-(
> Automatically updating part of the slapd configuration file on slave
> servers at server start (btw, can slapd re-load the configuration without
> restart?) sounds like a good idea. I can think of two ways to do it:
> 1) classical way, with scp/rsync or such. That's simple to do, but why do
> we have an LDAP server for?
> 2) Store the ACLs data for slaves in LDAP, and read them from the master
> server when needed. Anyone went this way?
3) Use an include file ...
(which may make (2) easier to implement and definitely makes (1) much
See /etc/openldap/slapd.access.conf in your openldap-server package
> One step further would be to "read the slapd configuration from master
> LDAP server". I presume this is an old idea - what was the result of
> discussions so far?
Kolab has some intereseting stuff for bootstrapping LDAP servers, IIRC
using the perl backend for a configuration suffix (and having changes on
the master replicate to this backend) which writes to a perl database file
(tied hash?) which is used to generate the slapd.conf before slapd is