
Re: federated directory

> On Tue, 2004-07-27 at 16:39, Pierangelo Masarati wrote:
>> I might have missed your initial message; however, I think you can do that
>> with slurpd as well; in that case you need to build slapd as multi-master,
>> but use that option wisely, i.e. to make each instance of slapd master of
>> its own data.  In that case, the replicas should be replicas for the
>> shared data, and replicate only the portion of DIT they master to the
>> other instances of slapd by using the "suffix" option of the "replica"
>> directive.  Note that this should work in principle, but I haven't tested
>> it (yet).  If you're comfortable with syncrepl then go ahead, since slurpd
>> is slowly fading away and syncrepl will eventually replace it.
> interesting - I thought multi master was declared dead and impossible to
> implement with OpenLDAP...

It is; I suggest using the feature to allow simultaneous replication and
regular write to the same database, keeping the proprietary and the
shadowed data separated only programmatically, i.e. by means of ACLs and
"suffix" parameters in the replica directives... i.e.:

    - owns "dc=example,dc=com" except the children
      of "ou=Local,dc=example,dc=com"
    - the "replica" directive contains the option
      "suffix=ou=Global,dc=example,dc=com" (assuming no changes
      will take place below it);
    - ACLs contain the rule
      access to dn.regex="((.+),)?cn=Slave
          by dn.exact,expand="cn=Replicator $3,ou=Local,dc=example,dc=com"
          by * read

"slave #n":
    - owns the subtree of "cn=Slave #n,ou=Local,dc=example,dc=com";
    - replicates the rest;
    - the "replica" directive contains the option
      "suffix=cn=Slave #n,ou=Local,dc=example,dc=com";
    - ACLs contain the rule
      access to dn.subtree="cn=Slave #n,ou=Local,dc=example,dc=com"
          by <your access rules>
      access to dn.regex="((.+),)?cn=Slave
          by dn.exact,expand="cn=Replicator $3,ou=Local,dc=example,dc=com"
          by <your access rules>
      access to dn.subtree=ou=Global,dc=example,dc=com$"
          by dn.exact="cn=Global Replicator,ou=Local,dc=example,dc=com" write
          by <your access rules>

Again, this is untested; I might want to test it some time, when I can
spare a few cycles.

> The main problem I had with slurpd was
> stopping it replicating twice if there were two replica directives,
> however, I don't have my old configs to provide details.
> syncrepl seems to work apart from the entryUUID problem. I've posted on
> a different thread about that. It is 100% reproducible so if I don't hear
> from anyone in the next day or so I will file a bug report on ITS.

Then keep working with syncrepl, and possibly file the ITS.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
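
Added example (not part of the original message, and not OpenLDAP code): a small Python audit of the ownership partition described above. It checks that every sample DN has exactly one instance accepting regular writes and that each instance's "replica" suffix is a subtree it alone masters. The two-slave topology, the sample DNs and all function names are constructed for illustration, and DN parsing is simplified.

```python
# Added example. Topology and sample DNs are constructed; two slaves assumed.

def parse_dn(dn):
    # Simplified normalization: lower-case, trim; escaped commas not handled.
    return tuple(r.strip().lower() for r in dn.split(",") if r.strip())

def is_under(dn, base, strict=False):
    """True if dn is base or below it (strict=True: only below it)."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    return len(d) > len(b) or not strict

BASE = "dc=example,dc=com"
LOCAL = "ou=Local," + BASE

def build_topology(slaves=(1, 2)):
    # Master owns everything except the children of ou=Local.
    topo = {"master": {"owns": [BASE], "except_children_of": [LOCAL],
                       "replica_suffix": "ou=Global," + BASE}}
    for n in slaves:
        sub = "cn=Slave #%d,%s" % (n, LOCAL)
        topo["slave #%d" % n] = {"owns": [sub], "except_children_of": [],
                                 "replica_suffix": sub}
    return topo

def masters_of(topo, dn):
    """Names of instances that accept regular (non-replicated) writes to dn."""
    return sorted(name for name, inst in topo.items()
                  if any(is_under(dn, o) for o in inst["owns"])
                  and not any(is_under(dn, e, strict=True)
                              for e in inst["except_children_of"]))

def audit(topo, sample_dns):
    """Return a list of findings; empty means the partition is consistent."""
    findings = []
    for dn in sample_dns:
        m = masters_of(topo, dn)
        if len(m) != 1:
            findings.append("%s: mastered by %s" % (dn, m or "nobody"))
    for name, inst in topo.items():
        if masters_of(topo, inst["replica_suffix"]) != [name]:
            findings.append("%s replicates a suffix it does not solely master: %s"
                            % (name, inst["replica_suffix"]))
    return findings

SAMPLES = ["uid=a,ou=Global," + BASE, LOCAL,
           "uid=b,cn=Slave #1," + LOCAL, "uid=c,cn=Slave #2," + LOCAL]
```
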