[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replication problem

To: OpenLDAP software list <OpenLDAP-software@OpenLDAP.org>
Subject: Re: Replication problem
From: Michal Dobroczynski <michal.dobroczynski@gmail.com>
Date: Thu, 22 Sep 2005 16:26:14 +0200
Content-disposition: inline
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=EQMLBee5gIAAoRe1+RG8zi5hogOvQmJdxg+kXrvKXt2jBRcrprntYChDP9UteFO+BMIziGDMCFhb0TbDDS2dh2GLSzms7SyNd+FKRFqYBjgwvJr7TPNOhnCJfQJPiw3e3oAp/+NZsxhOBE4vtHikMMmRWdzmeLOsh4+eEESuO7M=
In-reply-to: <e13d05840509220724296a1134@mail.gmail.com>
References: <200509220935.16042.marcin.giedz@eulerhermes.pl> <38555.131.175.154.56.1127381139.squirrel@131.175.154.56> <200509221301.07611.marcin.giedz@eulerhermes.pl> <e13d05840509220724296a1134@mail.gmail.com>

On 22/09/05, Marcin Giedz <marcin.giedz@eulerhermes.pl> wrote:
> Dnia czwartek, 22 września 2005 11:25, Pierangelo Masarati napisał:
> > > Hello,
> > >
> > > I did a simple replication between master and slave LDAP server in two
> > > different cities through VPN. Data propagation from master to slave works
> > > OK
> > > but when any client send changes to slave it doesn't redirect client to
> > > master LDAP. Here is what I have in slapd.conf on master:
> > >
> > > replica host=ldap-slave1.aaa:389
> > >         binddn="cn=ldapmanager,dc=xxx,dc=xx"
> > >         bindmethod=simple credentials=xxx
> > >
> > >
> > > And this on slave slapd.conf:
> > >
> > > updatedn        "cn=ldapmanager,dc=xxx,dc=xx"
> > > updateref       ldap://ldap-primary.aaa
> > >
> > >
> > > OpenLDAP version is 2.2.24 in both locations. Maybe I have forgot
> > > something?
> >
> > Did you use the "cn=ldapmanager,dc=xxx,dc=xx" identity (i.e. the
> > "updatedn") to write to the slave?
> >
> Yes.... is it problem?.... from security point of view it can be but it
> doesn't matter now. Only I'd like to do that my updates go to master not to
> slave.

As it was mentioned before: cn=ldapmanager,dc=xxx,dc=xx is in the
updatedn - this means  that everything that is sent to the replica by
"cn=ldapmanager,dc=xxx, dc=xx" is treated as replication (it means,
that new stuff appeared in the master and now master wants to share
the data with slave).
To solve the problem - just design your access lists and use different
DNs: for replication (cn=replogmanager,dc=xxx,dc=dx for example). All
others not mentioned in updatedn will be considered as "global updates
to the database" and thus will be referred to the master LDAP.

To have tidy structure, you can always put DNs that are used by some
system tools into a separate ou, like
cn=replogmanager,ou=DSA,dc=xxx,dc=xx.

http://samba.idealx.org/smbldap-howto.fr.html#htoc34
There is a nice example of designing access lists and creating
different DNs under a separate organizational unit. At the bottom of
the page you'll find sample LDIFs.

Regards,
Michal

PS if this post will appear two times on the list - I'm sorry. #$%^&*
gmail knows better than me :S

>
> Marcin
> > p.
>

References:
- Replication problem
  - From: Marcin Giedz <marcin.giedz@eulerhermes.pl>
- Re: Replication problem
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Replication problem
  - From: Marcin Giedz <marcin.giedz@eulerhermes.pl>

Prev by Date: Re: OpenLDAP + RHEL4 - time to time database crash (BDB backend)
Next by Date: OpenLDAP & Cyrus-SASL: how to specify mech_list
Index(es):
- Chronological
- Thread