
Re: Brief syncrepl question



On Tue, 2006-05-30 at 12:58 -0400, Aaron Richton wrote:
> The answer to your question is no. The answer to what you're trying to
> accomplish is likely more difficult--OpenLDAP is an open source project,
> after all.
> 
> OpenLDAP 2.1 doesn't do syncprov, at all. You may be able to slurpd from
> 2.1 into 2.{2,3} and then syncrepl from that. I doubt I'd recommend that
> configuration. You might consider that OS X 10.4 uses OpenLDAP 2.2.19. Not
> ideal, but you'll get syncrepl (in theory). But 2.2.19 isn't likely to be
> a happy version for syncrepl in practice.

We will be upgrading the server to Tiger server in a few months.  And
when I do I'll investigate syncrepl again.

I will try to slurpd into a 2.3 server and syncrepl from there, but
Apple sees these slurpd hosts as full replicas of the OpenDirectory
system (even if they are not) and that causes some problems.  I'm just
checking out my options at this point.

> 
> In production, you'd probably be a lot better off adding back-netinfo to a
> local build of 2.2.29 or, better yet, 2.3.23. You can get it from
> www.opensource.apple.com.

Alas, upgrading versions of openldap on OS X Server is not trivial at
all.

Does anyone know if it is the back-netinfo module that actually connects
to the password server and handles the SASL and simple binds?  It is not
clear from reading the source code.  In Tiger Server itself, the netinfo
database is deprecated.

The rest of the Apple OpenLDAP source tree is littered with Apple
changes, so it's hard to see what Apple has done and how to adapt those
changes to a newer version of OpenLDAP.  Also hampering the effort is
the fact that, while the source code for everything Apple has done is
available, it cannot be built without proprietary header files that
don't ship with the operating system.

I want to abandon this proprietary custom Apple solution soon.  In the
meantime we're keeping the Apple system because it interfaces so
seamlessly with the Apple clients.  While it is possible to make Apple
clients talk directly to openldap, things like password syncing,
automatic mounting of home directories and so forth are not so easy.  I
have other mechanisms for dealing with syncing from the Apple server to
a Linux server, and I can syncrepl from there for now.

Apple's hack to bridge openldap and the password server should be done
through overlays or something, but it is not.  And the way they've
chosen to implement this has caused no end of problems for me and many
other OS X Server users: deadlocks, crashes, etc.

Michael


> 
> On Tue, 30 May 2006, Michael L Torrie wrote:
> 
> > I am pretty sure the answer to this question is no, but I haven't
> > managed to find any definitive answer on Google yet.  The question is:
> > can I use syncrepl to sync openldap 2.2 and openldap 2.3 servers against
> > an openldap 2.1.x master server?  Unfortunately at the moment my Apple
> > openldap server is restricted to openldap 2.1 (Panther Server) but I
> > have a cluster of Linux servers that I'd like to keep synced (the
> > schemas on the Apple have been set up to be the exact same as my Linux
> > servers).
> >
> > thanks.
> >
> > Michael
> >
>
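For readers of the archive: the relay arrangement Aaron sketches above (slurpd from the 2.1 master into an intermediate 2.3 server, then syncrepl from that) looks roughly like the following three slapd.conf fragments. This is an added illustration, not configuration posted by either participant or shipped by Apple or OpenLDAP. The suffix, hostnames, DNs, passwords and directory paths are made-up placeholders, and the directive syntax is what the 2.1 and 2.3 slapd.conf(5) man pages document; the `tls=critical` option on the 2.1 `replica` line is an assumption about that release, so drop it if your slapd rejects it.

```conf
### 1) OpenLDAP 2.1 master (Panther Server): slurpd pushes every write to the relay.
# Placeholder values: dc=example,dc=com, relay.example.com, cn=replica, REPLACE_ME.
replogfile   /var/db/openldap/replog
replica      host=relay.example.com:389
             suffix="dc=example,dc=com"
             binddn="cn=replica,dc=example,dc=com"
             bindmethod=simple
             credentials=REPLACE_ME
             tls=critical
# slapd.conf now carries a clear-text replica password: keep the file
# root-owned and mode 0600, and give cn=replica no rights beyond this suffix.

### 2) OpenLDAP 2.3 relay: accepts slurpd's writes and is the syncrepl provider.
# moduleload syncprov.la            # only if syncprov was built as a module
database     bdb
suffix       "dc=example,dc=com"
directory    /var/lib/ldap/relay
# Writes arriving as cn=replica are replicated updates from the master;
# any other client that tries to write is referred back to the master.
updatedn     "cn=replica,dc=example,dc=com"
updateref    ldap://master.example.com
# Only the replication identities may write; consumers read; tighten
# "by * read" if anonymous reads are not wanted on the relay.
access to *
        by dn.exact="cn=replica,dc=example,dc=com" write
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * read
# syncprov maintains contextCSN/entryCSN so the consumers below can
# pull with syncrepl; the CSNs are generated on the relay, not on the
# 2.1 master, which has no syncprov at all.
overlay      syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

### 3) OpenLDAP 2.2/2.3 Linux consumers: pull from the relay, never from 2.1.
database     bdb
suffix       "dc=example,dc=com"
directory    /var/lib/ldap/consumer
syncrepl     rid=001
             provider=ldap://relay.example.com
             type=refreshAndPersist
             searchbase="dc=example,dc=com"
             bindmethod=simple
             binddn="cn=replicator,dc=example,dc=com"
             credentials=REPLACE_ME
             retry="60 +"
             starttls=critical
# Writes attempted here are referred to the relay, which refers them on
# to the master; clients must follow two referrals to reach the writer.
updateref    ldap://relay.example.com
```

Two things worth checking in practice, both consistent with Aaron's reluctance to recommend the setup: the relay's contextCSN describes the relay's own write history rather than the master's, so a re-seeded relay forces the consumers to refresh from scratch, and a slurpd backlog (see the reject file slurpd writes on failure) silently stalls every consumer downstream of it.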