
Re: OpenLDAP replication using GSSAPI for slave server auth

On Fri, Jul 14, 2006 at 03:37:31PM +0200, Buchan Milne wrote:
> It's probably most convenient to do this by putting all your slaves in a
> groupOfNames entry, e.g. cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the
> DN each slave is mapped to by your authz-regexps as a member attribute) and
> add clauses like this to every ACL:
> by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read

Yes, the group approach is the best one, but you don't need this line in every
ACL. Just add this to the top:

access to dn.subtree="dc=example,dc=com"
	by group.exact="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
	by * break

So that, if there is no match, the rest of the ACLs are read and processed as
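As an added illustration of the "grant to the group, then break" pattern described above (not part of the original thread), here is a complete slapd.conf access section in which the replicator rule sits on top and the ordinary ACLs follow unchanged. It assumes a suffix of dc=example,dc=com, the cn=Replicator groupOfNames entry named in the quoted message, and that each slave's SASL/GSSAPI identity is already mapped by authz-regexp to a DN listed as a member of that group; those assumptions, and the ACLs after the first one, are illustrative only.

```conf
# Added example, not from the thread. Assumes suffix dc=example,dc=com and a
# groupOfNames entry cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu whose
# member values are the DNs the slaves are mapped to by authz-regexp.

# 1. Replicators read the whole subtree (no "attrs=" clause, so this covers
#    every attribute, including userPassword, which a full replica needs).
#    Everyone else hits "break" and falls through to the ACLs below instead
#    of being denied here; without "break" the first match would end
#    evaluation and non-replicators would get the implicit "none".
access to dn.subtree="dc=example,dc=com"
        by group.exact="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
        by * break

# 2. The normal ACLs, written exactly as they would be without replication;
#    none of them needs to mention the replicator group.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous auth
```

Because slapd stops at the first "access to" directive whose target and "by" clause match, the "by * break" line is what makes this work: it explicitly hands non-replicator clients on to the following directives. Checking the effect is straightforward with slapacl(8), e.g. "slapacl -D <slave DN> -b uid=test,dc=example,dc=com userPassword/read" should report read for a slave DN and deny it for an ordinary user DN.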