
Re: Securing against writes on slave slapd

On 2/27/07, Cian Davis <davisc@skynet.ie> wrote:

Hi All,

Apologies if this has been posted before - I had a search through the archives but couldn't find anything.

We have a master slapd and slurpd feeding to a slave LDAP server - all
user info, including auth, comes from LDAP. The LDAP master machine
has /home and the slave runs the mail server. I had thought that I saw
something in the OpenLDAP manual that you could force any attempted
changes on the slave server to be redirected to the master (and then
obviously, the changes would get to the slave via a push from slurpd).
But after numerous searches, I can't find it. Was I imagining things
or is there such a directive?

Now this may sound stupid, but if you put the slave slapd into
readonly mode, can it accept updates from slurpd on the master? It
would reduce the chances of writes being made to the slapd on the
slave and causing synchronisation headaches.

You're looking for updateref in slapd.conf:

    updateref <url>
        Specify the referral to pass back when slapd(8) is asked to
        modify a replicated local database. If specified multiple
        times, each url is provided.

When a database is in a mode to accept updates from slurpd, it will
reject all writes even without the updatedn unless those writes
include structuralobjectclass and other operational attributes.
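
A check for the setup discussed in this thread, added here as an example and not part of the original messages: it parses a slave's slapd.conf and flags any database that has updatedn but no updateref. The sample configuration, hostnames and DNs are constructed placeholders.

```python
import shlex

# Constructed sample slave slapd.conf; hostnames and DNs are placeholders.
SAMPLE_CONF = """\
# global section
include /etc/openldap/schema/core.schema

database bdb
suffix "dc=example,dc=com"
updatedn "cn=replicator,dc=example,dc=com"
updateref ldap://master.example.com

database bdb
suffix "dc=lab,dc=example,dc=com"
updatedn
    "cn=replicator,dc=example,dc=com"
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()  # continues the previous line
        else:
            lines.append(raw.rstrip())
    return [l for l in lines if l.strip() and not l.startswith("#")]

def parse_databases(text):
    """Return one dict per 'database' section with its replication directives."""
    dbs = []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        key, args = tokens[0].lower(), tokens[1:]
        if key == "database":
            dbs.append({"suffix": None, "updatedn": None, "updateref": []})
        elif dbs and args and key in ("suffix", "updatedn"):
            dbs[-1][key] = args[0]
        elif dbs and args and key == "updateref":
            dbs[-1]["updateref"].append(args[0])  # may be given multiple times
    return dbs

def audit(text):
    """Flag replicated databases (updatedn set) that have no updateref."""
    return [(db["suffix"], "updatedn set but no updateref")
            for db in parse_databases(text)
            if db["updatedn"] and not db["updateref"]]

if __name__ == "__main__":
    for suffix, problem in audit(SAMPLE_CONF):
        print(f"{suffix}: {problem}")
```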