Re: Securing against writes on slave slapd
On 2/27/07, Cian Davis <firstname.lastname@example.org> wrote:
Apologies if this has been posted before - I had a search through the
archives but couldn't find anything.
We have a master slapd and slurpd feeding to a slave LDAP server - all
user info, including auth, comes from LDAP. The LDAP master machine
has /home and the slave runs the mail server. I had thought that I saw
something in the OpenLDAP manual that you could force any attempted
changes on the slave server to be redirected to the master (and then
obviously, the changes would get to the slave via a push from slurpd).
But after numerous searches, I can't find it. Was I imagining things
or is there such a directive?
Now this may sound stupid, but if you put the slave slapd into
readonly mode, can it accept updates from slurpd on the master? It
would reduce the chances of writes being made to the slapd on the
slave and causing synchronisation headaches.

You're looking for updateref in slapd.conf:

    Specify the referral to pass back when slapd(8) is asked to
    modify a replicated local database. If specified multiple
    times, each url is provided.

When a database is in a mode to accept updates from slurpd, it will
reject all writes even without the updatedn unless those writes
include structuralobjectclass and other operational attributes.
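
Added example, not part of the original thread: a small audit that reads a slave's slapd.conf and lists every database that carries updatedn (so it takes pushes from slurpd) but has no updateref to send other writers to the master. The sample configuration, its hostnames and DNs, and the function names are constructed for illustration.

```python
import shlex

# Constructed slave slapd.conf (slurpd-era replication directives).
# Hostnames, DNs and suffixes are placeholders, not values from the thread.
SAMPLE_SLAVE_CONF = '''\
database bdb
suffix "dc=example,dc=com"
# DN the master's slurpd binds as when pushing changes
updatedn "cn=replicator,dc=example,dc=com"
# referral handed back to any other client that attempts a write
updateref ldap://master.example.com

database bdb
suffix "dc=mail,dc=example,dc=com"
updatedn "cn=replicator,dc=example,dc=com"
'''

def parse_databases(text):
    """Split slapd.conf text into per-database directive lists."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank or comment line
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    databases = []
    for line in logical:
        words = shlex.split(line)                 # honours quoted arguments
        if words[0].lower() == "database":
            databases.append({"type": words[1], "directives": []})
        elif databases:                           # skip global directives
            databases[-1]["directives"].append((words[0].lower(), words[1:]))
    return databases

def audit_replicas(text):
    """Return suffixes of databases with updatedn but no updateref."""
    missing = []
    for db in parse_databases(text):
        d = dict(db["directives"])
        if "updatedn" in d and "updateref" not in d:
            missing.append(d.get("suffix", ["<no suffix>"])[0])
    return missing

if __name__ == "__main__":
    for suffix in audit_replicas(SAMPLE_SLAVE_CONF):
        print(f"{suffix}: has updatedn but no updateref pointing at the master")
```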