
Re: OpenLDAP instance as syncREPL replica and Slurpd master

Howard Chu wrote:
> Bruno Lezoray EMSM wrote:
>> Howard Chu wrote:
>>>>> In OpenLDAP 2.3 this will require one more slapd process (while
>>>>> eliminating the slurpd process).
>>>>>
>>>>> 1 provider
>>>>> 2 regular consumer
>>>>> 2A back-ldap consumer
>>>>> 3 external replica
>> To follow with the same restrictions:
>>
>> Only the 2nd instance can establish TCP connections to the 1st and 3rd
>> instances. TCP connections in the other direction are forbidden  >:o  .
>
> That was obvious, given your firewall setup.
>
>> Is it possible to configure the different instances to enable
>> replication in both directions?
>> 1 <-> 2 <-> 3
>
> Of course, but that would be a bad idea. Think about what you're
> doing. The reason you put a *read-only* replica outside the firewall
> is because it resides on an untrusted network. If you start accepting
> changes from it, it's like punching a hole in your firewall and
> letting the outside world in.
It's not an untrusted network. Instances 1 and 3 are in a DMZ with
access restricted by several levels of firewalls. I don't know
the complete details of the architecture, but I am confident in it (I
have no other choice).

For the moment, instance 3 can't accept modifications except with the
bind DN of the updatedn parameter.
Which solution can I have?
- set up 2 masters and 2 back-ldap, each one synchronizing in one direction?
- another solution?

Rgds, Bruno.
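For readers following the thread, here is an added slapd.conf sketch of the one-directional topology Howard lists (1 provider, 2 regular consumer, 2A back-ldap consumer, 3 external read-only replica) under the stated firewall rule that only the host running 2/2A may open TCP connections. It is not configuration from the thread or from the OpenLDAP project; hostnames, the suffix, DNs and the REPLACE_WITH_SECRET placeholders are constructed, and the 2A fragment follows the syncrepl-proxy pattern documented for later OpenLDAP releases, so its exact directive set should be checked against the slapd-ldap(5) man page of the 2.3.x release in use.

```conf
##### Instance 1: provider (initiates no TCP connections) #####
database    bdb
suffix      "dc=example,dc=com"                 # constructed example suffix
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap/provider
overlay     syncprov

##### Instance 2: regular consumer (only host allowed to open TCP to 1 and 3) #####
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap/consumer
syncrepl    rid=001
            provider=ldap://instance1.internal.example.com  # 2 -> 1: allowed direction
            type=refreshAndPersist
            retry="60 +"
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"       # read-only replication identity
            credentials=REPLACE_WITH_SECRET
updateref   ldap://instance1.internal.example.com   # client writes are referred to the provider

##### Instance 2A: back-ldap consumer, co-located with 2, pushes to 3 #####
# Same pull from 1 as instance 2, but its local "database" is a proxy whose
# writes land on instance 3, so 2A opens both connections (2A -> 1, 2A -> 3).
database    ldap
hidden      on                      # do not answer clients for this suffix
suffix      "dc=example,dc=com"
rootdn      "cn=slapd-ldap"
uri         ldap://instance3.dmz.example.com    # 2A -> 3: allowed direction
lastmod     on
restrict    all                     # no client operations through the proxy
# Identity the proxy binds with on 3; must match instance 3's updatedn
acl-bind    bindmethod=simple binddn="cn=replica,dc=example,dc=com" credentials=REPLACE_WITH_SECRET
syncrepl    rid=002
            provider=ldap://instance1.internal.example.com
            type=refreshAndPersist
            retry="60 +"
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials=REPLACE_WITH_SECRET
overlay     syncprov                # part of the syncrepl-proxy pattern (assumption for 2.3)

##### Instance 3: external replica, writable only by updatedn #####
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap/replica
updatedn    "cn=replica,dc=example,dc=com"      # only 2A may apply changes
updateref   ldap://instance1.internal.example.com   # everyone else is referred inward
```

Changes flow only 1 -> 2 and 1 -> 2A -> 3; instance 3 never originates updates, which keeps the external replica read-only as Howard recommends while still satisfying the connection-direction rule.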