
Re: syncrepl, updateref, chain overlay and the authzTo attribute



Edgar Fuß wrote:
> For performance reasons, I need an LDAP replica on a remote site. I set this
> up using syncrepl. Now, given some clients' inability to direct updates to
> an LDAP server different from the one they send queries to, is the
> following the intended way to deal with this situation (using OpenLDAP as a
> server, of course) or is there a simpler solution?
> 
> - set updateref on the syncrepl consumer
> - use the chain overlay on the syncrepl consumer

Yupp. Use slapo-chain on the consumer.

> - set an appropriate authzTo attribute for the replication entity and set
> authz-policy to to on the syncrepl provider

That is for proxy authorization. Do you really need that? From my
understanding the clients would be to the consumer replica and the master
enforces access control. IMHO no need for proxy authz.

> As an aside, I couldn't find it documented that authzTo was an operational
> attribute, so I wasted my time looking for a schema containing that
> attribute.

Why is looking at the schema a waste of time?

Ciao, Michael.
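
The three steps listed in the quoted question, written out as slapd.conf fragments. This is an added example, not configuration from either poster; the host name, suffix, service DNs, credentials and the choice of a separate chaining identity are placeholder assumptions.

```conf
# --- Consumer (remote replica) slapd.conf; all names are placeholders ---

# slapo-chain is configured globally, before the first "database" section.
overlay              chain
chain-uri            "ldap://provider.example.com"
# The consumer binds as its own service identity and asserts the client's
# identity (mode="self"), so the provider evaluates its ACLs against the
# original user rather than against the service account.
chain-idassert-bind  bindmethod="simple"
                     binddn="cn=chain,ou=services,dc=example,dc=com"
                     credentials="REPLACE_ME"
                     mode="self"
# Protect the chained bind and writes in transit.
chain-tls            start
# Return the provider's error to the client instead of the raw referral.
chain-return-error   TRUE

database             mdb
suffix               "dc=example,dc=com"
syncrepl             rid=001
                     provider=ldap://provider.example.com
                     type=refreshAndPersist
                     searchbase="dc=example,dc=com"
                     bindmethod=simple
                     binddn="cn=replicator,ou=services,dc=example,dc=com"
                     credentials="REPLACE_ME"
                     starttls=critical
                     retry="60 +"
# Writes sent to the consumer yield this referral; the chain overlay
# follows it on the client's behalf.
updateref            "ldap://provider.example.com"

# --- Provider slapd.conf (global section) ---
# Honour authzTo rules stored on the identity that performs the bind.
authz-policy         to

# --- Provider: LDIF applied to the chaining identity (shown as comments) ---
# authzTo lists whom this identity may act as. Keep the pattern as narrow
# as the deployment allows, since it bounds what a compromised consumer
# can assert.
#
# dn: cn=chain,ou=services,dc=example,dc=com
# changetype: modify
# add: authzTo
# authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

authzTo is an operational attribute built into slapd, so no extra schema file has to be loaded before adding it.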