
Re: slapd replication (push based)
On Tue, 24 Jun 2008 09:40:24 -0700, Howard Chu <hyc@symas.com> wrote:
> Martin Simovic wrote:
>> Hi,
>>
>> I have the following setup:
>>
>> LAN --- slapd 2.4.7 (master) --- DMZ --- slapd 2.3.30 (slave)
>>
>> I'm trying to achieve replication from master to slave.
>> The firewall policy is LAN-->DMZ allow
>>                        DMZ-->LAN reject
>>
>> This was actually very easy with slurpd (removed from 2.4) as the only
>> need was to allow TCP traffic from master to slave.
>>
>> With syncrepl it seems to me that no matter if I use the push/pull method
>> the client (slave) is the one that binds to the master (provider). This
>> means that a firewall rule that allows TCP traffic to the LAN is needed; this
>> is very ugly.
>>
>> Is there a way to work around this (or did I just misunderstand the whole
>> problem)?
> 
> See the configuration used in test045 in the test suite.

Thanks for the answer.

The truth is, I've already been through test045 but can't understand what
is going on there. The OpenLDAP admin guide seems to be a lot more verbose
about much simpler subjects and very sparse about something which does not
seem so straightforward (and used to be so simple in slurpd times).

My scenario seems pretty usual (like a secured rw copy of the DIT on the LAN,
while a read-only copy on the DMZ - for mail server, Apache auth, etc.).
In this very usual and IMHO wise setup the DMZ-to-LAN traffic is undesirable.

And yet there is no solid documentation in the admin guide.

Any pointers to documentation would be much appreciated.

Thank you,

Martin.
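Added example, not part of the thread and not the literal test045 files: a sketch of the arrangement test045 and the Admin Guide's "syncrepl proxy" section describe, which is what makes push-style replication possible through a LAN-->DMZ-only firewall. The trick is that the syncrepl consumer does not run on the slave at all. It runs on the master, inside a second back-ldap database that proxies to the DMZ replica, so the consumer's connection goes to the local provider and the writes go out from the master to the slave. Both TCP connections originate on the LAN side. The suffix, hostnames, DNs and the credential below are assumptions, not the values from the thread.

```conf
# ---------------------------------------------------------------
# master (LAN), slapd 2.4 -- assumed suffix dc=example,dc=com,
# assumed replica host slave.dmz.example.com, assumed bind DN
# cn=Manager,dc=example,dc=com with password "secret" (use
# something real, and ideally a hashed rootpw on the replica)
# ---------------------------------------------------------------
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# 1) the authoritative, read-write copy; syncprov makes it a provider
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap
index           objectClass,entryCSN,entryUUID eq
overlay         syncprov
syncprov-checkpoint 100 10

# 2) a second database on the SAME master: a back-ldap proxy whose
#    target is the DMZ replica.  "hidden on" exempts it from the
#    suffix-conflict check and keeps clients of this slapd away from it;
#    "restrict all" refuses every client operation on it.
database        ldap
hidden          on
suffix          "dc=example,dc=com"
rootdn          "cn=slapd-ldap"
uri             ldap://slave.dmz.example.com/
lastmod         on
restrict        all
acl-bind        bindmethod=simple
                binddn="cn=Manager,dc=example,dc=com"
                credentials=secret
# the syncrepl consumer lives here, on the master: it pulls changes
# from the local provider (database 1) and applies them through
# back-ldap to the replica.  Nothing ever connects DMZ-->LAN.
syncrepl        rid=001
                provider=ldap://localhost/
                binddn="cn=Manager,dc=example,dc=com"
                bindmethod=simple
                credentials=secret
                searchbase="dc=example,dc=com"
                type=refreshAndPersist
                retry="5 5 300 5"

# ---------------------------------------------------------------
# replica (DMZ), slapd 2.3 -- no syncrepl configuration at all.
# It only receives ordinary LDAP write operations from the master's
# proxy, bound as its rootdn, so the older version should not matter
# for this mode.
# ---------------------------------------------------------------
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret          # assumed; generate a hash with slappasswd
directory       /var/lib/ldap
index           objectClass,entryCSN,entryUUID eq
# read-only for the mail server, Apache auth, etc.; the rootdn bypasses ACLs
access to *
        by * read
```

Two practical caveats for this layout. First, the replica now trusts whoever can bind as its rootdn from the DMZ, and the password sits in clear text in the master's slapd.conf, so point `uri` at `ldaps://` (or use the back-ldap `tls start` directive) and add `starttls=critical` to the syncrepl stanza rather than sending that credential in the clear; lock the file down to the slapd user. Second, do not set `updateref` on the replica pointing back at the master: it would hand DMZ clients a referral into the LAN that the firewall policy is there to forbid.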