
Re: Setting up "slave" OpenLDAP server

On Tuesday 08 July 2008 19:58:24 John Oliver wrote:
> I know nothing about LDAP / OpenLDAP.  With that out of the way...
> I have a CentOS 5 machine running openldap-2.3.27-8  I just built a
> CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3  My goal is to have
> the LDAP on the first machine synch with, and stay synched to, the LDAP
> on the second machine, so if the first machine dies I can bring up an
> interface with its IP on the second and get authentication working
> again.

Well, you should rather configure any LDAP clients to fail over to the second 
LDAP server, so no intervention is required.

> I've Googled "LDAP replication" and "LDAP synchronization".

Why did you not consult the documentation for the software you are using?
BTW, there are probably some best practice issues that aren't covered there. 
If you have configured your provider well, it is actually quite trivial to 
add a new consumer without requiring any configuration changes on the 
provider. The issues to take into account are:

-Ensuring the identity used by a new consumer has access to all the content 
that you wish it to replicate (suggestion: add a group-based ACL allowing 
read access to all entries)
-Ensuring the identity used by a new consumer has unlimited (size/time) access 
to all the content that you wish to replicate (suggestion: add group-based 
limit statements).

Then, adding a new consumer is reduced to adding an identity for the consumer 
to use for replication, adding it to the appropriate group, and starting 
slapd with a suitable configuration on the consumer.
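The provider-side preparation and the consumer-side syncrepl stanza the reply describes, shown as a constructed slapd.conf example for OpenLDAP 2.3. This is an added illustration, not configuration from the original thread; the suffix dc=example,dc=com, the group cn=replicators,ou=groups,dc=example,dc=com, the consumer identity cn=replica2,ou=replicators,dc=example,dc=com, the hostname ldap1.example.com and the rid value are all assumptions.

```conf
############################################################
# Provider side (slapd.conf on the existing LDAP server)
# Constructed example; adjust suffix, DNs and paths to your site.
############################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# syncrepl consumers search on these operational attributes; index them
index   objectClass     eq
index   entryCSN        eq
index   entryUUID       eq

# syncprov makes this database a replication provider
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Group-based ACL (best-practice point 1 in the reply): any member of the
# replicators group may read every entry and attribute, including the
# operational attributes syncrepl needs. "break" hands all other
# identities on to the normal ACLs that follow this clause.
access to *
        by group="cn=replicators,ou=groups,dc=example,dc=com" read
        by * break

# ... the site's usual ACLs for users/applications go here ...

# Group-based limits (best-practice point 2): the default size/time
# limits would truncate the consumer's initial refresh, so lift them
# for the group only, not for anonymous or ordinary users.
limits group="cn=replicators,ou=groups,dc=example,dc=com"
        size=unlimited time=unlimited

############################################################
# Consumer side (slapd.conf on the new CentOS 5.2 server)
############################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

index   objectClass     eq
index   entryCSN        eq
index   entryUUID       eq

# Pull the whole suffix from the provider and keep a persistent
# connection so later changes arrive immediately.
syncrepl rid=001
        provider=ldap://ldap1.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=replica2,ou=replicators,dc=example,dc=com"
        credentials=REPLACE_WITH_CONSUMER_PASSWORD

# Writes sent to the consumer are referred back to the provider
updateref       ldap://ldap1.example.com
```

With the provider configured this way, bringing up an additional consumer needs no provider restart: add an entry for the new consumer identity (for example an organizationalRole/simpleSecurityObject with a userPassword) with ldapadd, use ldapmodify to add that DN as a `member` of the replicators group, and start slapd on the consumer with the stanza above. Because the consumer binds with a password over the network, run the provider with TLS (an ldaps:// URI or the TLS options of your slapd version) so the replication credentials and the replicated directory contents are not sent in clear text, and keep the replicators group restricted to replication identities only, since membership grants an unlimited read of the whole directory.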