Re: Setting up "slave" OpenLDAP server
On Tuesday 08 July 2008 19:58:24 John Oliver wrote:
> I know nothing about LDAP / OpenLDAP. With that out of the way...
> I have a CentOS 5 machine running openldap-2.3.27-8. I just built a
> CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3. My goal is to have
> the LDAP on the first machine synch with, and stay synched to, the LDAP
> on the second machine, so if the first machine dies I can bring up an
> interface with its IP on the second and get authentication working
Well, you should rather configure any LDAP clients to fail over to the second
LDAP server, so no intervention is required.
> I've Googled "LDAP replication" and "LDAP synchronization".
Why did you not consult the documentation for the software you are using?
BTW, there are probably some best practice issues that aren't covered there.
If you have configured your provider well, it is actually quite trivial to
add a new consumer without requiring any configuration changes on the
provider. The issues to take into account are:
- Ensuring the identity used by a new consumer has access to all the content
that you wish it to replicate (suggestion: add a group-based ACL allowing
read access to all entries)
- Ensuring the identity used by a new consumer has unlimited (size/time) access
to all the content that you wish to replicate (suggestion: add group-based
Then, adding a new consumer is reduced to adding an identity for the consumer
to use for replication, adding it to the appropriate group, and starting
slapd with a suitable configuration on the consumer.
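An added example, not from this thread, of what the two suggestions above look like in slapd.conf for OpenLDAP 2.3 (the hostnames ldap1/ldap2, the suffix dc=example,dc=com, and the group and identity DNs are assumed):

```conf
# --- Provider (first machine): slapd.conf fragment ---
# moduleload syncprov.la   # only if slapd was built with dynamic modules
database bdb
suffix   "dc=example,dc=com"
# ... rootdn, directory, indexes as already configured ...

# Group-based read ACL, placed BEFORE every other access directive of this
# database. "by * break" hands everyone else on to the existing rules, so
# nothing is opened up beyond the replicators group.
access to *
    by group.exact="cn=replicators,ou=groups,dc=example,dc=com" read
    by * break

# No size/time limits for group members, so a full refresh is never cut short.
limits group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=com"
    size=unlimited time=unlimited

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# --- Group and one consumer identity, loaded on the provider (LDIF) ---
# dn: cn=replicators,ou=groups,dc=example,dc=com
# objectClass: groupOfNames
# cn: replicators
# member: cn=ldap2,ou=replicators,dc=example,dc=com
#
# dn: cn=ldap2,ou=replicators,dc=example,dc=com
# objectClass: organizationalRole
# objectClass: simpleSecurityObject
# cn: ldap2
# userPassword: {SSHA}PLACEHOLDER_FROM_SLAPPASSWD

# --- Consumer (second machine): slapd.conf fragment ---
database bdb
suffix   "dc=example,dc=com"
# ... rootdn, directory, indexes as on the provider ...
syncrepl rid=001
    provider=ldap://ldap1.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    scope=sub
    bindmethod=simple
    binddn="cn=ldap2,ou=replicators,dc=example,dc=com"
    credentials=CONSUMER_PASSWORD_PLACEHOLDER
# Refer write attempts back to the provider instead of accepting them locally.
updateref ldap://ldap1.example.com
```

Adding a further consumer then means one more identity entry, one more `member` value in the group, and a consumer slapd.conf with a different `rid`; the provider configuration is untouched.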