
Re: RES: Updating password in slave ldap server

On Monday 11 August 2008 13:52:49 Gustavo Mendes de Carvalho wrote:
> Hi Buchan,
> >> Now I am planning to put another LDAP slave in other geographical
> >> place (far from this 2 servers) and because of that I am planning to
> >> put some slave server receiving all updates from master server, but in
> >> all ldap client machines in this new location I would like to
> >> configure this new slave server (Slave server 2) as URI host in
> >> ldap.conf files. I mean Location 1: Master server 1 and slave server 1
> >> Location 2: Slave server 2
> >
> > If you configure the updateref correctly on the slave, then the client
> > will get a referral when it tries to make a change. If the client chases
> > referrals (samba and pam_ldap do), then they will re-try their change
> > against the master on their own.
> I already use updateref, but only in the same physical place (I mean, for the
> slave ldap server). I am concerned about the links among them, because when I
> configure updateref in slave server 2 (location 2) I want to avoid problems
> when a user is changing a password or something else and slave server 2
> can't contact master server 1 in location 1.

No, with a conventional master-slave setup, the slave will not contact the
master; the *client* that originally connected to the slave should reconnect
to the master and try the change there.

If you have the master listed as the fallback on the clients, then if the slave
is unavailable the client should fall back to the master in any case. Adding
slapo-chain here would not provide any benefit (unless you can't allow the
clients to connect to the master).

If you want HA writes, and you are sure you have everything in place to avoid
conflicting changes, you could use the multi-master replication support in
2.4, but honestly, in your architecture (with the clients in site 2 listing
only one server in their configuration), IMHO your bigger problem is going to
be what happens when site 2 has no working LDAP server (e.g. during reboot of
the slave for a kernel update etc.), and the added complexity of multi-master
is not worth it ...

IMHO, too many people are rushing after slapo-chain and multi-master instead 
of just getting the basics right.
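As an added illustration of the setup the reply recommends (this is not configuration posted in the thread, and the hostnames master1.example.com / slave2.example.com and the suffix dc=example,dc=com are assumed), the slave's slapd.conf carries an updateref pointing at the master, and the site 2 clients list the slave first with the master as fallback in their ldap.conf, with referral chasing enabled:

```conf
# --- slave server 2 (site 2): /etc/openldap/slapd.conf (assumed paths/names) ---
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# Replication from master server 1 (syncrepl or slurpd) configured as usual.
# Because this database is read-only, any write a client sends here is
# answered with a referral to the URL below; the slave itself never contacts
# the master on the client's behalf.
updateref       ldap://master1.example.com

# --- site 2 clients: /etc/openldap/ldap.conf (libldap; assumed path) ---
# Preferred server first; if slave2 is unreachable the library falls back to
# the next URI in the list, so a rebooting slave does not leave the client
# without a directory server.
URI             ldap://slave2.example.com ldap://master1.example.com
BASE            dc=example,dc=com
# Chase the referral returned by the slave so that password changes and other
# writes are retried against the master by the client itself.
REFERRALS       on
```

The weak form of this is a client ldap.conf with only `URI ldap://slave2.example.com`: writes still work while slave2 is up (via the referral), but as soon as slave2 is down the client has no server at all, which is the failure the reply says matters more than multi-master. Note that pam_ldap and nss_ldap read their own configuration file in addition to libldap's ldap.conf, so the server list has to be set there as well.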