[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cn=config config problem

On Tue, Jan 26, 2010 at 07:23:51PM -0800, Howard Chu wrote:
> Alex Samad wrote:
> > Hi
> > 
> > I have setup a multimaster setup and some slave nodes, using cn=config.
> > 
> > I am looking at trying to create a user in the cn=config space
> The config database does not support user entries, it only handles config entries.
Okay, maybe you can suggest a best practice approach for my setup.

I have 2 master nodes setup in multiple master 

and a few (3-4) slave nodes.

In it previous incarnation I used slapd.conf + tls to authorise access,
I mapped x509 dns to a replica dn, so the base was dc=samad,dc=com,dc=au
and the replica dn was cn=replia,ou=roles,dc=samad,dc=com,dc=au

now I want to do the same thing, map x509 certs to roles and give the
roles access to certain parts of  cn=config and dc=samad,dc=com,dc=au.

I can understand putting roles in the dc=samad,dc=com,dc=au for
dc=samad,dc=com,dc=au, but I don't really see putting roles in
dc=samad,dc=com,dc=au to manage/access cn=config and I would rather not
be always using the cn=config rootdn/rootpw 

should I create a cn=manager db and use that ?

My other question on this setup is replicating dc=samad,dc=com,dc=au,
means replicating olcDatabase={2}hdb,cn=config and below, which means I
also replicate the olcsyncRepl.  Should I either block this on the
masters and create it on the consumers or somehow when i create the
initial consumer tell it not to replicate this attribute.

My issue right now is that it has rootdn/rootpw.  and I am looking at
moving to tls/certs - re the above question


Attachment: signature.asc
Description: Digital signature