[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Denying access to syncrepl consumere during initial DIT content load

To: Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
Subject: Re: Denying access to syncrepl consumere during initial DIT content load
From: Howard Chu <hyc@symas.com>
Date: Mon, 24 Mar 2014 08:10:27 -0700
In-reply-to: <533040FE.4060502@stroeder.com>
References: <alpine.BSF.2.00.1403240952400.1298@pohjola.cksoft.de> <53302B1A.6010909@symas.com> <53303B92.6060208@stroeder.com> <53303E7E.60002@symas.com> <533040FE.4060502@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1

Michael Ströder wrote:

Howard Chu wrote:

Michael Ströder wrote:

Howard Chu wrote:

Christian Kratzer wrote:


I remember a discussion some time ago about the possibility of delaying

access to a syncrepl. consumer during the intial DIT load.

http://www.openldap.org/lists/openldap-bugs/201308/msg00043.html

Feel free to experiment with it and see whether it suits your need.


Why was this undocumented strictrefresh option limited to delta-syncrepl?


Just expedient at the time, it would take more code to cover other cases. Also
it wasn't clear to me that this was actually a good approach, thus the need
for other developers to test it and give feedback.


Hmm, it's some work and risk to change a serious setup to delta-syncrepl.

The biggest problem with this approach is that it has global impact - turning
off slapd's listeners. On a slapd with multiple independent databases, this
would be a bad idea.


IMO that's not really an issue because
1. you likely have many replicas serving the same set of databases to clients and
2. it's very likely that you're initializing all DBs at once because if
deploying a new server, recovering after file system corruption etc.

An obvious counter-example: a server with multiple databases, consuming fromdistinct providers. If the connection to one of those providers is lost andreconnected, the current code would disable slapd globally but only one of themultiple DBs needs to be blocked.

Anyway having an slapd-internal mechanism is way better than external
work-arounds with monitoring contextCSN and using iptables etc.

Sure. But again, it requires more thinking, there are plenty of undesirableside-effects to any approach you can mention.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Michael Ströder <michael@stroeder.com>

References:
- Denying access to syncrepl consumere during initial DIT content load
  - From: Christian Kratzer <ck-lists@cksoft.de>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Howard Chu <hyc@symas.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Michael Ströder <michael@stroeder.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Howard Chu <hyc@symas.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Denying access to syncrepl consumere during initial DIT content load
Next by Date: Re: Denying access to syncrepl consumere during initial DIT content load
Index(es):
- Chronological
- Thread