[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: replica of schema info

To: openldap-technical@openldap.org
Subject: Re: replica of schema info
From: Mike Jackson <mj@netauth.com>
Date: Thu, 15 May 2014 13:27:37 +0300
Content-disposition: inline
In-reply-to: <53748A1C.5080101@unimore.it>
References: <53748A1C.5080101@unimore.it>
User-agent: Internet Messaging Program (IMP) H5 (6.1.7)


Quoting Francesco Malvezzi <francesco.malvezzi@unimore.it>:

good morning,

I would like to be able to replicate the schema info only from cn=config.

I tried to add the olcSyncrepl to cn=schema

dn: cn=schema,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: ....

but doesn't work:
<olcSyncrepl> only allowed within database declaration

The correct way to enable replication after cn=config already existsis with ldapmodify:


dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl

It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with
a filter like:
olcSyncrepl: {0}rid=001 provider=... binddn=...  bindmethod=simple
 search base="cn=schema,cn=config" filter="(!(cn=core))"

but then the whole olcDatabase={0}config,cn=config becomes a shadow
context and I'm unable to ldapmodify anything (olcLoglevel for example).

What am I missing?

You need to set up all rids in your modify operation, each listingprovider with their own URI. Optionally, you could even have differentcredentials pointing in different directions - nothing prevents this.For n-way replication, you need to perform the same modification to nsides. Otherwise your replicas will be read-only as you have seen.This is the same for any database, not just n0. Go back and enable CRLchecking after you are sure that it works, if using TLS.

Example, change the macros to suit your setup and apply this same ldifto each of your replicas:


dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncrepl: rid=001
  provider=%%LDAP_URI_1%%
  bindmethod=simple
  timeout=0
  network-timeout=0
  binddn="%%CONFIG_ROOT_DN%%"
  credentials="%%CONFIG_ROOT_PW%%"
  keepalive=0:0:0
  starttls=critical
  tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
  tls_key="%%LDAP_SERVER%%/ssl/key.pem"
  tls_cacert="%%CA_CHAIN_SERVERS%%"
  tls_reqcert=demand
  tls_crlcheck=none
  filter="(objectclass=*)"
  searchbase="cn=config"
  scope=sub
  attrs="*,+"
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
olcSyncrepl: rid=002
  provider=%%LDAP_URI_2%%
  bindmethod=simple
  timeout=0
  network-timeout=0
  binddn="%%CONFIG_ROOT_DN%%"
  credentials="%%CONFIG_ROOT_PW%%"
  keepalive=0:0:0
  starttls=critical
  tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
  tls_key="%%LDAP_SERVER%%/ssl/key.pem"
  tls_cacert="%%CA_CHAIN_SERVERS%%"
  tls_reqcert=demand
  tls_crlcheck=none
  filter="(objectclass=*)"
  searchbase="cn=config"
  scope=sub
  attrs="*,+"
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE


-mike

Follow-Ups:
- Re: replica of schema info
  - From: Francesco Malvezzi <francesco.malvezzi@unimore.it>

References:
- replica of schema info
  - From: Francesco Malvezzi <francesco.malvezzi@unimore.it>

Prev by Date: replica of schema info
Next by Date: Re: replica of schema info
Index(es):
- Chronological
- Thread