Re: replica of schema info
> The correct way to enable replication after cn=config already exists is
> with ldapmodify:
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
>
>
>> It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with
>> a filter like:
>> olcSyncrepl: {0}rid=001 provider=... binddn=... bindmethod=simple
>> search base="cn=schema,cn=config" filter="(!(cn=core))"
>>
>> but then the whole olcDatabase={0}config,cn=config becomes a shadow
>> context and I'm unable to ldapmodify anything (olcLoglevel for example).
>>
>> What am I missing?
>
> You need to set up all rids in your modify operation, each listing
> provider with their own URI. Optionally, you could even have different
> credentials pointing in different directions - nothing prevents this.
> For n-way replication, you need to perform the same modification to n
> sides. Otherwise your replicas will be read-only as you have seen. This
> is the same for any database, not just n0. Go back and enable CRL
> checking after you are sure that it works, if using TLS.
>
> Example, change the macros to suit your setup and apply this same ldif
> to each of your replicas:
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncrepl: rid=001
>  provider=%%LDAP_URI_1%%
>  bindmethod=simple
>  timeout=0
>  network-timeout=0
>  binddn="%%CONFIG_ROOT_DN%%"
>  credentials="%%CONFIG_ROOT_PW%%"
>  keepalive=0:0:0
>  starttls=critical
>  tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
>  tls_key="%%LDAP_SERVER%%/ssl/key.pem"
>  tls_cacert="%%CA_CHAIN_SERVERS%%"
>  tls_reqcert=demand
>  tls_crlcheck=none
>  filter="(objectclass=*)"
>  searchbase="cn=config"
>  scope=sub
>  attrs="*,+"
>  schemachecking=off
>  type=refreshAndPersist
>  retry="60 +"
> olcSyncrepl: rid=002
>  provider=%%LDAP_URI_2%%
>  bindmethod=simple
>  timeout=0
>  network-timeout=0
>  binddn="%%CONFIG_ROOT_DN%%"
>  credentials="%%CONFIG_ROOT_PW%%"
>  keepalive=0:0:0
>  starttls=critical
>  tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
>  tls_key="%%LDAP_SERVER%%/ssl/key.pem"
>  tls_cacert="%%CA_CHAIN_SERVERS%%"
>  tls_reqcert=demand
>  tls_crlcheck=none
>  filter="(objectclass=*)"
>  searchbase="cn=config"
>  scope=sub
>  attrs="*,+"
>  schemachecking=off
>  type=refreshAndPersist
>  retry="60 +"
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
Thank you for answering so quickly.
If I understand correctly, this is an n-way multi-master layout for the
whole cn=config.
Does it mean that if I ldapmodify the olcLogLevel on a replica, it will be
modified on all other peers as well?
So it's not what I was looking for.
I was looking for a way to replicate (master -> slave) a sub-portion of
the cn=config, namely the cn=schema,cn=config.
BTW, olcMirrorMode turns out to be very powerful. In a master-slave
setup, it allows me to ldapmodify the slave without incurring the "err=53
text=shadow context; no update referral".
Am I allowed to insert an olcMirrorMode in a slave while using a master-slave
setup? Or am I just exploiting a grey-zone configuration? I am
scared to mark a slave server as 'mirror'. It looks wrong.
If instead it is correct, my problem is solved.
Thank you,
Francesco