Re: Adding read-only consumers to a Mirror Mode Replication setup?
- To: openldap-technical@openldap.org
- Subject: Re: Adding read-only consumers to a Mirror Mode Replication setup?
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 24 Oct 2018 09:25:44 +0200
- Autocrypt: addr=michael@stroeder.com; prefer-encrypt=mutual
- In-reply-to: <20181023184406.GB8758@bic.mni.mcgill.ca>
- Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
- References: <20181017205209.GE441@bic.mni.mcgill.ca> <7B80FD3752A55025EC8F3373@[192.168.1.39]> <455cc73a-fbf4-7e4d-22df-f1a3f9c50a1e@stroeder.com> <14968333DB238BE93FF00C4C@[192.168.1.39]> <20181023184406.GB8758@bic.mni.mcgill.ca>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
On 10/23/18 8:44 PM, Jean-Francois Malouin wrote:
> Right now I have 2 Debian Stretch 9.5 servers running 2.4.46 from the stretch
> backports. Servers are in a MMR setup, using syncrepl for replication (NOT
> delta-syncrepl), with a LMDB backend.
>
> The intent is to use the directory as a users authentication repository for a
> 100+ workstations-- with what I said above, would such a setup be considered safe?
> Am I asking for trouble down the road with version 2.4.46?
It should work.
> Finally, should I rather consider the LTB project for Debian OpenLDAP as has been
> mentioned in some other threads rather than using the Debian backports? I'm a
> bit reluctant to roll my own packaging from source.
The recommendation for LTB builds has two reasons:

1. At some times Debian packages were far behind OpenLDAP's releases
   while LTB package updates are most times published a couple of days
   after an OpenLDAP release.
2. Debian, and only Debian, links OpenLDAP with GNUTLS because they have
   some old licensing paranoia regarding OpenSSL. This caused trouble in
   the past. Forgot the details, not sure about the current state.

Bear in mind on Debian: The GNUTLS wrapper in OpenLDAP does not return
TLS related error messages as diagnostic message to the client. So if
cert validation fails at the client side the only message you see is
"Server Down". People then look for connection problems and do not get
the idea to look after cert config error. The OpenSSL wrapper returns a
text message from the OpenSSL libs as diagnostic message.
> Sorry for the very naive questions, I'm still fairly new to OpenLDAP!
Your questions are not naive. You're welcome asking here.
Ciao, Michael.
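
When a GnuTLS-linked client reports only "Server Down", a check made outside libldap can show whether the TCP connection or the certificate validation is what fails. The following is an added example, not part of the original message: it assumes an LDAPS listener (TLS from the first byte, port 636 by default) rather than StartTLS, and the function name `triage_ldaps`, its return labels and the CA file argument are hypothetical.

```python
import socket
import ssl
import sys


def triage_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail) naming the layer that fails for an LDAPS endpoint.

    stage is one of "tcp", "cert", "tls" or "ok" (labels chosen for this example).
    """
    # Stage 1: plain TCP reachability. A failure here is a real connection problem.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"cannot connect: {exc}")

    # Stage 2: TLS handshake with chain and hostname verification, the check
    # whose failure the client collapses into "Server Down".
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{tls.version()} handshake verified")
    except ssl.SSLCertVerificationError as exc:
        # verify_message carries the reason, e.g. an unknown issuer or name mismatch.
        return ("cert", f"{exc.verify_message} (code {exc.verify_code})")
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"handshake failed: {exc}")
    finally:
        sock.close()  # harmless if wrap_socket already took over the descriptor


if __name__ == "__main__":
    # Usage: script.py HOST [PORT] [CAFILE]; all three are supplied by the operator.
    if len(sys.argv) < 2:
        sys.exit("usage: triage_ldaps.py HOST [PORT] [CAFILE]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    stage, detail = triage_ldaps(sys.argv[1], port, cafile)
    print(f"{stage}: {detail}")
    sys.exit(0 if stage == "ok" else 1)
```

A `cert` result points at the CA file or the names in the server certificate, not at the network path.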