
Re: replica uri support (is this a current stable feature?)



So apparently this does work in 2.2.5, which I believe is in "testing", as opposed to 2.1.25 which is "stable", is that correct?

At what point did replica uri support first emerge in stable releases?  I've seen posts indicating 2.1.23, and all the man pages for slapd.conf post 2.1.23 list it as a functionality, however I've yet to get anything (compiled 2.1.22->2.2.5), with the exception of 2.2.5, to not barf on replica URIs.

All I'm asking for here is a straight simple answer so I can figure out how best to deploy remote nodes that MUST have data replicated to them in a secure manner.  I would use tls on 389 but I've yet to find anything that would prohibit cleartext transmission as well.  And I'd much rather just have everything done through ldaps on 636.

Thanks,

 -- Cy

On Tue, 27 Jan 2004, Cybr0t McWhulf wrote:

> Post for the original patch which was merged into cvs:
> http://www.openldap.org/lists/openldap-software/200306/msg00302.html
>
>
> From the OpenLDAP Administrator's Guide:
> http://www.openldap.org/doc/admin22/replication.html
>  -----------------------------------------------------------------------------
>
> 13.4.5. Configure the master slapd for replication
>
> To configure slapd to generate a replication logfile, you add a " replica" configuration option to the master slapd's config file. For example, if we wish to propagate changes to the slapd instance running on host slave.example.com:
>
>         replica uri=ldap://slave.example.com:389
>                 binddn="cn=Replicator,dc=example,dc=com"
>                 bindmethod=simple credentials=secret
>
> In this example, changes will be sent to port 389 (the standard LDAP port) on host slave.example.com. The slurpd process will bind to the slave slapd as "cn=Replicator,dc=example,dc=com" using simple authentication with password "secret".
>
> If we wish to perform the same replication using ldaps on port 636:
>
>         replica uri=ldaps://slave.example.com:636
>                 binddn="cn=Replicator,dc=example,dc=com"
>                 bindmethod=simple credentials=secret
>
> The host option is deprecated in favor of uri, but the following replica configuration is still supported:
>
>  -----------------------------------------------------------------------------
>
>
>
> Another mailing list post regarding Slurpd over SSL:
> http://www.openldap.org/lists/openldap-software/200311/msg00442.html
>  -----------------------------------------------------------------------------
> Port 636 is the default LDAPS (LDAP over SSL) port. As already noted, you
> cannot use the LDAP StartTLS request over SSL. If you want slurpd to use SSL,
> you must not specify TLS in the replica configuration.
>
> If you're using OpenLDAP 2.1.23 you can use a URI in the replica
> configuration, and specify ldaps there. e.g., instead of
> 	replica host=foo.bar.domain:636
> use
> 	replica uri=ldaps://foo.bar.domain
>
>  -----------------------------------------------------------------------------
>
>
>
> And last but not least, the slapd.conf manpage:
>  -----------------------------------------------------------------------------
>
>        replica uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
>               [tls=yes|critical] [suffix=<suffix> [...]]
>               bindmethod=simple|sasl [binddn=<simple DN>]
>               [credentials=<simple password>] [saslmech=<SASL mech>]
>               [secprops=<properties>] [realm=<realm>]
>               [authcId=<authentication ID>] [authzId=<authorization ID>]
>               [attr[!]=<attr list>]
>
>  -----------------------------------------------------------------------------
>
> So.. That being said, anyone else have any input on this?
>
>
> > Date: Tue, 27 Jan 2004 12:22:06 +0100
> > From: "Bjørn Ove Grøtan" <bjorn.grotan@itea.ntnu.no>
> > Reply-To: openldap-software@OpenLDAP.or
> > To: Cybr0t McWhulf <cybre@killcybre.org>
> > Cc: openldap-software@OpenLDAP.org
> > Subject: Re: replica uri support
> >
> > Cybr0t McWhulf:
> > >
> > > Here's what I've tried:
> > >  ----
> > > replica uri=ldaps://<insert host here>
> > > 	suffix="dc=your,dc=domain"
> > > 	bindmethod=simple
> > > 	binddn="cn=Master,dc=your,dc=domain"
> > > 	credentials=<credentials>
> > >  ----
> >
> >
> > > Am I horribly misinformed here?  Is my syntax goofy?
> >
> > replica
> >     host=<your-host-replica-1>
> >     suffix="dc=your,dc=domain"
> >     bindmethod=simple
> >     binddn="cn=Master,dc=your,dc=domain"
> >     credentials=<credentials>
> >     tls=critical
> >
> > slurpd does not support replication with ldaps, only ldap+tls as far as
> > I know.
> >
> > An example slapd.conf for replication can be found here (as reference to
> > in the FAQomatic):
> > http://www.openldap.org/lists/openldap-software/199907/msg00204.html
> >
> > --
> > Regards
> >
> > Bjørn Ove Grøtan
> >
>
>
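The thread's core question is whether a given `replica` stanza actually protects the replication credentials and updates on the wire: `host=` or a bare `ldap://` URI is cleartext, `tls=critical` enforces StartTLS, and `ldaps://` is SSL from the start and must not also carry `tls=`. The following is an added example (not code from the thread or from OpenLDAP) that parses slapd.conf continuation lines and classifies each replica target accordingly; the sample config is constructed, and the reading of `tls=yes` as optional StartTLS that may continue in cleartext is an assumption about slurpd's behaviour.

```python
import shlex

# Constructed sample slapd.conf fragment covering the four replica forms
# discussed in the thread: deprecated host=, ldap:// with optional TLS,
# ldap:// with tls=critical, and ldaps:// that wrongly also sets tls=.
SAMPLE_CONF = """\
replica host=slave1.example.com:389
        binddn="cn=Replicator,dc=example,dc=com"
        bindmethod=simple credentials=secret
replica uri=ldap://slave2.example.com:389 tls=yes
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica uri=ldap://slave3.example.com tls=critical
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica uri=ldaps://slave4.example.com:636 tls=critical
        binddn="cn=Replicator,dc=example,dc=com" bindmethod=simple credentials=secret
"""

def replica_stanzas(conf):
    """Yield each 'replica' directive as a dict of key=value options,
    joining slapd.conf continuation lines (lines starting with whitespace)."""
    logical = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for entry in logical:
        tokens = shlex.split(entry)          # honours binddn="..." quoting
        if tokens and tokens[0] == "replica":
            yield dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def transport_risk(stanza):
    """Classify how the replica bind credentials and updates travel."""
    uri = stanza.get("uri", "")
    tls = stanza.get("tls")
    if uri.lower().startswith("ldaps://"):
        # ldaps is SSL from the first byte; StartTLS on top of it is invalid
        return "conflict: tls= set on ldaps uri" if tls else "encrypted (ldaps)"
    if tls == "critical":
        return "encrypted (StartTLS required)"
    if tls == "yes":
        return "weak: StartTLS optional, may fall back to cleartext"
    return "cleartext: credentials and updates unprotected"

def audit(conf):
    """Return (target, risk) pairs for every replica stanza in conf."""
    return [(s.get("uri") or s.get("host"), transport_risk(s))
            for s in replica_stanzas(conf)]

if __name__ == "__main__":
    for target, risk in audit(SAMPLE_CONF):
        print(f"{target:35} {risk}")
```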