
Access Rules and Replication



Hi List,

I've just joined the list as I'm starting work on a new project to move 
our OpenLDAP servers over to cn=config from the old slapd.conf 
configuration.

I've been working with our LDAP servers for about twelve months since I 
started this job, and have used OpenLDAP and other LDAP servers for five 
years before that.

For the moment we're not looking to change the way clients use LDAP, but 
are looking to bring the config up to the new format, and take advantage 
of "no downtime" configuration changes.

At present our production environment uses a single LDAP Master, which 
is used by the IAM system and system and network admins to maintain the 
various entries, while clients are set to read from ldap.une.edu.au, an 
RR DNS entry to the LDAP consumers.  Beyond discussions of moving to an 
F5 Load Balancer, rather than RR DNS, we're not aiming to change that setup.

I've read examples of replicating not only the directory, but also the 
cn=schema,cn=config DIT, which seems useful.  Can anyone advise if there 
are any pitfalls in this approach, or any reason not to investigate it?

I can see that the Access Controls are moved into olcAccess entries 
either in the cn=config or database parts of the tree.  If we can 
replicate the schema to the consumers, can we replicate our ACLs as 
well?  Has anyone done this, are there examples?  I've been searching 
around for a while and haven't found any.

I'm also interested in hearing about any other issues people have 
encountered moving to the cn=config setup, gotchas or anything else 
people might consider useful for me to know.

Thanks all

Andrew

-- 
Andrew Devenish-Meares
Solutions Analyst
Information Technology
University of New England
Armidale   NSW   2351

e:  adevenis@une.edu.au
p:  02 6773 4098
w: http://une.edu.au/itd
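The two things the post asks about, ACLs as olcAccess values and cn=config
replicated with syncrepl, as an added LDIF example.  This is not from the
poster or from the OpenLDAP project; the hostnames (ldap-master.example.com),
the suffix dc=example,dc=com, the IAM bind DN, the mdb backend index {1}, the
module path and the REPLACE-ME placeholders are all assumptions for
illustration.  The ACLs are the kind of minimal set a slapd.conf usually
carries; the {n} prefix is what makes their order survive in cn=config.

```ldif
# --- 1. ACLs in cn=config -------------------------------------------------
# slapd.conf "access to ..." lines become ordered olcAccess values on the
# database entry.  The {n} prefix fixes evaluation order; without it a
# replace can reorder the rules, and ACLs are first-match.  Assumed names.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=iam,ou=services,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=example,dc=com"
  by dn.exact="cn=iam,ou=services,dc=example,dc=com" write
  by * read

# --- 2. Provider: make cn=config itself a syncrepl provider ---------------
# Load syncprov if slapd was built with it as a module (path is
# distribution-specific; assumed here).
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/openldap
olcModuleLoad: syncprov.la

# The consumer binds as the config database rootdn, so it needs a password.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}REPLACE-ME-WITH-slappasswd-OUTPUT

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# --- 3. Consumer: pull cn=config from the provider ------------------------
# starttls=critical refuses to replicate in the clear: the config tree
# carries olcRootPW and the syncrepl credentials themselves.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap-master.example.com
  binddn="cn=config" bindmethod=simple credentials=REPLACE-ME
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1 starttls=critical
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap-master.example.com
```

Each part is applied with `ldapmodify -Y EXTERNAL -H ldapi:///` (or an
`ldapadd` bind as cn=config) on the host it is meant for; the olcAccess part
is the one that answers the question, since ACLs live in the replicated
tree once they are olcAccess values.  Two caveats before replicating
cn=config in a single-master topology.  First, syncrepl copies whole
entries, so the consumer's olcDatabase={1}mdb entry becomes a copy of the
provider's, which carries the syncprov overlay and no olcSyncrepl for the
directory data; the published OpenLDAP examples for replicating cn=config
therefore use an identical configuration on every node (multi-master with
olcServerID and olcMirrorMode) rather than a provider plus read-only
consumers.  Second, anything that reads cn=config on the provider can read
olcRootPW hashes and the plaintext syncrepl credentials, so the config
database's own ACL and the transport (TLS, as above) deserve the same care
as the directory data.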