Re: OpenLdap 1.2 replica setup
At 17:28 +0100 24 February 1999, Dirk Vleugels <Dirk.Vleugels> wrote:
> Hello,
>
> I'm a bit puzzled how to set up a replica LDAP server. I'm using
> "The SLAPD & SLURPD Admin Guide for Release 3.3" Paper as advice.
>
> I added the following statements to the master slapd.conf:
>
> replica host="host.domain.com:389"
> binddn="uid=REPLIC,ou=Roles,dc=de,dc=uu.net"
> bindmethod=simple credentials={crypt}XXXXXXXX
>
> replogfile /users/confdb/run/slapd/replog
>
> The slave slapd.conf is the same as the master conf file (except
> replica and replog statements). Do I have to maintain local ACLs in
> the slave slapd.conf? I do right now.
> The only other statements are:
>
> updatedn "uid=REPLIC,ou=Roles,dc=de,dc=uu.net"
> referral master://confdb01.de.uu.net
>
> I tried it with & without referral option, but how would the slave
> contact the master otherwise to propagate local modifies?
>
> The above updatedn is a posixAccount entry with a {crypt} userpassword
> (I assumed this is used as the replica bind credential). I gave the DN
> full write access to the slave DB:
>
> access to * by dn="cn=REPLIC,ou=Roles,dc=de,dc=uu.net" write

If that's not just a typo in your message, it could be your problem. You
specified "uid=REPLIC" above, not "cn=REPLIC".

This comes hard on the heels of my own attempt at getting replication
set up. I got the replication itself working fine, but it looks like ud
-- at least -- doesn't seem to follow through properly on the referral
from the slave server. When I try to modify an object, I see the slave
return the referral, and I see the subsequent connection to the master
server, but it fails with "insufficient access". It works fine if I
connect directly to the master, of course.

Some cursory looks at the man pages and the ud code turned up a glaring
lack of ldap_set_rebind_proc. In fact, none of the packaged client tools
seem to use it; the only mention I find in any sort of client is in
libraries/libldap/test.c. Am I on the right track? Does anyone have
clients dealing properly with a replicated setup?

I suppose I should mention that I'm using Kerberos binds throughout. If
anyone's got it going with simple authentication, please let me know and
I'll bark up that tree.

--
John Hensley <hensley@merit.edu>
Merit Network, Inc.
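
The uid=/cn= mismatch pointed out in the reply can be caught mechanically. The following is an added example, not part of the original message or of OpenLDAP: a small Python check that the master's `binddn`, the slave's `updatedn` and the slave's write ACL all name the same DN. The sample configs are constructed from the fragments quoted above (continuation indentation added), the function names are hypothetical, and treating the `by dn=` value as a pattern is an assumption about the 1.x ACL syntax.

```python
import re

# Constructed configs mirroring the fragments quoted in the message above.
MASTER_CONF = """\
replica host="host.domain.com:389"
    binddn="uid=REPLIC,ou=Roles,dc=de,dc=uu.net"
    bindmethod=simple credentials={crypt}XXXXXXXX
replogfile /users/confdb/run/slapd/replog
"""
SLAVE_CONF = """\
updatedn "uid=REPLIC,ou=Roles,dc=de,dc=uu.net"
access to * by dn="cn=REPLIC,ou=Roles,dc=de,dc=uu.net" write
"""
VALUE = r'(?:"([^"]+)"|(\S+))'  # a quoted or a bare value

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def norm_dn(dn):
    """Lower-case and trim each RDN (simplification: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def values(pattern, conf):
    """All normalized DN values that `pattern` captures in a config."""
    return [norm_dn(quoted or bare)
            for line in logical_lines(conf)
            for quoted, bare in re.findall(pattern, line, re.I)]

def check_replication(master, slave):
    """Return findings where the replication DN is inconsistent."""
    binddns = values(r"\bbinddn=" + VALUE, master)
    updatedns = values(r"^updatedn\s+" + VALUE, slave)
    writers = values(r"\bby\s+dn=" + VALUE + r"\s+write\b", slave)
    findings = [] if updatedns else ["slave has no updatedn"]
    for u in updatedns:
        findings += [f"binddn {b} != updatedn {u}" for b in binddns if b != u]
        if not any(re.search(w, u) for w in writers):  # assumption: dn= is a pattern
            findings.append(f"no write ACL matches updatedn {u}")
    return findings
```

On the configuration as posted, `check_replication(MASTER_CONF, SLAVE_CONF)` reports that no write ACL matches the `updatedn`; changing `cn=REPLIC` to `uid=REPLIC` in the ACL clears the finding.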