slave ldap server and replication question
Warning: LDAP newbie alert. Two questions.
Setup: openldap 1.2.9 on Digital Unix 4.0f & RH Linux 6.0, master slapd
and two slave slapds (all three on decunix), to be used, amongst other
things, for user authentication & automount maps, to replace NIS. Users on
decunix use the Compaq LDAP authentication stuff, pam_ldap/nss_ldap on
Linux.
First question: Master and slave are set up and working fine. Changes sent
directly to the master are replicated to the slaves with no problems. I
wish to point my client systems at "HOST slave1 slave2 master", so that if
slave1 is down, slave2 is used, etc. This works well.
The problem is when a user wishes to change their password, or a client
administrator wants to change anything at all. The slave server that they
contact by virtue of the /etc/ldap.conf entry knows that it is a slave and
sends a referral to the master. The openldap clients then attempt the
modification on the master, but by binding anonymously. This is not going
to work unless I apply an ACL that allows write access to anything by
anyone; the ldap clients appear not to call ldap_set_rebind_proc()
anywhere. This is clearly a no-no. Obviously I can point my administrators
at the master, but a client embedded inside a passwd command appears to
have no such option. I can't point my clients all at the master though as
they may be several hundred miles apart over a low-bandwidth link. Thus,
the use of a slave to which clients are pointed initially cannot be done
at all in this scenario, if I use openldap. Am I right? Hopefully not.
Second question: I can get replication to work using bindmethod=simple
only if I also use credentials=clear-text-password in the master's
slapd.conf file. Using credentials={crypt}encrypted-password does not work
at all, even though the database contains an encrypted {crypt}xxxxx
userpassword for the cn=replicator entry. Bug or feature?
TIA,
-steve
------------------------------------------------------------------------------
Steve Thompson, Corning, Inc., Data Center, Sullivan Park, Painted Post, NY 14870
Internet: smt@corning.com   Phone: (607) 974 2659   FAX: (607) 974 3964
"186,300 miles per second: it's not just a good idea, it's the law"
------------------------------------------------------------------------------
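As an added illustration (not the poster's own configuration), the slapd.conf pieces the setup above involves: the master's replica directives, the slaves' updatedn/updateref that produce the referral, and the wide-open ACL the poster rules out beside a restrictive one. Hostnames, the o=example suffix, the replicator DN and the password are assumed placeholders.

```conf
# --- master slapd.conf (assumed hostnames/DNs; example, not the poster's config) ---
# slurpd binds to each slave as binddn using credentials=. With
# bindmethod=simple this is the cleartext password that slurpd sends;
# the slave compares it against the {crypt} hash it stores for cn=replicator.
replica host=slave1.example.com:389
        binddn="cn=replicator,o=example"
        bindmethod=simple
        credentials=replicator-secret-placeholder
replica host=slave2.example.com:389
        binddn="cn=replicator,o=example"
        bindmethod=simple
        credentials=replicator-secret-placeholder

# --- each slave slapd.conf ---
# Writes from updatedn are applied; any other write is answered with a
# referral to updateref, which is the referral the poster's clients follow.
updatedn "cn=replicator,o=example"
updateref ldap://master.example.com

# --- ACL the post rules out: an anonymous rebind after the referral would succeed ---
# access to * by * write

# --- restrictive ACL, master and slaves alike ---
# A user may change only their own userpassword; nobody else may read it.
access to attr=userpassword
        by self write
        by dn="cn=replicator,o=example" write
        by * compare
access to *
        by self write
        by dn="cn=replicator,o=example" write
        by * read
```

With the restrictive ACL in place, a modify that reaches the master anonymously after a referral is rejected, so the referral-following client must authenticate to the master for the change to be accepted.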