[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: quick question about a slave openldap server

To: openldap-software@OpenLDAP.org
Subject: Re: quick question about a slave openldap server
From: bulk@alfredsson.org
Date: Tue, 2 Apr 2002 13:33:38 +0200
Content-disposition: inline
In-reply-to: <871ydy4jkb.fsf@papadoc.bayour.com>; from turbo@bayour.com on Tue, Apr 02, 2002 at 09:59:48AM +0200
References: <20020326140432.GB15877@conectiva.com.br> <877kny6v34.fsf@papadoc.bayour.com> <20020328131946.GA3770@conectiva.com.br> <871ydy4jkb.fsf@papadoc.bayour.com>
User-agent: Mutt/1.3.17i

On Tue, Apr 02, 2002 at 09:59:48AM +0200, Turbo Fredriksson wrote:
> >>>>> "Andreas" == Andreas Hasenack <andreas@conectiva.com.br> writes:
>     Andreas> Em Wed, Mar 27, 2002 at 01:42:07PM +0100, Turbo
>     Andreas> Fredriksson escreveu:
>     >> If you have the slave read-only, NO modification is possible,
>     >> only the replication daemon can write to it...
> 
>     Andreas> I couldn't reproduce this, I set readonly to yes and the
>     Andreas> updatedn couldn't write to it anymore... This with
>     Andreas> openldap-2.0.22.
> 
> Then the bug isn't fixed (YET!?!?)

Is it a bug? I thought the readonly option made slapd open the database
files readonly  (e.g. fopen("/var/lib/ldap/...", "r"); )

One use for this could be when making backups; i.e. restart slapd in
readonly mode, and then copy the database files or via slapcat,
which is not recommended on a readwrite installation.

Theoretically I can see the the use of having a readonly-but-updateable
replica, but would not have understood that "readonly on" did this
from the documentation.

----
5.2.3.2. readonly { on | off }

This directive puts the database into "read-only" mode. Any attempts to
modify the database will return an "unwilling to perform" error.
----

"any attempts" would include the replicadn, in my world.

>     Andreas> Could you confirm this? Setting "readonly yes" on the

maybe "readonly on" works better?

> ----- s n i p -----
> access to
> +attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAltern+ateAddress,mailHost,mailQuota,trustModel,accessTo,uidNumber,gidNumber,homeDirec+tory,homePostalAddress,mobile,labeledURI,homePhone,userPassword,ldapPassword,cl+earTextPassword
>         by dn="uid=turbo.+\+realm=BAYOUR.COM" read
>         by dn="uid=replicator.+\+realm=BAYOUR.COM" write
>         by users read
>        by * none

> access to *
>        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
>        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
>        by * read
>----- s n i p -----
>
>I should really remove the last 'by * read' and the 'by users read'
>but...

If you did that, would not the first access rule become unneccessary?
I.e. all accesses allowed/denied in rule one would be the same in rule
two... (by * none is implicit?)

Which leads to a quite straightforward ACL :)

Regards,
 Stefan

Follow-Ups:
- Re: quick question about a slave openldap server
  - From: "Pierangelo Masarati" <masarati@aero.polimi.it>
- Re: quick question about a slave openldap server
  - From: Turbo Fredriksson <turbo@bayour.com>

References:
- Re: quick question about a slave openldap server
  - From: Turbo Fredriksson <turbo@bayour.com>

Prev by Date: Quick question how to manage pam + nss !!!
Next by Date: Re: quick question about a slave openldap server
Index(es):
- Chronological
- Thread