[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Updatedn questions




Andrew Findlay wrote:
> 
> Good point - I should have included more of the slave slapd.conf in my
> reply, which would have shown that I normally make updatedn and rootdn
> the same on slaves. This policy also allows the bind password to be
> given in slapd.conf thus avoiding the need for updatedn to be listed
> in the directory.

According to ldapv3.pdf, this is a bad idea:
The updatedn is the identity used by slurpd when replicating changes to
slaves. The updatedn should be a unique dn, used by no other users or
processes.
If the updatedn is also the root dn the slave will be unable to tell the
diffrence between a replication connection and an administrative
connection. This situation allows a slave to be updated by a source
other than the master, and thus become out of sync with the rest of the
Dit causing future replication events to fail.
> 
> Here is part of slapd.conf from my example-slave config:
> 
> > database        ldbm
> > suffix          "dc=example,dc=org"
> > rootdn          "cn=SLURPD,dc=example,dc=org"
> > rootpw          {SSHA}2bpnVaAE7taF2R94VARqeflaw3uWI6dm
> >
> > # The DN used by the remote SLURPD
> > updatedn        "cn=SLURPD,dc=example,dc=org"
> > # Where to refer updates to if anyone tries to make changes here
> > updateref       ldap://localhost:3389/
> 
> Andrew
> --
> -----------------------------------------------------------------------
> |                 From Andrew Findlay, Skills 1st Ltd                 |
> | Consultant in large-scale systems, networks, and directory services |
> |        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
> -----------------------------------------------------------------------