
RE: Testing slave-master replication.

You seem to have a misconception about how slaves work with referrals.

Referrals are returned by a slave server to a particular client. It is up to
the client to "chase" the referral.

When an LDAP client attempts a modification on a slave server, the slave
server refers the client to the master. The client must rebind to the master
and perform the modification there. The point of this current discussion is
that the current OpenLDAP tools always perform referral chasing with an
anonymous rebind. This will not work if the master requires some real
authentication before it allows any modifications.

The updatedn/binddn info in slapd.conf is for use by slurpd when it
propagates changes from the master to the slave. Updates only propagate in
this direction, master to slave. The slave never accepts or processes updates
from anywhere else; all other updates are referred back to the master.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jean Jordaan

> Hi Kurt
>
> Thanks for the answer ..
>
> > The fact that tools provided by openldap do not support
> > authenticated chasing of referrals is, I believe, well
> > documented.
>
> OK, searching with the terms in your response turns up some
> good info: [1].
>
> What confuses me, though, is that I don't want to *re*use any
> credentials. In the master's slapd.conf I specify the rootpw,
> rootdn, binddn and credentials. In exactly the same way, on the
> slave, I want to specify the necessary information. No question
> of reusing or caching. I want to stipulate in a
> "-rw-------    1 root     root" file exactly how my slave should
> chase referrals.
>
> How else should I understand section 10.4.2 in the
> OpenLDAP 2.0 Administrator's Guide? It seems to intimate that
> authentication is provided, in point 4:
>
>     3. Do include an updatedn line. The DN given should match the DN
>        given in the binddn= parameter of the corresponding replica=
>        directive in the master slapd config file.
>     4. Make sure the DN given in the updatedn directive has permission
>        to write the database (e.g., it is listed as rootdn or is allowed
>        access by one or more access directives).
>     5. Use the updateref directive to define the URL the slave should
>        return if an update request is received.
>
> In my simple testing setup, I specify only one DN as rootdn (on
> master and slave), binddn and updatedn. Is there anything else I
> should do?
>
> Is there any other document or example that explains how to configure
> a slave to propagate writes to the master?
>
> Further, as I mentioned, I do not see any connection attempt from
> the slave to the master. The relevant stanza from my slave slapd.conf
> is:
>
> database        ldbm
> suffix          "dc=XXXX,dc=co,dc=za"
> rootdn          "cn=admin,dc=XXXX,dc=co,dc=za"
> rootpw          {SSHA}hzXXXXXXXXX0Ov5Z8IC7Oi6mUxtlQ+o
> directory       /var/lib/openldap-ldbm/XXXX
> defaultaccess   read
> schemacheck     on
> lastmod on
> index           cn,sn,uid,o     pres,eq,sub
> # For slave
> updatedn        "cn=admin,dc=XXXX,dc=co,dc=za"
> updateref       ldap://blommie:9998
>
> I have a proxy listening on blommie:9998, forwarding to the master
> on blommie:398, but I'm seeing no connection from slave. Should I?
>
> --
> Jean Jordaan
> http://www.upfrontsystems.co.za
>
> .. [1] For the others participating in this thread: searching for
> http://www.google.com/search?&q=site%3Awww.openldap.org+authenticated+chasing+of+referrals
> turns up 4 on-topic threads, from which I glean that openldap
> tools bind anonymously when chasing referrals for security
> reasons; for example, Kurt writes: "I believe it unwise to reuse
> credentials while automatically chasing referrals."
> http://www.openldap.org/lists/ietf-ldapext/199911/msg00027.html
> There's a longer discussion from Howard Chu in this thread:
> http://www.openldap.org/lists/openldap-devel/200205/msg00018.html
> in which he argues for sending credentials along with referrals.
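The following is an added worked example, not code from the thread or from the OpenLDAP project, that shows the client-side behaviour Howard describes: a write sent to the slave comes back as a referral to the slave's updateref, and the client must rebind to the master and repeat the write there. It shows both the anonymous rebind the OpenLDAP tools perform (which the master rejects with insufficientAccess) and a rebind with real credentials (which succeeds). Both "servers" are constructed in-memory stand-ins so the example runs offline; the `Server`, `Session` and `Referral` classes, the `dc=example,dc=com` DNs and the password are assumptions made for the example, and the `ldap://blommie:9998` URL is reused from the thread only as a label.

```python
# Added example (not from the original thread): chasing an LDAP update
# referral from a slave to the master with a real, authenticated rebind.
# The two "servers" are constructed in-memory stand-ins so this runs
# offline; their behaviour follows the thread: the slave answers every
# write with a referral to its updateref, and the master refuses writes
# from an anonymous session.
from urllib.parse import urlsplit

MAX_REFERRAL_HOPS = 5  # guard against referral loops between servers


class Referral(Exception):
    """LDAP result code 10. Carries the referral URLs in the same text form
    libldap reports them: 'Referral:\\nldap://host:port/...'."""
    def __init__(self, urls):
        super().__init__("Referral:\n" + "\n".join(urls))
        self.urls = list(urls)


class InsufficientAccess(Exception):
    """LDAP result code 50: the bound identity may not write this entry."""


class Session:
    """One connection to one server, bound as bound_dn (None = anonymous)."""
    def __init__(self, server, bound_dn):
        self.server, self.bound_dn = server, bound_dn

    def modify(self, dn, changes):
        return self.server._modify(self, dn, changes)


class Server:
    """Stand-in for slapd. A server configured with updateref is a slave
    and refers all writes; otherwise it is the master, where only the
    rootdn may write (the 'updatedn' permission the thread discusses)."""
    def __init__(self, uri, rootdn, rootpw, updateref=None):
        self.uri, self.rootdn, self.rootpw = uri, rootdn, rootpw
        self.updateref = updateref
        self.entries = {}
        self.binds = []  # DNs that bound here, so a test can see who rebound

    def bind(self, dn=None, password=None):
        self.binds.append(dn)
        if dn is None:
            return Session(self, None)           # anonymous bind
        if dn == self.rootdn and password == self.rootpw:
            return Session(self, dn)
        raise PermissionError("invalid credentials")

    def _modify(self, session, dn, changes):
        if self.updateref:                       # slave: never accept writes
            raise Referral([self.updateref])
        if session.bound_dn != self.rootdn:      # master: anonymous can't write
            raise InsufficientAccess(dn)
        self.entries.setdefault(dn, {}).update(changes)
        return "success"


def parse_referral_urls(info):
    """Extract the LDAP URLs from a libldap-style referral info string."""
    return [line.strip() for line in info.splitlines()
            if line.strip().lower().startswith(("ldap://", "ldaps://"))]


def referral_target(url, original_dn):
    """A referral URL names the server and optionally a DN; when the DN
    part is empty (as with 'ldap://blommie:9998') the client retries the
    operation on the original DN."""
    parts = urlsplit(url)
    dn = parts.path.lstrip("/") or original_dn
    return f"{parts.scheme}://{parts.netloc}", dn


def modify_chasing_referrals(network, uri, dn, changes, credentials=None):
    """Perform a modify, chasing referrals. `network` maps server URIs to
    Server objects (standing in for DNS and TCP). `credentials` is a
    (dn, password) pair used for every rebind; None reproduces the
    anonymous rebind the thread says the OpenLDAP tools perform."""
    for _ in range(MAX_REFERRAL_HOPS):
        server = network[uri]
        session = server.bind(*credentials) if credentials else server.bind()
        try:
            return session.modify(dn, changes)
        except Referral as ref:
            uri, dn = referral_target(parse_referral_urls(str(ref))[0], dn)
    raise RuntimeError("too many referral hops")


def demo():
    """Constructed topology: one slave referring writes to one master."""
    admin = "cn=admin,dc=example,dc=com"          # assumed rootdn/updatedn
    master = Server("ldap://blommie:9998", admin, "secret")
    slave = Server("ldap://slave:389", admin, "secret",
                   updateref="ldap://blommie:9998")
    network = {master.uri: master, slave.uri: slave}
    target = "uid=jean,dc=example,dc=com"
    change = {"mail": "jean@example.com"}
    results = {}
    try:  # 1. anonymous rebind on the referral: the master rejects the write
        modify_chasing_referrals(network, slave.uri, target, change)
        results["anonymous"] = "success"
    except InsufficientAccess:
        results["anonymous"] = "insufficientAccess"
    # 2. rebind with real credentials: the write lands on the master
    results["authenticated"] = modify_chasing_referrals(
        network, slave.uri, target, change, credentials=(admin, "secret"))
    results["master_entry"] = master.entries.get(target)
    results["slave_entry"] = slave.entries.get(target)  # stays absent
    return results


if __name__ == "__main__":
    print(demo())
```

Note that `credentials=None` is exactly the failure mode the thread is about: the referral is chased, but the rebind carries no identity, so the master applies its access rules to an anonymous session. Real OpenLDAP clients get the same effect by installing a rebind procedure that supplies credentials for the referred-to server.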