Re: Antwort: Re: distributed directories [Virus checked]
On Wed, 14 Apr 2004 denis.havlik@t-mobile.at wrote:
> >> A) How do ACLs work in such a setup? I can imagine that one may get
> >> better performance if ACLs are determined on the caching server:
>
> >In general it is not a good idea, but it can be based on the trust you can
> >put on the caching servers. In the scenario you're drawing it appears
>
> In fact, this whole business with ACLs has been bothering me since the
> beginning. Everything else in openLDAP scales quite nicely, but ACLs (and
> other things, like "limit" statements & ssl certs) have to be entered
> again and again on every server. It's exactly the administrator's nightmare
> situation we are trying to avoid in the first place. :-(
>
> Automatically updating part of the slapd configuration file on slave
> servers at server start (btw, can slapd re-load the configuration without
> restart?) sounds like a good idea. I can think of two ways to do it:
>
> 1) classical way, with scp/rsync or such. That's simple to do, but why do
> we have an LDAP server for?
> 2) Store the ACLs data for slaves in LDAP, and read them from the master
> server when needed. Anyone went this way?
3) Use an include file ...
(which may make (2) easier to implement and definitely makes (1) much
easier).
See /etc/openldap/slapd.access.conf in your openldap-server package
>
> One step further would be to "read the slapd configuration from master
> LDAP server". I presume this is an old idea - what was the result of
> discussions so far?
Kolab has some interesting stuff for bootstrapping LDAP servers, IIRC
using the perl backend for a configuration suffix (and having changes on
the master replicate to this backend) which writes to a perl database file
(tied hash?) which is used to generate the slapd.conf before slapd is
started.
Regards,
Buchan
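
Added example, not part of the original message and not OpenLDAP or Kolab code: with the ACLs kept in an include file as in option (3), a slave whose copy has drifted enforces different access rules than the master. This Python sketch reads slapd.conf (continuation lines, comments, include directives) and fingerprints the ordered database/suffix/access lines so two servers can be compared; the function names, the sample ACLs and the assumption that include paths are absolute belong to this example only.

```python
import hashlib
import os

def logical_lines(path):
    """Yield slapd.conf logical lines: join continuations, then skip comments."""
    buf = ""
    with open(path) as fh:
        for raw in fh:
            if raw[:1] in (" ", "\t") and buf:
                buf += " " + raw.strip()   # leading whitespace continues the previous line
                continue
            if buf and not buf.startswith("#"):
                yield buf
            buf = raw.strip()
    if buf and not buf.startswith("#"):
        yield buf

def acl_rules(path, seen=None):
    """Ordered database/suffix/access lines, following include directives."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                       # each file is read once; stops include loops
        return []
    seen.add(real)
    rules = []
    for line in logical_lines(real):
        words = line.split()
        key = words[0].lower()
        if key == "include" and len(words) == 2:
            rules += acl_rules(words[1].strip('"'), seen)   # assumes an absolute path
        elif key in ("database", "suffix", "access"):
            rules.append(" ".join(words))  # whitespace-normalised, order preserved
    return rules

def acl_fingerprint(path):
    """SHA-256 of the rule list; order is kept because the first matching ACL wins."""
    return hashlib.sha256("\n".join(acl_rules(path)).encode()).hexdigest()

def write_server(root, acl_text):
    """Write a constructed slapd.conf plus ACL include under root; return the conf path."""
    acl, conf = (os.path.join(root, n) for n in ("slapd.access.conf", "slapd.conf"))
    main = f'database bdb\nsuffix "dc=example,dc=com"\ninclude {acl}\n'
    for path, text in ((acl, acl_text), (conf, main)):
        with open(path, "w") as fh:
            fh.write(text)
    return conf

MASTER_ACL = ("# password hashes\naccess to attrs=userPassword\n\tby self write\n"
              "\tby anonymous auth\n\tby * none\naccess to *\n\tby * read\n")  # constructed sample
```

Comparing acl_fingerprint() output from the master with each slave flags a changed, missing or reordered rule while ignoring comments and line wrapping.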