[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: federated directory

To: gmatt@nerc.ac.uk
Subject: Re: federated directory
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 27 Jul 2004 20:49:20 +0200 (CEST)
Cc: "openldap" <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <63378.81.72.89.40.1090948321.squirrel@81.72.89.40>
References: <1090420446.16604.95.camel@lea.nerc-wallingford.ac.uk> <1090938319.14512.100.camel@lea.nerc-wallingford.ac.uk> <40945.131.175.154.56.1090942793.squirrel@131.175.154.56> <1090945047.14512.117.camel@lea.nerc-wallingford.ac.uk> <63378.81.72.89.40.1090948321.squirrel@81.72.89.40>
User-agent: SquirrelMail/1.4.3a-1

>> interesting - I thought multi master was declared dead and impossible to
>> implement with OpenLDAP...
>
> It is; I suggest using the feature to allow simultaneous replication and
> regular write to the same database, keeping the proprietary and the
> shadowed data separated only programmatically, i.e. by means of ACLs and
> "suffix" parameters in the replica directives... i.e.:
>
> "master":
>     - owns "dc=example,dc=com" except the children
>       of "ou=Local,dc=example,dc=com"
>     - the "replica" directive contains the option
>       "suffix=ou=Global,c=example,dc=com" (assuming no changes
>       will take place below it);
>     - ACLs contain the rule
>       access to dn.regex="((.+),)?cn=Slave
> (#[0-9]+),ou=Local,dc=example,dc=com$"
>           by dn.exact,expand="cn=Replicator $3,ou=Local,dc=example,dc=com"
> write
>           by * read
>
> "slave #n":
>     - owns the subtree of "cn=Slave #n,ou=Local,dc=example,dc=com";
>     - replicates the rest;
>     - the "replica" directive contains the option
>       "suffix=cn=Slave #n,ou=Local,dc=example,dc=com";
>     - ACLs contain the rule
>       access to dn.subtree="cn=Slave #n,ou=Local,dc=example,dc=com"
>           by <your access rules>
>       access to dn.regex="((.+),)?cn=Slave
> (#[0-9]+),ou=Local,dc=example,dc=com$"
>           by dn.exact,expand="cn=Replicator $3,ou=Local,dc=example,dc=com"
> write
>           by <your access rules>
>       access to dn.subtree=ou=Global,dc=example,dc=com$"
>           by dn.exact="cn=Global Replicator,ou=Local,dc=example,dc=com"
> write
>           by <your access rules>
>
> Again, this is untested; I might want to test it some time, when I can
> spare a few cycles.

To make the story short: with a few changes, it works with slurpd as well,
exploiting the multimaster mechanism.  Since both slurpd and multimaster
are or will be deprecated, I don't think adding a test is worth the
effort.  I might pack the example files and put them on some ftp, if
there's interest in this solution.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: federated directory
  - From: Howard Chu <hyc@symas.com>

References:
- federated directory
  - From: Greg Matthews <gmatt@nerc.ac.uk>
- Re: federated directory
  - From: Greg Matthews <gmatt@nerc.ac.uk>
- Re: federated directory
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: federated directory
  - From: Greg Matthews <gmatt@nerc.ac.uk>
- Re: federated directory
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: RE: Export Control Classification Number (ECCN) For openLDAP
Next by Date: OpenLDAP SRPM for RedHat 9
Index(es):
- Chronological
- Thread