
Re: slurpd questions

--On Wednesday, January 05, 2005 3:41 PM -0500 David Sonenberg <dsonenberg@strozllc.com> wrote:

I'm trying to set up a slave LDAP server and was wondering: does slurpd
need to run on both the master and slave?  Can it use the TLS
connection, and if so, how do I force it to do so?

It only needs to run on the master. You can force it to use TLS, read the "man slapd" page.


Pay attention to the "replica" syntax line.

OpenLDAP 2.2.15      Last change: 2004/07/27                   15

Standards, Environments, and Macros                 SLAPD.CONF(5)

    replica
         uri=ldap[s]://<hostname>[:port]|host=<hostname>[:port]
         [starttls=yes|critical] [suffix=<suffix> [...]]
         bindmethod=simple|sasl [binddn=<simple DN>]
         [credentials=<simple password>] [saslmech=<SASL mech>]
         [secprops=<properties>] [realm=<realm>]
         [authcId=<authentication ID>] [authzId=<authorization ID>]
         [attr[!]=<attr list>]

         Specify a replication site for this database. Refer to the
         "OpenLDAP Administrator's Guide" for detailed information on
         setting up a replicated slapd directory service. Zero or more
         suffix instances can be used to select the subtrees that will
         be replicated (defaults to all the database). host is
         deprecated in favor of the uri option. uri allows the replica
         LDAP server to be specified as an LDAP URI. A bindmethod of
         simple requires the options binddn and credentials and should
         only be used when adequate security services (e.g. TLS or
         IPSEC) are in place. A bindmethod of sasl requires the option
         saslmech. Specific security properties (as with the
         sasl-secprops keyword above) for a SASL bind can be set with
         the secprops option. A non-default SASL realm can be set with
         the realm option. If the mechanism will use Kerberos, a
         kerberos instance should be given in authcId. An attr list can
         be given after the attr keyword to allow the selective
         replication of the listed attributes only; if the optional !
         mark is used, the list is considered exclusive, i.e. the
         listed attributes are not replicated. If an objectClass is
         listed, all the related attributes are (are not) replicated.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
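The man page excerpt above says a simple bind "should only be used when adequate security services (e.g. TLS or IPSEC) are in place", which in slapd.conf terms means an ldaps:// URI or starttls=critical on the replica line. The following is an added example written for this page, not code from the mailing-list post or from the OpenLDAP project: a small linter that joins slapd.conf continuation lines (lines beginning with whitespace continue the previous directive), parses each `replica` stanza into its key=value options, and flags the weak combinations. It assumes the slapd.conf(5) semantics that starttls=yes proceeds without TLS if StartTLS fails while starttls=critical aborts the session; the hostnames, DNs and the password in the embedded configuration are constructed sample values.

```python
"""Lint slapd.conf `replica` stanzas for bind settings that expose credentials.

Added example; not from OpenLDAP or the mailing-list post. Assumes the
slapd.conf(5) replica syntax quoted above and that starttls=yes falls back
to cleartext when StartTLS fails, while starttls=critical aborts instead.
"""

import shlex

# Constructed sample slapd.conf fragment: two weak stanzas, two hardened ones.
SAMPLE_CONF = """\
database        bdb
suffix          "dc=example,dc=com"

# weak: simple bind with a plaintext password and no TLS at all
replica         uri=ldap://slave1.example.com:389
                bindmethod=simple binddn="cn=replica,dc=example,dc=com"
                credentials=secret

# weak: starttls=yes continues in cleartext if StartTLS fails
replica         uri=ldap://slave2.example.com starttls=yes
                bindmethod=simple binddn="cn=replica,dc=example,dc=com"
                credentials=secret

# hardened: StartTLS is mandatory, so the simple bind never crosses the wire in the clear
replica         uri=ldap://slave3.example.com starttls=critical
                bindmethod=simple binddn="cn=replica,dc=example,dc=com"
                credentials=secret

# hardened: LDAPS transport with a SASL bind
replica         uri=ldaps://slave4.example.com bindmethod=sasl saslmech=GSSAPI
"""


def join_continuations(text):
    """Return logical lines: slapd.conf continues a directive on lines that start with whitespace."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical


def parse_replica(line):
    """Parse one logical `replica` line into {option: value}; shlex handles quoted DNs."""
    opts = {}
    for tok in shlex.split(line)[1:]:
        key, sep, val = tok.partition("=")
        if sep:
            opts[key.lower()] = val  # option names are case-insensitive
    return opts


def assess_replica(opts):
    """Return a list of findings for one replica stanza (empty list means nothing flagged)."""
    findings = []
    uses_ldaps = opts.get("uri", "").lower().startswith("ldaps://")
    starttls = opts.get("starttls", "").lower()
    encrypted = uses_ldaps or starttls == "critical"
    if "host" in opts:
        findings.append("host= is deprecated; use uri=")
    if opts.get("bindmethod", "").lower() == "simple" and not encrypted:
        findings.append("bindmethod=simple without ldaps:// or starttls=critical sends the password in the clear")
    if starttls == "yes":
        findings.append("starttls=yes continues without TLS if StartTLS fails; use starttls=critical")
    return findings


def lint(text):
    """Return {uri: [findings]} for every replica stanza in a slapd.conf text."""
    results = {}
    for line in join_continuations(text):
        if line.split(None, 1)[0].lower() != "replica":
            continue
        opts = parse_replica(line)
        results[opts.get("uri", opts.get("host", "?"))] = assess_replica(opts)
    return results


if __name__ == "__main__":
    for uri, findings in lint(SAMPLE_CONF).items():
        print(f"{uri}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the embedded fragment, the first two stanzas are flagged and the last two pass; point `lint()` at the contents of a real slapd.conf to review a master's replica lines before starting slurpd.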