
Re: ldap slave master relationship



Both the provider and the consumer work fine independently; they both use TLS and have clients configured to use them, but now one of them must become a slave to the other and use syncrepl to take the changes that the master provides.
But since both are using different certificates, I don't know how they are going to communicate with their clients, since to use TLS you must create a CA certificate with the FQDN of the server, so both have different FQDNs and hence different certificates.
I'll provide a full debug list when I get the chance.
Thanks for the help already provided, and please can you provide some more.
Kindest regards.



Lee Jensen wrote:

>>At the risk of sounding like an idiot, it didn't work. I have the following missing in my understanding:
>>Do both provider and consumer have the same name?
>>I'm using ssl start_tls, but the consumer has his cacert that he passes to its clients and the provider has his; do I make one cacert that will work on both?



I've never configured SSL/TLS for OpenLDAP and don't know what implications or configuration changes are required to use it with syncrepl. Someone else may be better able to answer this.



>>And the binddn "slave_reader" has the bind password in the slapd.conf, but the updatedn doesn't, so how is it going to bind and update?



I wondered this myself. I assume that because syncrepl actually runs inside the server daemon and the updatedn is configured from within the slapd.conf it's considered safe. So the syncrepl part of the daemon just uses that as the dn which is making mods for internal calls to check permissions to modify objects.

If it's not working perhaps you could enable some trace debugging and
send that to the list. "it's not working" doesn't provide a great deal
of information to go off of. It could be SSL related however. You may
need to alter your provider configuration for the provider or
something.


Do you have at least the master running with clients able to connect etc
using SSL? Perhaps you should break it down. Make sure SSL is configured
and working properly and then set up syncrepl. Or in reverse set up
syncrepl and test it out then enable SSL and realize you'll probably
need to modify the config a little.

Lee



>>And I believe this line "limits dn.exact="cn=slave_writer,dc=directory,dc=com" size=unlimited time=unlimited" doesn't work on my version of OpenLDAP ("openldap : slapd 2.2.13"); does this line matter much or not?
This is my simple ACL in the master slapd.conf:


# replication reader gets read access to everything and stops here;
# everyone else falls through ("break") to the clauses below
access to *
        by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
        by * none break
access to attr=userPassword
        by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
        by * read

And this is the slapd.conf in the slave:

# the syncrepl updatedn gets write access to everything and stops here;
# everyone else falls through ("break") to the clauses below
access to *
        by dn.exact="cn=writer,dc=yyy,dc=mycompany,dc=com" write stop
        by * none break
access to attr=userPassword
        by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
        by * read

And the syncrepl in the slave is:
# in slapd.conf a line that begins with whitespace continues the previous
# directive, so every argument after "syncrepl rid=1" must be indented
syncrepl rid=1
        provider=ldap://zlato.batelco.jo:389
        type=refreshOnly
        interval=00:01:00:00
        searchbase="dc=xxx,dc=mycompany,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        updatedn="cn=writer,dc=yyy,dc=mycompany,dc=com"
        bindmethod=simple
        binddn="cn=reader,dc=xxx,dc=mycompany,dc=com"
        credentials=slave_reader_password
        starttls=yes


updateref ldap://xxx.mycompany.com

I can't seem to make it work.
Thanks.
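The certificate question raised in the thread (two servers with different FQDNs, and therefore different certificates, that must still talk to each other and to their clients over TLS) is usually solved by having one CA sign a separate server certificate for each host, so that clients and the consumer only need to trust the CA. The following slapd.conf and ldap.conf fragments are an added example of that layout, not configuration from either poster; the hostnames, file paths, the 128-bit SSF value and the assumption that the consumer's outgoing syncrepl connection takes its CA trust from the client-side ldap.conf (rather than from per-syncrepl tls_* options) are all assumptions of this example:

```conf
##### provider (master) slapd.conf -- added example, not the thread's config #####
# One private CA (assumed path /etc/openldap/cacert.pem) signs a separate
# server certificate per host. Each certificate carries that host's own FQDN
# as CN/subjectAltName; the CA certificate is the only thing shared.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/provider-cert.pem   # CN=xxx.mycompany.com (assumed FQDN)
TLSCertificateKeyFile   /etc/openldap/provider-key.pem

# Refuse operations on unencrypted connections, so the replication reader's
# simple-bind password can never travel in the clear (SSF value is assumed).
security ssf=128

# Read-only identity used by the consumer; everyone else falls through.
access to *
        by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
        by * none break
access to attr=userPassword
        by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
        by * read

##### consumer (slave) slapd.conf -- added example #####
# Same CA, but this host's own certificate and key (CN=yyy.mycompany.com, assumed).
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/consumer-cert.pem
TLSCertificateKeyFile   /etc/openldap/consumer-key.pem
security ssf=128

# updatedn only needs to exist as a DN with write access; it never binds,
# because syncrepl applies the changes from inside slapd.
access to *
        by dn.exact="cn=writer,dc=yyy,dc=mycompany,dc=com" write stop
        by * none break
access to *
        by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
        by * read

# Continuation lines must start with whitespace.
syncrepl rid=1
        provider=ldap://xxx.mycompany.com:389
        type=refreshOnly
        interval=00:01:00:00
        searchbase="dc=xxx,dc=mycompany,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        updatedn="cn=writer,dc=yyy,dc=mycompany,dc=com"
        bindmethod=simple
        binddn="cn=reader,dc=xxx,dc=mycompany,dc=com"
        credentials=slave_reader_password
        starttls=critical      # abort the session instead of falling back to cleartext
updateref ldap://xxx.mycompany.com

##### consumer host, client-side /etc/openldap/ldap.conf -- added example #####
# Assumed: the consumer's outgoing connection is a libldap client and
# verifies the provider's certificate against this CA.
TLS_CACERT   /etc/openldap/cacert.pem
TLS_REQCERT  demand
```

Two points worth checking once this is in place. First, `starttls=yes` only attempts StartTLS; `starttls=critical` makes the consumer drop the connection if the upgrade fails, which is what keeps the `credentials=` password off the wire. Second, `security ssf=128` applies to every connection to that server, including its ordinary clients, so confirm those clients already use TLS (as the thread says they do) before enabling it.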