On Friday 14 July 2006 03:48, Erich Weiler wrote:
> Hi Matt,
>
> I think I'm almost there!
>
> I added a similar entry to my slave server, got my keytabs set up,
> crontabs set up, etc.
>
> I'm wondering how the master server knows to accept the slave's
> authentication?

The slave will authenticate just like any other identity in the directory.

> Do I need something like:
>
> overlay syncprov
> syncprov-checkpoint 100 60
> syncprov-sessionlog 100
>
> and something like.....
>
> access to *
>         by self write

I hope this isn't the first ACL you have; allowing self write to all
attributes is most likely a security issue.

>         by dn="cn=Manager,dc=soe,dc=ucsc,dc=edu" write

If this is your rootdn, this clause is unnecessary (rootdn always gets
write).

>         by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>

AFAIK, no, you need to just do some SASL to dn mapping with authz-regexp
statements.

>         by * read

This may also not be a good idea, but you haven't stated if this is your
full ACL list.

> in the master LDAP server's slapd.conf file?
>
> Do you have access entries for your slaves in slapd.conf on your master
> server?

You should probably give your slaves read access to all attributes you want
replicated on all entries you want replicated. And, you probably want the
slaves to have unlimited (time, size) access.

It's probably most convenient to do this by putting all your slaves in a
groupOfNames entry, eg cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with
the DN each slave is mapped to by your authz-regexps as a member attribute)
and add clauses like this to every ACL:

        by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read

and a line like this in each database:

limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" size=unlimited time=unlimited

Then, adding another slave requires only an ldapmodify (besides the slave
configuration).

> Also, when you had everything set up correctly, did the slave
> automatically populate /var/lib/ldap with the databases as soon as slapd
> started up?

It can if you slapadd just the base entry for this database (with all
normal attributes and at least the entryCSN attribute) with the -w flag
(unnecessary if the entry you add has the contextCSN); then the slave
should sync itself. However, depending on the size of your directory, it
may be a lot more efficient to slapadd a recent dump of the entire
database.

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
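The configuration the reply above describes, written out as one added example (it is not from the original thread or from either poster's files). It assumes the Kerberos realm SOE.UCSC.EDU, the hostnames master.soe.ucsc.edu and slave.domain.com, and an ou=Replicas container for the mapped DNs; everything else (the suffix, rootdn, group DN and syncprov settings) is taken from the messages. The mapped DN does not have to exist as an entry for the group= clause to match, since slapd compares the bound DN against the group's member values, but creating the entries keeps the directory self-describing.

```conf
########################################################################
# master.soe.ucsc.edu: slapd.conf (added example; realm, hostnames and
# ou=Replicas are assumptions, not values from the thread)
########################################################################

# 1. Map the slave's GSSAPI identity to a DN. After a GSSAPI bind slapd
#    derives an authentication DN of the form
#        uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
#    and drops the cn=<realm> component when the realm is the default
#    one, so the pattern accepts both shapes. Check the exact string
#    the slave gets with:  ldapwhoami -Y GSSAPI -H ldap://master.soe.ucsc.edu
authz-regexp
  "uid=ldap/([^,]+)(,cn=[^,]+)?,cn=gssapi,cn=auth"
  "cn=$1,ou=Replicas,dc=soe,dc=ucsc,dc=edu"

database        bdb
suffix          "dc=soe,dc=ucsc,dc=edu"
rootdn          "cn=Manager,dc=soe,dc=ucsc,dc=edu"
directory       /var/lib/ldap

# The provider's sync searches key on these; index them.
index           objectClass         eq
index           entryCSN,entryUUID  eq

# 2. A replica walks the whole tree in one search, so lift the size and
#    time limits for the replicator group only, not for everyone.
limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"
  size=unlimited time=unlimited

# 3. ACLs are first-match, so the narrow rule goes first. Replicas read
#    everything they must copy, password hashes included; nobody else
#    reads hashes, and "self write" is limited to userPassword instead of
#    being granted on every attribute.
access to attrs=userPassword
  by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
  by self write
  by anonymous auth
  by * none

access to *
  by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
  by users read
  by * none

# 4. The provider overlay, after the database's other directives.
overlay         syncprov
syncprov-checkpoint 100 60
syncprov-sessionlog 100

# 5. The group the limits and ACLs refer to, added once as rootdn with
#    ldapadd. Each further slave is a single ldapmodify that appends one
#    member value (LDIF shown here in comments):
#
#      dn: cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu
#      objectClass: groupOfNames
#      cn: Replicator
#      member: cn=slave.domain.com,ou=Replicas,dc=soe,dc=ucsc,dc=edu

########################################################################
# slave.domain.com: the matching consumer stanza. The GSSAPI bind uses
# the ticket obtained from the keytab by the cron kinit the poster set
# up; that credential cache must be readable by the user slapd runs as.
########################################################################
syncrepl rid=001
  provider=ldap://master.soe.ucsc.edu
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=soe,dc=ucsc,dc=edu"
  bindmethod=sasl
  saslmech=GSSAPI
updateref       ldap://master.soe.ucsc.edu
```

To confirm the mapping and the ACLs before relying on replication, bind from the slave with `ldapwhoami -Y GSSAPI`; the returned identity should be the cn=...,ou=Replicas DN rather than the raw cn=gssapi,cn=auth form, and an `ldapsearch -Y GSSAPI -b dc=soe,dc=ucsc,dc=edu userPassword` from the same ticket should return hashes while an ordinary user's search returns none.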