Re: OpenLDAP instance as syncREPL replica and Slurpd master
Howard Chu wrote:
> Bruno Lezoray EMSM wrote:
>> Howard Chu wrote:
>>> Quanah Gibson-Mount wrote:
>>>> --On September 14, 2007 5:21:28 PM +0200 Bruno Lezoray EMSM
>>>> <bruno.lezoray@wh-ces.gmessaging.net> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I want to implement a specific OpenLDAP configuration with 3
>>>>> instances:
>>>>> 1st is a master
>>>>> 2nd is a syncrepl replica "and" slurpd master
>>>>> 3rd is a slurpd replica
>>>> Set up a push-based syncrepl instead of using slurpd. Slurpd is
>>>> deprecated, and fully removed from OpenLDAP 2.4.
>>> In OpenLDAP 2.3 this will require one more slapd process (while
>>> eliminating the slurpd process).
>>>
>>> 1 provider
>>> 2 regular consumer
>>> 2A back-ldap consumer
>>> 3 external replica
>>>
>>> None of the existing (1, 2, or 3) servers' configurations need any
>>> changes. (Except, you can remove the "replica" directives from your
>>> "slurpd master" since they don't do any good, and aren't needed
>>> anyway.)
>>>
>>> The back-ldap consumer would be set up something like:
>>>
>>> database ldap
>>> suffix "dc=example,dc=com"
>>> rootdn "cn=Whoever"
>>> uri ldap://localhost:9013/ <---- URL of external replica
>>>
>>> acl-bind bindmethod=simple
>>>   binddn="cn=Monitor" <---- updatedn of external replica
>>>   credentials=monitor <---- password for updatedn
>>>
>>> # the usual consumer config...
>>> syncrepl rid=1
>>>   provider=ldap://localhost:9011/
>>>   binddn="cn=Manager,dc=example,dc=com"
>>>   bindmethod=simple
>>>   credentials=secret
>>>   searchbase="dc=example,dc=com"
>>>   filter="(objectClass=*)"
>>>   schemachecking=off
>>>   scope=sub
>>>   type=refreshOnly
>>>   interval=00:00:00:10
>>>   retry="5 5 300 5"
>>>
>>>
>> Ok.
>> On the back-ldap instance, I have this configuration:
>> database ldap
>> suffix "o=test"
>> rootdn "cn=root DN, o=test"
>> rootpw {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
>> uri ldaps://10.1.1.69:1636/
> Is that really the URI of the external replica?
Yes
>
>> acl-bind bindmethod=simple
>>   binddn="cn=root DN, o=test"
>>   credentials=secret
>> syncrepl rid=1
>>   provider=ldaps://localhost:636/
> Is that really the URI of the syncrepl master?
No, it was a mistake. Sorry.
>
>>   binddn="cn=root DN,o=test"
>>   bindmethod=simple
>>   credentials=secret
>>   searchbase="o=test"
>>   filter="(objectClass=*)"
>>   schemachecking=off
>>   scope=sub
>>   type=refreshOnly
>>   interval=00:00:00:10
>>   retry="5 5 300 5"
>>
>> And on the external replica, I have:
>> database bdb
>> suffix "o=test"
>> rootdn "cn=root DN, o=test"
>> rootpw {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
>> directory /usr/products/freeware/openldap/var/openldap-slapd-sym
>> checkpoint 64 15
>
> You're missing the updateDN directive. And since this is supposed to
> be a replica, it shouldn't be generating password-hashes by itself, it
> should just be taking exactly what the master generated.
Exactly.
So, I don't need a regular consumer, except if I want to have a local
database.
Thanks for your help, Howard.
Rgds, Bruno.
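
The relationship annotated in the thread (the back-ldap `acl-bind` binddn is the external replica's `updatedn`, and the replica must actually declare one) can be checked mechanically before starting the servers. The following is an added example, not code from the thread or from OpenLDAP; the function names, sample configurations and host names are constructed, and DN comparison is simplified.

```python
import shlex

def parse_slapd_conf(text):
    """Split slapd.conf text into database sections: [{directive: [args, ...]}]."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:  # leading whitespace continues a line
            logical[-1] += " " + raw.strip()
        elif raw.strip():
            logical.append(raw)
    sections = []
    for line in logical:
        if line.startswith("#"):                # comments dropped after unwrapping
            continue
        name, *args = shlex.split(line)
        if name.lower() == "database":
            sections.append({})
        if sections:                            # global directives are ignored here
            sections[-1].setdefault(name.lower(), []).append(args)
    return sections

def norm_dn(dn):  # simplified: case-insensitive, spaces around commas ignored
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_push_pair(proxy_text, replica_text):  # returns a list of findings
    proxy = next((s for s in parse_slapd_conf(proxy_text)
                  if s.get("database") == [["ldap"]] and "syncrepl" in s), None)
    if proxy is None:
        return ["no 'database ldap' section with syncrepl"]
    kv = dict(a.split("=", 1) for a in proxy.get("acl-bind", [[]])[0] if "=" in a)
    suffix = norm_dn(proxy.get("suffix", [[""]])[0][0])
    target = next((s for s in parse_slapd_conf(replica_text)
                   if norm_dn(s.get("suffix", [[""]])[0][0]) == suffix), None)
    if "binddn" not in kv:
        return ["back-ldap section has no acl-bind binddn"]
    if target is None:
        return ["replica has no database for the pushed suffix"]
    if "updatedn" not in target:
        return ["replica database has no updatedn"]
    if norm_dn(target["updatedn"][0][0]) != norm_dn(kv["binddn"]):
        return ["acl-bind binddn is not the replica's updatedn"]
    return []

# Constructed samples modelled on the thread; host names are placeholders.
PROXY = ('database ldap\nsuffix "o=test"\nuri ldap://replica.example/\n'
         'acl-bind bindmethod=simple\n  binddn="cn=replicator, o=test"\n  credentials=secret\n'
         'syncrepl rid=1\n  provider=ldap://provider.example/\n  searchbase="o=test"\n')
REPLICA_BAD = 'database bdb\nsuffix "o=test"\nrootdn "cn=root DN, o=test"\n'
REPLICA_OK = REPLICA_BAD + 'updatedn "cn=replicator,o=test"\n'
```

`check_push_pair(PROXY, REPLICA_BAD)` reports the missing `updatedn`, which is the situation in the replica configuration posted above; `REPLICA_OK` passes.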