On Tue, Jan 26, 2010 at 07:23:51PM -0800, Howard Chu wrote:
> Alex Samad wrote:
> > Hi
> >
> > I have setup a multimaster setup and some slave nodes, using cn=config.
> >
> > I am looking at trying to create a user in the cn=config space
>
> The config database does not support user entries, it only handles config entries.
>
Okay, maybe you can suggest a best practice approach for my setup.
I have 2 master nodes setup in multiple master
and a few (3-4) slave nodes.
In it previous incarnation I used slapd.conf + tls to authorise access,
I mapped x509 dns to a replica dn, so the base was dc=samad,dc=com,dc=au
and the replica dn was cn=replia,ou=roles,dc=samad,dc=com,dc=au
now I want to do the same thing, map x509 certs to roles and give the
roles access to certain parts of cn=config and dc=samad,dc=com,dc=au.
I can understand putting roles in the dc=samad,dc=com,dc=au for
dc=samad,dc=com,dc=au, but I don't really see putting roles in
dc=samad,dc=com,dc=au to manage/access cn=config and I would rather not
be always using the cn=config rootdn/rootpw
should I create a cn=manager db and use that ?
My other question on this setup is replicating dc=samad,dc=com,dc=au,
means replicating olcDatabase={2}hdb,cn=config and below, which means I
also replicate the olcsyncRepl. Should I either block this on the
masters and create it on the consumers or somehow when i create the
initial consumer tell it not to replicate this attribute.
My issue right now is that it has rootdn/rootpw. and I am looking at
moving to tls/certs - re the above question
Alex
Attachment:
signature.asc
Description: Digital signature