[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Denying access to syncrepl consumere during initial DIT content load

To: Howard Chu <hyc@symas.com>, openldap-technical@openldap.org
Subject: Re: Denying access to syncrepl consumere during initial DIT content load
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 24 Mar 2014 19:09:17 +0100
In-reply-to: <53304AE3.4010604@symas.com>
References: <alpine.BSF.2.00.1403240952400.1298@pohjola.cksoft.de> <53302B1A.6010909@symas.com> <53303B92.6060208@stroeder.com> <53303E7E.60002@symas.com> <533040FE.4060502@stroeder.com> <53304AE3.4010604@symas.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25

Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> Howard Chu wrote:
>>>>> Christian Kratzer wrote:
>>>>>>
>>>>>> I remember a discussion some time ago about the possibility of delaying
>>>>> access to a syncrepl. consumer during the intial DIT load.
>>>>>
>>>>> http://www.openldap.org/lists/openldap-bugs/201308/msg00043.html
>>>>>
>>>>> Feel free to experiment with it and see whether it suits your need.
>>>>
>>>> Why was this undocumented strictrefresh option limited to delta-syncrepl?
>>>
>>> Just expedient at the time, it would take more code to cover other cases. Also
>>> it wasn't clear to me that this was actually a good approach, thus the need
>>> for other developers to test it and give feedback.
>>
>> Hmm, it's some work and risk to change a serious setup to delta-syncrepl.
>>
>>> The biggest problem with this approach is that it has global impact - turning
>>> off slapd's listeners. On a slapd with multiple independent databases, this
>>> would be a bad idea.
>>
>> IMO that's not really an issue because
>> 1. you likely have many replicas serving the same set of databases to
>> clients and
>> 2. it's very likely that you're initializing all DBs at once because if
>> deploying a new server, recovering after file system corruption etc.
> 
> An obvious counter-example: a server with multiple databases, consuming from
> distinct providers. If the connection to one of those providers is lost and
> reconnected, the current code would disable slapd globally but only one of the
> multiple DBs needs to be blocked.

If you have HA requirements in such a replication setup you will set up
another replica with such a configuration => see "set of databases" in item 1.
above.

>> Anyway having an slapd-internal mechanism is way better than external
>> work-arounds with monitoring contextCSN and using iptables etc.
> 
> Sure. But again, it requires more thinking, there are plenty of undesirable
> side-effects to any approach you can mention.

Thinking is always good.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Denying access to syncrepl consumere during initial DIT content load
  - From: Christian Kratzer <ck-lists@cksoft.de>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Howard Chu <hyc@symas.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Michael Ströder <michael@stroeder.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Howard Chu <hyc@symas.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Michael Ströder <michael@stroeder.com>
- Re: Denying access to syncrepl consumere during initial DIT content load
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: question about openldap restore with command sldapadd
Next by Date: RE: question about openldap restore with command sldapadd
Index(es):
- Chronological
- Thread