[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Multi-master syncrepl config: excluding olcSaslHost from replication
- To: openldap-technical@openldap.org
- Subject: Multi-master syncrepl config: excluding olcSaslHost from replication
- From: Kyle Brantley <kyle@averageurl.com>
- Date: Fri, 21 Aug 2015 13:31:36 -0600
- User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
I'm working on a full multi-master slapd setup, where both the cn=config
database as well as the actual database are fully replicated. All access
to the slapd instances is gated with GSSAPI (the only notable exception
being the syncrepl users, which I'm working on converting over to GSSAPI
anyway).
However, I need to be able to configure olcSaslHost on a per-server
basis. Server A will have a different value for olcSaslHost than server
B will. While I want to replicate cn=config, I don't want to replicate
the olcSaslHost attribute.
I've tried two things, and neither have worked:
1) Configuring exattrs="olcSaslHost" in the olcSyncrepl statements for
cn=config.
* This allows me to configure the attribute, but as soon as there
is any other change to cn=config, it wipes the attribute out across all
of the nodes.
2) Updating the ACL for the syncrepl user to not have access to the
olcSaslHost attribute.
* Unfortunately, this has similar behavior to the above: making a
change on one node will wipe the olcSaslHost attribute out of all of the
nodes.
How best can I go about doing this? I was hoping that olcSaslRealm was
multi-value and could be configured in a manner similar to olcServerID,
but that isn't the case. I was hoping that denying access to the
attributes (via ACL or olcSynrepl config) would make the syncrepl engine
ignore the attribute, but because it can't see it on the node where the
attribute was changed, but it can see it on the downstream nodes, it
wipes the attribute out entirely.
Any help / suggestions welcome.
Thanks,
--Kyle