I updated the replication section of the OpenLDAP Admin guide last night to the final version discussing Push Based Replication, i.e. what slurpd does in OpenLDAP 2.3 (dropped for various reasons), but since the docs won't be available properly until 2.4.11 is out I'm posting it here.
Read on for more....
Basically with OpenLDAP 2.4 you have two choices:
1. A Master directory, which as you know can have multiple database definitions, with an LDAP Proxy included: your slapd.conf or cn=config lists your normal LDAP database and also a back-ldap database, which pulls in data via Syncrepl pointing at the main URI and pushes changes out via the back-ldap URI, hence "Push-based".
2. If you don't have access to the master directory, or you aren't setting up a new deployment, you can create a standalone LDAP Proxy that does the same as above.
So, for method 1:
CODE:
#######################################################################
# Standard OpenLDAP Master/Provider
#######################################################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/slapd.acl
modulepath /usr/local/libexec/openldap
moduleload back_hdb.la
moduleload syncprov.la
moduleload back_monitor.la
moduleload back_ldap.la
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
loglevel sync stats
database hdb
suffix "dc=suretecsystems,dc=com"
directory /usr/local/var/openldap-data
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
index objectClass eq
# rest of indexes
index default sub
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootpw testing
# syncprov specific indexing
index entryCSN eq
index entryUUID eq
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database monitor
database config
rootpw testing
##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################
database ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden on
suffix "dc=suretecsystems,dc=com"
rootdn "cn=slapd-ldap"
uri ldap://localhost:9012/
lastmod on
# We don't need any access to this DSA
restrict all
acl-bind bindmethod=simple
        binddn="cn=replicator,dc=suretecsystems,dc=com"
        credentials=testing
syncrepl rid=001
        provider=ldap://localhost:9011/
        binddn="cn=replicator,dc=suretecsystems,dc=com"
        bindmethod=simple
        credentials=testing
        searchbase="dc=suretecsystems,dc=com"
        type=refreshAndPersist
        retry="5 5 300 5"
overlay syncprov
Corresponding Slave config:
CODE:
#######################################################################
# Standard OpenLDAP Slave without Syncrepl
#######################################################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/slapd.acl
modulepath /usr/local/libexec/openldap
moduleload back_hdb.la
moduleload syncprov.la
moduleload back_monitor.la
moduleload back_ldap.la
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
loglevel sync stats
database hdb
suffix "dc=suretecsystems,dc=com"
directory /usr/local/var/openldap-slave/data
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
index objectClass eq
# rest of indexes
index default sub
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootpw testing
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
updatedn "cn=replicator,dc=suretecsystems,dc=com"
# Refer updates to the master
updateref ldap://localhost:9011
database monitor
database config
rootpw testing
Possible ACLs:
CODE:
# Give the replica DN unlimited read access. This ACL may need to be
# merged with other ACL statements.
access to *
        by dn.base="cn=replicator,dc=suretecsystems,dc=com" write
        by * break
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to dn.subtree="cn=Monitor"
        by dn.exact="uid=admin,dc=suretecsystems,dc=com" write
        by users read
        by * none
access to *
        by self write
        by * read
Method 2:
CODE:
#######################################################################
# Standalone OpenLDAP Proxy (no local data database)
#######################################################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/slapd.acl
modulepath /usr/local/libexec/openldap
moduleload back_hdb.la
moduleload syncprov.la
moduleload back_monitor.la
moduleload back_ldap.la
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
loglevel sync stats
##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################
database ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden on
suffix "dc=suretecsystems,dc=com"
rootdn "cn=slapd-ldap"
uri ldap://localhost:9012/
lastmod on
# We don't need any access to this DSA
restrict all
acl-bind bindmethod=simple
        binddn="cn=replicator,dc=suretecsystems,dc=com"
        credentials=testing
syncrepl rid=001
        provider=ldap://localhost:9011/
        binddn="cn=replicator,dc=suretecsystems,dc=com"
        bindmethod=simple
        credentials=testing
        searchbase="dc=suretecsystems,dc=com"
        type=refreshAndPersist
        retry="5 5 300 5"
overlay syncprov
And point the above at the same kind of slave, using the slave config already listed.
Anyway, more explanation will be in the Admin Guide when 2.4.11 comes out.
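As an added check (my own example, not part of the post or of OpenLDAP itself), here is a small Python script that parses a proxy fragment and a slave fragment, honouring slapd.conf's rule that an indented line continues the previous one, and cross-checks the wiring between them: the proxy must carry restrict all, its syncrepl provider must be what the slave's updateref points at, and the DN it pushes with (the acl-bind binddn) must be the slave's updatedn. The embedded config fragments are constructed to mirror the ports and DNs used above.

```python
import re

def parse_slapd_conf(text):
    """Split slapd.conf text into database sections of (directive, args) pairs.
    An indented line continues the previous one (the acl-bind/syncrepl blocks)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    sections = [{"type": "global", "dirs": []}]
    for line in logical:
        name, _, args = line.partition(" ")
        if name == "database":
            sections.append({"type": args.strip(), "dirs": []})
        sections[-1]["dirs"].append((name, args.strip()))
    return sections

def _get(section, name):
    return [a for n, a in section["dirs"] if n == name]

def check_push_replication(proxy_conf, slave_conf):
    """Cross-check the back-ldap proxy against the push slave it writes to.
    Returns a list of problems; an empty list means the two configs agree."""
    proxy = next(s for s in parse_slapd_conf(proxy_conf) if s["type"] == "ldap")
    slave = next(s for s in parse_slapd_conf(slave_conf) if s["type"] in ("hdb", "bdb"))
    problems = []
    if _get(proxy, "restrict") != ["all"]:
        problems.append("proxy lacks 'restrict all': clients could reach the slave through it")
    provider = re.search(r"provider=(\S+)", " ".join(_get(proxy, "syncrepl")))
    updateref = _get(slave, "updateref")
    if not (provider and updateref and provider[1].rstrip("/") == updateref[0].rstrip("/")):
        problems.append("slave updateref does not point at the provider the proxy pulls from")
    push_dn = re.search(r'binddn="([^"]+)"', " ".join(_get(proxy, "acl-bind")))
    if not push_dn or push_dn[1] not in [d.strip('"') for d in _get(slave, "updatedn")]:
        problems.append("proxy acl-bind binddn is not the slave updatedn: pushed writes are refused")
    return problems

# Constructed fragments mirroring the post's configs (only the directives the checks read).
PROXY_CONF = """database ldap
restrict all
acl-bind bindmethod=simple
        binddn="cn=replicator,dc=suretecsystems,dc=com"
syncrepl rid=001
        provider=ldap://localhost:9011/
"""
SLAVE_CONF = """database hdb
updatedn "cn=replicator,dc=suretecsystems,dc=com"
updateref ldap://localhost:9011
"""
```

Running the checks against the two fragments returns an empty list; change the slave's updatedn or drop restrict all from the proxy and the corresponding problem is reported.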
Thanks,
Gavin.
Suretec Systems.