The LDAP service becomes increasingly important as more networked systems begin to depend on it. In such an environment, it is standard practice to build redundancy (high availability) into LDAP to prevent havoc should the LDAP server become unresponsive.

Replication is achieved via the Sync replication engine, syncrepl. This allows changes to be synchronised using a Consumer - Provider model. A detailed description of this replication mechanism can be found in the OpenLDAP administrator's guide and in its defining RFC 4533.

There are two ways to use this replication:

Standard replication: Changed entries are sent to the consumer in their entirety. For example, if the userPassword attribute of the uid=john,ou=people,dc=example,dc=com entry changed, then the whole entry is sent to the consumer.

Delta replication: Only the actual change is sent, instead of the whole entry.

The delta replication sends less data over the network, but is more complex to set up.

You must have Transport Layer Security (TLS) enabled already. Please consult the LDAP with TLS guide for details of how to set this up.

Provider configuration - replication user

Both replication strategies will need a replication user, as well as updates to the ACLs and limits regarding this user. To create the replication user, save the following contents to a file called replicator.ldif:

dn: cn=replicator,dc=example,dc=com

Then add it with ldapadd:

$ ldapadd -x -ZZ -D cn=admin,dc=example,dc=com -W -f replicator.ldif
adding new entry "cn=replicator,dc=example,dc=com"

Now set a password for it with ldappasswd:

$ ldappasswd -x -ZZ -D cn=admin,dc=example,dc=com -W -S cn=replicator,dc=example,dc=com

The next step is to give this replication user the correct privileges, i.e.:

Read access to the content that we want replicated

For that we need to update the ACLs on the provider. Since ordering matters, first check what the existing ACLs look like on the dc=example,dc=com tree:

$ sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config '(olcSuffix=dc=example,dc=com)' olcAccess

olcAccess: ,cn=config
binddn="cn=replicator,dc=example,dc=com" credentials=

Ensure the following attributes have the correct values:

provider: Provider server's hostname – in this example – or IP address.
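The ACL ordering check on the provider is easy to get wrong by hand: a rule such as "to attrs=userPassword ... by * none" that sits before the replicator's grant stops evaluation, and password hashes never reach the consumer. The following Python is an added example, not part of the original guide or of OpenLDAP's own tooling: it parses olcAccess values as "ldapsearch -LLL" prints them, reports whether the replicator would be denied by an earlier rule, and produces the ldapmodify LDIF that places a replicator read rule at position {0}. The sample output, the rule text and the function names are assumptions constructed here.

```python
import re

# Constructed sample ldapsearch output (not from a real server); {N} is the order.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
"""

REPLICATOR_DN = "cn=replicator,dc=example,dc=com"
# Assumed rule in standard slapd ACL syntax: the replicator may read every
# entry; every other identity falls through ("break") to the existing rules.
REPLICATOR_RULE = f'to * by dn.exact="{REPLICATOR_DN}" read by * break'

ACL_RE = re.compile(r"^olcAccess:\s*(?:\{(\d+)\})?(.*)$")

def parse_olc_access(text):
    """Return (index, rule) pairs from 'ldapsearch -LLL' output, in {N} order."""
    rules = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            idx = int(m.group(1)) if m.group(1) is not None else len(rules)
            rules.append((idx, m.group(2).strip()))
    return sorted(rules)

def replicator_can_read(rules, replicator_dn=REPLICATOR_DN):
    """Conservative first-match walk, the way slapd evaluates ACLs: the replicator
    must reach a rule covering all entries that grants it read before any rule
    that stops evaluation (no trailing 'break') without granting it."""
    for _idx, rule in rules:
        grants = (f'dn.exact="{replicator_dn}" read' in rule
                  or f'dn.exact="{replicator_dn}" write' in rule
                  or "by * read" in rule or "by users read" in rule)
        if grants and rule.startswith("to *"):
            return True
        if not grants and not rule.endswith("break"):
            return False
    return False

def insert_first(rules, rule=REPLICATOR_RULE):
    """Model slapd adding a value with the {0} prefix: existing rules shift down."""
    return [(0, rule)] + [(i + 1, r) for i, r in rules]

def modify_ldif(db_dn, rule=REPLICATOR_RULE):
    """LDIF for ldapmodify that inserts `rule` at position {0} on `db_dn`."""
    return (f"dn: {db_dn}\nchangetype: modify\nadd: olcAccess\n"
            f"olcAccess: {{0}}{rule}\n")
```

Feed the real ldapsearch output to parse_olc_access and, if replicator_can_read is False, apply the LDIF from modify_ldif with ldapmodify before configuring the consumer.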