Quanah,

Trying to post a reply using my hotmail account. Sorry for the unreadable output previously posted. I'm almost embarrassed to say I've been involved in IT for over 15 years and never used a mailing list before.

Anyhow, I did download the source packages and compiled them. However, the semester was winding down and I was under a lot of pressure to have something completed before the end of finals week so my professor could assign me a grade for the work I had done. I reverted back to my previous version to get some stuff written. Not to mention, my algorithms professor was kicking my butt too. Will I ever "really" need an FFT in the real world? lol

The more I looked at what I was trying to accomplish, I realized I was attacking the problem all wrong. What I was being asked to do was something more like configuring my two slapd servers to act more like Active Directory global catalog servers. GCs utilize MM instead of single master replication so I scrapped the SM replication design in favor of MM. Once this was done, I no longer needed the chaining overlay or proxy auth. I now have MM replication of both cn=config and my directory data (with delta) working and my Kerberos KDCs are happy.

One thing I did find was that configuring MM replication made me learn a little more about how to "properly" name/configure an overlay with the syncprov and accesslog modules by digging into the test scripts. I had some issues with sync state on the consumers, but I found a post you made to someone else a few years back that solved my delta replication issue by configuring a syncprov overlay on the accesslog db. Not sure I remember seeing that in the Admin Guide.

Looking back at the original post I noticed the chain overlay I had configured was dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config. Knowing what I know now, I'm not 100% sure that was correct. Shouldn't that overlay have been in either the config database of my directory or the ldap backend database for the chain rather than a "frontend"? Just a thought I've been kicking around in my head.

Either way, I have my ldap config working. We can either close this issue if you'd like or leave it open and I'll attempt to confirm my theory on the overlay not being properly located when I get a chance. Completely your choice.

But I do have a couple of questions on my MM replication of cn=config if you want to take them. First, does it make sense or is it possible to do delta replication on cn=config? The data "on the wire" seems like it would be much smaller and less frequent than directory data so perhaps it's not as beneficial? Secondly, I am using a simple bind with this replication agreement (versus sasl/gssapi and tls for my directory data). When configuring limits and acl's for replication of my dit, I created a groupOfNames (cn=replicators, ou=groups, dc=example,dc=net) that has each ldap server as a member. My thought process was that this made the solution a bit more scalable. As ldap servers were added to the topology, they could be added to the group of names and automatically be given the correct permissions and limits. Likewise, as servers are decommissioned, they could easily be removed by deleting them from the group and directory. Can I use this same group of names in cn=config replication by creating a similar limit and acl using this group of names? Since I am handling the formatting of the gssapi uid in cn=config (maybe a mistake if I ever wanted to be able to handle multiple directories/domains), can I use the gssapi authentication of hosts in dc=example,dc=net? Seems I should be able to since it appears that when the authorization occurs in the database, the bind id is assumed to be already authenticated and accepted as presented with no further authentication taking place. I'm thinking that so long as that uid is formatted into a dn listed in an acl, the matching access is applied? Am I way off base in my thinking? Now that I have a rough workable solution I'm just trying to pretty it up a bit and make the design more efficient and scalable.

Thanks

Barry
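Added example, not part of Barry's message or his actual configuration: a provider-side cn=config LDIF that puts the two pieces his message describes side by side, a syncprov overlay on the accesslog database for delta replication and a groupOfNames-based ACL plus limits for the replicators. Assumed: the directory is olcDatabase={1}mdb with suffix dc=example,dc=net, the accesslog lives in a second mdb database numbered {2}, and the olcDbDirectory path is a placeholder. The group DN cn=replicators,ou=groups,dc=example,dc=net is the one from the message. The ACLs are written in the least-privilege direction: group members get read on the changelog and the directory, everyone else gets nothing on the changelog, and nothing here touches the cn=config database itself.

```ldif
# Added example (not the poster's config). Assumes olcDatabase={1}mdb holds
# dc=example,dc=net and olcDatabase={2}mdb is free for cn=accesslog.
# Load in this order with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif

# 1. Accesslog database: the changelog that delta-syncrepl consumers read.
#    Only members of the replicator group may read it; "by * none" keeps the
#    write history from being browsable by ordinary binds.
dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: cn=accesslog
olcDbDirectory: /var/lib/ldap/accesslog
olcRootDN: cn=accesslog
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
olcAccess: to * by group/groupOfNames/member.exact="cn=replicators,ou=groups,dc=example,dc=net" read by * none
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# 2. syncprov on the accesslog database (the piece the message found in an
#    old list reply): consumers sync against the log itself.
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# 3. accesslog overlay on the directory database: records successful writes
#    into cn=accesslog and purges entries older than a week, once a day.
dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

# 4. syncprov on the directory database, used when a consumer has to fall
#    back to a full refresh.
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# 5. Group-based ACL and limits on the directory database, as the message
#    describes: adding a server's DN to the group grants it replication
#    rights, removing it revokes them. The clause is inserted at position
#    {0} and ends in "break" so the existing user-facing rules still apply.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by group/groupOfNames/member.exact="cn=replicators,ou=groups,dc=example,dc=net" read by * break
-
add: olcLimits
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
```

Two checks worth running after loading this. First, confirm the membership that the ACL keys on: `ldapsearch -LLL -b cn=replicators,ou=groups,dc=example,dc=net member` should list exactly the DNs the replicating servers bind as (for a GSSAPI bind that is whatever DN the server's authz-regexp maps the principal to, which is the formatting the message says it handles). Second, bind as one of those DNs and search `-b cn=accesslog`, then remove that DN from the group and repeat: the second search should return nothing, which demonstrates that decommissioning a server by deleting it from the group really does cut off its access to the changelog.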