Hi all,
I want to implement a specific OpenLDAP configuration with 3 instances:
1st is a master
2nd is a syncrepl replica "and" slurpd master
3rd is a slurpd replica
The reason why I want to implement this configuration is that I have
firewall restrictions:
Only the 2nd instance can establish TCP connections to the 1st and 3rd
instances. TCP connections in the other direction are forbidden >:o .
The 1st instance sends updates correctly to the 2nd instance. But the
2nd instance doesn't generate a replication log. So, I send nothing to the
3rd instance.
Here is an extract of my 2nd instance configuration:
database bdb
suffix "o=test"
rootdn "cn=root DN, o=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/products/freeware/openldap/var/openldap-slapd-pivot
#
# Checkpoint is taken every 64 KB written or every 15 min
#
checkpoint 64 15
# password hash algorithm
password-hash {SSHA}
#
# Set the entry cache size to 50000.
#
cachesize 50000
# Indexes to maintain
index objectClass,entryCSN,entryUUID eq
index uid pres,eq,sub
index mail pres,eq,sub
index cn pres,eq,sub
index sn pres,eq,sub
#
# Slurpd master replication parameters
#
replica uri=ldaps://localhost:1636/
        binddn="cn=Replicator, o=test"
        bindmethod=simple credentials=secret
replogfile
        /usr/products/freeware/openldap/var/replication/replication_pivot.log
#
# SyncREPL slave replication parameters
#
syncrepl rid=3
        provider=ldaps://10.1.1.69:636
        #type=refreshOnly
        type=refreshAndPersist
        #interval=01:00:00:00
        searchbase="o=test"
        filter="(objectClass=*)"
        scope=sub
        #attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret
So, my questions:
Can this architecture work?
If yes, do you have an idea to solve the issue?
If no, is there a solution that fits the restriction?
Rgds, Bruno.
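The extract above mixes a slurpd `replica`/`replogfile` section with a `syncrepl` consumer section in one slapd.conf, and the post's own comments already warn about cleartext secrets. The following is an added example, not code from the original post or from the OpenLDAP project: a small Python linter that reads a slapd.conf fragment the way slapd.conf(5) does (a line beginning with whitespace continues the previous directive, `#` lines are comments), summarises the replication topology it declares, and flags the least-privilege and secret-handling points a reviewer would raise. The embedded configuration is constructed to mirror the shape of the posted extract, with placeholder paths and hash; the finding texts and the function names are this example's own.

```python
"""Minimal slapd.conf replication-section linter (added example, not project code)."""
import re

# Constructed sample, shaped like the posted extract. Continuation lines are
# indented as slapd.conf(5) requires; paths and the rootpw hash are placeholders.
SAMPLE_CONF = """\
database bdb
suffix "o=test"
rootdn "cn=root DN, o=test"
rootpw {SSHA}PLACEHOLDER_HASH_VALUE
directory /var/lib/ldap/pivot
# Slurpd master replication parameters
replica uri=ldaps://localhost:1636/
        binddn="cn=Replicator, o=test"
        bindmethod=simple credentials=secret
replogfile
        /var/lib/ldap/replication/replication_pivot.log
# SyncREPL slave replication parameters
syncrepl rid=3
        provider=ldaps://10.1.1.69:636
        type=refreshAndPersist
        searchbase="o=test"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret
"""

# key=value pairs as they appear in replica/syncrepl directives; values may be quoted
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_slapd_conf(text):
    """Return [(directive, args), ...] with continuation lines joined.

    slapd.conf(5): a physical line that starts with whitespace continues the
    previous logical line; blank lines and lines starting with '#' are ignored.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    parsed = []
    for line in logical:
        parts = line.split(None, 1)
        parsed.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return parsed


def keyvals(args):
    """Split 'k=v k2="quoted v"' argument strings into a dict (quotes stripped)."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(args)}


def lint_replication(parsed):
    """Summarise replication directives and collect review findings."""
    rootdn = None
    summary = {"syncrepl": [], "replica": [], "replogfile": None, "findings": []}
    for name, args in parsed:
        if name == "rootdn":
            rootdn = args.strip('"')
        elif name == "rootpw" and not args.startswith("{"):
            summary["findings"].append("rootpw is stored in cleartext; use slappasswd(8) output")
        elif name == "replogfile":
            summary["replogfile"] = args
        elif name in ("replica", "syncrepl"):
            kv = keyvals(args)
            summary[name].append(kv)
            if "credentials" in kv:
                # Simple-bind secrets in slapd.conf are cleartext by design;
                # the file itself must be unreadable to anyone but slapd's user.
                summary["findings"].append(
                    "%s: bind credentials are cleartext in slapd.conf; restrict file permissions" % name)
    for kv in summary["syncrepl"]:
        if rootdn and kv.get("binddn") == rootdn:
            summary["findings"].append(
                "syncrepl rid=%s binds with the rootdn name; a dedicated read-only "
                "replication identity is the least-privilege choice" % kv.get("rid"))
    if summary["replica"] and summary["syncrepl"]:
        summary["findings"].append(
            "this instance is both a syncrepl consumer and a slurpd master; "
            "verify replogfile grows when consumer-applied changes arrive")
    return summary


if __name__ == "__main__":
    report = lint_replication(parse_slapd_conf(SAMPLE_CONF))
    print("syncrepl providers:", [s.get("provider") for s in report["syncrepl"]])
    print("slurpd replicas:   ", [r.get("uri") for r in report["replica"]])
    print("replogfile:        ", report["replogfile"])
    for finding in report["findings"]:
        print(" -", finding)
```

The last finding is deliberately a check rather than a verdict: whether a syncrepl consumer's applied changes are written to the slurpd replog is exactly what the post is asking, and the way to settle it on a running server is to watch the `replogfile` path for growth after a change arrives from the provider.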