Hi all,
I want to implement a specific OpenLDAP configuration with 3 instances:
- 1st is a master
- 2nd is a syncrepl replica "and" slurpd master
- 3rd is a slurpd replica
The reason I want to implement this configuration is that I have firewall restrictions: only the 2nd instance can establish TCP connections to the 1st and 3rd instances. TCP connections in the other direction are forbidden >:o .
The 1st instance sends updates correctly to the 2nd instance. But the 2nd instance doesn't generate a replication log. So, I send nothing to the 3rd instance.
Here is an extract of my 2nd instance configuration:

database        bdb
suffix          "o=test"
rootdn          "cn=root DN, o=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/products/freeware/openldap/var/openldap-slapd-pivot
#
# Changelog is checked every 64 KB written or every 15 min
#
checkpoint      64 15

# password hash algorithm
password-hash   {SSHA}

#
# Set the entry cache size to 50000.
#
cachesize       50000
# Indexes to maintain
index   objectClass,entryCSN,entryUUID  eq
index   uid     pres,eq,sub
index   mail    pres,eq,sub
index   cn      pres,eq,sub
index   sn      pres,eq,sub

#
# Slurpd master replication parameters
#
replica uri=ldaps://localhost:1636/
        binddn="cn=Replicator, o=test"
        bindmethod=simple
        credentials=secret

replogfile /usr/products/freeware/openldap/var/replication/replication_pivot.log

#
# SyncREPL slave replication parameters
#
syncrepl rid=3
        provider=ldaps://10.1.1.69:636
#       type=refreshOnly
        type=refreshAndPersist
#       interval=01:00:00:00
        searchbase="o=test"
        filter="(objectClass=*)"
        scope=sub
#       attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret
So, my questions: Can this architecture work? If yes, do you have an idea to solve the issue? If no, is there a solution given the restriction?
Rgds, Bruno.
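Added example, not code from Bruno's post or from the OpenLDAP project: a small Python lint that parses an slapd.conf extract carrying the same `replica` and `syncrepl` directives as the one quoted above and reports the replication-bind settings a reviewer would check before deploying the middle instance: simple-bind credentials stored in cleartext, a consumer that binds with the rootdn, a provider or replica reached over plain `ldap://` without TLS, and `schemachecking` left off. The sample configuration embedded in it is constructed to mirror the quoted one (the rootpw is a placeholder, not the hash from the post); the parsing rules (column-0 `#` comments, whitespace continuation lines) and the option names `starttls=`, `tls=` and `saslmech=EXTERNAL` are taken from slapd.conf(5) for the 2.3 series, and the severities are this example's own judgement.

```python
"""Lint the replication directives of an OpenLDAP 2.3-era slapd.conf.

Added example for the thread above; not code from the original post or
from the OpenLDAP project. SAMPLE_SLAPD_CONF is constructed to mirror the
quoted 2nd-instance configuration (rootpw replaced by a placeholder).
"""
import shlex
from typing import Dict, List, Tuple

Directive = List[str]           # tokenized directive: [name, arg, arg, ...]
Finding = Tuple[str, str, str]  # (severity, directive name, message)

SAMPLE_SLAPD_CONF = """\
database        bdb
suffix          "o=test"
rootdn          "cn=root DN, o=test"
rootpw          {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
directory       /var/openldap-slapd-pivot
checkpoint      64 15
password-hash   {SSHA}
cachesize       50000
index           objectClass,entryCSN,entryUUID eq

# Slurpd master replication parameters
replica uri=ldaps://localhost:1636/
        binddn="cn=Replicator, o=test"
        bindmethod=simple
        credentials=secret
replogfile /var/replication/replication_pivot.log

# SyncREPL slave replication parameters
syncrepl rid=3
        provider=ldaps://10.1.1.69:636
        type=refreshAndPersist
        searchbase="o=test"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret
"""


def parse_slapd_conf(text: str) -> List[Directive]:
    """Tokenize slapd.conf text following slapd.conf(5): blank lines and
    lines starting with '#' are ignored, and a line that starts with
    whitespace continues the previous directive."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    # shlex strips the double quotes around values such as "cn=root DN, o=test"
    return [shlex.split(line) for line in logical]


def keyvals(directive: Directive) -> Dict[str, str]:
    """Turn the key=value arguments of a replica/syncrepl directive into a dict."""
    out: Dict[str, str] = {}
    for tok in directive[1:]:
        key, sep, val = tok.partition("=")
        if sep:
            out[key.lower()] = val
    return out


def lint_replication(text: str) -> List[Finding]:
    """Report replication settings worth a second look before deployment."""
    directives = parse_slapd_conf(text)
    rootdns = {d[1] for d in directives if d[0].lower() == "rootdn" and len(d) > 1}
    findings: List[Finding] = []
    for d in directives:
        name = d[0].lower()
        if name not in ("replica", "syncrepl"):
            continue
        kv = keyvals(d)
        # slurpd's replica directive takes uri= or host=, syncrepl takes provider=
        target = kv.get("uri") or kv.get("host") or kv.get("provider", "?")
        if kv.get("bindmethod", "simple").lower() == "simple" and "credentials" in kv:
            findings.append(("medium", name, f"{target}: simple-bind password is stored in "
                             "cleartext in slapd.conf; keep the file mode 0600 or use "
                             "bindmethod=sasl saslmech=EXTERNAL with a TLS client certificate"))
        if kv.get("binddn") in rootdns:
            findings.append(("high", name, f"{target}: binds as this server's rootdn; a "
                             "dedicated replicator identity with only the access replication "
                             "needs is the least-privilege choice"))
        # syncrepl uses starttls=yes|critical, the replica directive uses tls=yes|critical
        tls = (kv.get("starttls") or kv.get("tls") or "no").lower()
        if target.startswith("ldap://") and tls not in ("yes", "critical"):
            findings.append(("high", name, f"{target}: bind credentials and directory data "
                             "travel without TLS"))
        # schemachecking defaults to off for syncrepl consumers
        if name == "syncrepl" and kv.get("schemachecking", "off").lower() == "off":
            findings.append(("low", name, f"{target}: schemachecking=off, replicated entries "
                             "bypass local schema validation"))
    return findings


if __name__ == "__main__":
    for severity, directive, message in lint_replication(SAMPLE_SLAPD_CONF):
        print(f"[{severity:6}] {directive}: {message}")
```

Run against the embedded sample it reports four findings: cleartext credentials on both the `replica` and the `syncrepl` directive, the consumer binding as the rootdn, and `schemachecking=off`; both endpoints already use `ldaps://`, so no TLS finding fires. Pointing it at the real file before the third instance goes live is the intended use.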