Some questions around syncrepl, updateref, the chain overlay and teh authzTo attribute:
For performance reasons, I need a LDAP replica on a remote site. I set this up using syncrepl. Now, given some clients' inability to direct updates to an LDAP server different from the one they send queries to, is the following the intended way to deal with this situation (using OpenLDAP as a server, of course) or is there a simpler solution?
- set updateref on the syncrepl consumer - use the chain overlay on the syncrepl consumer - set an appropriate authzTo attribute for the replication entity and set autz-policy to to on the syncrepl provider
I'm somewhat reluctant to configuring something as powerful as proxy auth in LDAP attributes. Is there a way to configure proxy authorisation solely in slapd.conf? Or at least, to restrict it to entities explicitly enumerated in slapd.conf?
As an aside, I couldn't find it documented that authzTo was an operational attribute, so I wasted my time looking for a schema containing that attribute. Did I miss something or is this indeed not documented explicitly?