Hi all!
Although my questions are in some aspects similar to the ones in the thread "Multi Master Enviornment for Openldap 2.3", please allow me to start my own, as my situation is slightly different.
First, what I have:
* two servers, running SLES10 (in a testing environment)
* one is configured as master (I think it should be called the provider): ldapserv2
* the second should act as slave (consumer): ldapserv1
* both serve as database for freeradius, dhcpd and bind9, which are working greatly together!
* keeping data consistent is done by syncrepl, which also works great!
Now the questions:

1) How to handle write requests sent by clients to the slave (ldapserv1)? I tried to set up slapo-chain but obviously failed, since clients which cannot handle referrals fail to write data (they get the error LDAP_REFERRAL) if they send it to the slave ldapserv1. Or am I misunderstanding the concept? My slapd.conf on the slave looks like this (relevant part only):

--- slapd.conf
### database definitions etc. [skipped]
#### chain overlay definition
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldaps://ldapserv2.biochem.mpg.de"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
    binddn="cn=manager,o=test"
    credentials="secret"
    mode="self"

syncrepl rid=2
    provider=ldaps://ldapserv2.biochem.mpg.de
    type=refreshAndPersist
    retry=1,5,5,6,30,+
    interval=00:00:01:00
    searchbase="o=test"
    filter="(objectclass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    binddn="cn=manager,o=test"
    bindmethod=simple
    credentials="secret"
    sizelimit=unlimited

### update referral
updateref ldaps://ldapserv2.biochem.mpg.de
---- end of slapd.conf
As said, syncrepl works perfectly, but write requests (via a PHP web interface) to ldapserv1 are not forwarded (as I would expect/want) to ldapserv2. What am I doing wrong here?
2) What to do if ldapserv2 (master) is unreachable? Is it possible just to "switch" ldapserv1 to be a master (commenting out the syncrepl section, chain and updateref and restarting openldap), or is there a better method?
3) A "conceptual" question: for production use I think a two-server setup may not be reliable enough (as we plan to do all authentication via LDAP, both users and devices on switches). What would be the "optimal" setup? I thought of something like one master, which is not addressed by clients directly, and two slaves which chain write requests to the master and answer read requests themselves; clients only contact the two slaves. Is this a reasonable setup, or what would be a preferable installation?
4) What about the mirrormode mentioned in another thread? Would this serve my needs better, or is the above scenario "good enough"? But mirrormode is only available in OpenLDAP 2.4?
Thanks in advance for any hints and comments!

With best regards,
Markus
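An added example, not part of the post above, of the consumer's chain overlay configured as a global overlay (before any database section) with chain-return-error set, so that a chaining attempt that fails on the consumer is reported to the client as an error instead of being handed back as the bare referral the PHP client cannot follow. The hostnames and credentials are taken from the post; the global placement and the availability of chain-return-error in the installed 2.3 release are assumptions to be checked against slapo-chain(5).

```conf
# Added example (assumption-based, not the poster's configuration):
# consumer slapd.conf, chain overlay as a GLOBAL overlay.
# Global overlays must appear before the first "database" directive.

overlay              chain
# provider that write operations are chained to
chain-uri            "ldaps://ldapserv2.biochem.mpg.de"
# bind to the provider with a fixed identity and assert the client's own DN;
# on the provider that identity must be allowed to assume other identities
# (rootdn, or an authz-policy/authzTo rule)
chain-idassert-bind  bindmethod=simple
                     binddn="cn=manager,o=test"
                     credentials="secret"
                     mode=self
# do not rebind to the provider with the client's credentials
chain-rebind-as-user FALSE
# report a chaining failure (e.g. the TLS session to ldaps:// cannot be
# established) as an error to the client instead of returning the referral
# (assumption: directive present in the installed slapo-chain)
chain-return-error   TRUE

database             bdb
suffix               "o=test"
# ... directory, indexes, ACLs as before ...

# syncrepl consumer definition exactly as in the post
# syncrepl rid=2 provider=ldaps://ldapserv2.biochem.mpg.de ...

# referral for writes; the chain overlay is what turns this into a
# chained operation instead of an LDAP_REFERRAL reply
updateref            ldaps://ldapserv2.biochem.mpg.de
```

To check the behaviour, send a modify to ldapserv1 with a client that does not chase referrals (the OpenLDAP ldapmodify does not unless -C is given): with chaining working the change appears on ldapserv2, and with chaining failing the reply is now a concrete error (typically a connect or TLS failure) rather than a referral.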