On 10/09/2009 20:23, Brandon Hume wrote:
Most of my organization's data is kept in LDAP, along with groups and affiliations and titles and positions and everything else. We've got a simple single-master, multi-slave setup, built back in the OpenLDAP 2.0 days.
We also have a provisioning service, which essentially monitors LDAP, and as new people arrive, change position, or what have you, it runs off and provisions accounts, mailboxes, services and permissions as needed for the person, all automatically.
Currently, this monitoring - trying to keep it as "live" as possible - is done by essentially making the provisioning server an LDAP replicant, using slurpd. It works "well enough", though it has some problems.
But slurpd is going away, and I'm trying to kill it off in our structure. The provisioning server is one of the last holdouts.
So my question is this: Is it possible for me to write some code, using perl or C or whatever is needed, that will connect as a syncrepl consumer, and "refresh and persist"? Are there docs for how the synchronization protocol works? Is it just an odd LDAP query?
Hi,
You should find this section of the admin guide enlightening: http://www.openldap.org/doc/admin24/replication.html
The syncrepl protocol is defined by RFC4533. Very basically, it is a plain LDAP search plus a specific control to obtain a persistent search, and communicate state change information.
If you choose this route, you can of course look at OpenLDAP's code in C (servers/slapd/syncrepl.c in the source tree). Also, the ApacheDS project is implementing a listener in Java, which you probably look at too.
If you do implement a syncrepl consumer, many of us would be most interested to hear your feedback, and/or checkout the code.
Hope this helps, Jonathan