Edgar Fuß wrote:
For performance reasons, I need a LDAP replica on a remote site. I set this up using syncrepl. Now, given some clients' inability to direct updates to an LDAP server different from the one they send queries to, is the following the intended way to deal with this situation (using OpenLDAP as a server, of course) or is there a simpler solution?
- set updateref on the syncrepl consumer
- use the chain overlay on the syncrepl consumer
Yupp. Use slapo-chain on the consumer.
- set an appropriate authzTo attribute for the replication entity and set authz-policy to to on the syncrepl provider
That is for proxy authorization. Do you really need that? From my understanding the clients would be to the consumer replica and the master enforces access control. IMHO no need for proxy authz.
As an aside, I couldn't find it documented that authzTo was an operational attribute, so I wasted my time looking for a schema containing that attribute.
Why is looking at the schema a waste of time?
Ciao, Michael.
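The three steps listed in the question, written out as slapd.conf fragments. This is an added example, not configuration posted by either participant; the host name, DNs, directory path, regex and credential placeholder are assumptions.

```conf
# --- Consumer (remote replica), slapd.conf: constructed example ---
# Global section: the chain overlay chases referrals on the client's behalf,
# so clients that cannot follow referrals can still send writes here.
overlay             chain
chain-uri           "ldap://provider.example.com"
# mode=self: bind as the replica identity, then assert the client's own
# identity to the provider, so the provider's ACLs are evaluated as the client.
chain-idassert-bind bindmethod="simple"
                    binddn="cn=replica,dc=example,dc=com"
                    credentials="REPLACE_ME"
                    mode="self"
chain-tls           start
chain-return-error  TRUE

database            mdb
suffix              "dc=example,dc=com"
directory           /var/lib/ldap
syncrepl            rid=001
                    provider=ldap://provider.example.com
                    type=refreshAndPersist
                    retry="60 +"
                    searchbase="dc=example,dc=com"
                    bindmethod=simple
                    binddn="cn=replica,dc=example,dc=com"
                    credentials="REPLACE_ME"
                    starttls=critical
# Writes to this read-only replica return this referral; the chain overlay
# above follows it instead of handing it back to the client.
updateref           ldap://provider.example.com

# --- Provider, slapd.conf (global section) ---
# Honour authzTo rules stored in the entry of the authenticated identity.
authz-policy        to

# --- Provider, entry of the replica identity (LDIF, shown as comments) ---
# dn: cn=replica,dc=example,dc=com
# authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
#
# Keep the authzTo rule narrow: it defines every identity the replica
# credential is allowed to assume on the provider. A rule matching
# administrative DNs turns a compromised replica into a provider admin.
```

authzTo is an operational attribute built into slapd, so no additional schema file has to be included on the provider.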