Hi, people!

My company asks me to build an LDAP server network where there is a big central server storing data from all the company and various minor servers, one for each branch office, where only the sensitive data for the office is stored. The good way is to do some replication with slurpd or syncrepl, copying data registered on the central server to the minor, local servers.

The problem is that they've requested me to follow the bad way: it was required that the data must be stored on the minor, local server first, and replicated to the central server after. I know it is multimaster replication and it is dangerous, not kosher and whatnot, but they insist on using this topology. Also, they don't want to use some other external application. The problem is that the Internet links are very unstable here, and expecting a write on the central server and its posterior replication can stop an office for some days.

So, I've followed the ugly way, doing some complex workarounds with slurpd and imposing some restrictions to the data. However, it is clear that what I have done is not correct: it is very hard to understand and to maintain, it uses some undocumented OpenLDAP features, it makes impossible to use TLS for authentication etc.

So, I'd like to ask: does anyone have some tip on what to do in this situation? Does anyone have an idea about how to implement this exotic replication model on a reasonably simple way? I hope so... :)

Thanks in advance!