On Tue, Jan 26, 2010 at 07:23:51PM -0800, Howard Chu wrote:
Alex Samad wrote:
Hi
I have setup a multimaster setup and some slave nodes, using cn=config.
I am looking at trying to create a user in the cn=config space
The config database does not support user entries, it only handles config entries.
Okay, maybe you can suggest a best practice approach for my setup.
I have 2 master nodes setup in multiple master
and a few (3-4) slave nodes.
In it previous incarnation I used slapd.conf + tls to authorise access, I mapped x509 dns to a replica dn, so the base was dc=samad,dc=com,dc=au and the replica dn was cn=replia,ou=roles,dc=samad,dc=com,dc=au
now I want to do the same thing, map x509 certs to roles and give the roles access to certain parts of cn=config and dc=samad,dc=com,dc=au.
I can understand putting roles in the dc=samad,dc=com,dc=au for dc=samad,dc=com,dc=au, but I don't really see putting roles in dc=samad,dc=com,dc=au to manage/access cn=config and I would rather not be always using the cn=config rootdn/rootpw
should I create a cn=manager db and use that ?
My other question on this setup is replicating dc=samad,dc=com,dc=au, means replicating olcDatabase={2}hdb,cn=config and below, which means I also replicate the olcsyncRepl. Should I either block this on the masters and create it on the consumers or somehow when i create the initial consumer tell it not to replicate this attribute.
My issue right now is that it has rootdn/rootpw. and I am looking at moving to tls/certs - re the above question
Alex