I sent this two days ago, from an unsubscribed account, and it still hasn't shown up... don't know if moderation is hampered, or if it just didn't make it through...
I have the basics covered - 1 master, 4 syncrepl slaves (going to 2-3 MM, 1-2 slaves). This setup has been working quite well - supporting AIX, Linux user data, Samba PDC/BDCs, and Kerberos (slapd 2.4.7 Debian Sid/unstable).
The only issue I have now, is having to find the master to perform any updates.
I'd like to use slapo-chain so that update referrals are automatically handled, especially since so little stuff supports referrals - even things that should.
There are a few examples here and there, and unfortunately, some of them contradict others (probably written to different ldap levels).
As an example of my plight, here is the output of ldappasswd on a slave machine (ldapmodify shows the same issue, but isn't as easy to show).
#
# on the slave, when trying an ldappasswd:
$ ldappasswd -Ydigest-md5 -w<my passwd>
SASL/DIGEST-MD5 authentication started
SASL username: renegade
SASL SSF: 128
SASL data security layer installed.
Result: Referral (10)
Referral: ldap://ldap-master.cobpli.svl.ibm.com

#
# The following is the slave ldap trace, and there is *no* traffic to the master...
conn=0 op=1 BIND authcid="renegade@COBPLI.SVL.IBM.COM" authzid="renegade@COBPLI.SVL.IBM.COM"
conn=0 op=1 BIND dn="uid=renegade,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=0 op=1 RESULT tag=97 err=0 text=
conn=0 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=2 PASSMOD
conn=0 op=2 RESULT oid= err=10 text=

#
# The basics work:
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: renegade@COBPLI.SVL.IBM.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=renegade,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com

#
# Proxy authentication works:
$ ldapwhoami -Uproxy -Ydigest-md5 -w<passwd> -Xu:cowboy
SASL/DIGEST-MD5 authentication started
SASL username: u:cowboy
SASL SSF: 128
SASL data security layer installed.
dn:uid=cowboy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com
#
# Here are the likely relevant slapd.conf sections (chain overlay, syncrepl, updateref):
#
overlay chain
chain-uri "ldap://ldap-master.cobpli.svl.ibm.com/"
# Neither of these lines makes a difference
chain-rebind-as-user TRUE
#chain-rebind-as-user FALSE
# Here, I've tried simple/sasl, varied saslmech, etc...
chain-idassert-bind bindmethod="simple"
    saslmech=digest-md5
    authz=proxyauthz
    binddn="uid=proxy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com"
    credentials="<passwd>"
    mode=self
chain-idassert-authzFrom "*"
syncrepl rid=1
    provider=ldap://ldap-master.cobpli.svl.ibm.com/
    starttls=no
    binddn="cn=Replicator,ou=DSA,dc=cobpli,dc=svl,dc=ibm,dc=com"
    bindmethod=simple
    credentials=<passwd>
    searchbase="dc=cobpli,dc=svl,dc=ibm,dc=com"
    schemaChecking=off
    type=refreshAndPersist
    retry="10 10 300 +"

updateref ldap://ldap-master.cobpli.svl.ibm.com/
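An added check, not part of the original post: it scans slapd stats-level log lines for write operations (including the PASSMOD extended op) that came back with err=10, which is exactly what a replica returns when it hands the updateref back to the client instead of chaining the update to the master. The log text is constructed from the slave trace above plus one successful modify, and the `find_unchained_writes` function name is my own.

```python
import re

# Constructed sample, modelled on the slave trace in the post plus one
# successful MOD on a second connection so the check has a negative case.
SAMPLE_LOG = """\
conn=0 op=1 BIND authcid="renegade@COBPLI.SVL.IBM.COM" authzid="renegade@COBPLI.SVL.IBM.COM"
conn=0 op=1 BIND dn="uid=renegade,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=0 op=1 RESULT tag=97 err=0 text=
conn=0 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=2 PASSMOD
conn=0 op=2 RESULT oid= err=10 text=
conn=1 op=0 MOD dn="uid=cowboy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com"
conn=1 op=0 RESULT tag=103 err=0 text=
"""

LDAP_REFERRAL = 10                                   # LDAP resultCode referral(10)
WRITE_OPS = {"ADD", "MOD", "MODRDN", "DEL", "PASSMOD"}  # ops a replica must chain
LINE_RE = re.compile(r"^conn=(\d+) op=(\d+) (\w+)(.*)$")


def find_unchained_writes(log_text):
    """Return a list of (conn, op, op_type) for write operations whose
    RESULT line carried err=10, i.e. the replica answered with a referral
    rather than forwarding the write through slapo-chain."""
    op_type = {}        # (conn, op) -> write op type seen for that op id
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        key = (int(conn), int(op))
        if kind in WRITE_OPS:
            op_type[key] = kind
        elif kind == "RESULT" and key in op_type:
            err = re.search(r"\berr=(\d+)", rest)
            if err and int(err.group(1)) == LDAP_REFERRAL:
                findings.append((key[0], key[1], op_type[key]))
    return findings


if __name__ == "__main__":
    for conn, op, kind in find_unchained_writes(SAMPLE_LOG):
        print(f"conn={conn} op={op}: {kind} returned referral(10), not chained")
```

Run it over a replica's syslog output (loglevel stats) after enabling the chain overlay; any line it reports means the write never reached the master via the overlay.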