When we first deployed OpenLDAP a decade or so ago, we implemented regular syncrepl rather than delta syncrepl because at the time the latter did not support mirror mode. As part of a project to implement the password policy overlay, we plan to switch to delta syncrepl to make the replication of failed login attributes etc. more efficient.
If I understand correctly, while obviously if a provider is only configured for syncrepl a consumer can only use syncrepl, if a provider is configured for delta syncrepl, a consumer can do either? As such, my tentative deployment plan (intended to avoid downtime), is:
* Update configuration on backup master to provide delta syncrepl
* Cutover load balancer to backup master
* Update primary master to provide delta syncrepl, and to consume changes from backup master via delta syncrepl
* Cutover load balancer back to primary master
* Update backup master to consume changes from primary master via delta syncrepl
* One at a time, remove slaves from load balancer and update to consume changes from both masters via delta syncrepl
Currently on my masters, syncrepl is configured as:
-----
overlay syncprov
syncprov-checkpoint 500 30
syncprov-reloadhint TRUE
syncprov-sessionlog 500
-----
And consumers are configured as:
-----
syncrepl rid=1
  provider=ldaps://master-2.ldap.csupomona.edu/
  type=refreshAndPersist
  retry="10 10 60 +"
  searchbase="dc=csupomona,dc=edu"
  bindmethod=simple
  binddn=cn=XXXX
  credentials=XXXXXX
-----
To add delta syncrepl support to the provider, my understanding is that I need to add the access log database:
-----
database mdb
directory /var/lib/openldap-data/accesslog
maxsize 2147483648
suffix cn=accesslog
rootdn cn=accesslog

index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
-----
And update the syncrepl config on the primary database to include the accesslog overlay:
-----
overlay syncprov
syncprov-checkpoint 500 30
syncprov-reloadhint TRUE
syncprov-sessionlog 500

overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
-----
And then on the consumer, I need to update the syncrepl configuration to include the logbase, logfilter, and syncdata elements:
-----
syncrepl rid=1
  provider=ldaps://master-2.ldap.csupomona.edu/
  type=refreshAndPersist
  retry="10 10 60 +"
  searchbase="dc=csupomona,dc=edu"
  bindmethod=simple
  binddn=cn=XXXX
  credentials=XXXXXX
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
-----
Does this all seem reasonable and pass sanity check?
Thanks much.
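
A consistency check for the provider and consumer directives quoted in the message above, as an added example that is not part of the original post: it confirms that the accesslog database carries syncprov, that the accesslog overlay logs writes, and that each consumer's logbase matches the provider's logdb. The function names `logical_lines` and `check_delta` are hypothetical, and the sample configuration is constructed from the directives in the post.

```python
import shlex
# Constructed sample input, reduced from the directives quoted in the post.
PROVIDER = """database mdb
suffix cn=accesslog
overlay syncprov
database mdb
suffix dc=csupomona,dc=edu
overlay accesslog
logdb cn=accesslog
logops writes
"""
CONSUMER = """syncrepl rid=1 provider=ldaps://master-2.ldap.csupomona.edu/
  type=refreshAndPersist retry="10 10 60 +" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
"""

def logical_lines(text):
    """Tokenize slapd.conf: drop comments, join indented continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return [shlex.split(line) for line in out]

def check_delta(provider_conf, consumer_conf):
    """Return mismatches between provider accesslog setup and consumer syncrepl."""
    seen, suffix, has_syncprov, problems = {}, None, set(), []
    for key, *args in logical_lines(provider_conf):
        if key == "suffix":
            suffix = args[0].lower()
        elif key == "overlay" and args[0] == "syncprov":
            has_syncprov.add(suffix)  # syncprov attaches to the current database
        elif key in ("logdb", "logops"):
            seen[key] = [a.lower() for a in args]
    logdb = seen.get("logdb", [None])[0]
    if logdb is None or logdb not in has_syncprov:
        problems.append("provider: no accesslog database carrying syncprov")
    # Simplification: only the 'writes' and 'all' logops keywords are recognized.
    if not {"writes", "all"} & set(seen.get("logops", [])):
        problems.append("provider: logops does not cover writes")
    for _, *args in (t for t in logical_lines(consumer_conf) if t[0] == "syncrepl"):
        kv = dict(a.split("=", 1) for a in args if "=" in a)
        ok = kv.get("syncdata") == "accesslog" and "logfilter" in kv
        if not (ok and kv.get("logbase", "").lower() == logdb):
            problems.append("consumer rid=%s: not set up for delta-syncrepl" % kv.get("rid"))
    return problems
```

An empty list means the two sides agree; a consumer still on plain syncrepl, as in the current configuration quoted above, is reported by its rid.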