Hello,
I have some basic experience interacting with & troubleshooting OpenLDAP as well as 389-ds, but I don't have a whole lot of experience setting them up or configuring an OpenLDAP server.

My goal is to setup replication from a Primary inside a trusted network outwards to a Replica that is in an untrusted network, without allowing the replica any direct access to the primary, due to firewall flows and network requirements. This is true even for the initial connection, so a simple RefreshAndPersist configuration won't work.

I have read that it is possible to setup a push-based replication using a proxy, such that:

The proxy gets installed as a "hidden" database onto the same server as the primary
The proxy sets up replication with the primary using RefreshAndPersist
The proxy is then able to push the data out of the replica

I have skimmed over, and re-read, a lot of portions from this document: https://www.openldap.org/doc/admin24/replication.html

I have also followed this basic guide to setup a Primary with replication capability: https://ubuntu.com/server/docs/service-ldap-replication

What I'm having trouble with, is finding a useful guide that will walk me through the process to setup and configure the proxy as I've described above.

Questions:

Based on my requirements above, will the proxy with syncrepl meet my needs?

If I put the proxy onto the same server as the primary, then due to firewall flows, the replica will not have any access to the primary. All communication will need to be initiated outbound
If I put the proxy into the same network as the replica, well.... that won't work either, for the same reason

The following URL from the OpenLDAP docs provides some example configs: https://www.openldap.org/doc/admin24/replication.html#Syncrepl%20Proxy

If I'm reading everything correctly, though, the "new" / "accepted" / "preferred" way to configure the ldap server is to use the `ldapadd`, `ldapmodify`, and related commands. My confusion and question here is.... should I try to configure all of this by editing the old slapd.conf file as the openldap.org docs provide examples, or is there a way to do this using the ldapmodify & related commands?
If I can / should do this from the command line... are there any guides or tutorials that will take me step-by-step through the process as I try to build this in a lab environment?

Thanks in advance,
David

Sent with ProtonMail Secure Email.