Hi,
I would like to control what gets replicated to my ldap slaves.
How would I specify what I don't want to be replicated? Is this even possible or do I have to create a filter that finds everything that I want to send down?
Thanks,
This is something I would like details on, too!
In order to control what gets replicated, I tried defining as "binddn" (in syncrepl slaves) an account with particular privileges (as defined in my master ACL) and I remained with the impression that whatever this account has "read" privileges on, will get replicated.
However, this was not the case. Replication didn't work with that account (or with some other accounts with limited access I tried) in slave syncrepl "binddn".
I ended up using the master's Manager as a "binddn" in syncrepl slaves and thus all the DIT gets replicated, but I couldn't find any other alternative.
Still, replication works flawlessly this way and my DIT is not very large, so the problem is not very big for me, but ideally I would like to isolate parts of the DIT depending on what is used in each slave.
I'm using openldap 2.3.43-12 on CentOS 5.5 on all boxes.
Nick
On 3/11/2010 4:43 PM, Bram Cymet wrote:
> Hi,
> I would like to control what gets replicated to my ldap slaves.
> How would I specify what I don't want to be replicated? Is this even possible or do I have to create a filter that finds everything that I want to send down?
> Thanks,
It seems we don't have much input on syncrepl filtering, but I found this thread, and it might serve as a starting point for testing: http://www.openldap.org/lists/openldap-technical/200906/msg00311.html
Here is the working setup on the syncrepl consumer:
syncrepl rid=123
        provider=ldap://rh-test3.kvm.rla:389
        type=refreshOnly
        interval=00:00:01:00
        retry="30 10 600 20"
        searchbase="dc=local"
        filter="(|(objectClass=sambaGroupMapping)(uid=user1))"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="uid=syncrepl,ou=sysusers,dc=local"
        credentials=pwdsyncrepl
# BEGIN Session TLS
        starttls="critical"
        tls_cacert=__CACERTFILE__
# End Session TLS
Obviously the binddn should have (just read?) access to the part of the DIT being replicated.
In that thread, the user is using syncrepl type=refreshOnly with a filter on Openldap 2.3.
From an older thread (on openldap v2.3.11): http://www.openldap.org/lists/openldap-bugs/200512/msg00014.html, you can see another working setup. The user mentions some problems with type = refreshAndPersist replication but these are reported as corrected in subsequent openldap versions.
Nick
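As an added example (not taken from any message in this thread), here is one way to put the two ideas above together on an OpenLDAP 2.3 provider/consumer pair: the provider ACL grants a dedicated replication account read access to only one subtree, and the consumer's searchbase and filter cover only that subtree. All DNs, the host name, the suffix and the password are placeholders I made up; the ACL ordering and the syncprov overlay are my assumptions, not settings quoted in the thread.

```conf
#
# Provider (master) slapd.conf fragment, hypothetical values
#
database        bdb
suffix          "dc=local"
rootdn          "cn=Manager,dc=local"

# syncprov is what answers the consumers' sync searches
overlay         syncprov
syncprov-checkpoint 100 10

# Passwords: users may change their own, anyone may bind with them,
# and the replication account may read them so slaves can authenticate users.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="uid=syncrepl,ou=sysusers,dc=local" read
        by * none

# The only subtree the replication account is allowed to read.
# Entries it cannot read are never returned to the consumer, so they are not replicated.
access to dn.subtree="ou=people,dc=local"
        by dn.exact="uid=syncrepl,ou=sysusers,dc=local" read
        by users read
        by * none

# Everything else stays hidden from the replication account.
access to *
        by dn.exact="uid=syncrepl,ou=sysusers,dc=local" none
        by users read
        by * none

#
# Consumer (slave) slapd.conf fragment, hypothetical values
#
database        bdb
suffix          "dc=local"
rootdn          "cn=Manager,dc=local"

# searchbase is the subtree the replication account can read;
# the account must be able to read the searchbase entry itself,
# otherwise the sync search fails with noSuchObject.
syncrepl rid=001
        provider=ldap://master.example.invalid:389
        type=refreshOnly
        interval=00:00:05:00
        retry="60 10 300 +"
        searchbase="ou=people,dc=local"
        filter="(objectClass=inetOrgPerson)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="uid=syncrepl,ou=sysusers,dc=local"
        credentials=CHANGEME
```

The ACL does the restricting; the consumer's searchbase and filter only narrow things further. A quick way to verify the provider side before pointing a consumer at it is to run ldapsearch bound as the replication account with the same base and filter: whatever that search returns is exactly what the consumer will receive.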
openldap-technical@openldap.org