Hi,
I have the following setup
LAN --- slapd 2.4.7 (master) --- DMZ ---slapd 2.3.30 (slave)
I'm trying to achieve replication from master to slave. the firewall policy is LAN-->DMZ allow DMZ-->LAN reject
this was actually very easy with slurpd (removed from 2.4) as the only need was to allow TCP traffic from master to slave
with syncrepl it seems to me that no matter if I use push/pull method the client (slave) is the one that binds to the master (provider). this means that firewall rule that allows TCP traffic to LAN is needed - this is very ugly.
is there a way to workaround this (or did i just misunderstand the whole problem)
thanks,
Martin.
Martin Simovic wrote:
Hi,
I have the following setup
LAN --- slapd 2.4.7 (master) --- DMZ ---slapd 2.3.30 (slave)
I'm trying to achieve replication from master to slave. the firewall policy is LAN-->DMZ allow DMZ-->LAN reject
this was actually very easy with slurpd (removed from 2.4) as the only need was to allow TCP traffic from master to slave
with syncrepl it seems to me that no matter if I use push/pull method the client (slave) is the one that binds to the master (provider). this means that firewall rule that allows TCP traffic to LAN is needed - this is very ugly.
is there a way to workaround this (or did i just misunderstand the whole problem)
See the configuration used in test045 in the test suite.
On Tue, 24 Jun 2008 09:40:24 -0700, Howard Chu hyc@symas.com wrote:
Martin Simovic wrote:
Hi,
I have the following setup
LAN --- slapd 2.4.7 (master) --- DMZ ---slapd 2.3.30 (slave)
I'm trying to achieve replication from master to slave. the firewall policy is LAN-->DMZ allow DMZ-->LAN reject
this was actually very easy with slurpd (removed from 2.4) as the only need was to allow TCP traffic from master to slave
with syncrepl it seems to me that no matter if I use push/pull method the client (slave) is the one that binds to the master (provider). this means that firewall rule that allows TCP traffic to LAN is needed - this is very ugly.
is there a way to workaround this (or did i just misunderstand the whole problem)
See the configuration used in test045 in the test suite.
thanks for the answer.
the truth is, i´ve alrady been through the test045 but can´t understand what is going on there. the openldap admin guide seems to be a lot more verbose about much simpler subjects and very sparse about something which does not seem so straightforward (and used to be so simple in slurpd times).
my scenario seems pretty usual (like secured rw copy of DIT on lan, while read only copy on dmz - for mail server, apache auth, etc.) in this very usual and IMHO wise setup the DMZtoLAN traffic is undesirable.
and yet there is no solid documentation in admin guide.
any pointers to documentation would be much appreciated.
thank you,
Martin.
openldap-technical@openldap.org
-
Howard Chu -
Martin Simovic -
msimovic@concurrent-thinking.com