On Thu, 2008-06-26 at 14:06 +0100, Gavin Henry wrote:
> msimovic@concurrent-thinking.com wrote:
>> On Tue, 24 Jun 2008 09:40:24 -0700, Howard Chu hyc@symas.com wrote:
>>> Martin Simovic wrote:
>>>> Hi,
>>>> I have the following setup:
>>>>
>>>> LAN --- slapd 2.4.7 (master) --- DMZ --- slapd 2.3.30 (slave)
>>>>
>>>> I'm trying to achieve replication from master to slave. The firewall policy is: LAN-->DMZ allow, DMZ-->LAN reject.
>>>> This was actually very easy with slurpd (removed from 2.4), as the only need was to allow TCP traffic from master to slave.
>>>> With syncrepl it seems to me that no matter if I use the push or pull method, the client (slave) is the one that binds to the master (provider). This means that a firewall rule that allows TCP traffic to the LAN is needed - this is very ugly.
>>>> Is there a way to work around this (or did I just misunderstand the whole problem)?
>>>
>>> See the configuration used in test045 in the test suite.
>>
>> Thanks for the answer.
>> The truth is, I've already been through test045 but can't understand what is going on there. The OpenLDAP admin guide seems to be a lot more verbose about much simpler subjects and very sparse about something which does not seem so straightforward (and used to be so simple in slurpd times).
>> My scenario seems pretty usual (like a secured rw copy of the DIT on the LAN, while a read-only copy sits on the DMZ - for mail server, Apache auth, etc.). In this very usual and IMHO wise setup the DMZ-to-LAN traffic is undesirable.
>> And yet there is no solid documentation in the admin guide.
>> Any pointers to documentation would be much appreciated.
>
> Did you see:
> http://www.openldap.org/doc/admin24/replication.html#Push%20Based
>
> It really does need cleaning up.

Thanks. Yes, it's really messy.

Actually my desperate need for this made me overcome my laziness. I compiled slapd from source, ran the tests, and immediately after test045 copied the slapd.1. ... slapd.3.conf files. This made me understand what is really going on there.

My understanding is that I need to run two instances of slapd on the master (master + proxy). The proxy is pulling down changes from the master and stores them in its backend (ldap backend pointing to the slave server). All the rest is a question of ACLs.

Can you correct me please, if I'm wrong. Trying to implement it right now.

M.

openldap-technical@openldap.org
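The proxied push setup sketched in the last message, as an added configuration example that is neither from this thread nor copied from the OpenLDAP test suite: a second slapd instance on the LAN side runs the syncrepl engine against the master and replays each change through a slapd-ldap backend to the slave in the DMZ, so every TCP connection is opened from the LAN. Hostnames, ports, DNs and the password are placeholders.

```conf
#######################################################################
# Proxy instance (second slapd on the master-side host, LAN).
# Connections: proxy -> master (inside LAN) and proxy -> slave (LAN->DMZ).
# Nothing in the DMZ ever has to connect back into the LAN, so the
# existing DMZ-->LAN reject rule stays in place.
# Hostnames, ports, DNs and credentials below are placeholders.
#######################################################################

database        ldap
# same suffix as the master lives on this host; "hidden" keeps this
# database out of suffix-conflict checks and out of client queries
hidden          on
suffix          "dc=example,dc=com"
rootdn          "cn=slapd-ldap"
# the slave in the DMZ: every write made by the syncrepl engine is
# relayed to this server through the ldap backend
uri             ldap://slave.dmz.example.com:389/
lastmod         on

# no LDAP client may use this DSA directly; it exists only to relay
restrict        all

# identity used when writing to the slave (the slave's rootdn, as in the
# admin guide example, so operational attributes such as entryCSN can
# be written; the password must match the slave's rootpw)
acl-bind        bindmethod=simple
                binddn="cn=Manager,dc=example,dc=com"
                credentials=CHANGEME

# syncrepl consumer: pulls changes from the master in persist mode
syncrepl        rid=001
                provider=ldap://master.lan.example.com:389/
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=CHANGEME
                searchbase="dc=example,dc=com"
                type=refreshAndPersist
                retry="5 5 300 5"

overlay         syncprov
```

The slave itself carries no syncrepl directive; it is an ordinary database that accepts writes from the identity named in acl-bind, so its access directives should leave everything in the DMZ read-only apart from that identity.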