Hi,
Is it possible to integrate two OpenLDAP servers so that some users (filtered by some criteria) are replicated from one server to another (but not vice versa)?
Does OpenLDAP provide some functionality for this, or must I write a cron-scheduled shell script utilizing ldapsearch and ldapmodify?
Any advice or configuration example is appreciated.
Kind regards,
Harri
Hi!
General FAQ on openldap replication:
https://www.openldap.org/faq/data/cache/1170.html
Use the "syncrepl" configuration directive. On the page
https://www.openldap.org/faq/data/cache/1117.html
there's a configuration example about how to replicate an entire LDAP tree:
--clip--
syncrepl rid=1
        provider=ldap://ldap1.my.org:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="o=my.org,c=us"
        filter="(objectClass=*)"
        scope=sub
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncuser,o=my.org,c=us"
        credentials=syncpass
updateref ldap://ldap1.my.org
--clip--
Note the options 'searchbase', 'filter', 'scope' and 'attrs' that define the LDAP search used to select which objects to replicate. You can set them in the same way you would using ldapsearch to only replicate those objects you need to replicate.
Best,
Janne P.
On Wed, Jan 13, 2021 at 12:13:43PM +0200, Harri T. wrote:
> Hi,
> Is it possible to integrate two OpenLDAP servers so that some users (filtered by some criteria) are replicated from one server to another (but not vice versa)?
> Does OpenLDAP provide some functionality for this, or must I write a cron-scheduled shell script utilizing ldapsearch and ldapmodify?
> Any advice or configuration example is appreciated.
> Kind regards,
> Harri
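The searchbase/filter/scope/attrs knobs Janne points at are the whole selection mechanism, so here is a complete one-way, filtered provider/consumer pair in slapd.conf form as an added example. It is not from the thread or from the OpenLDAP FAQ; the host names ldap1/ldap2.example.com, the dc=example,dc=com tree, the departmentNumber=1234 criterion, the cn=syncuser account, the CA file path and the ACL layout are all assumptions made up for illustration. The point it adds to the FAQ snippet is that the consumer's filter only chooses what the consumer asks for, while the provider's ACLs for the sync account are what actually bound what can ever leave the provider.

```conf
########################################################################
# PROVIDER: ldap1.example.com (assumed name) - the server that is copied
########################################################################
# The syncprov overlay is what answers a consumer's syncrepl searches.
moduleload      syncprov.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# ACLs are evaluated first-match per entry/attribute. They, not the
# consumer's filter, decide what cn=syncuser (assumed replication
# account) can read, and therefore what can ever be replicated.

# Password hashes stay on the provider: only the owner may change them,
# binds may compare them, and nobody (syncuser included) may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# syncuser may read people entries that match the replication criterion
# and nothing else; "break" hands everyone else on to the later rules.
access to dn.subtree="ou=people,dc=example,dc=com"
        filter="(&(objectClass=inetOrgPerson)(departmentNumber=1234))"
        by dn.exact="cn=syncuser,dc=example,dc=com" read
        by * break

# slapd requires "search" access on the search base's entry for the
# search to run at all; without this the syncrepl search is refused.
access to dn.base="ou=people,dc=example,dc=com" attrs=entry
        by dn.exact="cn=syncuser,dc=example,dc=com" search
        by * break

# Everything else is off limits to syncuser; ordinary users keep the
# usual access (simplified for the example).
access to *
        by dn.exact="cn=syncuser,dc=example,dc=com" none
        by self write
        by users read
        by * none

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

########################################################################
# CONSUMER: ldap2.example.com (assumed name) - holds the filtered copy
########################################################################
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Same searchbase/filter/scope/attrs an ldapsearch would use; syncrepl
# is that search plus the sync control, kept open by refreshAndPersist.
# credentials= sits in clear text in this file, so keep slapd.conf
# readable only by the slapd user; starttls=critical makes the simple
# bind travel inside TLS and tls_reqcert=demand pins the provider's
# certificate to the assumed CA file.
syncrepl rid=001
        provider=ldap://ldap1.example.com:389
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="ou=people,dc=example,dc=com"
        filter="(&(objectClass=inetOrgPerson)(departmentNumber=1234))"
        scope=sub
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=syncpass
        starttls=critical
        tls_reqcert=demand
        tls_cacert=/etc/ldap/ca.pem

# Clients that try to write here get a referral to the provider, so the
# relationship stays one-way; nothing on ldap1 points back at ldap2.
updateref       ldap://ldap1.example.com
```

Before wiring up syncrepl, run the same search by hand as the sync account from the consumer host, e.g. `ldapsearch -ZZ -H ldap://ldap1.example.com -x -D cn=syncuser,dc=example,dc=com -W -b ou=people,dc=example,dc=com '(&(objectClass=inetOrgPerson)(departmentNumber=1234))' '*' '+'`: what that returns is exactly what will be replicated, and it should contain only the matching entries and no userPassword values. If users must authenticate against the consumer, the userPassword denial for syncuser has to go, and the consumer then holds the hashes and needs the same protection as the provider. Seed the consumer with the dc=example,dc=com and ou=people entries before the first sync, since syncrepl otherwise has to create placeholder glue entries for the missing parents, and test on a spare pair what happens to an already-replicated entry when its departmentNumber changes so that it no longer matches the filter.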
Hi Janne,
And thank you for the answer. I found out that the replication source is actually a redundant two-node installation with MirrorMode [1] replication between the nodes.
Is this a game changer? Can I add two syncrepl providers to the consumer's slapd configuration? If it's not possible, I think one provider is enough.
Kind regards,
Harri
[1] https://www.openldap.org/doc/admin24/replication.html#MirrorMode
On 14.1.2021 12.03, Janne Peltonen wrote:
> Hi!
> General FAQ on openldap replication:
> https://www.openldap.org/faq/data/cache/1170.html
> Use the "syncrepl" configuration directive. On the page
> https://www.openldap.org/faq/data/cache/1117.html
> there's a configuration example about how to replicate an entire LDAP tree:
> --clip--
> syncrepl rid=1
>         provider=ldap://ldap1.my.org:389
>         type=refreshAndPersist
>         retry="60 +"
>         searchbase="o=my.org,c=us"
>         filter="(objectClass=*)"
>         scope=sub
>         attrs="*,+"
>         schemachecking=off
>         bindmethod=simple
>         binddn="cn=syncuser,o=my.org,c=us"
>         credentials=syncpass
> updateref ldap://ldap1.my.org
> --clip--
> Note the options 'searchbase', 'filter', 'scope' and 'attrs' that define the LDAP search used to select which objects to replicate. You can set them in the same way you would using ldapsearch to only replicate those objects you need to replicate.
> Best,
> Janne P.
> On Wed, Jan 13, 2021 at 12:13:43PM +0200, Harri T. wrote:
>> Hi,
>> Is it possible to integrate two OpenLDAP servers so that some users (filtered by some criteria) are replicated from one server to another (but not vice versa)?
>> Does OpenLDAP provide some functionality for this, or must I write a cron-scheduled shell script utilizing ldapsearch and ldapmodify?
>> Any advice or configuration example is appreciated.
>> Kind regards,
>> Harri
--On Thursday, January 14, 2021 5:34 PM +0200 "Harri T." haba713@gmail.com wrote:
> Hi Janne,
> And thank you for the answer. I found out that the replication source is actually a redundant two-node installation with MirrorMode [1] replication between the nodes.
> Is this a game changer? Can I add two syncrepl providers to the consumer's slapd configuration? If it's not possible, I think one provider is enough.
You can have multiple syncrepl stanzas on a consumer. However, it's not clear to me how things will behave with what you're proposing, so YMMV.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Thu, Jan 14, 2021 at 02:46:35PM -0800, Quanah Gibson-Mount wrote:
>> Hi Janne,
>> And thank you for the answer. I found out that the replication source is actually a redundant two-node installation with MirrorMode [1] replication between the nodes.
>> Is this a game changer? Can I add two syncrepl providers to the consumer's slapd configuration? If it's not possible, I think one provider is enough.
> You can have multiple syncrepl stanzas on a consumer. However, it's not clear to me how things will behave with what you're proposing, so YMMV.
Yeah. The way I've solved something like this is that I have two consumers that form a redundant pair using keepalived, and both of them have one half of the mirrormode-replicating pair as a provider. In my case, I don't actually care that the active consumer may be following an inactive provider (and so have old data). If that's a problem for you, you could figure out a way for the consumers' keepalived to follow what's going on with the providers, and relinquish master status in the consumer pair if the provider they're following is out.
I don't know if the openldap proxy can be used as a syncrepl provider - if it can, you might experiment with that: you could have the consumer use the proxy as the provider, and the proxy could have both members of the mirrored pair as backends. The proxy code selects the backend that is quicker to respond, so always replies if at least one of the backends is alive.
Best,
Janne
openldap-technical@openldap.org