Hi,
it seems this has been asked before but I am not sure of the conclusion:
http://www.openldap.org/lists/openldap-technical/201211/msg00078.html
I have a setup with slapo-lastbind configured on some slaves that have a working chaining configuration to the masters.
It seems that the authTimestamp attribute from slapo-lastbind is not getting replicated.
From looking at the source code for lastbind it seems we would need to implement something similar to olcPPolicyForwardUpdates from ppolicy.c
If none of the gurus here object, the code looks clean enough that I would attempt to port forwarding of updates from slapo-ppolicy to slapo-lastbind (olcLastbindForwardUpdates).
Greetings Christian
Hi Christian, I'm not one of the gurus you were talking about, but I would appreciate that very much anyway!!
I recently filed an ITS asking also for excluding specific entries from having the "authTimestamp" attribute populated (ITS#77076). If you think it should be not so difficult to implement... I would appreciate.
Thanks in advance Marco
Christian Kratzer wrote:
> it seems this has been asked before but I am not sure of the conclusion:
> http://www.openldap.org/lists/openldap-technical/201211/msg00078.html
> I have a setup with slapo-lastbind configured on some slaves that have a working chaining configuration to the masters.
> It seems that the authTimestamp attribute from slapo-lastbind is not getting replicated.
> From looking at the source code for lastbind it seems we would need to implement something similar to olcPPolicyForwardUpdates from ppolicy.c
> If none of the gurus here object, the code looks clean enough that I would attempt to port forwarding of updates from slapo-ppolicy to slapo-lastbind (olcLastbindForwardUpdates).
I don't want to keep you away from contributing this but you should be aware of two issues:
1. You have much higher load because of the chaining to a provider and subsequent replication to the consumers.
2. If the provider is down slapo-ppolicy does *not* write any ppolicy attributes at all.
Ciao, Michael.
Hi Michael,
On Tue, 8 Oct 2013, Michael Ströder wrote: <snipp/>
> I don't want to keep you away from contributing this
I'll give it a shot and see if I can whip up a proof of concept before I dive too deep or waste too much time.
> but you should be aware of two issues:
> - You have much higher load because of the chaining to a provider and
> subsequent replication to the consumers.
Yes, I am aware of the potential load and expect to keep things under control with olcLastBindPrecision. I do not expect updating authTimestamp on each bind to scale past anything but trivial workloads.
> - If the provider is down slapo-ppolicy does *not* write any ppolicy
> attributes at all.
yes it's far from perfect.
I try to address this in my current project by forwarding the updates from the slaves to an ip address shared between the masters using keepalived.
This works adequately but has issues recovering from restarts of the masters.
This would be easier if chaining would support multiple targets.
Greetings Christian
Hi,
On Tue, 8 Oct 2013, Michael Ströder wrote:
> I don't want to keep you away from contributing this but you should be aware of two issues:
> - You have much higher load because of the chaining to a provider and
> subsequent replication to the consumers.
> - If the provider is down slapo-ppolicy does *not* write any ppolicy
> attributes at all.
I whipped up the following patch and would like some review on it:
http://www.cksoft.de/paste/b4e3d7b2a77f330237ef518eb946d104c1999cda/slapo-la...
The patch introduces a new lastbind_forward_updates (olcLastBindForwardUpdates ) boolean parameter to slapo-lastbind that has the same semantics as ppolicy_forward_updates (olcPPolicyForwardUpdates) in slapo-ppolicy.
I adapted the code from slapo-ppolicy but was not sure of one line I marked with TODO in the patch.
I have a 2 master, 2 slave syncrepl test setup with chaining from the slaves to the masters (to one of them to be precise).
- Bind on master1 results in authTimestamp getting replicated to master2 and both slaves.
- Bind on slave1 with olcLastBindForwardUpdates=TRUE results in authTimestamp getting forwarded to the master with updateRef and chaining and replicated from there.
I have also patched the slapo-lastbind.5 manpage.
This of course needs a review before being used in production.
Disclaimers apply.
Greetings Christian
--On Tuesday, October 08, 2013 10:42 PM +0200 Christian Kratzer ck-lists@cksoft.de wrote:
> Hi, I have also patched the slapo-lastbind.5 manpage.
> This of course needs a review before being used in production.
Please read:
http://www.openldap.org/devel/contributing.html
Thanks, Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC
Zimbra :: the leader in open source messaging and collaboration
Hi Quanah,
On Tue, 8 Oct 2013, Quanah Gibson-Mount wrote:
>> I have also patched the slapo-lastbind.5 manpage.
>> This of course needs a review before being used in production.
> Please read:
Thanks for the pointer.
Posted as: ITS#7721
Greetings Christian
openldap-technical@openldap.org