6:25 a.m.
Hi,
it seems this has been asked before but I am not sure of the conclusion:
http://www.openldap.org/lists/openldap-technical/201211/msg00078.html
I have setup setup with slapo-lastbind configured on some slaves that
have a working chaining configuration to the masters.
It seems that the authTimestmap attribute from slapo-lastbind is not
getting replicated.
From looking at the source code for lastbind it seems we would need
to implement something similar to olcPPolicyForwardUpdates from
ppolicy.c
If none of the gurus here don't object the code looks clean enough
that I would attempt to port forwarding of updates from slapo-ppolicy
to slapo-lastbind. ( olcLastbindForwardUpdates )
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
6:37 a.m.
Hi Christian,
I'm not one of the gurus you were talking about, but I would appreciate
that very much anyway!!
I recently filed an ITS asking also for excluding specific entries from
having the "authTimestamp" attribute populated (ITS#77076).
If you think it should be not so difficult to implement... I would
appreciate.
Thanks in advance
Marco
On Tue, Oct 8, 2013 at 3:25 PM, Christian Kratzer <ck-lists(a)cksoft.de>wrote:
Hi,
it seems this has been asked before but I am not sure of the conclusion:
http://www.openldap.org/lists/**openldap-technical/201211/**
msg00078.html<http://www.openldap.org/lists/openldap-technical/201211/...
I have setup setup with slapo-lastbind configured on some slaves that
have a working chaining configuration to the masters.
It seems that the authTimestmap attribute from slapo-lastbind is not
getting replicated.
From looking at the source code for lastbind it seems we would need
to implement something similar to olcPPolicyForwardUpdates from
ppolicy.c
If none of the gurus here don't object the code looks clean enough
that I would attempt to port forwarding of updates from slapo-ppolicy
to slapo-lastbind. ( olcLastbindForwardUpdates )
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian
Kratzer
11:01 a.m.
Christian Kratzer wrote:
it seems this has been asked before but I am not sure of the
conclusion:
http://www.openldap.org/lists/openldap-technical/201211/msg00078.html
I have setup setup with slapo-lastbind configured on some slaves that
have a working chaining configuration to the masters.
It seems that the authTimestmap attribute from slapo-lastbind is not
getting replicated.
> From looking at the source code for lastbind it seems we would need
to implement something similar to olcPPolicyForwardUpdates from
ppolicy.c
If none of the gurus here don't object the code looks clean enough
that I would attempt to port forwarding of updates from slapo-ppolicy
to slapo-lastbind. ( olcLastbindForwardUpdates )
I don't want to keep you away from contributing this but you should be aware
of two issues:
1. You have much higher load because of the chaining to a provider and
subsequent replication to the consumers.
2. If the provider is down slapo-ppolicy does *not* write any ppolicy
attributes at all.
Ciao, Michael.
11:50 a.m.
Hi Michael,
On Tue, 8 Oct 2013, Michael Ströder wrote:
<snipp/>
I don't want to keep you away from contributing this
I'll give it a shot and see if I can whip up a proof of concept before I
dive too deep or waste too much time.
but you should be aware
of two issues:
1. You have much higher load because of the chaining to a provider and
subsequent replication to the consumers.
yes I am are of the potential load and expect to keep things under control
with olcLastBindPrecision. I do not expect updating authTimestamp on each
bind to scale past anything but trivial workloads.
2. If the provider is down slapo-ppolicy does *not* write any
ppolicy
attributes at all.
yes it's far from perfect.
I try to address this in my current project by forwarding the updates from
the slaves to an ip address shared between the masters using keepalived.
This works adequately but has issues recovering from restarts of the masters.
This would be easier if chaining would support multiple targets.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
1:42 p.m.
Hi,
On Tue, 8 Oct 2013, Michael Ströder wrote:
I don't want to keep you away from contributing this but you
should be aware
of two issues:
1. You have much higher load because of the chaining to a provider and
subsequent replication to the consumers.
2. If the provider is down slapo-ppolicy does *not* write any ppolicy
attributes at all.
I whipped up following patch and would like some review on it:
http://www.cksoft.de/paste/b4e3d7b2a77f330237ef518eb946d104c1999cda/slapo...
The patch introduces a new lastbind_forward_updates (olcLastBindForwardUpdates )
boolean parameter to slapo-lastbind that has the same semantics as
ppolicy_forward_updates (olcPPolicyForwardUpdates) in slapo-ppolicy.
I adapted the code from slapo-ppolicy but was not sure of one line I
marked with TODO in the patch.
I have a 2 master, 2 slave syncrepl test setup which chaining from
the slaves to the masters ( to one of them to be precise ).
- Bind on master1 results in authTimestamp getting replicated to master2
and both slaves.
- Bind on slave1 with olcLastBindForwardUpdates=TRUE results in authTimestamp
getting forwarded to the master with updateRef and chaining and replicated
from there.
I have also patch the slapo-lastbind.5 manpage.
This of course needs a review before being used in production.
Disclaimers apply.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
2:03 p.m.
--On Tuesday, October 08, 2013 10:42 PM +0200 Christian Kratzer
<ck-lists(a)cksoft.de> wrote:
Hi,
I have also patch the slapo-lastbind.5 manpage.
This of course needs a review before being used in production.
Please read:
<http://www.openldap.org/devel/contributing.html>
Thanks,
Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
2:34 p.m.
Hi Quanah,
On Tue, 8 Oct 2013, Quanah Gibson-Mount wrote:
> I have also patch the slapo-lastbind.5 manpage.
>
> This of course needs a review before being used in production.
Please read:
<http://www.openldap.org/devel/contributing.html>
Thanks for the pointer.
Posted as: ITS#7721
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
3646
days inactive
3646
days old
openldap-technical@openldap.org
6 comments
4 participants
participants (4)
-
Christian Kratzer -
Marco Pizzoli -
Michael Ströder -
Quanah Gibson-Mount