I know nothing about LDAP / OpenLDAP. With that out of the way...
I have a CentOS 5 machine running openldap-2.3.27-8. I just built a CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3. My goal is to have the LDAP on the first machine synch with, and stay synched to, the LDAP on the second machine, so if the first machine dies I can bring up an interface with its IP on the second and get authentication working again.
I've Googled "LDAP replication" and "LDAP synchronization". Both terms lead me to a variety of papers that have a variety of ideas of how this should be done, and some have diagrams of convoluted networks involving multiple load balancers, etc. Since I know nothing about LDAP or OpenLDAP, it is very difficult for me to evaluate what I'm seeing... is this way "best", but because it's part of a globe-spanning install with hundreds of thousands of users?
I'm hoping for a pointer to a nice, simple document that doesn't pre-suppose any depth of knowledge and isn't part of a Holy War over which method of doing this confers the greatest bragging rights :-)
--On Tuesday, July 08, 2008 10:58 AM -0700 John Oliver joliver@john-oliver.net wrote:
I'm hoping for a pointer to a nice, simple document that doesn't pre-suppose any depth of knowledge and isn't part of a Holy War over which method of doing this confers the greatest bragging rights :-)
Read the documentation at http://www.openldap.org and then come back if you have questions?
I'd also advise updating your openldap release. There's an excellent article on the OpenLDAP FAQ as to why.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
On Tuesday 08 July 2008 19:58:24 John Oliver wrote:
I know nothing about LDAP / OpenLDAP. With that out of the way...
I have a CentOS 5 machine running openldap-2.3.27-8. I just built a CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3. My goal is to have the LDAP on the first machine synch with, and stay synched to, the LDAP on the second machine, so if the first machine dies I can bring up an interface with its IP on the second and get authentication working again.
Well, you should rather configure any LDAP clients to fail over to the second LDAP server, so no intervention is required.
I've Googled "LDAP replication" and "LDAP synchronization".
Why did you not consult the documentation for the software you are using?
http://www.openldap.org/doc/admin23/syncrepl.html#Configuring%20Syncrepl
BTW, there are probably some best practice issues that aren't covered there. If you have configured your provider well, it is actually quite trivial to add a new consumer without requiring any configuration changes on the provider. The issues to take into account are:
- Ensuring the identity used by a new consumer has access to all the content that you wish it to replicate (suggestion: add a group-based ACL allowing read access to all entries).
- Ensuring the identity used by a new consumer has unlimited (size/time) access to all the content that you wish to replicate (suggestion: add group-based limit statements).
Then, adding a new consumer is reduced to adding an identity for the consumer to use for replication, adding it to the appropriate group, and starting slapd with a suitable configuration on the consumer.
Regards, Buchan
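The provider setup Buchan describes (a replicator group, a group-based read ACL, group-based limits) and the matching consumer syncrepl stanza, written out as an added example for OpenLDAP 2.3 slapd.conf syntax. This is not configuration from the thread or from the OpenLDAP project; the suffix dc=example,dc=com, the group cn=replicators,ou=groups,..., the replica identity cn=replica1,ou=services,..., the hostname ldap1.example.com, the CA path and the password are all assumptions. Check the starttls/tls_* syncrepl options against slapd.conf(5) on your exact 2.3.27 build before relying on them.

```conf
### provider (first machine): /etc/openldap/slapd.conf -- added example, assumed names
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass             eq
# syncrepl searches on entryCSN/entryUUID; index them so the refresh is not a full scan
index           entryCSN,entryUUID      eq

# syncprov turns this database into a syncrepl provider
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# ACLs are evaluated in order; members of the replicator group get read on every
# entry and attribute (including userPassword, which a replica must carry),
# everyone else falls through ("break") to the normal rules below.
access to *
        by group="cn=replicators,ou=groups,dc=example,dc=com" read
        by * break
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none

# the default size/time limits would cut a large initial refresh short
limits group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=com" size=unlimited time=unlimited

### entries to add on the provider with ldapadd (LDIF) -- one identity per consumer
# dn: cn=replica1,ou=services,dc=example,dc=com
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: replica1
# userPassword: {SSHA}hash-from-slappasswd
#
# dn: cn=replicators,ou=groups,dc=example,dc=com
# objectClass: groupOfNames
# cn: replicators
# member: cn=replica1,ou=services,dc=example,dc=com

### consumer (second machine): /etc/openldap/slapd.conf -- added example, assumed names
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass             eq
index           entryCSN,entryUUID      eq

# pull the whole tree from the provider and keep a persistent connection open;
# on failure retry every 60s ten times, then every 300s indefinitely
syncrepl rid=001
        provider=ldap://ldap1.example.com:389
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        scope=sub
        attrs="*,+"
        bindmethod=simple
        binddn="cn=replica1,ou=services,dc=example,dc=com"
        credentials=replica1-password
        starttls=critical
        tls_cacert=/etc/openldap/cacerts/ca.pem

# clients that try to write to the replica get referred to the provider
updateref       ldap://ldap1.example.com
```

Adding a third consumer then needs no provider edits: create another identity, add its DN as a `member` of the group, and start slapd on the new box with its own `rid` and `binddn`. Two things to keep in mind: the replicator identity can read every password hash in the directory, so keep the provider's `credentials` line out of world-readable files (the consumer's slapd.conf should be mode 600) and do not replicate over a cleartext link; and, per Buchan's point about failover, point the clients at both servers (for nss_ldap/pam_ldap, `uri ldap://ldap1.example.com ldap://ldap2.example.com` in /etc/ldap.conf) rather than planning to move an IP address by hand.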
openldap-technical@openldap.org