Hi. I work at a rather large company that has a rather slow LDAP server, which impacts the performance of a wiki server I am using. I am playing with the idea of setting up a cache or replication of the company LDAP server locally to reduce the time spent performing LDAP lookups, but as I am quite new to the world of LDAP and OpenLDAP, I have a hard time getting the set-up right.
I would like to set up a server that does not impose any requirements on the existing (slow) server at all. I only need a read-only server - updates are made on the slow 'master' - and only a few percent of the records are interesting to our wiki.
Having looked at caching and proxying, I ended up setting my mind on replication. As the master is out of bounds except for LDAP queries (no slurping of logs), the syncrepl option seems to be the way to go. I just can't get my head around the configuration. The master LDAP has the following structure (as I see it): o=company.com -> ou=commondirectory -> c=xx. Under commondirectory, all countries (such as 'dk', 'us' and a whole bunch of others) are represented, with the employees residing in them listed below.
o=company.com -> ou=companygroups -> ou=groupmembers contains the groups that are used for controlling access to the wiki pages.
So what I need to have on my replicated server is: The groups and people in the countries 'us' and 'dk'.
To start off easy, I am trying to replicate c=dk first. I've tried adding the following to /etc/ldap/slapd.conf:
syncrepl rid=111
        provider=ldap://ldap.company.com:389
        type=refreshOnly
        interval=00:12:00:00
        searchbase="c=dk,ou=commondirectory,o=company.com"
        scope=one
        updatedn="c=dk,ou=commondirectory,o=company.com"
which makes the server start without error messages, but when I query with ldapsearch -x -h 127.0.0.1 -b "c=dk,ou=commondirectory,o=company.com" '(objectClass=*)' I get no result: "result: 32 No such object"
What am I doing wrong?
Did you load the syncprov module on the master server?
On Wed, Dec 17, 2008 at 9:17 PM, Morten Mikkelsen mortenbreum@gmail.com wrote:
On Thu, Dec 18, 2008 at 3:22 PM, jakjr joao.alfredo@gmail.com wrote:
Did you load the syncprov module on master server ?
Hi. I cannot control or inspect the primary LDAP server in any way at all. I'm not even sure what server is being used. Is there no way to one-way-replicate it just by ordinary queries that don't impose requirements on it? Thanks,
Morten Mikkelsen wrote:
On Thu, Dec 18, 2008 at 3:22 PM, jakjr joao.alfredo@gmail.com wrote:
Did you load the syncprov module on master server ?
I cannot control or inspect the primary LDAP server in any way at all.
You can access it via LDAP?
I'm not even sure what server is being used.
Check the server's rootDSE if access control allows it. Usually there are many hints therein as to which server it is.
Is there no way to one-way-replicate it just by ordinary queries that don't impose requirements on it?
That's rather a matter of implementing a custom sync script. Depending on ACLs and server-side limits this may or may not work.
Ciao, Michael.
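Michael's rootDSE hint and jakjr's syncprov question can both be answered from one anonymous base-scope search against the provider. The script below is an added example, not code from the thread: it parses the LDIF that ldapsearch prints for the rootDSE and reports the vendor string, the naming contexts and whether the LDAP Sync control that syncrepl relies on (OID 1.3.6.1.4.1.4203.1.9.1.1, RFC 4533) is advertised. The sample LDIF is constructed.

```python
import base64
import re

# OID of the LDAP Content Synchronization (Sync Request) control, RFC 4533;
# OpenLDAP's syncprov overlay advertises it in the rootDSE's supportedControl.
SYNC_REQUEST_CONTROL = "1.3.6.1.4.1.4203.1.9.1.1"

# Constructed sample of what the provider might return to
#   ldapsearch -x -H ldap://ldap.company.com -s base -b "" '(objectClass=*)' + *
SAMPLE_ROOTDSE_LDIF = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
vendorName: OpenLDAP Foundation
vendorVersion:: T3BlbkxEQVA6IHNsYXBkIDIuNC4xMQ==
namingContexts: o=company.com
supportedLDAPVersion: 3
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.2.840.113556.1.4.3
 19
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}: fold continuation
    lines, decode base64 ('::') values, skip comments and ldapsearch trailers."""
    unfolded = re.sub(r"\n ", "", text)   # a leading space continues the line
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith(("#", "search: ", "result: ")):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def sync_readiness(ldif_text):
    """What the rootDSE reveals: vendor, naming contexts, and whether the
    Sync Request control (which syncrepl needs on the provider) is offered."""
    dse = parse_ldif_entry(ldif_text)
    return {
        "vendor": " / ".join(dse.get("vendorname", []) + dse.get("vendorversion", [])),
        "naming_contexts": dse.get("namingcontexts", []),
        "sync_control": SYNC_REQUEST_CONTROL in dse.get("supportedcontrol", []),
    }
```

If the provider does not advertise that control, a syncrepl consumer has nothing to talk to, and only a query-based sync script of the kind Michael describes remains.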
openldap-technical@openldap.org