good morning,
I would like to be able to replicate the schema info only from cn=config.
I tried to add the olcSyncrepl to cn=schema
dn: cn=schema,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: ....
but it doesn't work: <olcSyncrepl> only allowed within database declaration
I tried to push a whole new olcDatabase={0}config (the next step would be to add the glue overlay to olcDatabase={1}config,cn=config)
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="cn=config" by * none
olcSuffix: cn=schema,cn=config
olcRootDN: cn=admin,cn=schema,cn=config
olcRootPW:: e1NTSEF9bnNNYkxIMFhFTm0zaXA5N0JXaHRVb3RwTlRsRXRxNTA=
olcMonitoring: FALSE
olcSyncrepl: ....
but it doesn't work: olcSuffix: value #0: suffix <cn=schema,cn=config> not allowed in config database.
It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with a filter like:
olcSyncrepl: {0}rid=001 provider=... binddn=... bindmethod=simple searchbase="cn=schema,cn=config" filter="(!(cn=core))"
but then the whole olcDatabase={0}config,cn=config becomes a shadow context and I'm unable to ldapmodify anything (olcLoglevel for example).
What am I missing?
thank you for reading me,
Francesco
Quoting Francesco Malvezzi francesco.malvezzi@unimore.it:
good morning,
I would like to be able to replicate the schema info only from cn=config.
I tried to add the olcSyncrepl to cn=schema
dn: cn=schema,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: ....
but it doesn't work: <olcSyncrepl> only allowed within database declaration
The correct way to enable replication after cn=config already exists is with ldapmodify:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with a filter like:
olcSyncrepl: {0}rid=001 provider=... binddn=... bindmethod=simple searchbase="cn=schema,cn=config" filter="(!(cn=core))"
but then the whole olcDatabase={0}config,cn=config becomes a shadow context and I'm unable to ldapmodify anything (olcLoglevel for example).
What am I missing?
You need to set up all rids in your modify operation, each listing provider with their own URI. Optionally, you could even have different credentials pointing in different directions - nothing prevents this. For n-way replication, you need to perform the same modification to n sides. Otherwise your replicas will be read-only as you have seen. This is the same for any database, not just n0. Go back and enable CRL checking after you are sure that it works, if using TLS.
Example, change the macros to suit your setup and apply this same ldif to each of your replicas:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncrepl: rid=001 provider=%%LDAP_URI_1%% bindmethod=simple timeout=0
  network-timeout=0 binddn="%%CONFIG_ROOT_DN%%" credentials="%%CONFIG_ROOT_PW%%"
  keepalive=0:0:0 starttls=critical tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
  tls_key="%%LDAP_SERVER%%/ssl/key.pem" tls_cacert="%%CA_CHAIN_SERVERS%%"
  tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)"
  searchbase="cn=config" scope=sub attrs="*,+" schemachecking=off
  type=refreshAndPersist retry="60 +"
olcSyncrepl: rid=002 provider=%%LDAP_URI_2%% bindmethod=simple timeout=0
  network-timeout=0 binddn="%%CONFIG_ROOT_DN%%" credentials="%%CONFIG_ROOT_PW%%"
  keepalive=0:0:0 starttls=critical tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
  tls_key="%%LDAP_SERVER%%/ssl/key.pem" tls_cacert="%%CA_CHAIN_SERVERS%%"
  tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)"
  searchbase="cn=config" scope=sub attrs="*,+" schemachecking=off
  type=refreshAndPersist retry="60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
-mike
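As an added example (not code from this thread or from the OpenLDAP project), here is a small Python checker for the points made in the reply above. It parses olcSyncrepl values the way slapd's keyword=value syntax is written, then reports replicas that lack a consumer for one of the peers, carry duplicate rids, have no olcMirrorMode (and so stay a read-only shadow context), replicate only a sub-tree of cn=config, or still run with tls_crlcheck=none. The cleartext simple-bind check is a general precaution, not something raised in the thread. The host names ldap1/ldap2.example.net, the "cn=config" binddn and the credential "secret" in the sample data are constructed placeholders.

```python
"""Sanity-check the olcSyncrepl values each replica carries in
olcDatabase={0}config,cn=config before trusting an n-way cn=config mirror.
Added example; not code from the OpenLDAP project or from the thread."""
import re

# One keyword=value token of a syncrepl specification. Values may be
# double-quoted (binddn, filter, retry, ...) or bare (provider, rid, ...).
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_syncrepl(value):
    """Parse a single olcSyncrepl attribute value into {keyword: value}.

    The "{n}" ordering prefix slapd shows on multi-valued attributes is
    dropped and keywords are lower-cased, since slapd matches them
    case-insensitively.
    """
    body = re.sub(r"^\{\d+\}", "", value.strip())
    params = {}
    for m in _TOKEN.finditer(body):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = quoted if quoted is not None else bare
    return params


def check_config_mirror(replicas, providers):
    """Return a list of human-readable findings, one per problem.

    replicas:  {name: {"olcSyncrepl": [values], "olcMirrorMode": "TRUE"|"FALSE"}}
               (the attributes read back from olcDatabase={0}config,cn=config)
    providers: set of provider URIs every replica is expected to consume from
    """
    findings = []
    for name, entry in replicas.items():
        specs = [parse_syncrepl(v) for v in entry.get("olcSyncrepl", [])]
        rids = [s.get("rid") for s in specs]
        dupes = sorted({r for r in rids if rids.count(r) > 1})
        if dupes:
            findings.append(f"{name}: duplicate rid {dupes}")
        missing = sorted(providers - {s.get("provider") for s in specs})
        if missing:
            findings.append(f"{name}: no olcSyncrepl consumer for {missing}")
        if specs and entry.get("olcMirrorMode", "FALSE").upper() != "TRUE":
            findings.append(f"{name}: olcMirrorMode is not TRUE; a consumer-only "
                            "config database is a read-only shadow context "
                            "(err=53 on ldapmodify)")
        for s in specs:
            rid = s.get("rid", "?")
            if s.get("searchbase", "").lower() != "cn=config":
                findings.append(f"{name}: rid={rid} replicates only "
                                f"{s.get('searchbase', '')!r}; as reported in the "
                                "thread, the whole config database still becomes "
                                "a shadow context")
            uses_tls = bool(s.get("starttls")) or \
                s.get("provider", "").startswith("ldaps://")
            if uses_tls and s.get("tls_crlcheck", "none") == "none":
                findings.append(f"{name}: rid={rid} has tls_crlcheck=none; "
                                "re-enable CRL checking once replication works")
            if s.get("bindmethod") == "simple" and not uses_tls:
                findings.append(f"{name}: rid={rid} sends the simple-bind "
                                "credentials in clear (no starttls, not ldaps://)")
    return findings


# Constructed sample data, modelled on the two configurations in the thread.
PROVIDERS = {"ldap://ldap1.example.net", "ldap://ldap2.example.net"}


def _full_spec(rid, uri):
    # Shape of the n-way mirror consumer from the reply, placeholders filled in
    # with constructed values ("cn=config" / "secret" are not real credentials).
    return (f'rid={rid} provider={uri} bindmethod=simple binddn="cn=config" '
            'credentials="secret" starttls=critical tls_reqcert=demand '
            'tls_crlcheck=none filter="(objectclass=*)" searchbase="cn=config" '
            'scope=sub attrs="*,+" schemachecking=off type=refreshAndPersist '
            'retry="60 +"')


MIRROR = {"olcSyncrepl": [_full_spec("001", "ldap://ldap1.example.net"),
                          _full_spec("002", "ldap://ldap2.example.net")],
          "olcMirrorMode": "TRUE"}

SCHEMA_ONLY = {  # the schema-only consumer the question describes
    "olcSyncrepl": ['{0}rid=001 provider=ldap://ldap1.example.net bindmethod=simple '
                    'binddn="cn=config" credentials="secret" '
                    'searchbase="cn=schema,cn=config" filter="(!(cn=core))" '
                    'type=refreshOnly retry="60 +"'],
    "olcMirrorMode": "FALSE",
}

SAMPLE = {"ldap1": MIRROR, "ldap2": MIRROR, "schema-only": SCHEMA_ONLY}

if __name__ == "__main__":
    for line in check_config_mirror(SAMPLE, PROVIDERS):
        print(line)
```

Feed it the olcSyncrepl and olcMirrorMode attributes read back from each replica (for example via ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={0}config,cn=config') and apply the same LDIF on every peer until the checker is silent; the searchbase check is there precisely to catch the "replicate only cn=schema,cn=config" variant from the question.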
Thank you for answering so quickly.
If I understand correctly, this is an n-way multi-master layout for the whole cn=config.
Does it mean if I ldapmodify the olcLogLevel on a replica, it will be modified on all other peers as well?
So it's not what I was looking for.
I was looking for a way to replicate (master -> slave) a sub-portion of the cn=config, namely the cn=schema,cn=config.
BTW, olcMirrorMode turns out to be very powerful. In a master-slave setup, it allows me to ldapmodify the slave without incurring the "err=53 text=shadow context; no update referral".
Am I allowed to insert an olcMirrorMode in a slave while using a master-slave setup? Or am I just exploiting a grey-zone configuration? I am scared to mark a slave server as 'mirror'. It looks wrong.
If instead it is correct, my problem is solved.
thank you,
Francesco
Quoting Francesco Malvezzi francesco.malvezzi@unimore.it:
I was looking for a way to replicate (master -> slave) a sub-portion of the cn=config, namely the cn=schema,cn=config.
OK, so then it looks like this is what you're after:
http://documentation.fusiondirectory.org/en/documentation/replication_syncre...
NOTE: I didn't write that document
-mike
On 15/05/2014 14:20, Mike Jackson wrote:
Quoting Francesco Malvezzi francesco.malvezzi@unimore.it:
I was looking for a way to replicate (master -> slave) a sub-portion of the cn=config, namely the cn=schema,cn=config.
OK, so then it looks like this is what you're after:
http://documentation.fusiondirectory.org/en/documentation/replication_syncre...
thank you for the link.
I'm pretty sure it's similar to my current configuration, which has the serious drawback that it turns cn=config into a shadow referral, so I can't update cn=config any longer.
cheers,
Francesco
Quoting Francesco Malvezzi francesco.malvezzi@unimore.it:
I'm pretty sure it's similar to my current configuration, which has the serious drawback that it turns cn=config into a shadow referral, so I can't update cn=config any longer.
I don't know, I'm going to test it as soon as I get a new server installed a few hours from now.
Upon first glance, it seemed to me that it would do what you want.
-mike
openldap-technical@openldap.org