I wrongly supposed that an LDAP server configured with replication (syncrepl) and not using the syncprov module (so it is only a consumer and not a provider) would automatically behave as a read-only replica, as it will sync from the other servers specified in the syncrepl settings but will not be providing deltas through the syncprov module.
However I tested the following scenario (N-way multimaster with one 'read replica'):
- Servers A and B with syncprov enabled (so they are providers)
- Servers A and B both sync (syncrepl) to the other (so they are consumers)
- Added server C with syncrepl to A and B, *BUT not loading syncprov*. So it is a consumer only (read replica)?
However I verified that I can make changes to C and they get stored in C (not replicated to A/B as they don't sync with C).
- So how do I get C to behave like a true read-only replica (denying writes)?
- If I have to set some settings, note that I'm also replicating the olcConfig tree cn=config, so how do I get this setting applied only to one server?
Thanks for any hints or explanation on my doubts.
Hi Marc, very interesting, I'm doing similar setups as yours. Do you add olcReferral on C?
Xuhua
Hi
Thanks for the quick reply.
No, I didn't add any olcReferral anywhere; my idea is to have a truly read-only C (rejecting writes, not referring to the master).
My use case might be quite strange, and not the best approach:
I'm currently building a docker container which uses an already existing DIT, loading the proper LDIFs. For this it parses them to figure out the current setup.
I'm assuming (maybe wrongly) that:
1- If the DIT loads and uses the syncprov module -> it is a Master/Provider
2- If the DIT has olcSyncrepl -> it is a Slave/Consumer
If 1 & 2 are both true I assume I'm in an N-way multimaster scenario.
If only 1 is true I assume I'm the Master in a Master/Slave setup.
If only 2 is true I assume I'm the Slave (read-only) in a Master/Slave scenario.
In all the above cases I would like the slave to be a read-only replica, totally denying writes.
- Is this possible or do I have to refer either way?
- If this is the case (referral required), how do I ensure that only the C node becomes read-only and refers to the master (either A or B)?
Regards
Message from Xuhua Lin xuhua.lin@gmail.com on Thu., 9 Apr. 2020 at 0:39:
> Hi Marc, very interesting, I'm doing similar setups as yours. Do you add olcReferral on C?
> Xuhua
--On Thursday, April 9, 2020 10:50 AM +0200 Marc Franquesa marc.franquesa@gmail.com wrote:
> 1- If the DIT loads and uses the syncprov module -> it is a Master/Provider
> 2- If the DIT has olcSyncrepl -> it is a Slave/Consumer
> If 1 & 2 are both true I assume I'm in an N-way multimaster scenario.
> If only 1 is true I assume I'm the Master in a Master/Slave setup.
> If only 2 is true I assume I'm the Slave (read-only) in a Master/Slave scenario.
Incorrect, you can have syncprov loaded on a consumer. What makes a system a consumer is:
a) it has a syncrepl configuration parameter
b) it does not have a serverID value > 0 (i.e., it is the default of 0)
If a server has:
a) syncprov (and possibly accesslog), no serverID >1, and no syncrepl statement, it is a standalone provider
b) syncprov (and possibly accesslog), serverID > 1, and a syncrepl statement, it is a multimaster node
c) no syncprov, no serverID > 0, and no syncrepl statement, it is a standalone server that is not a provider (since there are no replication cookies stored)
> In all the above cases I would like the slave to be a read-only replica, totally denying writes.
This is how most read-only consumers are configured. I would note that providing a referral does not mean the consumer "accepts writes". It means that if something tries to write to the consumer, it will get a referral to the provider host. It is up to the client attempting to make the write operation to honor that referral (or not). If you also configure chaining on the replica, then it can forward the write to the provider itself, but it is still not accepting the write operation, as the write is performed on the master.
I'm not really clear what you mean by "read only" in any of these cases. If you want an LDAP server that accepts no writes at all, then you shouldn't configure replication, as any writes that occur on the provider will then occur on the consumer, and additionally set the readonly configuration parameter to TRUE.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 4/9/20 4:56 PM, Quanah Gibson-Mount wrote:
> If a server has:
Sorry, nitpicking here:
> a) syncprov (and possibly accesslog), no serverID >1, and no syncrepl statement, it is a standalone provider
should be: serverID > 0 <=> serverID >= 1
> b) syncprov (and possibly accesslog), serverID > 1, and a syncrepl statement, it is a multimaster node
should be: serverID > 0 <=> serverID >= 1
Isn't mirrormode true also needed for MMR?
> c) no syncprov, no serverID > 0, and no syncrepl statement, it is a standalone server that is not a provider (since there are no replication cookies stored)
Yes.
> I'm not really clear what you mean by "read only" in any of these cases. If you want an LDAP server that accepts no writes at all, then you shouldn't configure replication, as any writes that occur on the provider will then occur on the consumer, and additionally set the readonly configuration parameter to TRUE.
He probably wants to implement a 2-tier replication topology where applications/systems access pure consumer replicas which do not accept write operations from normal clients but only the modifications retrieved via syncrepl from providers. (At least that's how Æ-DIR is designed. ;-)
Ciao, Michael.
--On Thursday, April 9, 2020 6:19 PM +0200 Michael Ströder michael@stroeder.com wrote:
>> a) syncprov (and possibly accesslog), no serverID >1, and no syncrepl statement, it is a standalone provider
> should be: serverID > 0 <=> serverID >= 1
>> b) syncprov (and possibly accesslog), serverID > 1, and a syncrepl statement, it is a multimaster node
> should be: serverID > 0 <=> serverID >= 1
Correct, thanks. :)
> Isn't mirrormode true also needed for MMR?
Ah right, thanks. :)
>> I'm not really clear what you mean by "read only" in any of these cases. If you want an LDAP server that accepts no writes at all, then you shouldn't configure replication, as any writes that occur on the provider will then occur on the consumer, and additionally set the readonly configuration parameter to TRUE.
> He probably wants to implement a 2-tier replication topology where applications/systems access pure consumer replicas which do not accept write operations from normal clients but only the modifications retrieved via syncrepl from providers. (At least that's how Æ-DIR is designed. ;-)
Yeah, that's my guess too, but their statements make that hard to determine. ;)
--Quanah
openldap-technical@openldap.org
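As an added example (not code from the thread or from OpenLDAP itself): a small Python classifier that applies Quanah's rules, with Michael's corrections (serverID > 0, olcMirrorMode for MMR), to a cn=config LDIF dump such as slapcat -n 0 output, the kind of parsing Marc's container does, and also reports whether olcReadOnly is TRUE. The attribute names are the standard cn=config ones; the LDIF fragment is constructed.

```python
import base64, re
from collections import defaultdict

def parse_ldif(text):
    # Minimal LDIF reader: unfold continuations, decode '::' base64, strip {n} ordering prefixes.
    raw = []
    for line in text.splitlines():
        if line.startswith(" ") and raw:            # folded continuation line
            raw[-1] += line[1:]
        else:
            raw.append(line)
    entries, attrs = [], defaultdict(list)
    for line in raw + [""]:                         # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                entries.append((attrs.get("dn", [""])[0], dict(attrs)))
                attrs = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):               # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs[name.strip().lower()].append(re.sub(r"^\{\d+\}", "", value.strip()))
    return entries

def classify_role(ldif_text):
    # Thread's rules: syncrepl w/o serverID>0 = consumer; syncprov+serverID>0+syncrepl(+mirrormode) = MMR.
    ents = parse_ldif(ldif_text)
    vals = lambda attr: [v for _, a in ents for v in a.get(attr, [])]
    syncprov = any(v.lower().startswith("syncprov") for v in vals("olcoverlay"))
    syncrepl = bool(vals("olcsyncrepl"))
    sids = [(v.split() + ["0"])[0] for v in vals("olcserverid")]   # "1 ldap://a" -> "1"
    has_sid = any(s.isdigit() and int(s) > 0 for s in sids)
    mirror = any(v.upper() == "TRUE" for v in vals("olcmirrormode"))
    readonly = any(v.upper() == "TRUE" for v in vals("olcreadonly"))  # writes refused outright
    if syncrepl and not has_sid:                    # syncprov may still be loaded here
        role = "consumer"
    elif syncrepl and has_sid and syncprov:
        role = "multimaster node" if mirror else "multimaster node (olcMirrorMode missing)"
    elif syncprov and not syncrepl:
        role = "standalone provider"
    else:
        role = "standalone server (not a provider)" if not (syncrepl or has_sid) else "unrecognised combination"
    return {"role": role, "readonly": readonly, "mirrormode": mirror}

# Constructed cn=config fragment for a node like C: syncrepl to A, no syncprov overlay, olcReadOnly set.
CONSUMER_C = """\
dn: olcDatabase={1}mdb,cn=config
olcReadOnly: TRUE
olcSyncrepl: {0}rid=001 provider=ldap://a.example.com searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="5 5 300 +"
"""
```

Running classify_role(CONSUMER_C) yields role "consumer" with readonly True; a node with olcSyncrepl plus a syncprov overlay but no olcServerID is still classified as a consumer, matching Quanah's correction.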