Hi All,
I have 2 LDAP servers (1 master and 1 slave) and I synchronize the bdb database by the slurp daemon. So, when somebody needs to update his/her password or other information, everything is done in the master server and then the slave server receives these updates. These 2 servers are in the same physical place.
Now I am planning to put another LDAP slave in another geographical place (far from these 2 servers) and because of that I am planning to put some slave server receiving all updates from the master server, but in all ldap client machines in this new location I would like to configure this new slave server (Slave server 2) as the URI host in the ldap.conf files. I mean:
Location 1: Master server 1 and Slave server 1
Location 2: Slave server 2
Is there any way to do:
1. ldap client machines in location 2 to authenticate using Slave server 2?
2. when client machines need to change some ldap information (like password or personal information), to force this update to occur in slave server 2 and then master server 1 receives this update?
Do I have to use 2 master servers (1 in each location)? If yes, can I synchronize both BDB databases? How? Any other suggestions?
Thanks in advance
--- Gustavo Mendes de Carvalho email: gmcarvalho@gmail.com
On Sun, Aug 10, 2008 at 11:32 PM, Gustavo Mendes de Carvalho gmcarvalho@gmail.com wrote:
> Hi All,
> I have 2 LDAP servers (1 master and 1 slave) and I synchronize the bdb database by the slurp daemon. So, when somebody needs to update his/her password or other information, everything is done in the master server and then the slave server receives these updates. These 2 servers are in the same physical place.
> Now I am planning to put another LDAP slave in another geographical place (far from these 2 servers) and because of that I am planning to put some slave server receiving all updates from the master server, but in all ldap client machines in this new location I would like to configure this new slave server (Slave server 2) as the URI host in the ldap.conf files. I mean:
> Location 1: Master server 1 and Slave server 1
> Location 2: Slave server 2
> Is there any way to do:
> - ldap client machines in location 2 to authenticate using Slave server 2?
> - when client machines need to change some ldap information (like password or personal information), to force this update to occur in slave server 2 and then master server 1 receives this update?
> Do I have to use 2 master servers (1 in each location)? If yes, can I synchronize both BDB databases? How? Any other suggestions?
slapo-chain on the slave in location 2 will do what you ask.
On Sunday 10 August 2008 23:32:12 Gustavo Mendes de Carvalho wrote:
> Hi All,
> I have 2 LDAP servers (1 master and 1 slave) and I synchronize the bdb database by the slurp daemon. So, when somebody needs to update his/her password or other information, everything is done in the master server and then the slave server receives these updates. These 2 servers are in the same physical place.
> Now I am planning to put another LDAP slave in another geographical place (far from these 2 servers) and because of that I am planning to put some slave server receiving all updates from the master server, but in all ldap client machines in this new location I would like to configure this new slave server (Slave server 2) as the URI host in the ldap.conf files. I mean:
> Location 1: Master server 1 and Slave server 1
> Location 2: Slave server 2
> Is there any way to do:
> - ldap client machines in location 2 to authenticate using Slave server 2?
> - when client machines need to change some ldap information (like password or personal information), to force this update to occur in slave server 2 and then master server 1 receives this update?
Which server is (ultimately) used for password changing does not depend on whether it is listed in the configuration file.
If you configure the updateref correctly on the slave, then the client will get a referral when it tries to make a change. If the client chases referrals (samba and pam_ldap do), then they will re-try their change against the master on their own.
While slapo-chain *can* be used for this, slapo-chain is really *only* necessary with clients that don't chase referrals.
Just configure things correctly (according to the documentation), and you should have a working solution.
Now, if there is a reason why the clients can't reach the master (e.g. firewall policy or similar), in *that* case slapo-chain can provide a solution.
You didn't explain why you thought there was a problem in the first place ....
> Do I have to use 2 master servers (1 in each location)?
No.
Regards, Buchan
Hi Buchan,
> > Now I am planning to put another LDAP slave in another geographical place (far from these 2 servers) and because of that I am planning to put some slave server receiving all updates from the master server, but in all ldap client machines in this new location I would like to configure this new slave server (Slave server 2) as the URI host in the ldap.conf files. I mean:
> > Location 1: Master server 1 and Slave server 1
> > Location 2: Slave server 2
> If you configure the updateref correctly on the slave, then the client will get a referral when it tries to make a change. If the client chases referrals (samba and pam_ldap do), then they will re-try their change against the master on their own.
I already use updateref, but only in the same physical place (I mean, for slave ldap server 1). I am concerned about the links among them, because when I configure updateref in slave server 2 (location 2) I want to avoid some problem when a user is changing a password or something else and slave server 2 can't contact master server 1 in location 1.
> Just configure things correctly (according to the documentation), and you should have a working solution.
I will.
> Now, if there is a reason why the clients can't reach the master (e.g. firewall policy or similar), in *that* case slapo-chain can provide a solution.
> You didn't explain why you thought there was a problem in the first place ....
It's above.
> > Do I have to use 2 master servers (1 in each location)?
> No.
--- Gustavo Mendes de Carvalho email: gmcarvalho@gmail.com
On Monday 11 August 2008 13:52:49 Gustavo Mendes de Carvalho wrote:
> Hi Buchan,
> > > Now I am planning to put another LDAP slave in another geographical place (far from these 2 servers) and because of that I am planning to put some slave server receiving all updates from the master server, but in all ldap client machines in this new location I would like to configure this new slave server (Slave server 2) as the URI host in the ldap.conf files. I mean:
> > > Location 1: Master server 1 and Slave server 1
> > > Location 2: Slave server 2
> > If you configure the updateref correctly on the slave, then the client will get a referral when it tries to make a change. If the client chases referrals (samba and pam_ldap do), then they will re-try their change against the master on their own.
> I already use updateref, but only in the same physical place (I mean, for slave ldap server 1). I am concerned about the links among them, because when I configure updateref in slave server 2 (location 2) I want to avoid some problem when a user is changing a password or something else and slave server 2 can't contact master server 1 in location 1.
No, with a conventional master-slave setup, the slave will not contact the master; the *client*, that originally connected to the slave, should re-connect to the master, and try the change there.
If you have the master listed as the fallback on the clients, if the slave is unavailable, the client should fall back to the master in any case. Adding slapo-chain here would not provide any benefit (unless you can't allow the clients to connect to the master).
If you want HA writes, and you are sure you have everything in place to avoid conflicting changes, you could use the multi-master replication support in 2.4, but honestly, in your architecture (with the clients in site 2 listing only one server in their configuration), IMHO your bigger problem is going to be what happens when site 2 has no working LDAP server (e.g. during reboot of the slave for a kernel update etc.), and the added complexity of multi-master is not worth it ...
IMHO, too many people are rushing after slapo-chain and multi-master instead of just getting the basics right.
Regards, Buchan
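As an added illustration of the setup described in this thread (example configuration, not posted by either participant), here is a slapd.conf fragment for Slave server 2 with updateref, beside the client ldap.conf that lists the master as fallback; all hostnames, the suffix and the DNs are assumed placeholders.

```conf
## slapd.conf on Slave server 2 (location 2) -- assumed example, not from the thread.
## slurpd on Master server 1 pushes changes into this slave; the slave is read-only
## for everyone except the replication DN and refers all other writes to the master.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
# DN that slurpd binds as when it applies replicated changes (must not be the rootdn)
updatedn        "cn=replicator,dc=example,dc=com"
# Any write attempted by another DN is answered with a referral to the master;
# a client that chases referrals (samba, pam_ldap) re-tries the change there itself,
# so the slave never needs to reach the master on the client's behalf.
updateref       ldap://master1.example.com/
# Only the replication DN may write locally; everybody else reads.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by * read

## /etc/openldap/ldap.conf on the clients in location 2 -- assumed example.
## Weak: one URI means no directory service at all while Slave server 2 reboots.
#URI    ldap://slave2.example.com/
## Better: local slave first, master as fallback. REFERRALS on (the default)
## lets the client follow the updateref to the master for password changes.
BASE        dc=example,dc=com
URI         ldap://slave2.example.com/ ldap://master1.example.com/
REFERRALS   on
```

To see the referral itself from a location-2 client, run `ldapmodify -x -H ldap://slave2.example.com/` against the slave without `-C`: the modify returns `Referral (10)` instead of applying the change, while `-C` makes the tool chase it to the master.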
openldap-technical@openldap.org