On 22/09/05, Marcin Giedz <[EMAIL PROTECTED]> wrote:
> On Thursday, 22 September 2005 11:25, Pierangelo Masarati wrote:
> > > Hello,
> > >
> > > I did a simple replication between master and slave LDAP server in two
> > > different cities through VPN. Data propagation from master to slave works
> > > OK but when any client sends changes to the slave it doesn't redirect the
> > > client to the master LDAP. Here is what I have in slapd.conf on master:
> > >
> > > replica host=ldap-slave1.aaa:389
> > > binddn="cn=ldapmanager,dc=xxx,dc=xx"
> > > bindmethod=simple credentials=xxx
> > >
> > >
> > > And this on slave slapd.conf:
> > >
> > > updatedn "cn=ldapmanager,dc=xxx,dc=xx"
> > > updateref ldap://ldap-primary.aaa
> > >
> > >
> > > OpenLDAP version is 2.2.24 in both locations. Maybe I have forgotten
> > > something?
> >
> > Did you use the "cn=ldapmanager,dc=xxx,dc=xx" identity (i.e. the
> > "updatedn") to write to the slave?
>
> Yes.... is it a problem?.... from a security point of view it can be, but it
> doesn't matter now. I'd just like my updates to go to the master, not to the
> slave.
As was mentioned before: cn=ldapmanager,dc=xxx,dc=xx is in the updatedn. This means that everything sent to the replica by "cn=ldapmanager,dc=xxx,dc=xx" is treated as replication (i.e. new data appeared on the master and the master now wants to share it with the slave).

To solve the problem, just design your access lists and use different DNs: one for replication (cn=replogmanager,dc=xxx,dc=xx, for example). All others not mentioned in updatedn will be considered "global updates to the database" and thus will be referred to the master LDAP.

To keep a tidy structure, you can always put the DNs used by system tools into a separate ou, like cn=replogmanager,ou=DSA,dc=xxx,dc=xx.

http://samba.idealx.org/smbldap-howto.fr.html#htoc34

There is a nice example there of designing access lists and creating different DNs under a separate organizational unit. At the bottom of the page you'll find sample LDIFs.

Regards,
Michal

PS if this post appears twice on the list - I'm sorry. #$%^&* gmail knows better than me :S

>
> Marcin
>
> > p.
>
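A worked configuration for the split Michal describes, added here as an example (not from the original thread or from OpenLDAP itself): the master pushes changes under a dedicated replication identity, the slave applies local writes only from that DN and refers every other writer to the master, and the ACLs let that DN replay everything while keeping password hashes unreadable. Hostnames, suffix and the cn=replogmanager,ou=DSA DN come from the thread; the password values and the replog path are placeholders, and it is assumed that cn=ldapmanager is the rootdn used by clients.

```conf
### master slapd.conf (OpenLDAP 2.2, slurpd-based replication)
database    bdb
suffix      "dc=xxx,dc=xx"
rootdn      "cn=ldapmanager,dc=xxx,dc=xx"      # admin identity used by clients
rootpw      {SSHA}PLACEHOLDER-MASTER-ADMIN-HASH
replogfile  /var/lib/ldap/replog                # placeholder path read by slurpd

# slurpd binds to the slave as the dedicated replication DN, never as the admin.
replica     host=ldap-slave1.aaa:389
            binddn="cn=replogmanager,ou=DSA,dc=xxx,dc=xx"
            bindmethod=simple credentials=PLACEHOLDER-REPLICATION-PASSWORD

### slave slapd.conf
database    bdb
suffix      "dc=xxx,dc=xx"
rootdn      "cn=ldapmanager,dc=xxx,dc=xx"

# Only writes arriving as this DN are applied locally as replicated changes;
# slapd.conf(5) advises that it should not be the master's rootdn.
updatedn    "cn=replogmanager,ou=DSA,dc=xxx,dc=xx"
# Every other bind identity that tries to write gets a referral to the master.
updateref   ldap://ldap-primary.aaa

# The replication DN must be able to write every attribute it replays, including
# userPassword; nobody else can read password hashes from the slave.
access to attrs=userPassword
    by dn.exact="cn=replogmanager,ou=DSA,dc=xxx,dc=xx" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn.exact="cn=replogmanager,ou=DSA,dc=xxx,dc=xx" write
    by * read

### LDIF for the replication identity: add it on the master so it replicates to
### the slave, where the entry must exist for slurpd's simple bind to succeed.
dn: ou=DSA,dc=xxx,dc=xx
objectClass: organizationalUnit
ou: DSA

dn: cn=replogmanager,ou=DSA,dc=xxx,dc=xx
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: replogmanager
userPassword: {SSHA}PLACEHOLDER-REPLICATION-HASH
```

After the change, a client that binds to the slave as cn=ldapmanager and issues a modify should receive a referral to ldap://ldap-primary.aaa instead of a success result; a client binding as the replication DN is the only one whose writes land on the slave, so its password should be known to slurpd alone.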
