access to *
by self write
I hope this isn't the first ACL you have, allowing self write to all
attributes is most likely a security issue.
No, this is my last ACL, there are a few more restrictive ones above it.
by <some kind of entry regarding gssapi ldap/slave.domain.com auth?>
AFAIK, no, you need to just do some SASL to dn mapping with authz-regexp
statements.
This is one part I'm not sure how to approach, I'm fairly new to SASL
and couldn't make much sense of the documentation on how to use SASL
with OpenLDAP authz-regexp... Especially in the sense that I want to use
gssapi keytabs to authenticate... Matt, if you're reading this, could
you maybe post an example of how you've set this on your master server?
You should probably give your slaves read access to all attributes you want
replicated on all entries you want replicated. And, you probably want the
slaves to have unlimited (time,size) access.
It's probably most convenient to do this by putting all your slaves in a
groupOfNames entry, eg cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu (with the
DN each slave is mapped to by your authz-regexp's as a member attribute) and
add clauses like this to every ACL:
by group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu" read
and a line like this in each database:
limits group="cn=Replicator,ou=Group,dc=soe,dc=ucsc,dc=edu"
size=unlimited
time=unlimited
Then, adding another slave requires only an ldapmodify (besides the slave
configuration).
OK, I can add a "cn=Replicator" to my "ou=Group" easily enough, and
limit them. Can you maybe give me an example of the authz-regexp stuff?
It can if you slapadd just the base entry for this database (with all normal
attributes and at least the entryCSN attribute) with the -w flag (unnecessary
if the entry you add has the contextCSN), then the slave should sync itself.
However, depending on the size of your directory, it may be a lot more
efficient to slapadd a recent dump of the entire database.
By base entry you mean dc=soe,dc=ucsc,dc=edu ? Again, sorry, this is me
trying to make sense of the documentation while feeling my way through
it at the same time...
ciao, erich
