The easiest way is to point an LDAP backend ({{SECT: Backends}} and {{slapd-ldap(8)}})
to your slave directory and set up Syncrepl to point to your Master database.

REFERENCE test045/048 for better explanation of above.

Imagine Syncrepl pulling down changes from the Master server and then
pushing those changes out to your slave servers via {{slapd-ldap(8)}}. This is
called proxy mode (elaborate/confirm?).

BETTER EXAMPLE here from test045/048 for different push/multiproxy examples.
> include ./schema/core.schema
> include ./schema/cosine.schema
> include ./schema/inetorgperson.schema
> include ./schema/openldap.schema
> include ./schema/nis.schema
>
> pidfile /home/ghenry/openldap/ldap/tests/testrun/slapd.3.pid
> argsfile /home/ghenry/openldap/ldap/tests/testrun/slapd.3.args
>
> modulepath ../servers/slapd/back-bdb/
> moduleload back_bdb.la
> modulepath ../servers/slapd/back-monitor/
> moduleload back_monitor.la
> modulepath ../servers/slapd/overlays/
> moduleload syncprov.la
> modulepath ../servers/slapd/back-ldap/
> moduleload back_ldap.la
>
> # We don't need any access to this DSA
>
> #######################################################################
> # consumer proxy database definitions
> #######################################################################
>
> suffix "dc=example,dc=com"
> uri ldap://localhost:9012/
>
> # HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply
> # without the need to write the UpdateDN before starting replication
> acl-bind bindmethod=simple
> binddn="cn=Monitor"
> credentials=monitor
>
> # HACK: use the RootDN of the monitor database as UpdateDN so ACLs apply
> # without the need to write the UpdateDN before starting replication
> provider=ldap://localhost:9011/
> binddn="cn=Manager,dc=example,dc=com"
> searchbase="dc=example,dc=com"
> filter="(objectClass=*)"
> attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp"
> type=refreshAndPersist
DETAILED EXPLANATION OF ABOVE LIKE IN OTHER SECTIONS (line numbers?)

This configuration is called Syncrepl Proxy Mode. You can also use Syncrepl Multi-proxy mode:

!import "push-based-complete.png"; align="center"; title="Syncrepl Proxy Mode"
FT[align="Center"] Figure X.Y: Replacing slurpd

The following example is for a self-contained push-based replication solution:
> #######################################################################
> # Standard OpenLDAP Master/Provider
> #######################################################################
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> include /usr/local/etc/openldap/slapd.acl
>
> modulepath /usr/local/libexec/openldap
> moduleload back_hdb.la
> moduleload syncprov.la
> moduleload back_monitor.la
> moduleload back_ldap.la
>
> pidfile /usr/local/var/slapd.pid
> argsfile /usr/local/var/slapd.args
>
> suffix "dc=suretecsystems,dc=com"
> directory /usr/local/var/openldap-data
>
> index objectClass eq
>
> rootdn "cn=admin,dc=suretecsystems,dc=com"
>
> # syncprov specific indexing
>
> # syncrepl Provider for primary db
> syncprov-checkpoint 1000 60
>
> # Let the replica DN have limitless searches
> limits dn.exact="cn=replicator,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
>
> ##############################################################################
> # Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
> ##############################################################################
>
> # ignore conflicts with other databases, as we need to push out to same suffix
> suffix "dc=suretecsystems,dc=com"
> rootdn "cn=slapd-ldap"
> uri ldap://localhost:9012/
>
> # We don't need any access to this DSA
>
> acl-bind bindmethod=simple
> binddn="cn=replicator,dc=suretecsystems,dc=com"
> credentials=testing
>
> provider=ldap://localhost:9011/
> binddn="cn=replicator,dc=suretecsystems,dc=com"
> credentials=testing
> searchbase="dc=suretecsystems,dc=com"
> type=refreshAndPersist
A replica configuration for this type of setup could be:
> #######################################################################
> # Standard OpenLDAP Slave without Syncrepl
> #######################################################################
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> include /usr/local/etc/openldap/slapd.acl
>
> modulepath /usr/local/libexec/openldap
> moduleload back_hdb.la
> moduleload syncprov.la
> moduleload back_monitor.la
> moduleload back_ldap.la
>
> pidfile /usr/local/var/slapd.pid
> argsfile /usr/local/var/slapd.args
>
> loglevel sync stats
>
> suffix "dc=suretecsystems,dc=com"
> directory /usr/local/var/openldap-slave/data
>
> index objectClass eq
>
> rootdn "cn=admin,dc=suretecsystems,dc=com"
>
> # Let the replica DN have limitless searches
> limits dn.exact="cn=replicator,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
>
> updatedn "cn=replicator,dc=suretecsystems,dc=com"
>
> # Refer updates to the master
> updateref ldap://localhost:9011
You can see we use the {{updatedn}} directive here, and example ACLs ({{F:/usr/local/etc/openldap/slapd.acl}}) for this could be:
> # Give the replica DN unlimited read access. This ACL may need to be
> # merged with other ACL statements.
>
> by dn.base="cn=replicator,dc=suretecsystems,dc=com" write
>
> access to dn.base=""
>
> access to dn.base="cn=Subschema"
>
> access to dn.subtree="cn=Monitor"
> by dn.exact="uid=admin,dc=suretecsystems,dc=com" write
In order to support more replicas, just add more {{database ldap}} sections and
increment the {{syncrepl rid}} number accordingly.
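The rule above (one {{database ldap}} section per slave, with the {{rid}} incremented each time) is easy to get wrong by hand once a proxy pushes to several slaves, and a duplicated or out-of-range rid only shows up when slapd refuses to start. The Python script below is an added example, not code from the OpenLDAP project or this guide: it appends one consumer-proxy section per new slave to an existing slapd.conf text, numbers the rids after the highest one already declared, and rejects a rid that would collide or exceed the three decimal digits {{slapd.conf(5)}} allows. The emitted directives are the ones shown in the proxy examples on this page, together with the {{database ldap}}, {{hidden}}, {{restrict}}, {{lastmod}}, {{bindmethod}} and {{retry}} directives those lines belong to, and {{overlay syncprov}} stacked on the proxy database, since the proxy configurations here load syncprov.la next to back_ldap.la. The host names, suffix and credentials in the demo are constructed placeholders.

```python
"""Append 'database ldap' push sections to a Syncrepl proxy's slapd.conf.

Added example, not code from the OpenLDAP project or the Admin Guide.  It
follows the guide's rule of one section per slave with the syncrepl rid
incremented each time, and rejects rids that collide or exceed the three
decimal digits slapd.conf(5) allows.  Host names, suffix and credentials
in the demo are constructed placeholders.
"""
import re

MAX_RID = 999     # slapd.conf(5): rid is a non-negative integer of at most 3 digits
RID_RE = re.compile(r"^\s*syncrepl\s+rid=(\d+)\b", re.MULTILINE)

# One consumer-proxy section.  The directives mirror those shown in the guide;
# 'database ldap', 'hidden', 'restrict', 'lastmod', 'bindmethod' and 'retry'
# are the slapd.conf(5)/slapd-ldap(5) directives the shown lines belong to,
# and 'overlay syncprov' is stacked on the proxy database because the guide's
# proxy configurations load syncprov.la next to back_ldap.la.
SECTION_TEMPLATE = """\
##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################

database        ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden          on
suffix          "{suffix}"
rootdn          "cn=slapd-ldap"
uri             {replica_uri}

lastmod         on

# We don't need any access to this DSA
restrict        all

acl-bind        bindmethod=simple
                binddn="{binddn}"
                credentials={credentials}

syncrepl        rid={rid:03d}
                provider={provider_uri}
                binddn="{binddn}"
                bindmethod=simple
                credentials={credentials}
                searchbase="{suffix}"
                type=refreshAndPersist
                retry="60 +"

overlay         syncprov
"""


def rids_in(config_text):
    """Every syncrepl rid declared in a slapd.conf text, in file order."""
    return [int(m.group(1)) for m in RID_RE.finditer(config_text)]


def render_section(rid, replica_uri, suffix, provider_uri, binddn, credentials):
    """One proxy section pushing to replica_uri; rid must fit the 3-digit limit."""
    if not 0 <= rid <= MAX_RID:
        raise ValueError(f"rid {rid} outside 0..{MAX_RID}")
    return SECTION_TEMPLATE.format(rid=rid, replica_uri=replica_uri, suffix=suffix,
                                   provider_uri=provider_uri, binddn=binddn,
                                   credentials=credentials)


def append_replicas(config_text, replica_uris, suffix, provider_uri, binddn, credentials):
    """Add one section per new slave, numbering rids after the highest one present."""
    next_rid = max(rids_in(config_text), default=0) + 1
    sections = [render_section(next_rid + i, uri, suffix, provider_uri, binddn, credentials)
                for i, uri in enumerate(replica_uris)]
    new_text = config_text.rstrip("\n") + "\n\n" + "\n".join(sections)
    rids = rids_in(new_text)
    if len(rids) != len(set(rids)):     # e.g. the file already reused a rid
        raise ValueError(f"duplicate syncrepl rid in configuration: {rids}")
    return new_text


# Constructed master fragment that already carries one proxy section (rid=001).
EXISTING_CONF = """\
database        hdb
suffix          "dc=example,dc=test"
rootdn          "cn=admin,dc=example,dc=test"
overlay         syncprov

database        ldap
suffix          "dc=example,dc=test"
uri             ldap://slave1.example.test/
syncrepl        rid=001
                provider=ldap://master.example.test/
"""

if __name__ == "__main__":
    print(append_replicas(EXISTING_CONF,
                          ["ldap://slave2.example.test/", "ldap://slave3.example.test/"],
                          "dc=example,dc=test", "ldap://master.example.test/",
                          "cn=replicator,dc=example,dc=test", "REPLACE-WITH-REAL-SECRET"))
```

The generated text still needs the {{acl-bind}} credentials protected like any other slapd.conf secret, and {{rids_in()}} is worth running on a hand-edited file on its own: it lists every rid in order, so a collision introduced by copy-and-paste is visible before slapd is restarted.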
Note: You must populate the Master and Slave directories with the same data,
unlike when using normal Syncrepl.
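Because the master and the slave are populated separately, and the proxy pushes {{entryUUID}} and {{entryCSN}} along with every entry, the straightforward way to confirm that a slave really holds what the master holds is to compare those two attributes on both servers. The Python script below is an added example, not part of this guide or of the OpenLDAP code: it parses LDIF as {{ldapsearch(1)}} prints it, pairs master and slave entries by entryUUID, and reports which entries are missing on the slave, stale on the slave (older entryCSN, with the lag taken from the timestamp inside the CSN) or present only on the slave. The two LDIF texts are constructed sample output, not a real capture; to feed it real data, run ldapsearch against the master and the slave requesting {{entryUUID}} and {{entryCSN}}.

```python
"""Verify that a slave holds what the Syncrepl proxy pushed from the master.

Added example, not part of the OpenLDAP Admin Guide: pairs master and slave
entries by entryUUID and compares their entryCSN.  All UUIDs, CSNs and
host names below are constructed sample data.
"""
import base64
import re
from datetime import datetime, timezone

# CSN syntax: YYYYmmddHHMMSS.ffffffZ#count#sid#mod (UTC timestamp, then hex
# fields), laid out so that two CSNs order correctly as plain strings.
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#[0-9a-f]{6}#[0-9a-f]{3}#[0-9a-f]{6}$")


def csn_time(csn):
    """UTC datetime embedded in a CSN; ValueError if the CSN is malformed."""
    m = CSN_RE.match(csn)
    if m is None:
        raise ValueError(f"not a CSN: {csn!r}")
    stamp, frac = m.groups()
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(frac), tzinfo=timezone.utc)


def parse_ldif(text):
    """List of {attr (lower-cased): [values]} dicts, one per record with a dn.

    Folded lines are joined, '#' comments skipped, '::' values base64-decoded;
    ldapsearch's trailing 'search:'/'result:' block has no dn and is dropped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last record
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def compare(master_ldif, slave_ldif):
    """In-sync count plus DNs missing, stale (with lag in seconds) or extra on the slave."""
    master = {e["entryuuid"][0]: e for e in parse_ldif(master_ldif) if "entryuuid" in e}
    slave = {e["entryuuid"][0]: e for e in parse_ldif(slave_ldif) if "entryuuid" in e}
    report = {"in_sync": 0, "missing": [], "stale": [], "extra": []}
    for uuid, entry in master.items():
        if uuid not in slave:
            report["missing"].append(entry["dn"][0])
            continue
        m_csn, s_csn = entry["entrycsn"][0], slave[uuid]["entrycsn"][0]
        if s_csn < m_csn:                  # slave still holds an older write
            lag = (csn_time(m_csn) - csn_time(s_csn)).total_seconds()
            report["stale"].append((entry["dn"][0], lag))
        else:
            report["in_sync"] += 1
    report["extra"] = [e["dn"][0] for uuid, e in slave.items() if uuid not in master]
    return report


# Constructed sample output of:
#   ldapsearch -x -H ldap://<server>/ -b dc=example,dc=test '(objectClass=*)' entryUUID entryCSN
MASTER_LDIF = """\
# extended LDIF
# base <dc=example,dc=test> with scope subtree
# requesting: entryUUID entryCSN
#

# example.test
dn: dc=example,dc=test
entryUUID: 1a2b3c4d-0001-1037-8000-000000000001
entryCSN: 20240301120000.000000Z#000000#000#000000

# people, example.test
dn: ou=people,dc=example,dc=test
entryUUID: 1a2b3c4d-0002-1037-8000-000000000002
entryCSN: 20240301120100.000000Z#000000#000#000000

# alice, people, example.test
dn: uid=alice,ou=people,dc=example,dc=test
entryUUID: 1a2b3c4d-0003-1037-8000-000000000003
entryCSN: 20240301120500.123456Z#000000#000#000000

# search result
search: 2
result: 0 Success
"""

SLAVE_LDIF = """\
dn: dc=example,dc=test
entryUUID: 1a2b3c4d-0001-1037-8000-000000000001
entryCSN: 20240301120000.000000Z#000000#000#000000

dn: uid=alice,ou=people,dc=example,dc=test
entryUUID: 1a2b3c4d-0003-1037-8000-000000000003
entryCSN: 20240301120200.000000Z#000000#000#000000

dn: uid=bob,ou=people,dc=example,dc=test
entryUUID: 1a2b3c4d-0004-1037-8000-000000000004
entryCSN: 20240301115000.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    print(compare(MASTER_LDIF, SLAVE_LDIF))
```

On the sample data the report shows one entry in sync, {{ou=people}} missing on the slave, {{uid=alice}} stale by just over three minutes and {{uid=bob}} present only on the slave; a non-empty {{missing}} or {{extra}} list after a fresh load is exactly the "same data" problem the note above warns about, while a persistent {{stale}} list points at the proxy's push to that slave.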
If you do not have access to modify the master directory configuration you can
configure a standalone LDAP proxy, which might look like:
!import "push-based-standalone.png"; align="center"; title="Syncrepl Standalone Proxy Mode"
FT[align="Center"] Figure X.Y: Replacing slurpd with a standalone version

The following configuration is an example of a standalone LDAP Proxy:
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> include /usr/local/etc/openldap/slapd.acl
>
> modulepath /usr/local/libexec/openldap
> moduleload syncprov.la
> moduleload back_ldap.la
>
> ##############################################################################
> # Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
> ##############################################################################
>
> # ignore conflicts with other databases, as we need to push out to same suffix
> suffix "dc=suretecsystems,dc=com"
> rootdn "cn=slapd-ldap"
> uri ldap://localhost:9012/
>
> # We don't need any access to this DSA
>
> acl-bind bindmethod=simple
> binddn="cn=replicator,dc=suretecsystems,dc=com"
> credentials=testing
>
> provider=ldap://localhost:9011/
> binddn="cn=replicator,dc=suretecsystems,dc=com"
> credentials=testing
> searchbase="dc=suretecsystems,dc=com"
> type=refreshAndPersist
As you can see, you can let your imagination go wild using Syncrepl and
{{slapd-ldap(8)}}, tailoring your replication to fit your specific network