Tero Saarni
OpenLDAP
Commit
e4067862
authored
Jun 15, 2020
by
Quanah Gibson-Mount
ITS
#9275
-- Update wording to remove slave and master terms, consolidate on provider/consumer
parent
a2c81aeb
Changes
114
ANNOUNCEMENT
...
...
@@ -9,7 +9,7 @@ A N N O U N C E M E N T -- OpenLDAP 2.4
* Slapd(8) enhancements
- Syncrepl enhancements, including push-mode and
Multi-
Mast
er support
Multi-
Provid
er support
- Dynamic configuration enhancements, including
online schema editing and full access control
- Dynamic monitoring enhancements, including
...
...
CHANGES
...
...
@@ -134,7 +134,7 @@ OpenLDAP 2.4.47 Release (2018/12/19)
Fixed slapd-bdb/hdb/mdb to not convert certain IDLs to ranges (ITS#8868)
Fixed slapo-accesslog deadlock during cleanup (ITS#8752)
Fixed slapo-memberof cn=config modifications (ITS#8663)
Fixed slapo-ppolicy with multi
mast
er replication (ITS#8927)
Fixed slapo-ppolicy with multi
-provid
er replication (ITS#8927)
Fixed slapo-syncprov with NULL modlist (ITS#8843)
Build Environment
Added slapd reproducible build support (ITS#8928)
...
...
@@ -196,7 +196,7 @@ OpenLDAP 2.4.45 Release (2017/06/01)
Fixed slapd segfault with invalid hostname (ITS#8631)
Fixed slapd sasl SEGV rebind in same session (ITS#8568)
Fixed slapd syncrepl filter handling (ITS#8413)
Fixed slapd syncrepl infinite looping mods with delta-sync M
M
R (ITS#8432)
Fixed slapd syncrepl infinite looping mods with delta-sync M
P
R (ITS#8432)
Fixed slapd callback struct so older modules without writewait should function.
Custom modules may need to be updated for sc_writewait callback (ITS#8435)
Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS#8576)
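Review bot: "MPR" in the ITS#8432 entry replaces the established abbreviation "MMR" inside the already released 2.4.45 notes, so anyone searching the changelog for the wording they saw at release time will no longer find it, and the new abbreviation is not spelled out next to its first use. Consider writing "delta-sync multi-provider replication" in full here and in the other rewritten "MMR" entries, or leaving released entries untouched and applying the new terms only to entries added from now on.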
...
...
@@ -271,7 +271,7 @@ OpenLDAP 2.4.43 Release (2015/11/30)
Fixed slapd-ldap to skip client controls in ldap_back_entry_get (ITS#8244)
Fixed slapd-null to have an option to return a search entry (ITS#8249)
Fixed slapd-relay to correctly handle quoted options (ITS#8284)
Fixed slapo-accesslog delta-sync M
M
R with interrupted refresh phase (ITS#8281)
Fixed slapo-accesslog delta-sync M
P
R with interrupted refresh phase (ITS#8281)
Fixed slapo-dds segfault when using slapo-memberof (ITS#8133)
Fixed slapo-ppolicy to allow purging of stale pwdFailureTime attributes (ITS#8185)
Fixed slapo-ppolicy to release entry on failure (ITS#7537)
...
...
@@ -315,7 +315,7 @@ OpenLDAP 2.4.41 Release (2015/06/21)
Fixed slapd slapadd config db import of minimal frontend entry (ITS#8150)
Fixed slapd slapadd onetime leak with -w (ITS#8014)
Fixed slapd sasl auxprop crash with invalid config (ITS#8092)
Fixed slapd syncrepl delta-m
m
r issue with overlays and slapd.conf (ITS#7976)
Fixed slapd syncrepl delta-m
p
r issue with overlays and slapd.conf (ITS#7976)
Fixed slapd syncrepl mutex for cookie state (ITS#7968)
Fixed slapd syncrepl memory leaks (ITS#8035)
Fixed slapd syncrepl to free presentlist at end of refresh mode (ITS#8038)
...
...
@@ -475,7 +475,7 @@ OpenLDAP 2.4.38 Release (2013/11/16)
Fixed liblmdb wasted space on split (ITS#7589)
Fixed slapd for certs with a NULL issuerDN (ITS#7746)
Fixed slapd cn=config with empty nested includes (ITS#7739)
Fixed slapd syncrepl memory leak with delta-sync M
M
R (ITS#7735)
Fixed slapd syncrepl memory leak with delta-sync M
P
R (ITS#7735)
Fixed slapd-bdb/hdb to stop processing on dn not found (ITS#7741)
Fixed slapd-bdb/hdb with indexed ANDed filters (ITS#7743)
Fixed slapd-mdb to stop processing on dn not found (ITS#7741)
...
...
@@ -581,7 +581,7 @@ OpenLDAP 2.4.34 Release (2013/03/01)
Fixed liblmdb to validate data limits (ITS#7485)
Fixed liblmdb mdb_update_key for large keys (ITS#7505)
Fixed ldapmodify to not core dump with invalid LDIF (ITS#7477)
Fixed slapd syncrepl for old entries in M
M
R setup (ITS#7427)
Fixed slapd syncrepl for old entries in M
P
R setup (ITS#7427)
Fixed slapd signedness for index_substr_any_* (ITS#7449)
Fixed slapd enforce SLAPD_MAX_DAEMON_THREADS (ITS#7450)
Fixed slapd mutex in send_ldap_ber (ITS#6164)
...
...
@@ -598,7 +598,7 @@ OpenLDAP 2.4.34 Release (2013/03/01)
Fixed slapd-meta segfault when modifying olcDbUri (ITS#7526)
Fixed slapd-sql back-config support (ITS#7499)
Fixed slapo-constraint handle uri and restrict correctly (ITS#7418)
Fixed slapo-constraint with multi-
mast
er replication (ITS#7426)
Fixed slapo-constraint with multi-
provid
er replication (ITS#7426)
Fixed slapo-constraint segfault (ITS#7431)
Fixed slapo-deref control initialization (ITS#7436)
Fixed slapo-deref control exposure (ITS#7445)
...
...
@@ -635,7 +635,7 @@ OpenLDAP 2.4.33 Release (2012/10/10)
Fixed slapd alock handling on Windows (ITS#7361)
Fixed slapd acl handling with zero-length values (ITS#7350)
Fixed slapd syncprov to not reference ops inside a lock (ITS#7172)
Fixed slapd delta-syncrepl M
M
R with large attribute values (ITS#7354)
Fixed slapd delta-syncrepl M
P
R with large attribute values (ITS#7354)
Fixed slapd slapd_rw_destroy function (ITS#7390)
Fixed slapd-ldap idassert bind handling (ITS#7403)
Fixed slapd-mdb slapadd -q -w double free (ITS#7356)
...
...
@@ -721,7 +721,7 @@ OpenLDAP 2.4.31 Release (2012/04/21)
Fixed slapd listener initialization (ITS#7233)
Fixed slapd cn=config with olcTLSVerifyClient (ITS#7197)
Fixed slapd delta-syncrepl fallback on non-leaf error (ITS#7195)
Fixed slapd to reject M
M
R setups with bad serverID setting (ITS#7200)
Fixed slapd to reject M
P
R setups with bad serverID setting (ITS#7200)
Fixed slapd approxIndexer key generation (ITS#7203)
Fixed slapd modification of olcSuffix (ITS#7205)
Fixed slapd schema validation with missing definitions (ITS#7224)
...
...
@@ -799,7 +799,7 @@ OpenLDAP 2.4.27 Release (2011/11/24)
Added slapd support for draft-wahl-ldap-session (ITS#6984)
Added slapadd pipelining capability (ITS#7078)
Added slapd Add-if-not-present (ITS#6561)
Added slapd delta-syncrepl M
M
R (ITS#6734,ITS#7029,ITS#7031)
Added slapd delta-syncrepl M
P
R (ITS#6734,ITS#7029,ITS#7031)
Added slapd-mdb experimental backend (ITS#7079)
Added slapd-passwd dynamic config support
Added slapd-perl dynamic config support
...
...
@@ -1083,11 +1083,11 @@ OpenLDAP 2.4.24 Release (2011/02/10)
Fixed slapo-syncprov filter race condition (ITS#6708)
Fixed slapo-syncprov active mod race (ITS#6709)
Fixed slapo-syncprov to refresh if context is dirty (ITS#6710)
Fixed slapo-syncprov CSN updates to all
replica
s (ITS#6718)
Fixed slapo-syncprov CSN updates to all
consumer
s (ITS#6718)
Fixed slapo-syncprov sessionlog ordering (ITS#6716)
Fixed slapo-syncprov sessionlog with adds (ITS#6503)
Fixed slapo-syncprov mutex (ITS#6438)
Fixed slapo-syncprov mincsn check with M
M
R (ITS#6717)
Fixed slapo-syncprov mincsn check with M
P
R (ITS#6717)
Fixed slapo-syncprov control leak (ITS#6795)
Fixed slapo-syncprov error codes (ITS#6812)
Fixed slapo-translucent entry leak (ITS#6746)
...
...
@@ -1279,7 +1279,7 @@ OpenLDAP 2.4.20 Release (2009/11/27)
OpenLDAP 2.4.19 Release (2009/10/06)
Fixed client tools with null timeouts (ITS#6282)
Fixed slapadd to warn about missing attrs for
replica
s (ITS#6281)
Fixed slapadd to warn about missing attrs for
consumer
s (ITS#6281)
Fixed slapd acl cache (ITS#6287)
Fixed slapd tools to allow -n for conversion (ITS#6258)
Fixed slapd-ldap with null timeouts (ITS#6282)
...
...
@@ -1446,8 +1446,8 @@ OpenLDAP 2.4.16 Release (2009/04/05)
Fixed slapd schema_init freed value (ITS#6036)
Fixed slapd syncrepl newCookie sync messages (ITS#5972)
Fixed slapd syncrepl hang during shutdown (ITS#6011)
Fixed slapd syncrepl too many M
M
R messages (ITS#6020)
Fixed slapd syncrepl skipped entries with M
M
R (ITS#5988)
Fixed slapd syncrepl too many M
P
R messages (ITS#6020)
Fixed slapd syncrepl skipped entries with M
P
R (ITS#5988)
Fixed slapd-bdb/hdb cachesize handling (ITS#5860)
Fixed slapd-bdb/hdb with slapcat with empty dn (ITS#6006)
Fixed slapd-bdb/hdb with NULL transactions (ITS#6012)
...
...
@@ -1457,19 +1457,19 @@ OpenLDAP 2.4.16 Release (2009/04/05)
Fixed slapo-accesslog interaction with ppolicy (ITS#5979)
Fixed slapo-dynlist conversion to cn=config (ITS#6002)
Fixed slapo-syncprov newCookie sync messages (ITS#5972)
Fixed slapd-syncprov too many M
M
R messages (ITS#6020)
Fixed slapo-syncprov
replica
lockout (ITS#5985)
Fixed slapd-syncprov too many M
P
R messages (ITS#6020)
Fixed slapo-syncprov
consumer
lockout (ITS#5985)
Fixed slapo-syncprov modtarget tracking (ITS#5999)
Fixed slapo-syncprov multiple CSN propagation (ITS#5973)
Fixed slapo-syncprov race condition (ITS#6045)
Fixed slapo-syncprov sending cookies without CSN (ITS#6024)
Fixed slapo-syncprov skipped entries with M
M
R (ITS#5988)
Fixed slapo-syncprov skipped entries with M
P
R (ITS#5988)
Fixed tools passphrase free (ITS#6014)
Build Environment
Cleaned up alloc/free functions for Windows (ITS#6005)
Fixed running of autosave files in testsuite (ITS#6026)
Documentation
admin24 clarified M
M
R URI requirements (ITS#5942,ITS#5987)
admin24 clarified M
P
R URI requirements (ITS#5942,ITS#5987)
Added ldapexop(1) manual page (ITS#5982)
slapd-ldap/meta(5) added missing TLS options (ITS#5989)
...
...
@@ -1519,14 +1519,14 @@ OpenLDAP 2.4.14 Release (2009/02/14)
Fixed slapd connection assert (ITS#5835)
Fixed slapd epoll handling (ITS#5886)
Fixed slapd frontend/backend options handling (ITS#5857)
Fixed slapd glue with M
M
R (ITS#5925)
Fixed slapd glue with M
P
R (ITS#5925)
Fixed slapd logging on Windows (ITS#5392)
Fixed slapd listener comparison (ITS#5613)
Fixed slapd manageDSAit with glue entries (ITS#5921)
Fixed slapd relax behavior with structuralObjectClass (ITS#5792)
Fixed slapd syncrepl rename handling (ITS#5809)
Fixed slapd syncrepl M
M
R when adding new server (ITS#5850)
Fixed slapd syncrepl M
M
R with deleted entries (ITS#5843)
Fixed slapd syncrepl M
P
R when adding new server (ITS#5850)
Fixed slapd syncrepl M
P
R with deleted entries (ITS#5843)
Fixed slapd syncrepl replication with glued DB (ITS#5866)
Fixed slapd syncrepl replication with moddn (ITS#5901)
Fixed slapd syncrepl replication with referrals (ITS#5881)
...
...
@@ -1760,7 +1760,7 @@ OpenLDAP 2.4.11 Release (2008/07/16)
Fixed slapd equality rules for olcRootDN/olcSchemaDN (ITS#5540)
Fixed slapd sets memory leak (ITS#5557)
Fixed slapd sortvals binary search (ITS#5578)
Fixed slapd syncrepl updates with multiple
mast
ers (ITS#5597)
Fixed slapd syncrepl updates with multiple
provid
ers (ITS#5597)
Fixed slapd syncrepl superior objectClass delete/add (ITS#5600)
Fixed slapd syncrepl/slapo-syncprov contextCSN updates as internal ops (ITS#5596)
Added slapd-ldap/slapd-meta option to filter out search references (ITS#5593)
...
...
@@ -1837,7 +1837,7 @@ OpenLDAP 2.4.9 Release (2008/05/07)
Fixed slapd syncrepl crash on empty CSN (ITS#5432)
Fixed slapd syncrepl refreshAndPersist (ITS#5454)
Fixed slapd syncrepl modrdn processing (ITS#5397)
Fixed slapd syncrepl M
M
R partial refresh (ITS#5470)
Fixed slapd syncrepl M
P
R partial refresh (ITS#5470)
Fixed slapd value list termination (ITS#5450)
Fixed slapd/slapo-accesslog rq mutex usage (ITS#5442)
Fixed slapd-bdb ID_NOCACHE handling (ITS#5439)
...
...
@@ -1909,7 +1909,7 @@ OpenLDAP 2.4.8 Release (2008/02/19)
Fixed slapd-bdb crash with modrdn (ITS#5358)
Fixed slapd-bdb SEGV with bdb4.6 (ITS#5322)
Fixed slapd-bdb modrdn to same dn (ITS#5319)
Fixed slapd-bdb M
M
R (ITS#5332)
Fixed slapd-bdb M
P
R (ITS#5332)
Added slapd-bdb/slapd-hdb DB encryption (ITS#5359)
Fixed slapd-ldif delete (ITS#5265)
Fixed slapd-meta link to slapd-ldap (ITS#5355)
...
...
@@ -1946,7 +1946,7 @@ OpenLDAP 2.4.7 Release (2007/12/14)
Fixed slapd paged results handling when using rootdn (ITS#5230)
Fixed slapd syncrepl presentlist handling (ITS#5231)
Fixed slapd core schema 'c' definition for RFC4519 (ITS#5236)
Fixed slapd 3-way
M
ulti-
Mast
er
R
eplication (ITS#5238)
Fixed slapd 3-way
m
ulti-
provid
er
r
eplication (ITS#5238)
Fixed slapd hash collisions in index slots (ITS#5183)
Fixed slapd replication of dSAOperation attributes (ITS#5268)
Fixed slapadd contextCSN updating (ITS#5225)
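Review bot: The ITS#5238 entry changes capitalization as well as terminology: "Multi-Master Replication" becomes lowercase "multi-provider replication", while ANNOUNCEMENT in this same commit is changed to "Multi-Provider support". Pick one capitalization for the term and apply it consistently across the files touched here.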
...
...
contrib/ldaptcl/ldap.n
...
...
@@ -84,8 +84,7 @@ Currently simple and kerberos-based authentication, are supported.
To use LDAP and still have reasonable security in a networked,
Internet/Intranet environment, secure shell can be used to setup
secure, encrypted connections between client machines and the LDAP
server, and between the LDAP server and any replica or slave servers
that might be used.
server, and between all LDAP nodes that might be used.
To perform the LDAP "bind" operation:
...
...
contrib/slapd-modules/lastbind/slapo-lastbind.5
...
...
@@ -60,7 +60,7 @@ attribute is updated on each successful bind operation.
.B lastbind_forward_updates
Specify that updates of the authTimestamp attribute
on a consumer should be forwarded
to a
mast
er instead of being written directly into the consumer's local
to a
provid
er instead of being written directly into the consumer's local
database. This setting is only useful on a replication consumer, and
also requires the
.B updateref
...
...
doc/guide/admin/Makefile
...
...
@@ -69,7 +69,7 @@ sdf-img: \
intro_tree.png
\
ldap-sync-refreshandpersist.png
\
ldap-sync-refreshonly.png
\
n-way-multi-
mast
er.png
\
n-way-multi-
provid
er.png
\
push-based-complete.png
\
push-based-standalone.png
\
refint.png
\
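Review bot: The rename of n-way-multi-master.png to n-way-multi-provider.png in the sdf-img list has to be matched by every reference to the image. The file move is part of this commit, but the replication.sdf diff is collapsed on this page, so any !import of the image there cannot be checked from here; confirm it was updated together with this list.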
...
...
doc/guide/admin/config.sdf
...
...
@@ -45,9 +45,9 @@ H2: Replicated Directory Service
slapd(8) includes support for {{LDAP Sync}}-based replication, called
{{syncrepl}}, which may be used to maintain shadow copies of directory
information on multiple directory servers. In its most basic
configuration, the {{
mast
er}} is a syncrepl provider and one or more
{{
slave
}} (or {{shadow}}) are syncrepl consumers. An example
master-slave
configuration is shown in figure 3.3. Multi-
Mast
er
configuration, the {{
provid
er}} is a syncrepl provider and one or more
{{
consumer
}} (or {{shadow}}) are syncrepl consumers. An example
provider-consumer
configuration is shown in figure 3.3. Multi-
Provid
er
configurations are also supported.
!import "config_repl.png"; align="center"; title="Replicated Directory Services"
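Review bot: After the substitution the first changed sentence is circular: "the {{provider}} is a syncrepl provider and one or more {{consumer}} (or {{shadow}}) are syncrepl consumers" now defines each role by its own name. Suggest rewording it so it still carries information, for example by saying which server accepts updates and which servers hold the shadow copies. The context line still imports config_repl.png, so check that the labels in figure 3.3 match the new "provider-consumer" wording.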
...
...
doc/guide/admin/intro.sdf
...
...
@@ -33,7 +33,7 @@ tuned to give quick response to high-volume lookup or search
operations. They may have the ability to replicate information
widely in order to increase availability and reliability, while
reducing response time. When directory information is replicated,
temporary inconsistencies between the
replica
s may be okay, as long
temporary inconsistencies between the
consumer
s may be okay, as long
as inconsistencies are resolved in a timely manner.
There are many different ways to provide a directory service.
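Review bot: Replacing "replicas" with "consumers" in "temporary inconsistencies between the consumers" narrows the meaning of the sentence. It describes copies of directory data in general, and a consumer can be inconsistent with its provider as well as with other consumers. "replicas" was role-neutral here and is not one of the terms the commit message sets out to remove; keep it, or use "copies".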
...
...
@@ -436,11 +436,11 @@ a pool of threads. This reduces the amount of system overhead
required while providing high performance.
{{B:Replication}}: {{slapd}} can be configured to maintain shadow
copies of directory information. This {{single-
mast
er/multiple-
slave
}}
copies of directory information. This {{single-
provid
er/multiple-
consumer
}}
replication scheme is vital in high-volume environments where a
single {{slapd}} installation just doesn't provide the necessary availability
or reliability. For extremely demanding environments where a
single point of failure is not acceptable, {{multi-
mast
er}} replication
single point of failure is not acceptable, {{multi-
provid
er}} replication
is also available. {{slapd}} includes support for {{LDAP Sync}}-based
replication.
...
...
doc/guide/admin/maintenance.sdf
...
...
@@ -159,7 +159,7 @@ type are:
.{{S: }}
+{{B: Start the server}}
Obviously this doesn't cater for any complicated deployments like {{SECT: MirrorMode}} or {{SECT: N-Way Multi-
Mast
er}},
Obviously this doesn't cater for any complicated deployments like {{SECT: MirrorMode}} or {{SECT: N-Way Multi-
Provid
er}},
but following the above sections and using either commercial support or community support should help. Also check the
{{SECT: Troubleshooting}} section.
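Review bot: {{SECT: N-Way Multi-Provider}} is a section cross-reference, so it resolves only if the target heading was renamed to the identical string. The replication.sdf diff is collapsed on this page; confirm the heading there matches, including capitalization and hyphenation.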
...
...
doc/guide/admin/n-way-multi-
mast
er.png
→
doc/guide/admin/n-way-multi-
provid
er.png
File moved
doc/guide/admin/overlays.sdf
...
...
@@ -79,7 +79,7 @@ or in raw form.
It is also used for {{SECT:delta-syncrepl replication}}
Note: An accesslog database is unique to a given
mast
er. It should
Note: An accesslog database is unique to a given
provid
er. It should
never be replicated.
H3: Access Logging Configuration
...
...
@@ -259,13 +259,13 @@ default when {{B:--enable-ldap}}.
H3: Chaining Configuration
In order to demonstrate how this overlay works, we shall discuss a typical
scenario which might be one
mast
er server and three Syncrepl
slave
s.
scenario which might be one
provid
er server and three Syncrepl
replica
s.
On each replica, add this near the top of the {{slapd.conf}}(5) file
(global), before any database definitions:
> overlay chain
> chain-uri "ldap://ldap
mast
er.example.com"
> chain-uri "ldap://ldap
provid
er.example.com"
> chain-idassert-bind bindmethod="simple"
> binddn="cn=Manager,dc=example,dc=com"
> credentials="<secret>"
...
...
@@ -275,48 +275,48 @@ On each replica, add this near the top of the {{slapd.conf}}(5) file
Add this below your {{syncrepl}} statement:
> updateref "ldap://ldap
mast
er.example.com/"
> updateref "ldap://ldap
provid
er.example.com/"
The {{B:chain-tls}} statement enables TLS from the
slave
to the ldap
mast
er.
The {{B:chain-tls}} statement enables TLS from the
replica
to the ldap
provid
er.
The DITs are exactly the same between these machines, therefore whatever user
bound to the
slave
will also exist on the
mast
er. If that DN does not have
update privileges on the
mast
er, nothing will happen.
bound to the
replica
will also exist on the
provid
er. If that DN does not have
update privileges on the
provid
er, nothing will happen.
You will need to restart the
slave
after these {{slapd.conf}} changes.
You will need to restart the
replica
after these {{slapd.conf}} changes.
Then, if you are using {{loglevel stats}} (256), you can monitor an
{{ldapmodify}} on the
slave
and the
mast
er. (If you're using {{cn=config}}
{{ldapmodify}} on the
replica
and the
provid
er. (If you're using {{cn=config}}
no restart is required.)
Now start an {{ldapmodify}} on the
slave
and watch the logs. You should expect
Now start an {{ldapmodify}} on the
replica
and watch the logs. You should expect
something like:
> Sep 6 09:27:25
slave
1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
> Sep 6 09:27:25
slave
1 slapd[29274]: conn=11 op=0 STARTTLS
> Sep 6 09:27:25
slave
1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
> Sep 6 09:27:25
slave
1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=2 MOD attr=mail
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 op=3 UNBIND
> Sep 6 09:27:28
slave
1 slapd[29274]: conn=11 fd=31 closed
> Sep 6 09:27:28
slave
1 slapd[29274]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
> Sep 6 09:27:28
slave
1 slapd[29274]: syncrepl_entry: be_search (0)
> Sep 6 09:27:28
slave
1 slapd[29274]: syncrepl_entry: uid=user1,ou=People,dc=example,dc=com
> Sep 6 09:27:28
slave
1 slapd[29274]: syncrepl_entry: be_modify (0)
And on the
mast
er you will see this:
> Sep 6 09:23:57 ldap
mast
er slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
> Sep 6 09:23:57 ldap
mast
er slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
> Sep 6 09:23:57 ldap
mast
er slapd[2961]: conn=55902 op=3 MOD attr=mail
> Sep 6 09:23:57 ldap
mast
er slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=
Note: You can clearly see the PROXYAUTHZ line on the
mast
er, indicating the
proper identity assertion for the update on the
mast
er. Also note the
slave
immediately receiving the Syncrepl update from the
mast
er.
> Sep 6 09:27:25
replica
1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
> Sep 6 09:27:25
replica
1 slapd[29274]: conn=11 op=0 STARTTLS
> Sep 6 09:27:25
replica
1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
> Sep 6 09:27:25
replica
1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=2 MOD attr=mail
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 op=3 UNBIND
> Sep 6 09:27:28
replica
1 slapd[29274]: conn=11 fd=31 closed
> Sep 6 09:27:28
replica
1 slapd[29274]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
> Sep 6 09:27:28
replica
1 slapd[29274]: syncrepl_entry: be_search (0)
> Sep 6 09:27:28
replica
1 slapd[29274]: syncrepl_entry: uid=user1,ou=People,dc=example,dc=com
> Sep 6 09:27:28
replica
1 slapd[29274]: syncrepl_entry: be_modify (0)
And on the
provid
er you will see this:
> Sep 6 09:23:57 ldap
provid
er slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
> Sep 6 09:23:57 ldap
provid
er slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
> Sep 6 09:23:57 ldap
provid
er slapd[2961]: conn=55902 op=3 MOD attr=mail
> Sep 6 09:23:57 ldap
provid
er slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=
Note: You can clearly see the PROXYAUTHZ line on the
provid
er, indicating the
proper identity assertion for the update on the
provid
er. Also note the
replica
immediately receiving the Syncrepl update from the
provid
er.
H3: Handling Chaining Errors
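Review bot: The commit message says the wording is consolidated on provider/consumer, but every changed line in this hunk uses "replica" for the chaining side ("enables TLS from the replica", "restart the replica", sample log host "replica1"), while slapdconf2.sdf and slapdconfig.sdf in the same commit switch "replica" to "consumer". If "replica" is meant to remain the term in the chaining section, say so in the commit message; otherwise use "consumer" here as well so the guide reads consistently.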
...
...
@@ -683,8 +683,8 @@ H2: The Proxy Cache Engine
{{TERM:LDAP}} servers typically hold one or more subtrees of a
{{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of
entries held by one or more
mast
er servers. Changes are propagated
from the
mast
er server to replica
(slave)
servers using LDAP Sync
entries held by one or more
provid
er servers. Changes are propagated
from the
provid
er server to replica servers using LDAP Sync
replication. An LDAP cache is a special type of replica which holds
entries corresponding to search filters instead of subtrees.
...
...
doc/guide/admin/replication.sdf
This diff is collapsed.
doc/guide/admin/slapdconf2.sdf
...
...
@@ -569,12 +569,12 @@ H4: olcSyncrepl
> [syncdata=default|accesslog|changelog]
This directive specifies the current database as a
replica
of the
mast
er content by establishing the current {{slapd}}(8) as a
This directive specifies the current database as a
consumer
of the
provid
er content by establishing the current {{slapd}}(8) as a
replication consumer site running a syncrepl replication engine.
The
mast
er database is located at the
replication
provider site
specified by the {{EX:provider}} parameter. The
replica
database is
kept up-to-date with the
mast
er content using the LDAP Content
The
provid
er database is located at the provider site
specified by the {{EX:provider}} parameter. The
consumer
database is
kept up-to-date with the
provid
er content using the LDAP Content
Synchronization protocol. See {{REF:RFC4533}}
for more information on the protocol.
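Review bot: The second changed sentence drops the word "replication" and now reads "The provider database is located at the provider site", which is tautological and also differs from the same paragraph in slapdconfig.sdf, where this commit keeps "replication provider site". Keep the two files identical, and consider wording such as "The provider database is located at the site specified by the {{EX:provider}} parameter".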
...
...
@@ -585,19 +585,16 @@ described by the current {{EX:syncrepl}} directive. {{EX:<replica ID>}}
is non-negative and is no more than three decimal digits in length.
The {{EX:provider}} parameter specifies the replication provider site
containing the
mast
er content as an LDAP URI. The {{EX:provider}}
containing the
provid
er content as an LDAP URI. The {{EX:provider}}
parameter specifies a scheme, a host and optionally a port where the
provider slapd instance can be found. Either a domain name or IP
address may be used for <hostname>. Examples are
{{EX:ldap://provider.example.com:389}} or {{EX:ldaps://192.168.1.1:636}}.
If <port> is not given, the standard LDAP port number (389 or 636) is used.
Note that the syncrepl uses a consumer-initiated protocol, and hence its
specification is located at the consumer site, whereas the {{EX:replica}}
specification is located at the provider site. {{EX:syncrepl}} and
{{EX:replica}} directives define two independent replication
mechanisms. They do not represent the replication peers of each other.
specification is located on the consumer.
The content of the syncrepl
replica
is defined using a search
The content of the syncrepl
consumer
is defined using a search
specification as its result set. The consumer slapd will
send search requests to the provider slapd according to the search
specification. The search specification includes {{EX:searchbase}},
...
...
@@ -620,7 +617,7 @@ synchronization operation finishes. The interval is specified
by the {{EX:interval}} parameter. It is set to one day by default.
In the {{EX:refreshAndPersist}} operation, a synchronization search
remains persistent in the provider {{slapd}} instance. Further updates to the
master replica
will generate {{EX:searchResultEntry}} to the consumer slapd
provider
will generate {{EX:searchResultEntry}} to the consumer slapd
as the search responses to the persistent synchronization search.
If an error occurs during replication, the consumer will attempt to reconnect
...
...
@@ -633,8 +630,8 @@ indefinite number of retries until success.
The schema checking can be enforced at the LDAP Sync consumer site
by turning on the {{EX:schemachecking}} parameter.
If it is turned on, every replicated entry will be checked for its
schema as the entry is stored
int
o the
replica content
.
Every entry in the
replica
should contain those attributes
schema as the entry is stored o
n
the
consumer
.
Every entry in the
consumer
should contain those attributes
required by the schema definition.
If it is turned off, entries will be stored without checking
schema conformance. The default is off.
...
...
@@ -642,7 +639,7 @@ schema conformance. The default is off.
The {{EX:binddn}} parameter gives the DN to bind as for the
syncrepl searches to the provider slapd. It should be a DN
which has read access to the replication content in the
mast
er database.
provid
er database.
The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
depending on whether simple password-based authentication or
...
...
@@ -707,14 +704,15 @@ for more details.
H4: olcUpdateref: <URL>
This directive is only applicable in a slave slapd. It
This directive is only applicable in a {{replica}} (or {{shadow}})
{{slapd}}(8) instance. It
specifies the URL to return to clients which submit update
requests upon the replica.
If specified multiple times, each {{TERM:URL}} is provided.
\Example:
> olcUpdateref: ldap://
mast
er.example.net
> olcUpdateref: ldap://
provid
er.example.net
H4: Sample Entries
...
...
doc/guide/admin/slapdconfig.sdf
...
...
@@ -427,12 +427,12 @@ H4: syncrepl
> [syncdata=default|accesslog|changelog]
This directive specifies the current database as a
replica
of the
mast
er content by establishing the current {{slapd}}(8) as a
This directive specifies the current database as a
consumer
of the
provid
er content by establishing the current {{slapd}}(8) as a
replication consumer site running a syncrepl replication engine.
The
mast
er database is located at the replication provider site
specified by the {{EX:provider}} parameter. The
replica
database is
kept up-to-date with the
mast
er content using the LDAP Content
The
provid
er database is located at the replication provider site
specified by the {{EX:provider}} parameter. The
consumer
database is
kept up-to-date with the
provid
er content using the LDAP Content
Synchronization protocol. See {{REF:RFC4533}}
for more information on the protocol.
...
...
@@ -443,19 +443,16 @@ described by the current {{EX:syncrepl}} directive. {{EX:<replica ID>}}
is non-negative and is no more than three decimal digits in length.
The {{EX:provider}} parameter specifies the replication provider site
containing the
mast
er content as an LDAP URI. The {{EX:provider}}
containing the
provid
er content as an LDAP URI. The {{EX:provider}}
parameter specifies a scheme, a host and optionally a port where the
provider slapd instance can be found. Either a domain name or IP
address may be used for <hostname>. Examples are
{{EX:ldap://provider.example.com:389}} or {{EX:ldaps://192.168.1.1:636}}.
If <port> is not given, the standard LDAP port number (389 or 636) is used.
Note that the syncrepl uses a consumer-initiated protocol, and hence its
specification is located at the consumer site, whereas the {{EX:replica}}
specification is located at the provider site. {{EX:syncrepl}} and
{{EX:replica}} directives define two independent replication
mechanisms. They do not represent the replication peers of each other.
specification is located on the consumer.
The content of the syncrepl
replica
is defined using a search
The content of the syncrepl
consumer
is defined using a search
specification as its result set. The consumer slapd will
send search requests to the provider slapd according to the search
specification. The search specification includes {{EX:searchbase}},
...
...
@@ -479,7 +476,7 @@ synchronization operation finishes. The interval is specified
by the {{EX:interval}} parameter. It is set to one day by default.
In the {{EX:refreshAndPersist}} operation, a synchronization search
remains persistent in the provider {{slapd}} instance. Further updates to the
master replica
will generate {{EX:searchResultEntry}} to the consumer slapd
provider
will generate {{EX:searchResultEntry}} to the consumer slapd
as the search responses to the persistent synchronization search.
If an error occurs during replication, the consumer will attempt to reconnect
...
...
@@ -492,8 +489,8 @@ indefinite number of retries until success.
The schema checking can be enforced at the LDAP Sync consumer site
by turning on the {{EX:schemachecking}} parameter.
If it is turned on, every replicated entry will be checked for its
schema as the entry is stored
int
o the
replica content
.
Every entry in the
replica
should contain those attributes
schema as the entry is stored o
n
the
consumer
.
Every entry in the
consumer
should contain those attributes
required by the schema definition.
If it is turned off, entries will be stored without checking
schema conformance. The default is off.
...
...
@@ -507,7 +504,7 @@ defaults for these parameters come from {{ldap.conf}}(5).
The {{EX:binddn}} parameter gives the DN to bind as for the
syncrepl searches to the provider slapd. It should be a DN
which has read access to the replication content in the
mast
er database.
provid
er database.
The {{EX:bindmethod}} is {{EX:simple}} or {{EX:sasl}},
depending on whether simple password-based authentication or
...
...
@@ -573,7 +570,7 @@ more information on how to use this directive.
H4: updateref <URL>
This directive is only applicable in a {{
slave
}} (or {{shadow}})
This directive is only applicable in a {{
replica
}} (or {{shadow}})
{{slapd}}(8) instance. It
specifies the URL to return to clients which submit update
requests upon the replica.
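Review bot: The updateref description replaces {{slave}} with {{replica}}, and the unchanged context still says "requests upon the replica", although the commit subject says the wording is consolidated on provider/consumer and the schemachecking hunk earlier in this file replaces "replica" with "consumer". If "replica" is kept here on purpose, as a read-only instance rather than a syncrepl consumer, a short definition at first use would make that clear. Otherwise use "consumer" in both places. The "(or {{shadow}})" alternative is also left unexplained.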
...
...
@@ -581,7 +578,7 @@ If specified multiple times, each {{TERM:URL}} is provided.
\Example:
> updateref ldap://
mast
er.example.net
> updateref ldap://
provid
er.example.net
H3: BDB and HDB Database Directives
...
...
@@ -632,7 +629,7 @@ controls).
The next section of the configuration file defines a BDB
backend that will handle queries for things in the
"dc=example,dc=com" portion of the tree. The
database is to be replicated to two
slave
slapds, one on
database is to be replicated to two
replica
slapds, one on
truelies, the other on judgmentday. Indices are to be
maintained for several attributes, and the {{EX:userPassword}}
attribute is to be protected from unauthorized access.
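Review bot: "The database is to be replicated to two replica slapds" repeats itself after the substitution. "replicated to two consumer slapds" avoids the doubled word and keeps this example on the provider/consumer vocabulary used in the rest of the file.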
...
...
doc/guide/images/src/delta-syncrepl.svg
...
...
@@ -4621,7 +4621,7 @@
x=
"96.974648"
y=
"113.75929"
style=
"font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Arial"
/></flowRegion><flowPara
id=
"flowPara27617"
>
Master/
Provider
</flowPara></flowRoot>
<flowRoot
id=
"flowPara27617"
>
Provider
</flowPara></flowRoot>
<flowRoot
xml:space=
"preserve"
id=
"flowRoot3120"
style=
"font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Arial"
...
...
doc/guide/images/src/dual_dc.svg
...
...
@@ -5015,7 +5015,7 @@
x=
"137.38075"
y=
"681.46503"
style=
"font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Arial"
/></flowRegion><flowPara
id=
"flowPara15542"
>
Replica
Pool
</flowPara></flowRoot>
<flowRoot
id=
"flowPara15542"
>
Consumer
Pool
</flowPara></flowRoot>
<flowRoot
xml:space=
"preserve"
id=
"flowRoot15534"
style=
"font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Arial"
...
...
@@ -5027,7 +5027,7 @@
x=
"137.38075"
y=
"681.46503"
style=
"font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Arial"
/></flowRegion><flowPara
id=
"flowPara15544"
>
Replica
Pool
</flowPara></flowRoot>
<path
id=
"flowPara15544"
>
Consumer
Pool
</flowPara></flowRoot>
<path
style=
"fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.71494228px;stroke-linecap:butt;stroke-linejoin:miter;marker-start:url(#Arrow1Lstart);marker-end:url(#Arrow1Lend);stroke-opacity:1"
d=
"M 254.55844,186.23712 L 254.55844,261.49474"
id=
"path16515"
/>
...
...
doc/guide/images/src/n-way-multi-
mast
er.dia
→
doc/guide/images/src/n-way-multi-
provid
er.dia
File moved
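Review bot: n-way-multi-master.dia is only renamed ("File moved", no content change), while the SVG for the same diagram has its "N-Way Multi-Master" title edited in this commit. Please confirm that the .dia source does not still carry the old title. If it does, the next export from the source will reintroduce the wording this commit removes.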
doc/guide/images/src/n-way-multi-
mast
er.svg
→
doc/guide/images/src/n-way-multi-
provid
er.svg
...
...
@@ -13,12 +13,12 @@
id=
"svg7893"
inkscape:version=
"0.46"
sodipodi:docbase=
"/home/ghenry/Desktop"
sodipodi:docname=
"n-way-multi-
mast
er.svg"
sodipodi:docname=
"n-way-multi-
provid
er.svg"
sodipodi:version=
"0.32"
width=
"744.09448"
inkscape:output_extension=
"org.inkscape.output.svg.inkscape"
version=
"1.0"
inkscape:export-filename=
"/home/ghenry/Desktop/n-way-multi-
mast
er.png"
inkscape:export-filename=
"/home/ghenry/Desktop/n-way-multi-
provid
er.png"
inkscape:export-xdpi=
"90"
inkscape:export-ydpi=
"90"
>
<metadata
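Review bot: The edited sodipodi:docname and inkscape:export-filename attributes still sit next to absolute paths under /home/ghenry/Desktop (sodipodi:docbase and the export-filename value), which publishes a contributor's local account name and directory layout in the repository. Since these attributes are being touched anyway, drop sodipodi:docbase and inkscape:export-filename, or reduce export-filename to the bare file name. Neither is needed to render the image.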
...
...
@@ -4573,7 +4573,7 @@
x=
"194.28572"
y=
"475.52304"
style=
"font-size:24px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Arial"
/></flowRegion><flowPara
id=
"flowPara6968"
>
N-Way Multi-
Mast
er
</flowPara></flowRoot>
<text
id=
"flowPara6968"
>
N-Way Multi-
Provid
er
</flowPara></flowRoot>
<text
xml:space=
"preserve"
style=
"font-size:40px;font-style:normal;font-weight:normal;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans"
x=
"316"
...
...
doc/guide/images/src/push-based-complete.svg
...
...
@@ -4667,7 +4667,7 @@
x=
"96.974648"