mail us  |  mail this page

contact us
training  | 
tech stuff  | 

Chapter 7 Referrals, Aliases & Proxies (Chaining)

Contents

  1. 7.1 Replication and Referral Overview
  2. 7.2 Replication
    1. 7.2.1 OpenLDAP Replication
      1. 7.2.1.1 OpenLDAP syncrepl Style Replication
      2. 7.2.1.2 OpenLDAP syncrepl RefreshOnly
        1. Example Configuration using OLC
        2. Example Configuration using slapd.conf
      3. 7.2.1.3 OpenLDAP syncrepl RefreshAndPersist
        1. Example Configuration using OLC
        2. Example Configuration using slapd.conf
      4. 7.2.1.4 OpenLDAP syncrepl Multi-Master
        1. Example Configuration using OLC
        2. Example Configuration using slapd.conf
      5. 7.2.1.5 OpenLDAP syncrepl SessionLog, Access Logs and Delta-sync
        1. Example Configuration using OLC
        2. Example Configuration using slapd.conf
      6. 7.2.1.6 Syncing DIT before syncrepl Replication
    2. 7.2.2 ApacheDS Replication
  3. 7.3 Referrals
    1. 7.3.1 Deleting Referrals
    2. 7.3.2 Referral Chaining
  4. 7.4 Aliases
  5. 7.5 LDAP Proxy & Chaining
  6. 7.6 Historical - OpenLDAP slurpd Style Replication (Obsolete from 2.4)
    1. 7.6.1.1 Historical - OpenLDAP slurpd Replication Errors (Obsolete from 2.4)
    2. 7.6.1.2 Historical - Syncing DIT before slurp Replication (Obsolete from 2.4)

7.6 Historical Information Only

OpenLDAP Slurpd Style Replication (Obsoleted in 2.4)

This information describes slurpd style replication which was obsoleted in OpenLDAP 2.4. It is of historical interest and is maintained for those users (pre OpenLDAP 2.4) who may have legacy operational systems.

Slurpd style replication used a 'push' replication strategy and is obsoleted from version 2.4. Documentation is maintained here for historical reasons and for anyone marooned on older versions of OpenLDAP. It is configured and controlled as shown in Figure 7.2-1:

Slurpd style replication

7.5-1 Slurpd Style Replication

When slapd (1) running the Master DIT (7) receives a modify operation (9) it updates the DIT and a timestamped copy of the transaction is written to the log file (2) defined in the master's slapd.conf (5) file replogfile directive.

Slurpd (3) when initially loaded obtains its operational parameters from slapd.conf (5). At a periodic time defined by replicationinterval slurpd will read the log file (2) defined by the replogfile directive and write the updates (10) to one (or more) slave DITs (8) defined by the replica directive(s) in slapd.conf (5).

The slave DIT (8) is a read only copy for all clients except a client which binds using the DN defined by updatedn. The slave server (4) returns the LDAP URI defined by updateref to all modify operations from clients (except those initiated using the DN in updatedn). Both updatedn and updateref are defined in the slapd.conf (6) file. The DN defined in updatedn in (6) MUST be the same as that defined in the replica directive (binddn= parameter) in (5) for this slave instance.

7.6.1 Slurpd Replication Errors (Obsoleted in 2.4)

If slurpd (3) fails to update the slave instance it creates a REJECTION file whose name is the same as that defined in the replogfile directive with .rej appended as shown below:

# slapd.conf reploglogfile directive
replogfile /var/log/ldap/slave1.log

# REJECTION file will be named
# /var/log/ldap/slave1.log.rej

Each error message in the REJECTION log file is the same as that used in the normal transaction log but is preceded by a line starting with the keyword ERROR containing the error message. An example is shown below:

ERROR: No such attribute
replica: slave1.example.com:389
time: 809618633
dn: uid=rsmith,dc=example,dc=com
changetype: modify
replace: description
description: clown
-
replace: modifiersName
modifiersName: uid=rsmith,dc=example,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20000805073308Z

To fix the errors either the slave may edited (in the case above to add a description attribute to the entry) or the REJECTION log may be edited to correct the errors (in the above example the replace: description line could be changed to add: description). There is no need to remove lines beginning with ERROR since these are ignored. After appropriate remedial action the REJECTION file may be re-applied by running slurpd in a single-shot mode (after stopping any currently running slurpd) using the following command:

slurpd -o -r /var/log/ldap/slave1.log.rej

# where -r defines the path to the REJECTION file 
# and -o indicates single-shot mode

Slurpd will apply the transactions in the defined (-r) file and exit. The normal slurpd should now be restarted.

Slurpd Configuration Examples:

Master slapd.conf configuration:

# slapd master
# global section - check file every 5 minutes
replicationinterval 300

# database section
database bdb
...
# simple security to slave located at ldap-rep1.example.com 
# with a cleartext password
# directive only used by slurpd
replica uri=ldap://ldap-rep1.example.com bindmethod=simple
  binddn="uid=admin,ou=admin,dc=example,dc=com" credentials=guess
	
# saves changes to specfied file
# directive used by both slapd and slurpd
replogfile /var/log/ldap/slavedit.log

Slave slapd.conf configuration (on host ldap-rep1.example.com):

# slapd slave
# global section - check file every 5 minutes


# database section
database bdb
...

# defines the dn that is used in the
# replica directive of the master
# directive only used by slurpd
updatedn "uid=admin,ou=admin,dc=example,dc=com"
	
# referral given if a client tries to update slave
updateref ldap://master-ldap.example.com

Up Arrow

7.6.2 Syncing DIT before Slurpd Replication

Before slurpd replication can occur the DITs (Master and Slave(s)) must be known to be in the same state. A manual synchronization process must be performed first as itemised below:

Note: Slurpd was obsoleted in OpenLDAP 2.3 and is included here for completeness. In the case of OpenLDAP using syncrepl style replication a slave or multi-master can synchronize starting from an empty DIT. However, the process defined below may also be used and depending on the volumes involved may offer a more efficient (quicker) starting point.

  1. Stop the LDAP server that will contain the master DIT instance. This is essential to prevent further DIT updates.

  2. Create an LDIF copy of the DIT to be replicated using the appropriate off-line tools for the LDAP server.

    (For OpenLDAP use slapcat).

  3. Configure the server running the master DIT instance.

    For OpenLDAP using slurp style replication - add the replica, replogfile and replicationinterval directives to the slapd.conf file. Do not restart the server at this time.

    Note: If running OpenLDAP using the on-line configuration feature (cn=config) the server must be active.

  4. Move the LDIF file created in step 2 above to the the server(s) that will run the slave or multi-master (applies to sysncrepl only) instance.

  5. Stop the LDAP server that will run the slave or multi-master (applies to syncrepl only) instance .

  6. Apply the LDIF file moved in step 4 to the server using the appropriate off-line tools for the LDAP server.

    (For OpenLDAP use slapadd). Since the server has not been configured the -n (dbnum) option should be used.

  7. Configure the server that will run the slave or multi-master (applies to syncrepl only) instance to act as either a slave or a multi-master (applies to syncrepl only).

    For OpenLDAP using slurpd style replication only this will involve defining a database directive and all its associated directives (since the -n dbnum directive was used to add the DIT the order in which this is defined is very important - for replication specifically add the updatedn directive and the updateref directives.

    Note: If running OpenLDAP using the run-time configuration feature (cn=config) the server must be active.

  8. If a master-slave configuration, start the server running the slave DIT instance. Confirm it is working. If a multi-master configuration (applies to sysncrepl only) start this copy of the master and confirm it is running.

  9. Start the server running the master instance of the DIT or the second master in a multi-master configuration (applies to sysncrepl only).

  10. Perform a test transaction on the master (or one of the masters in a multi-master configuration - syncrepl only) and confirm it has been propagated to the slave (or second master - syncrepl only). If not, start looking at the logs. And panic. Always helps.

Up Arrow



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Contents

tech info
guides home
intro
contents
1 objectives
big picture
2 concepts
3 ldap objects
quickstart
4 install ldap
5 samples
6 configuration
7 replica & refer
reference
8 ldif
9 protocol
10 ldap api
operations
11 howtos
12 trouble
13 performance
14 ldap tools
security
15 security
appendices
notes & info
ldap resources
rfc's & x.500
glossary
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

Search

web zytrax.com

Share

Icons made by Icomoon from www.flaticon.com is licensed by CC 3.0 BY
share page via facebook tweet this page

Page

email us Send to a friend feature print this page Display full width page Decrease font size Increase font size

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Software

LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns

Organizations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

Site

CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2025 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
hosted by javapipe.com
web-master at zytrax
Page modified: January 20 2022.