David White wrote:
> Hello,
> I have some basic experience interacting with & troubleshooting OpenLDAP as
> well as 389-ds, but I don't have a whole lot of experience setting them up or
> configuring an OpenLDAP server.
>
> My goal is to set up replication from a Primary inside a trusted network
> outwards to a Replica that is in an untrusted network, without allowing the
> replica any direct access to the primary, due to firewall flows and network
> requirements. This is true even for the initial connection, so a simple
> RefreshAndPersist configuration won't work.
>
> I have read that it is possible to set up a push-based replication using a
> proxy, such that:
>
>   * The proxy gets installed as a "hidden" database onto the same server as
>     the primary
>   * The proxy sets up replication with the primary using RefreshAndPersist
>   * The proxy is then able to push the data out of the replica
>
> I have skimmed over, and re-read, a lot of portions from this document:
> https://www.openldap.org/doc/admin24/replication.html
> I have also followed this basic guide to set up a Primary with replication
> capability: https://ubuntu.com/server/docs/service-ldap-replication
>
> What I'm having trouble with is finding a useful guide that will walk me
> through the process to set up and configure the proxy as I've described above.
A working example is in test045 of the test suite. You can simply convert the
slapd.conf files to LDIF format from there.

> Questions:
>
>   * Based on my requirements above, will the proxy with syncrepl meet my
>     needs?
>       o If I put the proxy onto the same server as the primary, then due to
>         firewall flows, the replica will not have any access to the primary.
>         All communication will need to be initiated outbound.
>       o If I put the proxy into the same network as the replica, well....
>         that won't work either, for the same reason.
>
>   * The following URL from the OpenLDAP docs provides some example configs:
>     https://www.openldap.org/doc/admin24/replication.html#Syncrepl%20Proxy
>       o If I'm reading everything correctly, though, the "new" / "accepted" /
>         "preferred" way to configure the ldap server is to use the `ldapadd`,
>         `ldapmodify`, and related commands. My confusion and question here
>         is.... should I try to configure all of this by editing the old
>         slapd.conf file as the openldap.org docs provide examples, or is there
>         a way to do this using the ldapmodify & related commands?
>
>       o If I can / should do this from the command line... are there any
>         guides or tutorials that will take me step-by-step through the process
>         as I try to build this in a lab environment?
>
> Thanks in advance,
> David
>
>
> Sent with ProtonMail <https://protonmail.com/> Secure Email.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
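The cn=config (LDIF) form of the hidden syncrepl-proxy database the thread is about, as an added example written for this page; it is neither the test045 configuration nor the Admin Guide's example, only the same arrangement expressed in slapd-config(5) attributes. Assumed names: the suffix dc=example,dc=com, a read-only replication identity cn=replicator,dc=example,dc=com that already exists on the primary (the primary's mdb database is assumed to already carry the syncprov overlay, as the Ubuntu guide sets it up), the replica host replica.example.net reachable from the primary only outbound over ldaps, and a write identity cn=pusher,dc=example,dc=com that the replica accepts. Passwords are placeholders.

```ldif
# Added example, not test045's or the Admin Guide's own config.
# Part A is loaded on the PRIMARY host with:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f proxy.ldif
# Assumed names: dc=example,dc=com, cn=replicator,dc=example,dc=com,
# replica.example.net, cn=pusher,dc=example,dc=com. Passwords are placeholders.

# A1. Only needed where slapd uses modular backends (e.g. the Ubuntu package):
#     load back_ldap next to the already-loaded back_mdb.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap

# A2. The hidden back-ldap database. "hidden" means no client query is ever
#     routed to it, so it may share the suffix with the real mdb database;
#     "restrict all" additionally refuses every client operation on it.
#     Its only role is to be a syncrepl consumer whose internal writes are
#     proxied to the replica instead of being stored locally.
dn: olcDatabase=ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: ldap
olcHidden: TRUE
olcSuffix: dc=example,dc=com
olcRootDN: cn=slapd-ldap
olcRestrict: all
# A syncrepl consumer needs lastmod on.
olcLastMod: TRUE
# Where proxied operations go: the replica, over TLS. The connection is opened
# from the trusted side, which is the only direction the firewall permits;
# the replica never connects back, not even for the initial refresh.
olcDbURI: ldaps://replica.example.net/
# back-ldap binds with this identity for rootdn/internal operations, i.e. for
# the adds, modifies and deletes the syncrepl consumer performs through this
# database. The replica must accept writes from this DN (part B).
olcDbACLBind: bindmethod=simple binddn="cn=pusher,dc=example,dc=com" credentials=CHANGE-ME-pusher
# Pull from the local primary. refreshAndPersist is what turns every change
# on the primary into an immediate push; retry covers primary restarts.
olcSyncrepl: rid=001 provider=ldap://localhost/ bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=CHANGE-ME-replicator searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5"

# Part B is loaded on the REPLICA host (same ldapadd -Y EXTERNAL invocation).
# B1. Replicated entries carry entryUUID/entryCSN/contextCSN, which a plain
#     client may not write; olcUpdateDN marks this database as a shadow and
#     names the one DN allowed to write them. Making that DN the database
#     rootdn is the simplest way to also give it write access. Generate the
#     hash with slappasswd rather than storing a cleartext password.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=pusher,dc=example,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}paste-output-of-slappasswd-here
-
replace: olcUpdateDN
olcUpdateDN: cn=pusher,dc=example,dc=com
```

Two caveats worth checking before this leaves a lab: both olcSyncrepl and olcDbACLBind hold cleartext credentials inside cn=config on the primary, so cn=config must stay readable only by the ldapi:/// EXTERNAL root identity; and the replica, once marked as a shadow by olcUpdateDN, will refuse writes from anyone other than the pusher DN, which is the behaviour wanted for a replica on an untrusted network. To confirm the push is flowing, compare the contextCSN on both sides with `ldapsearch -H ldaps://replica.example.net -b dc=example,dc=com -s base contextCSN` against the same query on the primary.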
