From: Ondřej Kuzník Date: Wed, 15 Jan 2025 12:32:58 +0000 (+0000) Subject: Update and clarify replication docs X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3dd9ac6932220011ac7284bb53e54ac83bc5d5f;p=thirdparty%2Fopenldap.git Update and clarify replication docs --- diff --git a/doc/guide/admin/replication.sdf b/doc/guide/admin/replication.sdf index 9b39cf50be..681fd16da4 100644 --- a/doc/guide/admin/replication.sdf +++ b/doc/guide/admin/replication.sdf @@ -347,6 +347,10 @@ is too far out of sync (or completely empty), conventional syncrepl is used to bring it up to date and replication then switches back to the delta-syncrepl mode. +Note: partial replication is incompatible with deltasync. For deltasync to +work, the replication user needs unrestricted read access to both the main +database and accesslog database. + Note: since the database state is stored in both the changelog DB and the main DB on the provider, it is important to backup/restore both the changelog DB and the main DB using slapcat/slapadd when restoring a DB or copying @@ -481,9 +485,18 @@ The provider is implemented as an overlay, so the overlay itself must first be configured in {{slapd.conf}}(5) before it can be used. The provider has two primary configuration directives and two secondary directives for when delta-syncrepl is being used. + Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated -content. +content. In many environments the replicas are meant to carry the +same data as provider so the replication user needs unrestricted +read access to the database and as such this tends to be the first +access rule for that database: + +> access to * by "$REPLICATOR" read by * break + +However if partial replication is desired, the access rules can be +tightened appropriately. The two primary options to configure are the checkpoint and sessionlog behaviors. 
@@ -497,7 +510,13 @@ operations. If {{}} operations or more than {{}} time has passed since the last checkpoint, a new checkpoint is performed. Checkpointing is disabled by default. -The session log is configured by the +If an accesslog is maintained for this database and contains all the +successful writes, it is the preferred way to provide the resync +information: + +> syncprov-sessionlog-source + +Otherwise an in memory session session log is configured by the > syncprov-sessionlog @@ -535,7 +554,7 @@ A more complete example of the {{slapd.conf}}(5) content is thus: > > overlay syncprov > syncprov-checkpoint 100 10 -> syncprov-sessionlog 100 +> syncprov-sessionlog-source cn=accesslog H4: Set up the consumer slapd
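Review bot: In the first hunk (the note added after "switches back to the delta-syncrepl mode"), the new note says partial replication is incompatible with deltasync but not what a reader will observe if the replication user's read access is restricted anyway; since the preceding paragraph already describes the fallback to conventional syncrepl, please state whether such a configuration fails outright or silently degrades, so the reader can recognise the symptom. Also, "partial replication" is not otherwise defined until the second hunk ("if partial replication is desired, the access rules can be tightened"); a short parenthetical such as "(a replica that carries only a subset of the provider's entries or attributes)" would make the note self-contained.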
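Review bot: In the second hunk, the example rule `> access to * by "$REPLICATOR" read by * break` uses `$REPLICATOR` as a placeholder without saying so; this file marks such things with `{{...}}` (compare `{{slapd.conf}}(5)` a few lines above), so either use that markup or add "where $REPLICATOR is the replication user's DN" so nobody pastes it literally. It would also help to say why this rule "tends to be the first access rule": access directives are evaluated in order and the `by * break` clause is what lets the remaining rules for that database still apply to everyone else, which is exactly what makes the later "the access rules can be tightened appropriately" sentence true. Minor grammar: "same data as provider" should read "the same data as the provider", and "and as such this tends to be" would read better as two sentences.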
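Review bot: In the third hunk, "Otherwise an in memory session session log is configured by the" has a doubled word and should read "Otherwise an in-memory session log is configured by the". The new directive is introduced as a bare `> syncprov-sessionlog-source` with no argument, while the fourth hunk's example shows `syncprov-sessionlog-source cn=accesslog`; showing the argument form here (the suffix of the accesslog database) and stating that it must point at an accesslog that "contains all the successful writes", as the sentence above requires, would keep the two places consistent. The text also does not say whether `syncprov-sessionlog-source` and `syncprov-sessionlog` may be configured together or are mutually exclusive; one sentence settling that would prevent a common misconfiguration.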
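Review bot: In the fourth hunk, the complete example replaces `syncprov-sessionlog 100` with `syncprov-sessionlog-source cn=accesslog`, which is consistent with the preceding prose only if `cn=accesslog` is the suffix of the accesslog database configured elsewhere in the same example; please confirm that the example's accesslog database (not shown in this hunk) uses that suffix, and consider a one-line comment in the example tying the two together, since a mismatched suffix here would silently leave the provider without resync information.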