From e3dd9ac6932220011ac7284bb53e54ac83bc5d5f Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= Date: Wed, 15 Jan 2025 12:32:58 +0000 Subject: [PATCH] Update and clarify replication docs --- doc/guide/admin/replication.sdf | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/doc/guide/admin/replication.sdf b/doc/guide/admin/replication.sdf index 9b39cf50be..681fd16da4 100644 --- a/doc/guide/admin/replication.sdf +++ b/doc/guide/admin/replication.sdf @@ -347,6 +347,10 @@ is too far out of sync (or completely empty), conventional syncrepl is used to bring it up to date and replication then switches back to the delta-syncrepl mode. +Note: partial replication is incompatible with deltasync. For deltasync to +work, the replication user needs unrestricted read access to both the main +database and accesslog database. + Note: since the database state is stored in both the changelog DB and the main DB on the provider, it is important to backup/restore both the changelog DB and the main DB using slapcat/slapadd when restoring a DB or copying @@ -481,9 +485,18 @@ The provider is implemented as an overlay, so the overlay itself must first be configured in {{slapd.conf}}(5) before it can be used. The provider has two primary configuration directives and two secondary directives for when delta-syncrepl is being used. + Because the LDAP Sync search is subject to access control, proper access control privileges should be set up for the replicated -content. +content. In many environments the replicas are meant to carry the +same data as provider so the replication user needs unrestricted +read access to the database and as such this tends to be the first +access rule for that database: + +> access to * by "$REPLICATOR" read by * break + +However if partial replication is desired, the access rules can be +tightened appropriately. The two primary options to configure are the checkpoint and sessionlog behaviors. 
@@ -497,7 +510,13 @@ operations. If {{}} operations or more than {{}} time has passed since the last checkpoint, a new checkpoint is performed. Checkpointing is disabled by default. -The session log is configured by the +If an accesslog is maintained for this database and contains all the +successful writes, it is the preferred way to provide the resync +information: + +> syncprov-sessionlog-source + +Otherwise an in memory session session log is configured by the > syncprov-sessionlog @@ -535,7 +554,7 @@ A more complete example of the {{slapd.conf}}(5) content is thus: > > overlay syncprov > syncprov-checkpoint 100 10 -> syncprov-sessionlog 100 +> syncprov-sessionlog-source cn=accesslog H4: Set up the consumer slapd -- 2.47.2
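Review bot: In the hunk at @@ -347,6 +347,10 @@, the new note says "deltasync" twice while the unchanged context around it calls the mode "delta-syncrepl"; use one term so readers do not take these for two different features. In the same note, "the main database and accesslog database" should read "the main database and the accesslog database", and a short clause on why restricted read access breaks this mode would make the requirement easier to act on.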
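Review bot: In the hunk at @@ -481,9 +485,18 @@, the example rule `access to * by "$REPLICATOR" read by * break` uses `$REPLICATOR` without saying what it stands for; state that it is a placeholder for the replication user's DN so it is not pasted literally. Because the text recommends this as the first rule and `access to *` matches every entry and attribute, it is also worth saying outright that the replication identity can then read the whole database, so its credentials need to be protected accordingly. Wording: "the same data as provider" should be "the same data as the provider", and "However if" needs a comma after "However".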
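Review bot: In the hunk at @@ -497,7 +510,13 @@, the added line "Otherwise an in memory session session log is configured by the" repeats "session"; it should read "Otherwise an in-memory session log is configured by the". The condition "contains all the successful writes" is the key requirement for choosing `syncprov-sessionlog-source`, so a pointer to where the accesslog's logged operations are configured would help readers verify it before switching.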
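Review bot: In the last hunk (@@ -535,7 +554,7 @@), the example now reads `syncprov-sessionlog-source cn=accesslog`, which depends on an accesslog database with that suffix that records all successful writes, as the text added earlier in this patch requires; the visible context of the example does not show one being set up. If the complete example does not already define it, add the accesslog database there or a sentence pointing to where it is configured, so a reader copying the example does not end up referencing a source that does not exist.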