Modified ldap replication configuration

19cdfbd4 · Goik Martin · 6359f7d2 · 19cdfbd4
Commit 19cdfbd4 authored 8 years ago by Goik Martin
--- a/Doc/Sdi/ldap.xml
+++ b/Doc/Sdi/ldap.xml
@@ -667,16 +667,24 @@ modifying entry "olcDatabase={0}config,cn=config"</programlisting>

      <para>Depending on your database backend choice you may have to alter
      the <link
-      xlink:href="http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap-olc">installation
-      procedure</link> by replacing <quote>bdb</quote> with <quote>mdb</quote>
-      accordingly both on the provider and the consumer side.</para>
+      xlink:href="https://wiki.debian.org/LDAP/OpenLDAPSetup#with_cn.3Dconfig-1">installation
+      procedure</link> by replacing <quote>hdb</quote> with <quote>mdb</quote>
+      accordingly both on the provider and the consumer side. For (yet)
+      unknown reasons the <property>olcSyncProvConfig</property>
+      <acronym>objectclass</acronym> is absent on our systems. You may safely
+      omit configuring the related parameters
+      <property>olcSyncProvConfig</property> and
+      <property>olcSyncProvConfig</property>.</para>
+
+      <para>Using Apache Directory Studio may be used in favour of
+      <command>ldapmodify</command> and friends.</para>

      <para>Hints:</para>

      <orderedlist>
        <listitem>
-          <para>Activating the syncprov overlay requires an additional
-          <property>olcModuleLoad</property> value:</para>
+          <para>Activating the <code>syncprov</code> overlay requires an
+          additional <property>olcModuleLoad</property> value:</para>

          <programlisting language="none">dn: cn=module{0},cn=config
 objectClass: olcModuleList
@@ -687,42 +695,21 @@ olcModulePath: /usr/lib/ldap</programlisting>
        </listitem>

        <listitem>
-          <para/>
+          <para>You may want to add the value <code>sync</code> to the
+          <property>olcLogLevel</property> attribute. This will create related
+          messages in <filename>/var/log/syslog</filename>.</para>
        </listitem>
      </orderedlist>

      <para>Check for provider changes being propagated to the
      consumer.</para>

-      <para>The current configuration does have two serious security
-      flaws:</para>
-
-      <orderedlist>
-        <listitem>
-          <para>The replication is based on the provider's
-          <code>cn=admin,dc=hdm-stuttgart,dc=de</code> account having maximum
-          privileges. Read access is however sufficient. Thus in a
-          professional environment you will have to define an appropriate
-          <code>syncrepl</code> user having just enough (read)
-          privileges.</para>
-        </listitem>
-
-        <listitem>
-          <para>The credentials are being sent in clear text and are thus
-          subject to network sniffing (e.g. by using <link
-          xlink:href="https://www.wireshark.org">Wireshark</link>). In a
-          professional setup you will have to configure <xref
-          linkend="glo_TLS"/> for encrypting your communication
-          channel.</para>
-        </listitem>
-      </orderedlist>
-
-      <para>The <link
-      xlink:href="https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-provider-configuration">installation
-      procedure</link> does have a security drawback: It uses the provider's
-      <code>cn=admin,dc=hdm-stuttgart,dc=de</code> account. Read access is
-      however sufficient. Thus define a suitable replication user for this
-      purpose being endowed with just sufficient privileges:</para>
+      <para>The current configuration contains a serious security flaw: The
+      credentials are being sent in clear text and are thus subject to network
+      sniffing (e.g. by using <link
+      xlink:href="https://www.wireshark.org">.Wireshark</link>). In a
+      professional setup you will have to configure <xref linkend="glo_TLS"/>
+      for encrypting your communication channel.</para>
    </section>

    <section xml:id="sdiSectLdapByJava">