Slurpd provides the capability for a master slapd to propagate changes to slave slapd instances, implementing the master/slave replication scheme described above. Slurpd runs on the same host as the master slapd instance.
Sample replication scenario:
Step 1: An LDAP client starts up and connects to a slave slapd.
Step 2: The LDAP client submits an LDAP modify operation to the slave slapd.
Step 3: The slave slapd returns a referral to the LDAP client, which causes the client to send the modify operation to the master slapd.
Step 4: The master slapd performs the modify operation, writes out the change to its replication log file and returns a success code to the client.
Step 5: The slurpd process notices that a new entry has been appended to the replication log file, reads the replication log entry, and sends the change to the slave slapd via LDAP.
Step 6: The slave slapd performs the modify operation and returns a success code to the slurpd process.
Note that if the LDAP client happened to connect to the master slapd to begin with, Step 3 is omitted, but the rest of the scenario remains the same.
replica: truelies.rs.itd.umich.edu:389The modifications to lastModifiedBy and lastModifiedTime were initiated by the master slapd.
time: 809618633
dn: cn=Barbara Jensen, ou=People, o=University of Michigan, c=US
changetype: modify
delete: multiLineDescription
multiLineDescription: I enjoy sailing in my spare time
-
add: multiLineDescription
multiLineDescription: A dreamer...
-
delete: lastModifiedBy
-
add: lastModifiedBy
lastModifiedBy: cn=Barbara Jensen, ou=People, o=University of Michigan,
c=US
-
delete: lastModifiedTime
-
add: lastModifiedTime
lastModifiedTime: 950825073308Z
-
-d <level> | ?
This option sets the slurpd debug level to <level>. When level is a `?' character, the various debugging levels are printed and slapd exits, regardless of any other options you give it. Current debugging levels (a subset of slapd's debugging levels) are
Debugging levels are additive. That is, if you want heavy trace debugging and want to watch the config file being processed, you would set level to the sum of those two levels (in this case, 68).
4 heavy trace debugging
64 configuration file processing
65535 enable all debugging
-f <filename>
This option specifies an alternate slapd configuration file. Slurpd does not have its own configuration file. Instead, all configuration information is read from the slapd configuration file.-r <filename>
This option specifies an alternate slapd replication log file. Under normal circumstances, slurpd reads the name of the slapd replication log file from the slapd configuration file. However, you can override this with the -r flag, to cause slurpd to process a different replication log file. See section 10.5, Advanced slurpd Operation, for a discussion of how you might use this option.-o
Operate in "one-shot" mode. Under normal circumstances, when slurpd finishes processing a replication log, it remains active and periodically checks to see if new entries have been added to the replication log. In one-shot mode, by comparison, slurpd processes a replication log and exits immediately. If the -o option is given, the replication log file must be explicitly specified with the -r option-t <directory>
Specify an alternate directory for slurpd's temporary copies of replication logs. The default location is /usr/tmp.-k <filename>
When slurpd uses kerberos to authenticate to slave slapd instances, it needs to have an appropriate srvtab file for the remote slapd. This option allows you to specify an alternate filename containing kerberos keys for the remote slapd. The default filename is /etc/srvtab. You can also specify the srvtab file to use in the slapd configuration file's replica option. See the documentation on the srvtab directive in section 5.2.2, General Backend Options. A more complete discussion of using kerberos with slapd and slurpd may be found in Appendix D.
2. Add a replogfile directive, which tells slapd where to log changes. This file will be read by slurpd.
2. Do not include a replogfile directive.
3. Do include an updatedn line. The DN given should match the DN given in the binddn= parameter of the corresponding replica= directive in the master slapd config file.
4. Make sure the DN given in the updatedn directive has permission to write the database (e.g., it is listed as rootdn or is allowed access by one or more access directives).
If you like, you may restart the master slapd in read-only mode while you are replicating the database. During this time, the master slapd will return an "unwilling to perform" error to clients that attempt to modify data.
dbb Berkeley DB B-tree backendYou should copy all files with such a suffix that are located in the index directory specified in your slapd config file.
dbh Berkeley DB hash backend
gdbm GNU DBM backend
pag UNIX NBDM backend
dir UNIX NBDM backend
replica host=truelies.rs.itd.umich.edu:389
binddn="cn=Replicator, o=U
of M, c=US"
bindmethod=simple credentials=secret
In this example, changes will be sent to port 389 (the standard LDAP port) on host truelies. The slurpd process will bind to the slave slapd as "cn=Replicator, o=U of M, c=US" using simple authentication with password "secret". Note that the entry given by the binddn= directive must exist in the slave slapd's database (or be the rootdn specified in the slapd config file) in order for the bind operation to succeed.
slurpd -f <masterslapdconfigfile>
/usr/tmp/truelies.rs.itd.umich.edu:389.A sample rejection log entry follows:
ERROR: No such attributeNote that this is precisely the same format as the original replication log entry, but with an ERROR line prepended to the entry.
replica: truelies.rs.itd.umich.edu:389
time: 809618633
dn: cn=Barbara Jensen, ou=People, o=University of Michigan, c=US
changetype: modify
delete: multiLineDescription
multiLineDescription: I enjoy sailing in my spare time
-
add: multiLineDescription
multiLineDescription: A dreamer...
-
delete: lastModifiedBy
-
add: lastModifiedBy
lastModifiedBy: cn=Barbara Jensen, ou=People, o=University of Michigan,
c=US
-
delete: lastModifiedTime
-
add: lastModifiedTime
lastModifiedTime: 950825073308Z
-
To use one-shot mode, specify the name of the rejection log on the command line as the argument to the -r flag, and specify one-shot mode with the -o flag. For example, to process the rejection log file /usr/tmp/replog.truelies.rs.itd.umich.edu:389 and exit, use the command
slurpd -r /usr/tmp/truelies.rs.itd.umich.edu:389 -o
To propagate changes from a slapd directory server to an X.500 DSA, slurpd runs on the master slapd host, and sends changes to an ldapd which acts as a gateway to the X.500 DSA:
Figure 6: Replication from slapd to an X.500 DSA
Note that the X.500 DSA must be a read-only copy. Since the replication is one-way, updates from DAP clients connecting to the X.500 DSA simply cannot be handled.
A problem arises where attribute names differ between the slapd directory server and the X.500 DSA. At present, slapd and slurpd do not support selective replication of attributes, nor do they support translation of attribute names and values. For example, slurpd will attempt to update the "modifiersName" and "modifyTimeStamp" attributes on the slave it connects to. However, the X.500 DSA may expect these attributes to be named "lastModifiedBy" and "lastModifiedTime".
A solution to this attribute naming problem is to have the ldapd read oidtables that map "modifiersName" to the objectID (OID) for the "lastModifiedBy" attribute and "modifyTimeStamp" to the OID for the "lastModifiedTime" attribute. Since attribute names are carried as OIDs over DAP, this should perform the appropriate translation of attribute names.
Send comments about this page to: ldap-support@umich.edu