LDAP – Is it possible to have non-replicated data on an LDAP consumer?

ldap, openldap

I've read all the available documentation, the Mastering OpenLDAP book, and like a zillion mailing-list posts, but I haven't found a way to make such a scenario possible. I see several use cases for this scenario, such as an enterprise application syncing all users from the main LDAP of the org but keeping its own application-related schemas and objects in its server.

So please, could you point me in the right direction or help me rule the possibility out altogether?

EDIT June 17

An example scenario:
[image: example scenario]

What I'm trying to accomplish is to be able to get all the data in o=area1,o=myorg,dc=org and o=area2,o=myorg,dc=org from the provider, but also to be able to have additional data in the consumer, like o=subarea1,o=myorg,dc=org.

I have no problem getting the data from the provider; I've set up a syncrepl entry in the consumer for each branch (area1, area2) with different rids:

# Consumer slapd.conf: one syncrepl directive per replicated branch
# (the rid=102 directive for o=area2 is identical apart from rid and
# searchbase). Continuation lines must start with whitespace.
# binddn suffix corrected to dc=org to match the searchbase suffix.
syncrepl rid=101
 provider="ldap://provider:389"
 bindmethod=simple
 binddn="cn=replicator,o=myorg,dc=org"
 credentials="***"
 searchbase="o=area1,o=myorg,dc=org"
 type=refreshAndPersist
 retry="5 5 300 5"
 timeout=3
 schemachecking=off
 scope=sub

and I've also activated syncprov on the provider.

The problem arises when I try to add any data on the consumer; it always fails with the error:

LDAP Error code 53 - shadow context; no update referral

Best Answer

Yes, you can. Just set the search filter and attrs you want to replicate in your syncrepl configuration:

# Consumer slapd.conf: pull only the entries matching the filter under the
# searchbase, and only the listed attributes, once a day (interval is
# dd:hh:mm:ss). Continuation lines must start with whitespace.
syncrepl rid=1
  provider=ldap://provider.myorg.com:389
  type=refreshOnly
  interval=01:00:00:00
  searchbase="ou=sales,o=employees,o=myorg,cn=com"
  filter="(objectClass=posixAccount)"
  scope=base
  attrs="cn,sn,userPassword"
  schemachecking=off
  bindmethod=simple
  binddn="cn=syncuser,o=myorg,cn=com"
  credentials=secret

Now, it goes as follows:

  • replicate only ou=sales,o=myorg,cn=com
  • replicate only the posixAccount schema
  • only cn, sn and userPassword, thus keeping the consumer's gid and uid intact
  • and don't go into children, just the baseDN you specify. scope has these options:
    • sub means everything, including subtrees
    • one means only the searchbase and the level below it
    • base means only the searchbase

There is one catch, though. Attributes that your master does not have, you have to update manually. For example, if you have Samba passwords in your consumer LDAP and your master LDAP does not have them, you have to update both LDAP servers to keep sambaNTPassword and sambaLMPassword in the consumer LDAP in sync with userPassword in the master LDAP when a user changes their password. Of course, that only applies if you want to keep the passwords in sync.
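The answer above selects what a consumer receives with three knobs: searchbase plus scope, filter, and attrs. The following is an added, self-contained model of that selection, not OpenLDAP code and not from the answerer; the provider entries are constructed, and scope follows the LDAP search semantics of RFC 4511 (base is only the searchbase entry, one is its immediate children only, sub is the searchbase and every descendant). Run it to see, for the question's o=area1 branch, which entries and which attributes each combination of scope, filter and attrs would pull, and that o=area2 is never touched by a directive rooted at o=area1. The model says nothing about writes: a replicated database is still a shadow context, which is what the question's error 53 reports.

```python
"""Offline model of syncrepl selection (searchbase/scope/filter/attrs).
Added example with constructed data; not OpenLDAP's own code."""
import re
from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]   # attribute name (lowercased) -> values
Entry = Tuple[str, Attrs]      # (dn, attributes)


def dn_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, normalising case and whitespace."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def scope_matches(dn: str, searchbase: str, scope: str) -> bool:
    rdns, base = dn_rdns(dn), dn_rdns(searchbase)
    if len(rdns) < len(base) or rdns[len(rdns) - len(base):] != base:
        return False                # not under the searchbase at all
    depth = len(rdns) - len(base)   # 0 = the searchbase entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1           # children only, not the base itself
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_filter(text: str):
    """Parse a minimal RFC 4515 filter (=, presence, &, |, !) into a tuple tree."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"bad filter {text!r}")
    body = text[1:-1]
    if body[0] in "&|":
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body[1:], start=1):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return (body[0], children)
    if body[0] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, _, value = body.partition("=")
    return ("=", (attr.strip().lower(), value.strip().lower()))


def filter_matches(node, attrs: Attrs) -> bool:
    op, arg = node
    if op == "=":
        name, wanted = arg
        have = [v.lower() for v in attrs.get(name, [])]
        return bool(have) if wanted == "*" else wanted in have
    if op == "&":
        return all(filter_matches(c, attrs) for c in arg)
    if op == "|":
        return any(filter_matches(c, attrs) for c in arg)
    return not filter_matches(arg[0], attrs)   # "!"


def replicate(provider: List[Entry], searchbase: str, scope: str = "sub",
              filt: str = "(objectClass=*)", attrs: str = "*") -> Dict[str, Attrs]:
    """Return {dn: attributes} a consumer would receive for one directive.
    attrs="*" keeps every attribute, otherwise only the comma-separated list."""
    tree = parse_filter(filt)
    keep = None if attrs.strip() == "*" else {a.strip().lower() for a in attrs.split(",")}
    out: Dict[str, Attrs] = {}
    for dn, a in provider:
        if scope_matches(dn, searchbase, scope) and filter_matches(tree, a):
            out[dn] = {k: v for k, v in a.items() if keep is None or k in keep}
    return out


# Constructed provider content under o=myorg,dc=org (hypothetical values).
PROVIDER: List[Entry] = [
    ("o=area1,o=myorg,dc=org", {"objectclass": ["organization"], "o": ["area1"]}),
    ("uid=alice,o=area1,o=myorg,dc=org", {
        "objectclass": ["inetOrgPerson", "posixAccount"], "cn": ["Alice"],
        "sn": ["Adams"], "userpassword": ["{SSHA}x"], "uidnumber": ["1001"],
        "gidnumber": ["100"]}),
    ("uid=bob,o=area1,o=myorg,dc=org", {
        "objectclass": ["inetOrgPerson"], "cn": ["Bob"], "sn": ["Brown"]}),
    ("ou=ops,o=area1,o=myorg,dc=org", {"objectclass": ["organizationalUnit"], "ou": ["ops"]}),
    ("uid=carol,ou=ops,o=area1,o=myorg,dc=org", {
        "objectclass": ["inetOrgPerson", "posixAccount"], "cn": ["Carol"],
        "sn": ["Cole"], "userpassword": ["{SSHA}y"], "uidnumber": ["1002"],
        "gidnumber": ["100"]}),
    ("o=area2,o=myorg,dc=org", {"objectclass": ["organization"], "o": ["area2"]}),
]

if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        got = replicate(PROVIDER, "o=area1,o=myorg,dc=org", scope,
                        "(objectClass=posixAccount)", "cn,sn,userPassword")
        print(scope, sorted(got))
```

With scope=base and a posixAccount filter the result is empty, because the searchbase entry o=area1 is an organization, not a posixAccount; that is why a directive like the answer's, rooted at an ou with scope=base, pulls nothing unless the base entry itself matches the filter.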