Andrew Bartlett abartlet at
Tue Aug 12 01:23:44 GMT 2008

On Mon, 2008-08-11 at 14:34 +0200, Oliver Liebel wrote:
> hi andrew,
> i have created a simple slapd.conf for the needs of mmr with 2 dcs 
> (ldapmaster + ldapslave),
> based on the standalone-template.
> i have attached a complete one from my test-setup and my idea for a 
> template.
> please take a look on it.

It certainly looks reasonable to me.  Please put the passwords back in
cleartext in the config file for 'rootpw', as we have to have them clear
anyway (in the replication), and it will make debugging easier.  (As you
say, move to SASL later).

> the corresponding steps during provisioning maybe could be done in the 
> following way:
> (just the mmr-specific settings below)
> setup dc1:
> #> provision-backend --ol-mmr="yes" 
> --ol-mmr-url1="ldap://"  
> --ol-mmr-url2="ldap://" ...
> --ol-mmr="yes" forces the use of the slapd.conf.mmr as 
> slapd.conf-template, serverid should be increased for every url, 
> starting from "1")
> i think we should generate the rids automatic too, depending on how much 
> dcs are involved, starting from 1.


> next starting slapd on ldapmaster listening on port 9000, then provision 
> ldapmaster with:
> #> provision  --ldap-backend="ldap://" 
> --ldap-backend-type=openldap ...

We could potentially still provision to the ldapi URL, if you started
slapd listening on both ldapi and TCP sockets.

> setup dc2:
> provisioning-backend <same mmr-parameters as above>
> next starting slapd on ldapslave listening on port 9000,
> provision (initial content load) on ldapslave is started automatic 
> through replication.
> next starting smbd on ldapmaster (slapd still running) and join 
> ldapslave as bdc
> /usr/local/samba/bin/net join LDAP BDC -U administrator%linux -d 3
> "....
> We still need to perform a DsAddEntry() so that we can create the 
> CN=NTDS Settings container.
> Joined domain LDAP (S-1-5-21-61934931-241975640-940257882)"
> -> but the ntds entry already seems to be created correctly.

OK... (this area does need to be cleaned up)

> i have tested replication between both servers in both directions by 
> modifiying the description of the
> administrator object, works fine.


> could you please point me in the right direction, of how to add new 
> parameters to the
> provision-backend script und what files (excluding slapd.conf template) 
> are used during
> the backend provision too? 

The rest of the script is in scripting/python/samba/

> i have attached a modified version of the 
> provision-backend script, as far as
> i could set it up (hopefully not to bad...).

It looks alright, but please post a diff next time (makes it easier to
spot your changes).

Look closely at how we sub in memberof configuration into the
slapd.conf.  I suggest that you could add a ${REPL_CONFIG} after each
database, which the script could sub with either "" or by reading and
subing in a slapd-replica.conf

Let me know if you need any more help.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list