[Samba] LDAP Master/Slave

Jason C. Waters jwaters at h2os.com
Wed Aug 18 16:52:54 GMT 2004


I don't think this is a solution.  If I understand what you were saying, 
on the BDC I should have this as the passwd backend:

passwd backend = ldapsam:"ldaps://ldap.server2 ldaps://ldap.server1"

server2 - the BDC and ldap slave which is read only
server1 - is the PDB and has the ldap master which users can read/write, 
so they could update their passwords.

If I have it set up this way, the users that are on the other side will never 
be able to update their passwords, at least on that leg of the VPN.  Or 
maybe I'm just thinking about this the wrong way.

Jason

rruegner wrote:
> Hi,
> if you want your bdc to stay alive in cases
> when the vpn breaks, then in your bdc smb.conf
> your slave ldap should be the first entry in the passwd backend,
> so if the vpn breaks, the slave ldap operates with its last
> entries from the master and will give the win clients a chance
> to operate just as if the pdc is alive.
> If the vpn is up again, the ldap should refresh the slave automatically.
> But note, a bdc is read only so changes can only be made to the master 
> ldap on the pdc. So no changes can be made to the domain during the 
> blackout period.
> If you want a fully functional bdc you should also set up user clients' 
> homes and profiles in your outside ( vpn ) office hosted on the bdc.
> ( a separate dhcp server and a bind slave with longtime zone caching is 
> very useful, too )
> 
> Regards
> 
> Jason C. Waters wrote:
> 
>> Is anyone using this?  My smb.conf file has this line in server1(master)
>>
>> passwd backend = ldapsam:"ldaps://ldap.server1 ldaps://ldap.server2"
>>
>> and this is what server2(slave ldap, BDC) looks like:
>>
>> passwd backend = ldapsam:"ldaps://ldap.server1 ldap.server2"
>>
>> This is what happens.  When I take down server 1's ldap server, 
>> server2 just starts using its local ldap server.  But if I take down 
>> the VPN between the two, I try the same test, pdbedit -L, it works but 
>> it takes about 6 seconds for it to time out on server1.  Is this normal 
>> or do I need to change some DNS setting?  Thanks for your help.
>>
>> Jason
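
Added example (not part of the original thread and not Samba code): a small Python check that parses the `passwd backend` lines quoted above, flags URI entries with no scheme, and models the ordered failover discussed in the thread. The function names, the constant names, and the 6-second per-server wait (taken from the delay reported above) are assumptions for illustration; the model assumes servers are tried in the order listed.

```python
import re
from urllib.parse import urlparse

# smb.conf lines as they appear in the thread
BDC_AS_POSTED = 'passwd backend = ldapsam:"ldaps://ldap.server1 ldap.server2"'
MASTER_FIRST = 'passwd backend = ldapsam:"ldaps://ldap.server1 ldaps://ldap.server2"'
SLAVE_FIRST = 'passwd backend = ldapsam:"ldaps://ldap.server2 ldaps://ldap.server1"'

def parse_backend(line):
    """Return the ordered list of LDAP URIs from an ldapsam passwd backend line."""
    m = re.search(r'ldapsam:"([^"]*)"', line)
    if not m:
        raise ValueError("no quoted ldapsam URI list found")
    return m.group(1).split()

def lint_uris(uris):
    """Flag entries that are bare host names rather than ldap:// or ldaps:// URIs."""
    problems = []
    for u in uris:
        if urlparse(u).scheme not in ("ldap", "ldaps"):
            problems.append((u, "missing ldap:// or ldaps:// scheme"))
    return problems

def simulate_lookup(uris, reachable, connect_timeout=6.0):
    """Model ordered failover: return (server_used, seconds_waited).

    reachable is the set of host names that answer from this machine;
    connect_timeout is the assumed wait before giving up on one server.
    """
    waited = 0.0
    for u in uris:
        if urlparse(u).hostname in reachable:
            return u, waited
        waited += connect_timeout
    return None, waited

if __name__ == "__main__":
    print("lint:", lint_uris(parse_backend(BDC_AS_POSTED)))
    vpn_down = {"ldap.server2"}  # on the BDC, only the local slave answers
    for name, line in (("master first", MASTER_FIRST), ("slave first", SLAVE_FIRST)):
        print(name, simulate_lookup(parse_backend(line), vpn_down))
```
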

