Being in the DMZ, the new mail server has its own OpenLDAP directory server, which has to be kept synchronized with a master copy located on the internal network. OpenLDAP offers slurpd, which "pushes" modifications made on the master out to slave servers, and syncrepl, with which a slave "pulls" changes from a master. Both are replication mechanisms and, as the word implies, apply updates to the slave verbatim, i.e. without any changes to the entries.

What I need, though, is a synchronization process that lets me modify entries on the fly. That is the purpose of the lsync program I'm developing. A configuration file specifies a search filter that decides which entries are read from the master, and attribute values can be rewritten on the fly before the entries are copied to the target (i.e. slave) servers.

An example might help. For the mail toaster, users will be completely "virtual", although their passwords, common names, etc. should be copied from the master LDAP directory. Specifying

autotypes             = uidnumber, homedirectory, loginshell, gecos, mail
auto/uidnumber        = 8000
auto/homedirectory    = /shared/homes/domain/{@uid}
auto/loginshell       = /bin/false
auto/gecos            = "{$cn}"

will have the entries read from the source directory modified accordingly before they are added to or modified on the target LDAP server. It works pretty well.
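As an added illustration (this is not lsync's own code, which the post does not show), here is a small Python rewrite pass that applies the configuration above to constructed source entries: entries are selected by a filter, the autotypes are generated or templated from the source entry, and everything else, such as userPassword and cn, passes through verbatim. The filter syntax (reduced to a single equality term), the dict representation of entries, and the reading of both {@attr} and {$attr} as "first value of attr" are my assumptions. The example additionally refuses a uid containing a path separator, because a templated homeDirectory built from directory data could otherwise point outside /shared/homes/domain on the mail server.

```python
"""Added example (not lsync's code): lsync-style rewriting of LDAP entries
before they are written to a target directory.

Assumptions made here, not taken from the post:
  - an entry is a dict mapping lower-cased attribute type -> list of str values
  - {@attr} and {$attr} both expand to the first value of attr in the source entry
  - an autotype without an auto/ value keeps whatever the source entry had
  - the filter is a single equality term such as (objectclass=inetorgperson)
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# The post's configuration, as a dict. "filter" is assumed; the post shows none.
CONFIG = {
    "filter": "(objectclass=inetorgperson)",
    "autotypes": ["uidnumber", "homedirectory", "loginshell", "gecos", "mail"],
    "auto/uidnumber": "8000",
    "auto/homedirectory": "/shared/homes/domain/{@uid}",
    "auto/loginshell": "/bin/false",
    "auto/gecos": '"{$cn}"',
}

# Generated attributes that end up as filesystem paths: values substituted
# from the directory must not be able to escape the intended tree.
PATH_ATTRS = {"homedirectory"}

_PLACEHOLDER = re.compile(r"\{[@$](\w+)\}")
_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()*]+)\)$")


def matches_filter(entry: Entry, ldap_filter: str) -> bool:
    """Minimal matcher for one equality term. A real tool hands the filter to
    the LDAP server; this is only enough to select the sample entries below."""
    m = _SIMPLE_FILTER.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == wanted for v in entry.get(attr, []))


def _path_component(value: str) -> str:
    """Reject values that would change the directory a path template lands in."""
    if not value or "/" in value or "\0" in value or value in (".", ".."):
        raise ValueError(f"refusing to use {value!r} as a path component")
    return value


def expand(template: str, src: Entry, path_safe: bool = False) -> str:
    """Replace {@attr}/{$attr} placeholders with the source entry's first value.
    Surrounding double quotes, as in auto/gecos, are stripped first."""
    def substitute(m) -> str:
        attr = m.group(1).lower()
        values = src.get(attr)
        if not values:
            raise KeyError(f"source entry has no {attr} for template {template!r}")
        return _path_component(values[0]) if path_safe else values[0]
    return _PLACEHOLDER.sub(substitute, template.strip('"'))


def rewrite(entry: Entry, config: dict) -> Entry:
    """Return the entry as it would be written to the target directory."""
    out: Entry = {k.lower(): list(v) for k, v in entry.items()}
    for attr in config["autotypes"]:
        template = config.get(f"auto/{attr}")
        if template is None:
            continue  # e.g. mail: no auto/ value, copied from the master as-is
        out[attr] = [expand(template, out, path_safe=attr in PATH_ATTRS)]
    return out


def sync(entries: List[Entry], config: dict) -> List[Entry]:
    """Select entries with the filter, then rewrite each one."""
    return [rewrite(e, config) for e in entries if matches_filter(e, config["filter"])]


# Constructed sample entries; the password hash is a placeholder, not a real one.
JANE: Entry = {
    "objectclass": ["inetOrgPerson", "posixAccount"],
    "uid": ["jane"], "cn": ["Jane Doe"],
    "userpassword": ["{SSHA}placeholder-hash"],
    "uidnumber": ["1042"], "homedirectory": ["/home/jane"],
    "loginshell": ["/bin/bash"], "mail": ["jane@example.com"],
}
STAFF_GROUP: Entry = {"objectclass": ["groupOfNames"], "cn": ["staff"]}
BAD_UID: Entry = {"objectclass": ["inetOrgPerson"], "uid": ["../mallory"], "cn": ["Mallory"]}

if __name__ == "__main__":
    for e in sync([JANE, STAFF_GROUP], CONFIG):
        print(e)
```

Every selected user receives uidNumber 8000 and /bin/false, exactly as the post's configuration intends for virtual users, while the group entry never reaches the mail server because it fails the filter. Running rewrite(BAD_UID, CONFIG) raises ValueError instead of producing /shared/homes/domain/../mallory.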


blog comments powered by Disqus