[Kolab-devel] OpenLDAP replication issues: slurpd vs syncrepl

Fabio Pietrosanti lists at pietrosanti.it
Sun Feb 12 12:33:38 CET 2006


I'm evaluating, based on the following information:

http://pacsec.jp/core05/psj05-barisani-en.pdf

http://www.openldap.org/doc/admin22/syncrepl.html

the syncrepl framework embedded within OpenLDAP, which sounds to me much
more flexible, feature-rich, and better designed than slurpd.

With syncrepl it should be possible to replicate to slave servers only a
piece of the LDAP database instead of replicating the complete directory
tree.

This would give many improvements:
- security
  With syncrepl it is possible to specify parameters for what has to be
  replicated and where.
  It should be possible to replicate to slave server B only the users
  that have KolabHomeServer: B.
  Or the whole LDAP database should be replicated, but without the
  "password" for "non local users".
  It should avoid the case where a Kolab server installed in a branch
  office, not under the strict security control of the central
  organization, is physically compromised and the password hashes of ALL
  users are compromised.

- network performance
  Only the data needed to allow a slave server to work should be replicated.

- cyrus performance
  Only mailboxes of local users should be created.
 
- Kolab design simplicity enhancements
  Slurpd should be used only for kolabd notification but not for
  replication, leaving this task to the more feature-rich syncrepl.

Those are considerations based on my experience with a distributed (many
specialized servers) with 78k users.

Bye

Fabio
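
Added example, not part of the original post: a slapd.conf sketch of the two restrictions described above, with the consumer stanza using the syncrepl directive documented in the linked admin guide. The suffix dc=example,dc=com, the host names, the replica bind DN, the credentials and the value b.example.com (standing in for server B) are placeholders, and parameter details may differ between slapd versions.

```conf
# ---- Provider (central server) slapd.conf ----
# Assumption: the replica for branch B binds as its own DN, so the
# provider can decide what that identity may read. A syncrepl consumer
# only receives what its bind DN is allowed to see, so this ACL is the
# real enforcement point; the consumer-side filter below is chosen by
# the branch server and cannot be trusted if that server is compromised.
#
# Withhold userPassword of every entry that is NOT homed on server B
# from replica B. Other identities fall through to the later ACLs.
# Must appear before any broader ACL covering userPassword.
access to dn.subtree="dc=example,dc=com"
        filter=(!(kolabHomeServer=b.example.com))
        attrs=userPassword
        by dn.exact="cn=replica-b,dc=example,dc=com" none
        by * break

# Assumption: a later ACL grants cn=replica-b read access to the
# remaining attributes it needs.

# ---- Consumer (branch server B) slapd.conf, in the database section ----
# Variant 1: replicate only the users homed on B (filter below).
# Variant 2: replicate the whole tree by using filter="(objectClass=*)";
#            the provider ACL above still strips non-local passwords.
syncrepl rid=001
        provider=ldaps://ldap-master.example.com
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=example,dc=com"
        scope=sub
        filter="(kolabHomeServer=b.example.com)"
        attrs="*"
        bindmethod=simple
        binddn="cn=replica-b,dc=example,dc=com"
        credentials=CHANGE-ME
```

To check the result, bind to the provider as the replica DN and search for an entry homed on another server: userPassword should be absent from the returned attributes.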