Symas OpenLDAP Knowledge Base

Fractional Replication in OpenLDAP

Overview

Sometimes you only want part of the full directory available on a consumer. Fractional Replication makes that possible: the consumer replicates only the entries (and, optionally, only the attributes) that a search on the Producer selects, and everything else stays on the Producer.

Steps

  1. Design a search (base, scope, filter and attribute list) that isolates the subset of entries you want in the fraction[^1],
  2. Use the same basic configuration as a full replica,
  3. Use your fractioning search as the search in the consumer's syncrepl directive, and
  4. Chain ALL updates to the Producer, so that the consumer never accepts a write of its own.

[^1]: The simplest fraction is a subtree of the DIT.
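The four steps above, carried through as one cn=config fragment for the consumer. This is an added example written for this page, not configuration shipped by OpenLDAP or Symas, and every name in it is assumed: the Producer `ldap.example.com`, the fraction `ou=people,dc=example,dc=com` limited to `inetOrgPerson` entries and five attributes, the replication identity `cn=replicator,dc=example,dc=com` and its password, and the CA file path.

```ldif
# Consumer database (step 2): the suffix IS the fraction, so nothing
# outside ou=people can ever be stored on this server.  All names assumed.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: ou=people,dc=example,dc=com
# rootdn is the identity syncrepl writes with; it need not be inside the suffix
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
# Step 3: the fractioning search lives in the syncrepl parameters.
# searchbase/scope/filter select the entries, attrs selects the attributes.
# schemachecking=off because an attribute-limited fraction may omit
# attributes the schema marks MUST.
olcSyncrepl: rid=101
  provider=ldaps://ldap.example.com
  type=refreshAndPersist
  retry="60 +"
  searchbase="ou=people,dc=example,dc=com"
  scope=sub
  filter="(objectClass=inetOrgPerson)"
  attrs="uid,cn,sn,userPassword,mail"
  schemachecking=off
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=secret
  tls_reqcert=demand
  tls_cacert=/etc/ssl/certs/corp-ca.pem
# Step 4a: any write that reaches this database is referred to the Producer.
olcUpdateRef: ldaps://ldap.example.com

# Step 4b: the chain overlay on the frontend follows that referral on the
# client's behalf.  It binds to the Producer as the replicator and asserts
# the client's own identity (mode=self), so the Producer's ACLs still
# apply to the real user and clients never see a referral.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldaps://ldap.example.com"
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=secret
  mode=self
```

Two things to check before relying on this: `mode=self` only works if the Producer lets `cn=replicator` assume the identities it forwards (its `authz-policy` and the replicator's `authzTo` must permit it), and the plaintext `credentials` values mean the consumer's `cn=config` database must be as tightly protected as the data it replicates.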

Discussion

Security and regulatory requirements drive the geographic and logical topology of directory data. When no such pressures are present we replicate everything to all servers. That maximizes redundancy for availability and minimizes the number of servers needed.

OpenLDAP supports Fractional Replication (FR) so you can stand up a directory server in a hostile environment, such as a DMZ, a branch office, or a partner's network. Only the data needed for that application space is stored there. That minimizes the attack surface and the amount that would be exposed if the directory's security defenses are breached. The fraction must be enforced on the Producer as well as the consumer: a compromised consumer still holds its replication credentials, and whatever those credentials can read on the Producer is exposed with it.
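The Producer-side half of that argument: confining the consumer's replication identity to the fraction it serves, so that a compromised consumer cannot pull the rest of the directory or impersonate users outside its fraction. This is an added example for this page, not configuration from OpenLDAP or Symas, and its names are assumed: `ou=people,dc=example,dc=com` is the fraction, `cn=replicator,dc=example,dc=com` is the identity the consumer binds with, and `olcDatabase={1}mdb` is the Producer's data database.

```ldif
# PRODUCER side.  All names are assumed.
#
# 1. ACLs, inserted ahead of the existing rules: the replicator may read
#    the fraction (all attributes, including the operational ones syncrepl
#    needs) and nothing else.  "by * break" hands every other identity on
#    to the rules that already exist, so their access is unchanged.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * break
olcAccess: {1}to *
  by dn.exact="cn=replicator,dc=example,dc=com" none
  by * break
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited
-

# 2. Proxy authorization for chained writes (chain overlay, idassert
#    mode=self on the consumer): honour the authzTo attribute ...
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# ... and let the replicator assume only identities INSIDE the fraction.
# A user outside ou=people can never be impersonated through this consumer.
dn: cn=replicator,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.subtree:ou=people,dc=example,dc=com
```

The size/time limits are there because a refreshAndPersist consumer walks its whole fraction on every full refresh; exempting one well-scoped identity is safer than raising the server-wide limits. Use a separate replication identity per consumer, so the ACL and `authzTo` can be different for each fraction and one stolen credential exposes only one fraction.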

FR also lets you set up smaller "local" directory servers. A small server at a site can then authenticate users of local machines, smart door locks, etc., while holding only that site's entries rather than the whole enterprise directory.

More sophisticated fractions are possible. The syncrepl search takes any LDAP filter, scope and attribute list, so a fraction need not be a plain subtree: it can be only the entries of one objectClass, only entries matching an attribute value, or all entries but without sensitive attributes such as passwords. When a fraction omits attributes that the schema requires, leave `schemachecking=off` (the default) on the consumer or the replicated entries will be rejected.