
Replication of LDAP bases



LDAP has considerable flexibility when it comes to replication and 
distribution of data. In a setting where a Debian Edu central LDAP database 
is to be utilised by several schools there are a few issues I would like to 
understand more about. Hopefully some of you have more experience than I and 
want to share.

I see several solutions.

1. A central LDAP server that all servers at remote and local locations 
authenticate against.
This is a solution where there is medium bandwidth available, enough to do 
authentication, but not enough for NFS mounting across the link from a remote 
school to the central server.
The problem here could be all the information stored in the LDAP base that 
really should be unique to the server.
The fact that home directories in particular are found in LDAP should not 
really be a problem, but there needs to be a system where these home dirs 
are created and set up properly locally. wlus will deal with that only on the 
server on which it runs.

2. A central LDAP server that sends replicas of the entire base to remote 
servers. This leads to less traffic, a central server handling all user 
management and no changes to the wlus frontend. There could be scaling 
problems with the central server handling a large number of users, perhaps. 
Also, the parts that should be unique will be shared. E.g. the Samba SID 
would be transferred from the central server to the slaves. Again local home 
dir creation would have to be handled.

3. A distributed, more fine grained system, where the nodes in the LDAP tree are 
split up and changed to reflect the different schools. Then the different 
branches can be replicated to the different schools, and the unique parts. 
The problem with this solution is that the wlus frontend is not able to 
handle this as it stands now. But perhaps the module could be cloned and deal 
with different parts of the tree by changing the suffix?


I have set the replication up, and technically it works well. A new certificate 
had to be made at the slave and a cn made to handle the replication traffic; 
that was about all. But I have not tested if this actually works in a live 
setting.

Any comments appreciated. I may have totally misunderstood this and would like 
to understand where I went wrong in that case :)


-- 
Ragnar Wisløff
--------------
life is a reach. then you gybe.
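As an added illustration (not part of the original message and not necessarily the mechanism its author used), the slapd.conf excerpts below sketch option 3 with OpenLDAP syncrepl: the central server publishes the tree and a school server pulls only its own branch over TLS, using a dedicated replication cn of the kind the message describes. The suffix `dc=example,dc=org`, the branch `ou=school1`, the host names, the account `cn=replicator` and the certificate path are placeholders.

```conf
### Central server (syncrepl provider), slapd.conf excerpt ###
# Placeholder suffix and replication account; substitute the real ones.
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
# The replication account must read the whole tree (userPassword included);
# "break" hands every other bind on to the ordinary ACLs that follow.
access to *
        by dn.exact="cn=replicator,dc=example,dc=org" read
        by * break
# ... ordinary access rules for users and admins go here ...
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

### School server (syncrepl consumer), slapd.conf excerpt ###
# Option 3 from the discussion: only this school's branch is pulled.
# For option 2 (a full replica) point suffix and searchbase at the base
# suffix instead; server-specific attributes such as sambaSID then arrive
# unchanged from the central server, which is the caveat raised above.
database        bdb
suffix          "ou=school1,dc=example,dc=org"
rootdn          "cn=admin,ou=school1,dc=example,dc=org"
syncrepl rid=001
        provider=ldaps://ldap-central.example.org:636
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="ou=school1,dc=example,dc=org"
        scope=sub
        schemachecking=on
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=org"
        credentials=REPLACE_WITH_REPLICATOR_PASSWORD
        # Verify the central server's certificate against the CA that issued it.
        tls_reqcert=demand
        tls_cacert=/etc/ldap/ssl/central-ca.pem
# Writes attempted at the school server are referred back to the central one,
# so local-only data (home dir bookkeeping, Samba domain data) needs its own
# database or a writable branch outside the replicated one.
updateref       ldaps://ldap-central.example.org
```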