Re: Replication of LDAP bases



Ragnar Wisløff:
> LDAP has considerable flexibility when it comes to replication and 
> distribution of data. In a setting where a Debian Edu central LDAP database 
> is to be utilised by several schools there are a few issues I would like to 
> understand more about. Hopefully some of you have more experience than I and 
> want to share.
> 
> I see several solutions.
> 
> 1.
> The fact that home directories in particular are found in LDAP should not 
> really be a problem, but there needs to be a system where these home dirs 
> are created and set up properly locally. wlus will deal with that only on the 
> server on which it runs.

There's a PAM module for this type of feature: pam-mkhomedir. When the
user logs in for the first time, you can run a specified script to do all
sorts of magic things, like setting up the homedir, generating files like
.bash_profile, etc.

> 2.
> A central LDAP server that sends replicas of the entire base to remote 
> servers. This leads to less traffic, a central server handling all user 
> management and no changes to the wlus frontend. There could be scaling 
> problems with the central server handling a large number of users, perhaps. 
> Also, the parts that should be unique will be shared. E.g. the Samba SID 
> would be transferred from the central server to the slaves. Again local home 
> dir creation would have to be handled.

Similar setups are being used with Active Directory in schools today. I
know of a setup with AD where at least 3 schools are interconnected
using a fiber-optic network between the schools. This is a cost issue in
many cases. I advised them to invest in a proper network setup between the
schools using fiber rather than radio (2 Mbit). LDAP is not designed for
heavy writes, and as long as you don't sit and add hundreds of users all
day, network traffic caused by replication shouldn't be a big issue.

> 3.
> A distributed, more fine grained system, where the nodes in the LDAP tree are 
> split up and changed to reflect the different schools. Then the different 
> branches can be replicated to the different schools, and the unique parts. 

As of OpenLDAP 2.2.x, the alternative replication engine Syncrepl supports
both partial and sparse replication. I'd like to see OpenLDAP 2.2.x hitting
the Debian archives any day, but I know there have been some issues with
applying the GnuTLS patches.

> The problem with this solution is that the wlus frontend is not able to 
> handle this as it stands now. But perhaps the module could be cloned and deal 
> with different parts of the tree by changing the suffix?

Or (if I dare suggest it) - use a different LDAP administration tool,
for setups with this need.

-- 
Bjørn Ove Grøtan
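
The two mechanisms named in this reply, local home-directory creation under point 1 and partial/sparse Syncrepl replication under point 3, as an added illustration that is not part of this thread, of wlus, or of Debian Edu's shipped configuration. It shows a PAM session line for pam_mkhomedir and a syncrepl consumer stanza in the OpenLDAP 2.2 slapd.conf style. The base DN, hostnames, file paths, replica user and password are assumed placeholders.

```conf
# /etc/pam.d/common-session (path is an assumption; use whichever file
# holds your session stack). pam_mkhomedir creates a missing home directory
# from the skel directory at first login; it copies files, it does not run
# a script. umask=0077 keeps the new home directory private to its owner.
session required pam_mkhomedir.so skel=/etc/skel umask=0077

# /etc/ldap/slapd.conf on one school's replica (syncrepl consumer).
# Directive names follow OpenLDAP 2.2 syncrepl; confirm them against the
# slapd.conf(5) of the installed release (updatedn= is 2.2-specific).
# Base DN, hosts, DNs and the password below are placeholders.
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
rootdn          "cn=admin,dc=skole,dc=skolelinux,dc=no"
directory       /var/lib/ldap
# entryCSN/entryUUID indexes are what the sync engine searches on
index           objectClass,entryCSN,entryUUID  eq

# Sparse replication: only this school's subtree, and only posixAccount
# entries, are pulled from the central server (searchbase= and filter=).
# Partial replication: only the attributes in attrs= are copied, so the
# Samba attributes the poster wants to keep unique per school, and anything
# else not listed, never reach the replica.
syncrepl rid=001
        provider=ldaps://ldap.central.example.org:636
        type=refreshOnly
        interval=00:00:15:00
        searchbase="ou=skole1,dc=skole,dc=skolelinux,dc=no"
        filter="(objectClass=posixAccount)"
        scope=sub
        attrs="objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,userPassword"
        schemachecking=off
        updatedn="cn=admin,dc=skole,dc=skolelinux,dc=no"
        bindmethod=simple
        binddn="cn=replicator,dc=skole,dc=skolelinux,dc=no"
        credentials=secret-change-me

# Local users on this replica may read their own password hash only for
# authentication; nobody else can read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
```

The attrs= list is the real decision point. userPassword is included here so the school server can still authenticate users when the link to the central server is down, but that means every password hash in the subtree is stored on the remote machine: keep slapd.conf readable by root only (it holds the replicator credentials), pull over ldaps:// rather than plain ldap://, and apply the same ACLs as on the master. Leave userPassword out if the remote server only needs account data for NSS lookups. After the first refresh, an `ldapsearch` against the replica for an attribute you left out of attrs= should return no values; if it does, the provider is ignoring the attribute list and the setup needs rechecking before any password hashes are trusted to it. The provider side (session log and indexes on the central server) is configured differently between 2.2 and later releases and is not shown here.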
