Re: Replication of LDAP bases



Friday 11 February 2005, 09:54, Bjorn Ove Grotan wrote:
> Ragnar Wisløff:
> > LDAP has considerable flexibility when it comes to replication and
> > distribution of data. In a setting where a Debian Edu central LDAP
> > database is to be utilised by several schools there are a few issues I
> > would like to understand more about. Hopefully some of you have more
> > experience than I and want to share.
> >
> > I see several solutions.
> >
> > 1.
> > The fact that home directories in particular are found in LDAP should not
> > really be a problem, but there needs to be a system where these home
> > dirs are created and set up properly locally. wlus will deal with that
> > only on the server on which it runs.
>
> There's a PAM module for this type of feature: pam-mkhomedir. When the
> user logs in for the first time, you can run a specified script to do all
> things of magic, like setting up the homedir, generating files like
> .bash_profile etc.

That is a good idea :)

>
> > 2.
> > A central LDAP server that sends replicas of the entire base to remote
> > servers. This leads to less traffic, a central server handling all user
> > management and no changes to the wlus frontend. There could be scaling
> > problems with the central server handling a large number of users,
> > perhaps. Also, the parts that should be unique will be shared. E.g. the
> > Samba SID would be transferred from the central server to the slaves.
> > Again local home dir creation would have to be handled.
>
> Similar setups are being used with ActiveDirectory in schools today. I
> know of a setup with AD where at least 3 schools are interconnected
> using fiberoptic network between the schools. This is a cost-issue in
> many cases. I advised them to invest in proper network setup between the
> schools using fiber rather than radio (2Mbit). LDAP is not designed for
> heavy writes, and as long as you don't sit and add 100's of users all
> day - network-traffic caused by replication shouldn't be a big issue.

That was the idea. I don't think the openLDAP traffic will be much higher than 
AD.

>
> > 3.
> > A distributed, more fine grained system, where the nodes in the LDAP tree
> > are split up and changed to reflect the different schools. Then the
> > different branches can be replicated to the different schools, and the
> > unique parts.
>
> As of OpenLDAP 2.2.x, the alternative replication-engine Syncrepl supports
> both partial and sparse replications. I'd like to see OpenLDAP 2.2.x
> hitting Debian archives any day - but I know there's been some issues with
> applying gnutls-patches.

It is perhaps a heavy tool, but from what I could read there can be several 
slurpds that handle different replication instances.

>
> > The problem with this solution is that the wlus frontend is not able to
> > handle this as it stands now. But perhaps the module could be cloned and
> > deal with different parts of the tree by changing the suffix?
>
> Or (if I dare suggest it) - use a different LDAP administration tool,
> for setups with this need.

Dare all you want :) 

-- 
Ragnar Wisløff
--------------
life is a reach. then you gybe.
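The three pieces discussed above (pam_mkhomedir for local home directory creation, whole-base slurpd replication for solution 2, and a partial syncrepl consumer for solution 3) as one set of configuration fragments. This is an added example, not configuration from the thread or from Debian Edu itself; the base DN dc=skole,dc=skolelinux,dc=no, the ou=school1 branch, the host names, the cn=replica account and its password are all assumptions. The security point a practitioner should take from it: a full replica carries userPassword and the Samba password hashes, so the replication link must be TLS-protected and the replication account must be the only DN allowed to write on the slave; with syncrepl, searchbase and filter limit what each school server ever receives.

```conf
# /etc/pam.d/common-session on every school server (assumed Debian path).
# pam_mkhomedir creates the home directory on first login; umask=0077 keeps
# the new directory private, skel= is the template copied into it
# (.bash_profile and friends). It runs on whichever server the user
# logs in to, which is what a replicated setup needs.
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077

# ---- Solution 2: whole-base replication with slurpd (OpenLDAP 2.1/2.2) ----
# /etc/ldap/slapd.conf on the central (master) server.
# slurpd reads the replog and pushes every change to each replica line.
# starttls=critical makes slurpd refuse to send anything, including
# password hashes, if TLS cannot be negotiated with the school server.
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
replogfile      /var/lib/ldap/replog
replica         uri=ldap://ldap.school1.example:389
                starttls=critical
                binddn="cn=replica,dc=skole,dc=skolelinux,dc=no"
                bindmethod=simple credentials=replica-secret

# /etc/ldap/slapd.conf on a school (slave) server.
# Only updatedn may write. Any other write is answered with a referral to
# updateref, so user management stays on the central server (and wlus
# there needs no change). The ACL keeps the replicated hashes readable by
# nobody but the replication DN; "by anonymous auth" still lets users
# bind with their password.
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
updatedn        "cn=replica,dc=skole,dc=skolelinux,dc=no"
updateref       ldap://ldap.central.example
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=replica,dc=skole,dc=skolelinux,dc=no" write
        by anonymous auth
        by * none
access to *
        by dn="cn=replica,dc=skole,dc=skolelinux,dc=no" write
        by * read

# ---- Solution 3: partial replication with syncrepl (OpenLDAP 2.2.x) ----
# /etc/ldap/slapd.conf on the school1 server. The consumer pulls, rather
# than being pushed to, and only fetches the school's own branch:
# searchbase and filter are where "partial and sparse" replication
# happens, so a school server never holds other schools' accounts or
# hashes. Same suffix as the central server, so clients need no change.
# interval is dd:hh:mm:ss, here every 15 minutes.
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
syncrepl        rid=001
                provider=ldaps://ldap.central.example
                type=refreshOnly
                interval=00:00:15:00
                searchbase="ou=school1,dc=skole,dc=skolelinux,dc=no"
                filter="(objectClass=*)"
                scope=sub
                attrs="*"
                schemachecking=off
                bindmethod=simple
                binddn="cn=replica,dc=skole,dc=skolelinux,dc=no"
                credentials=replica-secret
```

The replica and syncrepl lines use slapd.conf's continuation convention (a line starting with whitespace continues the previous directive). With the slurpd variant, one slurpd handles all replica lines of a master; several slurpd instances are only needed if masters with different suffixes are involved. Note that a school-local write (a user changing their password against the slave) is referred to the central server, so that server must also be reachable over TLS from the clients. Later OpenLDAP releases changed the provider side of syncrepl (2.3 and newer use the syncprov overlay), so check slapd.conf(5) for the version actually packaged.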