Hi there,
This will probably be a lengthy discussion. I appreciate any helpful
comments. I also searched the lists and web but couldn't find good
information.
I operate 27 servers all over the world, all running Debian (without
Debian, this wouldn't be possible). Now I would like to unify them by
using LDAP as a configuration and user management backend, as well as
AFS to share filesystems.
I see this as a series of steps as follows. Basically, while I am good
with the theory of all this, I have little to no practical experience,
so I appreciate any comments.
1. Select three servers to be the LDAP servers, configure them all for
ldap-ssl (no clear-text here) and then hook them into
a master-slave configuration with two of them mirroring the primary
one. I'll use bind9 round-robin to do some fairly unadvanced
load-balancing between them, and should be able to deal with the
failure of one of the three servers fairly easily.
2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
to contain no user but root and the various other defaults that
Debian installs. All users for all systems should be placed in
a global LDAP tree, with each user's record specifying what systems
s/he may log in to.
3. Separate the mail users from the real users. About 70% of my users
never log in and simply use IMAPs or POP3s to retrieve their mail.
These should also live in the LDAP tree, but possibly under
a different subtree. I'd like to keep using postfix + courier to
handle all mail tasks. Is this possible, or should I start looking
into cyrus?
4. Put major user configuration items (like .forward, spamassassin)
into the LDAP tree. I am sure postfix can handle this particular one
somehow, and one can probably hack solutions up for other proggies.
5. Put major system configuration (postfix, bind9, apt, etc.) into the
LDAP tree.
6. Export /home from every system to every other system:
all:/home/seamus -> seamus.madduck.net:/export/home
all:/home/diamond -> diamond.madduck.net:/export/home
all:/home/embryo -> embryo.madduck.net:/export/home
etc...
Once this is all done, I think the system will rock.
I do have one question on LDAP: Can it be used as a relational
database? For instance, I would like to have a list of systems that
a user may use for login stored for each user. Can I link the systems
out of a different subtree (that I use for system configuration in
step 5), or would I need to duplicate the information?
Or would PostgreSQL be a better albeit not as performant choice in the
first place?
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
a friend is someone with whom
you can dare to be yourself
Attachment:
pgpV9FmI49eqw.pgp
Description: PGP signature