Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
- To: "Erling Ringen Elvsrud" <erlingre@xxxxxxxxx>
- Subject: Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
- From: "Gary Richardson" <gary.richardson@xxxxxxxxx>
- Date: Tue, 15 Jan 2008 06:32:36 -0800
- Cc: sage-members@xxxxxxxx
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; bh=6o8WdctgppvIOT1PDPJKieSrEgeaRQbgfwPuqYZiPgk=; b=MYPjDbn6sDE7zlqJHlQ+Fll4OAK3WgTTleWYKyCzJmc7e73kdEd0lY7c84bvrWGmnxCW01YnCkjNsBgJmnXPk3OIEk8y+AI+K+26QOTuAIrvcej3S4UOIdoGWklyRrpX3qIsK/TU05Jtz9QzQBtUZ/dCYi7054i/fAo5lsD/Fbc=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=a2nwscrBxnnb2sas63scYnn5l+b5IdF3h1BSLYX3kbD0o4niYn0oopIN/pDhnnhwL9ISZvnDAVElKjmfcuLfiSU4gelzdCXW8EPnG1WHYfxIKbEeo5jXdpgOaGvNc5UhJkdEXYvxj/c7LIC78Q5lrXCKK5ofH9GWx6ek5/uRcCI=
- In-reply-to: <664c5a070801150350o531c2cdel4a8c57f55d6b63f9@xxxxxxxxxxxxxx>
- References: <664c5a070801150350o531c2cdel4a8c57f55d6b63f9@xxxxxxxxxxxxxx>
- Sender: owner-sage-members@xxxxxxxxxx
> With my limited LDAP experience I expect that the final solution will
> consist of something like a writeable master (or 2 if possible)
> accessible from all environments and read-only replicas in most other
> environments (firewalls are opened to allow communication where
> needed).
I don't have whitepapers, but I have run a similar setup using OpenLDAP -- around 100 servers in two locations. Unix logins, Qmail-LDAP, Apache, Asterisk and various directory web apps all used the database.
There was a read/write master in one and a read-only replica in the other. There was around 750MB of data in LDAP (all the employees had their pictures in LDAP, as well as a lot of mail server configuration). The LDAP servers, running in VMware virtual machines, were very lightly loaded. At various times, we had up to 6 replicas running.
I read an awesome article on exposing Active Directory LDAP so that you can use it for nss_ldap authentication. I can't seem to find it right now. Having Linux boxes talk directly to AD via LDAP is possible. The key points in the article were:
- you had to set up a 'guest' account to allow the unix boxes to connect to LDAP
- you had to install the NIS schema -- even though you aren't using NIS, it provides the unix attributes for your objects
- I believe you had to use ldaps
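The three points above (a dedicated bind account, the NIS/RFC 2307 attributes on each AD object, and TLS on the wire) are exactly what tends to be wrong when a Unix host is first pointed at AD. The script below is an added example, not code from the post or from nss_ldap: it parses an nss_ldap-style ldap.conf and an LDIF export of the user objects, then reports whether the transport would leak the bind password and which accounts still lack the POSIX attributes nss_ldap needs. The directive names (uri, base, binddn, bindpw, ssl, tls_cacertfile, nss_map_attribute, nss_map_objectclass) are the ones nss_ldap documents; the AD attribute names sAMAccountName and unixHomeDirectory, the server names and both sample inputs are constructed for the demonstration.

```python
"""Pre-flight audit for nss_ldap against Active Directory (added example).

Checks two things before any Unix host is pointed at AD:
  1. the bind to the 'guest' service account will not cross the wire in the clear;
  2. every user object carries the NIS-schema attributes a posixAccount needs.
"""

# Constructed sample of /etc/ldap.conf as nss_ldap reads it (not from the post).
SAMPLE_LDAP_CONF = """\
# bind as the dedicated read-only 'guest' account, not as a domain admin
uri ldap://dc1.example.test/
base dc=example,dc=test
binddn cn=ldapguest,ou=Service Accounts,dc=example,dc=test
bindpw s3cret
ssl start_tls
# map the NIS/RFC 2307 names nss_ldap expects onto AD attribute names (assumed)
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
"""

# Constructed LDIF export of two AD users; 'bob' was never given a uidNumber or shell.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=test
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,OU=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bob
gidNumber: 10000
unixHomeDirectory: /home/bob
"""

# Attributes nss_ldap needs on a posixAccount to build a passwd(5) line.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldap_conf(text):
    """Return a dict of directives; the two nss_map_* directives become sub-dicts."""
    conf = {"nss_map_attribute": {}, "nss_map_objectclass": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        key = parts[0].lower()
        if key in ("nss_map_attribute", "nss_map_objectclass") and len(parts) == 3:
            conf[key][parts[1]] = parts[2]          # e.g. uid -> sAMAccountName
        elif len(parts) >= 2:
            conf[key] = line.split(None, 1)[1]      # keep the whole value, spaces included
    return conf


def transport_findings(conf):
    """Findings about how the bind credentials travel and whether the server is verified."""
    findings = []
    uri = conf.get("uri", "")
    ssl = conf.get("ssl", "off").lower()
    if not uri.lower().startswith("ldaps://") and ssl != "start_tls":
        findings.append("bind password would cross the wire in the clear: use ldaps:// or 'ssl start_tls'")
    if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no tls_cacertfile/tls_cacertdir: the DC's certificate cannot be validated")
    if "bindpw" in conf:
        findings.append("bindpw stored in ldap.conf: restrict the file so the service-account password is not world-readable")
    return findings


def parse_ldif(text):
    """Minimal LDIF reader: attr: value lines, blank line ends an entry (no base64 '::' support)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_posix_attrs(entry, conf):
    """POSIX attribute names absent from the entry, after applying the nss_map_attribute mapping."""
    amap = conf["nss_map_attribute"]
    return [a for a in POSIX_REQUIRED if amap.get(a, a) not in entry]


def audit(conf_text, ldif_text):
    """Combine both checks into one report keyed by DN for the incomplete accounts."""
    conf = parse_ldap_conf(conf_text)
    report = {"transport": transport_findings(conf), "accounts": {}}
    for entry in parse_ldif(ldif_text):
        missing = missing_posix_attrs(entry, conf)
        if missing:
            report["accounts"][entry["dn"][0]] = missing
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LDAP_CONF, SAMPLE_LDIF)
    for finding in result["transport"]:
        print("transport:", finding)
    for dn, missing in result["accounts"].items():
        print("incomplete:", dn, "lacks", ", ".join(missing))
```

Run it against a real export (`ldapsearch -LLL ... > users.ldif`) and your own ldap.conf; any account listed as incomplete will either be invisible to getent or get an empty shell or home directory, and any transport finding means the guest account's password is worth protecting better before the first host is switched over.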