I've been using OpenLDAP for years now. I did investigate going to
389-DS years ago and gave up on it for the following reasons:
1. The documentation was not very good. I remember setting things up
exactly as I believe the documentation instructed, and things wouldn't
work. A coworker with more experience with 389-DS would come over, and
to fix the problem would do *exactly* the opposite of what I thought the
instructions were saying to do. Very frustrating.
2. When investigating using replication, I found the replication logs
stored user passwords in plain text, and even labelled the data as
"plaintext password". That was a show-stopper for me. I shared my
findings with my coworkers, and we agreed that was too bad a practice
for us to accept.
When did you last look at OpenLDAP? OpenLDAP has had multi-master
capability for a while now, but the developers advise against it, and I
have to agree with them. For most cases, multi-master creates
unnecessary complexity that leads to data loss in certain cases (I forget
the details, but I think this would happen if both masters had different
data, and both lost power before the replication completed - ask on the
openldap mailing list for the developers' arguments against multi-master).
I also would not call the OpenLDAP replication mechanism a bolted-on
script. It used to be a separate process, the slurpd daemon, but that
was superseded a while ago by a newer mechanism that is incorporated
into slapd.
In my environments, I never really saw a pressing need for multi-master.
I have one read-write master, and then several read-only slaves. I'll
make the head node of each cluster a read-only slave, so the compute
nodes don't have to leave the cluster's private network to get directory
information.
Prentice
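For readers who have not seen what the in-slapd replication mechanism (syncrepl, the successor to slurpd) looks like in practice, here is the single-master, read-only-replica layout described above, expressed as cn=config LDIF. This is an added illustration written for this page, not configuration from either poster or from the OpenLDAP project; the host names, the dc=example,dc=com suffix, the olcDatabase={1}mdb index and the replicator DN are assumed placeholders.

```ldif
# --- On the read-write master (syncrepl provider) ---
# Load the syncprov overlay module (assumed module path/ordering: cn=module{0}).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# Attach syncprov to the main database so consumers can pull changes.
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

# Give only the replicator DN read access to password hashes;
# ordinary binds may only authenticate against them, not read them.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by anonymous auth
  by self write
  by * none

# --- On each cluster head node (read-only syncrepl consumer) ---
# refreshAndPersist keeps a persistent connection and receives changes as
# they happen; tls_reqcert=demand plus an ldaps:// URL keeps password
# hashes off the wire in the clear. The credentials= value is stored in
# cn=config in plain text, so lock down access to cn=config accordingly.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://ldap-master.example.com
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLACE_WITH_REPLICATOR_PASSWORD
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  tls_reqcert=demand
-
# Writes sent to the replica are answered with a referral to the master,
# so compute nodes on the private network stay read-only by construction.
add: olcUpdateRef
olcUpdateRef: ldaps://ldap-master.example.com
```

To confirm a replica is caught up, compare the base entry's contextCSN on master and replica with `ldapsearch -LLL -s base -b "dc=example,dc=com" contextCSN`; the values match when the consumer has applied every change the provider has logged.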
On 10/24/2018 12:29 PM, Tom Harvill wrote:
Hello,
Long time lurker, very infrequent poster - I enjoy this list very much.
We run multiple clusters in different data centers with a single
directory (LDAP) for general authentication and some user grouping for
special purposes (e.g. delineating admin users for privileges). We put
'extra' user data in an RDBMS.
We currently use 389-DS (aka Fedora Directory Server) and there is
some internal pressure to switch to OpenLDAP.
389-DS is working well, we use the multi-master feature. It really
hasn't failed us.
I'm writing this list to ask:
- what directory solution do you implement?
- if LDAP, which flavor?
- do you have any opinions one way or another on the topic?
Because 389-DS has just worked, it's sort-of out of sight and mind.
I've been re-engaging it for a little while and from what I can see
it's fairly well documented (I don't remember this being the case when
we originally set it up 10+ years ago.) I think OpenLDAP doesn't have
integrated multi-master replication - that feature appears to be a
bolted-on script.
Thanks in advance for your time,
Tom
Tom Harvill
Holland Computing Center
https://hcc.unl.edu
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf