On Thu, 25 Oct 2018 at 18:40, Tony Brian Albers <t...@kb.dk> wrote:

> On Wed, 2018-10-24 at 11:42 -0500, Tom Harvill wrote:
> >
> > We run multiple clusters in different data centers with a single
> > directory (LDAP) for general authentication and some user grouping for
> > special purposes (e.g. delineating admin users for privileges). We put
> > 'extra' user data in an RDBMS.
> >
> > We currently use 389-DS (aka Fedora Directory Server) and there is some
> > internal pressure to switch to OpenLDAP.
> >
> > 389-DS is working well, we use the multi-master feature. It really
> > hasn't failed us.
> >
> > I'm writing this list to ask:
> >
> > - what directory solution do you implement?
> > - if LDAP, which flavor?
> > - do you have any opinions one way or another on the topic?
> >
> > Because 389-DS has just worked, it's sort of out of sight and mind. I've
> > been re-engaging it for a little while and from what I can see it's
> > fairly well documented (I don't remember this being the case when we
> > originally set it up 10+ years ago.) I think OpenLDAP doesn't have
> > integrated multi-master replication - that feature appears to be a
> > bolted-on script.
>
> At KB one of our Hadoop clusters is using 389-DS through FreeIPA, and
> it works great. Our 389-DS server is getting hit pretty hard from time
> to time since everything is using Kerberos and FreeIPA (all the jobs
> running on the cluster look up users etc. in FreeIPA), but it gets by
> and is very stable (we've had two unexpected service stops fixable by
> just restarting them in 2½ years now).
>
> All hosts use sssd and user homedirs are automounted on them using
> krb5.
>
> IMO you should consider IdM or FreeIPA since it brings quite a lot of
> extra functionality while still using a standard LDAP backend.

100% agree. FreeIPA with SSSD includes 389-DS and has been perfect. Would always recommend.

I've been following the IPA/SSSD development quite closely for two years now - they are a very good team and have actively helped me with issues on the mailing lists on numerous occasions.

Cheers
L.

_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf