On Thu, Jun 22, 2023 at 11:07:25AM +0200, cYuSeDfZfb cYuSeDfZfb wrote:
> Hi,
>
> As you may already have discovered from my many posts lately, we're busy
> with our ldap environment, and migrating from openldap 2.4 (bdb/RHEL7) to
> 2.5 on mdb/RHEL9.
>
> We've always had a duo of masters, replicating to a (READ ONLY) duo of
> slaves.
>
> All clients are configured to talk to the slaves, through a load balancer,
> and the masters pretty much only receive updates to the DIT from IdM.
>
> Our problem is: how to handle failed authentications (ppolicy) considering
> that the slaves are read-only and the slaves are where the failed
> authentications take place.
>
> Hence, my request for feedback: is master-slave still considered "the best
> way" of doing this? And then, is there a "standard way" to handle failed
> authentications on read-only slaves?
>
> Or perhaps... is it nowadays better to choose a simpler multi-master (4
> hosts) LDAP setup: four identical servers, where we choose to send clients
> to two specific servers (firewalled differently to handle client access)
> and two others to receive updates from IdM, but use multi-master
> replication so that all changes (either from IdM, or from failed
> authentications) are replicated equally between all four servers.
>
> Seems that the new approach is much simpler.
>
> Any feedback? What is wise?
Do you need the R/O servers for performance/operational/administrative
reasons? If it's a no for all of the above, just a R/W cluster is fine.
Otherwise you'll have to configure ppolicy+chaining on your replicas.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
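For readers who want to see what "ppolicy+chaining on your replicas" looks like in practice, here is a slapd.conf fragment for a read-only syncrepl consumer that forwards bind-triggered ppolicy state changes to the provider. It is an added illustration, not text from either poster and not a Symas or OpenLDAP document; the directives (`updateref`, `ppolicy_forward_updates`, the `chain` overlay) are from slapd.conf(5), slapo-ppolicy(5) and slapo-chain(5), while every hostname, DN, path and credential is a placeholder assumption.

```conf
# Added example (not from the thread): read-only consumer that forwards
# ppolicy state writes (pwdFailureTime, pwdAccountLockedTime, ...) to the
# provider instead of storing them locally. Hostnames, DNs, paths and
# credentials are placeholders; adjust to your environment.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# (OpenLDAP 2.5 builds the ppolicy schema into the overlay; no ppolicy.schema include.)

# Only needed when your build ships these as dynamic modules.
moduleload      back_mdb
moduleload      back_ldap
moduleload      ppolicy

# Global (frontend) chain overlay: when a write on this consumer hits the
# updateref below, follow the referral ourselves and perform the write on
# the provider, returning its result to the caller instead of the referral.
database        frontend
overlay         chain
chain-uri       "ldap://provider.example.com"
chain-idassert-bind bindmethod="simple"
        binddn="cn=ppolicy-forwarder,dc=example,dc=com"
        credentials="PLACEHOLDER"
        mode="none"
chain-tls       start
chain-return-error TRUE

# The replicated DIT.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          PLACEHOLDER
directory       /var/lib/ldap
index           objectClass eq
index           entryCSN,entryUUID eq

# Pull the DIT from the provider over a TLS-protected connection.
syncrepl        rid=001
                provider=ldap://provider.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=PLACEHOLDER
                starttls=critical

# Any write that reaches this read-only consumer is referred here; the
# chain overlay above follows the referral transparently.
updateref       ldap://provider.example.com

overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
# Send failed-bind counters and lockout timestamps to the provider via
# updateref+chain rather than writing them into the local mdb database.
ppolicy_forward_updates
```

The forwarding identity (`cn=ppolicy-forwarder` here) must exist on the provider with write access to the ppolicy operational attributes on user entries; with `mode="none"` the chained modify is performed as that identity, so no proxy-authorization rules are needed. Once the provider accepts the write, syncrepl replicates it back to every consumer, so failed attempts spread by the load balancer across both replicas count against the same lockout threshold, and lockout/unlock events become visible in one place (the provider's access log) for monitoring. Under cn=config the equivalents are `olcUpdateRef` and `olcPPolicyForwardUpdates: TRUE` on the consumer database, and `olcDbURI`, `olcDbIDAssertBind` and `olcChainReturnError` on the chain overlay.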
