Re: [SAGE] RH directory server or IBM TDS and directory structure in a fairly complex environment
Gary Richardson wrote:
> With my limited LDAP experience I expect that the final solution will
> consist of something like a writeable master (or 2 if possible)
> accessible from all environments and read-only replicas in most other
> environments (firewalls are opened to allow communication where
> needed).
>
> I don't have whitepapers, but I have run a similar setup using OpenLDAP
> -- around 100 servers in two locations. Unix logins, Qmail-LDAP, Apache,
> Asterisk and various directory web apps all used the database.
> There was a read/write master in one and a read-only replica in the
> other. There was around 750MB of data in LDAP (all the employees had
> their pictures in LDAP, as well as a lot of mail server configuration).
> The LDAP servers, running in VMware virtual machines, were very
> lightly loaded. At various times, we had up to 6 replicas running.
>
> I read an awesome article on exposing Active Directory LDAP so that you
> can use it for nss_ldap authentication. I can't seem to find it right
> now. Having Linux boxes talk directly to AD via LDAP is possible. The
> key points in the article were:
>
> - you had to set up a 'guest' account to allow the unix boxes to connect
> to LDAP
Right, by default AD doesn't allow anonymous access.
> - you had to install the NIS schema -- even though you aren't using NIS,
> it provides the unix attributes for your objects
Right.
> - I believe you had to use ldaps
You can also use StartTLS. By default, AD doesn't allow Simple Binds over
unencrypted connections.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
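The three points in the exchange above (a dedicated bind account because AD refuses anonymous binds, ldaps:// or StartTLS because AD refuses simple binds over cleartext, and the NIS/RFC 2307 attribute mapping) translate directly into checks on a client's nss_ldap-style ldap.conf. The following Python linter is an added example written for this page; it is not code from the thread, from Symas or from the OpenLDAP project. The sample configurations, host names, DNs and the bind password placeholder are constructed, and the specific mapping it expects (objectclass `user`, login attribute `sAMAccountName`) is an assumption about a typical AD deployment; the exact Unix attribute names differ between the SFU 3.x schema and the R2-and-later RFC 2307 schema, so adjust the `nss_map_attribute` lines to match the domain.

```python
"""Lint an nss_ldap-style ldap.conf for the three AD-specific points from
the thread: a bind account (no anonymous access), an encrypted transport
(ldaps:// or StartTLS, since AD rejects cleartext simple binds) and an
objectclass/attribute mapping for AD user objects carrying Unix attributes.

Added example; sample configs, host names, DNs and the bind password
placeholder below are constructed and not from the original thread.
"""
from typing import Dict, List


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key value...' lines. Keys are case-insensitive and some
    (nss_map_attribute, nss_map_objectclass) repeat, so each key maps to a
    list of values in file order. Blank lines and '#' comments are skipped."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def _two_word_map(values: List[str]) -> Dict[str, str]:
    """Turn 'from to' mapping lines into a lower-cased {from: to} dict."""
    out: Dict[str, str] = {}
    for v in values:
        parts = v.split()
        if len(parts) == 2:
            out[parts[0].lower()] = parts[1].lower()
    return out


def lint_ldap_conf(text: str) -> List[str]:
    """Return findings as 'CODE: explanation' strings; an empty list passes."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []

    # Transport: every URI is ldaps://, or StartTLS is requested via 'ssl'.
    uris = conf.get("uri", [""])[-1].split()
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    if not uris:
        findings.append("URI: no 'uri' directive")
    if not (all_ldaps or ssl_mode == "start_tls"):
        findings.append("TLS: cleartext ldap:// without 'ssl start_tls'; AD rejects "
                        "simple binds on unencrypted connections and the bind "
                        "password would cross the wire in the clear")
    elif "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("CA: no tls_cacertfile/tls_cacertdir, so the domain "
                        "controller's certificate cannot be verified")
    elif conf.get("tls_checkpeer", ["yes"])[-1].lower() == "no":
        findings.append("CA: tls_checkpeer no disables certificate verification")

    # Bind identity: AD does not allow anonymous access by default.
    if "binddn" not in conf:
        findings.append("BIND: no binddn; anonymous bind, which AD denies by default")
    elif "bindpw" not in conf:
        findings.append("BIND: binddn without bindpw (a file holding bindpw must "
                        "also not be world-readable)")

    # Schema mapping: nss_ldap defaults to posixAccount/uid, but AD users are
    # objectclass 'user' with login name sAMAccountName (assumed mapping).
    oc = _two_word_map(conf.get("nss_map_objectclass", []))
    at = _two_word_map(conf.get("nss_map_attribute", []))
    if oc.get("posixaccount") != "user" or at.get("uid") != "samaccountname":
        findings.append("MAP: missing 'nss_map_objectclass posixAccount user' / "
                        "'nss_map_attribute uid sAMAccountName'; nss_ldap's "
                        "defaults will not match AD user objects")
    return findings


# Constructed sample: a first attempt that hits all three problems.
WEAK_CONF = """\
uri ldap://dc1.example.test/
base dc=example,dc=test
"""

# Constructed sample: the thread's three points applied.
HARDENED_CONF = """\
uri ldaps://dc1.example.test/ ldaps://dc2.example.test/
base dc=example,dc=test
binddn cn=ldapguest,cn=Users,dc=example,dc=test
bindpw PLACEHOLDER-GUEST-PASSWORD
ssl on
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem
tls_checkpeer yes
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
pam_login_attribute sAMAccountName
pam_filter objectclass=user
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_ldap_conf(conf) or ["OK"])
```

Run it as a script to see the weak configuration produce TLS, BIND and MAP findings and the hardened one pass; to lint a real file, pass `open("/etc/ldap.conf").read()` to `lint_ldap_conf`. The CA checks only fire once the transport is encrypted, since certificate verification is meaningless on a cleartext connection.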