
Re: central database on one server, "dislocated" servers in many cities



Tomasz Chmielewski wrote:

Howard Chu wrote:

>> 5) moreover, in each branch, clients should be able to change their passwords,
>> and Samba should be able to add machines to the database automatically.
>> These changes should be added to the local machine (to save time on a tight
>> bandwidth, prevent failures due to broken link etc.), which would then be
>> transferred to the central server, and from there, to the rest of the branch offices.

For the realtime solution - use the chaining overlay in OpenLDAP 2.2 to force the replicas to directly update the master when a client performs a modification. This guarantees that changes will preserve data consistency, and avoids the problems of client-side referral chasing, but it requires that the master is reachable when a modification is performed.

OK... I guess I'd use "realtime" solution then.

Could you point me to some documentation on "chaining overlay"?
In the whole "OpenLDAP 2.2 Administrator's Guide" there is no such word as "chaining", and there is only one word "chain", not very relevant to this topic.

My mistake, the chaining overlay has not been released in OpenLDAP 2.2. It is in CVS HEAD though. Basically it uses back-ldap to make slapd chase referrals that the underlying database would otherwise try to send to the client. As such, you should first read the slapd-ldap(5) manpage and then have a look at this message:


http://www.openldap.org/lists/openldap-devel/200306/msg00041.html

You will also need a good understanding of Proxy Authorization, as described in the 2.2 Admin Guide.



As I said, this will be only used for changing passwords / adding machines, and as these are done rather seldom, it's OK if it's slow - consistency is a priority here.


I thought of using referrals for that, but I'm not sure if it's possible to use referrals just for write access:


1) passwords should be written to the master, and then replicated to slaves,

2) on the other hand, passwords should be read from slaves located locally - to provide fast access (and to prevent a situation when a link to the master is broken, and no one can log in, as connecting to master and getting password is impossible).

The chaining solution will accomplish the above. I expect that it will be freshened up for OpenLDAP 2.3 along with a manpage but if you're desperate to try it, it should work with 2.2.


--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
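
A sketch of the replica-side setup described in the message above, as an added example that is not part of the original post or the project's own configuration. It assumes the directive names documented in slapd-chain(5) in later OpenLDAP releases (the CVS HEAD code discussed here may differ); every hostname, DN and credential is a constructed placeholder.

```conf
# --- Branch-office replica: slapd.conf, global section ---
# (placed before any "database" line so it applies to all referrals)
# Constructed example: hosts, DNs and the secret are placeholders.

overlay             chain
chain-uri           "ldap://master.example.com"

# Bind to the master as a dedicated proxy identity and assert the
# identity of the client that issued the write (Proxy Authorization).
chain-idassert-bind bindmethod="simple"
                    binddn="cn=chain-proxy,dc=example,dc=com"
                    credentials="<secret>"
                    mode="self"

# Protect the proxy bind and the chained password changes in transit.
chain-tls           start

# If the master is unreachable, fail the write with an error instead
# of handing the referral back to the client.
chain-return-error  TRUE

# --- Branch-office replica: the locally served database ---
database            bdb
suffix              "dc=example,dc=com"
# ... replication consumer settings for this replica go here ...

# Referral this read-only replica returns for writes; the chain
# overlay follows it on the client's behalf.
updateref           "ldap://master.example.com"

# --- Master: slapd.conf, global section ---
# Honour authzTo rules stored on the proxy identity's entry.
authz-policy        to

# --- Master: proxy identity entry (LDIF, shown as comments) ---
#   dn: cn=chain-proxy,dc=example,dc=com
#   authzTo: dn.regex:^uid=[^,]*,ou=People,dc=example,dc=com$
```

The proxy identity's password sits on every branch server, so keep its authzTo rule as narrow as the set of user and machine accounts that actually need chained writes.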