setting up "redundant" ldap service
Hi all!
Although my questions are in some aspects similar to the ones in the
thread "Multi Master Enviornment for Openldap 2.3", please allow me to
start my own one, as my situation is slightly different.
first what i have:
* two servers, running SLES10 (in a testing environment)
* one is configured as master (i think it should be called the
provider): ldapserv2
* the second should act as slave (consumer): ldapserv1
* both serve as database for freeradius, dhcpd and bind9, which are
working greatly together!
* keeping data consistent is done by syncrepl, which also works great!
now the questions:
1) how to handle write requests sent by clients to the slave (ldapserv1)?
i tried to set up slapo-chain but obviously failed, since clients which
cannot handle referrals fail to write data (they get the error:
LDAP_REFERRAL) if they send it to the slave ldapserv1, or am i
misunderstanding the concept?
my slapd.conf on the slave looks like (relevant part only):
--- slapd.conf
### database definitions etc.
[skipped]
#### chain overlay definition
overlay chain
# default for every chain-uri that follows
chain-rebind-as-user FALSE
chain-uri "ldaps://ldapserv2.biochem.mpg.de"
# per-URI setting: overrides the default above for this URI
chain-rebind-as-user TRUE
# bind to the provider as cn=manager and assert the identity of the
# local user (mode="self"); continuation lines must be indented
chain-idassert-bind bindmethod="simple"
        binddn="cn=manager,o=test"
        credentials="secret"
        mode="self"
#### syncrepl consumer definition
# retry=1,5,5,6,30,+ is read as interval/count pairs: 5 retries at 1s,
# 6 retries at 5s, then every 30s forever.
# interval= only applies to type=refreshOnly and is ignored here.
syncrepl rid=2
        provider=ldaps://ldapserv2.biochem.mpg.de
        type=refreshAndPersist
        retry=1,5,5,6,30,+
        interval=00:00:01:00
        searchbase="o=test"
        filter="(objectclass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        binddn="cn=manager,o=test"
        bindmethod=simple
        credentials="secret"
        sizelimit=unlimited
### update referral: write requests to this consumer get this referral
updateref ldaps://ldapserv2.biochem.mpg.de
---- end of slapd.conf
as said, syncrepl works perfectly, but write requests (via php web
interface) to ldapserv1 are not forwarded (as i would expect/want) to
ldapserv2.
what am i doing wrong here?
2) what to do if ldapserv2 (master) is unreachable? is it possible just
to "switch" ldapserv1 to be a master (commenting out the syncrepl
section, chain and updateref and restarting openldap), or is there a
better method?
3) a "conceptual" question: for production use i think a two server
setup may be not reliable enough (as we plan to do all authentication
via ldap, both users and devices on switches). what would be the
"optimal" setup? i thought of something like one master, which is not
addressed by clients directly, and two slaves which chain write
requests to the master and answer read requests themselves; clients only
contact the two slaves. is this a reasonable setup, or what would be a
preferable installation?
4) what about the mirrormode mentioned (in another thread)? would this
serve my needs better, or is the above scenario "good enough"? but
mirrormode is only available in openldap 2.4?
thanks in advance for any hints and comments!
with best regards
markus
--
Markus Krause email: krause@biochem.mpg.de
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98
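A worked slapd.conf for the layout sketched in question 3 (one provider that clients never talk to, consumers that answer reads themselves and chain writes to the provider), added here as an example; it is not code from the original post or from the OpenLDAP project's documentation. It assumes OpenLDAP 2.3/2.4 slapd.conf syntax, the hostnames from the post plus a hypothetical second consumer ldapserv3, and one placement detail that differs from the posted config: the chain overlay is put in the global section, before any `database` line, so that it runs on the frontend. A write sent to a syncrepl consumer is answered with the updateref referral by the frontend before the backend (and any overlay configured inside that database) is reached, so a chain overlay declared under `database bdb` does not get to forward it. Schema includes, TLS and ACL directives are omitted.

```conf
########################################################################
# File 1: slapd.conf on the provider, ldapserv2 (never contacted by
# clients; the consumers are the only ones that bind here)
########################################################################
database        bdb
suffix          "o=test"
rootdn          "cn=manager,o=test"
rootpw          secret
directory       /var/lib/ldap
index           objectClass,entryCSN,entryUUID eq

# syncprov turns this database into a syncrepl provider; the checkpoint
# and session log keep refreshAndPersist consumers cheap to resync.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

########################################################################
# File 2: slapd.conf on a consumer, ldapserv1 (ldapserv3 is identical
# except for rid=3)
########################################################################
# --- global section: the chain overlay lives here, on the frontend ---
# Forward any referral this server returns (in particular the updateref
# referral for writes) to the provider, binding as cn=manager and
# asserting the identity of the user who bound to this consumer.
overlay         chain
chain-uri       "ldaps://ldapserv2.biochem.mpg.de"
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=manager,o=test"
                        credentials="secret"
                        mode="self"
# Hand the provider's own result back to the client instead of the
# referral (directive documented in 2.4; check slapo-chain(5) on 2.3).
chain-return-error      TRUE

# --- database section ---
database        bdb
suffix          "o=test"
rootdn          "cn=manager,o=test"
directory       /var/lib/ldap
index           objectClass,entryCSN,entryUUID eq

# Pull the whole tree, operational attributes included ("*,+").
# retry="5 6 30 +": six retries 5s apart, then every 30s forever.
syncrepl        rid=2
                provider=ldaps://ldapserv2.biochem.mpg.de
                type=refreshAndPersist
                retry="5 6 30 +"
                searchbase="o=test"
                scope=sub
                attrs="*,+"
                schemachecking=off
                bindmethod=simple
                binddn="cn=manager,o=test"
                credentials="secret"

# Writes arriving at this consumer are answered with this referral; the
# global chain overlay above follows it to the provider for the client.
updateref       ldaps://ldapserv2.biochem.mpg.de
```

Two things to check before putting this near production. First, the consumers carry the provider's rootdn credentials in cleartext and the provider trusts their proxy authorization, so a compromised consumer can write anything to the provider; restrict slapd.conf permissions, and consider a dedicated bind identity on the provider whose `authzTo` attribute (with `authz-policy to`) limits which identities it may assert, instead of the rootdn. Second, with mode="self" the provider evaluates its ACLs against the asserted user, not against cn=manager, so the provider's ACLs still decide who may write; a user who was never allowed to write on the provider gains nothing from chaining, which is the behaviour you want.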