LDAP has considerable flexibility when it comes to replication and distribution of data. In a setting where a Debian Edu central LDAP database is to be utilised by several schools there are a few issues I would like to understand more about. Hopefully some of you have more experience than I and want to share.
I see several solutions.

1. A central LDAP server that all servers at remote and local locations authenticate against. This is a solution where there is medium bandwidth available, enough to do authentication, but not enough for NFS mounting across the link from a remote school to the central server. The problem here could be all the information stored in the LDAP base that really should be unique to the server. The fact that home directories in particular are found in LDAP should not really be a problem, but there needs to be a system where these home dirs are created and set up properly locally. wlus will deal with that only on the server on which it runs.

2. A central LDAP server that sends replicas of the entire base to remote servers. This leads to less traffic, a central server handling all user management and no changes to the wlus frontend. There could be scaling problems with the central server handling a large number of users, perhaps. Also, the parts that should be unique will be shared. E.g. the Samba SID would be transferred from the central server to the slaves. Again local home dir creation would have to be handled.

3. A distributed, more fine-grained system, where the nodes in the LDAP tree are split up and changed to reflect the different schools. Then the different branches can be replicated to the different schools, and the unique parts. The problem with this solution is that the wlus frontend is not able to handle this as it stands now. But perhaps the module could be cloned and deal with different parts of the tree by changing the suffix?

I have set the replication up; technically it works well. A new certificate had to be made at the slave and a cn made to handle the replication traffic, that was about all. But I have not tested if this actually works in a live setting. Any comments appreciated.
I may have totally misunderstood this and would like to understand where I went wrong in that case :)

-- 
Ragnar Wisløff
--------------
life is a reach. then you gybe.

