Friday 11 February 2005, 09:54, Bjorn Ove Grotan wrote:
> Ragnar Wisløff:
> > LDAP has considerable flexibility when it comes to replication and
> > distribution of data. In a setting where a Debian Edu central LDAP
> > database is to be utilised by several schools there are a few issues I
> > would like to understand more about. Hopefully some of you have more
> > experience than I and want to share.
> >
> > I see several solutions.
> >
> > 1.
> > The fact that home directories in particular are found in LDAP should not
> > really be a problem, but there needs to be a system where these home
> > dirs are created and set up properly locally. wlus will deal with that
> > only on the server on which it runs.
>
> There's a PAM module for this type of feature: pam-mkhomedir. When the
> user logs in for the first time, you can run a specified script to do all
> things of magic, like set up the homedir, generate files like .bash_profile
> etc.
That is a good idea :)

> >
> > 2.
> > A central LDAP server that sends replicas of the entire base to remote
> > servers. This leads to less traffic, a central server handling all user
> > management and no changes to the wlus frontend. There could be scaling
> > problems with the central server handling a large number of users,
> > perhaps. Also, the parts that should be unique will be shared. E.g. the
> > Samba SID would be transferred from the central server to the slaves.
> > Again local home dir creation would have to be handled.
>
> Similar setups are being used with Active Directory in schools today. I
> know of a setup with AD where at least 3 schools are interconnected
> using a fibre-optic network between the schools. This is a cost issue in
> many cases. I advised them to invest in a proper network setup between the
> schools using fibre rather than radio (2Mbit). LDAP is not designed for
> heavy writes, and as long as you don't sit and add 100s of users all
> day - network traffic caused by replication shouldn't be a big issue.

That was the idea. I don't think the OpenLDAP traffic will be much higher
than AD.

> >
> > 3.
> > A distributed, more fine-grained system, where the nodes in the LDAP tree
> > are split up and changed to reflect the different schools. Then the
> > different branches can be replicated to the different schools, and the
> > unique parts.
>
> As of OpenLDAP 2.2.x, the alternative replication engine Syncrepl supports
> both partial and sparse replications. I'd like to see OpenLDAP 2.2.x
> hitting the Debian archives any day - but I know there have been some issues
> with applying the gnutls patches.

It is perhaps a heavy tool, but from what I could read there can be several
slurpds that handle different replication instances.

> > The problem with this solution is that the wlus frontend is not able to
> > handle this as it stands now. But perhaps the module could be cloned and
> > deal with different parts of the tree by changing the suffix?
>
> Or (if I dare suggest it) - use a different LDAP administration tool,
> for setups with this need.

Dare all you want :)

-- 
Ragnar Wisløff
--------------
life is a reach. then you gybe.
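For the first-login home directory creation discussed under point 1, here is a pam_mkhomedir configuration added as an example; it is not from the thread and not Debian Edu's shipped file. It assumes a Debian-style /etc/pam.d/common-session, that NSS and PAM are already pointed at the LDAP directory (so the user's home directory path comes from the LDAP entry), and the usual /etc/skel skeleton. Note that the module itself only creates the directory and copies the skeleton; anything beyond that needs a separate hook.

```conf
# /etc/pam.d/common-session  (added example, not Debian Edu's own file)
#
# Weak: without umask= the module uses 0022, so every new home directory
# comes out 0755 and any pupil on the server can read any other pupil's
# files (including whatever lands in .bash_history).
#session required pam_mkhomedir.so skel=/etc/skel

# Hardened: 0077 gives a 0700 home directory owned by the user, still
# populated from /etc/skel (.bash_profile, .bashrc, ...).
session required pam_mkhomedir.so skel=/etc/skel umask=0077
```

Because the PAM stack runs on the host the user logs into, this does exactly what the thread asks for: each school server creates the directory locally on first login, regardless of which LDAP server the account was created on. If home directories live on an NFS server, the directory has to be created on that server instead (for example by running the same PAM stack on the file server, or by a root-squash-aware job there).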
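Point 3 (per-school branches replicated to per-school servers) maps onto OpenLDAP's syncrepl with a restricted searchbase. The slapd.conf fragments below are an added example, not the thread's or Debian Edu's configuration, and use the syncrepl/syncprov syntax as documented in slapd.conf(5) for OpenLDAP 2.3 and later; the 2.2.x series the thread is waiting for had an earlier form of these directives, so compare with the manual of the version actually installed. The suffix dc=skole,dc=skolelinux,dc=no, the hostname ldap.skole.skolelinux.no, the ou=school-a branch and the cn=repl-school-a replicator DN are all assumptions for illustration.

```conf
### Central server (provider)  -- added example, assumed names throughout
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
# syncrepl consumers search on these operational attributes constantly
index           entryCSN  eq
index           entryUUID eq
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Least privilege: the school-a replicator may read only school-a's branch.
# Everything else falls through ("break") to the normal access rules.
access to dn.subtree="ou=school-a,dc=skole,dc=skolelinux,dc=no"
        by dn.exact="cn=repl-school-a,ou=replicators,dc=skole,dc=skolelinux,dc=no" read
        by * none break

### School server (consumer) -- pulls only its own branch
database        bdb
suffix          "dc=skole,dc=skolelinux,dc=no"
index           entryCSN  eq
index           entryUUID eq
syncrepl rid=001
        provider=ldap://ldap.skole.skolelinux.no
        starttls=critical
        type=refreshAndPersist
        retry="60 10 300 +"
        # searchbase is what makes this a partial replica: other schools'
        # users never reach this host.
        searchbase="ou=school-a,dc=skole,dc=skolelinux,dc=no"
        scope=sub
        filter="(objectClass=*)"
        # '*' = all user attributes, '+' = operational attributes (entryCSN and
        # entryUUID are needed for sync itself). filter=/attrs= are the knobs
        # for leaving out data that should stay on the central server.
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=repl-school-a,ou=replicators,dc=skole,dc=skolelinux,dc=no"
        credentials="replace-with-the-replicator-password"
# Writes (wlus, password changes) are referred back to the central server.
updateref       ldap://ldap.skole.skolelinux.no
```

Two things a practitioner should check before relying on this. First, the consumer binds with a simple password, so starttls=critical (or an ldaps:// provider URL) is what keeps that password and the replicated userPassword hashes off the wire in the clear; the provider needs a TLS certificate configured for it to succeed. Second, one replicator DN per school, each limited by an access directive to its own subtree, means a compromised school server yields only that school's entries rather than the whole directory, which is the part of "the unique parts stay unique" that the searchbase alone does not enforce.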

