Mathieu Baudier via FreeIPA-users wrote:
> Hello,
>
> we are using IPA as the backbone of a middle-sized infrastructure whose
> purpose is to host multi-tenant (Java) applications. These applications use
> 389-ds instances to manage the authentication and authorisation. The 389-ds
> instances are deployed on hosts which are IPA clients but are not IPA servers.
>
> Since we monitor closely the IPA servers and their 389-ds instances, I was
> wondering whether it could be efficient to also host the applicative 389-ds
> LDAP trees on the same hosts as the IPA servers. These instances are small
> (hundreds of applicative users maximum) and use only the standard LDAP
> schemas, consistently with IPA (which was taken as the reference when
> developing the user-management model of these applications).
>
> I can see three approaches:
>
> 1) Separate 389-ds instances on distinct ports. In that case, only the
> software is shared.
>
> 2) Separate 389-ds backends in the IPA instances, with their own replication
> agreements.
>
> 3) Separate LDAP subtrees within the IPA backends. In that case, IPA
> replication agreements are leveraged.
>
> Intuitively, I would favour 2), then 1), then 3).
>
> Did I miss something in this analysis?
> Is it reasonable/advisable to reuse the IPA servers for such purposes?
> Does anyone have experience with such a setup?
>
> Thanks in advance for any comment!
I'm not going to make a specific recommendation but I can provide some general guidance.

We don't test additional backends. I guess it could work but it wouldn't surprise me if we had some baked-in assumptions. We did in the past so maybe we fixed all the bugs.

We don't recommend more than 4 replication agreements per server (backend really). It requires additional CPU, disk, etc. for 389-ds to track the changes. I imagine that additional backends might impact performance but the 389-ds team might be able to say for sure.

We generally discourage running additional services on an IPA server to avoid complications. I think multiple 389-ds instances should work ok, we used to run two ourselves, but this brings additional memory use, I/O, etc. You might need to size up your server to handle the load, depending on what it is.

Storing additional data within the IPA LDAP server can work, other users have done it successfully. We make no guarantees that some future feature might want to use the same DN structure but our DIT is architected in a pretty obvious way so it shouldn't be hard to find a place to put custom data.

IPA backs up by backend so it should be handled by ipa-backup and ipa-restore. No guarantees of course. We don't test it.

rob

_______________________________________________
FreeIPA-users mailing list
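The reply's "no more than 4 replication agreements per backend" guidance is easy to check against a live directory, because 389-ds stores each agreement as an `nsds5replicationagreement` entry under `cn=mapping tree,cn=config` whose `nsDS5ReplicaRoot` names the replicated suffix. The following is an added example, not code from the thread or from the FreeIPA project: it parses the LDIF that an `ldapsearch` over that subtree returns and flags any backend over the limit. The LDIF below is constructed sample data (hostnames and suffixes are invented), and the `_agreement` helper only exists to build it.

```python
from collections import defaultdict

MAX_AGREEMENTS = 4  # per-backend ceiling suggested in the reply above


def parse_ldif(text):
    """Yield one {attr: [values]} dict per blank-line-separated LDIF entry."""
    entry, last = {}, None
    for line in text.splitlines():
        if not line:                      # entry separator
            if entry:
                yield entry
            entry, last = {}, None
        elif line.startswith(" ") and last:  # LDIF line continuation
            entry[last][-1] += line[1:]
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    if entry:
        yield entry


def agreements_per_backend(ldif_text):
    """Map each replicated suffix (nsDS5ReplicaRoot) to its agreement count."""
    counts = defaultdict(int)
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" in classes:
            for root in entry.get("nsds5replicaroot", []):
                counts[root.lower()] += 1
    return dict(counts)


def overloaded_backends(ldif_text, limit=MAX_AGREEMENTS):
    """Suffixes whose agreement count exceeds the limit, sorted."""
    return sorted(r for r, n in agreements_per_backend(ldif_text).items() if n > limit)


def _agreement(name, root, host):
    # Constructed sample entry shaped like a 389-ds agreement; the suffix RDN
    # uses the escaped form 389-ds itself uses (dc\3Dexample\2Cdc\3Dcom).
    suffix = root.replace("=", "\\3D").replace(",", "\\2C")
    return (f"dn: cn={name},cn=replica,cn={suffix},cn=mapping tree,cn=config\n"
            "objectClass: nsds5replicationagreement\n"
            f"nsDS5ReplicaRoot: {root}\nnsDS5ReplicaHost: {host}\n\n")


# Constructed sample: an IPA suffix with 2 agreements, an application
# backend with 5 (one more than the guidance allows).
SAMPLE_LDIF = "".join(
    [_agreement(f"meTo-ipa{i}", "dc=example,dc=com", f"ipa{i}.example.com") for i in (2, 3)]
    + [_agreement(f"app-to-node{i}", "dc=app,dc=example,dc=com", f"node{i}.example.com")
       for i in range(1, 6)])

if __name__ == "__main__":
    for root, n in sorted(agreements_per_backend(SAMPLE_LDIF).items()):
        print(f"{root}: {n} agreement(s)")
    print("over limit:", overloaded_backends(SAMPLE_LDIF))
```

Against a real server, feed it the output of `ldapsearch -LLL -b "cn=mapping tree,cn=config" "(objectClass=nsds5replicationagreement)" objectClass nsDS5ReplicaRoot` run as a bind DN allowed to read `cn=config`.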
