The basic implementation is the same as you would do it elsewhere, but some
things we've found:

1) It's a good idea to replicate the commonly used portions of the tree on
local (inside the VM box) LDAP server(s). Cuts down a lot on network
traffic, improves availability, and lets you selectively index things you
may not need to index elsewhere. See item 7 below.

2) Index as many of the LDAP properties as you can, and store the indexes on
VDISKs for speed. It's worth waiting a few extra seconds during IPL to
regenerate the indexes in the local LDAP servers (we've observed several
cases of 300-400% speed increases).

3) Use a separate GLAN for authentication traffic. It doesn't cost you
anything in hardware, and there's no reason to mix auth traffic up with
everything else.

4) If you can, use LDAP as a locator service for another authentication
protocol. LDAP isn't designed to be an authentication protocol, it's a
directory protocol. The combination of LDAP and Kerberos is much faster and
more robust (as well as being more scalable and less likely to get you into
turf battles with the Microsoft weenies).

5) Consider using stunnel or ssh port redirection to wrap LDAP traffic,
even internally. This may not always be necessary, but it allows later
bridging of the authentication GLAN to external LAN segments w/o worrying
about exposing the traffic. If you have a crypto engine, this would be a
good time to turn it on.

6) Keep the LDAP replicas' RAM small and depend on faster I/O performance to
VDISK rather than memory caching for data.

7) Consider using a number of small LDAP servers as the actual data storage
engines and having the primary LDAP instance act only as a referrer (e.g., all
the searches start at the primary, but immediately get tossed over to a
secondary server that handles the appropriate subset of the whole tree). It
sounds counterintuitive, but the memory and CPU footprint is generally
smaller, and you have additional capabilities to tune the division of the
database and spread out the load, possibly even to external LDAP servers if
necessary. This also positions you better for incorporating grid services
based on MDS (which is essentially LDAP at the core) at a later time.

-- db

David Boyes
Sine Nomine Associates

> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] Behalf Of
> Eric Sammons
> Sent: Wednesday, November 05, 2003 11:30 AM
> To: [EMAIL PROTECTED]
> Subject: zLinux authentication to an LDAP
>
>
> Has anyone come across a good document or HOWTO for LDAP and zLinux?
>
> I would like to create an authentication scheme for my Linux guests where
> they would authenticate to an LDAP.  While I have experience doing this, I
> would like to see something like a best practices or suggestions for
> implementation in a Z/VM environment.
>
> Thanks!
> Eric Sammons
> (804)697-3925
> FRIT - Infrastructure Engineering
>
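
One way to set up the stunnel wrapping described in item 5 above, added here as an example and not part of the original message: a server-side stunnel that accepts TLS only on the authentication GLAN address and hands plaintext to slapd on loopback, and a client-side stunnel on each Linux guest that terminates the tunnel locally so nss_ldap/pam_ldap keep talking to 127.0.0.1:389. The hostname, addresses and certificate paths are constructed placeholders.

```ini
; ---- /etc/stunnel/ldap-server.conf on the LDAP replica (constructed) ----
; stunnel 4.x syntax; global options first, then one [service] section.
client = no
; drop privileges once the listening socket is bound
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel-ldap-server.pid
; server certificate and private key (paths are placeholders)
cert = /etc/stunnel/ldap-server.pem
key = /etc/stunnel/ldap-server.key
; CA that issued the guest client certificates
CAfile = /etc/stunnel/auth-ca.pem
; verify = 2 requires every connecting guest to present a certificate
; signed by that CA, so only enrolled guests can reach the replica at all
verify = 2

[ldaps]
; bind only on the replica's authentication-GLAN address (constructed),
; never on the general-purpose interface
accept = 10.20.0.10:636
; slapd itself listens on loopback only, so plaintext LDAP never leaves the box
connect = 127.0.0.1:389

; ---- /etc/stunnel/ldap-client.conf on each Linux guest (constructed) ----
client = yes
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel-ldap-client.pid
; guest certificate presented to the replica (mutual authentication)
cert = /etc/stunnel/guest.pem
key = /etc/stunnel/guest.key
; CA that issued the replica's server certificate
CAfile = /etc/stunnel/auth-ca.pem
; without verify = 2 stunnel would encrypt to *any* peer, including an
; impostor on the GLAN; this makes it check the replica's certificate chain
verify = 2

[ldap]
; local clients (nss_ldap, pam_ldap) point at ldap://127.0.0.1:389
accept = 127.0.0.1:389
; replica reached over the authentication GLAN (hostname is constructed)
connect = ldap-replica.auth.internal:636
```

With this in place, /etc/ldap.conf on the guest keeps `host 127.0.0.1` and `port 389`, and a packet capture on the GLAN should show only TLS on port 636.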
