Nicolas Williams wrote:
> On Wed, Dec 23, 2009 at 11:25:01AM -0800, Ben Rockwood wrote:
>   
>> I'm very interested in finding someone who has experience deploying
>> LDAP in multiple sites for operating system IDM and how they handle
>> the home directory problem.  I want to federate LDAP across multiple
>> global sites, but I'm nervous about a user logging into a system in
>> Europe who has a home directory in the Bay Area and the latency
>> associated.  I suppose an option is to have separate homedirs in each
>> site, but that adds an additional step when
>> provisioning/deprovisioning users which isn't good.
>>
>> Is there anyone that can shed some light on the topic?  There seems to
>> be very little information on doing AAA (LDAP, Kerberos, BSM, etc)
>> deployments for OS authentication on a large scale.
>>     
>
> I'm not entirely sure what you mean by federate.  I think you mean that
> you have a single namespace of users/groups but want to override some
> things locally, such as home directory locations.
>
> Assuming I understood correctly, you have some choices:
>
>  - Set up distinct directories, one per site, and keep them in synch via
>    tools that you write and which provide for the override functionality
>    that you want.
>
>    This is clearly painful.
>
>  - Use the automounter and/or NFSv4 referrals (recently added to
>    OpenSolaris in /dev) and/or symlinks to add a level of indirection?
>
>    I.e., make the override something that doesn't live in the directory,
>    but in local NFS servers.
>
>    For example, you could have users' homedirs be /home/<user> and then
>    use auto_home to map that to a local homedir path in every site.  Add
>    in symlinks and/or NFSv4 referrals pointing to the user's true or
>    local home, and you have a decent solution.
>   


Maybe I should step back slightly.  I'm particularly interested in
best-practice with regard to multi-site identity, auth, and
accounting.  When I consider creating a configuration it's fairly
straightforward to have a single replicated directory (LDAP) which has
a local presence in each site across the globe; but each user is going
to need a home directory for login.

Now, I can use several methods to override or redirect, such as you
point out.  But what is the best practice way to handle this size
deployment?  Home directories are one such problem, but there are plenty
of others.


This really starts to become an issue as you look toward IDM in cloud
deployments, where some of your servers are here and some there, perhaps
on different continents.  I feel like I'm inventing an architecture for
the first time, but others have done this many times before.


benr.
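As an added illustration of the auto_home indirection Nicolas describes (not part of the original thread), here is what the per-site automounter maps could look like in Solaris-style autofs syntax, which Linux autofs also accepts; the hostnames, usernames and export paths are constructed examples. The directory holds a single homeDirectory value (/home/<user>) for every user, while each site's clients carry their own auto_home map, so the override lives on the client and its local NFS server rather than in LDAP.

```conf
# /etc/auto_master (identical on every client at every site)
# Mount /home through the auto_home map; -nobrowse stops an
# "ls /home" from triggering a lookup of every key in the map.
/home   auto_home   -nobrowse

# /etc/auto_home on clients in the Europe site (constructed example)
# Explicit keys are matched before the wildcard, so a user whose true
# home is served from the Bay Area can be pointed back at it while
# everyone else gets the site-local server.
alice   nfs-sfo.example.com:/export/home/alice

# The wildcard key matches any remaining username; '&' expands to that
# username, so a directory entry of homeDirectory: /home/bob mounts
# nfs-eu.example.com:/export/home/bob at /home/bob.
*       nfs-eu.example.com:/export/home/&

# /etc/auto_home on clients in the Bay Area site (constructed example)
# Same LDAP entries, same /home/<user> paths, different local server;
# alice needs no explicit line here because the wildcard already
# resolves to her true home.
*       nfs-sfo.example.com:/export/home/&
```

Provisioning a user then means creating one LDAP entry plus an export on the server that owns the home; no per-site directory change is needed, which is the extra step the original question wanted to avoid.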
