On 27/05/11 12:06 -0700, Matthias Birkner wrote:
>At $ork we have been "granted the opportunity" to consolidate our 20-odd,
>globally dispersed, NIS domains into a central LDAP database. If anyone has
>success stories, war stories, or good references they'd be willing to share, I'd
>appreciate any pointers I can get.
>
>Our environment is mostly linux (RedHat) with some Solaris thrown in. The LDAP
>structure we'll be folding into already exists so we do have some restrictions
>we have to keep in mind; the biggest two being "referrals must be supported by
>the client" and "anonymous access is not allowed". Not sure what other
>information would be helpful at this point so I'll close here and answer other
>questions as they come up.
>
>Thanks,
>Matt
You might want to take a look at 389 Directory Server or Red Hat Directory Server if you want a supported version. Both of these support multi-master replication for HA/DR and scale massively.

There is also the FreeIPA project, which is very cool for supporting Linux/Unix environments. It essentially integrates Kerberos and PKI solutions with 389 DS, giving you multi-master support for Kerberos and LDAP.

If you are looking to maintain a smaller LDAP implementation, OpenLDAP might be the easier way to go.

In any case, watch out for old versions of nss_ldap; they don't handle network interruptions or LDAP server failover very well. If at all possible, use SSSD on your newer clients (RHEL6, etc.), as that removes much of the pain of nss_ldap and reduces the load on your LDAP servers. If you are not using SSSD, make sure you enable NSCD on clients.

Cheers,
Brian
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
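Added example (not part of the thread above, and not Brian's or the SSSD project's own file): an `/etc/sssd/sssd.conf` showing how the two constraints Matt listed (referrals must be chased by the client, no anonymous binds) and Brian's advice (SSSD instead of nss_ldap, fewer queries hitting the servers) map onto real SSSD options. The hostnames, base DN, service-account DN, CA certificate path and the placeholder password are assumptions chosen for illustration; every option name is from the sssd.conf(5)/sssd-ldap(5) manual pages.

```ini
# /etc/sssd/sssd.conf -- constructed example, not taken from the original thread.
# Hostnames, base DN, bind DN and CA path are placeholders (assumptions).
# SSSD refuses to start unless this file is root-owned with mode 0600,
# because it holds the bind credential below.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[nss]
# SSSD keeps its own on-disk/in-memory cache for passwd and group lookups,
# so nscd caching of those maps should be turned off when SSSD is in use.
filter_users = root
filter_groups = root

[domain/corp]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307

# Several replicas: SSSD tries them in order and backs off from a dead
# server instead of hanging, which is the failover behaviour old nss_ldap lacked.
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
ldap_search_base = dc=example,dc=com

# The directory forbids anonymous access: bind with a read-only service account
# whose ACLs on the directory grant nothing beyond the attributes NSS needs.
ldap_default_bind_dn = cn=nss-reader,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <service-account-password>

# Never send that credential, or user passwords during PAM authentication,
# in the clear; require STARTTLS and a verified server certificate.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem

# The existing tree hands out referrals, so keep referral chasing enabled
# (SSSD only chases referrals when built against the OpenLDAP client libraries).
ldap_referrals = true

# Do not pull the whole directory down on every client; per-lookup caching
# is what makes the servers see far fewer queries than with nss_ldap.
enumerate = false
cache_credentials = true
entry_cache_timeout = 5400
```

`sss_obfuscate` can replace the plaintext `ldap_default_authtok` with an obfuscated form (`ldap_default_authtok_type = obfuscated_password`), but that is obfuscation, not protection: the real controls are the 0600 file mode and a service account that can read only what `getent passwd`/`getent group` require. After starting `sssd`, check with `getent passwd <some-ldap-user>` on the client, and confirm with `ldapsearch -ZZ -x -D <bind dn> -W -b <base>` against each replica that STARTTLS and the bind both succeed, since a missing CA file silently becomes "no users found" rather than an obvious error. Clients too old for SSSD get nss_ldap plus nscd, as Brian says.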
