Hi everyone -- I'm looking for a sanity check on an attitude/mode of thinking I've picked up.
I'm early in my career, and my experience has been exclusively at small shops. I've worked with NIS and LDAP on/for Unix, and I was quickly convinced that One Bag o' Passwords(tm) is the way to go. So far, so good. But I've also seen what happens when the OBOP server goes away, even *with* failover and/or caching, and that's made me leery of depending on it so much. (Example: I've been bitten by mismatches in MTU settings that have left LDAP clients hanging and unable to realize that they should fail over to a backup server.)

At my current job, I use LDAP. I've got a room full of servers, most of which are LDAP clients; there are two LDAP servers in that room, and one more off-site. This is *much* better than my previous two jobs, where the backup servers were either on different netblocks, entirely offsite or simply non-existent.

But even with that redundancy, I've got into the habit of setting up really important servers so that they're *not* LDAP clients. My reason is that if the LDAP server goes away, I do not want processes to hang, or to be unable to log in. The tradeoff is that I ensure my account shows up using other means (cfengine, automated installation or by hand if I'm in a hurry); since I'm the only sysadmin, and that's not likely to change any time soon, I figure this is reasonable. I've done this with firewalls, my backup server, monitoring servers (Nagios, Cacti, etc) and the VM host.

So...what do you think? *Is* this reasonable? Is it stupid, or is this one of those "It depends" questions? Is it just a question of tweaking caching/failover settings? What do you do, and how big is the environment where you do it?

Thanks,
Hugh

--
Hugh Brown
http://saintaardvarkthecarpeted.com
Because the plural of Anecdote is Myth.
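A configuration check in the spirit of the approach described above, as an added example that is not part of the original post: it reports whether a host resolves accounts through LDAP, whether its client will block indefinitely on an unreachable server, and whether the admin still has a local account. It assumes the PADL nss_ldap/pam_ldap client and its `bind_policy` directive; the sample file contents and the `hugh` account name are constructed.

```python
# Added example, not from Hugh's post: audit a host's name-service config for
# the failure he describes (an unreachable LDAP server hanging lookups/logins).
# Assumes the PADL nss_ldap/pam_ldap client, whose ldap.conf 'bind_policy'
# defaults to 'hard' (retry the bind indefinitely); other clients differ.

def _strip(line):
    """Drop comments and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()

def nss_uses_ldap(nsswitch_text):
    """Return the nsswitch.conf databases (passwd, group, ...) that consult ldap."""
    dbs = []
    for line in map(_strip, nsswitch_text.splitlines()):
        if ":" in line:
            db, sources = line.split(":", 1)
            if "ldap" in sources.split():
                dbs.append(db.strip())
    return dbs

def bind_policy(ldap_conf_text):
    """Return the effective bind_policy from ldap.conf ('hard' when unset)."""
    for line in map(_strip, ldap_conf_text.splitlines()):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bind_policy":
            return parts[1].lower()
    return "hard"

def local_account_exists(passwd_text, user):
    """True if /etc/passwd has an entry for user, independent of LDAP."""
    return any(l.split(":", 1)[0] == user for l in passwd_text.splitlines() if l.strip())

def audit_host(nsswitch_text, ldap_conf_text, passwd_text, admin_user):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    dbs = nss_uses_ldap(nsswitch_text)
    if not dbs:
        return findings  # not an LDAP client: Hugh's choice for critical hosts
    if bind_policy(ldap_conf_text) == "hard":
        findings.append("bind_policy hard: %s lookups block while the server is unreachable" % ", ".join(dbs))
    if not local_account_exists(passwd_text, admin_user):
        findings.append("no local passwd entry for %s: admin login depends on LDAP" % admin_user)
    return findings

# Constructed sample files for an LDAP client left at client-library defaults.
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup:  files ldap\nhosts:  files dns\n"
SAMPLE_LDAP_CONF = "uri ldap://ldap1.example.com\nbase dc=example,dc=com\n# bind_policy soft\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nnagios:x:101:101::/var/lib/nagios:/bin/false\n"
if __name__ == "__main__":
    for finding in audit_host(SAMPLE_NSSWITCH, SAMPLE_LDAP_CONF, SAMPLE_PASSWD, "hugh"):
        print("WARN:", finding)
```

Run against the constructed samples it flags both the hard bind policy and the missing local account; a host whose nsswitch.conf lists only `files` produces no findings.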
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
