On Mar 29, 2010, at 2:06 PM, Hugh Brown wrote:

> Hi everyone -- I'm looking for a sanity check on an attitude/mode of
> thinking I've picked up.
>
> I'm early in my career, and my experience has been exclusively at
> small shops. I've worked with NIS and LDAP on/for Unix, and I was
> quickly convinced that One Bag o' Passwords(tm) is the way to go. So
> far, so good. But I've also seen what happens when the OBOP server
> goes away, even *with* failover and/or caching, and that's made me
> leery of depending on it so much. (Example: I've been bitten by
> mismatches in MTU settings that have left LDAP clients hanging and
> unable to realize that they should fail over to a backup server.)
>
> At my current job, I use LDAP. I've got a room full of servers, most
> of which are LDAP clients; there are two LDAP servers in that room,
> and one more off-site. This is *much* better than my previous two
> jobs, where the backup servers were either on different netblocks,
> entirely offsite or simply non-existent.
>
> But even with that redundancy, I've got into the habit of setting up
> really important servers so that they're *not* LDAP clients. My
> reason is that if the LDAP server goes away, I do not want processes
> to hang, or to be unable to log in.
>
> The tradeoff is that I ensure my account shows up using other means
> (cfengine, automated installation or by hand if I'm in a hurry); since
> I'm the only sysadmin, and that's not likely to change any time soon,
> I figure this is reasonable. I've done this with firewalls, my backup
> server, monitoring servers (Nagios, Cacti, etc) and the VM host.
>
> So...what do you think? *Is* this reasonable? Is it stupid, or is
> this one of those "It depends" questions? Is it just a question of
> tweaking caching/failover settings? What do you do, and how big is
> the environment where you do it?
I've worked at a lot of places with centralized authentication systems -- LDAP, NIS, NIS+, NetInfo, Windows Domains, Active Directory -- and I've been satisfied to varying degrees with their use. At my current shop, however, we've had problems running LDAP (OpenLDAP on Red Hat); not frequent, but very disruptive and troublesome to fix when they occur. In fact, we aborted a project to extend LDAP to our production systems, going with local files distributed via cfengine (200-300 hosts), and are planning on doing the same in our development environment, which is where we currently run LDAP. You have to do some minor contortions to manage passwords and to have different lists of accounts on different systems, but otherwise it's a lot simpler than LDAP and has been more reliable so far.

So yes, I think it's reasonable. :)

--------------------------------------------------------------------
Leon Towns-von Stauber http://www.occam.com/leonvs/
"We have not come to save you, but you will not die in vain!"

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
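Both posts come down to the same operational property: a critical host must still let the admin in when the directory is unreachable. The script below is an added example, written for this thread and not code from either poster or from their cfengine setups. It audits that property on a host: the break-glass account exists in the local passwd/shadow files with a login shell and a usable (not locked) hash, and nsswitch.conf consults `files` before `ldap` for the account databases, so a hung LDAP lookup cannot sit in front of the local entry. The sample passwd, shadow and nsswitch files and the account names are constructed for the demo; on a real host point the functions at /etc/passwd, /etc/shadow and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example for the thread above (not from either poster): check that a
# host keeps a working local login when the LDAP server goes away.

# local_account_ok PASSWD_FILE SHADOW_FILE USER
#   Returns 0 when USER has a passwd entry with a real login shell and a
#   shadow entry whose hash is neither empty nor locked ("!"/"*").
local_account_ok() {
    passwd_file=$1; shadow_file=$2; user=$3
    pw_line=$(grep "^${user}:" "$passwd_file") || return 1
    shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false|"") return 1 ;;
    esac
    hash=$(grep "^${user}:" "$shadow_file" | cut -d: -f2)
    case "$hash" in
        ""|'!'*|'*'*) return 1 ;;   # empty, locked or disabled password
    esac
    return 0
}

# nss_files_first NSSWITCH_FILE DB
#   Returns 0 when the DB line (passwd, group or shadow) lists "files"
#   before any "ldap" source, or lists no ldap source at all.
nss_files_first() {
    nss_file=$1; db=$2
    sources=$(grep "^${db}:" "$nss_file" | cut -d: -f2-)
    [ -n "$sources" ] || return 1
    files_pos=0; ldap_pos=0; i=0
    for src in $sources; do
        i=$((i + 1))
        case "$src" in
            files) if [ "$files_pos" -eq 0 ]; then files_pos=$i; fi ;;
            ldap)  if [ "$ldap_pos" -eq 0 ]; then ldap_pos=$i; fi ;;
        esac
    done
    [ "$files_pos" -gt 0 ] || return 1
    [ "$ldap_pos" -eq 0 ] || [ "$files_pos" -lt "$ldap_pos" ]
}

# --- constructed sample files so the script runs stand-alone -------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hugh:x:1000:1000:Hugh Brown:/home/hugh:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/sbin/nologin
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$constructed$placeholderhash:18000:0:99999:7:::
hugh:$6$constructed$placeholderhash:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
EOF
cat > "$tmp/nsswitch.good" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     files ldap
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:     ldap files
group:      ldap files
shadow:     ldap files
EOF

# report PASSWD_FILE SHADOW_FILE NSSWITCH_FILE USER
#   Prints one PASS/FAIL line per check and returns 0 only if all pass.
report() {
    rc=0
    if local_account_ok "$1" "$2" "$4"; then echo "PASS local account $4 usable"
    else echo "FAIL local account $4 missing or locked"; rc=1; fi
    for db in passwd group shadow; do
        if nss_files_first "$3" "$db"; then echo "PASS $db: files before ldap"
        else echo "FAIL $db: ldap consulted before files"; rc=1; fi
    done
    return $rc
}

echo "== host with local break-glass account and files-first NSS =="
report "$tmp/passwd" "$tmp/shadow" "$tmp/nsswitch.good" hugh
echo "== host whose NSS order would hang logins on LDAP =="
report "$tmp/passwd" "$tmp/shadow" "$tmp/nsswitch.bad" hugh || true
```

Run it as-is to see both a passing and a failing host; for a real audit, call `report /etc/passwd /etc/shadow /etc/nsswitch.conf youradmin` as root (shadow is not world-readable). The NSS ordering check covers the "processes hang" half of the problem only partially: a lookup for an account that is not in the local files still goes to LDAP, so the timeouts on the client side (`bind_timelimit` and `bind_policy soft` in nss_ldap's ldap.conf, or sssd's cache on newer systems) still matter for everything else on the box.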
