
Re: OpenLDAP and failover

There is a nice "half-ass" solution that has proved useful for me. If your
main, critical use of OpenLDAP is for nss_ldap and pam_ldap, you can get
away without a complete failover solution. Just have your master replicate
to a slave and set
  URI ldap://master.example.com ldap://slave.example.com
in the config files for these libraries. If they cannot contact the
master, they will use the slave. Your users won't be able to change
passwords or shells, or read your company LDAP directory in their
browsers, but they will still be able to log on and work.

For a complete failover solution, you don't use replication at all. You
have two identical machines (A and B) which share storage (an external,
dual-ended, SCSI RAID array) and communicate via a heartbeat. When A
fails, B takes over A's IP address, mounts the storage, and starts up
slapd. This can be implemented with open source software. I have tested
many of the components of this (heartbeats, IP takeover, RAID arrays), but
never actually implemented it in production. I have never been able to
justify the additional hardware costs (not just the second machine, but
the really pricey external, dual-ended, SCSI RAID array). If you are
interested in implementing this and need a consultant, I would be very
interested in working with you! :-)
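The client-side behaviour the post relies on, as an added illustration that is not code from the poster or from nss_ldap/pam_ldap: the library reads the space-separated `URI` list and uses the first server that answers, so when the master is down it quietly falls back to the read-only slave. The config text, hostnames and the injectable `probe` argument below are constructed so the logic can be exercised offline; `tcp_probe` is the real check used when no probe is supplied.

```python
"""Client-side LDAP server selection as nss_ldap/pam_ldap do it with a
space-separated URI list.  Added example, not code from the original post.
Hostnames are constructed placeholders; `probe` is an injectable
connectivity check so the failover logic can be run without a network."""
import socket
from urllib.parse import urlsplit

# Constructed sample of the relevant lines from /etc/ldap.conf.
SAMPLE_LDAP_CONF = """\
base dc=example,dc=com
URI ldap://master.example.com ldap://slave.example.com
ssl no
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_uri_list(conf_text):
    """Return the LDAP URIs from the first 'URI' line, in configured order."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "uri":
            return parts[1:]
    return []


def host_port(uri):
    """Split an ldap:// or ldaps:// URI into (host, port), applying defaults."""
    u = urlsplit(uri)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("unsupported LDAP URI: %s" % uri)
    return u.hostname, u.port or DEFAULT_PORTS[u.scheme]


def tcp_probe(uri, timeout=2.0):
    """Real connectivity check: can a TCP connection be opened to the server?"""
    host, port = host_port(uri)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_server(uris, probe=tcp_probe):
    """Try the servers in configured order and return (uri, is_primary) for
    the first one that answers.  is_primary is False when we fell back to a
    later entry (the slave).  That flag is worth logging: the replica is
    read-only, so logins keep working but password or shell changes will
    fail until the master is back."""
    for index, uri in enumerate(uris):
        if probe(uri):
            return uri, index == 0
    raise RuntimeError("no LDAP server reachable: %s" % ", ".join(uris))


if __name__ == "__main__":
    servers = parse_uri_list(SAMPLE_LDAP_CONF)
    # Simulate the master being down: only the slave answers the probe.
    chosen, primary = select_server(servers, probe=lambda u: "slave" in u)
    print("using %s (primary=%s)" % (chosen, primary))
```

Because the fallback is silent from the user's point of view, a monitoring check that calls something like `select_server` and alerts whenever `is_primary` is False gives early warning that the master is down before anyone notices that password changes stopped working.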