TLS suggestions for the developers and the masses
- To: OpenLDAP Software <openldap-software@OpenLDAP.org>
- Subject: TLS suggestions for the developers and the masses
- From: John Beamon <firstname.lastname@example.org>
- Date: Thu, 19 Jun 2003 16:08:43 -0500
- Organization: Franklin American Mortgage
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312
I posted my conclusion and solution to the ubiquitous TLS replication
issue on May 14, 2003. This same set of questions has come up no less
than three times since then, three times that I've actually kept in my
folder and not deleted outright. It raises for me at least a pair of
ideas, which I would most humbly suggest.

First, the archive of this mailing list is online as a searchable
reference. The single issues that I solved by input from this list are
a) "tls=critical" under replicas and b) a slapd.replog separate from the
default slurpd.replog. Both of these fixed inextricable problems for
me. Given that someone asks about TLS about every other week, it bears
mention that these answers *are* archived in the list online and people
are not looking for them.

Second, these issues are not handled adequately in the product
documentation. I say that with great respect and discretion, because
this is a huge job being done very well by far too few people, and I am
grateful for them and the work they do. If these solutions were found
in the common literature, however, they would not come up every other
week on the mailing list.

That slapd and slurpd would compete for a log and cause an IO-bound
performance hit on my server is not mentioned ANYWHERE, even in AEleen
Frisch's excellent series of LDAP articles in linuxjournal. I now have
slapd writing to a specified slapd.replog and slurpd doing some
scribbling on a default slurpd.replog, and the box just hums. I cut the
system load by 60% with that one.

That my replicas would not encrypt traffic between them until I
specified "tls=critical" was something I stumbled upon after much pain.
I ran slapd -d3 in the foreground and manipulated the database all day
long before I finally found that critical worked. I can't explain it,
and it's not documented anywhere obvious.

I'm not in any position to point fingers or blame or naïveté at anyone
who reads this. These are merely suggestions, perhaps suitable for a
FAQ that goes out as a welcome email for new subscribers. (A FAQ such
as this would have answered the very reason I joined the list in the
first place!) They're definitely worth adding to the documentation, I
believe. I hope this helps the cause.
Franklin American Mortgage
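The two slapd.conf settings the post credits with fixing its replication problems, shown together as an added example that is not part of the original message or of the OpenLDAP documentation. The suffix, hostname, paths and bind credentials are placeholders, and the comment on how slurpd keeps its own working copy of the log reflects my understanding of slurpd's temp-directory behaviour rather than anything the post states.

```conf
# slapd.conf excerpt (constructed example; all names and paths are placeholders)

database        bdb
suffix          "dc=example,dc=com"

# 1. Give slapd its own replication log. slurpd works from a separate copy
#    (its slurpd.replog under the directory given by -t), so the two daemons
#    are not contending for one file, which is the IO-bound hit the post
#    describes. (Assumption about slurpd's copy; the directive itself is standard.)
replogfile      /var/lib/ldap/slapd.replog

# 2. Require TLS on the push to each replica. With tls=critical the session
#    to the replica is not used unless TLS is established, so updates are
#    never sent in the clear. The post reports that without "critical" the
#    replica traffic stayed unencrypted.
replica         host=replica1.example.com:389
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple
                credentials=REPLACE_WITH_SECRET
                tls=critical
```

Confirming the result the same way the post did, by running slapd with `-d3` in the foreground and watching the replica connection, is a sound check that the session really is protected before trusting the setting.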