[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS suggestions for the developers and the masses

I posted my conclusion and solution to the ubiquitous TLS replication issue on May 14, 2003. This same set of questions has come up no less than three times since then, three times that I've actually kept in my folder and not deleted outright. It raises for me at least a pair of ideas, which I would most humbly suggest.

First, the archive of this mailing list is online as a searchable reference. The single issues that I solved by input from this list are a) "tls=critical" under replicas and b) a slapd.replog separate from the default slurpd.replog. Both of these fixed inextricable problems for me. Given that someone asks about TLS about every other week, it bears mention that these answers *are* archived in the list online and people are not looking for them.

Second, these issues are not handled adequately in the product documentation. I say that with great respect and discretion, because this is a huge job being done very well by far too few people, and I am grateful for them and the work they do. If these solutions were found in the common literature, however, they would not come up every other week on the mailing list.

That slapd and slurpd would compete for a log and cause an IO-bound performance hit on my server is not mentioned ANYWHERE, even in AEleen Frisch's excellent series of LDAP articles in linuxjournal. I now have slapd writing to a specified slapd.replog and slurpd doing some scribbling on a default slurpd.replog, and the box just hums. I cut the system load by 60% with that one.

That my replicas would not encrypt traffic between them until I specified "tls=critical" was something I stumbled upon after much pain. I ran slapd -d3 in the foreground and manipulated the database all day long before I finally found that critical worked. I can't explain it, and it's not documented anywhere obvious.

I'm not in any position to point fingers or blame or naivte at anyone who reads this. These are merely suggestions, perhaps suitable for a FAQ that goes out as a welcome email for new subscribers. (A FAQ such as this would have answered the very reason I joined the list in the first place!) They're definitely worth adding to the documentation, I believe. I hope this helps the cause.


John Beamon
Systems Administrator
Franklin American Mortgage
eml: jbeamon@franklinamerican.com
web: www.franklinamerican.com