Re: OpenLDAP 2.2 and db4 under RHEL4 on Xen 3.0

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Sunday, March 19, 2006 12:41 PM -0700 Michael Torrie 
<torriem@chem.byu.edu> wrote:

> On Sat, 2006-03-18 at 23:43 -0800, Quanah Gibson-Mount wrote:
> > I'm assuming by a "dbm" backend, you mean ldbm.  Of course, ldbm is not
> > recommended for use, because of its many problems.  Honestly, if you are
> > looking to run a directory service, I would highly advise you dump Xen,
> > and  use something where BDB is supported (and I'd suggest running
> > OpenLDAP  2.3.20 (or higher, if newer releases have been made by the
> > time you get to  it)).
>
> Unfortunately 2.3.20 is not an option.  This xen server (which is not in
> production at this moment) syncs (or will sync) using slurpd off of our
> production servers which are all 2.2, and cannot be changed until the
> next hardware/OS upgrade cycle.  I will be getting the syncrep stuff
> going soon which I understand will can allow two different versions of
> OpenLDAP to sync.  Even at that point, when this xen machine goes into
> production we have to, as much as possible, stick with maintainable RPM
> packages that are vendor supported.  I've maintained servers using
> source tarballs before.  It's not fun.
>
> I am sure the distro makers (IE RedHat) will fix this problem soon as
> they support Xen more and more.  Xen is here to stay.  It's not going
> away.  Rather than dumping xen our long-term plan is to migrate all of
> our servers to Xen virtual machines over the next five years.  We'll be
> using a cluster of identical machines that are all tied into a fiber-
> channel storage backbone.  This will allow near 100% uptime even with
> equipment failure as we can transparently migrate xen vms from host to
> host on the fly, allowing physical maintenance.  Since each vm is tied
> directly to a scsi LUN coming over fiber channel, even the file server
> can run in a virtual machine without significant performance loss.
>
> So while the problems with xen are not the concern of the OpenLDAP
> developers really, expect to hear more and more from your users about
> xen and running OpenLDAP on xen.  I had just hoped someone with more
> experience could tell me to just rebuild the bdb stuff with some
> configure option.  I'll be talking to the bdb folks about this.

Michael,

As Howard noted, an alternative vendor solution is CDS from Symas 
Corporation.  That software installs into its own path (/opt/symas), so it 
doesn't conflict with the ldap libraries shipped by RedHat.  I would 
strongly recommend against using the RedHat for a number of reasons:

(1) They historically do a very bad job of packaging OpenLDAP.  This 
pattern continues with their current packaged version
(2) They have no incentive to "do" OpenLDAP well, since it competes with 
their Fedora DS
(3) They do not update their distributed version, nor patch it for the many 
known bugs fixed in later releases.

If what you are looking for is a reliable, robust directory service, then 
using RedHat's packaged version is the wrong thing to do.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html