
setting up "redundant" ldap service



Hi all!

Although my questions are in some aspects similar to the ones in the thread "Multi Master Enviornment for Openldap 2.3", please allow me to start my own, as my situation is slightly different.

first, what i have:
* two servers, running SLES 10 (in a testing environment)
* one is configured as master (i think it should be called the provider): ldapserv2
* the second should act as slave (consumer): ldapserv1
* both serve as database for freeradius, dhcpd and bind9, which are working great together!
* keeping data consistent is done by syncrepl, which also works great!


now the questions:
1) how to handle write requests sent by clients to the slave (ldapserv1)?
i tried to set up slapo-chain but obviously failed, since clients which can not handle referrals fail to write data (they get the error: LDAP_REFERRAL) if they send it to the slave ldapserv1, or am i misunderstanding the concept?
my slapd.conf on the slave looks like this (relevant part only):
--- slapd.conf
### database definitions etc.
[skipped]


#### chain overlay definition
overlay chain
chain-rebind-as-user    FALSE
chain-uri       "ldaps://ldapserv2.biochem.mpg.de"
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=manager,o=test"
                        credentials="secret"
                        mode="self"

syncrepl rid=2
        provider=ldaps://ldapserv2.biochem.mpg.de
        type=refreshAndPersist
        retry=1,5,5,6,30,+
        interval=00:00:01:00
        searchbase="o=test"
        filter="(objectclass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        binddn="cn=manager,o=test"
        bindmethod=simple
        credentials="secret"
        sizelimit=unlimited

### update referral
updateref ldaps://ldapserv2.biochem.mpg.de
---- end of slapd.conf

as said, syncrepl works perfectly, but write requests (via a PHP web interface) to ldapserv1 are not forwarded (as i would expect/want) to ldapserv2.
what am i doing wrong here?


2) what to do if ldapserv2 (master) is unreachable? is it possible just to "switch" ldapserv1 to be a master (commenting out the syncrepl section, chain and updateref and restarting openldap), or is there a better method?

3) a "conceptual" question: for production use i think a two-server setup may not be reliable enough (as we plan to do all authentication via ldap, both users and devices on switches). what would be the "optimal" setup? i thought of something like one master, which is not addressed by clients directly, and two slaves which chain write requests to the master and answer read requests themselves; clients only contact the two slaves. is this a reasonable setup, or what would be a preferable installation?

4) what about the (in another thread) mentioned mirrormode? would this serve my needs better, or is the above scenario "good enough"? but mirrormode is only available in openldap 2.4?

thanks in advance for any hints and comments!

with best regards
   markus


--
Markus Krause
email: krause@biochem.mpg.de
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99
Fax.: 089 - 89 40 85 98

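The following consumer slapd.conf is an added example for question 1; it is not from the original post or from any reply in the thread. It shows the layout slapo-chain(5) documents for OpenLDAP 2.3, where the chain overlay is a global (frontend) overlay and therefore has to appear before the first `database` directive, which is the one structural difference from the configuration quoted above (there the overlay sits after the database definitions). Hostnames and DNs are taken from the post; `secret`, the schema/pid/args paths, the backend type and the `rootpw` value are placeholders. Whether this placement is actually what was missing in the poster's setup is an assumption.

```conf
# Added example: OpenLDAP 2.3 consumer (ldapserv1) that chains writes to the
# provider (ldapserv2). Not the configuration from the original post.
# Assumptions: paths, "secret" and the backend are placeholders.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

#### global chain overlay: MUST precede every "database" section, otherwise
#### the referral produced by "updateref" is handed to the client unchanged
#### (that is the LDAP_REFERRAL the PHP client sees).
overlay                 chain
chain-uri               "ldaps://ldapserv2.biochem.mpg.de"
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=manager,o=test"
                        credentials="secret"
                        mode="self"
chain-rebind-as-user    TRUE
# Hand the provider's real result code back to the client instead of the
# referral, so clients that cannot chase referrals get success/failure.
chain-return-error      TRUE

database        bdb
suffix          "o=test"
rootdn          "cn=manager,o=test"
# placeholder: generate with slappasswd, never store a cleartext rootpw
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap

syncrepl rid=2
        provider=ldaps://ldapserv2.biochem.mpg.de
        type=refreshAndPersist
        # "<seconds> <count>" pairs; "+" = retry forever on the last pair.
        # "interval=" is only used by refreshOnly and is omitted here.
        retry="60 10 300 +"
        searchbase="o=test"
        filter="(objectclass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=simple
        binddn="cn=manager,o=test"
        credentials="secret"

### writes reaching this consumer are answered with this referral; the
### global chain overlay above intercepts it and forwards the operation.
updateref       ldaps://ldapserv2.biochem.mpg.de
```

Two caveats a practitioner should check before copying this. First, `mode="self"` makes the consumer bind to the provider as `cn=manager,o=test` and then assert the original client's identity via proxy authorization; if that bind DN is not the provider's rootdn, the provider must explicitly allow it with `authz-policy to` and an `authzTo` attribute on the binding entry (see slapd.conf(5)), or the chained write fails with an authorization error rather than a referral. Second, both the syncrepl and the chain stanzas carry the manager password in cleartext inside slapd.conf, so the file must be readable only by the slapd user, and a dedicated replication/proxy identity with `authzTo` limited to the needed subtree is preferable to reusing the rootdn. `chain-return-error` is listed in slapo-chain(5) for recent 2.3 releases; confirm your build's man page includes it before relying on it.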