OpenLDAP to replace Oracle Internet Directory
- To: firstname.lastname@example.org
- Subject: OpenLDAP to replace Oracle Internet Directory
- From: Matheus Morais <email@example.com>
- Date: Fri, 25 Jun 2010 19:25:17 -0300
I would like to share with this list my experience implementing OpenLDAP at a financial company, which is my current employer, and which uses Oracle Internet Directory as its LDAP service. This is my third year at the company, and in my early days I was responsible for doing the 'dirty work' to keep OID (I will use the acronym from now on because the name of the software is too long to keep writing :) working when the senior analysts were too busy with other projects to fix, or request a fix for, OID problems.
One day those senior analysts left the company and I was blessed as the 'LDAP guy' by the managers. From that day I started to think about it on my own, and being a free software enthusiast, plus my previous small experience with LDAP infrastructure, turned my ideas toward an obvious project: OpenLDAP. I will talk more about OpenLDAP later.
They have an interesting LDAP tree which has some design problems, but in general it is useful and supports the company's business processes. From an infrastructure perspective it is painful, and the main reason is the replication technique, which is absolutely inefficient in almost every aspect, from performance to scalability. OID by itself is also a great problem: it doesn't respect the RFCs, has tons of stupid bugs that take an eternity to get resolved, has a relational database as its 'backend', and the installation process is even worse. The replication is based on the OID changelog at the database level, and small applications called agents, written in Java, are responsible for taking those changes from the database and replicating the modifications across the slaves. So for each slave we have a Java agent querying the Master and some thousand additional rows in the OID database. I don't know much about why they decided to write their own replication tool instead of using the one from OID, but the old guys told me that Oracle's replication software (DIP) didn't work well and was a very bad piece of software, just like OID BTW.
With that architecture we basically started to suffer from the following problems:
1 - Performance with the Master
2 - Slave scalability
3 - Information integrity
The performance problem with the Master was generated by the replication agents, which consume database resources to perform the replication. This first problem also generates the second, because we couldn't increase the number of slaves due to the performance problems. OID bugs were also generating an incredible number of inconsistencies in the tree.
From that point I started a small project whose first objective was to avoid the performance problems with the Master. The project was based on adopting OpenLDAP as a replacement for the OID slaves: an OpenLDAP Master would be created with two more OpenLDAP slaves, using delta-syncrepl for replication. With OpenLDAP slaves we could shut down some replication agents and also the OID slaves, giving the Master database more 'air' to breathe.
The first OpenLDAP tests showed unbelievable performance: 23560 entries returned from a search in exactly 4 seconds on average. The same search operation against OID returned in 30 seconds on average. The machine configuration is almost the same; the only difference is that the OID infrastructure requires two machines, one for oidldapd and another for the Oracle DB, and we also need DBA support BTW.
We made a presentation to the managers showing the quality of OpenLDAP, the overlay concept and how we could use that to improve service reliability and availability. We showed them all of our performance comparisons and asked them to support us in that 'migration' project.
Two weeks ago we replaced the first OID infrastructure with OpenLDAP 2.4.22, and everyone here is enjoying how fast the system response is and how stable delta-syncrepl is. I have estimated, with the current numbers, that we will be able to replace 4 OID infrastructures with just 1 OpenLDAP infrastructure, and that is really pleasant. The entire migration is planned to happen next November.
I want to thank everyone responsible for keeping the OpenLDAP project at that high level of quality, and I am really proud that that kind of quality has been produced by a free software project (free as in freedom).
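For readers who want to see what the master-plus-two-slaves delta-syncrepl layout described in the mail looks like in configuration, here is an added example of a provider and a consumer slapd.conf(5) fragment for OpenLDAP 2.4. It is not configuration from the original message or from the poster's site: the suffix dc=example,dc=com, the host ldapmaster.example.com, the replicator DN and password, the directory paths and the CA file are all placeholders, and it assumes slapd was built with the syncprov and accesslog overlays (loaded as modules here) and the hdb backend that was current in the 2.4.22 era.

```conf
########################################################################
# Provider (Master): slapd.conf fragment for delta-syncrepl
# Added example; every name, path and secret below is a placeholder.
########################################################################
moduleload      syncprov.la     # only needed if overlays are built as modules
moduleload      accesslog.la

# Primary database
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/openldap/data
# syncprov needs equality indexes on entryCSN and entryUUID
index           objectClass     eq
index           entryCSN        eq
index           entryUUID       eq

# The replication account gets read-only access and no search limits;
# everything else falls through (break) to the site's normal ACLs.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * break
limits dn.exact="cn=replicator,dc=example,dc=com"
        time.soft=unlimited time.hard=unlimited
        size.soft=unlimited size.hard=unlimited

overlay         syncprov
syncprov-checkpoint 1000 60

# Record successful write operations into the accesslog database;
# consumers replay this changelog instead of refetching whole entries.
overlay         accesslog
logdb           cn=accesslog
logops          writes
logsuccess      TRUE
# purge log entries older than 7 days, scanning once a day
logpurge        07+00:00 01+00:00

# Accesslog (changelog) database
database        hdb
suffix          cn=accesslog
directory       /var/lib/openldap/accesslog
rootdn          cn=accesslog
index           default eq
index           entryCSN,objectClass,reqEnd,reqResult,reqStart
limits dn.exact="cn=replicator,dc=example,dc=com"
        time.soft=unlimited time.hard=unlimited
        size.soft=unlimited size.hard=unlimited

overlay         syncprov
syncprov-nopresent  TRUE
syncprov-reloadhint TRUE

########################################################################
# Consumer (Slave): slapd.conf fragment, one copy per replica
########################################################################
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/openldap/data
index           objectClass     eq
index           entryUUID       eq

# rid must be unique per consumer (e.g. rid=002 on the second slave)
syncrepl        rid=001
        provider=ldap://ldapmaster.example.com:389
        starttls=critical
        tls_cacert=/etc/openldap/certs/ca.pem
        tls_reqcert=demand
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=replicator-secret
        searchbase="dc=example,dc=com"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
        syncdata=accesslog

# Writes sent to a slave are referred back to the master
updateref       ldap://ldapmaster.example.com
```

Three things worth checking before putting a setup like this in front of a business: the consumer's slapd.conf holds the replicator password in clear text, so it must be readable only by the slapd user; starttls=critical with tls_reqcert=demand makes the consumer refuse to replicate at all rather than fall back to cleartext, which is what you want for a directory of employee data; and the logpurge age on the provider bounds how long a slave may be offline, because a consumer whose state is older than the retained changelog falls back to a full refresh of the main database instead of replaying deltas.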