[Date Prev][Date Next] [Chronological] [Thread] [Top]

Replication Design Advice

Hello OpenLDAP users,

Iâm looking for some advice concerning an OpenLDAP solution Iâm about to deploy between 4 locations in company I work for.

Currently Iâve implemented a LDAP DIT in my country and weâve had exquisite results. Iâve integrated RADIUS for wireless authentication, MIT Kerberos, Samba PDC, dovecot and the list can continue but thatâs not the scope of this message.

We have some global services located in one of the countries that all other 3 countries use ( trac, svn, web2project, alfresco ).

We want that each country to have itâs own LDAP DIT ( we donât want to have a global LDAP with slaves in each country because some of us want locally significant objects ( for authorization purposes ) and having a slave LDAP means read-only ). Thatâs why I thought of using multi-n-master on each of the four LDAP servers.

The ideea I had was that each country will have only a portion of the DIT being sent to the others ( we narrow the searchbase in syncrepl ):

Country 1 sends ou=COUNTRY-1,dc=example,dc=com
Country 2 sends ou=COUNTRY-2,dc=example,dc=com
Country 3 sends ou=COUNTRY-3,dc=example,dc=com
Country 4 sends ou=COUNTRY-4,dc=example,dc=com

In each ou=COUNTRY-{1..4} they will have ou=People and ou=Groups.

Basically thatâs the only thing I want to be consistent across all LDAP DITs.

Iâve tested the solution using some virtual machines and besides the starttls and some things each administrator will have to be cautious about things went smoothly.

I've also read something about slapo-translucent - will now test to see how it works.

Can I get some suggestions / maybe a whole new architecture for my needs in case I didnât foresee problems ?


Internal Support
CCNA Security, CCIP
StreamWIDE Romania