[Fedora-directory-users] LDAP Load Tools
Marc Sauton
msauton at redhat.com
Thu Jun 19 14:21:04 UTC 2008
Michael Brown wrote:
> Sanga M. Collins wrote:
>> I think the deployment guide suggests you use pointers instead of
>> loading large pieces of data into the directory
>>
>> Sanga M. Collins Network Engineering
>> ~~~~~~~~~~~~~~~~~~~~~~~
>> IT Management LLC
>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>> Michael Ströder
>> Sent: Thursday, June 19, 2008 3:48 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>>
>> Michael Brown wrote:
>>
>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>> moving to sp6 soon, or RHDS 8) with large attribute requirements
>>> (some attributes 25-30 Mbytes)
>>>
>>
>> Never saw a deployment where you store several MB into attributes.
>> I'm really curious whether that works? I know you can store this
>> amount of data but whether it really works for many entries.
>>
>> Ciao, Michael.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> As an FYI... The issue in the environment in which I'm working is not
> a data at rest issue for the large attributes, but rather a
> replication and writing issue.
>
> This is a US Government customer who has deployed a large PKI and LDAP
> infrastructure based upon the Red Hat CA and DS products, and they
> have several CAs with large certificate revocation lists approaching
> several tens of Mbytes each (the customer has issued tens of millions
> of certs from all the CAs deployed, and has revoked > 20% of these
> prior to expiration at any one time for various reasons, thus the
> large CRLs). These CRLs are published to Red Hat DS instances in the
> certificateRevocationList;binary attribute in the entry for each CA
> and replicated to consumer DS instances and customers who require the
> CRLs. OCSP is also used, but CRLs are still required for many
> applications.
>
> This is a reasonably mature architecture as far as PKI and LDAP are
> concerned, first deployed in 1999 or thereabouts (think Netscape
> days), but the large CRL growth has been problematic both in
> generation and in publishing/replication at times. The publishing and
> replication tuning is what I'm trying to address with additional lab
> testing.
>
> The Red Hat CA and DS solutions have shown themselves to be scalable
> and secure in this environment, with proper care and tuning.
>
> Michael
>
I sometimes use rpm's or tar files to represent large attributes.
M.
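
Added example, not part of the original thread and not Red Hat's tooling: one way to build the kind of lab test input discussed above, an LDIF modify record that puts a multi-megabyte binary value into certificateRevocationList;binary with base64 encoding and line folding. The DN, the file name and the use of random bytes as the payload are assumptions; it also assumes the lab server accepts arbitrary bytes in that attribute.

```python
import base64
import os

# Conventional fold width (assumption; RFC 2849 allows folding a line by
# inserting a line separator followed by one space).
LDIF_WIDTH = 76


def fold(line, width=LDIF_WIDTH):
    """Fold one logical LDIF line; continuation lines start with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def crl_modify_record(dn, payload, attr="certificateRevocationList;binary"):
    """Build an LDIF modify/replace record carrying payload base64-encoded."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [
        "dn: " + dn,
        "changetype: modify",
        "replace: " + attr,
        fold(attr + ":: " + b64),  # '::' marks a base64-encoded value
        "-",
        "",
    ]
    return "\n".join(lines)


def unfold_value(record, attr="certificateRevocationList;binary"):
    """Undo the folding and decode the value, to verify the round trip."""
    unfolded = record.replace("\n ", "")
    for line in unfolded.split("\n"):
        if line.startswith(attr + ":: "):
            return base64.b64decode(line[len(attr) + 3:])
    raise ValueError("attribute not found")


if __name__ == "__main__":
    # Constructed payload: 25 MB of random bytes standing in for a large CRL.
    blob = os.urandom(25 * 1024 * 1024)
    # Hypothetical DN and output file name for a lab instance.
    with open("large-crl.ldif", "w") as f:
        f.write(crl_modify_record("cn=Test CA,o=example", blob))
```

The resulting file can be applied to a lab supplier with ldapmodify -f while watching how long the write and the replication to consumers take.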