[Fedora-directory-users] LDAP Load Tools

Marc Sauton msauton at redhat.com
Thu Jun 19 14:21:04 UTC 2008


Michael Brown wrote:
> Sanga M. Collins wrote:
>> I think the deployment guide suggests you use pointers instead of 
>> loading large pieces of data into the directory
>>
>> Sanga M. Collins Network Engineering
>> ~~~~~~~~~~~~~~~~~~~~~~~
>> IT Management LLC
>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com 
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
>> Michael Ströder
>> Sent: Thursday, June 19, 2008 3:48 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>>
>> Michael Brown wrote:
>>  
>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully 
>>> moving to sp6 soon, or RHDS 8) with large attribute requirements 
>>> (some attributes 25-30 Mbytes)
>>>     
>>
>> Never saw a deployment where you store several MB into attributes. 
>> I'm really curious whether that works? I know you can store this 
>> amount of data but whether it really works for many entries.
>>
>> Ciao, Michael.
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> As an FYI... The issue in the environment in which I'm working is not 
> a data at rest issue for the large attributes, but rather a 
> replication and writing issue.
>
> This is a US Government customer who has deployed a large PKI and LDAP 
> infrastructure based upon the Red Hat CA and DS products, and they 
> have several CA's with large certificate revocation lists approaching 
> several tens of Mbytes each (the customer has issued tens of millions 
> of certs from all the CAs deployed, and has revoked > 20% of these 
> prior to expiration at any one time for various reasons, thus the 
> large CRLs).  These CRLs are published to Red Hat DS instances in the 
> certificateRevocationList;binary attribute in the entry for each CA 
> and replicated to consumer DS instances and customers who require the 
> CRLs.  OCSP is also used, but CRLs are still required for many 
> applications.
>
> This is a reasonably mature architecture as far as PKI and LDAP are 
> concerned, first deployed in 1999 or thereabouts (think Netscape 
> days), but the large CRL growth has been problematic both in 
> generation and in publishing/replication at times.  The publishing and 
> replication tuning is what I'm trying to address with additional lab 
> testing.
>
> The Red Hat CA and DS solutions have shown themselves to be scalable 
> and secure in this environment, with proper care and tuning.
>
> Michael
>
I sometimes use rpm's or tar files to represent large attributes.
M.
