LDAP newb question?

Kevin Fries kevin at hcico.com
Thu Feb 3 05:07:00 UTC 2005



Tim Alberts wrote:

| Not really a question for a fedora user list, but this is the only
| list I enjoy...
|
|
| First, can I use a single LDAP server to maintain two different
| address books (internal contacts / external contacts) and use it as
| an authentication system for two (or more) Linux machines? I'm
| trying to learn how to setup LDAP and I see all these tutorials for
| these tasks separately, but nothing that really says I can do it
| all at once with one server.
|
|
| Second, if the computer running the LDAP server fails in some
| manner is the database easily copied/mirrored to another server
| that can take over?  Is it as easy as copy the config and data
| directory to the second machine and turn on the server?  Or does
| LDAP have a built in structure for maintaining information among a
| primary/backup server?

You ask a lot of questions, all of which are very simple.

First, Address book vs Authentication -
This is not really two address books, but two uses of the address
book.  After all, don't I want all my login or email users to also
appear in the address book?  Of course I do.  On regular address book
entries you will include objectClass entries for inetOrgPerson which
gives me fields such as mail.  But only email users also have an
objectClass of qmailUser and posixAccount in addition to the
inetOrgPerson.  Therefore, all entries have the ability to appear in
the address book, but I need to add more information to also give them
access to anything.

Second Failover
Yes, you can add two LDAP server addresses in the /etc/ldap.conf
file.  If OL can not communicate with the first server, it will try to
contact the second.  So it is important to keep the servers in sync
with one another.

Third Sync
There are two types of sync with OL.  The first is called a replica.
In this situation, you always make changes to the primary server, and
whenever data gets saved, the master server records the changes in a
log.  A program called slurpd propagates those changes to all
configured replicas.

The other type of replication is called syncrepl.  In this case, the
replica contacts the master on a regular basis.  The changes are not
as immediate, but you also do not need to keep a port open on the
replica for the master to communicate on.  This has fantastic security
possibilities, but will only work with the OL that comes in FC3, and
is not quite fully baked.  So it has issues.

Ideally, the idea would be to use syncrepl to cause server 2, server 3,
... , server N to keep their LDAP databases in sync with a primary
source.  Then have each server use its local cache to authenticate,
with rollover to the primary source.  This way even if your LDAP
server stops working for any reason, your services have the ability to
still get their accounts from another source.

HTH
Kevin Fries
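The distinction Kevin draws above (everyone with inetOrgPerson shows up in the address book, but only entries that also carry posixAccount can log in) can be audited directly from an LDIF export. The following is an added example, not code from the thread or from OpenLDAP: a minimal LDIF parser plus a classifier that separates address-book-only entries from login-capable ones and, going one step beyond the message, flags login-capable entries that lack the attributes the standard posixAccount schema requires (cn, uid, uidNumber, gidNumber, homeDirectory). The sample entries, DNs and the `example.com` suffix are constructed for the example.

```python
"""Classify directory entries by the objectClasses they carry.

Added example (not from the original thread): parse a small LDIF export,
report which entries are plain address-book contacts and which can also
authenticate, and audit the latter for required posixAccount attributes.
"""

# Attributes the posixAccount objectClass requires (RFC 2307 schema).
POSIX_REQUIRED = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}

# Constructed sample LDIF: one login account, one contact-only entry, and
# one entry that claims posixAccount but is missing required attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Alice Example
sn: Example
uid: alice
mail: alice@example.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Contact
sn: Contact
uid: bob
mail: bob@partner.example

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Carol Broken
sn: Broken
uid: carol
mail: carol@example.com
uidNumber: 10002
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line continuations) into a
    list of dicts mapping attribute name -> list of values. Entries are
    separated by blank lines; '#' lines are comments."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def classify(entries):
    """Return (address_book_dns, login_dns, problems).

    Every inetOrgPerson entry belongs in the address book; only entries that
    also carry posixAccount are login candidates. Candidates missing a
    required attribute are reported in `problems` (dn -> sorted missing
    attribute names) instead of being counted as logins. Attribute and
    objectClass names are compared case-insensitively, as LDAP does."""
    address_book, logins, problems = [], [], {}
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        classes = {c.lower() for c in entry.get("objectClass", [])}
        present = {k.lower() for k in entry}
        if "inetorgperson" in classes:
            address_book.append(dn)
        if "posixaccount" in classes:
            missing = sorted(a for a in POSIX_REQUIRED if a.lower() not in present)
            if missing:
                problems[dn] = missing
            else:
                logins.append(dn)
    return address_book, logins, problems


if __name__ == "__main__":
    book, logins, problems = classify(parse_ldif(SAMPLE_LDIF))
    print("address book:", book)
    print("can log in:  ", logins)
    for dn, missing in problems.items():
        print("incomplete posixAccount %s: missing %s" % (dn, ", ".join(missing)))
```

Run it against `slapcat` output (after stripping base64-encoded values or extending the parser) to see at a glance which contacts have been granted login attributes; an entry that is in the address book but not in the login list is exactly the "contact only" case the message describes.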