[Freeipa-users] scalability
Rob Crittenden
rcritten at redhat.com
Tue Nov 4 21:28:49 UTC 2008

David Robinson wrote:
> Hi all,
>
> Fedora Directory Server supports up to 4-way multi-master replication,
> and afaict freeIPA only uses multi-master replication. Does freeIPA
> therefore only support 4 freeIPA servers per realm? Is it possible to
> set up freeIPA to use a combination of multi-master and single-master
> replication to increase scalability (where updates are forwarded back
> to a master)? If so, how can this be configured (I assume it's not as
> simple as just setting up the replication agreements)?

Not yet. FDS supports read-only replicas but we don't have support for
setting this up yet. It is on our list of things to do. The topology can
get really ugly if we aren't careful, and we're trying to be careful.

From what I understand, FDS can handle more than 4-way MMR; it just isn't
tested at all past 4, so you'll be going into uncharted territory if you
try :-)

> The use-case I'm thinking of is where one has multiple datacentres
> (say 5). Ideally you would have two centralized masters (for
> redundancy) and two freeIPA servers per datacentre (one as a backup,
> but I can't think of a reason they couldn't be active/active). Am I
> correct in thinking that 4-way multi-master replication is overkill if
> LDAP is only being used for authentication? Would it really matter if
> you couldn't change your password from each datacentre?!

Well, when we handle read-only replicas we'll enable the chain-on-update
plugin which will forward write requests to a writable master, so
administration would be possible anywhere.

LDAP is used for a lot more than authentication. Right now it is just
used for user/group info and as the KDC backend. In the future it will
do a lot more.

rob