[Fwd: Re: [K12OSN] silly ldap questions]

Quentin Hartman qhartman at lane.k12.or.us
Tue Mar 28 18:25:14 UTC 2006


-------- Forwarded Message --------
From: Quentin Hartman <qhartman at lane.k12.or.us>
Reply-To: qhartman at lane.k12.or.us
To: Peter Hartmann <ascensiontech at gmail.com>
Subject: Re: [K12OSN] silly ldap questions
Date: Tue, 28 Mar 2006 10:24:06 -0800

On Tue, 2006-03-28 at 12:49 -0500, Peter Hartmann wrote:
> Hey Quentin,
> Thanks for writing.
> 
> > You certainly can, and this is probably the easiest way to set things up.
> > I like to have multiple DNS names point at the same machine, one for each
> > service. That way, I can separate those services out on to other machines
> > if I need to without reconfiguring everything.
> 
> That's a great idea. Just out of curiosity, what would, or could,
> you farm out if you needed to?

For instance, I am planning on putting LDAP on a dedicated machine this
summer. We are putting up more and more services that authenticate to
our LDAP directory, so I fear that it is going to become too much of a
drag on the machine it is on now. So, I set up a base server (I plan on
using Ubuntu) and then load up and configure ldap. Replicate the
directory over, update DNS to point to the new server, and I'm done.
Nothing else has to change.

You can do this with any service. Do you only have one DNS server, but
want to easily support up to three for failover? Configure your clients
to use NS0, NS1, and NS2, but make NS1 and NS2 aliases to NS0. In
reality they all point to the same machine, but once you get your
additional DNS servers up, just change the DNS config, and you're done.

You can do this with just about anything. I have follett.slane.k12.or.us
for our library system, irm.* for our inventory / trouble ticket system,
ntp.* for time service, mysql.* for DB, and several others all pointing
to a single machine which is also called maple.* . By doing it this way,
migrating those services to other machines is dead simple. If I had used
the "real" server name (maple.* in this case) rather than the service
name, it would be more difficult to split out if I only wanted to move
one service.

> 
> 
> > It sounds like you have everything
> > (ltsp, samba, ldap, dhcp, etc.)
> 
> Well, right now all those, with the exception of ldap (since we're
> still with linux auth), are on the same server. I didn't explain
> well enough. Can one have just ldap and not a smb fileserver on a
> dedicated machine? That's where the mounting would come in, back to the
> ltsp, file, dhcp server. Why? File servers aren't cheap and I wouldn't
> be messing with the ltsp server other than telling it how to
> authenticate, right?


You can have LDAP on a dedicated machine, no problem. If you just put
LDAP on a dedicated machine, you only need to tell the LTSP server to
authenticate to it. Everything else stays the same.

> (it's working and that's how I like it :) ) I
> could easily revert to linux auth if things went south right? I
> hope that's making more sense.

As long as you keep your smb.conf sections that are for linux auth, it's
easy. In my setup, I actually kept those portions in my config
(commented out, of course) for quite some time. I wanted to make sure I
had an easy fall back if LDAP didn't work out. I just built two blocks
in the config, one for ldap and one for linux, then (un)commented as
needed to switch back and forth.

I noticed that someone suggested using the smbldap-installer script.
That's probably a good start, though after I used it on some test
equipment I ended up doing the setup by hand. My config is much larger
and more complex than that script is designed to handle, but it was good
for learning if nothing else.
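The service-alias layout described in the message above, written out as a BIND-style zone fragment. This is an added example, not a zone file from the list post or from Quentin's site: the domain (example.org), the host name and the addresses are constructed, and the service names mirror the ones mentioned in the message.

```zone
; Added example (constructed): one physical server, many service names.
; Clients are configured with the service names only, never with "maple",
; so moving a service later means changing one record here.
$ORIGIN example.org.
$TTL 3600

; The machine's own name. Only admins need to know this one.
maple       IN  A      192.0.2.10

; Service names are aliases of the machine. Each client, script and
; config file refers to the service name it needs.
ldap        IN  CNAME  maple
follett     IN  CNAME  maple
irm         IN  CNAME  maple
ntp         IN  CNAME  maple
mysql       IN  CNAME  maple

; Name-server names. Resolvers are given IP addresses (via DHCP or
; resolv.conf), and the target of an NS record must be a host with an
; address record, not a CNAME (RFC 2181). So ns0/ns1/ns2 are plain A
; records that all point at the same box until the extra servers exist.
@           IN  NS     ns0
ns0         IN  A      192.0.2.10
ns1         IN  A      192.0.2.10
ns2         IN  A      192.0.2.10

; After LDAP moves to its own server (constructed address 192.0.2.20),
; the CNAME line for "ldap" above is replaced by this one line and
; nothing else on the network has to change:
;ldap       IN  A      192.0.2.20
```

Two things to check before relying on this: lower the TTL on the record you plan to move a day or so ahead of the cutover so cached answers expire quickly, and make sure the server's TLS certificate (for LDAPS or StartTLS) is issued for the service name `ldap.example.org` and not just for `maple`, otherwise clients that verify certificates will reject the connection after they are pointed at the alias.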

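The "two blocks, (un)comment as needed" layout from the message above, as an added example of a Samba `smb.conf` `[global]` excerpt. This is not Quentin's actual configuration: the workgroup, domain suffixes and admin DN are constructed, and the directory is reached through the `ldap.example.org` service alias rather than the machine name, in keeping with the DNS advice earlier in the message.

```ini
# Added example (constructed): smb.conf [global] with an active LDAP
# passdb block and a commented-out local (tdbsam) block kept as the
# fallback. Switching back is a matter of moving the '#' characters.
[global]
    workgroup = SCHOOL
    security = user

    # --- Block 1: LDAP authentication (active) ---
    # Point at the service alias, not the host name, so the directory can
    # move to another machine without touching this file.
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=admin,dc=example,dc=org
    # Protect the bind and the password hashes in transit.
    ldap ssl = start tls

    # --- Block 2: local authentication (fallback, commented out) ---
    # To revert: comment out block 1 and uncomment the line below.
    #passdb backend = tdbsam
```

The password for `ldap admin dn` is not kept in `smb.conf`; it is stored in Samba's `secrets.tdb` with `smbpasswd -w`, so the config file can be world-readable without exposing the bind credential. After each switch, run `testparm` to confirm the file still parses and that exactly one `passdb backend` line is active.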