LDAP how is Failover done?

Alejandro Imass aimass-EzYyMjUkBrFWk0Htik3J/w at public.gmane.org
Tue Aug 16 16:38:48 UTC 2011


On Tue, Aug 9, 2011 at 12:26 PM, Christopher Browne <cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

>> [..]
>>
>>> A characteristic case would be where an organization wants integrated
>>> control over a number of systems that feed off of LDAP, and has
>>> several locations, each of which is sufficiently "trusted" to be
>>> considered an authority..
>>
>>
>> Yes indeed a good case for MM. But in your opinion isn't it better to
>> delegate control and distribute the different parts of the DIT where
>> required instead of replicating the whole DIT to the remote sites? I
>> _think_ these MM ideas come mostly from MS AD's ways of doing things
>> instead of properly defining a distributed DIT and using referrals or
>> chaining instead. When people come from the MS AD world they usually
>> see the Directory as a simple People, Computers, and Groups DIT
>> structure, instead of a rich DIT that combines the best of the X500
>> org-based pattern with the DNS pattern.
>
> I haven't had *any* exposure to Microsoft "AD", so that's certainly
> not related to my thinking.
>

I wasn't implying that you had!

It's just that many multi-master requirements are not justified IMHO;
they just follow the latest fad imposed by MS or whoever.

Many LDAP implementations are little more than centralized user/pass
and in many cases only have LDAP because some software requires it
(e.g. IT Asset mgmnt solution, BI package, ERP, etc.), so they couldn't
care less about good directory design and implementation strategies.
For them it's just a necessary evil. Other times, LDAP is just there
because of centralized mgmnt of Windoze envs using MS AD, but it's not
really LDAP, it's just MS AD.

Some folks like to replace that with OpenLDAP+Samba, but whilst it's a
great move to get more Open Source in the organization, I think that
is actually negative for both sides.
For the Windoze side, Samba simply doesn't provide all the bells and
whistles of MS AD, well not Samba 3 at least, and not with a lot of
work.

For the OpenLDAP side, it's negative because it limits the powers of
LDAP with a flat and poor DIT structure. It would be much better to
create a real and rich LDAP server and keep using MS AD as a slave.

Furthermore, I think that many LDAP installations don't even consider
referrals and continuations. For example it would be stupid IMHO to
create a government-wide multi-master set-up, instead of creating
independent inter-linked trees for each branch/dept/office.

Again, I think that every implementation should model specific to
their needs, instead of trying to adopt a model "just because".

Multi-master, Master-Slave and distributed models need to be driven by
business needs rather than technical ones. Usually, the more
de-centralized and monolithic the better, but that is, of course, not
always the case.

> In my environment, we have several data centres, and while services
> are always being run in one or another of them, there is a quite
> conscious agnosticism as to where those services *ought* to be, as one
> of the purposes to the multiplicity is the ability to potentially
> failover services to a different site.
>

Absolutely! In your case multi-master is more than justified and makes sense.

But, my experience has been more on the SMB and govt side where many
require multi-master when it's really not justified, and just because
MS AD does it doesn't make it good!

Furthermore, they use multi-master for all the wrong reasons, for
example to have redundancy in the same physical location, where a simple
master-slave solution would suffice.

Note that, up to your posts, I didn't have any example where
multi-master actually made sense, so it's been very enlightening
indeed.

--
Alejandro Imass
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists