RE: [SSI-users] OpenSSI & LDAP
From: Dave P. <dp...@w3...> - 2004-03-25 16:22:21
ah.. perhaps a little clarification then.. :-)

By replication, I was referring to replicating the directory, such as you might do when crossing security layers to have an LDAP server in each layer. In that case, slurpd (from OpenLDAP) requires threading to function .. and that goes back to my previous comment.

I do have some concerns about repository storage using the default Berkeley DB (bdb) mechanism and having multiple nodes write to the same file(s). Since there's no record locking, it could prove rather disastrous should two nodes try to write to the repository simultaneously. :-(

Using a traditional LVS setup where each node has its own address but responds to a common "virtual" address should work just fine with an LDAP instance on each node, however this could get confusing (depending on which model of the LVS is used) when trying to serve LDAPS (StartTLS) simply by the way secure server certs are handled. Off the top of my head, I'm not sure about the ramifications of using SASL for authentication in the clustered variant of LVS.

It'll definitely be an experiment! Please do write up what you find as I'm sure there would be many people who would find the results (and setup methodology) quite interesting and useful! :-)

Kind Regards,
-dsp

> -----Original Message-----
> From: Walker, Bruce J [mailto:bru...@hp...]
> Sent: Thursday, March 25, 2004 10:57 AM
> To: Dave Paris; Xavier; ssi...@li...
> Subject: RE: [SSI-users] OpenSSI & LDAP
>
>
> Replication isn't an issue with OpenSSI (all files are visible at all time from all nodes). As Dave pointed out, you need shared storage (DRBD is coming along to relax that requirement) to get high avail for OpenSSI and thus hi avail for your LDAP.
> Process migration isn't relevant in this case either, as I see it. We just want to start ldap daemons on each node in the cluster.
>
> As for load balancing the LDAP, I'm not sure Dave actually answered the question as to whether 2 or more instances of the daemon could run on the same OpenSSI "server" (on different nodes) at the same time.
> To try this out you can:
> 1. Get LVS to load balance the port(s) that LDAP uses; for the tcp ports, make sure that the set_port_weight command in /etc/rc.d/init.d/ha-lvs includes the ports for ldap (see /etc/services). For UDP it is more complicated and may require use of ipvsadm.
> 2. you can stop ldap (service ldap stop); edit /etc/rc.d/ssiconfig and put the ldap as an "M all Y" entry and rerun chkconfig (chkconfig --ssi ldap reset); service ldap start;
>
> Very interested to find out how well this works.
>
> Bruce
>
>
> > -----Original Message-----
> > From: ssi...@li...
> > [mailto:ssi...@li...] On Behalf Of Dave Paris
> > Sent: Thursday, March 25, 2004 5:29 AM
> > To: Xavier; ssi...@li...
> > Subject: RE: [SSI-users] OpenSSI & LDAP
> >
> >
> > This comment only applies to OpenLDAP .. ignore if you're using something else. You may bump into some problems down the road if you find a need to replicate your LDAP directory via slurpd, as it is a threaded app and threads migrate to other nodes only in the context of a process (all threads go at once).
> >
> > On a more generalized note, LDAP is typically disk-based storage (storage on same disk as application, rather than a centralized database). Unless both nodes are root nodes and have a shared storage solution, if the root node in your cluster drops, your LDAP server will go offline, somewhat negating the benefit of having two boxes. :-)
> >
> > For our LDAP/RADIUS/AAA services, I used a HA/LVS kernel on a pair of boxes with one public interface and two private interfaces and use slurpd/rsync to replicate the directory, etc. between the two on the private interface. The AAA records are stored in a central database not on either machine, but MySQL could be used in a master->master replication scheme. It's a much more robust solution for services that have a requirement for high availability.
> >
> > This seems like one of those "can it be done? yes. should it be done? that depends, greatly." kinda things.
> >
> > Kind Regards,
> > -dsp
> >
> > > -----Original Message-----
> > > From: ssi...@li...
> > > [mailto:ssi...@li...] On Behalf Of Xavier
> > > Sent: Thursday, March 25, 2004 7:44 AM
> > > To: ssi...@li...
> > > Subject: [SSI-users] OpenSSI & LDAP
> > >
> > >
> > > Hi,
> > >
> > > Anybody running LDAP on top of SSI ?
> > > I've a 2-node cluster but slapd runs only on one node.
> > > I'd like to have load-balancing.
> > >
> > > # cat /etc/cvsip.conf
> > > <?xml version="1.0"?>
> > > <cvips>
> > >   <cvip>
> > >     <ip_addr>10.50.10.253</ip_addr>
> > >     <director_node>
> > >       <node_num>1</node_num>
> > >       <garp_interface>eth0</garp_interface>
> > >       <sync_interface>eth0</sync_interface>
> > >     </director_node>
> > >     <director_node>
> > >       <node_num>2</node_num>
> > >       <garp_interface>eth0</garp_interface>
> > >       <sync_interface>eth0</sync_interface>
> > >     </director_node>
> > >     <real_server_node>
> > >       <node_num>1</node_num>
> > >     </real_server_node>
> > >     <real_server_node>
> > >       <node_num>2</node_num>
> > >     </real_server_node>
> > >   </cvip>
> > > </cvips>
> > > # cat /proc/cluster/lvs
> > > CVIP Address    Node number
> > > 10.50.10.253    1
> > > # ipvsadm -L
> > > IP Virtual Server version 1.0.10 (size=65536)
> > > Prot LocalAddress:Port Scheduler Flags
> > >   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> > > TCP  10.50.10.253:ldap wlc
> > >   -> 204.152.65.1:ldap            Route   5      0          0
> > > TCP  10.50.10.253:ssh wlc
> > >   -> 204.152.65.1:ssh             Route   2      0          0
> > >
> > > In the same way, is there a list of applications known to be "SSI-compatible" ?
> > >
> > > Regards,
> > > Xavier
> > >
> > > --
> > > "One world, one web, one program" -- Microsoft promotional ad
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by: IBM Linux Tutorials
> > > Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
> > > http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> > > _______________________________________________
> > > Ssic-linux-users mailing list
> > > Ssi...@li...
> > > https://lists.sourceforge.net/lists/listinfo/ssic-linux-users
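The cvsip.conf and `ipvsadm -L` listing Xavier posted show the symptom the thread is about: the cluster IP declares two real_server_node entries, yet only one real server (204.152.65.1) sits behind the ldap and ssh virtual services, so a single node failure takes the directory offline. The following script is an added example, not code from the thread or from OpenSSI/LVS; it parses both listings (copied from the message above as constructed sample input) and reports each virtual service that has fewer real servers with a positive weight than the cvip declares. The column layout assumed for `ipvsadm -L` is the one shown in the thread.

```python
"""Cross-check an OpenSSI cvip configuration against `ipvsadm -L` output.

Added example for this thread (not OpenSSI or LVS code).  The two inputs
below are constructed from the listing posted to the list: cvsip.conf
declares two real_server_node entries, but `ipvsadm -L` shows only one real
server behind the ldap and ssh virtual services.  The check reports any
virtual service whose real-server count falls short of what the cluster
declares, which is the "slapd runs only on one node" symptom.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the cvsip.conf posted in the thread.
CVSIP_CONF = """<?xml version="1.0"?>
<cvips>
  <cvip>
    <ip_addr>10.50.10.253</ip_addr>
    <director_node>
      <node_num>1</node_num>
      <garp_interface>eth0</garp_interface>
      <sync_interface>eth0</sync_interface>
    </director_node>
    <director_node>
      <node_num>2</node_num>
      <garp_interface>eth0</garp_interface>
      <sync_interface>eth0</sync_interface>
    </director_node>
    <real_server_node>
      <node_num>1</node_num>
    </real_server_node>
    <real_server_node>
      <node_num>2</node_num>
    </real_server_node>
  </cvip>
</cvips>
"""

# Constructed sample: the `ipvsadm -L` listing posted in the thread.
IPVSADM_OUT = """IP Virtual Server version 1.0.10 (size=65536)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.50.10.253:ldap wlc
  -> 204.152.65.1:ldap            Route   5      0          0
TCP  10.50.10.253:ssh wlc
  -> 204.152.65.1:ssh             Route   2      0          0
"""


def parse_cvsip(text):
    """Return {cvip_address: [real server node numbers]} from cvsip.conf."""
    root = ET.fromstring(text)
    cvips = {}
    for cvip in root.findall("cvip"):
        addr = cvip.findtext("ip_addr").strip()
        nodes = [int(n.findtext("node_num")) for n in cvip.findall("real_server_node")]
        cvips[addr] = nodes
    return cvips


# A virtual-service line: "TCP  10.50.10.253:ldap wlc"
VSERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)")
# A real-server line under it: "  -> 204.152.65.1:ldap  Route  5  0  0"
# (the header row's "Weight" is not numeric, so it does not match)
RSERVER_RE = re.compile(r"^\s*->\s+(\S+):(\S+)\s+(\S+)\s+(\d+)")


def parse_ipvsadm(text):
    """Return {(proto, vip, port): [(real_ip, weight), ...]} from `ipvsadm -L`."""
    services = {}
    current = None
    for line in text.splitlines():
        m = VSERVICE_RE.match(line)
        if m:
            proto, vip, port, _sched = m.groups()
            current = (proto, vip, port)
            services[current] = []
            continue
        m = RSERVER_RE.match(line)
        if m and current is not None:
            rip, _rport, _fwd, weight = m.groups()
            services[current].append((rip, int(weight)))
    return services


def find_unbalanced(cvsip_text, ipvsadm_text):
    """List (service, active_real_servers, declared_real_server_nodes) for every
    virtual service that has fewer weight>0 real servers than the cvip declares."""
    expected = parse_cvsip(cvsip_text)
    findings = []
    for (proto, vip, port), reals in parse_ipvsadm(ipvsadm_text).items():
        declared = len(expected.get(vip, []))
        active = sum(1 for _ip, w in reals if w > 0)
        if active < declared:
            findings.append((f"{proto} {vip}:{port}", active, declared))
    return findings


if __name__ == "__main__":
    for svc, active, declared in find_unbalanced(CVSIP_CONF, IPVSADM_OUT):
        print(f"{svc}: {active} real server(s) with weight > 0, cluster declares {declared}")
```

Run as-is it flags both the ldap and the ssh service with one active real server against two declared nodes. Pointing it at the live files (`/etc/cvsip.conf` and the output of `ipvsadm -L`) after following Bruce's two steps is a quick way to confirm that the second slapd instance actually appeared behind the virtual address rather than trusting that the service started.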