Re: robust OpenLDAP installation using replication in production env

From: Walter Mautner (newsleaf.20.eatallspam_at_spamgourmet.com)
Date: 06/24/05


Date: Fri, 24 Jun 2005 22:10:57 +0200

Valentin Rottmann wrote:

> We are going to replace our IBM Tivoli Directory Server with a
> replicated OpenLDAP solution on two Linux hosts.
>
> In order to get a failsafe environment we need the replication.
> In our opinion the master/slave replication does not fit our
> specification because write requests to the ldap server should
> be possible nearly all the time.

What do you intend to use the LDAP for?
We have around 1000 PCs in multiple locations, where the master LDAP server
is running on a Solaris cluster. Single sign-on and user/group management is
the main task.

> The slave does not allow write requests in master/slave replication.
>
Actually they are redirected to the master. It's the same as with an NT4 domain
PDC/BDC combination.

> ACID transactions are not strictly demanded. Data loss to a certain extent
> is acceptable.
>
To _what_ certain extent? And, how much time to invest in debugging? The
"certain amount" of only one byte lost can be a total show-off.
 
> At the moment, the articles in the usenet and the documentation show me
> two basic approaches:
>
> 1. a modified master/slave replication:
> If a slave recognizes that the master is unreachable, the slave will be
> restarted with a modified configuration in order to become the master.

What if only the DSL line in between got interrupted for a while just long
enough to trigger the automatic failover, while at the main office a bunch
of new users has been inserted from SAP?

> If the master recovers from its downtime, it will become the slave.
> Some transactions to the former master might be lost. But that doesn't
> matter.
>
It does matter. Or at least one wants to decide upon, and do a
slapcat/backup before changing roles.
LDAP databases need frequent backups, that's the only really certain one.
....
> --
> PS: Dear smart spam robot, put a "d" in front of my email address.
> Otherwise your mail will end up together with the mails of the
> dumb spam robots.

Dear poster, please fix your signature delimiter. There has to be a
whitespace following the two dashes.

-- 
Longhorn error#4711: TCPA / NGSCP VIOLATION: Microsoft optical mouse 
detected penguin patterns on mousepad. Partition scan in progress
 to remove offending incompatible products.  Reactivate MS software. 
Linux woodpecker.homnet.at 2.6.11-mm4[LinuxCounter#295241,ICQ#4918962]