Tim Alberts wrote:
| Not really a question for a Fedora user list, but this is the only
| list I enjoy...
|
|
| First, can I use a single LDAP server to maintain two different
| address books (internal contacts / external contacts) and use it as
| an authentication system for two (or more) Linux machines? I'm
| trying to learn how to setup LDAP and I see all these tutorials for
| these tasks separately, but nothing that really says I can do it
| all at once with one server.
|
|
| Second, if the computer running the LDAP server fails in some
| manner is the database easily copied/mirrored to another server
| that can take over? Is it as easy as copy the config and data
| directory to the second machine and turn on the server? Or does
| LDAP have a built in structure for maintaining information among a
| primary/backup server?
You ask a lot of questions, all of which are very simple.
First, Address book vs. Authentication: This is not really two address books, but two uses of the address book. After all, don't I want all my login or email users to also appear in the address book? Of course I do. On regular address book entries you will include objectClass entries for inetOrgPerson, which gives me fields such as mail. But only email users also have an objectClass of qmailUser and posixAccount in addition to the inetOrgPerson. Therefore, all entries have the ability to appear in the address book, but I need to add more information to also give them access to anything.
Second, Failover: Yes, you can add two LDAP server addresses in the /etc/ldap.conf file. If OL cannot communicate with the first server, it will try to contact the second. So it is important to keep the servers in sync with one another.
Third, Sync: There are two types of sync with OL. The first is called a replica. In this situation, you always make changes to the primary server, and whenever data gets saved, the master server records the changes in a log. A program called slurpd propagates those changes to all configured replicas.
The other type of replication is called syncrepl. In this case, the replica contacts the master on a regular basis. The changes are not as immediate, but you also do not need to keep a port open on the replica for the master to communicate on. This has fantastic security possibilities, but it will only work with the OL that comes in FC3, and it is not quite fully baked. So it has issues.
Ideally, the idea would be to use syncrepl to cause server 2, server 3, ..., server N to keep their LDAP databases in sync with a primary source. Then have each server use its local cache to authenticate, with rollover to the primary source. This way, even if your LDAP server stops working for any reason, your services still have the ability to get their accounts from another source.
HTH
Kevin Fries
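The objectClass layering Kevin describes, written out as an added LDIF example that is not part of the original post. The suffix dc=example,dc=com, the ou=People container and the two people are assumed; so is that slapd.conf loads the core (inetOrgPerson), nis (posixAccount, shadowAccount) and qmail-ldap (qmailUser) schemas. Only the mail attribute of qmailUser is used here, since that is the one attribute its schema requires.

```ldif
# Added example (not from the original post). Assumed names: dc=example,dc=com,
# ou=People, and the two uids below. Requires the core, nis and qmail-ldap
# schemas to be included in slapd.conf.

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

# 1. An external contact: address book only. No posixAccount, so nss_ldap and
#    pam_ldap never see it as a login; no qmailUser, so the MTA never treats it
#    as a local mailbox. It still has every field a mail client searches on.
dn: uid=jdoe-ext,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe-ext
cn: Jane Doe
sn: Doe
mail: jane.doe@partner.example.net
telephoneNumber: +1 555 0100
o: Partner Corp

# 2. An internal user: the same inetOrgPerson attributes put it in the address
#    book, and the auxiliary classes add what login and mail delivery need.
dn: uid=kfries,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: qmailUser
uid: kfries
cn: Kevin Fries
sn: Fries
mail: kfries@example.com
# posixAccount MUST attributes (cn and uid are already present above)
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/kfries
loginShell: /bin/bash
# shadowAccount: password-aging fields that pam_ldap enforces
shadowMax: 90
shadowWarning: 7
# Set userPassword after loading (for example with ldappasswd) so that no
# password hash is stored in this file or in shell history.
```

Load it with ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f people.ldif (bind DN assumed). A mail client's address book search such as (objectClass=inetOrgPerson) returns both entries; if the two groups must be separated, as the original question asked, either keep externals in their own OU or search internals with (&(objectClass=inetOrgPerson)(objectClass=posixAccount)) and externals with (&(objectClass=inetOrgPerson)(!(objectClass=posixAccount))). The login path never sees jdoe-ext because pam_ldap and nss_ldap filter on posixAccount.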
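The failover and syncrepl setup from the reply (two servers in /etc/ldap.conf, a replica that pulls from the primary, and clients that prefer their local copy), as an added configuration example that is not from the original post. It assumes OpenLDAP 2.3 or later with the syncprov overlay, which differs from the FC3-era 2.2 syncrepl provider the author refers to; slurpd was removed entirely in 2.4. The hosts ldap1.example.com (primary) and ldap2.example.com (replica), the suffix dc=example,dc=com, the cn=replicator bind DN (an entry you create for this purpose with a strong password) and the CA file path are all assumed.

```conf
# Added example, not from the original post. Assumed: OpenLDAP 2.3+ (syncprov
# overlay), suffix dc=example,dc=com, primary ldap1.example.com, replica
# ldap2.example.com, and a cn=replicator entry created for replication binds.

# ---- /etc/ldap.conf on every client (nss_ldap / pam_ldap) ----
# Local replica first, primary as fallback; the library tries them in order, so a
# dead first server costs one connect timeout instead of a failed login.
uri ldap://127.0.0.1/ ldap://ldap1.example.com/
base dc=example,dc=com
bind_policy soft
bind_timelimit 5
timelimit 10
# Passwords travel over this connection: require STARTTLS and check the cert.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
# Only posixAccount entries are login candidates; address-book-only contacts are
# filtered out before nss or pam ever see them.
nss_base_passwd ou=People,dc=example,dc=com?one?(objectClass=posixAccount)
nss_base_shadow ou=People,dc=example,dc=com?one?(objectClass=shadowAccount)
pam_filter objectClass=posixAccount

# ---- slapd.conf on the primary (syncrepl provider) ----
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,uid,mail      eq
index           entryCSN,entryUUID        eq
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# The replicator must read everything (password hashes included) and must not be
# cut off by the default size/time limits during the initial full refresh.
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * read

# ---- slapd.conf on the replica (syncrepl consumer) ----
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,uid,mail      eq
index           entryCSN,entryUUID        eq
# The replica pulls: one outbound connection every five minutes, so nothing has
# to be reachable from the primary to the replica, which is the security point
# made in the reply.
syncrepl rid=001
         provider=ldap://ldap1.example.com
         type=refreshOnly
         interval=00:00:05:00
         searchbase="dc=example,dc=com"
         filter="(objectClass=*)"
         scope=sub
         attrs="*,+"
         schemachecking=off
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
         starttls=critical
         tls_reqcert=demand
# Any write sent to the replica is referred back to the primary.
updateref ldap://ldap1.example.com
```

The replica's slapd.conf also needs the same schema includes as the primary, and its database directory should start empty; the first refreshOnly cycle copies everything. To check that the two copies agree, compare the contextCSN on both: ldapsearch -x -H ldap://ldap1.example.com -b dc=example,dc=com -s base contextCSN against the same query on ldap2. Keep the credentials line readable only by root (slapd.conf mode 0600), since it is a cleartext password to an account that can read every userPassword hash in the directory.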