In fact, none of the LDAP clients need to (or can) write to the directory servers.
They (remote servers) only read the information needed to make (or update)
their own config files and to authenticate their own users.
Client interfaces (web/PHP) allow the users to update (or, according to their
profile, simply consult) the information they need. Some of them (authorized
"administrators" on remote sites) can update some more sensitive
information (create/delete users in their department, move them between
groups, assign application software profiles, create new emails/aliases or
proxy access, update department information or sometimes, why not,
administer some new Samba shares, ...)
On the central site, hot-line technicians or system administrators do
the rest ...
(of course, not everything is completely finished and work remains to be done ...
which, as a matter of fact, remains a good thing for my remuneration ;-)
---
PE
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Thursday, 12 February 2009 00:29
To: Philippe EYCHART
Cc: openldap-its(a)openldap.org
Subject: Re: (ITS#5919) URI syntax (ldap:///dc=my%2cdc=domaine)
Philippe EYCHART wrote:
> philippe.eychart(a)informatique.gov.pf wrote:
>> Use of SRV RRs is a good response (in particular in the case of a large
>> Intranet with many remote sites -islands in the Pacific- and poor
>> communication resources - satellite) but it requires to be implemented
>> in all client applications: nss_ldap, Samba, LDAP client tools for
>> rsync/mail/DNS/proxy/supervision definitions, ... or OpenLDAP.
>
> We are in this case: I work in Tahiti, for the French Polynesian
> government, IT department.
> Our intranet covers a large geographic area spanning several islands.
> I'm in charge of transferring the totality of our management systems (and
> network config) into a centralized base (of course: OpenLDAP).
> But, on one hand, distant servers (and users) can't be subject to the
> quality of the communication links, in particular concerning local services
> (authentication, local messaging, Samba service, etc ...) and on the other
> hand, we can't multiply the number of LDAP servers providing redundancy
> (even with services merged, we already manage more than 100 servers - and
> about 4000 PCs).
> So, one local server in every remote site must provide the LDAP service for
> the other local servers (which provide different services for different
> administrative departments) to guarantee acceptable performance (and also
> to ensure a certain insensitivity to breaks in communication links, at least
> for locally provided services); so, in case of an LDAP server failure, the
> redundancy must be provided by the central server group, with the help of
> the SRV resolution that the ... excellent OpenLDAP library (will) allow ;)
> It seems to me that the SRV RR definition is actually quite a good answer
> (easy to deploy and, why not, standardized) to this problem.
IMHO DNS RRs are not a good failover mechanism. The LDAP clients would
have to be quite smart to do the right thing. Especially if LDAP clients
are writing to the directory servers.
Ciao, Michael.
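Added example (not from this thread, nor OpenLDAP's own code): a small Python model of the SRV-based client behaviour being debated, mapping a host-less base DN such as dc=my,dc=domaine to the SRV owner name, ordering the records by priority and weight as RFC 2782 prescribes, and falling through to the next server on failure. The SRV records and the connection function are constructed so it runs offline; the comments mark what "the client has to be smart about", including that SRV says nothing about which server accepts writes.

```python
"""Model of an LDAP client that discovers servers via DNS SRV records."""
import random

# Constructed sample answer for _ldap._tcp.my.domaine (not real DNS data):
# (priority, weight, port, target). Lower priority is tried first; weight
# splits load inside one priority level; weight 0 is a last resort.
SAMPLE_SRV = [
    (10, 60, 389, "ldap1.central.my.domaine"),
    (10, 40, 389, "ldap2.central.my.domaine"),
    (20, 0, 389, "ldap.island.my.domaine"),
]
# Constructed outage: hosts in this set refuse connections in the demo.
UNREACHABLE = {"ldap1.central.my.domaine", "ldap2.central.my.domaine"}


def dn_to_srv_name(base_dn):
    """dc=my,dc=domaine -> _ldap._tcp.my.domaine (dc components only, as in
    libldap's DN-to-domain mapping for host-less ldap:/// URIs)."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() != "dc":
            raise ValueError("non-dc RDN has no DNS mapping: %r" % rdn)
        labels.append(value.strip())
    return "_ldap._tcp." + ".".join(labels)


def order_srv(records, seed=None):
    """RFC 2782 ordering: ascending priority, weighted random draw within
    each priority group; weight-0 entries are only drawn when nothing else
    remains. seed makes the draw reproducible for tests."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = group[0]  # all remaining weights are 0
            if total:
                point, acc = rng.randint(0, total - 1), 0
                for r in group:
                    acc += r[1]
                    if point < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def connect_with_failover(records, try_connect, seed=None):
    """Walk the ordered list until try_connect(host, port) succeeds.
    Caveat: a reachable SRV target may still be a read-only replica, so a
    writing client needs more than this (referral chasing or a fixed master)."""
    failures = []
    for _prio, _weight, port, host in order_srv(records, seed):
        try:
            return try_connect(host, port), failures
        except OSError as exc:
            failures.append((host, str(exc)))
    raise ConnectionError("no SRV target reachable: %r" % failures)


def simulated_connect(host, port):
    """Stand-in for a real LDAP connect; fails for hosts in UNREACHABLE."""
    if host in UNREACHABLE:
        raise OSError("connection timed out")
    return "ldap://%s:%d" % (host, port)
```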