In fact, none of the LDAP clients need (or can) write to the directory servers. They (remote servers) only read the information needed to make (or update) their own config files and to authenticate their own users. Client interfaces (web/php) allow the users to update (or, according to their profile, simply consult) the information needed. Some of them (authorized "administrators" on remote sites) can update some more sensitive information (create/delete new users in their department, change their groups, assign application software profiles, create new emails/aliases or proxy access, update department information or sometimes, why not, administer some new samba shares, ...). On the central site, technicians of the hot-line or system administrators do the rest ... (of course, everything is not totally finished and work remains to be done ... which, as a matter of fact, remains a good thing concerning my remuneration ;-) --- PE
-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com]
Sent: Thursday 12 February 2009 00:29
To: Philippe EYCHART
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5919) URI syntax (ldap:///dc=my%2cdc=domaine)
Philippe EYCHART wrote:
philippe.eychart@informatique.gov.pf wrote:
Use of SRV RRs is a good response (in particular in the case of a large Intranet with many remote sites - islands in the Pacific - and poor communication resources - satellite) but requires to be implemented in all client applications: nssldap, samba, ldap client tools for rsync/mail/DNS/proxy/supervision definitions, ... or openldap.

We are in this case: I work in Tahiti, for the French Polynesian government, IT department. Our intranet takes in a big geographic area covering several islands. I'm in charge of transferring the totality of our management systems (and network config) into a centralized base (of course: openldap). But, on the one hand, distant servers (and users) can't be subjected to the quality of the communication links, in particular concerning local services (authentication, local messaging, samba service, etc ...) and on the other hand, we can't multiply the number of ldap servers providing redundancy (even with services merged, we already manage more than 100 servers - and about 4000 PCs). So, one local server in every remote site must provide ldap service for the other local servers (which provide different services for different administrative departments) to guarantee acceptable performance (and also to ensure a certain insensitivity to breaks in communication links, at least for locally provided services); so, in case of an ldap server failure, the redundancy must be provided by the central servers group, with the help of SRV resolutions that (will) allow the ... excellent openldap library ;) It seems to me that SRV RRs definition is actually a quite good answer (easy to deploy and, why not, standardized) to this problem.
IMHO DNS RRs are not a good failover mechanism. The LDAP clients would have to be quite smart to do the right thing. Especially if LDAP clients are writing to the directory servers.
Ciao, Michael.
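The client-side logic that both messages turn on (Philippe's idea of locating a local LDAP server through SRV records with fallback to the central server group, and Michael's point that the client itself has to be smart enough to walk that list correctly), shown as an added Python example. It is not code from this thread and not OpenLDAP's libldap. It assumes the RFC 2247 mapping of dc= components to a DNS domain (ldap:///dc=my%2cdc=domaine -> _ldap._tcp.my.domaine) and the RFC 2782 priority/weight ordering; the SRV records, host names and the resolve_srv/try_connect callbacks are constructed placeholders standing in for a real resolver and a real bind attempt.

```python
import random
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample SRV answer for _ldap._tcp.my.domaine (not real hosts).
# Each entry: (priority, weight, port, target). The local site server has
# the best (lowest) priority; the two central servers are the fallback.
SAMPLE_SRV = [
    (10, 60, 389, "ldap-local.site.example"),
    (20, 40, 389, "ldap-central1.hq.example"),
    (20, 60, 389, "ldap-central2.hq.example"),
]


def parse_ldap_url(url):
    """Split an ldap:// URL (RFC 4516 shape) into (host, base_dn).

    An empty host part, as in ldap:///dc=my%2cdc=domaine, means the URL
    names no server; the DN is percent-decoded, so %2c becomes a comma.
    IPv6 literals and the attribute/scope/filter fields are not handled."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, dn_part = url[len("ldap://"):].partition("/")
    base_dn = unquote(dn_part.split("?", 1)[0])
    return (host or None), base_dn


def dn_to_domain(base_dn):
    """RFC 2247 mapping: dc=my,dc=domaine -> my.domaine (non-dc RDNs are
    skipped, so a DN with no dc components yields an empty string)."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip())
    return ".".join(labels)


def srv_name(domain):
    """Name queried for LDAP-over-TCP SRV records (RFC 2782 convention)."""
    return "_ldap._tcp." + domain


def order_srv(records, seed=None):
    """Order SRV records for connection attempts per RFC 2782: ascending
    priority, and within one priority a weighted random draw without
    replacement (weight-0 records are simply drawn last; the RFC's
    'small chance' rule for them is simplified here).
    Returns a list of (target, port)."""
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for prio, weight, port, target in records:
        by_prio[prio].append((weight, port, target))
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(w for w, _, _ in pool)
            if total == 0:
                choice = pool[0]
            else:
                pick = rng.randint(0, total - 1)
                running = 0
                for cand in pool:
                    running += cand[0]
                    if pick < running:
                        choice = cand
                        break
            pool.remove(choice)
            ordered.append((choice[2], choice[1]))
    return ordered


def locate_servers(url, resolve_srv, seed=None):
    """Explicit host in the URL wins; otherwise derive the domain from the
    base DN and ask resolve_srv (a stand-in for a DNS lookup) for records."""
    host, base_dn = parse_ldap_url(url)
    if host:
        name, _, port = host.partition(":")
        return [(name, int(port) if port else 389)]
    return order_srv(resolve_srv(srv_name(dn_to_domain(base_dn))), seed)


def connect_with_failover(targets, try_connect):
    """Walk the ordered target list and return the first (host, port) that
    try_connect accepts, or None when every server is unreachable. This is
    the 'smart client' step: a dead local server must not stop the walk."""
    for host, port in targets:
        if try_connect(host, port):
            return (host, port)
    return None


if __name__ == "__main__":
    # Constructed resolver: only the one name has an answer.
    resolver = lambda n: SAMPLE_SRV if n == "_ldap._tcp.my.domaine" else []
    targets = locate_servers("ldap:///dc=my%2cdc=domaine", resolver, seed=1)
    print("attempt order:", targets)
    # Simulate the local site server being down (link or host failure).
    down = "ldap-local.site.example"
    print("connected to:", connect_with_failover(targets, lambda h, p: h != down))
```

The order of attempts is what matters for the failover property Philippe wants: the local server is always tried first because of its lower priority value, and the central group is only reached when it refuses the connection. Michael's objection lives in connect_with_failover: if a client stops at the first failure (or caches a dead server), the SRV data alone buys nothing, and a client that writes would additionally have to know which of these servers accepts updates.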