Hi there,
I would like to share with this list my experiences with OpenLDAP
implementation at one financial company, which is currently my job, and they
use Oracle Internet Directory as their solution for LDAP service. This is my
third year at the company and in my early days I was responsible for doing the
'dirty work' in order to keep OID (I will use the acronym from now on because the
name of the software is too long to keep writing :) working when the
senior analysts were too busy with other projects to fix or request a fix
for OID problems.

One day those senior analysts left the company and I was blessed as the
'LDAP guy' by the managers. From that day I started to think on my own about
that, and as a free software enthusiast, plus my previous small experiences
with LDAP infrastructure, my ideas turned to an obvious project,
OpenLDAP. I will talk more about OpenLDAP later.

They have an interesting LDAP tree which has some design problems but in a
general way it is useful and supports the company business process. From the
infrastructure perspective it's painful and the main reason is the
replication technique, which is absolutely inefficient in almost every
aspect, from performance to scalability. OID by itself is also a great
problem: it doesn't respect the RFCs, has tons of stupid bugs that take an
eternity to get resolved, has a relational database as 'backend' and the
installation process is even worse. The replication is based on the OID
changelog at database level, and small applications, called agents, written in
Java, are responsible for taking those changes from the database and replicating the
modifications across the slaves. So for each slave we have a Java agent
querying the Master and some thousand additional rows in the OID database. I don't
know much about why they decided to write their own replication tool instead
of using the one from OID, but the old guys told me that the Oracle replication software
(DIP) didn't work well and was a very bad piece of software, just as OID
BTW.

With that architecture we basically started to suffer from the following
problems:

1 - Performance with the Master
2 - Slave scalability
3 - Information integrity

The performance problem with the Master was generated by the replication agents,
which consume database resources to perform the replication. This first
problem also generates the second because we couldn't increase the number of
slaves due to performance problems. OID bugs were also generating an
incredible number of inconsistencies in the tree.

From that point I started a small project with the first objective to avoid the
performance problems with the Master. The project was based on OpenLDAP adoption
as a replacement for the OID slaves: an OpenLDAP Master would be created with two
more OpenLDAP slaves using delta-syncrepl for replication. With OpenLDAP
slaves we could shut down some replication agents and also the OID slaves,
giving the Master database more 'air' to breathe.

The first OpenLDAP tests showed an unbelievable performance: 23560 entries
returned from a search in exactly 4 seconds on average. The same search
operation against OID returned in 30 seconds on average. The machine configuration
is almost the same, the only difference is that the OID infrastructure requires
two machines, one for oidldapd and another for the Oracle DB, and we also need
DBA support BTW.

We've made a presentation to the managers showing the quality of OpenLDAP,
the overlay concept and how we could use that to improve service
reliability and availability. We showed everything on our performance
comparisons and asked them to support us in that 'migration' project.

Two weeks ago we replaced the first OID infrastructure with OpenLDAP 2.4.22
and everyone here is enjoying how fast the system response is and how stable
delta-syncrepl is. I have evaluated with current numbers that we will be
able to replace 4 OID with just 1 OpenLDAP infrastructure and that is really
pleasant. The entire migration is planned to happen next November.

I want to thank everyone responsible for keeping the OpenLDAP project at that high
level of quality and I am really proud that that kind of quality has been
produced by a free software project (free as in freedom).
Thanks,
Matheus Morais
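
The master-plus-two-slaves delta-syncrepl layout described in the post, written out as an added slapd.conf example (this is not the poster's configuration, nor code from the OpenLDAP project itself). The suffix dc=example,dc=com, the replication identity cn=replicator, the host ldapmaster.example.com and the directory paths are placeholders; the backend is hdb to match the 2.4.22 era. The two points a practitioner usually gets wrong are shown explicitly: the accesslog database is readable only by the replication identity, since it records every write made to the main tree, and the consumer requires STARTTLS so the replicator credentials and the replicated data do not cross the network in clear.

```conf
# ---------------- Provider (master) slapd.conf fragment ----------------
# Assumed names: dc=example,dc=com, cn=replicator, ldapmaster.example.com
# and all directory paths are placeholders, not the poster's environment.

# Accesslog database: holds the change records that delta-syncrepl
# consumers fetch instead of re-reading whole entries.
database hdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
# Only the replication identity may read the change log; it contains
# every write (including password changes) made to the main database.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * none

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Main database
database hdb
suffix "dc=example,dc=com"
directory /var/lib/ldap/data
rootdn "cn=Manager,dc=example,dc=com"
# The replicator must be able to read the whole tree without hitting
# the server's size/time limits, otherwise the initial refresh truncates.
limits dn.exact="cn=replicator,dc=example,dc=com"
    time.soft=unlimited time.hard=unlimited
    size.soft=unlimited size.hard=unlimited

overlay syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 100

# Record successful write operations into cn=accesslog; purge records
# older than 7 days, checking once a day.
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00

# ---------------- Consumer (slave) slapd.conf fragment ----------------
# Same fragment on both slaves; only rid= must differ between them.
database hdb
suffix "dc=example,dc=com"
directory /var/lib/ldap/data
rootdn "cn=Manager,dc=example,dc=com"

syncrepl rid=1
    provider=ldap://ldapmaster.example.com:389
    starttls=critical
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLACE_WITH_REPLICATOR_PASSWORD
    searchbase="dc=example,dc=com"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

# Clients that try to write to a slave are referred back to the master.
updateref ldap://ldapmaster.example.com
```

The cn=replicator entry must exist in the main database on the provider with a password set, and the provider needs a TLS certificate configured for starttls=critical to succeed; if the consumer logs repeated "do_syncrep2" errors after startup, check those two things and the accesslog ACL before anything else. Keeping credentials out of slapd.conf altogether (for example with SASL/EXTERNAL over TLS client certificates) is the next hardening step once the plain setup replicates.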