Hello OpenLDAP users,
I’m looking for some advice concerning an OpenLDAP solution I’m about to deploy between 4 locations in the company I work for.
Currently I’ve implemented an LDAP DIT in my country and we’ve had exquisite results. I’ve integrated RADIUS for wireless authentication, MIT Kerberos, Samba PDC, Dovecot, and the list can continue, but that’s not the scope of this message.
We have some global services located in one of the countries that all other 3 countries use (Trac, SVN, web2project, Alfresco).
We want each country to have its own LDAP DIT (we don’t want a global LDAP with slaves in each country, because some of us want locally significant objects (for authorization purposes), and having a slave LDAP means read-only). That’s why I thought of using N-way multi-master on each of the four LDAP servers.
The idea I had was that each country will have only a portion of the DIT sent to the others (we narrow the searchbase in syncrepl):
Country 1 sends ou=COUNTRY-1,dc=example,dc=com
Country 2 sends ou=COUNTRY-2,dc=example,dc=com
Country 3 sends ou=COUNTRY-3,dc=example,dc=com
Country 4 sends ou=COUNTRY-4,dc=example,dc=com
In each ou=COUNTRY-{1..4} there will be ou=People and ou=Groups.
Basically that’s the only thing I want to be consistent across all LDAP DITs.
I’ve tested the solution using some virtual machines and, besides STARTTLS and some things each administrator will have to be cautious about, things went smoothly.
I’ve also read something about slapo-translucent and will now test to see how it works.
Can I get some suggestions, or maybe a whole new architecture for my needs, in case I didn’t foresee problems?
Thx!
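As an added illustration of the setup described in the post above (example configuration written for this page, not the poster's actual config), here is what the cn=config of the Country 1 server could look like: one syncrepl consumer per remote provider, each narrowed to that country's subtree, with a unique serverID, mirror mode enabled so local writes are still accepted, STARTTLS required with certificate verification, and ACLs that keep the replicated copies of the other three subtrees read-only locally. The hostnames ldap1..ldap4.example.com, the replicator DN, the admin group, the CA file path and the database index {1}mdb are assumptions.

```ldif
# Added example, not from the original post. Assumed: hosts ldap{1..4}.example.com,
# cn=replicator as the syncrepl bind DN, the admins group, the CA path and {1}mdb.

# A unique olcServerID per server is required for multi-master, so that the
# entryCSN/contextCSN values written here carry a different SID than the
# other three providers' values.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={1}mdb,cn=config
changetype: modify
# A database that runs syncrepl consumers is a read-only shadow unless mirror
# mode is on; without this, local writes are refused (or referred away).
replace: olcMirrorMode
olcMirrorMode: TRUE
-
# One consumer per remote provider, each pulling only that country's subtree.
# rid values must be unique on this server. starttls=critical aborts the
# session if STARTTLS fails, tls_reqcert=demand refuses an unverifiable cert.
replace: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://ldap2.example.com
  type=refreshAndPersist retry="60 10 300 +"
  searchbase="ou=COUNTRY-2,dc=example,dc=com" scope=sub
  filter="(objectClass=*)" attrs="*,+"
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGEME
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/ssl/certs/example-ca.pem
olcSyncrepl: rid=003 provider=ldap://ldap3.example.com
  type=refreshAndPersist retry="60 10 300 +"
  searchbase="ou=COUNTRY-3,dc=example,dc=com" scope=sub
  filter="(objectClass=*)" attrs="*,+"
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGEME
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/ssl/certs/example-ca.pem
olcSyncrepl: rid=004 provider=ldap://ldap4.example.com
  type=refreshAndPersist retry="60 10 300 +"
  searchbase="ou=COUNTRY-4,dc=example,dc=com" scope=sub
  filter="(objectClass=*)" attrs="*,+"
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGEME
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/ssl/certs/example-ca.pem
-
# Only the local subtree is writable by local admins. The other three subtrees
# are replica copies: a change made to ou=COUNTRY-2 on this server is never
# pulled by anyone (server 2 is the only writer of that subtree), so it would
# silently diverge. Syncrepl's own writes run as rootdn and bypass these ACLs.
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=COUNTRY-1,dc=example,dc=com"
  by group.exact="cn=admins,ou=Groups,ou=COUNTRY-1,dc=example,dc=com" write
  by users read
olcAccess: {2}to dn.subtree="dc=example,dc=com"
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by users read
```

The same fragment is applied to the other three servers with their own olcServerID, their own subtree in the writable ACL, and consumers pointing at the remaining providers. Each server must also accept the replicator bind and allow it to read its own subtree, since it is a provider for the others. To check that a server has caught up, compare the contextCSN values on each box with `ldapsearch -H ldap://ldapN.example.com -s base -b dc=example,dc=com contextCSN`: once replication is in sync every server reports the same set of CSNs, one per serverID.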