Hi,
As you may already have discovered from my many posts lately, we're busy with our LDAP environment, migrating from OpenLDAP 2.4 (bdb/RHEL7) to 2.5 on mdb/RHEL9.
We've always had a duo of masters, replicating to a (READ ONLY) duo of slaves.
All clients are configured to talk to the slaves, through a load balancer, and the masters pretty much only receive updates to the DIT from IdM.
Our problem is: how to handle failed authentications (ppolicy), considering that the slaves are read-only and the slaves are where the failed authentications take place.
Hence, my request for feedback: is master-slave still considered "the best way" of doing this? And then, is there a "standard way" to handle failed authentications on read-only slaves?
Or perhaps... is it nowadays better to choose a simpler multi-master (4 hosts) LDAP setup: four identical servers, where we choose to send clients to two specific servers (firewalled differently to handle client access) and two others to receive updates from IdM, but use multi-master replication so that all changes (either from IdM, or from failed authentications) are replicated equally between all four servers.
That new approach seems much simpler.
Any feedback? What is wise?
On Thu, Jun 22, 2023 at 11:07:25AM +0200, cYuSeDfZfb cYuSeDfZfb wrote:
> Hi,
> As you may already have discovered from my many posts lately, we're busy with our LDAP environment, migrating from OpenLDAP 2.4 (bdb/RHEL7) to 2.5 on mdb/RHEL9.
> We've always had a duo of masters, replicating to a (READ ONLY) duo of slaves.
> All clients are configured to talk to the slaves, through a load balancer, and the masters pretty much only receive updates to the DIT from IdM.
> Our problem is: how to handle failed authentications (ppolicy), considering that the slaves are read-only and the slaves are where the failed authentications take place.
> Hence, my request for feedback: is master-slave still considered "the best way" of doing this? And then, is there a "standard way" to handle failed authentications on read-only slaves?
> Or perhaps... is it nowadays better to choose a simpler multi-master (4 hosts) LDAP setup: four identical servers, where we choose to send clients to two specific servers (firewalled differently to handle client access) and two others to receive updates from IdM, but use multi-master replication so that all changes (either from IdM, or from failed authentications) are replicated equally between all four servers.
> That new approach seems much simpler.
> Any feedback? What is wise?
Do you need the R/O servers for performance/operational/administrative reasons? If it's a no for all of the above, just a R/W cluster is fine.
Otherwise you'll have to configure ppolicy+chaining on your replicas.
Regards,
openldap-technical@openldap.org
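For readers who want to see what "ppolicy+chaining on your replicas" looks like in practice, here is an added slapd.conf-style fragment for a read-only consumer. It is an illustration written for this thread, not configuration from either poster or from the OpenLDAP project; the host names, the suffix, the policy DN, the chaining identity, the credential placeholder and the syncrepl rid are all assumed values chosen for the example. The two pieces that do the work are the global chain overlay (so that a write arriving at the consumer is forwarded to the provider instead of being refused with a referral) and ppolicy_forward_updates on the consumer database (so that lockout and failure counters from Bind operations are sent to the provider rather than written into the consumer's own database).

```conf
# --- Added example: read-only consumer with ppolicy state forwarded to the provider ---
# Global section: the chain overlay must be declared before any database
# so it is stacked on the frontend and sees every operation.
overlay                 chain
# Assumed provider URI; the consumer forwards writes (including ppolicy
# state updates) here instead of returning a referral to the client.
chain-uri               "ldap://provider.example.com"
# Identity used to bind to the provider; mode=self makes the forwarded
# update run on the provider as the original (client) identity, so the
# provider must grant proxyAuthz rights to this binddn.
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=chain,dc=example,dc=com"
                        credentials="<CHAIN_PASSWORD_PLACEHOLDER>"
                        mode="self"
# Protect the forwarded credential and state with TLS.
chain-tls               start
# Return the provider's real error to the client instead of masking it.
chain-return-error      TRUE

# --- Consumer database (assumed suffix) ---
database                mdb
suffix                  "dc=example,dc=com"
directory               /var/lib/ldap
rootdn                  "cn=Manager,dc=example,dc=com"

# updateref is required by ppolicy_forward_updates: it names the provider
# that chained write operations should go to.
updateref               "ldap://provider.example.com"

# Standard syncrepl consumer definition (rid and replication DN are assumed).
syncrepl rid=101
         provider="ldap://provider.example.com"
         type=refreshAndPersist
         retry="60 +"
         searchbase="dc=example,dc=com"
         bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials="<REPL_PASSWORD_PLACEHOLDER>"
         starttls=critical

# Password policy on the consumer. Without ppolicy_forward_updates the
# overlay would try to write pwdFailureTime / pwdAccountLockedTime locally,
# which a read-only consumer cannot accept and the provider never sees.
overlay                 ppolicy
ppolicy_default         "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_forward_updates
```

Two checks are worth doing after applying this. First, on the provider, the chaining DN must be allowed to assert other identities (an authz-policy that permits "to" and a matching authzTo value on cn=chain, under the names assumed above); without it the forwarded Bind-state updates are rejected and the consumer silently falls back to the pre-chaining behaviour. Second, verify the loop end to end: a deliberate wrong-password Bind against the consumer should produce pwdFailureTime on the provider's copy of the entry, which then replicates back to every consumer, so a lockout reached via one load-balanced replica is honoured by the others.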