hi,
I have one main HDB Database for:
dc=example,dc=net -> /var/lib/ldap/
with one subtree:
ou=department,dc=example,dc=net
Now I want to let other departments use our N-Way LDAP server too. My idea was to put the new departments into different hdb databases:
ou=department-1,dc=example,dc=net -> /var/lib/ldap/department-1/
ou=department-2,dc=example,dc=net -> /var/lib/ldap/department-2/
ou=department-n,dc=example,dc=net -> /var/lib/ldap/department-n/
all with own admin access to their root DN.
How should I do that?
cu denny
Denny Fuchs wrote:
hi,
I have one main HDB Database for:
dc=example,dc=net -> /var/lib/ldap/
with one subtree:
ou=department,dc=example,dc=net
Now I want to let other departments use our N-Way LDAP server too. My idea was to put the new departments into different hdb databases:
ou=department-1,dc=example,dc=net -> /var/lib/ldap/department-1/
ou=department-2,dc=example,dc=net -> /var/lib/ldap/department-2/
ou=department-n,dc=example,dc=net -> /var/lib/ldap/department-n/
all with own admin access to their root DN.
How should I do that?
Why do you want to have separate databases? What does "use" mean in this context?
Ciao, Michael.
hi,
On 01.11.2013 at 12:02, Michael Ströder michael@stroeder.com wrote:
Why do you want to have separate databases? What does "use" mean in this context?
for easier file and database management. They may need different DB options or indexes than we need, so I want to split every department from our main DB. "Use" means: I have an up and running two-node LDAP server and I want that they can use them too. So, we don't need a different/other LDAP server for every department. But I don't want to use the same hdb files for them too. If they do something strange in their "ou" tree and it breaks the LDAP server/setup, I can move the directory away and start the server again, in an emergency case.
cu denny
Denny Fuchs wrote:
On 01.11.2013 at 12:02, Michael Ströder michael@stroeder.com wrote:
Why do you want to have separate databases? What does "use" mean in this context?
for easier file and database management. They may need different DB options or indexes than we need, so I want to split every department from our main DB.
I'd clarify requirements *before* doing the hassle dealing with separate databases. If you really have to deal with DB files on department level you're doing something wrong in your deployment.
"Use" means: I have an up and running two-node LDAP server and I want that they can use them too. So, we don't need a different/other LDAP server for every department. But I don't want to use the same hdb files for them too. If they do something strange in their "ou" tree and it breaks the LDAP server/setup, I can move the directory away and start the server again, in an emergency case.
I'd recommend to research how to implement appropriate access control to prevent that "something strange" in one sub-tree affects the stability of the whole server.
Of course you can glue several DBs with 'subordinate' directive. But it's unlikely that you really need it.
Ciao, Michael.
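The access-control approach recommended in this reply, sketched for a single database as an added example (not configuration posted by anyone in the thread). It assumes each department's admin entry is cn=admin,ou=department-N,dc=example,dc=net; the limits values are placeholders.

```conf
# Added example in slapd.conf syntax (see slapd.access(5)); not from the thread.
# Assumption: each department admin lives at cn=admin,ou=department-N,dc=example,dc=net
database    hdb
suffix      "dc=example,dc=net"
directory   /var/lib/ldap
rootdn      "cn=admin,dc=example,dc=net"

# Cap search size and time for every identity inside a department subtree
# (placeholder values), so one department's queries cannot starve the server.
limits dn.regex="^.+,ou=department-[0-9]+,dc=example,dc=net$" size=500 time=30

# ACLs are evaluated top-down and the first matching <what> clause wins.
# $2 is the second regex group: the department's own ou=department-N RDN.

# 1. Passwords inside a department: only that department's admin and the
#    entry owner may write; anonymous may only use the value to bind.
access to dn.regex="^(.+,)?(ou=department-[0-9]+),dc=example,dc=net$" attrs=userPassword
    by dn.exact,expand="cn=admin,$2,dc=example,dc=net" write
    by self write
    by anonymous auth
    by * none

# 2. Everything else inside a department: its admin writes, its own
#    members read, other departments see nothing.
access to dn.regex="^(.+,)?(ou=department-[0-9]+),dc=example,dc=net$"
    by dn.exact,expand="cn=admin,$2,dc=example,dc=net" write
    by dn.subtree,expand="$2,dc=example,dc=net" read
    by * none

# 3. Rest of the main tree: the existing ACLs of the main database follow
#    here. Department admins get no write access above their own ou, so
#    they cannot delete or rename the ou=department-N entry itself.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by users read
    by * none
```

Because rules 1 and 2 use a regex with `expand`, adding ou=department-n needs no new ACL lines, only the new ou entry and its cn=admin entry.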
On 01.11.2013 at 12:33, Michael Ströder michael@stroeder.com wrote:
Denny Fuchs wrote:
On 01.11.2013 at 12:02, Michael Ströder michael@stroeder.com wrote:
Why do you want to have separate databases? What does "use" mean in this context?
for easier file and database management. They may need different DB options or indexes than we need, so I want to split every department from our main DB.
I'd clarify requirements *before* doing the hassle dealing with separate databases. If you really have to deal with DB files on department level you're doing something wrong in your deployment.
Ok :-) What speaks against that? I also think it makes ACLs much easier (=readable, because not in the main hdb which has already a lot of ACLs)
cu denny
Denny Fuchs wrote:
On 01.11.2013 at 12:33, Michael Ströder michael@stroeder.com wrote:
Denny Fuchs wrote:
On 01.11.2013 at 12:02, Michael Ströder michael@stroeder.com wrote:
Why do you want to have separate databases? What does "use" mean in this context?
for easier file and database management. They may need different DB options or indexes than we need, so I want to split every department from our main DB.
I'd clarify requirements *before* doing the hassle dealing with separate databases. If you really have to deal with DB files on department level you're doing something wrong in your deployment.
Ok :-) What speaks against that?
It's more complex. You might run into issues with overlays not fully compatible with glueing subordinate DBs.
You have to plan MDB size of separate DBs when using back-mdb.
etc.
I also think it makes ACLs much easier (=readable, because not in the main hdb which has already a lot of ACLs)
There are no significant differences regarding readable ACLs when using separate DBs.
Ciao, Michael.
hi,
On 05.11.2013 at 21:21, Michael Ströder michael@stroeder.com wrote:
It's more complex. You might run into issues with overlays not fully compatible with glueing subordinate DBs.
You have to plan MDB size of separate DBs when using back-mdb.
those are very good points, so I just leave only one hdb :-) Thanks!
cu denny
openldap-technical@openldap.org