7:57 p.m.
Hi,
I've "inherited" from a former sysadmin (among many other things) an LDAP
server to administer :) ... it's installed on Debian 6.0; it's currently
working ok but the company has another remote site now and wants to have a
secondary LDAP server on the new location (in order to support the new
remote users).
Looking into the documentation I think the best configuration option is a
N-way multi-master replication setup; unfortunately, I don't have
experience with LDAP so I found difficult to implement this; I've found
some good tutorials on the web but they're written for other versions of
LDAP (for example, they use slapd.conf but on Debian, the configuration is
in several directories under /etc/ldap/slapd.d).
My big question is: ¿do you know of any resource (url link, book, whatever)
that I can use as a reference to make this configuration? (in particular,
I'd be more than happy if provides some examples in Debian). Of course, I'm
willing to do my own work (study, research, etc) but I need some guidance
regarding where to start (assume I have little LDAP knowledge).
Thanks in advance for any help, tip, etc you may have!
1:55 a.m.
Listas de Correo wrote:
I've "inherited" from a former sysadmin (among many
other things) an LDAP
server to administer :) ... it's installed on Debian 6.0; it's currently
working ok but the company has another remote site now and wants to have a
secondary LDAP server on the new location (in order to support the new
remote users).
Looking into the documentation I think the best configuration option is a
N-way multi-master replication setup; unfortunately, I don't have
experience with LDAP so I found difficult to implement this; I've found
some good tutorials on the web but they're written for other versions of
LDAP (for example, they use slapd.conf but on Debian, the configuration is
in several directories under /etc/ldap/slapd.d).
My big question is: ¿do you know of any resource (url link, book, whatever)
that I can use as a reference to make this configuration? (in particular,
I'd be more than happy if provides some examples in Debian). Of course, I'm
willing to do my own work (study, research, etc) but I need some guidance
regarding where to start (assume I have little LDAP knowledge).
Today it's so easy to set up two virtual machines with your favourite OS and
work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and compile
OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
7:27 a.m.
Today it's so easy to set up two virtual machines with your favourite OS
and
work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and
compile
OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
Well, that does not look so easy to me (that's why I'm asking for help :)
), specially considering that I already have a working LDAP working with
several hundreds users relying on them to do their work, so it's not
possible to me to start from scratch, I have to use what I already have
(and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what
is already there).
8:19 a.m.
(inline)
On Tue, Sep 17, 2013 at 11:27:53AM -0300, Listas de Correo wrote:
Today it's so easy to set up two virtual machines with your
favourite OS
and
work through the replication chapter in the admin guide.
[1]http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian packages and
compile
OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
Well, that does not look so easy to me (that's why I'm asking for help :)
), specially considering that I already have a working LDAP working with
several hundreds users relying on them to do their work, so it's not
possible to me to start from scratch, I have to use what I already have
(and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what
is already there).
Yes and no, you can dump your directory from the old version and load it into the new
version (slapcat/slapadd). I've found this a straightforward process.
If I wanted to upgrade a production system, I might:
-install a new multimaster setup with consumer replicas
-stop writing data to the current production masters
-(reading is fine)
-dump the current production databases to ldifs
-load the databases into one of the new multimasters
-(or all of the new servers if you have a lot of data)
-wait for replication to sync up your new servers
-swap the load balancer from using the old server pool for ldap to using the new server
pool
-(or change ip addresses on the servers if you're not using a load balancer)
-enable data writes to the new masters
�
References
Visible links
1. http://www.openldap.org/doc/admin24/replication.html
8:21 a.m.
--On Tuesday, September 17, 2013 11:27 AM -0300 Listas de Correo
<toshiro.listas(a)gmail.com> wrote:
Well, that does not look so easy to me (that's why I'm asking
for help :)
), specially considering that I already have a working LDAP working with
several hundreds users relying on them to do their work, so it's not
possible to me to start from scratch, I have to use what I already have
(and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what
is already there).
It is always interesting to me when someone emails the technical list,
asking for guidance from people who know the most about the software, and
then ignore it. The Debian build of OpenLDAP is old, links to a
potentially insecure SSL implementation, and has a variety of known bugs
present in it that are known to affect replication, particularly
multi-master. Understand that by continuing to use the Debian package, you
are essentially setting yourself up for failure when looking at using
Multi-Master Replication.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
8:28 a.m.
Hi,
On 17.09.2013 16:27, Listas de Correo wrote:
Well, that does not look so easy to me (that's why I'm asking
for help :)
), specially considering that I already have a working LDAP working with
several hundreds users relying on them to do their work, so it's not
possible to me to start from scratch, I have to use what I already have
(and not break anything in the process).
I had a similar situation here a few years ago. The only viable solution
for me was to setup a new vm, compile openldap from source myself,
export data from the old ldap as plain ldif and import it into the new
one. Then test around get to know what I want, configure it and then
slowly migrate everything from the old to the new server.
I guess you won't get around that process either. Otherwise you will
have to rely on outdated OpenLDAP versions with all the bugs that this
incurs.
I suggest starting with a new vm, compiled openLDAP and the old server
slapd.conf file and try to setup your future to be server from there.
hth
--
Technische Universität Berlin - FGINET
Bernd May
System Administration
Sekr. TEL 16
Ernst-Reuter-Platz 7
10587 BERLIN
GERMANY
Mobile: 0160/90257737
E-Mail: bernd(a)inet.tu-berlin.de
WWW: inet.tu-berlin.de
9:24 a.m.
Hi,
On Tue, 17 Sep 2013, Bernd May wrote:
Hi,
On 17.09.2013 16:27, Listas de Correo wrote:
> Well, that does not look so easy to me (that's why I'm asking for help :)
> ), specially considering that I already have a working LDAP working with
> several hundreds users relying on them to do their work, so it's not
> possible to me to start from scratch, I have to use what I already have
> (and not break anything in the process).
I had a similar situation here a few years ago. The only viable solution
for me was to setup a new vm, compile openldap from source myself,
export data from the old ldap as plain ldif and import it into the new
one. Then test around get to know what I want, configure it and then
slowly migrate everything from the old to the new server.
I guess you won't get around that process either. Otherwise you will
have to rely on outdated OpenLDAP versions with all the bugs that this
incurs.
I suggest starting with a new vm, compiled openLDAP and the old server
slapd.conf file and try to setup your future to be server from there.
exactly. In the age of virtualization and cheap vms it is very hard to
understand this kind of resistance.
There is a point at which you just cannot support an ancient installation
anymore. This applies not only to openldap but also to any old linux
distro or to whatever it system.
The later you update the more pain you experience.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
8:34 a.m.
On Tue, 2013-09-17 at 11:27 -0300, Listas de Correo wrote:
Today it's so easy to set up two virtual machines with your
favourite OS and
work through the replication chapter in the admin guide.
http://www.openldap.org/doc/admin24/replication.html
You mentioned Debian. I'd recommend not to use the Debian
packages and compile
OpenLDAP 2.4.36+ yourself instead.
Ciao, Michael.
Well, that does not look so easy to me (that's why I'm asking for
help :) ), specially considering that I already have a working LDAP
working with several hundreds users relying on them to do their work,
so it's not possible to me to start from scratch, I have to use what I
already have (and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use
what is already there).
thinking you are going to implement change in a production environment
without breaking anything is crazy, given that you have little to no
working knowledge on the subject. you have to find a non-prod
environment to work out the details in.
some resources i found (in addition to the admin guide already
suggested):
http://www.math.ucla.edu/~jimc/documents/ldap/ldap-setup-1202.html
the above helped me with some of the replication details. the article
is dated (old), but you want to understand the concepts at this point,
not the details yet.
http://www.bayour.com/LDAPv3-HOWTO.html
the above helped with some of the integration of other services, such as
kerberos and sasl. some other details covered might help you.
most important things are to read and test.
9:38 a.m.
--On Tuesday, September 17, 2013 11:34 AM -0400 Brendan Kearney
<bpk678(a)gmail.com> wrote:
That document was wrong in 2005, and is even more wrong now. It is a
travesty it has remained up despite numerous requests of the author to take
it down because it is so fundamentally flawed.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
12:17 p.m.
Listas de Correo wrote:
> Today it's so easy to set up two virtual machines with your
favourite OS
> and
> work through the replication chapter in the admin guide.
>
> http://www.openldap.org/doc/admin24/replication.html
>
> You mentioned Debian. I'd recommend not to use the Debian packages and
> compile
> OpenLDAP 2.4.36+ yourself instead.
>
Well, that does not look so easy to me (that's why I'm asking for help :)
Nobody said it's "easy". But playing around in a test environment based on
virtual machines is pretty cheap nowadays.
), specially considering that I already have a working LDAP working
with
several hundreds users relying on them to do their work, so it's not
possible to me to start from scratch, I have to use what I already have
(and not break anything in the process).
For the reason above, I can't compile OpenLDAP myself (I have to use what
is already there).
There are exactly two possibilities:
1. Take responsibility and learn how to get the job done.
2. Convince your boss to hire somebody else to get the job done for you.
Your choice...
Ciao, Michael.
3730
days inactive
3730
days old
openldap-technical@openldap.org
9 comments
7 participants
participants (7)
-
Bernd May -
Brendan Kearney -
Christian Kratzer -
Christopher Wood -
Listas de Correo -
Michael Ströder -
Quanah Gibson-Mount