Hi All,
We are planning to configure High Availability for OpenLDAP 2.1 on Linux CentOS.
We are looking at the following options; we want to check our understanding of them and are looking for your valuable suggestions.
1. Using Replica Service
a. This is not enough because if the master machine goes down then LDAP updates will not be possible.
2. Migrating to OpenLDAP 2.4
a. Master-Master solution looks promising but in our current project timeline it is not possible to migrate.
3. Sharing LDAP file system on NFS
a. After going through the thread http://www.openldap.org/lists/openldap-software/200209/msg00256.html it is understood that OpenLDAP does not support GFS or NFS.
b. But the thread discussion happened long ago, around 2000 to 2002. Is that conclusion applicable to OpenLDAP 2.1?
4. Hosting LDAP Service on CentOS Cluster Suite
a. Is it possible to configure an "Active-Passive" setup using CentOS Cluster Suite?
5. H/W based clustering
a. We don't know what the possible solutions are in this approach or the cost incurred. Please share your ideas.
6. NetApp2020
a. We have a NetApp 2020 Appliance http://www.b2net.co.uk/netapp/network_appliance_netapp_fas2020.htm with us. Does this help us in any way?
7. Other alternatives
a. We need your valuable ideas and suggestions.
Please help me in this regard.
Regards, Prasad.
________________________________ The information contained in this communication is confidential, intended solely for the use of the individual or entity to whom it is addressed and may be legally privileged and protected by professional secrecy. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. This email does not constitute any commitment from Cordys Holding BV or any of its subsidiaries except when expressly agreed in a written agreement between the intended recipient and Cordys Holding BV or its subsidiaries. Cordys is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. Cordys does not guarantee that the integrity of this communication has been maintained nor that the communication is free of viruses, interceptions or interference. If you are not the intended recipient of this communication please return the communication to the sender and delete and destroy all copies.
On Thursday 07 May 2009 05:32:25 Kukkala Prasad wrote:
> Hi All,
> We are planning to configure High Availability for OpenLDAP 2.1 on Linux CentOS.

Why 2.1? AFAIK, no version of CentOS shipped 2.1 anyway (RHEL3 had 2.0.27, RHEL4 had 2.2.13, RHEL5 shipped with 2.3.27, but 5.3 now has a relatively decent 2.3.43).

> We are looking at the following options; we want to check our understanding of them and are looking for your valuable suggestions.
> 1. Using Replica Service
> a. This is not enough because if the master machine goes down then LDAP updates will not be possible.

You haven't stated all your requirements, but if you require HA for writes, then this is not a sufficient option.

> 2. Migrating to OpenLDAP 2.4
> a. Master-Master solution looks promising but in our current project timeline it is not possible to migrate.

Why not? OpenLDAP 2.1 is very old, and not supported any more, same for 2.2, and 2.3 is effectively end of life.
There are packages of 2.4 available for some versions of RHEL or CentOS.

> 3. Sharing LDAP file system on NFS
> a. After going through the thread http://www.openldap.org/lists/openldap-software/200209/msg00256.html it is understood that OpenLDAP does not support GFS or NFS.

It could work on GFS, but not concurrently, and GFS requires the same (or better) infrastructure than a simple HA cluster.
However, I hope this is not the best option you found in researching this.
NFS can't work.

> b. But the thread discussion happened long ago, around 2000 to 2002. Is that conclusion applicable to OpenLDAP 2.1?
> 4. Hosting LDAP Service on CentOS Cluster Suite
> a. Is it possible to configure an "Active-Passive" setup using CentOS Cluster Suite?

Of course. I have been running OpenLDAP masters on Red Hat Cluster Suite since 2004 on Red Hat Advanced Server 2.1 (with OpenLDAP 2.1.25). I currently have an active-passive master cluster running RHEL3 with cluster suite, with OpenLDAP 2.3.42 (will be upgraded to 2.3.43 tonight). It has seen a few minutes of downtime in the past 3 years (about one minute for each OpenLDAP upgrade as the service must be migrated twice).
You need some kind of shared storage solution for this (preferably FC SAN, but iSCSI is an option, and DRBD could do the trick).

> 5. H/W based clustering
> a. We don't know what the possible solutions are in this approach or the cost incurred. Please share your ideas.
> 6. NetApp2020
> a. We have a NetApp 2020 Appliance http://www.b2net.co.uk/netapp/network_appliance_netapp_fas2020.htm with us. Does this help us in any way?
> 7. Other alternatives
> a. We need your valuable ideas and suggestions.

I would probably go for an HA cluster with cluster suite using iSCSI for shared storage, running 2.3.43 or 2.4.16.
Multi-master might also be an option, but then you *must* use 2.4.16 (with patches from CVS if you use hdb).
Regards, Buchan
Hi Buchan,
Thank you very much for such a detailed response.
We need HA for LDAP writes also.
We are using bdb.
Is it safe to upgrade to OpenLDAP 2.4 without testing compatibility/stability of it with our product?
Can I use the package available at ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/openldap-stable/openldap-stable-20090411.tgz? Or do I need to get specific package for CentOS?
Regards, Prasad.
Kukkala Prasad wrote:
> Is it safe to upgrade to OpenLDAP 2.4 without testing compatibility/stability of it with our product?

In general it is never safe to upgrade without testing. Upgrading from 2.1 to 2.4, I wouldn't expect too many interop problems with your LDAP client app though, provided you know what you're doing.
But when using multi-master replication you should be aware of some issues with data consistency when doing load-balancing/automatic fail-over between the replicas during several write requests.
Worth reading: http://tools.ietf.org/html/draft-zeilenga-ldup-harmful-02
Whether there is any issue with multi-master replication highly depends on the nature of your data and the behaviour of your application.
Ciao, Michael.
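The consistency issue described in the message above, as an added example that is not part of the original thread: a deliberately simplified model of two writable replicas behind a load balancer, where a conflict is resolved by keeping the whole entry with the newest timestamp. The `Replica` class, the last-writer-wins rule and the sample DNs are assumptions for illustration, not OpenLDAP's replication code.

```python
from dataclasses import dataclass, field

GROUP_DN = "cn=admins,dc=example,dc=com"  # constructed sample entry


@dataclass
class Replica:
    name: str
    entries: dict = field(default_factory=dict)  # dn -> (stamp, attrs)
    outbox: list = field(default_factory=list)   # changes not yet replicated

    def read(self, dn):
        return dict(self.entries[dn][1])

    def write(self, dn, attrs, stamp):
        self.entries[dn] = (stamp, dict(attrs))
        self.outbox.append((dn, stamp, dict(attrs)))

    def apply_remote(self, dn, stamp, attrs):
        # Assumed conflict rule: the whole entry with the newer stamp wins.
        local = self.entries.get(dn)
        if local is None or stamp > local[0]:
            self.entries[dn] = (stamp, dict(attrs))


def replicate(a, b):
    """Exchange pending changes in both directions, then clear the queues."""
    for src, dst in ((a, b), (b, a)):
        for change in src.outbox:
            dst.apply_remote(*change)
        src.outbox.clear()


def run(pin_to_one_master):
    """Two read-modify-write requests from one client; replication runs
    only after both have been accepted."""
    a, b = Replica("A"), Replica("B")
    for replica in (a, b):
        replica.entries[GROUP_DN] = (0, {"member": ["uid=root"]})

    # The load balancer sends the second request to B unless the client
    # is pinned to a single master.
    targets = (a, a if pin_to_one_master else b)
    for stamp, (target, new_member) in enumerate(
            zip(targets, ("uid=alice", "uid=bob")), start=1):
        attrs = target.read(GROUP_DN)            # may be stale on B
        attrs["member"] = attrs["member"] + [new_member]
        target.write(GROUP_DN, attrs, stamp)

    replicate(a, b)
    assert a.entries[GROUP_DN] == b.entries[GROUP_DN]  # replicas converge
    return a.read(GROUP_DN)["member"]


if __name__ == "__main__":
    print("balanced across masters:", run(pin_to_one_master=False))
    print("pinned to one master:   ", run(pin_to_one_master=True))
```

Both replicas converge in either case; the difference is that in the balanced run they converge on an entry from which the first write has silently disappeared.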
On Thursday 07 May 2009 13:58:09 Kukkala Prasad wrote:
> Hi Buchan,
> Thank you very much for such a detailed response.
> We need HA for LDAP writes also.
> We are using bdb.
> Is it safe to upgrade to OpenLDAP 2.4 without testing compatibility/stability of it with our product?

You should always do *some* testing.

> Can I use the package available at ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/openldap-stable/openldap-stable-20090411.tgz?

You can, but you will need to build at least one other item for a stable system ...

> Or do I need to get specific package for CentOS?

What version of CentOS?

E.g., I have 2.4.11 for RHEL 5 here, and I am trying to finish 2.4.16 for RHEL5 now (packages should be available within a day or two):
http://staff.telkomsa.net/packages/rhel5/openldap/
Regards, Buchan
Hi All,
I have downloaded "openldap-2.4.11-1.4.el4.i386.rpm" and am trying to install it on a CentOS 4.7 Linux machine. But it seems OpenLDAP 2.2.13 already comes with CentOS. Then I tried to upgrade but it failed with the error "Failed dependencies".
What am I supposed to do now?
You can check the list of commands I have used and corresponding results below.
-------------------------------------------
# rpm -ql openldap
/etc/openldap
/etc/openldap/cacerts
/etc/openldap/ldap.conf
/usr/lib/liblber-2.2.so.7
/usr/lib/liblber-2.2.so.7.0.6
/usr/lib/libldap-2.2.so.7
/usr/lib/libldap-2.2.so.7.0.6
/usr/lib/libldap_r-2.2.so.7
/usr/lib/libldap_r-2.2.so.7.0.6
/usr/share/doc/openldap-2.2.13
/usr/share/doc/openldap-2.2.13/ANNOUNCEMENT
/usr/share/doc/openldap-2.2.13/CHANGES
/usr/share/doc/openldap-2.2.13/COPYRIGHT
/usr/share/doc/openldap-2.2.13/LICENSE
/usr/share/doc/openldap-2.2.13/README
/usr/share/man/man5/ldap.conf.5.gz
/usr/share/man/man5/ldif.5.gz
/usr/share/openldap
---------------------------------------------
# rpm -Uvh openldap-2.4.11-1.4.el4.i386.rpm
error: Failed dependencies:
        liblber-2.2.so.7 is needed by (installed) cyrus-sasl-2.1.19-14.i386
        liblber-2.2.so.7 is needed by (installed) libuser-0.52.5-1.el4.3.i386
        liblber-2.2.so.7 is needed by (installed) autofs-4.1.3-234.i386
        liblber-2.2.so.7 is needed by (installed) nss_ldap-253-5.el4.i386
        liblber-2.2.so.7 is needed by (installed) sendmail-8.13.1-3.3.el4.i386
        liblber-2.2.so.7 is needed by (installed) apr-util-0.9.4-22.el4.i386
        liblber-2.2.so.7 is needed by (installed) httpd-2.0.52-41.ent.centos4.i386
        liblber-2.2.so.7 is needed by (installed) mod_perl-1.99_16-4.5.i386
        liblber-2.2.so.7 is needed by (installed) php-ldap-4.3.9-3.22.9.i386
        liblber-2.2.so.7 is needed by (installed) squid-2.5.STABLE14-4.el4.i386
        liblber-2.2.so.7 is needed by (installed) samba-common-3.0.28-0.el4.9.i386
        liblber-2.2.so.7 is needed by (installed) samba-3.0.28-0.el4.9.i386
        liblber-2.2.so.7 is needed by (installed) samba-client-3.0.28-0.el4.9.i386
        liblber-2.2.so.7 is needed by (installed) evolution-data-server-1.0.2-14.el4.i386
        liblber-2.2.so.7 is needed by (installed) pwlib-1.6.5-11.i386
        liblber-2.2.so.7 is needed by (installed) openh323-1.13.4-7.i386
        liblber-2.2.so.7 is needed by (installed) gnomemeeting-1.0.2-9.i386
        liblber-2.2.so.7 is needed by (installed) evolution-2.0.2-41.el4.i386
        liblber-2.2.so.7 is needed by (installed) python-ldap-2.0.1-2.i386
        liblber-2.2.so.7 is needed by (installed) openldap-clients-2.2.13-12.el4.i386
        libldap-2.2.so.7 is needed by (installed) cyrus-sasl-2.1.19-14.i386
        libldap-2.2.so.7 is needed by (installed) libuser-0.52.5-1.el4.3.i386
        libldap-2.2.so.7 is needed by (installed) autofs-4.1.3-234.i386
        libldap-2.2.so.7 is needed by (installed) gnupg-1.2.6-9.i386
        libldap-2.2.so.7 is needed by (installed) nfs-utils-lib-1.0.6-8.z1.i386
        libldap-2.2.so.7 is needed by (installed) nss_ldap-253-5.el4.i386
        libldap-2.2.so.7 is needed by (installed) sendmail-8.13.1-3.3.el4.i386
        libldap-2.2.so.7 is needed by (installed) nfs-utils-1.0.6-87.EL4.i386
        libldap-2.2.so.7 is needed by (installed) apr-util-0.9.4-22.el4.i386
        libldap-2.2.so.7 is needed by (installed) httpd-2.0.52-41.ent.centos4.i386
        libldap-2.2.so.7 is needed by (installed) mod_perl-1.99_16-4.5.i386
        libldap-2.2.so.7 is needed by (installed) php-ldap-4.3.9-3.22.9.i386
        libldap-2.2.so.7 is needed by (installed) squid-2.5.STABLE14-4.el4.i386
        libldap-2.2.so.7 is needed by (installed) samba-common-3.0.28-0.el4.9.i386
        libldap-2.2.so.7 is needed by (installed) samba-3.0.28-0.el4.9.i386
        libldap-2.2.so.7 is needed by (installed) samba-client-3.0.28-0.el4.9.i386
        libldap-2.2.so.7 is needed by (installed) evolution-data-server-1.0.2-14.el4.i386
        libldap-2.2.so.7 is needed by (installed) pwlib-1.6.5-11.i386
        libldap-2.2.so.7 is needed by (installed) openh323-1.13.4-7.i386
        libldap-2.2.so.7 is needed by (installed) gnomemeeting-1.0.2-9.i386
        libldap-2.2.so.7 is needed by (installed) evolution-2.0.2-41.el4.i386
        libldap-2.2.so.7 is needed by (installed) openldap-clients-2.2.13-12.el4.i386
        libldap_r-2.2.so.7 is needed by (installed) pwlib-1.6.5-11.i386
        libldap_r-2.2.so.7 is needed by (installed) openh323-1.13.4-7.i386
        libldap_r-2.2.so.7 is needed by (installed) python-ldap-2.0.1-2.i386
        openldap = 2.2.13-12.el4 is needed by (installed) openldap-devel-2.2.13-12.el4.i386
        openldap = 2.2.13-12.el4 is needed by (installed) openldap-clients-2.2.13-12.el4.i386
------------------------------------------------------------------------------------------------------
Regards, Prasad.
Kukkala Prasad <kprasad@cordys.com> writes:
> Hi All,
> I have downloaded "openldap-2.4.11-1.4.el4.i386.rpm" and am trying to install it on a CentOS 4.7 Linux machine. But it seems OpenLDAP 2.2.13 already comes with CentOS. Then I tried to upgrade but it failed with the error "Failed dependencies".
> What am I supposed to do now?

Build your own binary or ask the CentOS maintainer.
-Dieter
Kukkala Prasad wrote:
KP> I have downloaded "openldap-2.4.11-1.4.el4.i386.rpm" and am trying to install
KP> it on a CentOS 4.7 Linux machine. But it seems OpenLDAP 2.2.13
KP> already comes with CentOS. Then I tried to upgrade but it failed with the error
KP> "Failed dependencies".
KP> What am I supposed to do now?
Try our set of 2.4.11 packages for RHEL4/CentOS4:
http://pastebin.siriusit.co.uk/slapd2411rhel4/
(URL not guaranteed to work indefinitely)
The dependencies of stock CentOS stuff on liblber2.2 should be satisfied by the "compat-..." package.
Cheers
Duncan
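Added example, not from any poster in the thread: a small parser for the "Failed dependencies" output posted above. It separates shared-library requirements, the kind the message above says the "compat-..." package should satisfy, from exact-version requirements on the `openldap` package itself. The sample input is an excerpt of the posted output; treating every requirement that is not a `lib*.so.N` name as a package-version pin is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Excerpt of the `rpm -Uvh` output posted in the thread (not the full list).
RPM_OUTPUT = """\
error: Failed dependencies:
    liblber-2.2.so.7 is needed by (installed) cyrus-sasl-2.1.19-14.i386
    liblber-2.2.so.7 is needed by (installed) nss_ldap-253-5.el4.i386
    libldap-2.2.so.7 is needed by (installed) gnupg-1.2.6-9.i386
    libldap-2.2.so.7 is needed by (installed) nss_ldap-253-5.el4.i386
    libldap_r-2.2.so.7 is needed by (installed) python-ldap-2.0.1-2.i386
    openldap = 2.2.13-12.el4 is needed by (installed) openldap-devel-2.2.13-12.el4.i386
    openldap = 2.2.13-12.el4 is needed by (installed) openldap-clients-2.2.13-12.el4.i386
"""

DEP_LINE = re.compile(
    r"^\s*(?P<req>.+?) is needed by \(installed\) (?P<pkg>\S+)\s*$")
# Assumption: a requirement shaped like libNAME.so.N is a shared-library
# soname; anything else (e.g. "openldap = 2.2.13-12.el4") is a version pin.
SONAME = re.compile(r"^lib[\w+.-]+\.so(\.\d+)*$")


def classify(output):
    """Return (sonames, pins): requirement -> set of installed packages."""
    sonames, pins = defaultdict(set), defaultdict(set)
    for line in output.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue  # header line or anything that is not a dependency
        bucket = sonames if SONAME.match(m["req"]) else pins
        bucket[m["req"]].add(m["pkg"])
    return dict(sonames), dict(pins)


def summary(output):
    """Summarise what has to be dealt with before the upgrade can proceed."""
    sonames, pins = classify(output)
    return {
        # Old library names some package must keep providing.
        "libraries_still_required": sorted(sonames),
        # Installed packages that require the exact old openldap version;
        # a library-only package does not cover these, so they have to be
        # replaced or removed together with openldap.
        "packages_pinned_to_old_version": sorted(
            pkg for pkgs in pins.values() for pkg in pkgs),
    }


if __name__ == "__main__":
    for key, values in summary(RPM_OUTPUT).items():
        print(key)
        for value in values:
            print("   ", value)
```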
Duncan Gibb wrote:
> Kukkala Prasad wrote:
> KP> I have downloaded "openldap-2.4.11-1.4.el4.i386.rpm" and am trying to install
> KP> it on a CentOS 4.7 Linux machine. But it seems OpenLDAP 2.2.13
> KP> already comes with CentOS. Then I tried to upgrade but it failed with the error
> KP> "Failed dependencies".
> KP> What am I supposed to do now?
> Try our set of 2.4.11 packages for RHEL4/CentOS4:

One should use 2.4.16 if multi-master replication is needed.
Ciao, Michael.
Michael Ströder wrote:
DG> Try our set of 2.4.11 packages for RHEL4/CentOS4:
MS> One should use 2.4.16 if multi-master replication is needed.
We have 2.4.16 for Debian/amd64, but not RHEL/i386. One generally builds packages for which one's customers have immediate need ;-)
Duncan
Duncan Gibb wrote:
> Michael Ströder wrote:
> DG> Try our set of 2.4.11 packages for RHEL4/CentOS4:
> MS> One should use 2.4.16 if multi-master replication is needed.
> We have 2.4.16 for Debian/amd64, but not RHEL/i386. One generally builds packages for which one's customers have immediate need ;-)

To stress the term "customers' immediate need" in this particular case:
The original subject was "OpenLDAP 2.1 High Availability". IIRC the original poster wanted to use multi-master replication (MMR). So given the various MMR-related fixes *after* 2.4.11 it's wrong to point him to a 2.4.11 build because he might raise issues here which are already solved.
Ciao, Michael.
Michael Ströder wrote:
MS> IIRC the original poster wanted to use multi-master
MS> replication (MMR). So given the various MMR-related
MS> fixes *after* 2.4.11 it's wrong to point him to a
MS> 2.4.11 build because he might raise issues here which
MS> are already solved.
OK. I didn't read the whole thread. I saw someone wanting to install 2.4.11 on RHEL/CentOS, which we have reasonably well-tested packages for.
I entirely agree that new deployments should use not earlier than the latest stable release, and MMR especially so.
We don't currently have 2.4.16 for RHEL, but someone will.
Cheers
Duncan
Duncan Gibb wrote:
> Michael Ströder wrote:
> MS> IIRC the original poster wanted to use multi-master
> MS> replication (MMR). So given the various MMR-related
> MS> fixes *after* 2.4.11 it's wrong to point him to a
> MS> 2.4.11 build because he might raise issues here which
> MS> are already solved.
> OK. I didn't read the whole thread. I saw someone wanting to install 2.4.11 on RHEL/CentOS, which we have reasonably well-tested packages for.
> I entirely agree that new deployments should use not earlier than the latest stable release, and MMR especially so.
> We don't currently have 2.4.16 for RHEL, but someone will.

Indeed.

http://www.symas.com/updates/
http://www.symas.com/updates/?p=32
Kukkala Prasad wrote:
> We are planning to configure High Availability for OpenLDAP 2.1 on Linux CentOS.

2.1 is a really ancient release.

> 1. Using Replica Service
> a. This is not enough because if the master machine goes down then LDAP updates will not be possible.

You could set up a failover mechanism.

> 2. Migrating to OpenLDAP 2.4
> a. Master-Master solution looks promising but in our current project timeline it is not possible to migrate.

I really wonder why you think that the migration is so much effort. Just go for it.
Ciao, Michael.
openldap-technical@openldap.org