Hello OpenLDAP users,
I’m looking for some advice concerning an OpenLDAP solution I’m about to
deploy between 4 locations in the company I work for.
Currently I’ve implemented an LDAP DIT in my country and we’ve had
exquisite results. I’ve integrated RADIUS for wireless authentication,
MIT Kerberos, Samba PDC, dovecot, and the list could continue, but that’s
not the scope of this message.
We have some global services located in one of the countries that all
other 3 countries use (trac, svn, web2project, alfresco).
We want each country to have its own LDAP DIT (we don’t want to
have a global LDAP with slaves in each country, because some of us want
locally significant objects (for authorization purposes) and having a
slave LDAP means read-only). That’s why I thought of using
N-way multi-master on each of the four LDAP servers.
The idea I had was that each country will have only a portion of the
DIT sent to the others (we narrow the searchbase in syncrepl):
Country 1 sends ou=COUNTRY-1,dc=example,dc=com
Country 2 sends ou=COUNTRY-2,dc=example,dc=com
Country 3 sends ou=COUNTRY-3,dc=example,dc=com
Country 4 sends ou=COUNTRY-4,dc=example,dc=com
In each ou=COUNTRY-{1..4} they will have ou=People and ou=Groups.
Basically that’s the only thing I want to be consistent across all LDAP
DITs.
I’ve tested the solution using some virtual machines and, besides
StartTLS and some things each administrator will have to be cautious
about, things went smoothly.
I've also read something about slapo-translucent and will now test to see
how it works.
Can I get some suggestions, or maybe a whole new architecture for my needs,
in case I didn’t foresee problems?
Thx!
--
Andrei BĂNARU
Internal Support
CCNA Security, CCIP
StreamWIDE Romania
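The following slapd.conf fragment is an added illustration of the layout Andrei describes (one writable ou=COUNTRY-N subtree per server, three narrowed syncrepl consumers, N-way multi-master); it is not taken from his message or from any StreamWIDE configuration. The hostnames ldap1..ldap4.example.com, the backend choice, the cn=replicator DN and its password, the CA file path and the cn=ldap-admins group are assumptions. It shows the Country 1 server; the other three differ only in serverID, the locally writable subtree and which three peers they consume.

```conf
# Country 1 server (assumed hostname ldap1.example.com). Added example,
# not the original poster's configuration; all names below are assumptions.
serverID        1

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Provider side: syncprov serves the whole database to the replicator.
# The consumers on the other servers decide which subtree they pull.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Consumer side: one syncrepl statement per remote country, each narrowed
# to that country's subtree. rid must be unique within this server.
# starttls=critical + tls_reqcert=demand: fail rather than replicate in
# clear or against an unverified peer certificate.
syncrepl rid=002
        provider=ldap://ldap2.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=COUNTRY-2,dc=example,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
        starttls=critical
        tls_reqcert=demand
        tls_cacert=/etc/openldap/cacert.pem
syncrepl rid=003
        provider=ldap://ldap3.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=COUNTRY-3,dc=example,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
        starttls=critical
        tls_reqcert=demand
        tls_cacert=/etc/openldap/cacert.pem
syncrepl rid=004
        provider=ldap://ldap4.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=COUNTRY-4,dc=example,dc=com"
        scope=sub
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
        starttls=critical
        tls_reqcert=demand
        tls_cacert=/etc/openldap/cacert.pem

# Needed so entries arriving from peers are accepted as writes instead of
# being answered with a referral to "the" master.
mirrormode      on

# The replicator must read everything it serves to the other countries.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * break

# Password hashes: local users may change their own; everyone else only
# gets "auth" (bind), never read. Remote users get no "self write" here
# on purpose: a change made on this server to ou=COUNTRY-2 would never be
# pulled by Country 2's consumer, so it must be done on their home server.
access to dn.subtree="ou=COUNTRY-1,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com" attrs=userPassword
        by anonymous auth
        by * none

# Only the local subtree is writable by local admins.
access to dn.subtree="ou=COUNTRY-1,dc=example,dc=com"
        by group.exact="cn=ldap-admins,ou=Groups,ou=COUNTRY-1,dc=example,dc=com" write
        by users read
        by * none

# ou=COUNTRY-2..4 are applied by the syncrepl consumer internally, which
# bypasses ACLs; keeping them read-only for everyone else prevents local
# edits that would silently diverge from the owning country.
access to dn.subtree="dc=example,dc=com"
        by users read
        by * none
```

The point of the ACL block is the one the narrowed searchbases make necessary: with mirrormode on, every subtree on every server is technically writable, but each Country N consumer only ever asks its peers for ou=COUNTRY-N. A write to ou=COUNTRY-2 made on ldap1 therefore stays on ldap1 and the two copies drift apart with no error from slapd. Restricting writes to the locally owned subtree keeps data flowing only in the direction the replication agreements actually carry it.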