[Lilug] Multi-Site Suggestions
Chris Knadle
Chris.Knadle at coredump.us
Mon Feb 9 14:13:57 PST 2009
On Monday 09 February 2009, Justin Dearing wrote:
> If the offices will be always connected via a point to point VPNs
> then there should be no need for multi master.
I think you're missing the point -- it has nothing to do with VPN or
not; it's "remote vs local" administration. Without multi-master,
local administrators at a remote subsidiary have to log in remotely
to the master LDAP server to make or change LDAP data for their
organization, whereas with multi-master they can log in to their own
local LDAP server and then have the changes propagate. The other
issue that makes multi-master nice is the ability to easily replace
any one of the boxes by adding a new LDAP server and then removing
the one that needs replacing, whereas having only one Master that
replicates to the subs is a lot riskier to try to replace, because
it's required to run _everything_.
Some directory servers also allow making user logins that only allow
access to a subset of the directory tree. This is convenient when
giving administration rights to subsidiaries, because it allows them
to make changes for their organization but not everything globally,
i.e. "admin-sub" vs "root". I last did this with Novell NDS (i.e.
eDirectory), which also supports multi-master replication.
> Are the offices going to be disconnected from each other on a
> regular basis?
Still a good idea to have distributed LDAP servers, regardless,
because it's nice to have a local cache rather than having to do
every single LDAP lookup over the VPN -- and it's also a real wakeup
call of "bad design" when the VPN or ISP connection doesn't work and
thus nobody can log in to do anything locally.
-- Chris
--
Chris Knadle
Chris.Knadle at coredump.us
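Added example, not from the thread above and not Novell NDS configuration: an OpenLDAP (2.4 or later) cn=config LDIF that puts the two ideas in the message into concrete form, namely two-node multi-master replication (mirror mode) so a subsidiary writes to its local server and the change propagates, and an access-control list that gives a subsidiary admin group write rights under its own OU only, rather than directory-wide "root". The hostnames, suffix, replicator DN, group DN, replication ids and the `REPLACE_WITH_REPLICATOR_SECRET` value are assumed placeholders; the `cn=module{0},cn=config` entry and an `olcDatabase={1}mdb` database are assumed to already exist.

```ldif
# Added example (not from the original thread). Hostnames, DNs, rids and
# the replicator secret are assumed placeholders.

# 1. Give each server a distinct ID. Because the IDs carry URLs, a node
#    recognises its own entry, so the same LDIF can be applied on both.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap-hq.example.com
olcServerID: 2 ldap://ldap-branch.example.com

# 2. Load the syncprov overlay so each node can also act as a provider.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

# 3. Pull changes from every peer (a node skips the entry naming itself)
#    and enable mirror mode so writes are accepted on both servers.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap-hq.example.com
  binddn="cn=replicator,dc=example,dc=com" bindmethod=simple
  credentials=REPLACE_WITH_REPLICATOR_SECRET
  searchbase="dc=example,dc=com" type=refreshAndPersist
  retry="30 10 300 +" timeout=1
olcSyncrepl: rid=002 provider=ldap://ldap-branch.example.com
  binddn="cn=replicator,dc=example,dc=com" bindmethod=simple
  credentials=REPLACE_WITH_REPLICATOR_SECRET
  searchbase="dc=example,dc=com" type=refreshAndPersist
  retry="30 10 300 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
# 4. Delegated administration: cn=branch-admins may write anything under
#    ou=Branch (including resetting passwords there). Requests that the
#    branch rules do not decide fall through ("break") to the global
#    rules, so the group never gains write access outside its subtree.
#    The replicator identity needs read access everywhere, including
#    userPassword, or replication silently misses those attributes.
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=Branch,dc=example,dc=com" attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by group.exact="cn=branch-admins,ou=Branch,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.subtree="ou=Branch,dc=example,dc=com"
  by group.exact="cn=branch-admins,ou=Branch,dc=example,dc=com" write
  by * break
olcAccess: {2}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * none
olcAccess: {3}to *
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by self write
  by users read
  by * none
```

Two points worth checking after applying this. Mirror mode resolves a concurrent change to the same entry by timestamp, so both nodes need synchronised clocks; and convergence can be confirmed by reading the suffix entry's `contextCSN` on each server (`ldapsearch -x -H ldap://ldap-hq.example.com -b "dc=example,dc=com" -s base contextCSN`, and the same against the branch host) and checking the values match. The ACL ordering is the security-relevant part: the branch rules are listed first and end in `break`, so a branch admin binding to either server gets exactly the same limited scope, which is what makes letting them administer locally safe.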