[Lilug] Multi-Site Suggestions
Michael Lee
mlee456 at gmail.com
Mon Feb 9 15:25:41 PST 2009
All the VPNs stay up (ahem) 24x7. But I figure I'm going to have to have a
server at each locale and perform some form of replication of LDAP stores
and other information stores.
I was playing with LDAP a while ago and I have a quick question. Will users
that authenticate against the LDAP tree be able to change their own
information? Last time I looked at it the tree was only modifiable by the
administrator. From what you said, Chris, it leads me to think that
Multi-Master allows for "site" administrators to manage users.
So again we get to the issue of end-users being able to modify their own
information. Seems like it should be possible, and if so, where are rights
established in the config?
Also, I'll only mention this because it seems like it is part of the
subject. I was looking at SLES, which is SUSE Linux Enterprise Server. The
Novell rep was talking to me about the Novell Directory and Xen ( or is it
Zen ... I know one is for system management and the other is for Virtual
Machines ). They also charge by seat, but open up all of their software
to support those seats. So a Multi-Server Multi-Site Directory Service does
not break the bank.
-- Mike
On Mon, Feb 9, 2009 at 5:13 PM, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> On Monday 09 February 2009, Justin Dearing wrote:
> > If the offices will be always connected via a point to point VPNs
> > then there should be no need for multi master.
>
> I think you're missing the point -- it has nothing to do with VPN or
> not; it's "remote vs local" administration. Without multi-master,
> local administrators at a remote subsidiary have to log in remotely
> to the master LDAP server to make or change LDAP data for their
> organization, whereas with multi-master they can log in to their own
> local LDAP server and then have the changes propagate. The other
> issue that makes multi-master nice is the ability to easily replace
> any one of the boxes by adding a new LDAP server and then removing
> the one that needs replacing, whereas having only one Master that
> replicates to the subs is a lot riskier to try to replace, because
> it's required to run _everything_.
>
> Some directory servers also allow making user logins that only allow
> access to a sub-set of the directory tree. This is convenient when
> giving administration rights to subsidiaries, because it allows them
> to make changes for their organization but not everything globally.
> i.e. "admin-sub" vs "root". I last did this with Novell NDS (i.e.
> eDirectory), which also supports multi-master replication.
>
> > Are the offices going to be disconnected from each other on a
> > regular basis?
>
> Still a good idea to have distributed LDAP servers, regardless.
> Because it's nice to have a local cache rather than having to do
> every single LDAP lookup over the VPN -- and it's also a real wakeup
> call of "bad design" when the VPN or ISP connection doesn't work and
> thus nobody can log in to do anything locally.
>
> -- Chris
>
> --
>
> Chris Knadle
> Chris.Knadle at coredump.us
> _______________________________________________
> Lilug mailing list
> Lilug at lilug.org
> http://lists.lilug.org/listinfo.cgi/lilug-lilug.org
>
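The two questions raised in this exchange (where end-users get the right to edit their own entry, and how a "site" administrator gets write access to one subtree only) are both answered in the server's access-control rules. Below is an added example, not code from Mike, Chris or the Lilug list, showing how those rules look on an OpenLDAP slapd using cn=config. The directory layout is an assumption made up for the example: a suffix dc=example,dc=com, one office subtree ou=NewYork,dc=example,dc=com, an admin group cn=ny-admins,ou=groups,dc=example,dc=com, and the data database at olcDatabase={1}mdb.

```ldif
# Added example (not from the thread). Assumed OpenLDAP cn=config layout:
# suffix dc=example,dc=com, office subtree ou=NewYork, group cn=ny-admins.
# Rules are evaluated top-down; the first "to" clause matching the target
# entry/attribute decides, so the narrow password rule goes first.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner may change theirs, anyone may bind with it,
# nobody may read the stored hash.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Self-service profile fields, deliberately limited to attributes that
# carry no authorisation meaning. A user must not get write on uid,
# group membership, or anything applications use for access decisions.
# "break" hands every other requester on to the following rules, so the
# site admins below still get write on these attributes in their subtree.
olcAccess: {1}to attrs=telephoneNumber,mobile,description
  by self write
  by * break
# Site administrator for one office: write on that subtree only and
# nothing elsewhere in the tree (the "admin-sub" vs "root" distinction).
olcAccess: {2}to dn.subtree="ou=NewYork,dc=example,dc=com"
  by group.exact="cn=ny-admins,ou=groups,dc=example,dc=com" write
  by users read
  by * none
# Everything else: authenticated users may read; the rootdn bypasses ACLs.
olcAccess: {3}to *
  by users read
  by * none
```

Apply it on the server over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`. Two points worth checking afterwards: bind as an ordinary user and confirm that a modify of your own uid or of a neighbour's telephoneNumber is refused (the self-service rule is only safe while its attribute list stays short), and remember that in a multi-master setup these rules live in cn=config, which is not replicated unless you configure that separately, so each server needs the same olcAccess set or site administrators will get different rights depending on which replica they log in to.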