[Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

#1
06-16-2008
Carlos Eduardo Pedroza Santiviago

[Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

Hi,

I'd like to know if any of you have ever implemented Samba 3 with
OpenLDAP multimaster (using syncrepl, maybe) or Fedora-DS. The basic
idea would be:

- WAN link dies, the remote office's BDC would promote itself to PDC
(using some kind of monitoring script), and will start accepting
changes to the user base. Also, some change to the local WINS server
would be necessary.
- WAN link returns, the changes are replicated back to the original
PDC, and the WAN's PDC is demoted to BDC again, and changes again the
WINS database.

From what I've read, NT4 seems to do this "automagically", and I'm
having some complaints about that.

What do you guys think?

Best regards,
--
Carlos Eduardo Pedroza Santiviago - <carlos at santiviago.com>
http://softwarelivre.net | Step by step towards freedom!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
#2
06-17-2008
Charlie

Re: [Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

Lots of folks have samba 3 running over OpenLDAP. Syncrepl is what
I'd use if I was setting it up today, but I have a very reliable and
mature implementation already running slurpd, so I am going to stick
with that for the moment.

As for multi-master, I agree with Zeilenga's comments on LDUP. Google
for "multimaster considered harmful" or read
http://www.openrowley.com/2006/10/05...eally-harmful/
if you don't know what I'm talking about.

We have one PDC and WINS server per physical site, which is more
reliable and fault-tolerant than anything else I've tried, but it does
make LDAP configuration a bit dicey since the Samba Team doesn't yet
understand why anyone would want to combine a unified authentication
infrastructure with geographically localized network control. Setting
up domain trusts with our configuration is tricky.

--Charlie

On Mon, Jun 16, 2008 at 10:44 AM, Carlos Eduardo Pedroza Santiviago
<carlos@santiviago.com> wrote:
> Hi,
>
> I'd like to know if any of you have ever implemented Samba 3 with
> OpenLDAP multimaster (using syncrepl, maybe) or Fedora-DS. The basic
> idea would be:
>
> - WAN link dies, the remote office's BDC would promote itself to PDC
> (using some kind of monitoring script), and will start accepting
> changes to the user base. Also, some change to the local WINS server
> would be necessary.
> - WAN link returns, the changes are replicated back to the original
> PDC, and the WAN's PDC is demoted to BDC again, and changes again the
> WINS database.
>
> From what I've read, NT4 seems to do this "automagically", and I'm
> having some complaints about that.
>
> What do you guys think?
>
> Best regards,
> --
> Carlos Eduardo Pedroza Santiviago - <carlos at santiviago.com>
> http://softwarelivre.net | Step by step towards freedom!
>


#3
06-18-2008
Adam Tauno Williams

Re: [Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

On Tue, 2008-06-17 at 16:39 -0400, Charlie wrote:
> Lots of folks have samba 3 running over OpenLDAP. Syncrepl is what
> I'd use if I was setting it up today, but I have a very reliable and
> mature implementation already running slurpd, so I am going to stick
> with that for the moment.
> As for multi-master, I agree with Zeilenga's comments on LDUP. Google
> for "multimaster considered harmful" or read
> http://www.openrowley.com/2006/10/05...eally-harmful/
> if you don't know what I'm talking about.


OpenLDAP 2.4.x provides working multi-master (although I still think not
nearly as many people need multi-master as think they do).

<http://www.openldap.org/doc/admin24/...on.html#N-Way%20Multi-Master%20replication>

> We have one PDC and WINS server per physical site, which is more
> reliable and fault-tolerant than anything else I've tried, but it does
> make LDAP configuration a bit dicey since the Samba Team doesn't yet
> understand why anyone would want to combine a unified authentication
> infrastructure with geographically localized network control. Setting
> up domain trusts with our configuration is tricky.




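Adam's post says OpenLDAP 2.4 has working N-way multi-master but shows no configuration. The following is an added example, not from the thread and not copied from the OpenLDAP admin guide he links: a slapd.conf fragment for node 1 of a two-node multi-master pair holding a Samba 3 ldapsam tree. Host names, the suffix, the DNs, file paths and every REPLACE-ME secret are assumed placeholders.

```conf
# slapd.conf fragment, node 1 of a two-node OpenLDAP 2.4 N-way multi-master pair.
# Node 2 is identical except serverID 2 and provider=ldap://ldap1.example.com.
# All names below are placeholders for this example.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Every master needs a distinct serverID; it is embedded in the CSNs used
# to order changes, so two nodes with the same ID corrupt conflict resolution.
serverID        1

TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/ldap1.example.com.crt
TLSCertificateKeyFile   /etc/openldap/ldap1.example.com.key

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}REPLACE-ME
directory       /var/lib/ldap

# syncprov needs these two indexes to answer refresh requests efficiently.
index           entryCSN        eq
index           entryUUID       eq
index           objectClass     eq
index           uid,sambaSID    eq

# The replicator identity is read-only; a full-tree read must not be cut off
# by the default size/time limits or the initial refresh stays incomplete.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * break
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# Provider side: keep a session log so a peer that lost the WAN link for a
# while can catch up from the log instead of re-reading the whole tree.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Consumer side: pull from the peer master over TLS only, and keep retrying
# forever with a 300 s interval once the first five quick retries fail.
syncrepl        rid=001
                provider=ldap://ldap2.example.com
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple
                credentials=REPLACE-ME
                searchbase="dc=example,dc=com"
                type=refreshAndPersist
                retry="5 5 300 +"
                timeout=1
                starttls=critical
                tls_cacert=/etc/openldap/cacert.pem
                tls_reqcert=demand
mirrormode      on
```

Two caveats a practitioner should plan for. First, `credentials` is a plaintext password, so slapd.conf must not be world-readable. Second, this is exactly the failure mode the "multimaster considered harmful" argument is about: when the WAN partition heals, a change made to the same entry on both sides is resolved by comparing entryCSN, so the later write wins and the other is silently dropped. A password changed at both sites during the outage loses one of the changes, which is why clocks on the masters must be NTP-synchronised and why Charlie's approach of promoting a site master by hand and merging afterwards trades availability for a visible, reviewable merge.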
#4
06-18-2008
Charlie

Re: [Samba] Samba 3 with OpenLDAP multimaster or Fedora-DS

On Wed, Jun 18, 2008 at 10:35 AM, Carlos Eduardo Pedroza Santiviago
<carlos@santiviago.com> wrote:
>
> Humm, so you're not using the same domain for the entire company? In
> my situation, we have 5 remote offices, and all using the same domain,
> and if for some unknown reason our links (yes, we do have redundant
> links) go down, these offices should be able to work with minimal
> interruption (by saying this i mean, users should be able to change
> their passwords, machines also should be able to update their
> accounts, etc).


At each site, we have a separate domain, a samba PDC/WINS server, a
print server, multiple samba file servers, and multiple ethernet
segments. If four or five WAN links go down simultaneously it's
possible that people at one site will not be able to change their
passwords until connectivity is restored, but everything will still
work fine (including network browsing). If there was some reason
connectivity could not be restored within 24 hours, the on-site staff
would promote a local LDAP replica (the "site master") and I would
manually merge any changes after the connectivity was restored with a
little shell scripting.

All our POSIX hosts and samba servers implement LDAP failover, so that
I can take LDAP replicas in and out of service temporarily without
worrying about breaking anything. The giant HP-UX monsters use HP's
ldap-ux, the linux systems use PADL's nss_ldap and pam_ldap. Samba is
compiled to use the OpenLDAP libraries (we use Red Hat packages as
much as possible, and I build custom RPMs when Red Hat's packages are
insufficient). I have no kerberos but we have LDAP-integrated RADIUS
in our switches and routers.

We have a lot of WAN links, to our own remote sites, and also to more
than 50 other organizations that we serve. Our LDAP infrastructure
has been fully functional for a long time (since before syncrepl was
invented) and is pretty mature. Now that syncrepl seems to be stable
technology, I am thinking about multi-mastering again, but I am not in
a hurry to re-architect everything. I will probably have to set up
kerberos eventually and I guess I will revisit all aspects of
infrastructure design at that time.

A well-integrated LDAP directory can provide single sign-on to
hundreds of applications at more than 50 sites with HIPAA-compliant
audit traces and access controls. Samba expands what you can do with
LDAP even more, because samba allows arbitrarily defined actions to be
triggered by network logon and file access events.

--Charlie

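Charlie describes POSIX hosts and Samba servers that "implement LDAP failover" against a site-local replica, but shows no configuration. The following is an added example and not Charlie's configuration: a PADL nss_ldap/pam_ldap `/etc/ldap.conf` and a Samba 3 ldapsam `smb.conf` fragment that list the local replica first and a remote master second, require TLS, and use short timeouts so that a dead WAN link makes lookups fail over instead of hanging every logon. Host names, the suffix, the DNs and the CA file path are assumed placeholders.

```conf
# /etc/ldap.conf for PADL nss_ldap and pam_ldap (placeholders throughout).
# URIs are tried in order, so the site-local replica goes first.
uri ldap://ldap-local.example.com/ ldap://ldap-hq.example.com/
base dc=example,dc=com
ldap_version 3

# Fail over rather than block: give up on a dead server within 5 s,
# cap any single search at 10 s, and do not retry a down server forever.
bind_policy soft
bind_timelimit 5
timelimit 10
nss_reconnect_tries 2

# Never send a bind password or a password change in the clear, and
# verify the server certificate against our CA.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem

# Scope lookups to the containers that hold accounts; one-level searches
# keep NSS queries cheap on a slow link.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one

# Password changes go through the LDAP password-modify extended operation,
# so the server, not the client, hashes the new password.
pam_password exop

# smb.conf fragment for a Samba 3 PDC or member server using ldapsam.
# Samba also walks this list in order, so the local replica is first.
[global]
        workgroup       = EXAMPLE
        passdb backend  = ldapsam:"ldap://ldap-local.example.com ldap://ldap-hq.example.com"
        ldap suffix         = dc=example,dc=com
        ldap user suffix    = ou=People
        ldap group suffix   = ou=Group
        ldap machine suffix = ou=Computers
        ldap admin dn       = cn=samba,dc=example,dc=com
        ldap ssl            = start tls
        ldap timeout        = 5
        ldap passwd sync    = yes
```

The `ldap admin dn` password is not written in smb.conf; it is stored in secrets.tdb with `smbpasswd -w`, so smb.conf can stay world-readable while the bind secret does not. If the local replica is a plain read-only syncrepl consumer rather than a second master, this layout gives exactly the behaviour Charlie describes: when the WAN dies, name lookups, authentication and browsing keep working from the local copy, and only writes such as password changes and machine account updates wait until the link returns.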