[Beowulf] Poll - Directory implementation

Prentice Bisbal pbisbal at pppl.gov
Wed Oct 24 12:36:17 PDT 2018

I've been using OpenLDAP for years now. I did investigate going to 
389-DS years ago and gave up on it for the following reasons:

1. The documentation was not very good. I remember setting things up 
exactly as I believe the documentation instructed, and things wouldn't 
work. A coworker with more experience with 389-DS would come over, and 
to fix the problem would do *exactly* the opposite of what I thought the 
instructions were saying to do. Very frustrating.

2. When investigating using replication,  I found the replication logs 
stored user passwords in the replication log in plain-text, and even 
labelled the data as "plaintext password". That was a show-stopper for 
me. I shared my findings with my coworkers, and agreed that was too bad 
a practice for us to accept.

When did you last look at OpenLDAP? OpenLDAP has had multi-master 
capability for a while now, but the developer advise against it, and I 
have to agree with them. For most cases, multi-master creates 
unnecessary complexity that lead to data loss in certain cases (I forget 
the details, but I think this would happen if both masters had different 
data, and both lost power before the replication completed - ask on the 
openldap mailing list for the developers arguments against multi-master).

I also would not call the OpenLDAP replication mechanism a bolted on 
script. It used to be a separate process, the slurpd daemon, but that 
was superceded by a newer mechanism that is incorporated into slapd a 
while ago.

In my environments, I never really saw a pressing need for multi-master. 
I have one read-write master, and then several read-only slaves. I'll 
make the head node of each cluster a read-only slave, so the compute 
nodes don't have to leave the clusters private network to get directory 


On 10/24/2018 12:29 PM, Tom Harvill wrote:
> Hello,
> Long time lurker, very infrequent poster - I enjoy this list very much.
> We run multiple clusters in different data centers with a single 
> directory (LDAP) for general authentication and some user grouping for 
> special purposes (eg delineating admin users for privileges). We put 
> 'extra' user data in an RDBMS.
> We currently use 389-DS (aka Fedora Directory Server) and there is 
> some internal pressure to switch to OpenLDAP.
> 389-DS is working well, we use the multi-master feature.  It really 
> hasn't failed us.
> I'm writing this list to ask:
> - what directory solution do you implement?
> - if LDAP, which flavor?
> - do you have any opinions one way or another on the topic?
> Because 389-DS has just worked, it's sort-of out of sight and mind. 
> I've been re-engaging it for a little while and from what I can see 
> it's fairly well documented (I don't remember this being the case when 
> we originally set it up 10+ years ago.)  I think OpenLDAP doesn't have 
> integrated multi-master replication - that feature appears to be a 
> bolted on script.
> Thanks in advance for your time,
> Tom
> Tom Harvill
> Holland Computing Center
> https://hcc.unl.edu
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> To change your subscription (digest mode or unsubscribe) visit 
> http://www.beowulf.org/mailman/listinfo/beowulf

More information about the Beowulf mailing list