[Beowulf] Poll - Directory implementation
pbisbal at pppl.gov
Wed Oct 24 12:36:17 PDT 2018
I've been using OpenLDAP for years now. I did investigate going to
389-DS years ago and gave up on it for the following reasons:
1. The documentation was not very good. I remember setting things up
exactly as I believe the documentation instructed, and things wouldn't
work. A coworker with more experience with 389-DS would come over, and
to fix the problem would do *exactly* the opposite of what I thought the
instructions were saying to do. Very frustrating.
2. When investigating using replication, I found the replication logs
stored user passwords in the replication log in plain-text, and even
labelled the data as "plaintext password". That was a show-stopper for
me. I shared my findings with my coworkers, and agreed that was too bad
a practice for us to accept.
When did you last look at OpenLDAP? OpenLDAP has had multi-master
capability for a while now, but the developers advise against it, and I
have to agree with them. For most cases, multi-master creates
unnecessary complexity that leads to data loss in certain cases (I forget
the details, but I think this would happen if both masters had different
data, and both lost power before the replication completed - ask on the
openldap mailing list for the developers' arguments against multi-master).
I also would not call the OpenLDAP replication mechanism a bolted-on
script. It used to be a separate process, the slurpd daemon, but that
was superseded by a newer mechanism that is incorporated into slapd a
In my environments, I never really saw a pressing need for multi-master.
I have one read-write master, and then several read-only slaves. I'll
make the head node of each cluster a read-only slave, so the compute
nodes don't have to leave the clusters private network to get directory
On 10/24/2018 12:29 PM, Tom Harvill wrote:
> Long time lurker, very infrequent poster - I enjoy this list very much.
> We run multiple clusters in different data centers with a single
> directory (LDAP) for general authentication and some user grouping for
> special purposes (eg delineating admin users for privileges). We put
> 'extra' user data in an RDBMS.
> We currently use 389-DS (aka Fedora Directory Server) and there is
> some internal pressure to switch to OpenLDAP.
> 389-DS is working well, we use the multi-master feature. It really
> hasn't failed us.
> I'm writing this list to ask:
> - what directory solution do you implement?
> - if LDAP, which flavor?
> - do you have any opinions one way or another on the topic?
> Because 389-DS has just worked, it's sort-of out of sight and mind.
> I've been re-engaging it for a little while and from what I can see
> it's fairly well documented (I don't remember this being the case when
> we originally set it up 10+ years ago.) I think OpenLDAP doesn't have
> integrated multi-master replication - that feature appears to be a
> bolted on script.
> Thanks in advance for your time,
> Tom Harvill
> Holland Computing Center
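The one read-write master plus read-only consumer topology described in the reply above, as an added illustration that is not the author's configuration: slapd.conf excerpts for a syncrepl provider and one cluster head node acting as a read-only consumer. The hostnames, suffix and the replicator DN are assumed placeholders.

```conf
# --- provider (read-write master), slapd.conf excerpt; constructed example ---
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"

# syncprov overlay makes this database a syncrepl provider
overlay     syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# dedicated replication identity: read-only via ACL, never the rootdn.
# It must be able to read userPassword hashes to replicate them.
access to attrs=userPassword
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * read

# let the replicator pull the whole tree without hitting size/time limits
limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# --- consumer (cluster head node, read-only), slapd.conf excerpt; constructed example ---
database    mdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"

syncrepl    rid=001
            provider=ldap://ldap-master.example.com
            type=refreshAndPersist
            retry="60 +"
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials=REPLACE_WITH_REPLICATOR_SECRET
            starttls=critical
            tls_reqcert=demand
            schemachecking=off

# any write attempted against the consumer is referred to the master
updateref   ldap://ldap-master.example.com
```

Because password hashes travel over the syncrepl connection, `starttls=critical` and `tls_reqcert=demand` make the consumer refuse to replicate over an unencrypted or unverified link, and the consumer's own logs never need to record credential values.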