[Beowulf] Poll - Directory implementation

John Hearns hearnsj at googlemail.com
Thu Oct 25 05:53:53 PDT 2018


Backing up what Tony Albers and Lachlan Musicman say.
I did a lot of work with sssd this summer, and am on the FreeIPA List,
though to be honest I did not deploy FreeIPA.
Indeed I SHOULD have deployed FreeIPA - sssd does not cope well with nested
groups when used on Linux.
As Lachlan says the mailing list is very helpful.

One caveat though - if looking at FreeIPA you will often get the answer
that bug or feature xyz is implemented in the latest release.
Be prepared to run it on an up to date OS so you get the latest versions.
I would also look at what the highest version of sssd your clients can
support is.

On Thu, 25 Oct 2018 at 12:30, Lachlan Musicman <datakid at gmail.com> wrote:

> On Thu, 25 Oct 2018 at 18:40, Tony Brian Albers <tba at kb.dk> wrote:
>
>> On Wed, 2018-10-24 at 11:42 -0500, Tom Harvill wrote:
>> > We run multiple clusters in different data centers with a single
>> > directory (LDAP) for general authentication and some user grouping
>> > for
>> > special purposes (eg delineating admin users for privileges). We put
>> > 'extra' user data in an RDBMS.
>> >
>> > We currently use 389-DS (aka Fedora Directory Server) and there is
>> > some
>> > internal pressure to switch to OpenLDAP.
>> >
>> > 389-DS is working well, we use the multi-master feature.  It really
>> > hasn't failed us.
>> >
>> > I'm writing this list to ask:
>> >
>> > - what directory solution do you implement?
>> > - if LDAP, which flavor?
>> > - do you have any opinions one way or another on the topic?
>> >
>> > Because 389-DS has just worked, it's sort-of out of sight and mind.
>> > I've
>> > been re-engaging it for a little while and from what I can see it's
>> > fairly well documented (I don't remember this being the case when we
>> > originally set it up 10+ years ago.)  I think OpenLDAP doesn't have
>> > integrated multi-master replication - that feature appears to be a
>> > bolted on script.
>>
>> At KB one of our Hadoop clusters is using 389-DS through FreeIPA, and
>> it works great. Our 389-DS server is getting hit pretty hard from time
>> to time since everything is using kerberos and FreeIPA (all the jobs
>> running on the cluster look up users etc. in FreeIPA), but it gets by
>> and is very stable (we've had two unexpected service stops fixable by
>> just restarting them in 2½ years now).
>>
>> All hosts use sssd and user homedirs are automounted on them using
>> krb5.
>>
>> IMO you should consider IdM or FreeIPA since it brings quite a lot of
>> extra functionality while still using a standard LDAP backend.
>
>
> 100% agree. FreeIPA with SSSD includes 389-DS and has been perfect. Would
> always recommend. I've been following the IPA/SSSD development quite
> closely for two years now - they are a very good team and have actively
> helped me with issues on the mailing lists on numerous occasions.
>
> Cheers
> L.