[Beowulf] Poll - Directory implementation

Lachlan Musicman datakid at gmail.com
Thu Oct 25 04:29:53 PDT 2018


On Thu, 25 Oct 2018 at 18:40, Tony Brian Albers <tba at kb.dk> wrote:

> On Wed, 2018-10-24 at 11:42 -0500, Tom Harvill wrote:
> > We run multiple clusters in different data centers with a single
> > directory (LDAP) for general authentication and some user grouping
> > for special purposes (eg delineating admin users for privileges). We
> > put 'extra' user data in an RDBMS.
> >
> > We currently use 389-DS (aka Fedora Directory Server) and there is
> > some internal pressure to switch to OpenLDAP.
> >
> > 389-DS is working well, we use the multi-master feature.  It really
> > hasn't failed us.
> >
> > I'm writing this list to ask:
> >
> > - what directory solution do you implement?
> > - if LDAP, which flavor?
> > - do you have any opinions one way or another on the topic?
> >
> > Because 389-DS has just worked, it's sort-of out of sight and mind.
> > I've been re-engaging it for a little while and from what I can see
> > it's fairly well documented (I don't remember this being the case
> > when we originally set it up 10+ years ago.)  I think OpenLDAP doesn't
> > have integrated multi-master replication - that feature appears to be
> > a bolted on script.
>
> At KB one of our Hadoop clusters is using 389-DS through FreeIPA, and
> it works great. Our 389-DS server is getting hit pretty hard from time
> to time since everything is using Kerberos and FreeIPA (all the jobs
> running on the cluster look up users etc. in FreeIPA), but it gets by
> and is very stable (we've had two unexpected service stops fixable by
> just restarting them in 2½ years now).
>
> All hosts use sssd and user homedirs are automounted on them using
> krb5.
>
> IMO you should consider IdM or FreeIPA since it brings quite a lot of
> extra functionality while still using a standard LDAP backend.


100% agree. FreeIPA with SSSD includes 389-DS and has been perfect. Would
always recommend. I've been following the IPA/SSSD development quite
closely for two years now - they are a very good team and have actively
helped me with issues on the mailing lists on numerous occasions.

Cheers
L.