Ldap
Revision as of 23:45, 2 May 2009
UGCS uses LDAP to hold all of our "directory" information: users, home directories, UIDs, and so on. We have two LDAP servers that are supposed to stay in sync: hera is our main server, and zeus is the slave (replica).
Authentication for editing LDAP is via Kerberos/GSSAPI. Sysadmins have full write access; other users can only edit their own records.
ldapmodify is the standard command for feeding LDIF to the server and can update anything in LDAP. ldapedit is a custom command we wrote that makes it easier to update your own settings.
Hera dumps its database once a day into a format that the other backup mechanisms can store. Do not rely on copies of the raw BDB files: taken out from under a running slapd they are inconsistent, and such a backup will be garbage.
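A worked example of what ldapmodify takes, added here and not UGCS's ldapedit or any script from the page. The base DN, the ou=People container, the uid= RDN for user entries and the ldap://hera/ URI are all assumptions; substitute the real values.

```shell
#!/bin/sh
# Added example of driving ldapmodify with LDIF; not UGCS's own code.
# Assumed (not stated on the page): base DN, ou=People, uid= RDNs, server URI.
LDAP_BASE="${LDAP_BASE:-dc=example,dc=org}"
LDAP_URI="${LDAP_URI:-ldap://hera/}"

# Print an LDIF "changetype: modify" that replaces one single-valued
# attribute on one user's entry. Each attribute change is its own block and
# is terminated by a line containing only "-".
ldif_replace() {
    user="$1"; attr="$2"; value="$3"
    printf 'dn: uid=%s,ou=People,%s\n' "$user" "$LDAP_BASE"
    printf 'changetype: modify\n'
    printf 'replace: %s\n' "$attr"
    printf '%s: %s\n' "$attr" "$value"
    printf '%s\n' -
}

# Show which DN the server maps your Kerberos principal to. That DN is what
# slapd's ACLs compare against "self", i.e. the one record a normal user may edit.
ldap_whoami() {
    ldapwhoami -Y GSSAPI -H "$LDAP_URI"
}

# Apply LDIF from stdin using Kerberos/GSSAPI (no -x simple bind, so no
# password crosses the wire). Needs a valid ticket from kinit first.
ldap_apply() {
    ldapmodify -Y GSSAPI -H "$LDAP_URI"
}

# Usage:
#   kinit
#   ldap_whoami
#   ldif_replace alice loginShell /bin/zsh | ldap_apply
```

Run ldap_whoami before modifying anything: if GSSAPI maps you to a DN other than your own entry, the modify will be refused (or, for a sysadmin, applied to whatever DN you typed), so check the mapping first.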
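The kind of daily dump the paragraph above describes, written as an added example rather than hera's actual cron job. It assumes slapcat is installed on hera, that database 1 is the one to dump, and that /var/backups/ldap is the directory the other backup mechanisms pick up; none of that is stated on the page.

```shell
#!/bin/sh
# Added example of an LDAP dump plus a sanity check; not UGCS's own script.
# Assumed (not from the page): slapcat on hera, database number 1, BACKUP_DIR.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/ldap}"

# Sanity-check a dump before declaring the backup done. A usable slapcat
# dump has many "dn:" lines and ends with the blank line that terminates the
# last entry; a truncated one stops mid-entry. Returns 0 if it looks sane.
verify_ldif() {
    f="$1"; min="${2:-10}"
    [ -s "$f" ] || return 1
    n=$(grep -c '^dn: ' "$f" || true)
    [ "$n" -ge "$min" ] || return 1
    [ -z "$(tail -n 1 "$f")" ] || return 1
    return 0
}

# Dump the database as LDIF. Copying /var/lib/ldap/*.bdb and the log.* files
# while slapd runs gives an inconsistent snapshot; slapcat goes through the
# backend and writes LDIF that slapadd can load into any slapd, which is the
# thing worth keeping. The dump holds password hashes, hence umask 077.
ldap_dump() {
    out="$BACKUP_DIR/ldap-$(date +%Y%m%d).ldif"
    ( umask 077 && slapcat -n 1 -l "$out" ) || return 1
    verify_ldif "$out"
}

# Usage (from cron, as the user that may read the database files):
#   ldap_dump || logger -p daemon.err "LDAP dump failed"
```

The LDIF alone is not the whole backup: a restore also needs slapd.conf and the custom schema files from Ldap_Schema, so keep those under the same backup mechanism.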
See also Ldap_Schema for customized LDAP schemas that we have.
Our LDAP servers are listed in a few places on each machine. Each file is distributed by cfengine. They are:
- /etc/ldap/ldap.conf This contains the default server for ldapsearch operations
- /etc/libnss-ldap.conf This contains the ldap servers for use with NSS lookups (usernames, uids, etc)
Replication
NSS uses ldap-head as its primary server and ldap-backup as the secondary. There is, however, a 5-second timeout per server: if the host is up but slapd is down, the connection is refused immediately and NSS moves straight on to the secondary, but if the host is unreachable, every lookup waits out the timeout before failing over. It is a bit of a pain, but it works. Postfix on hermes relies on ldap-head only, as it does not seem to handle LDAP failover correctly.
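An illustration of the failover and timeout behaviour described above, as an added example of what the cfengine-distributed /etc/libnss-ldap.conf might contain; it is not the actual file. The base DN and the exact option values are assumptions, and the option names are those of PADL nss_ldap.

```conf
# Added example libnss-ldap.conf, not UGCS's distributed file.
# Base DN is assumed; ldap-head and ldap-backup are the names used on the page.

# Servers are tried in the order listed; the first one that answers wins.
uri ldap://ldap-head/ ldap://ldap-backup/
base dc=example,dc=org

# Give up on a server that does not complete the connect/bind within 5 s and
# move to the next one. This is the per-server wait you see when ldap-head is
# unreachable; a refused connection fails over at once without waiting.
bind_timelimit 5

# Bound the search itself too, so a wedged server cannot hang every
# getpwnam()/getgrnam() until the kernel gives up on the socket.
timelimit 10

# hard (the default) keeps retrying the bind and blocks the caller; soft
# returns an error to the caller instead. soft keeps logins and cron from
# hanging, at the price that LDAP users briefly look nonexistent during an
# outage, so use it only with nss_initgroups_ignoreusers for local accounts.
bind_policy soft
nss_reconnect_tries 2
```

With both servers listed, a lookup only fails when neither answers; with ldap-head alone (as Postfix on hermes is configured) the first timeout is also the last.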