
Re: size of ldap directory



I have a bunch of cases open with Apple on LDAP and PasswordServer issues, when used with a moderate workload. I don't say it's heavy, because the servers aren't getting slow, but we hit them pretty hard.

My LDAP servers are mostly used for authentication. Most applications are non-Apple, so they do simple authentication (as opposed to SASL) with a password in cleartext. That's mostly okay, because all these servers are in the same room, on the same switch.

In any case, I have a lot of slapd crashes (kernel exec error) and hangs (100% cpu). I also have a case where PasswordServer just denies somebody for no good reason, only to accept them less than a second later with the same credentials. This all seems to be load-related - it happens much less frequently at off-peak hours.

There's also a case where slapd crashes immediately if there's a memberUid field with only a space, and not a valid entry. So any programmer in your enterprise could mistakenly corrupt your database with ldap-valid data but data that's not Apple-valid. It's difficult to find and fix, too, while your database is down!

With all that being said, I am using Radiator to do RADIUS-to-LDAP authentication proxy, and that works wonderfully. That takes care of VPN and PPP for us, with our Cisco gear. We're also doing a fileserver where every student automatically gets an account, and every course automatically gets a set of folders, including a drop box, inside the Professor's folders.

Our course information, our new student and employee information, and personal information changes come directly from our student system or our personnel system. We don't need to manually create these accounts and enter these changes, because it's all programmed to work without intervention in most situations.

It's been wonderful! Our LDAP rollout has been a great success, and it's made life just a bit easier for all our users.

I don't think you will have a problem with the size of your database. I think you may run into problems handling the load of authentication requests from non-Apple servers, like email or web sites.

We have 4380 users and 2824 groups. I'm using 5 G4 XServes - one master and four replicas. The four replicas are in a load-balancing and redundancy system with Foundry ServerIrons, and they work really great, especially to keep the users from noticing the slapd crashes, etc.

Hope this helps,

Matt

I'm curious how other people are using their LDAP directories with Panther Server. We're trying to move a lot of our services over to authenticate against OpenLDAP. This would include email, vpn, ppp, lab accounts, staff and faculty file sharing, etc... To do this we are attempting to sync with a MS-SQL database that has all of our user information (staff, faculty, students, alumni, etc...). It seemed like a very simple process (ssh from the Windows servers to the ldap server and run dsimportexport with a 61,000 user import file). Unfortunately, we only seem to get about 40,000 users.

All that to say, how are other people using LDAP? How many users are you managing? Is anyone out there trying to do what we're doing (or better yet, successfully doing this)?


------------- jeff computer support biola university

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden


--
Matt Richard
Access and Security Coordinator
Franklin & Marshall College
email@hidden
(717) 291-4157
References: 
 >size of ldap directory (From: listreader <email@hidden>)
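
The whitespace-only memberUid case described in the reply above can be screened for in an LDIF export or import file before it reaches the directory. The following is an added example, not code from the original post or from Apple; the sample LDIF, the example.edu DNs and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the original post). "IA==" is a single
# space in base64, which is how LDIF carries a value that is only a space.
SAMPLE_LDIF = """\
dn: cn=course101,cn=groups,dc=example,dc=edu
memberUid: alice
memberUid:: IA==

dn: cn=staff,cn=groups,dc=example,dc=edu
memberUid:
memberUid: bob

dn: cn=faculty,cn=groups,dc=example,dc=edu
memberUid: car
 ol
"""

def unfold(text):
    """Join LDIF continuation lines (one leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def blank_member_uids(ldif_text, attr="memberUid"):
    """Return (dn, repr(value)) for every attr value that is empty or only whitespace."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):    # blank line, comment, or not attr:value
            continue
        if rest.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                                  # "attr: <value>"
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            dn = value
        elif name.lower() == attr.lower() and value.strip() == "":
            findings.append((dn, repr(value)))
    return findings

if __name__ == "__main__":
    for dn, value in blank_member_uids(SAMPLE_LDIF):
        print(f"blank memberUid {value} in {dn}")
```

Running the check on every generated import file, and on a periodic export of the live directory, turns the crash trigger into a rejected record instead of an outage.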


