Openldap clustering ?

Matthew Seaman m.seaman at
Thu Jul 8 21:51:54 UTC 2010

On 08/07/2010 09:21:53, Frank Bonnet wrote:

> Could anybody recommend a rock solid software to build
> an OpenLDAP cluster with FreeBSD 8.0 ?

Well, you're off to a good start with FreeBSD and OpenLDAP.  In fact,
you don't really need much more than that.  As mentioned else-thread,
you can set up master-master replication between a couple of OpenLDAP
instances quite readily: unlike say, M-M replication in MySQL, this is
pretty robust[*] and you can write to the directory on either server.

You can also expand to a ring topology with three or more servers, plus
many other possibilities, and site-to-site replication also works pretty
well over long distances, but that's probably getting beyond the scope
of what you want.

The really handy thing about LDAP is that you can do quite a reasonable
High-Availability setup with no extra software or hardware -- it's a lot
like DNS in that respect.

Simply specify a series of LDAP servers in the ldap.conf (or
pam-ldap.conf or nss-ldap.conf) on each client, and the client will try
each in turn until it reaches one it can bind to successfully.  This
does introduce a little extra latency here and there, but nothing
particularly drastic.  There is also a method of distributing traffic
using SRV records that can be managed centrally in the DNS but AFAIK,
{nss,pam}-ldap.conf don't understand it -- other clients do and will
work just fine.

You can use CARP or relayd or HW load balancers or other technologies to
make the H-A almost seamless, but frequently the extra complication just
doesn't provide enough extra performance to justify the effort or the
expense.  Test early, and test often while working up your cluster.



[*] Partly this is due to the intrinsic nature of LDAP directories,
where there tend to be far fewer uniqueness constraints, and partly it's
because LDAP servers generally service far more reads than writes --
more so than typical RDBMS usage.  Mostly however, it's because LDAP
replicates the modified data, rather than replaying a stream of update
queries on the replication targets.

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
JID: matthew at               Kent, CT11 9PW
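
The two client-side approaches described in the message above (trying a list of servers in turn, and ordering servers from DNS SRV records), as an added example that is not part of the original post. The SRV ordering follows RFC 2782; the hostnames, the sample records and the try_bind callable are assumptions made for illustration, with a stub standing in for a real LDAP bind.

```python
import random

# Constructed sample SRV data for _ldap._tcp.example.org (placeholder names):
# (priority, weight, port, target)
SAMPLE_SRV = [
    (10, 60, 389, "ldap1.example.org"),
    (10, 40, 389, "ldap2.example.org"),
    (20, 0, 389, "ldap-dr.example.org"),
]

def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: lowest priority value first,
    weighted random selection among records sharing a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        # Zero-weight records go first, so they are picked only rarely.
        pool.sort(key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered

def first_working(servers, try_bind):
    """Try each (host, port) in turn; return the first server that binds,
    plus the failures seen on the way (useful for alerting on a dead node)."""
    failures = []
    for host, port in servers:
        try:
            try_bind(host, port)  # hypothetical callable wrapping a real bind
            return (host, port), failures
        except OSError as exc:
            failures.append((host, port, str(exc)))
    raise ConnectionError(f"no LDAP server reachable: {failures}")

def fake_bind(down):
    """Stub bind for the demo: refuses connections for hosts in `down`."""
    def bind(host, port):
        if host in down:
            raise ConnectionRefusedError(f"{host}:{port} refused")
    return bind

def demo(down):
    servers = [(target, port) for _, _, port, target in order_srv(SAMPLE_SRV)]
    return first_working(servers, fake_bind(down))
```

The failures list is what accounts for the extra latency mentioned above: each dead server ahead of the working one costs a connection attempt before the client moves on.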

More information about the freebsd-questions mailing list