02.23.06
Managing HA Utility computing… Part 1 (LDAP and NFS)
In my environment, we have about 400+ Sun servers, mostly Sun Fires that range from V210s to 15K domains. Managing these servers individually would be a nightmare, especially for user, device and host management. Can you imagine editing 400+ servers just to add a user? Ouch! To streamline such processes, a reliable and robust method of attaining these tasks was necessary, which brings us to the meat of this discussion.
For the past couple of months, I have been designing an infrastructure that will scale reliably to meet our needs going forward. For naming services, we chose LDAP because it is much more flexible and extensible (most ISVs have built-in API support), has a better security model and comes with a built-in replication framework. At most establishments I worked at, such as Morgan Stanley and ML, NIS was the name service of choice, but those environments were built many years ago, when LDAP was not even ratified. Some even incorporated Kerberos to get over the security setback in NIS. LDAP, on the other hand, is ideal for newer shops that are just building out an infrastructure from scratch, and even for those mature environments that currently rely on the Yellow Pages (NIS).

One of the many advantages of LDAP over NIS is the replication mechanism. In NIS, when the master makes a change, the slaves need to explicitly pull the specific map, or the server pushes the entire database. In other words, if you add a new user, you need to update at least 3 maps: passwd, shadow and netgroup. To add insult to injury, you need to make sure the slaves are aware of the change; say you have a password database of ~100000 users, that means you are pushing the same database that already exists on the slave just to update one attribute. This can be costly because of the load on the network, especially during business hours. One solution I saw to this was to store the changes in a database that gets propagated to the clients during off hours. While this was an ideal solution, it had limitations: if you needed to build a new server or add a new user, you had to wait up to 24 hours for the user to be globally defined. LDAP, unlike NIS, replicates only the deltas, thus avoiding flooding your production network just to update one attribute. Another nice feature of LDAP, which is based on X.500, is that it uses a hierarchical namespace, whereas NIS uses a flat namespace.
LDAP also offers an extended security framework (ACLs) that can be applied down to the attribute level via ACIs (access control instructions). Lastly, Sun ONE Directory Server 5.2 now allows you to have 4 multi-master servers. This boosts service availability because password updates, syncs, new attributes, etc. can be applied to virtually any one of the RW (read-write) replicas, even if 3 of the masters are down.
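To make the three points above concrete (one hierarchical entry instead of three NIS map edits, a delta update rather than a full map push, and attribute-level ACIs), here is a constructed LDIF example. It is not from the original post or from Sun's documentation; the suffix dc=example,dc=com, the ou=People container, the user jdoe and the password value are all assumptions, and the ACI syntax is the Sun ONE Directory Server form.

```ldif
# Constructed example: one entry in the hierarchical namespace carries the
# account, shadow and group information that NIS spreads over three maps.
# Suffix, container and user are assumptions, not values from the post.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/ksh
userPassword: {SSHA}PLACEHOLDER-replace-with-a-real-hash

# Delta update: with multi-master replication only this one attribute change
# travels to the other masters and consumers; the directory is not re-sent.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/bash

# Attribute-level ACIs on the People container: anyone may read and search
# the account attributes except userPassword, and a bound user may write
# only their own userPassword. Everything not explicitly allowed is denied.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "read account attributes"; allow (read,search,compare) userdn = "ldap:///anyone";)
aci: (targetattr = "userPassword")(version 3.0; acl "self write password"; allow (write) userdn = "ldap:///self";)
```

Apply the file with ldapmodify (the -a option lets the add record and the modify records share one file), bound as a directory administrator, against any one of the read-write replicas; the other masters pick up only the changed entries and attributes.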
These are just some of the nice features of LDAP; there are many more than the few points I mentioned here. Stay tuned for my follow-up on HA computing.