Gavin Henry
2005-Mar-02 10:26 UTC
[Samba] Request to update slapd.conf and OpenLDAP info for Samba-Guide/happy.html
Dear Team,

The OpenLDAP stuff on this page:

http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html

is not the preferred backend, i.e. ldbm, it really, really needs to be bdb.

See:

http://www.openldap.org/faq/index.cgi?_highlightWords=bdb%20ldbm&file=1085

"ldbm uses a neutral storage interface which in principle could wrap dbm, ndbm, gdbm or sleepycat as underlying storage; however, only Sleepycat is considered a reliable choice, so bdb offers more interesting features (ACID). Eventually it will disappear."

And:

http://www.openldap.org/faq/data/cache/756.html

"With back-ldbm, there is no fine-grain database locking. This means write operations are serialized. And while multiple read operations may be performed concurrently, they cannot be performed concurrently with any write operation. Additionally, LDBM databases cannot be accessed by only one program at a time (generally at the file level). (While one may be able to bypass the locking mechanism, you will likely corrupt the database (and/or obtain bogus information).)

With back-bdb, databases are locked on a page level, which means that multiple threads (and processes) can operate on the databases concurrently. In OpenLDAP 2.1.4 we lifted the restriction against using the slap tools while slapd is running on back-bdb. You can perform online backups using slapcat or BDB's db_dump utility without interrupting your LDAP service. You still must not use slapadd or slapindex while slapd is running (due to application-level caching in slapd(8))."

Point to highlight for disaster recovery:

"You can perform online backups using slapcat or BDB's db_dump utility without interrupting your LDAP service."

Therefore, can we update it for this and all the configuration that goes with using a bdb backend?

I feel we are not doing the Samba community justice, if we are telling them to use ldbm.

Thanks.

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/
John H Terpstra
2005-Mar-02 15:16 UTC
[Samba] Request to update slapd.conf and OpenLDAP info for Samba-Guide/happy.html
Gavin,

The book "Samba-3 by Example" was written at the time Samba-3.0.2 was just released. At that time (February 2004) the versions of OpenLDAP that were shipping on SuSE Linux Enterprise Server and on Red Hat Enterprise Linux used ldbm.

I agree entirely that this needs to be updated, in fact, it is necessary also to update all references to the smbldap-tools as well as many other subtle factors that have changed in Samba between Samba-3.0.2 and 3.0.12 (the soon to be released version).

I will update the entire book at the first opportunity I get. If you wish to submit patches I would be most appreciative.

Cheers,
John T.

On Wednesday 02 March 2005 03:24, Gavin Henry wrote:
> Dear Team,
>
> The OpenLDAP stuff on this page:
>
> http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html
>
> is not the preferred backend, i.e. ldbm, it really, really needs to be bdb.
>
> See:
>
> http://www.openldap.org/faq/index.cgi?_highlightWords=bdb%20ldbm&file=1085
>
> "ldbm uses a neutral storage interface which in principle could wrap dbm,
> ndbm, gdbm or sleepycat as underlying storage; however, only Sleepycat is
> considered a reliable choice, so bdb offers more interesting features
> (ACID). Eventually it will disappear."
>
> And:
>
> http://www.openldap.org/faq/data/cache/756.html
>
> "With back-ldbm, there is no fine-grain database locking. This means write
> operations are serialized. And while multiple read operations may be
> performed concurrently, they cannot be performed concurrently with any
> write operation. Additionally, LDBM databases cannot be accessed by only
> one program at a time (generally at the file level). (While one may be
> able to bypass the locking mechanism, you will likely corrupt the database
> (and/or obtain bogus information).)
>
> With back-bdb, databases are locked on a page level, which means that
> multiple threads (and processes) can operate on the databases
> concurrently. In OpenLDAP 2.1.4 we lifted the restriction against using
> the slap tools while slapd is running on back-bdb. You can perform online
> backups using slapcat or BDB's db_dump utility without interrupting your
> LDAP service. You still must not use slapadd or slapindex while slapd is
> running (due to application-level caching in slapd(8))."
>
>
> Point to highlight for disaster recovery:
>
> "You can perform online backups using slapcat or BDB's db_dump utility
> without interrupting your LDAP service."
>
> Therefore,
> can we update it for this and all the configuration that goes with using a
> bdb backend?
>
> I feel we are not doing the Samba community justice, if we are telling
> them to use ldbm.
>
> Thanks.
>
> --
> Kind Regards,
>
> Gavin Henry.
> Managing Director.
>
> T +44 (0) 1224 279484
> M +44 (0) 7930 323266
> F +44 (0) 1224 742001
> E ghenry@suretecsystems.com
>
> Open Source. Open Solutions(tm).
>
> http://www.suretecsystems.com/

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Tony Earnshaw
2005-Mar-02 19:18 UTC
[Samba] Request to update slapd.conf and OpenLDAP info for Samba-Guide/happy.html
Gavin Henry:

> The OpenLDAP stuff on this page:
>
> http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html
>
> is not the preferred backend, i.e. ldbm, it really, really needs to be
> bdb.
>
> See:
>
> http://www.openldap.org/faq/index.cgi?_highlightWords=bdb%20ldbm&file=1085

Pointing LDAP users toward OpenLDAP.org will hopefully get them to see that not only ldbm as backend is considered obsolete and is deprecated, but also that OL 2.0 is considered obsolete, 2.1 is obsolescent and deprecated and the latest stable version is 2.2.23. Which uses Sleepycat BDB 4.2.52 mandatorily.

[...]

> I feel we are not doing the Samba community justice, if we are telling
> them to use ldbm.

ldbm as backend will ultimately seize up on production rigs, for a number of reasons. So will BDB 4.1, though for different reasons (I've been through it all myself). OpenLDAP 2.2.13 and higher with (patched) BDB 4.2.52 will keep on running for months without attention, even after forced power-downs or -outages, with all of the advantages that you cite.

However, use of BDB 4.2.52 requires specialist configuration (DB_CONFIG) for it to work at all satisfactorily. Which brings me back to my own bugbear: Samba 3 people who want to use the ldapsam DB backend should first and foremost be LDAP specialists, only subsequently adapt their Samba installation to their already successful LDAP implementation. I don't see how the Samba people can write all this up in the standard docs and there is no single HOWTO on the subject.

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
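Added example, not part of the thread or of the Samba or OpenLDAP documentation: a shell check for the two conditions the messages above raise, a `database ldbm` stanza still present in slapd.conf and a `database bdb` directory that has no DB_CONFIG file. The function names, sample suffixes and temporary paths are constructed for illustration, and the parser assumes one directive per line and no spaces in directory paths.

```sh
#!/bin/sh
# Added example, not from the thread. Lists each "database" stanza in a
# slapd.conf, flags back-ldbm, and flags back-bdb directories without DB_CONFIG.
audit_slapd_conf() {
    awk '
        function flush() { if (be != "") print be "\t" (dir == "" ? "-" : dir) }
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "database"  { flush(); be = $2; dir = "" }
        $1 == "directory" && be != "" { gsub(/"/, "", $2); dir = $2 }
        END { flush() }
    ' "$1" | while IFS="$(printf '\t')" read -r be dir; do
        case $be in
            ldbm) echo "WARN ldbm $dir: deprecated backend, plan a move to bdb" ;;
            bdb)  if [ -f "$dir/DB_CONFIG" ]; then echo "OK bdb $dir"
                  else echo "WARN bdb $dir: no DB_CONFIG found"; fi ;;
            *)    echo "INFO $be $dir" ;;
        esac
    done
}

# Constructed sample: three stanzas under a temporary directory (paths are made up).
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/old" "$t/new" "$t/tuned"
    printf 'set_cachesize 0 52428800 0\n' > "$t/tuned/DB_CONFIG"
    cat > "$t/slapd.conf" <<EOF
# constructed slapd.conf fragment
database  ldbm
suffix    "dc=example,dc=org"
directory $t/old

database  bdb
suffix    "dc=new,dc=example,dc=org"
directory "$t/new"

database  bdb
suffix    "dc=tuned,dc=example,dc=org"
directory $t/tuned
EOF
    audit_slapd_conf "$t/slapd.conf" | sed "s|$t|TMP|g"
    rm -rf "$t"
}

demo
```

On a real host, pass the path of the live slapd.conf to `audit_slapd_conf` and run it as a user that can read the database directories.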