Michael Brown wrote:
> Sanga M. Collins wrote:
>> I think the deployment guide suggests you use pointers instead of
>> loading large pieces of data into the directory
>>
>> Sanga M. Collins Network Engineering
>> ~~~~~~~~~~~~~~~~~~~~~~~
>> IT Management LLC
>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>> Michael Ströder
>> Sent: Thursday, June 19, 2008 3:48 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: LDAP Load Tools
>>
>> Michael Brown wrote:
>>
>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>> moving to sp6 soon, or RHDS 8) with large attribute requirements
>>> (some attributes 25-30 Mbytes)
>>
>> Never saw a deployment where you store several MB into attributes.
>> I'm really curious whether that works? I know you can store this
>> amount of data but whether it really works for many entries.
>>
>> Ciao, Michael.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> As an FYI... The issue in the environment in which I'm working is not
> a data at rest issue for the large attributes, but rather a
> replication and writing issue.
>
> This is a US Government customer who has deployed a large PKI and LDAP
> infrastructure based upon the Red Hat CA and DS products, and they
> have several CAs with large certificate revocation lists approaching
> several tens of Mbytes each (the customer has issued tens of millions
> of certs from all the CAs deployed, and has revoked > 20% of these
> prior to expiration at any one time for various reasons, thus the
> large CRLs). These CRLs are published to Red Hat DS instances in the
> certificateRevocationList;binary attribute in the entry for each CA
> and replicated to consumer DS instances and customers who require the
> CRLs. OCSP is also used, but CRLs are still required for many
> applications.
>
> This is a reasonably mature architecture as far as PKI and LDAP are
> concerned, first deployed in 1999 or thereabouts (think Netscape
> days), but the large CRL growth has been problematic both in
> generation and in publishing/replication at times. The publishing and
> replication tuning is what I'm trying to address with additional lab
> testing.
>
> The Red Hat CA and DS solutions have shown themselves to be scalable
> and secure in this environment, with proper care and tuning.
>
> Michael

I sometimes use rpms or tar files to represent large attributes.

M.
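
An added example, not part of the thread and not code from any poster or from the Red Hat products: one way to produce the large-attribute write load discussed above for a lab is to generate LDIF modify records that replace certificateRevocationList;binary with an opaque payload of a chosen size. The DN `cn=Test CA,o=example`, the output file names and the use of random bytes in place of a real CRL are assumptions, and the DN is assumed to be plain ASCII.

```python
import base64
import os

ATTR = "certificateRevocationList;binary"


def fold(line, width=76):
    """Fold one LDIF line (RFC 2849): continuation lines begin with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def crl_replace_record(dn, payload, attr=ATTR):
    """Build an LDIF 'modify/replace' record carrying payload as base64."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {attr}",
        fold(f"{attr}:: {b64}"),
        "-",
    ]
    return "\n".join(lines) + "\n\n"  # blank line terminates the record


def unfold_value(record, attr=ATTR):
    """Recover the binary value from a record, to verify the round trip."""
    for line in record.replace("\n ", "").splitlines():
        if line.startswith(attr + ":: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise ValueError(f"{attr} not found in record")


if __name__ == "__main__":
    # Constructed payloads: random bytes standing in for a CRL (assumption).
    for mib in (1, 8, 30):
        payload = os.urandom(mib * 1024 * 1024)
        record = crl_replace_record("cn=Test CA,o=example", payload)  # hypothetical DN
        assert unfold_value(record) == payload
        name = f"crl-{mib}mib.ldif"
        with open(name, "w", encoding="ascii") as fh:
            fh.write(record)
        print(f"{name}: payload {len(payload)} bytes, LDIF {len(record)} bytes")
```

Each generated file can be passed to `ldapmodify -f` against a lab supplier while the time for the change to reach the consumers is measured; the base64 encoding makes the LDIF about a third larger than the stored value.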