Sanga M. Collins wrote:
I think the deployment guide suggests you use pointers instead of loading large pieces of data into the directory
Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
IT Management LLC
6491 Sunset Strip #5,
Sunrise Fl, 33313
Tel: (954) 572 7411,
Fax: (435) 578 7411
-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Michael Ströder
Sent: Thursday, June 19, 2008 3:48 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: LDAP Load Tools
Michael Brown wrote:
I'm working with an RHDS customer (currently RHDS 7.1sp3,
hopefully moving to sp6 soon, or RHDS 8) with large attribute
requirements (some attributes 25-30 Mbytes)
Never saw a deployment where you store several MB into attributes. I'm
really curious whether that works? I know you can store this amount of
data but whether it really works for many entries.
Ciao, Michael.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
As an FYI... The issue in the environment in which I'm working is not a
data at rest issue for the large attributes, but rather a replication
and writing issue.
This is a US Government customer who has deployed a large PKI and LDAP
infrastructure based upon the Red Hat CA and DS products, and they have
several CA's with large certificate revocation lists approaching several
tens of Mbytes each (the customer has issued tens of million of certs
from all the CAs deployed, and has revoked > 20% of these prior to
expiration at any one time for various reasons, thus the large CRLs).
These CRLs are published to Red Hat DS instances in the
certificateRevocationList;binary attribute in the entry for each CA and
replicated to consumer DS instances and customers who require the CRLs.
OCSP is also used, but CRLs are still required for many applications.
This is a reasonably mature architecture as far as PKI and LDAP are
concerned, first deployed in 1999 or thereabouts (think Netscape days),
but the large CRL growth has been problematic both in generation and in
publishing/replication at times. The publishing and replication tuning
is what I'm trying to address with additional lab testing.
The Red Hat CA and DS solutions have shown themselves to be scalable and
secure in this environment, with proper care and tuning.
Michael
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
