Michael Brown wrote:
Sanga M. Collins wrote:
I think the deployment guide suggests you use pointers instead of
loading large pieces of data into the directory
Sanga M. Collins Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
IT Management LLC
6491 Sunset Strip #5, Sunrise Fl, 33313
Tel: (954) 572 7411, Fax: (435) 578 7411
-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of
Michael Ströder
Sent: Thursday, June 19, 2008 3:48 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: LDAP Load Tools
Michael Brown wrote:
I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
moving to sp6 soon, or RHDS 8) with large attribute requirements
(some attributes 25-30 Mbytes)
Never saw a deployment where you store several MB into attributes.
I'm really curious whether that works? I know you can store this
amount of data but whether it really works for many entries.
Ciao, Michael.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
As an FYI... The issue in the environment in which I'm working is not
a data at rest issue for the large attributes, but rather a
replication and writing issue.
This is a US Government customer who has deployed a large PKI and LDAP
infrastructure based upon the Red Hat CA and DS products, and they
have several CAs with large certificate revocation lists approaching
several tens of Mbytes each (the customer has issued tens of millions
of certs from all the CAs deployed, and has revoked > 20% of these
prior to expiration at any one time for various reasons, thus the
large CRLs). These CRLs are published to Red Hat DS instances in the
certificateRevocationList;binary attribute in the entry for each CA
and replicated to consumer DS instances and customers who require the
CRLs. OCSP is also used, but CRLs are still required for many
applications.
This is a reasonably mature architecture as far as PKI and LDAP are
concerned, first deployed in 1999 or thereabouts (think Netscape
days), but the large CRL growth has been problematic both in
generation and in publishing/replication at times. The publishing and
replication tuning is what I'm trying to address with additional lab
testing.
The Red Hat CA and DS solutions have shown themselves to be scalable
and secure in this environment, with proper care and tuning.
Michael
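
Added example (not part of the original thread, and not Red Hat code): a Python sketch that DER-encodes the per-certificate entries of an X.509 CRL's revokedCertificates list (RFC 5280) and sums their size, to show how a CRL published in certificateRevocationList;binary grows linearly with the number of revoked certificates. The function names, the sequential serial numbers, the date and the one-million-entry count are constructed for illustration; the signed CRL header and signature add only a small fixed overhead on top.

```python
from datetime import datetime, timezone

# crlEntryExtensions holding one reasonCode (OID 2.5.29.21) = keyCompromise(1)
REASON_EXT = bytes.fromhex("300c300a0603551d1504030a0101")

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag + length + value for a single-octet tag."""
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):
    """Non-negative INTEGER; the extra octet keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def revoked_entry(serial, when, with_reason=False):
    """One revokedCertificates entry: serial, UTCTime date, optional reason."""
    # UTCTime (tag 0x17) covers revocation dates through 2049.
    date = tlv(0x17, when.strftime("%y%m%d%H%M%SZ").encode())
    ext = REASON_EXT if with_reason else b""
    return tlv(0x30, der_integer(serial) + date + ext)

def revoked_list_size(serials, when, with_reason=False):
    """Exact DER size of the revokedCertificates SEQUENCE for these serials."""
    content = sum(len(revoked_entry(s, when, with_reason)) for s in serials)
    return 1 + len(der_len(content)) + content

if __name__ == "__main__":
    when = datetime(2008, 6, 19, tzinfo=timezone.utc)  # constructed date
    serials = range(1, 1_000_001)                      # constructed: 1M revoked
    for flag in (False, True):
        size = revoked_list_size(serials, when, flag)
        print(f"reasonCode={flag}: {size / 1e6:.1f} MB for {len(serials)} entries")
```

Real CAs that issue long random serial numbers produce larger entries than the short sequential serials used here.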
I sometimes use rpm's or tar files to represent large attributes.
M.