Author Topic: Finding and thoughts on LDAP (Support for Master-Slave)  (Read 4051 times)

alvinquah

« on: February 12, 2010, 10:14:50 pm »
I have followed this guide http://trac.ebox-platform.com/wiki/Document/HowTo/EBoxMasterSlaveSetup#Master to help me set up a master/slave server. I have also browsed through the forum for any threads related to the master/slave issue.

After crashing a couple of times on 1.4, reinstalling 1.4 and configuring again, I have found that currently the Master server can only be set up as a userandgroup module. Because of this restriction, if we want support for master and slave, then we can only install the rest of the modules on the slave server, for example the UTM module.
*After some tests, ebox-asterisk cannot work with userandgroup even on the slave. When I clicked on edit users on the slave server, I got a nasty bug error.

So this thought comes to my mind: yes, the feature is good for replication/synchronization in case one of the servers is down. But what is the purpose of setting it up in such a way, knowing that we can only install the rest of the modules on the slave server?
A normal perception would be that all the modules should be installable on the master server and the slave server is brought in just for the purpose of LDAP replication. It is hard to persuade customers to adopt this kind of concept...

Unless my findings are wrong... please enlighten me. Thanks.

poundjd

« Reply #1 on: February 13, 2010, 02:00:13 am »
Alvinquah,
     The long term plan is to remove this limitation on what can run on the Master.  Most modern directory servers can actually run in a "Multi-Master" mode where every instance is a true Master and none of them are limited to being a Slave.  But getting LDAP to that level is still several years off in my understanding.  But eBox should be able to remove the limitation on the Master server in a few versions.  Javi or another staff member can speak to that better than I.
-jeff
Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

Saturn2888

« Reply #2 on: February 13, 2010, 11:52:13 pm »
There's other threads on this too. Don't wanna flood the forums.

christian

« Reply #3 on: February 15, 2010, 01:33:08 pm »
I fully share that there is a need to solve this issue (say rather "limitation") in terms of LDAP deployment.
However, I'm not convinced that the solution is a "multi-master" design.

I'm not in favor of a master LDAP server running on a platform hosting internet services (fw, proxy, MTA) and would have preferred to have the master internally and the slave on this internet gateway.

On a small LDAP landscape, multi-master is not a must because replication is supposed to be fast enough, with low latency. Then it's more a matter of defining and following referrals to make this single master transparent for applications.

Multi-master would be a must, however, in a highly available / fault tolerant architecture, but that's another topic far beyond LDAP only.

My $0.02

Saturn2888

« Reply #4 on: February 15, 2010, 04:41:21 pm »
Which is where they're aiming for eBox 2.0. I believe HA is going to be a priority of sorts.

poundjd

« Reply #5 on: February 15, 2010, 05:18:38 pm »
Christian,
I agree that for small environments MM is not as critical as it is for larger environments.

Most home users will not use it, the few that do really don't have a REQUIREMENT for it, just a desire at most.

Most everyone would agree that for HA/FT architectures it is a must.

For this product to gain more acceptance in the SMB arena then HA/FT and thus MM is an absolute requirement.

That is not to say that MM is a requirement for this next release or even this year, but I believe that it has to be on the road map.

-jeff
Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

Saturn2888

« Reply #6 on: February 15, 2010, 05:42:57 pm »
I'm fine with my Master/Slave architecture. If I shut down the master, the slave still works and retains my users from my experience, so it's not like the entire system shuts down.

Sam Graf

« Reply #7 on: February 15, 2010, 07:49:43 pm »
> Most everyone would agree that for HA/FT architectures it is a must.
>
> For this product to gain more acceptance in the SMB arena then HA/FT and thus MM is an absolute requirement.

As a rural farmhand type of IT guy instead of one of you big city types :) , I'd appreciate some perspective here.

eBox, as it exists today, seems to me to be weighted toward the S end of the SMB/SME market. It's not built on an enterprise Linux distro, for starters. And at the S end of the implementation, HA capability just in terms of server hardware seems rare. At the far S end of the market people run commodity PC hardware as servers or NAS devices more often than true server hardware. They have Gmail accounts for business purposes. Etc.

So to me, right now rock solid backup and recovery of configuration data, user data, and stored files are more important than system redundancy--except perhaps for the WAN failover capability. The reliability and recovery basics first on a product like eBox that actually targets rural farmhand single-server IT environments, it seems to me; else how or where does eBox fit into a distinctive place in the managed server market at the S end?

This discussion probably should get split off since it raises separate and more basic questions than alvinquah raised, I think ...

Saturn2888

« Reply #8 on: February 15, 2010, 08:40:48 pm »
By Gmail you mean Google Apps right? ;)

I would also say eBox is more for people like you and me doing small business, but that's not what they're aiming for because small businesses usually don't pay much for support, so if it was aimed at small businesses, it'd be set up either as a pay-per-month or pay for the entire package kind of thing.



Sam Graf

« Reply #9 on: February 15, 2010, 09:31:18 pm »
True enough that for eBox Technologies to make money they need to have some customers outside the small business/small enterprise. But where is the chief interest in a tightly integrated all-in-one solution that by design discourages manual administration going to be? Surely even if not exclusively at the S end of the market, I would think.

The good news is that even small business/small enterprise customers might grow with eBox and become paying customers, especially in the case of service providers building solutions on eBox. Either way, the more local services eBox supplies and the more IT-sophisticated eBox allows a small business/small enterprise to become, the more likely it will be that the ROI for remote services or support will become attractive quicker vertically within the marketspace.

On the other hand, fragmentation of the marketspace because of reliability or recovery concerns means just more feet in the door--a door already too small for very many feet at the S end of the market. If eBox serves that end of the market reliably in v1.x, and if eBox can consolidate that market, v2.x will be an easier sell vertically within the marketspace, at least up to the point where eBox has to face off with admins who prefer at least the option of truly managing their own servers.

The basic point is that if feature set gains ground on or even laps stability and ease of recovery in single-server environments (again, where one might expect to find integrated solutions) where the backup rule is followed faithfully even if the redundancy rule isn't, at best small business/small enterprise admins will deploy eBox only within their comfort zones, whatever that might be, before they'll write up a budget request for remote services.

Just my $0.02, of course.
« Last Edit: February 15, 2010, 09:34:26 pm by Sam Graf »

alvinquah

« Reply #10 on: February 15, 2010, 10:20:19 pm »
Thanks all for the constructive comments and feedback. I am perplexed that my thread actually derived to a lot of business perception of all who contributed.

Well, I will say that HA is a good selling point for eBox as well as partners, since they can upsell 2 eBoxes instead of one :D which in turn generates more revenue for deployment, hardware and managed services. HA will definitely push more end users to look towards using eBox as an enterprise solution at a competitive price that exists in the SME segment.

My thoughts now on eBox are that I would prefer that maybe they can launch more new features until 2.0 and concentrate on making the features stable as well as workable in all scenarios that potential customers can ask for. No point trying to sell customers all the new features but at the end of the day not all features work the way customers thought they should work due to the restriction of certain features.

In a nutshell for starting my thread, my question is with the restriction currently in master/slave mode (can't install userandgroups dependent modules on master), it will be hard for eBox partners/resellers to upsell the master/slave features.
I believe customers will have a perception of having to install whatever modules they want on the master server and let the slave servers take care of the user and groups redundancy should the master server fail.

Saturn2888

« Reply #11 on: February 15, 2010, 10:55:22 pm »
I'd actually prefer not to pay for eBox unless it was more affordable in the under $100 range, haha. I guess I have a different perspective on how things should be priced though.

HA is a fantastic selling point even if only a few people use it because those few people will benefit most from it. I'd sure like my other eBox, the one I use as a BackupPC server, to be my secondary server should my main one go down since it has the computing power to do so if needed.

The reason for going to Ubuntu over Enterprise Linuxes is driver support and the LTS release cycle as well as the enormous community of users. I think Ubuntu was the perfect choice. Other Linuxes are already in use for this kind of thing, but Ubuntu has nothing except Webmin which doesn't do this kind of stuff. Ubuntu also allows for installing on generic boxes as well as high-grade server equipment and has its own variants and a huge distro (Debian) backing it in compatibility to a degree so it's a sound choice for a forward-thinking company.

alvinquah, I still don't know what anyone else is talking about with this restriction because I seemed to have bypassed it. The slave taking over for the master would be nice, but at least your Users and Groups are in the slave while the master is offline.

Sam Graf

« Reply #12 on: February 15, 2010, 11:32:51 pm »
> The reason for going to Ubuntu over Enterprise Linuxes is driver support and the LTS release cycle as well as the enormous community of users. I think Ubuntu was the perfect choice. Other Linuxes are already in use for this kind of thing, but Ubuntu has nothing except Webmin which doesn't do this kind of stuff. Ubuntu also allows for installing on generic boxes as well as high-grade server equipment and has its own variants and a huge distro (Debian) backing it in compatibility to a degree so it's a sound choice for a forward-thinking company.

I have nothing against Ubuntu, and I have had nothing but mostly positive experiences with Ubuntu until it came to older (read "reasonable investment option for a grand eBox experiment") server hardware. Then I knew a lot less joy than I was expecting. When the current stable release of Debian goes where no current release of Ubuntu will, and when names like Dell, Intel, and Adaptec are all over the hardware, you are entitled, I think, to ask some hard questions :) . Not to mention that at least one well known open source EL distro comes with long term support. And to my knowledge, there's nothing as slick as eBox available for open source enterprise Linux.

So while Ubuntu isn't at all a bad choice for the base distro, it isn't 1) the only choice, nor 2) the only choice likely to be familiar to admins at the M end of the SMB/SME market. That's all I'm saying.

poundjd

« Reply #13 on: February 16, 2010, 02:36:52 am »
All,
    Ubuntu vs any other distribution is a good discussion those of you in the know can have, and I'll enjoy following it, just let me know where it is.

    In my post I was just saying what I believe to be a true path for success for both eBox as a project and the company behind it.

    I concur that stability is the most critical item.  After that it has to do what is expected.... well maybe those two should be reversed.....

     After that then I'd put HA/FT.....

     After that ease of use and breadth of functionality become an issue...

But understand I am the Senior Security Technical person for a 100,000+ user federal government organization....  so my priorities are sort of biased.
-jeff


Jeffrey D. Pound, Sr.
CISSP
Still learning, hope to never stop!

philmills

« Reply #14 on: February 16, 2010, 08:36:02 am »
I'm with alvinquah on this thread.

Master/slave is just too broken currently to be of any real-world use.
Yes, you can set up a master/slave relationship, but the reality is that almost any samba stuff you try to enable on the slave fails with a Nasty Bug. Yet the usersandgroups restriction on the master strait-jackets you into enabling them on the slave.

I'm seriously considering abandoning eBox as a slave altogether, and using FreeNAS for my samba server with it connecting to eBox for LDAP. But that will leave me without an integrated print server....

grrrr