Caching the LDAP database locally is not always necessary, and in some cases is a really bad idea. My company's network is a prime example. We have a dozen or so regional LDAP servers designed to be pounded on by thousands of clients. Authenticating a user directly from a server takes a fraction of a second. By contrast, downloading the thousands of employee records over SSL and rebuilding the LdapContrib database takes between 10 and 15 minutes. During that period, any attempt to access the TWiki produces an internal configuration error from Apache.
Using a cron job to force the rebuild during off hours is only a marginally acceptable workaround. We can live with it now because all our users are in North America. But in the near future, we'll have users in China, and midnight here is the middle of the afternoon there.
- 21 Sep 2008