[OTDev] OpenAM performance

Luchesar V. ILIEV luchesar.iliev at gmail.com
Mon Jul 4 18:05:09 CEST 2011


On 07/04/2011 15:52, Vedrin Jeliazkov wrote:
>> Given your below results, the most important
>> step besides upgrading will be a real powerful LDAP service for
>> configuration store.
> 
> Yes, this is simply a must. In fact I'm convinced that as long as we
> stick to the current rather resource demanding AA solution that we've
> designed and implemented, we should probably run it on bare hardware,
> not "in the cloud", in order to ensure satisfying performance. Another
> important aspect would be fault tolerance (both OpenAM and OpenDJ
> support load-balancing, failover and federating but this needs to be
> investigated/tested further). In addition, for a critical
> component such as AA it is often required to have multiple servers,
> running at different physical locations, to ensure a proper level of
> availability.

Hope you don't mind if I add yet another aspect: security. From this
standpoint, not only is it desirable to avoid virtualization (as the
added technical complexity means much less control), but it's even
better to deploy such services on dedicated hardware.

Overall, a serious centralized AA system would require careful planning
starting from the very physical location where it would be deployed (it
should, obviously, allow for tight control of who and when has access to
the hardware). And, as security is by definition a dynamic process,
never a static condition, that system would need constant attention:
monitoring, software management (at the very least, patching regularly),
proactive protection and contingency preparedness.

This, again, all speaks strongly in favour of a dedicated system.

Best regards,
Luchesar


