Operational Issues in Directories (selected)
Michael R. Gettes, Principal Technologist, Georgetown University, Gettes@Georgetown.EDU

Site Profile: dc=georgetown,dc=edu
  • Netscape/iPlanet DS version 4.16
  • 2 Sun E250 dual cpu, 512MB RAM
  • 105,000 DNs (25K campus, others = alums + etc)
  • Directory + apps implemented in 7 months
  • Distinguished names: uid=x,ou=people,dc=georgetown,dc=edu
  • iDS pre-op plugin (by gettes@Princeton.EDU)
  • Authentication over SSL; Required
  • Can do Kerberos – perf problems to resolve (LDAP2PAM)
  • 1 supplier, 4 consumers (configured this way since Jan 2000)
  • Authentication: Overall Plan @ Georgetown
  • Best of all 3 worlds
  • LDAP + Kerberos + PKI
  • LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in.
  • Credential Caching handled by Directory.
  • Cooperative effort – Georgetown, GATech, Michigan
  • All directory authentications SSL protected. Enforced with necessary exceptions
  • Update: Rumpf(OSU) & Carter(Duke); lots of flexibility in conf
  • Rumpf: New Kerb5 based plug-in, with caching
  • Carter: Merged Rumpf and Gettes. New code during 11/02
  • Use Kerberos for Win2K Services and to derive X.509 Client Certificates
  • One Userid/Password (single-signon vs. FSO)
  • General Operational Controls
  • Size limit trolling (300 or 20 entries?)
  • Lookthru limit (set very low)
  • Limit 3 processors for now, MP issues still! (v4)
  • For NSDS/iDS -- don’t run less than 4.16!!!
  • 100MB footprint, about 8000 DNs in cache
  • Your mileage will vary – follow cache guidelines documented by iPlanet.
  • 24x7 operations
  • What can users change?? (Very little)
  • No write intensive applications
  • Replica Structure (diagram; only the labels survive): MAILHOST, WHITEPAGES, MASTER, POSTOFFICE, DUMPER, Users, NetID Registry, Web Servers, Normal Ops, Failure Ops, Replication
  • Application/user performance
  • Failover, user and app service
  • Impact of DC= naming (replica init)
  • Fixed in 4.13 and iDS 5.0
  • Monitoring: web page and notification
  • Dumper replica – periodic LDIF dumps
  • Backups? We don’t need no stinkin’ backups!
  • Vendor Specific
  • No good solution for backups (iPlanet)
  • IBM uses DB2 under the covers
  • Novell?
  • Replication (Continued)
  • Application/users config for mult servers
  • Deterministic operations vs random
  • Failover works for online repairs
  • Config servers are replicated also
  • Cannot cascade with DC= (iPlanet)
  • Cascading is scary to me
  • Differential Replica Configurations
  • What are the issues?
  • Dribbling, replication transaction mgmt, bottlenecks
  • 10 to 1 SRA/CRA ratio recommended
  • Strong recommendation: Replicate!!!
  • RFC 3384 just came out
  • Directory Management
  • A view of replication
  • https://directory.georgetown.edu/cgi-bin/ldapstatus
  • Note the deeper info available under cn=monitor
  • This web page is “email/pager” enabled.
  • Originally posted by Netscape developers and modified by /mrg
  • LOOK by Bellina (Notre Dame) is a great enhancement to this display
  • LDAP Browser
  • http://www.iit.edu/~gawojar/ldap/
  • Service DNs
  • See LDAP-Recipe 2.6 (200210)
  • Critical Issue for Higher Education in USA due to FERPA
  • Application binds to DSA with “Service DN”
  • Access control manages what Service DN can see
  • Application obtains data required
  • If user authN is required:
  • App locates user object by search
  • uses result DN and user credential to re-bind to DSA as user
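The Service DN flow above (bind as the service, search for the user, re-bind as the user) and the size/lookthrough limits from the General Operational Controls slide, worked through as an added example that is not part of the slides and not Georgetown's code. It runs against a small in-memory stand-in for the DSA rather than iPlanet DS; the service DN `cn=webapp,ou=services,dc=georgetown,dc=edu`, the user entries and their passwords are constructed sample data, and the ACL deliberately never lets the service DN read `userPassword`, so the application only ever learns whether the DSA accepted the user's credential.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data for a hypothetical deployment under the page's base DN.
BASE_DN = "dc=georgetown,dc=edu"
PEOPLE = "ou=people," + BASE_DN
SERVICE_DN = "cn=webapp,ou=services," + BASE_DN   # hypothetical Service DN
INVALID_CREDENTIALS = 49   # LDAP resultCode for a failed simple bind
SIZE_LIMIT_EXCEEDED = 4    # LDAP resultCode sizeLimitExceeded
ADMIN_LIMIT_EXCEEDED = 11  # LDAP resultCode adminLimitExceeded (lookthrough limit)


class LdapError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{message} (resultCode {code})")
        self.code = code


def ssha_hash(password, salt=None):
    """Store credentials as {SSHA}: SHA-1 over password+salt, salt appended."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class SimulatedDSA:
    """In-memory stand-in for the DSA: simple bind, ACL-filtered search, admin limits."""

    def __init__(self, entries, acl, sizelimit=20, lookthroughlimit=500):
        self.entries = entries            # dn -> {attr: value}
        self.acl = acl                    # bound dn (None = anonymous) -> readable attrs
        self.sizelimit = sizelimit        # max entries returned per search
        self.lookthroughlimit = lookthroughlimit  # max candidate entries examined

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        if not entry or "userPassword" not in entry or not ssha_verify(entry["userPassword"], password):
            raise LdapError(INVALID_CREDENTIALS, "invalidCredentials")
        return dn

    def search(self, bound_dn, base, attr, value):
        """Equality search under base; a filter only matches attributes the binder may read."""
        readable = self.acl.get(bound_dn, set())
        results, looked = [], 0
        for dn, entry in self.entries.items():
            if not dn.endswith("," + base):
                continue
            looked += 1
            if looked > self.lookthroughlimit:
                raise LdapError(ADMIN_LIMIT_EXCEEDED, "adminLimitExceeded")
            if attr not in readable or entry.get(attr) != value:
                continue
            if len(results) >= self.sizelimit:
                raise LdapError(SIZE_LIMIT_EXCEEDED, "sizeLimitExceeded")
            results.append((dn, {k: v for k, v in entry.items() if k in readable}))
        return results


def build_directory(n_users=25):
    """Constructed directory: one service account and n_users people entries."""
    entries = {SERVICE_DN: {"cn": "webapp", "userPassword": ssha_hash("svc-secret")}}
    for i in range(n_users):
        uid = f"user{i}"
        entries[f"uid={uid},{PEOPLE}"] = {
            "objectClass": "person", "uid": uid, "cn": f"User {i}",
            "mail": f"{uid}@example.edu", "userPassword": ssha_hash(f"pw-{i}"),
        }
    acl = {
        None: set(),                                        # anonymous sees nothing
        SERVICE_DN: {"objectClass", "uid", "cn", "mail"},   # never userPassword
    }
    return SimulatedDSA(entries, acl, sizelimit=20)


def authenticate_user(dsa, uid, user_password):
    """Service DN pattern: bind as the service, locate the user, re-bind as the user."""
    dsa.bind(SERVICE_DN, "svc-secret")
    hits = dsa.search(SERVICE_DN, PEOPLE, "uid", uid)
    if len(hits) != 1:
        return None                           # unknown or ambiguous uid: refuse
    user_dn, attrs = hits[0]
    try:
        dsa.bind(user_dn, user_password)      # the DSA checks the password, not the app
    except LdapError:
        return None
    return user_dn, attrs


def wide_search_result(dsa, bound_dn):
    """resultCode a broad (objectClass=person) search gets back; 0 means success."""
    try:
        dsa.search(bound_dn, PEOPLE, "objectClass", "person")
        return 0
    except LdapError as err:
        return err.code


if __name__ == "__main__":
    dsa = build_directory()
    print(authenticate_user(dsa, "user3", "pw-3"))       # (user DN, visible attrs)
    print(authenticate_user(dsa, "user3", "wrong"))      # None
    print(wide_search_result(dsa, SERVICE_DN))           # 4: sizelimit 20 < 25 entries
```

With the size limit at 20 and 25 people entries, the broad search by the service DN is cut off with `sizeLimitExceeded`, which is the behaviour the "size limit" control on the slide is there to produce; an anonymous bind cannot even match on `uid`, so the lookup returns nothing rather than leaking which uids exist.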