Using LDAPv3 for Directory-Enabled Applications & Networking
Greg Lavender, Director of Technology, Innosoft International, Inc.
[email protected]
1999 Innosoft International, Inc.

An LDAP-enabled Enterprise Directory Infrastructure
[Figure: an LDAP-enabled enterprise directory backbone (multiple distributed LDAP servers) at the centre, with the following attached to it:]
• Applications: HR, facilities, etc.; mail, web, chat, etc.; telecomm, workflow, etc.
• Existing DBMS and intranet services
• Unified login services: X.509, SSO, PAM, NTDC
• Network devices: VPN, routers, firewalls, RAS devices
• PKI synchronization
• Legacy directories: NDS, Notes, X.500
• System management: DNS, DHCP, SLP

How to Get There (top-down)
• Identify authoritative directory data sources
  – export and load the data into an LDAP directory
  – periodic or on-change synchronization to pick up updates
  – eventually you might make the directory authoritative
• Incrementally deploy LDAP-enabled user applications
  – easiest is a white pages directory for web or email
  – requires you to set security and access control policies
  – eventually allow users to update their own information

How to Get There (bottom-up)
• LDAP-enable the network application infrastructure
  – web server authentication
  – remote access authentication (e.g., RADIUS)
  – firewall user authentication
  – POP and IMAP mail authentication
  – host and IP address management
  – policy-based routing and VPN security
  – directory in support of public-key authentication

Example Applications
• Enterprise whitepages directory
• Enterprise network services directory
• ISP high volume messaging
• Voice-over-IP use of directory
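The top-down steps above (export the authoritative HR data, bulk-load it, then keep the directory in sync periodically or on change) as an added worked example in Python. This is not Innosoft's code; the CSV columns, the ou=People,dc=example,dc=com naming context and the inetOrgPerson attribute mapping are assumptions, and the two HR exports are constructed. It emits the initial bulk-load LDIF, then an incremental LDIF (add, modify, delete) by diffing two exports keyed on employee id, which is what an ldapmodify-driven sync job consumes.

```python
import base64
import csv
import io

BASE_DN = "ou=People,dc=example,dc=com"          # assumed naming context
ATTR_MAP = {                                    # HR column -> inetOrgPerson attribute (assumed mapping)
    "givenName": "givenName", "sn": "sn", "mail": "mail",
    "telephoneNumber": "telephoneNumber", "department": "departmentNumber",
}

# Constructed HR exports; empid is the stable key that survives name and mail changes.
HR_EXPORT_DAY1 = """\
empid,givenName,sn,mail,telephoneNumber,department
1001,Alice,Ng,alice.ng@example.com,+1 555 0101,Engineering
1002,Bob,Rao,bob.rao@example.com,+1 555 0102,Facilities
1003,Carol,Diaz,carol.diaz@example.com,+1 555 0103,HR
"""
HR_EXPORT_DAY2 = """\
empid,givenName,sn,mail,telephoneNumber,department
1001,Alice,Ng,alice.ng@example.com,+1 555 0199,Engineering
1003,Carol,Diaz,carol.diaz@example.com,+1 555 0103,HR
1004,Dan,Okafor,dan.okafor@example.com,+1 555 0104,Engineering
"""

def parse_export(text):
    """CSV text -> {empid: row}."""
    return {row["empid"]: row for row in csv.DictReader(io.StringIO(text))}

def dn_for(empid):
    return f"uid={empid},{BASE_DN}"

def entry_attrs(row):
    """Directory view of one HR row; values are lists because LDAP attributes are multi-valued."""
    attrs = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
             "uid": [row["empid"]], "cn": [f'{row["givenName"]} {row["sn"]}']}
    for column, attr in ATTR_MAP.items():
        if row.get(column):
            attrs[attr] = [row[column]]
    return attrs

def ldif_line(attr, value):
    """RFC 2849: values that are not LDIF-safe go base64 after a double colon."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not value.endswith(" ") and "\n" not in value and "\r" not in value)
    return f"{attr}: {value}" if safe else f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def add_record(empid, attrs):
    lines = [f"dn: {dn_for(empid)}", "changetype: add"]
    for attr, values in attrs.items():
        lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines)

def modify_record(empid, old, new):
    """Per-attribute replace/delete, so attributes the HR feed does not own are left alone."""
    lines = [f"dn: {dn_for(empid)}", "changetype: modify"]
    for attr in sorted(set(old) | set(new)):
        if attr not in new:
            lines += [f"delete: {attr}", "-"]
        elif old.get(attr) != new[attr]:
            lines += [f"replace: {attr}", *(ldif_line(attr, v) for v in new[attr]), "-"]
    return "\n".join(lines)

def sync_operations(old_export, new_export):
    """Diff two exports: [(empid, 'add'|'modify'|'delete')], unchanged entries omitted."""
    ops = []
    for empid in sorted(set(old_export) | set(new_export)):
        if empid not in old_export:
            ops.append((empid, "add"))
        elif empid not in new_export:
            ops.append((empid, "delete"))
        elif entry_attrs(old_export[empid]) != entry_attrs(new_export[empid]):
            ops.append((empid, "modify"))
    return ops

def full_load_ldif(export):
    """Initial bulk load: one 'add' record per authoritative row."""
    return "\n\n".join(add_record(e, entry_attrs(export[e])) for e in sorted(export)) + "\n"

def incremental_ldif(old_export, new_export):
    """Periodic sync: only the delta, ready for ldapmodify against the directory."""
    records = []
    for empid, op in sync_operations(old_export, new_export):
        if op == "add":
            records.append(add_record(empid, entry_attrs(new_export[empid])))
        elif op == "delete":
            records.append(f"dn: {dn_for(empid)}\nchangetype: delete")
        else:
            records.append(modify_record(empid, entry_attrs(old_export[empid]), entry_attrs(new_export[empid])))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    day1, day2 = parse_export(HR_EXPORT_DAY1), parse_export(HR_EXPORT_DAY2)
    print(full_load_ldif(day1))
    print(incremental_ldif(day1, day2))
```

Keying on the employee id rather than on the name is what makes the modify path safe: a renamed user gets a `replace: cn` rather than a delete and re-add that would lose any self-service attributes the user has since set.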
LDAP Enterprise Whitepages Directory
[Figure: enterprise web users reach web servers over HTTP, and the web servers and enterprise mail users query a high availability, 24x7 LDAP directory service hub over LDAP; an LDAP Directory Manager talks to the hub over HTTP and SNMP; the hub is a primary/mirror pair linked by a high availability heartbeat on Ethernet, with a Sun console. Hardware shown: an Innosoft server on a Sun E3000 (2 x 336 MHz processors, 2 GB memory) and an UltraSPARC 2 (1 x 300 MHz processor, 512 MB memory), both Solaris 2.6 with Veritas FS; Sun UltraSCSI disk arrays of 4 x 9 GB and 2 x 4 GB primary storage, each with a 2 x 4 GB mirror.]

Enterprise Network Services with LDAP Proxy & Replicated Servers
[Figure: the extranet/Internet enters through a TCP/IP firewall to an LDAP proxy that applies LDAP access control and provides load balancing and failover in front of replicated LDAP servers. A web server uses LDAP access for user authentication (HTTP clients); a mail server (SMTP/POP/IMAP) uses LDAP access for user authentication, mail routing and delivery options.]

High Volume ISP Mail Services with Replicated LDAP Servers
[Figure: Internet traffic (SMTP/POP/IMAP) passes an IP director to multiple boundary SMTP relays, each with a local LDAP replica for high performance user authentication and mail routing; the replicas are fed by LDAP replication from a master LDAP server.]

LDAP Directory in a VoIP System
[Figure: phones attach to call processing servers (CPS) across the VoIP network; an LDAP directory server is used as the routing and subscriber authentication database. Each CPS caches the routing table and sets an LDAP "search trigger" to be notified in the event of a route update; when a routing update occurs, the search trigger fires and asynchronously updates each CPS.]
Key Considerations
• Performance and scalability
  – 500+ queries/sec with 1 CPU, millions of directory entries
• Replication for high availability
  – multiple slaves AND multiple masters for high availability
• Security and access control
  – SSLv3 for authentication and encryption (SSLv3 has since been deprecated by RFC 7568; a current deployment uses TLS, via StartTLS or LDAPS)
  – LDAP firewall proxy as front line of defense
• Load balancing and failover
  – proxy server to distribute queries and detect failures

High Availability
• Directories have become mission critical
  – users get used to accessing data 24x7
  – critical applications require 100% availability
• Option 1: provide HA with expensive hardware
  – centralize data and provide hardware fault tolerance
• Option 2: provide HA with lower cost hardware
  – distribute and replicate data for high availability
  – provide failover and load balancing

High Availability LDAP Services
• Put authoritative information close to users
• No single point of failure (multiple masters)
• Deal with failure transparently
• Distribute the work load for efficiency
• All of the above lead to 24x7 availability

Fallback Multi-Master Replication
• Uses LDAPv3
  – weakly consistent replication
    • based on "anti-entropy" protocol concepts
    • reduced bandwidth demands
• Primary and secondary master servers
  – masters coordinate to remain consistent
  – multiple slaves for scalability and fast response time
  – "second-level slaves" to support replication hierarchies

A HA LDAP Server Scenario
[Figure: a primary master and a fallback master kept in synchronization; clients send updates to the masters; incremental update propagation feeds the replicated slaves, which answer an update with a referral to a master; a secondary slave hangs off a slave, forming a two-level replication hierarchy.]
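The fallback multi-master scheme above (weakly consistent masters that reconcile through anti-entropy sessions, slaves fed incrementally and refusing writes) as an added simulation in Python. It is not Innosoft's replication code; the change stamps, the tie-break rule and the DN are assumptions. Each replica keeps a version vector of the highest change stamp it has seen from every origin, so a pull ships only what the puller lacks; a conflicting write to the same attribute on both masters resolves the same way on every replica, which is what "weakly consistent" buys you without a distributed lock.

```python
"""Anti-entropy replication model: changes carry a (clock, origin) stamp, replicas
exchange only unseen changes, and per-attribute last-writer-wins gives convergence."""

class Change:
    __slots__ = ("stamp", "origin", "dn", "attr", "value")
    def __init__(self, stamp, origin, dn, attr, value):
        self.stamp, self.origin, self.dn, self.attr, self.value = stamp, origin, dn, attr, value

class Replica:
    def __init__(self, name, writable=True):
        self.name = name
        self.writable = writable   # slaves refuse writes (a real server answers with a referral)
        self.clock = 0             # Lamport clock, advanced by every change seen
        self.entries = {}          # dn -> {attr: (value, stamp)}
        self.log = []              # every change this replica knows, for forwarding to others
        self.seen = {}             # version vector: origin -> highest stamp seen from it

    def update(self, dn, attr, value):
        if not self.writable:
            raise PermissionError(f"{self.name} is a read-only replica; write to a master")
        self.clock += 1
        change = Change((self.clock, self.name), self.name, dn, attr, value)
        self._record(change)
        return change

    def _record(self, change):
        """Learn a change: keep it for forwarding, apply it only if it beats the stored value.
        Stamps compare as (clock, origin), so equal clocks are broken by origin name."""
        self.clock = max(self.clock, change.stamp[0])
        self.seen[change.origin] = max(self.seen.get(change.origin, 0), change.stamp[0])
        self.log.append(change)
        current = self.entries.setdefault(change.dn, {}).get(change.attr)
        if current is None or change.stamp > current[1]:
            self.entries[change.dn][change.attr] = (change.value, change.stamp)
            return True
        return False

    def pull_from(self, peer):
        """One anti-entropy round: fetch only changes past our version vector.
        Returns (changes shipped, changes that won), so bandwidth is visible."""
        batch = [c for c in peer.log if c.stamp[0] > self.seen.get(c.origin, 0)]
        won = sum(self._record(c) for c in sorted(batch, key=lambda c: c.stamp))
        return len(batch), won

    def state(self):
        return {dn: {a: v for a, (v, _) in attrs.items()} for dn, attrs in self.entries.items()}

def anti_entropy(a, b):
    """Masters coordinate: each pulls what the other has that it lacks."""
    return a.pull_from(b), b.pull_from(a)

DN = "uid=1001,ou=People,dc=example,dc=com"   # assumed entry

def scenario():
    """Constructed run: a partition lets both masters accept a write to the same attribute."""
    primary, fallback = Replica("primary"), Replica("fallback")
    slave = Replica("slave-1", writable=False)
    primary.update(DN, "mail", "alice.ng@example.com")
    anti_entropy(primary, fallback)                          # fallback now has the entry
    primary.update(DN, "telephoneNumber", "+1 555 0199")     # link between masters is down...
    fallback.update(DN, "telephoneNumber", "+1 555 0177")    # ...so this conflicts
    fallback.update(DN, "departmentNumber", "Engineering")   # unrelated update, no conflict
    first = anti_entropy(primary, fallback)                  # link restored: 2 shipped one way, 1 the other
    second = anti_entropy(primary, fallback)                 # nothing left to ship
    slave.pull_from(fallback)                                # a slave converges from either master
    return primary, fallback, slave, first, second

if __name__ == "__main__":
    p, f, s, first, second = scenario()
    print("rounds:", first, second)
    print("converged:", p.state() == f.state() == s.state(), p.state()[DN])
```

The second anti-entropy round ships nothing, which is the "reduced bandwidth" point: replicas exchange version vectors, not whole entries. The cost of weak consistency is also visible: the fallback master served "+1 555 0177" until reconciliation, and the loser of the tie-break is silently discarded, so attribute-level last-writer-wins is only acceptable for data whose updates come from one authoritative source at a time.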
LDAP Proxy Server
• A secure "chaining" LDAP server
  – configurable query filtering for security
    • blocks denial-of-service attacks
    • stops "trawling"
    • filters connections and search requests
    • access control groups
    • can rewrite search requests/results
  – transparently forwards operations to one or more servers
  – does automatic failover

Load Balancing
[Figure: searches or updates arrive at load-balancing/failover LDAP proxy servers, which forward each operation to a server in a server group of master or slave servers.]
The LDAP proxy server monitors the directory servers for load and balances operations across the masters or slaves in a server group. It also applies coarse-grained access control.

Transparent Failover
[Figure: the same arrangement; the proxy servers forward operations to a live server in the group of masters or slaves.]
The proxy server monitors the directory servers, detects a server failure and redirects operations elsewhere until the server recovers.
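The proxy's query filtering, coarse-grained access control, load balancing and failover as an added Python example. This is not Innosoft's proxy: it is a small RFC 4515 filter parser, a screen that rejects unselective non-base searches (trawling), strips protected attributes, caps the size limit and applies a crude per-client request budget, and a server group that sends each operation to the least-loaded live server and bypasses one that fails. The thresholds, attribute sets, client address and server names are assumptions, and the traffic in `demo()` is constructed.

```python
from collections import namedtuple

# attrs=() means "all user attributes"; sizelimit=0 means the client set no limit
SearchRequest = namedtuple("SearchRequest", "base scope filter attrs sizelimit", defaults=((), 0))

def parse_filter(text):
    """Parse a subset of RFC 4515 (no \\xx escapes, no extensible match) into nested tuples."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    end = s.find(")", i)
    item = s[i:end] if end >= 0 else ""
    sep = next((x for x in ("<=", ">=", "~=", "=") if x in item), None)   # "=" last so "<=" wins
    if sep is None:
        raise ValueError(f"malformed filter item {item!r}")
    attr, value = item.split(sep, 1)
    attr = attr.strip().lower()
    if sep == "=" and value == "*":
        return ("present", attr), end + 1
    if sep == "=" and "*" in value:
        return ("substr", attr, value), end + 1
    return (sep, attr, value), end + 1

NON_SELECTIVE = {"objectclass"}   # assumption: matching on these pins down nothing

def pinned_chars(node):
    """Literal characters the filter forces onto one attribute; 0 means it matches everything."""
    kind = node[0]
    if kind == "&":
        return max(pinned_chars(k) for k in node[1])
    if kind == "|":
        return min(pinned_chars(k) for k in node[1])   # the weakest branch decides
    if kind in ("!", "present", "<=", ">=", "~=") or node[1] in NON_SELECTIVE:
        return 0
    value = node[2]
    return len(value.split("*")[0]) if kind == "substr" else len(value)   # only a literal prefix counts

MIN_PINNED, MAX_SIZELIMIT, MAX_REQUESTS = 3, 100, 50     # assumed policy thresholds
PROTECTED_ATTRS, PUBLIC_ATTRS = {"userpassword"}, ("cn", "mail", "telephoneNumber")   # assumed
_request_count = {}                                     # a real proxy ages this over a time window

def screen(req, client, privileged=False):
    """Return ('reject', reason) or ('allow', possibly rewritten request)."""
    _request_count[client] = _request_count.get(client, 0) + 1
    if _request_count[client] > MAX_REQUESTS and not privileged:
        return "reject", "request budget exhausted"      # crude denial-of-service brake
    try:
        tree = parse_filter(req.filter)
    except ValueError as exc:
        return "reject", f"bad filter: {exc}"
    if privileged:
        return "allow", req                               # e.g. the mail server's own access control group
    if req.scope != "base" and pinned_chars(tree) < MIN_PINNED:
        return "reject", "unselective filter on a non-base search (trawling)"
    attrs = tuple(a for a in (req.attrs or PUBLIC_ATTRS) if a.lower() not in PROTECTED_ATTRS)
    return "allow", req._replace(attrs=attrs, sizelimit=min(req.sizelimit or MAX_SIZELIMIT, MAX_SIZELIMIT))

class ServerGroup:
    """Least-loaded dispatch across live servers; a failed server is bypassed until a monitor clears it."""
    def __init__(self, servers):
        self.dispatched, self.down = {s: 0 for s in servers}, set()

    def forward(self, req, send):
        """send(server, req) does the operation; ConnectionError marks the server down and retries elsewhere."""
        for server in sorted(self.dispatched, key=self.dispatched.get):
            if server in self.down:
                continue
            self.dispatched[server] += 1
            try:
                return server, send(server, req)
            except ConnectionError:
                self.down.add(server)
        raise RuntimeError("no live directory server in group")

def demo():
    """Constructed traffic: one legitimate lookup, one trawl, and a server group with a dead member."""
    good = SearchRequest("dc=example,dc=com", "sub",
                         "(&(objectClass=person)(mail=alice.ng@example.com))", ("cn", "userPassword"))
    trawl = SearchRequest("dc=example,dc=com", "sub", "(|(cn=*)(sn=a*))")   # sn=a* pins one character
    decisions = [screen(good, "10.0.0.5"), screen(trawl, "10.0.0.5")]
    group = ServerGroup(["ldap1", "ldap2", "ldap3"])
    def send(server, req):
        if server == "ldap2":                                  # constructed: ldap2 is unreachable
            raise ConnectionError(server)
        return f"{server} answered {req.filter}"
    routed = [group.forward(good, send)[0] for _ in range(4)]
    return decisions, routed, sorted(group.down)
```

Two design points worth noting. The trawling rule scores an OR by its weakest branch, because `(|(cn=Alice)(sn=*))` matches everyone no matter how specific the first branch is; and the rewrite path never returns the client's own request object, so a `userPassword` request from an unprivileged client is dropped from the forwarded search rather than relied on the backend's ACLs alone. The "dead" server stays in `down` until something external clears it; the deck's proxy does that with its server monitor.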