Page 1: Using LDAPv3 for Directory-Enabled Applications & Networking

1999 Innosoft International, Inc.

Using LDAPv3 for Directory-Enabled Applications & Networking

Greg Lavender, Director of Technology
Innosoft International, Inc.
[email protected]

(Transcript of a 17-slide PowerPoint presentation.)

Page 2: An LDAP-enabled Enterprise Directory Infrastructure

[Diagram: an LDAP-enabled Enterprise Directory Backbone (multiple distributed LDAP servers) at the centre, with "sync" links to existing DBMSs (HR, Facilities, etc.), intranet services (mail, web, chat, etc.), unified login services (X.509, SSO, PAM, NTDC), applications (telecomm, workflow, etc.), legacy directories (NDS, Notes, X.500) and system management (DNS, DHCP, SLP). Also attached: PKI, VPN, and routers, firewalls and RAS devices.]

Page 3: How to Get There

• Top-down
– identify authoritative directory data sources
• export and load data into an LDAP directory
– periodic or on-change synchronization to get updates
– eventually you might make the directory authoritative
– incrementally deploy LDAP-enabled user applications
• easiest is a white pages directory for web or email
• requires you to set security and access control policies
• eventually allow users to update their own information

Page 4: How to Get There

• Bottom-up
– LDAP-enable the network application infrastructure
• web server authentication
• remote access authentication (e.g., RADIUS)
• firewall user authentication
• POP and IMAP mail authentication
• host and IP address management
• policy based routing and VPN security
• directory in support of public-key authentication

Page 5: Example Applications

• Enterprise whitepages directory
• Enterprise network services directory
• ISP high volume messaging
• Voice-over-IP use of directory

Page 6: LDAP Enterprise Whitepages Directory

[Diagram: High Availability 24x7 LDAP Directory Service. Primary directory server: Sun E3000, Solaris 2.6, Veritas FS, 2 x 336 MHz processors, 2 GB memory, 2 x 4 GB storage (primary) and 2 x 4 GB storage (mirror). Sun console: UltraSPARC 2, Solaris 2.6, Veritas FS, 1 x 300 MHz processor, 512 MB memory, 2 x 4 GB storage (primary) and 2 x 4 GB storage (mirror). The two are joined by a high availability heartbeat (Ethernet) and share a Sun UltraSCSI Disk Array; an Innosoft Server has 4 x 9 GB storage (primary). A hub connects the web servers, enterprise web users (HTTP), enterprise mail users (LDAP) and the directory manager (LDAP, HTTP, SNMP) to the directory service.]

Page 7: Enterprise Network Services with LDAP Proxy & Replicated Servers

[Diagram: traffic from the Extranet/Internet crosses a TCP/IP firewall to an LDAP proxy, which provides access control, load balancing and failover in front of the replicated LDAP servers. The mail server (SMTP/POP/IMAP) uses LDAP access for user authentication, mail routing and delivery options; the web server (HTTP) uses LDAP access for user authentication.]

Page 8: High Volume ISP Mail Services with Replicated LDAP Servers

[Diagram: Internet mail traffic (SMTP/POP/IMAP) passes through an IP Director to multiple boundary SMTP relays, each with a local LDAP replica for high performance user authentication and mail routing. LDAP replication flows from the master LDAP server to the relay replicas.]

Page 9: LDAP Directory in a VoIP System

[Diagram: Call Processing Servers (CPS), phones and the VoIP network, with an LDAP directory server used as a routing and subscriber authentication database.]

Each CPS caches the routing table and sets an LDAP "search trigger" to be notified in the event of a route update.

When a routing update occurs, the LDAP search trigger fires and asynchronously updates each CPS.

Page 10: Key Considerations

• Performance and scalability
– 500+ queries/sec with 1 CPU, millions of directory entries
• Replication for high availability
– multiple slaves AND multiple masters for high availability
• Security and access control
– SSLv3 for authentication and encryption
– LDAP firewall proxy as front-line of defense
• Load balancing and failover
– proxy server to distribute queries and detect failures

Page 11: High Availability

• Directories have become mission critical
– users get used to accessing data 24x7
– critical applications require 100% availability
• Option 1: provide HA with expensive hardware
– centralize data and provide hardware fault tolerance
• Option 2: provide HA with lower cost hardware
– distribute and replicate data for high availability
– provide failover and load balancing

Page 12: High Availability LDAP Services

• Put authoritative information close to users
• No single point of failure (multiple masters)
• Deal with failure transparently
• Distribute work load for efficiency
• All of the above lead to 24x7 availability

Page 13: Fallback Multi-Master Replication

• Uses LDAPv3
– weakly consistent replication
• based on "anti-entropy" protocol concepts
• reduced bandwidth demands
• Primary and secondary master servers
– masters coordinate to remain consistent
– multiple slaves for scalability and fast response time
– "second-level slaves" to support replication hierarchies

Page 14: A HA LDAP Server Scenario

[Diagram: a Primary Master and a Fallback Master kept in synchronization; updates arrive at the masters (slaves answer updates with a referral), and incremental update propagation carries changes to the Replicated Slaves and on to a Secondary Slave.]
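The weakly consistent, anti-entropy style replication described on pages 13 and 14 can be modelled in a few dozen lines. The following is an added example, not Innosoft's code: two master replicas each stamp every local change with a change sequence number (a Lamport-style clock plus the master's name, an assumption that gives every change a total order), a reconciliation session exchanges only per-entry digests and transfers just the entries whose digests differ, and the higher stamp wins a conflicting write, so the masters converge while moving little data. DNs, attribute values and master names are constructed.

```python
"""Toy anti-entropy session between two LDAP master replicas (added example)."""
import hashlib
import json
from typing import Any, Dict, Tuple

CSN = Tuple[int, str]   # (logical clock, master name); tuple order is the total order


class Master:
    def __init__(self, name: str) -> None:
        self.name = name
        self.clock = 0
        # dn -> (csn, attributes)
        self.entries: Dict[str, Tuple[CSN, Dict[str, Any]]] = {}

    def modify(self, dn: str, attrs: Dict[str, Any]) -> CSN:
        """Local write: advance the clock and stamp the entry."""
        self.clock += 1
        csn = (self.clock, self.name)
        self.entries[dn] = (csn, dict(attrs))
        return csn

    def observe(self, csn: CSN) -> None:
        """Keep the clock ahead of any CSN received from a peer."""
        self.clock = max(self.clock, csn[0])

    def digest(self, dn: str) -> str:
        """Short hash of (csn, attributes); this is all a session exchanges up front."""
        csn, attrs = self.entries[dn]
        blob = json.dumps([csn, attrs], sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()[:16]

    def digests(self) -> Dict[str, str]:
        return {dn: self.digest(dn) for dn in self.entries}


def anti_entropy(a: Master, b: Master) -> Dict[str, int]:
    """One reconciliation session; returns how many entries were compared and sent."""
    da, db = a.digests(), b.digests()
    dns = set(da) | set(db)
    transferred = 0
    for dn in sorted(dns):
        if da.get(dn) == db.get(dn):
            continue                      # digests agree: nothing to send
        ea, eb = a.entries.get(dn), b.entries.get(dn)
        if ea is None or (eb is not None and eb[0] > ea[0]):
            a.entries[dn] = eb            # b's version is newer, or a lacks the entry
            a.observe(eb[0])
        else:
            b.entries[dn] = ea            # a's version is newer, or b lacks the entry
            b.observe(ea[0])
        transferred += 1
    return {"compared": len(dns), "transferred": transferred}


def converged(a: Master, b: Master) -> bool:
    return a.entries == b.entries


if __name__ == "__main__":
    # Constructed scenario: each master writes one entry, then both write the same entry.
    m1, m2 = Master("m1"), Master("m2")
    alice = "uid=alice,ou=people,dc=example,dc=com"
    m1.modify(alice, {"mail": "alice@example.com"})
    m2.modify("uid=bob,ou=people,dc=example,dc=com", {"mail": "bob@example.com"})
    print(anti_entropy(m1, m2), converged(m1, m2))
    m1.modify(alice, {"mail": "alice@old.example.com"})
    m2.modify(alice, {"mail": "alice@new.example.com"})
    print(anti_entropy(m1, m2), m1.entries[alice])
```

A second session right after a successful one transfers nothing, which is the bandwidth saving the slide refers to: only digests cross the wire until something has changed.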

Page 15: LDAP Proxy Server

• A secure "chaining" LDAP server
– configurable query filtering for security
• blocks denial-of-service attacks
• stops "trawling"
– filters connections, search requests
• access control groups
• can rewrite search requests/results
– transparently forwards operations to one or more servers
– does automatic failover
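The query filtering the slide attributes to the proxy can be made concrete. What follows is an added example, not Innosoft's product code: a policy layer that parses a subset of RFC 4515 string filters, rejects subtree searches whose filter constrains essentially nothing (the "trawling" case), caps the size limit forwarded to the backend, applies a per-client request budget as a crude denial-of-service brake, and strips an attribute from results before they are returned, which is one form of result rewriting. The limits, the blocked attribute list and the sample requests are constructed assumptions.

```python
"""Policy checks of the kind an LDAP proxy applies before chaining a search (added example)."""
import time
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

BLOCKED_RESULT_ATTRS = {"userpassword"}   # constructed: never returned through the proxy
MAX_REQUESTS_PER_WINDOW = 50             # constructed per-client budget
WINDOW_SECONDS = 10.0
MAX_SIZE_LIMIT = 100                     # hard cap the proxy imposes on size limits
MIN_SUBSTR_LITERAL = 3                   # "(cn=a*)" still counts as a trawl


@dataclass
class SearchRequest:
    client: str
    base: str
    scope: str           # "base", "one" or "sub"
    filter: str          # RFC 4515 string filter
    attrs: List[str]
    size_limit: int = 0  # 0 means the client asked for no limit


def parse_filter(text: str):
    """Parse a subset of RFC 4515 into nested tuples.

    Returns ("and"|"or", [children]), ("not", child), ("present", attr) or
    (kind, attr, value) with kind in equal/substr/ge/le/approx. Attribute
    names are lower-cased; values are left as written.
    """
    def parse(i: int):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        if text[i] in "&|":
            op = "and" if text[i] == "&" else "or"
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if not children or i >= len(text) or text[i] != ")":
                raise ValueError("bad composite filter")
            return (op, children), i + 1
        if text[i] == "!":
            child, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("bad negation")
            return ("not", child), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        item = text[i:end]
        for sym, kind in (("~=", "approx"), (">=", "ge"), ("<=", "le"), ("=", "equal")):
            if sym in item:
                attr, value = item.split(sym, 1)
                attr = attr.strip().lower()
                if not attr:
                    raise ValueError("missing attribute")
                if kind == "equal" and value == "*":
                    return ("present", attr), end + 1
                if kind == "equal" and "*" in value:
                    return ("substr", attr, value), end + 1
                return (kind, attr, value), end + 1
        raise ValueError("bad filter item %r" % item)

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node


def is_trawling(node) -> bool:
    """True when the filter places no meaningful constraint on what matches."""
    kind = node[0]
    if kind == "present":
        return True
    if kind == "substr":
        return len(node[2].replace("*", "")) < MIN_SUBSTR_LITERAL
    if kind == "or":
        return any(is_trawling(c) for c in node[1])
    if kind == "and":
        return all(is_trawling(c) for c in node[1])
    return False   # equality, ordering, approx and negation are treated as selective


@dataclass
class ProxyPolicy:
    history: Dict[str, List[float]] = field(default_factory=dict)

    def check(self, req: SearchRequest, now: Optional[float] = None) -> Tuple[bool, str, int]:
        """Return (accepted, reason, effective size limit to forward)."""
        now = time.time() if now is None else now
        recent = [t for t in self.history.get(req.client, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.history[req.client] = recent
        if len(recent) > MAX_REQUESTS_PER_WINDOW:
            return False, "request budget exceeded", 0
        try:
            node = parse_filter(req.filter)
        except ValueError as exc:
            return False, "malformed filter: %s" % exc, 0
        if req.scope == "sub" and is_trawling(node):
            return False, "catch-all filter with subtree scope rejected", 0
        limit = req.size_limit if 0 < req.size_limit <= MAX_SIZE_LIMIT else MAX_SIZE_LIMIT
        return True, "ok", limit


def scrub_results(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Result rewriting: drop attributes the proxy must never pass back."""
    return [{k: v for k, v in e.items() if k.lower() not in BLOCKED_RESULT_ATTRS} for e in entries]
```

A base-scope read with `(objectClass=*)` is still accepted, since that is the normal way to fetch one entry; only the subtree scope turns a catch-all filter into a bulk dump of the directory.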

Page 16: Load Balancing/Failover LDAP Proxy Servers

[Diagram: searches or updates arrive at the LDAP proxy server, which forwards each operation to a server in a server group of master or slave servers.]

The LDAP proxy server monitors directory servers for load and balances operations across masters or slaves in a server group. It also applies coarse grained access control.

Page 17: Transparent Failover

Load Balancing/Failover Proxy Servers

[Diagram: searches or updates arrive at the proxy server, which forwards each operation to a server in a server group of masters or slaves.]

The proxy server monitors directory servers, detects server failure, and redirects operations until recovery.
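The behaviour on pages 16 and 17, load balancing across a server group plus failover until a failed server recovers, can be modelled directly. The following is an added example, not Innosoft's code: backends carry a health flag the proxy believes and a probe the proxy runs periodically, updates are routed only to masters while searches may go to any member, the least-loaded healthy server is chosen, and a server that fails an operation is marked down and skipped until a later probe readmits it. Server names, the probe and the failure injection are constructed.

```python
"""Minimal model of an LDAP proxy's load balancing and transparent failover (added example)."""
from dataclasses import dataclass
from typing import List, Set


class BackendDown(Exception):
    """Raised when a backend cannot serve an operation."""


@dataclass
class Backend:
    name: str
    is_master: bool
    healthy: bool = True   # what the proxy currently believes
    up: bool = True        # ground truth consulted by the constructed probe
    in_flight: int = 0
    served: int = 0

    def probe(self) -> bool:
        # In a real proxy this would be e.g. an anonymous bind or a Root DSE read.
        return self.up

    def execute(self, op: str) -> str:
        if not self.up:
            raise BackendDown(self.name)
        self.served += 1
        return f"{op} handled by {self.name}"


class ProxyGroup:
    def __init__(self, backends: List[Backend]) -> None:
        self.backends = backends

    def monitor(self) -> None:
        """Periodic health check: readmit recovered servers, evict dead ones."""
        for b in self.backends:
            b.healthy = b.probe()

    def candidates(self, op: str) -> List[Backend]:
        """Updates must reach a master; searches may go to any healthy member."""
        needs_master = op.split(" ", 1)[0] in ("add", "modify", "delete", "modrdn")
        return [b for b in self.backends if b.healthy and (b.is_master or not needs_master)]

    def forward(self, op: str) -> str:
        tried: Set[str] = set()
        while True:
            cands = [b for b in self.candidates(op) if b.name not in tried]
            if not cands:
                raise BackendDown("no healthy server for " + op)
            # Least loaded first: fewest in-flight operations, then fewest served so far.
            b = min(cands, key=lambda x: (x.in_flight, x.served))
            b.in_flight += 1
            try:
                return b.execute(op)
            except BackendDown:
                b.healthy = False      # failover: mark down, retry on another member
                tried.add(b.name)
            finally:
                b.in_flight -= 1


if __name__ == "__main__":
    # Constructed scenario: one master, two slaves, one slave fails and recovers.
    m1, s1, s2 = Backend("m1", True), Backend("s1", False), Backend("s2", False)
    group = ProxyGroup([m1, s1, s2])
    for _ in range(4):
        print(group.forward("search uid=alice"))
    print(group.forward("modify uid=alice"))
    s1.up = False
    print(group.forward("search uid=bob"), "| s1 healthy:", s1.healthy)
    s1.up = True
    group.monitor()
    print("s1 healthy after probe:", s1.healthy)
```

The client sees a single answer either way; the retry happens inside the proxy, which is what makes the failover transparent.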