Operational Issues in Directories (selected)
Michael R. Gettes, Principal Technologist, Georgetown University, Gettes@Georgetown.EDU
Site Profile: dc=georgetown,dc=edu
• Netscape/iPlanet DS version 4.16
• 2 Sun E250 dual cpu, 512MB RAM
• 105,000 DNs (25K campus, others = alums + etc)
• Directory + apps implemented in 7 months
• Distinguished names: uid=x,ou=people,dc=georgetown,dc=edu
• iDS pre-op plugin (by gettes@Princeton.EDU)
• Authentication over SSL; required
  • Can do Kerberos – perf problems to resolve (LDAP2PAM)
• 1 supplier, 4 consumers (configured this way since Jan 2000)
Authentication: Overall Plan @ Georgetown
• Best of all 3 worlds: LDAP + Kerberos + PKI
• LDAP Authentication performs Kerberos Authentication out the backend. Jan. 2001 to finish iPlanet plug-in.
• Credential Caching handled by Directory.
• Cooperative effort – Georgetown, GATech, Michigan
• All directory authentications SSL protected. Enforced with necessary exceptions
• Update: Rumpf (OSU) & Carter (Duke); lots of flexibility in conf
  • Rumpf: New Kerb5 based plug-in, with caching
  • Carter: Merged Rumpf and Gettes. New code during 11/02
• Use Kerberos for Win2K Services and to derive X.509 Client Certificates
• One Userid/Password (single-signon vs. FSO)
General Operational Controls
• Size limit trolling (300 or 20 entries?)
• Lookthru limit (set very low)
• Limit 3 processors for now, MP issues still! (v4)
• For NSDS/iDS -- don’t run less than 4.16!!!
• 100MB footprint, about 8000 DNs in cache
  • Your mileage will vary – follow cache guidelines documented by iPlanet.
• 24x7 operations
• What can users change?? (Very little)
• No write intensive applications
Replica Structure (diagram; node labels only): MASTER, MAILHOST, WHITEPAGES, POSTOFFICE, DUMPER; Users, NetID Registry, Web Servers; Normal Ops vs. Failure Ops paths
Replication
• Application/user performance
• Failover, user and app service
• Impact of DC= naming (replica init)
  • Fixed in 4.13 and iDS 5.0
• Monitoring: web page and notification
• Dumper replica – periodic LDIF dumps
• Backups? We don’t need no stinkin’ backups!
• Vendor Specific
  • No good solution for backups (iPlanet)
  • IBM uses DB2 under the covers
  • Novell?
Replication (Continued)
• Application/users config for mult servers
• Deterministic operations vs random
• Failover works for online repairs
• Config servers are replicated also
• Cannot cascade with DC= (iPlanet)
  • Cascading is scary to me
• Differential Replica Configurations
• What are the issues?
  • Dribbling, replication transaction mgmt, bottlenecks
  • 10 to 1 SRA/CRA ratio recommended
• Strong recommendation: Replicate!!!
• RFC 3384 just came out
Directory Management
• A view of replication: https://directory.georgetown.edu/cgi-bin/ldapstatus
  • Note the deeper info available under cn=monitor
  • This web page is “email/pager” enabled.
  • Originally posted by Netscape developers and modified by /mrg
  • LOOK by Bellina (Notre Dame) is a great enhancement to this display
• LDAP Browser: http://www.iit.edu/~gawojar/ldap/
Service DNs
• See LDAP-Recipe 2.6 (200210)
• Critical Issue for Higher Education in USA due to FERPA
• Application binds to DSA with “Service DN”
• Access control manages what Service DN can see
• Application obtains data required
• If user authN is required:
  • App locates user object by search
  • uses result DN and user credential to re-bind to DSA as user
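The Service DN flow on this slide (bind as the service account, search for the user, re-bind as the user with the supplied credential), written out as an added example; this is not code from the slides or from Georgetown. The DSA is a constructed in-memory stand-in so it runs offline, and the cn=webapp service account, its password and the uid=jdoe entry are assumptions; the two checks it adds (filter escaping per RFC 4515, refusing an empty password so the re-bind cannot turn into an unauthenticated bind per RFC 4513) are the ones a real client issuing the same sequence over SSL needs.

```python
import re
# RFC 4515 escaping: a user-supplied uid placed inside a search filter must not
# be able to change the filter's structure (e.g. "*" or "x)(uid=y").
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

class FakeDSA:
    """Constructed in-memory stand-in for the DSA so the flow runs offline.
    ou=people is only searchable after an authenticated (Service DN) bind."""
    def __init__(self, entries):          # entries: {dn: {attribute: value}}
        self.entries, self.bound_as = entries, None
    def bind(self, dn, password):
        # RFC 4513 5.1.2: a DN plus an empty password is an *unauthenticated*
        # bind; servers that allow it answer success but grant anonymous access.
        if password == "":
            self.bound_as = None
            return True
        entry = self.entries.get(dn)
        ok = entry is not None and entry.get("userPassword") == password
        self.bound_as = dn if ok else None
        return ok
    def search(self, base, uid_filter):
        if self.bound_as is None:
            raise PermissionError("ou=people is not readable anonymously")
        raw = re.fullmatch(r"\(uid=(.*)\)", uid_filter).group(1)
        uid = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and e.get("uid") == uid]

def authenticate(dsa, service_dn, service_pw, uid, user_pw,
                 base="ou=people,dc=georgetown,dc=edu"):
    """Bind as the Service DN, find the user, re-bind as the user with the
    supplied credential. Returns the user's DN on success, None otherwise."""
    if not user_pw:        # never forward an empty credential: see bind() above
        return None
    if not dsa.bind(service_dn, service_pw):
        raise RuntimeError("Service DN bind failed; check credentials and ACI")
    hits = dsa.search(base, f"(uid={escape_filter_value(uid)})")
    if len(hits) != 1:     # zero or ambiguous matches: do not guess a DN
        return None
    user_dn = hits[0]      # use the DN the DSA returned, not one built by hand
    return user_dn if dsa.bind(user_dn, user_pw) else None

# Constructed sample data: hypothetical service account and user, not real entries.
SERVICE_DN = "cn=webapp,ou=services,dc=georgetown,dc=edu"
DIRECTORY = FakeDSA({SERVICE_DN: {"userPassword": "svc-secret"},
                     "uid=jdoe,ou=people,dc=georgetown,dc=edu": {"uid": "jdoe", "userPassword": "correct horse"}})
```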