CSG WORKSHOP: OPERATIONAL AND DYS-FUNCTIONAL DIRECTORIES
Agenda
• Georgetown, Stanford, Burton Group, iPlanet, Michigan, Minnesota, Maryland, Colorado
• Edu-Person and Directory of Directories
I2-MI Middleware 201
Directory Operations: It’s Getting Deeper
Internet2 Middleware 201
Michael R. Gettes, Lead Application Systems Integrator, Georgetown University
gettes@Georgetown.EDU
How Deep?
• Site profile (configuration)
• Applications
• General operational controls
• Access lists
• Replication
• Related directories
• Directory of Directories
Site Profile: dc=georgetown,dc=edu
• Netscape/iPlanet DS version 4.11
• 2 Sun E250, dual CPU, 512MB RAM
• 65,000 DNs (25K campus; the rest are alums etc.)
• Directory + apps implemented in 6 months
• Distinguished names: uid=x,ou=people
• DC rant? Where is Bob Morgan when you need him?
• Does UUID in DN really work?
• NSDS pre-op plugin (by gettes@Princeton.EDU)
• Authentication over SSL (required)
• Can do Kerberos; performance problems to resolve
• 1 supplier, 4 consumers
Applications
• Mail routing with Sendmail 8.10 (lists also)
• Netscape Messaging Server v4.15 (IMAP)
• WebMail profile stored in LDAP
• Apache web server for Netscape roaming
• Apache and Netscape Enterprise web servers
• Blackboard CourseInfo Enterprise Edition
• Whitepages: Directory Server Gateway (DSGW)
• DSGW also used for privileged access and maintenance
Applications (Continued)
• Remote access with RADIUS (Funk)
• No SSL or proper LDAP binding (as of 3/2000)
• Authenticates and authorizes for dial-up, DSL and VPN services using the RADIUS called-id
• Alumni services (HoyasOnline)
• External vendor in Dallas, TX (PCI)
• They authenticate back to home directories; Apache is used to authenticate and proxy to a backend IIS server
• Email forwarding for life!
Applications (Continued)
• Specialized support apps
• Self-service mail routing
• Help Desk: mail routing, password resets, quota management via DSGW
• Change-password web page
• Person registry populates LDAP people data; currently MVS based
• PerLDAP used quite a bit; very powerful!
Applications (Continued)
• Georgetown Netscape Communicator build (CCK)
• Configured for central IMAP/SSL and directory services
• Handles versions of profiles; poor man’s MCD
• Future: more apps! Host DB, Kerberos integration, Win2K/AD integration?, Oracle RADIUS integration, automatic lists, dynamic/static groups
HoyasOnline Architecture (diagram; only the labels survive extraction): OS/390 systems (TMS, HRIS, SIS, NetID registry); LDAP Master and LDAP Slave; GU Backend Server with GU-provided self-service applications; PCI (Dallas) vendor-provided services, Alumni WWW, hoyasonline content; Client Browser.
General Operational Controls
• Size limit vs. trolling for entries (300 or 20 entries?)
• Look-through limit (set very low)
• Limited to 3 processors for now; multiprocessor (MP) issues remain
• 100MB footprint, about 8000 DNs in cache
• Your mileage will vary; follow the cache guidelines
• 24x7 operations
• What can users change?? (Very little)
• No write-intensive applications
General Ops Controls (cont…)
• Anonymous access allowed
• Needed for email clients
• Anonymous access is good if you resolve FERPA and other data access issues.
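The two slides above go together: anonymous read plus a search size limit is what lets a stranger "troll" the whitepages, walking sn=a*, sn=b*, ... and collecting the maximum number of entries on every hit. That pattern is visible in the server's access log as a run of size-limit results (err=4, sizeLimitExceeded) with a different filter each time, whereas a mail client that retries one over-broad filter produces the same error code but only one distinct filter. The script below is an added example, not tooling from the slides or from Georgetown; it assumes the Netscape/iPlanet DS access-log format, and the log lines, IP addresses and threshold are constructed for the example.

```shell
#!/bin/sh
# Added example: flag clients "trolling" the directory through the size limit.
# Counts, per client IP, how many DISTINCT search filters ended in
# RESULT err=4 (sizeLimitExceeded).  Retries of one filter count once,
# so a buggy mail client does not trip the alarm; an alphabet walk does.
# Usage: detect_trolling <threshold> < access.log   (threshold defaults to 3)

detect_trolling() {
    awk -v thresh="${1:-3}" '
    # Connection open line: remember which client IP owns this conn number.
    /connection from/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
        for (i = 1; i <= NF; i++) if ($i == "from") ip[conn] = $(i + 1)
        next
    }
    # Search request: remember its filter, keyed by conn and op number.
    / SRCH / {
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = substr($i, 6)
            if ($i ~ /^op=/)   op = substr($i, 4)
        }
        if (match($0, /filter="[^"]*"/))
            filt[conn " " op] = substr($0, RSTART + 8, RLENGTH - 9)
        next
    }
    # err=4 is LDAP sizeLimitExceeded: count one hit per client per distinct filter.
    / RESULT err=4 / {
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = substr($i, 6)
            if ($i ~ /^op=/)   op = substr($i, 4)
        }
        key = ip[conn] " " filt[conn " " op]
        if (!(key in seen)) { seen[key] = 1; hits[ip[conn]]++ }
    }
    END {
        for (c in hits) if (hits[c] >= thresh) print c, hits[c]
    }' | sort
}

# Constructed sample log (Netscape DS 4 access-log format; addresses made up):
# conn=40 walks sn=a*..sn=d*, conn=41 retries one broad filter, conn=42 is normal.
sample_log() {
    cat <<'EOF'
[21/Mar/2000:09:15:01 -0500] conn=40 fd=12 slot=12 connection from 141.161.20.5 to 141.161.1.10
[21/Mar/2000:09:15:01 -0500] conn=40 op=0 BIND dn="" method=128 version=3
[21/Mar/2000:09:15:01 -0500] conn=40 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Mar/2000:09:15:02 -0500] conn=40 op=1 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(sn=a*)" attrs="cn mail telephoneNumber"
[21/Mar/2000:09:15:02 -0500] conn=40 op=1 RESULT err=4 tag=101 nentries=300 etime=0
[21/Mar/2000:09:15:03 -0500] conn=40 op=2 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(sn=b*)" attrs="cn mail telephoneNumber"
[21/Mar/2000:09:15:03 -0500] conn=40 op=2 RESULT err=4 tag=101 nentries=300 etime=0
[21/Mar/2000:09:15:04 -0500] conn=40 op=3 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(sn=c*)" attrs="cn mail telephoneNumber"
[21/Mar/2000:09:15:04 -0500] conn=40 op=3 RESULT err=4 tag=101 nentries=300 etime=0
[21/Mar/2000:09:15:05 -0500] conn=40 op=4 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(sn=d*)" attrs="cn mail telephoneNumber"
[21/Mar/2000:09:15:05 -0500] conn=40 op=4 RESULT err=4 tag=101 nentries=300 etime=0
[21/Mar/2000:09:16:10 -0500] conn=41 fd=13 slot=13 connection from 141.161.30.7 to 141.161.1.10
[21/Mar/2000:09:16:10 -0500] conn=41 op=1 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(cn=*)" attrs="mail"
[21/Mar/2000:09:16:10 -0500] conn=41 op=1 RESULT err=4 tag=101 nentries=300 etime=1
[21/Mar/2000:09:16:11 -0500] conn=41 op=2 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(cn=*)" attrs="mail"
[21/Mar/2000:09:16:11 -0500] conn=41 op=2 RESULT err=4 tag=101 nentries=300 etime=1
[21/Mar/2000:09:16:20 -0500] conn=42 fd=14 slot=14 connection from 141.161.40.9 to 141.161.1.10
[21/Mar/2000:09:16:20 -0500] conn=42 op=1 SRCH base="ou=people,dc=georgetown,dc=edu" scope=2 filter="(uid=jdoe)" attrs="mail"
[21/Mar/2000:09:16:20 -0500] conn=42 op=1 RESULT err=0 tag=101 nentries=1 etime=0
EOF
}

# Run against the sample: prints "141.161.20.5 4", the alphabet walker only.
sample_log | detect_trolling 3
```

The threshold is per client and per distinct filter, so lowering the size limit (the "300 or 20?" question) raises the number of hits a harvester needs and makes the walk stand out sooner; a real deployment would also window by time and exclude the mail hosts and whitepages gateway, whose addresses are known.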
Schema: Design & Maintenance
• Unified namespace: there can be only one!
• Schema design and maintenance
• Space/time tradeoffs on indexing
• Edu-person 0.9 vs. guPerson
• guRestrict, guEmailBox, guAffil, guPrimAfil
• guPWTimebomb, guRadProf, guType, guSSN
• Relationships (guref)
• Maintained via objectclass (OC) and attributetype (AT) LDIF files applied with ldapmodify
Access Lists: Design & Maintenance
• Access lists: design and maintenance
• Buckley Amendment (FERPA) protection and services
• Privileged users and services
• userPassword and SSN
• Maintained by file using ldapmodify
• Working on large group controls now at GU
Data/Replica Structure (diagram; only the labels survive extraction): MASTER with replicas MAILHOST, WHITEPAGES, POSTOFFICE and DUMPER (the 1 supplier, 4 consumers of the site profile); other labels: Users, NetID Registry, Web Servers.
Replication
• Application/user performance
• Failover for user and application service
• Impact of DC= naming (replica initialization)
• Monitoring: web page and notification
• Dumper replica: periodic LDIF dumps
• Backups? We don’t need no stinkin’ backups!
• No good solution for backups
Replication (Continued)
• Application/user configuration for multiple servers
• Deterministic operations vs. random
• Failover works for online repairs
• Configuration servers are replicated too
• 10 to 1 SRA/CRA ratio recommended
• Cannot cascade with DC= (Netscape)
• Cascading is scary to me
Netscape Console
• Java program (fat client)
• Used to create, configure and monitor Netscape servers
• Preferred the web-page paradigm of the version 3 products
• Has enough bugs that it is only used by server admins, not by mere mortals
• Demo???
Other Directories
• Novell: abandoning GroupWise
• Active Directory??? Ugh!!!
• Integrate whitepages service with the hospital
Directory of Directories
• Outgrowth of the Georgetown WhitePages problem
• Exposes common schema issues (Edu-person 0.9)
• Performance issues for massively parallel searches
• Interesting lessons learned about the LDAP API
• Working with iPlanet/Netscape to use DSGW for this project
• Will it be more than just an experiment?