270 likes | 531 Views
LDAP Content Synchronization. Kurt D. Zeilenga Jong Hyuk Choi OpenLDAP Project IBM Research. Title slide. Agenda. What is a directory? What is X.500? What is LDAP? What is the OpenLDAP Project? LDAP Content Synchronization Questions and Answers. Agenda slide. What is a Directory?.
E N D
LDAP Content Synchronization Kurt D. Zeilenga Jong Hyuk Choi OpenLDAP Project IBM Research Title slide
Agenda • What is a directory? • What is X.500? • What is LDAP? • What is the OpenLDAP Project? • LDAP Content Synchronization • Questions and Answers Agenda slide
What is a Directory? • A database organized and/or optimized for lookup, searching, browsing, and other “read” activities. • Examples: • address books • web catalogs • whois(1) • dict(1) • operating system / network information services • Domain Name System
What is X.500? • The set of ITU standards covering electronic directory services. • X.500 defines the OSI Directory Service • Hierarchical • Distributed • Replicated • Schema driven
What is LDAP? • Lightweight Directory Access Protocol • an IETF Proposed Standard • A protocol for accessing X.500 directory services over the Internet (or networks using Internet Protocols).
What is OpenLDAP? • OpenLDAP Software • “community developed LDAP software” • OpenLDAP Project • “a collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools” • OpenLDAP Foundation • Provides a legal umbrella for the OpenLDAP Project • http://www.openldap.org
Request Response LDAP Overview User The Directory Closing slide
Request Response Polling for content changes User The Directory X Closing slide
Problems with simple “polling” • Cannot reliably detect whether the entry named by a DN is the same entry previously named by that DN. DNs are not stable identifiers! • A complete copy of each entry is transferred with each poll • Changes not apparent until next poll
Stable Identifiers • Add an Universally Unique Identifier (UUID) to each entry. • Introduce entryUUID operational attribute • Add knowledge of superior’s UUID for each entry. • Introduce parentUUID operational attribute
Reducing traffic • Each entry in LDAP has create and modify time stamps • (&(FILTER)(|(createTimeStamp>=TIME)(modifyTimeStamp>=TIME)) • where • FILTER is our original assertion and • TIME is the greatest seen in previous content. • All entries created/modified before TIME are not transferred. • Does not detect deleted (or modified ‘out of scope’) entries. • Does not detect unchanged entries now ‘in scope’ • Search operations are not necessarily isolated from directory modifications. One cannot assume all updates made before TIME appeared in the previous content.
We need to extend LDAP to support a lightweight content synchronization mechanism!
Target Applications • Heterogeneous Data Store Synchronization • “meta directory” applications • Local content shadowing • Directory-enabled services (web, email, etc.) • Mobile clients • LDAP Replication • Single master • Partial (Sparse and/or Fractional) Replication
Design Goals • Less chatty than “simple polling” • Maintain consistency • Eventually convergent (inconsistencies are transient) • Support “polling” for changes • Support “listening” for changes • Support partial synchronization • Do not require pre-arranged synchronization agreements • Do not require server to maintain per client state information • Do not require server to maintain histories of changes • Lightweight / Simple
Non-goals • Support bi-directional synchronization • Support very small clients (e.g., PDAs) • Attribute (or finer) granularity
Synchronization Overview New Old Changed Content Renamed Content Added Content Deleted Content Unchanged Content
Basic “Refresh Mode” Protocol Design Initial Content Request Send Entries Done with Cookie Content Refresh Request Send “Changed” Entries Send “Present” Messages Done with Cookie Repeat
First things first… • Stable object identifiers • LDAP Distinguished Names are not stable • Solution: add entryUUID and parentUUID attributes to every entry • Time stamps • LDAP create/modify time stamps are generally good enough, but semantics are unclear • Solution: add change sequence numbers (CSNs) to every entry, well define the semantics
The Cookie • Synchronization State Indicator • Greatest committed change sequence number (CSN) in context which is not greater than any outstanding CSN • e.g., Change Sequence Numbers != Commit Sequence Numbers
Refresh: updates+present v. updates+deletes • If server has no histories, it cannot determine what to “delete” • If server maintains “tombstone” information for deleted entries but no content change history, it must send deletes for all new tombstones as well as all out-of-scope updated entries. • If the server can reliably determine which entries previously present in the shadow copy which are no longer present in the content and the number of such entries is less than equal the number of unchanged entries, the server may send “deletes” instead of “present” messages.
OpenLDAP Implementation • No naming/change history • Each entry has: • entryUUID/parentUUID • entryCSN - updated on entry modify • namingCSN - updated on entry (not subtree) rename • Context has: • Outstanding CSNs - ordered list • Outstanding Naming CSNs – ordered list • Allows server to detect some “no deletes” cases.
Repeat “Refresh & Persist Mode” Protocol Design Content Request Send Entries Refresh Done Send “Changed” Entries and/or “Deleted” messages New “Cookie” Cancel Done with Cookie / Acknowledge Cancel
Special Cases • Operational Attributes • Must either be treated as part of the entry’s content if transferred. • structuralObjectClass • hasSubordinates • subschemaSubentry • Alias and Referral objects • No dereferencing • Treat as normal object • Collective Attributes • Not treated as content of entries of the collection • Client must ‘watch’ the collective attributes subentries • Access and other administrative controls • Server must either generate appropriate changes to sync client • OR force reload
Summary • The LDAP Content Synchronization Operation appears to met our needs: • Supports both “Polling” and “Listening” modes • “Polling” mode is less chatty than “simple polling” • “Listening” mode is significantly less chatty than “simple polling” • Eventual convergence is assured, inconsistencies are transient. • No pre-arranged synchronization agreements are needed. • Server need not maintain histories or per-client state information. • Able to support our target applications: • Meta Directory • Content caching • LDAP Replication
Availability • IETF Technical Specification: • draft-zeilenga-ldup-sync-xx.txt • draft-zeilenga-ldup-uuid-csn-xx.txt (available soon) • Last Call this summer (hopefully) • OpenLDAP Implementation: • LDAP-sync client and server implementations committed to HEAD • First-cut LDAP Replication engine committed to HEAD • Release target: OpenLDAP 2.2 in Summer of 2003
Questions? Closing slide