Using LDAPv3 for DirectoryEnabled Applications - PowerPoint PPT Presentation

About This Presentation
Title:

Using LDAPv3 for DirectoryEnabled Applications

Description:

easiest is a white pages directory for web or email ... Enterprise whitepages directory. Enterprise network services directory. ISP high volume messaging ... – PowerPoint PPT presentation

Slides: 18
Provided by: gregla

Transcript and Presenter's Notes

Title: Using LDAPv3 for DirectoryEnabled Applications


1
Using LDAPv3 for Directory-Enabled Applications
Networking
  • Greg Lavender, Director of Technology, Innosoft
    International, Inc.
  • Greg.Lavender_at_innosoft.com

2
An LDAP-enabled Enterprise Directory Infrastructure
[Diagram: an LDAP-enabled enterprise directory backbone (multiple distributed LDAP servers) at the center. Around it: infrastructure services (X.509, SSO, PAM, NTDC; VPN; PKI; routers, firewalls, RAS devices; DNS, DHCP, SLP), applications (mail, web, chat, etc.; unified login services; intranet services; HR, facilities, etc.; telecomm, workflow, etc.; system management), existing DBMS, and legacy directories (NDS, Notes, X.500) kept in sync with the backbone.]
3
How to Get There
  • Top-down
      • identify authoritative directory data sources
      • export and load data into an LDAP directory
      • periodic or on-change synchronization to get
        updates
      • eventually you might make the directory
        authoritative
  • incrementally deploy LDAP-enabled user
    applications
      • easiest is a white pages directory for web or
        email
      • requires you to set security and access control
        policies
      • eventually allow users to update their own
        information

4
How to Get There
  • Bottom-up
      • LDAP-enable the network application
        infrastructure
      • web server authentication
      • remote access authentication (e.g., RADIUS)
      • firewall user authentication
      • POP and IMAP mail authentication
      • host and IP address management
      • policy-based routing and VPN security
      • directory in support of public-key authentication

5
Example Applications
  • Enterprise whitepages directory
  • Enterprise network services directory
  • ISP high volume messaging
  • Voice-over-IP use of directory

6
LDAP Enterprise Whitepages Directory
[Diagram: enterprise web users reach web servers over HTTP, and the web servers and enterprise mail users query a high-availability 24x7 LDAP directory service over LDAP. The service is two Innosoft servers joined by a hub and a high-availability heartbeat (Ethernet): a Sun E3000 (2 x 336 MHz processors, 2 GB memory) and an UltraSPARC 2 (1 x 300 MHz processor, 512 MB memory), both running Solaris 2.6 with Veritas FS, with a Sun UltraSCSI disk array providing 4 x 9 GB primary storage and 2 x 4 GB primary and mirror volumes. A Directory Manager station manages the service over LDAP, HTTP and SNMP.]
7
Enterprise Network Services with LDAP Proxy
[Diagram: a web server (HTTP) uses LDAP access for user authentication, and a mail server (SMTP/POP/IMAP) uses LDAP access for user authentication, mail routing, and delivery options. Both go through an LDAP proxy, which provides access control, load balancing and failover in front of a set of replicated LDAP servers.]
8
High Volume ISP Mail Services with Replicated LDAP Servers
[Diagram: multiple boundary SMTP relays (SMTP/POP/IMAP), each with a local LDAP replica for high-performance user authentication and mail routing; the replicas are fed by LDAP replication from a master LDAP server.]
9
LDAP Directory in a VoIP System
[Diagram: phones attach to call processing servers (CPS), which communicate with an LDAP directory server.]
Each CPS caches the routing table and sets an LDAP search trigger so that it is notified in the event of a route update. When a routing update occurs, the LDAP search trigger fires and asynchronously updates each CPS. The LDAP server is used as the routing and subscriber authentication database.
10
Key Considerations
  • Performance and scalability
      • 500 queries/sec with 1 CPU, millions of
        directory entries
  • Replication for high availability
      • multiple slaves AND multiple masters for high
        availability
  • Security and access control
      • SSLv3 for authentication and encryption
      • LDAP firewall proxy as front line of defense
  • Load balancing and failover
      • proxy server to distribute queries and detect
        failures

11
High Availability
  • Directories have become mission critical
      • users get used to accessing data 24x7
      • critical applications require 100% availability
  • Option 1: provide HA with expensive hardware
      • centralize data and provide hardware fault
        tolerance
  • Option 2: provide HA with lower cost hardware
      • distribute and replicate data for high
        availability
      • provide failover and load balancing

12
High Availability LDAP Services
  • Put authoritative information close to users
  • No single point of failure (multiple masters)
  • Deal with failure transparently
  • Distribute work load for efficiency
  • All of the above lead to 24x7 availability

13
Fallback Multi-Master Replication
  • Uses LDAPv3
      • weakly consistent replication
      • based on anti-entropy protocol concepts
      • reduced bandwidth demands
  • Primary and secondary master servers
      • masters coordinate to remain consistent
      • multiple slaves for scalability and fast
        response time
      • second-level slaves to support replication
        hierarchies
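
The anti-entropy idea behind the slide, as an added illustration rather than Innosoft's replication code: two masters each keep a change stamp per entry, exchange only a small digest of those stamps, and then ship only the entries whose stamps differ, so a round costs bandwidth proportional to the divergence, not to the directory size. The DNs, timestamps and the (timestamp, server name) stamp ordering are constructed for the example.

```python
"""Anti-entropy reconciliation between a primary and a fallback LDAP master.

Added illustration, not Innosoft's code. Each master stores, per entry DN,
a change stamp (timestamp, server-name) and the entry's attributes; the
higher stamp wins, which is what makes the scheme weakly consistent:
both masters accept writes and converge afterwards.
"""
from hashlib import sha256


class Master:
    def __init__(self, name):
        self.name = name
        self.entries = {}  # dn -> (stamp, attrs)

    def modify(self, dn, attrs, ts):
        # A local write; the server name breaks ties between equal timestamps.
        self.entries[dn] = ((ts, self.name), dict(attrs))

    def digest(self):
        # What is sent to the peer: one short hash per DN, never the entry itself.
        return {dn: sha256(repr(stamp).encode()).hexdigest()[:16]
                for dn, (stamp, _) in self.entries.items()}

    def reconcile(self, peer):
        """One anti-entropy round with peer; returns how many entries moved."""
        mine, theirs = self.digest(), peer.digest()
        # Only DNs whose digests disagree (or exist on one side) are examined.
        suspect = [dn for dn in set(mine) | set(theirs)
                   if mine.get(dn) != theirs.get(dn)]
        moved = 0
        for dn in suspect:
            a, b = self.entries.get(dn), peer.entries.get(dn)
            if a is None or (b is not None and b[0] > a[0]):
                self.entries[dn] = b      # peer's version is newer: pull it
                moved += 1
            elif b is None or a[0] > b[0]:
                peer.entries[dn] = a      # our version is newer: push it
                moved += 1
        return moved


def converged(a, b):
    """True when both masters hold identical entries and stamps."""
    return a.entries == b.entries
```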

14
A HA LDAP Server Scenario
[Diagram: a primary master and a fallback master synchronize with each other and both accept updates; incremental update propagation carries changes to the replicated slaves and on to a secondary slave, with updates and referrals linking the slaves back to the masters.]
15
LDAP Proxy Server
  • A secure chaining LDAP server
      • configurable query filtering for security
      • blocks denial-of-service attacks
      • stops trawling
      • filters connections, search requests
      • access control groups
      • can rewrite search requests/results
  • transparently forwards operations to one or more
    servers
  • does automatic failover
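
To make the "query filtering", "stops trawling" and "can rewrite search requests" bullets concrete, here is an added example of the kind of coarse-grained policy a proxy can apply before forwarding a search; it is not Innosoft's product code. The naming context, size caps and the rule that an anonymous subtree search whose filter only tests attribute presence counts as a trawl are all constructed assumptions for the example.

```python
"""Coarse-grained search policy for an LDAP proxy (added illustration).

The proxy sees every search before a directory server does, so it can
confine searches to the served naming context, refuse anonymous subtree
enumeration (filters such as (objectClass=*) or (|(cn=*)(mail=*)) that
match every entry), and rewrite the size limit so one client cannot
pull the whole directory. Thresholds and names are constructed.
"""
import re
from dataclasses import dataclass

NAMING_CONTEXT = "dc=example,dc=com"        # constructed suffix the proxy serves
ANON_SIZE_LIMIT, AUTH_SIZE_LIMIT = 20, 500  # constructed caps per bind type
_LEAF = re.compile(r"\(([^()=]+)=([^()]*)\)")  # one attr=value assertion


@dataclass
class SearchRequest:
    bind_dn: str     # "" for an anonymous bind
    base_dn: str
    scope: str       # "base", "one" or "sub"
    filter: str      # RFC 2254 string filter
    size_limit: int  # 0 means the client asked for no limit


@dataclass
class Verdict:
    decision: str    # "deny" or "forward"
    reason: str
    size_limit: int  # limit actually sent on when forwarded


def enumerates(filter_str):
    """True when every leaf assertion is a presence or wildcard-only test."""
    leaves = _LEAF.findall(filter_str)
    return bool(leaves) and all(set(v.strip()) <= {"*"} for _, v in leaves)


def evaluate(req):
    base = req.base_dn.lower().replace(" ", "")
    if not (base == NAMING_CONTEXT or base.endswith("," + NAMING_CONTEXT)):
        return Verdict("deny", "base outside served naming context", 0)
    anonymous = req.bind_dn == ""
    if anonymous and req.scope == "sub" and enumerates(req.filter):
        return Verdict("deny", "anonymous subtree enumeration", 0)
    cap = ANON_SIZE_LIMIT if anonymous else AUTH_SIZE_LIMIT
    # Rewrite: keep the client's limit only if it is tighter than the cap.
    limit = req.size_limit if 0 < req.size_limit <= cap else cap
    return Verdict("forward", "ok", limit)
```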

16
Load Balancing
[Diagram: load balancing/failover LDAP proxy servers receive searches or updates and forward each operation to a server in a server group of master or slave servers.]
The LDAP proxy server monitors the directory servers for load and balances operations across the masters or slaves in a server group. It also applies coarse-grained access control.
17
Transparent Failover
[Diagram: load balancing/failover proxy servers receive searches or updates and forward each operation to a server in a server group of masters or slaves.]
The proxy server monitors the directory servers, detects server failure, and redirects operations until the failed server recovers.