Slide 1: Operational Issues in Directories (selected)
Michael R. Gettes, Principal Technologist, Georgetown University
Slide 2: Site Profile dc=georgetown,dc=edu
- Netscape/iPlanet DS version 4.16
- 2 Sun E250, dual CPU, 512MB RAM
- 105,000 DNs (25K campus; others = alums + etc.)
- Directory + apps implemented in 7 months
- Distinguished names: uid=x,ou=people,dc=georgetown,dc=edu
- iDS pre-op plugin (by
- Authentication over SSL; Required
- Can do Kerberos – perf problems to resolve (LDAP2PAM)
- 1 supplier, 4 consumers (configured this way since Jan 2000)
Slide 3: Authentication: Overall Plan @ Georgetown
- Best of all 3 worlds: LDAP + Kerberos + PKI
- LDAP authentication performs Kerberos authentication out the backend. Jan to finish iPlanet plug-in.
- Credential caching handled by Directory.
- Cooperative effort – Georgetown, GATech, Michigan
- All directory authentications SSL protected. Enforced with necessary exceptions
- Update: Rumpf (OSU) & Carter (Duke); lots of flexibility in conf
  - Rumpf: New Kerb5 based plug-in, with caching
  - Carter: Merged Rumpf and Gettes. New code during 11/02
- Use Kerberos for Win2K Services and to derive X.509 Client Certificates
- One Userid/Password (single sign-on vs. FSO)
Slide 4: General Operational Controls
- Size limit trolling (300 or 20 entries?)
- Lookthru limit (set very low)
- Limit 3 processors for now, MP issues still! (v4)
- For NSDS/iDS -- don’t run less than 4.16!!!
- 100MB footprint, about 8000 DNs in cache. Your mileage will vary – follow cache guidelines documented by iPlanet.
- 24x7 operations
- What can users change?? (Very little)
- No write intensive applications
Slide 5: Replica Structure (diagram; only its labels survive): servers MASTER, MAILHOST, WHITEPAGES, POSTOFFICE, DUMPER; clients Users, NetID Registry, Web Servers; paths labelled Normal Ops and Failure Ops.
Slide 6: Replication – Application/user performance
- Failover, user and app service
- Impact of DC= naming (replica init). Fixed in 4.13 and iDS 5.0
- Monitoring: web page and notification
- Dumper replica – periodic LDIF dumps
- Backups? We don’t need no stinkin’ backups!
- Vendor specific: no good solution for backups (iPlanet); IBM uses DB2 under the covers; Novell?
Slide 7: Replication (Continued)
- Application/users config for mult servers: deterministic operations vs random
- Failover works for online repairs
- Config servers are replicated also
- Cannot cascade with DC= (iPlanet). Cascading is scary to me
- Differential replica configurations: what are the issues? Dribbling, replication transaction mgmt, bottlenecks
- 10 to 1 SRA/CRA ratio recommended
- Strong recommendation: Replicate!!! RFC 3384 just came out
Slide 8: Directory Management – A view of replication
- Note the deeper info available under cn=monitor
- This web page is “/pager” enabled.
- Originally posted by Netscape developers and modified by /mrg
- LOOK by Bellina (Notre Dame) is a great enhancement to this display
- LDAP Browser
Slide 9: Service DNs (see LDAP-Recipe 2.6 (200210))
- Critical issue for higher education in USA due to FERPA
- Application binds to DSA with “Service DN”
- Access control manages what Service DN can see
- Application obtains data required
- If user authN is required: app locates user object by search, uses result DN and user credential to re-bind to DSA as user