Directory Servers

  • A database accessible via LDAP
  • Primarily used for ...
    • Quick lookup of contact information (White Pages)
    • Mail routing
    • Also houses a mix of other data
  • Designed to handle a high volume of connections that each read small amounts of data
  • We are currently running Sun ONE Directory Server 5.2 patch level 6
  • Public data can be read without a password (anonymous bind)
  • Private data access requires AuthN
  • AuthN methods are ...
    • Bind ID and password (LDAP simple bind)
      • Bind IDs are directory entries (with associated passwords) that are stored in Directory Server
    • Kerberos 5
      • Uses the SASL GSSAPI mechanism behind the scenes
      • Currently available on some dev and test instances. Will become available on prod instances.
  • Clients can connect with or without SSL.
    • Without SSL, a simple bind sends the Bind ID and its password in cleartext, so password binds should use SSL
  • Load balancing via DNS round robin between 2 prod machines
  • Data is replicated to several Directory Servers
  • No automatic fail over
    • Sys admin must substitute another machine "by hand"
    • Can change DNS entry or move a "Service IP"
  • ACI (Access Control Information) controls internal AuthZ
    • Controls what information can be read/modified by different Bind IDs (and by anonymous binds)
    • ACIs are stored in the directory itself, as attributes on entries, and are evaluated by Directory Server
  • OS: Solaris 9 (SunOS 5.9)
  • Production: 5 machines
    • 2 of which handle most of the traffic
    • 1 of which is dedicated to just handling mail routing queries from CIT's mail servers
  • Machines are in the server farm (Sun SPARC)
    • Two factor AuthN required for SSH login
    • Machines are split between Rhodes and CCC
  • Test: 2 machines
  • Dev: 1 machine
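The anonymous bind, Bind ID/password bind and SSL points above, worked through as an added example. This is not Directory Server code and not from the original page: it hand-encodes LDAPv3 BindRequest and BindResponse messages in BER (RFC 4511) so the bytes that cross the wire can be inspected offline. The DN cn=app,dc=example,dc=com, the password s3cret and the sample response bytes are constructed for illustration only. Kerberos binds use the sasl [3] authentication choice carrying a GSSAPI token instead of a password and are not shown.

```python
"""Minimal LDAPv3 BindRequest/BindResponse codec, hand-built in BER (RFC 4511).

Added illustration, not Directory Server code.  It shows what an anonymous bind
and a Bind-ID simple bind look like on the wire and why the SSL choice matters:
the password travels inside the BindRequest as a plain OCTET STRING.
"""


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value, tag=0x02):
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0a), minimal two's-complement."""
    n = (value.bit_length() // 8) + 1
    return ber_tlv(tag, value.to_bytes(n, "big", signed=True))


def bind_request(message_id, bind_dn="", password=""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    Empty DN + empty password is an anonymous bind.  A non-empty DN with an empty
    password is the 'unauthenticated' bind of RFC 4513 s.5.1.2: RFC-compliant
    servers reject it, but older ones treat it as anonymous, so an application
    that only checks 'bind succeeded' can be fooled.  Refuse to build one.
    """
    if bind_dn and not password:
        raise ValueError("refusing unauthenticated bind (DN without password)")
    op = ber_int(3) + ber_tlv(0x04, bind_dn.encode()) + ber_tlv(0x80, password.encode())
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, op))


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# Result codes from RFC 4511 Appendix A that matter for bind handling.
RESULT_NAMES = {0: "success", 13: "confidentialityRequired",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def parse_bind_response(packet):
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc, "result": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def password_on_wire(packet, password):
    """True if the cleartext password is visible in the bytes a sniffer would see (no SSL)."""
    return password.encode() in packet


# Constructed sample responses (standard encodings, not captured from a real server):
# success for message 1, invalidCredentials (49) for message 2.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_BIND_BAD = bytes.fromhex("300c02010261070a013104000400")


if __name__ == "__main__":
    anon = bind_request(1)
    simple = bind_request(2, "cn=app,dc=example,dc=com", "s3cret")   # hypothetical Bind ID
    print("anonymous bind :", anon.hex())
    print("simple bind    :", simple.hex())
    print("password visible without SSL:", password_on_wire(simple, "s3cret"))
    print(parse_bind_response(SAMPLE_BIND_OK))
    print(parse_bind_response(SAMPLE_BIND_BAD))
```

Capture a real bind with a packet sniffer on port 389 and the simple-bind bytes match this layout, DN and password included; over SSL (port 636) the same message is inside the TLS record and nothing of it is readable.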