diaries, triumphs, failures, and rants

Tuesday May 13, 2008

Directory Masters Event 2008 (Day 1)

The 2008 United States Directory Masters event was held in Somerset, NJ on May 12th & 13th, 2008. This event is a gathering of LDAP and Directory Server engineers, architects, and marketing personnel. We talked about Sun's market-leading Directory Server Enterprise Edition product, about LDAP in the industry, and about identity management topics. We also played some music and drank some beer!

Sun dominates the Directory Services communities in Financials, Telecommunications, and other industry verticals. Customers are storing more and more types of data in Directory Server and accessing it over the LDAP protocol from many different kinds of applications, such as Web 2.0 and SOA workloads. Sun Java System Directory Server also dominates the identity management storage and access markets in the extranet.

Directory Server Enterprise Edition

We started with a presentation about the roadmap and new features available in Directory Server Enterprise Edition. Directory Server Enterprise Edition encompasses Directory Server 6, Directory Proxy Server 6, Directory Editor, the Directory Service Control Center (DSCC), and Identity Synchronization for Windows.

Directory Server Enterprise Edition (DSEE) is a service-focused product. The days of focusing on an individual server are now in the past. New command line interfaces that enable easy scripting, and a new browser-based administration GUI, make the LDAP admin's job much easier and enable the service-focused paradigm. Service manageability has been enhanced by adding the browser-based administration GUI and scriptable command line utilities.

Directory Proxy Server

The Directory Proxy Server (DPS) provides virtual directory capabilities:

* a consolidated virtual view of disparate data sources
* configurable load balancing and automatic fail-over
* firewall-like security: it prevents trawling of critical identity data and protects private directory information while still publishing public information
* referral handling
* data abstraction, DN re-writing and DN mapping, and schema mapping
* operational load-balancing and operations-based routing

Directory Proxy Server provides multiple views to serve disparate application needs and security requirements. Virtual views are constructed dynamically, so there is no need for costly and error-prone synchronization. Virtual data views also smash many political barriers to data access, and they have data transformation capabilities. Directory Proxy Server also supports client affinity, meaning that replication latency is no longer a factor in LDAP client operations and that, from the client's perspective, LDAP operations can pass the ACID test. Directory Proxy Server makes statistics available via the cn=monitor suffix: operation counters, status, subsystem status, and debugging info are all available.

DPS supports virtual views of data sources such as LDIF, JDBC, and LDAP.

Directory Proxy Server 6's failover mechanism hides planned (commanded) and unplanned (uncommanded) component outages from LDAP clients. The DPS has two health-check mechanisms, reactive (no periodic polling; a failed operation marks the server down) and proactive (periodic polling), customizable health criteria, and silent retry (when possible) on transient errors.

The DPS load-balancing capabilities come in four forms: proportional, saturation, failover, and hash. Proportional is percentage-based load balancing. Saturation switches traffic to Server 'A' when Server 'B' is "saturated". Failover always sends traffic to the best primary server, and hashed means identical operations go to the same server.
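To make the two health-check modes and the four balancing algorithms concrete, here is a small added example (my own illustration, not DPS code or its configuration syntax) that routes operations over a constructed pool of backends. The `Backend`, `Router` and `make_pool` names, the weights and the capacity threshold are all assumptions; the proxy's real policy engine is not shown here.

```python
import hashlib
from dataclasses import dataclass


# Constructed backend pool; names, weights and capacities are assumptions for this example.
@dataclass
class Backend:
    name: str
    weight: int = 1        # share of traffic under proportional balancing
    capacity: int = 100    # in-flight operations before the server counts as "saturated"
    inflight: int = 0
    healthy: bool = True   # maintained by the health checks below

    @property
    def saturated(self):
        return self.inflight >= self.capacity


class Router:
    """Picks a backend for each LDAP operation; backends are listed in priority order."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.tick = 0

    # --- health checks -------------------------------------------------
    def proactive_check(self, probe):
        # Periodic polling: probe(backend) returns True when the server answers correctly.
        for b in self.backends:
            b.healthy = probe(b)

    def reactive_result(self, backend, ok):
        # No polling: a failed operation marks that server down immediately.
        if not ok:
            backend.healthy = False

    def _up(self):
        up = [b for b in self.backends if b.healthy]
        if not up:
            raise RuntimeError("no healthy backend available")
        return up

    # --- the four balancing algorithms ---------------------------------
    def proportional(self):
        # Weighted round robin: a backend with weight 3 gets three of every four operations.
        up = self._up()
        slots = [b for b in up for _ in range(b.weight)]
        choice = slots[self.tick % len(slots)]
        self.tick += 1
        return choice

    def saturation(self):
        # Keep traffic on the first server until it is saturated, then spill over to the next.
        for b in self._up():
            if not b.saturated:
                return b
        raise RuntimeError("all healthy backends are saturated")

    def failover(self):
        # Always the best (highest-priority) healthy server.
        return self._up()[0]

    def hashed(self, key):
        # Identical operations (same key, e.g. the target DN) always land on the same server.
        up = self._up()
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        return up[int.from_bytes(digest[:8], "big") % len(up)]


def make_pool():
    # Constructed two-server pool: A is preferred and weighted for 3/4 of the traffic.
    return Router([Backend("A", weight=3), Backend("B", weight=1)])
```

Note that every algorithm only ever considers healthy backends, which is what lets the proxy hide an outage from clients: the moment a reactive or proactive check marks a server down, proportional, saturation and hash routing all quietly exclude it.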

Directory Proxy Server also provides a customizable data distribution facility, which supports massively scalable environments and tremendous performance because of unlimited horizontal scalability. Data distribution also allows customers to use smaller, discrete datasets, allowing for quicker backup and recovery. There are three distribution algorithms: lexicographic, numeric, and regular expression.

Operational routing routes LDAP operations to a selected data view. A data view is a portion of the DIT identified by a view base (base DN). Operations are routed independently of each other, go to the best (most specific) data view, and a search might span multiple data views.
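The following added example (my own illustration, not Directory Proxy Server code) shows the three distribution algorithms and most-specific data view routing working together over a constructed set of views. The view names, the base DNs under dc=example,dc=com, and the ranges are assumptions; the DN handling is deliberately minimal (split on commas, lower-case) and not a full RFC 4514 parser.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed data views; names, base DNs and ranges are assumptions for this example.
@dataclass
class DataView:
    name: str
    view_base: str                                         # base DN of the DIT portion served
    accepts: Callable[[str], bool] = lambda value: True    # distribution predicate on the RDN value


def components(dn):
    # Minimal DN normalisation: split on commas, trim, lower-case (enough for this example).
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def is_under(dn, base):
    d, b = components(dn), components(base)
    return len(d) >= len(b) and d[-len(b):] == b


# The three distribution algorithms, each returning a predicate on the RDN value.
def lexicographic(lo, hi=None):
    return lambda v: lo <= v.lower() and (hi is None or v.lower() < hi)


def numeric(lo, hi):
    return lambda v: v.isdigit() and lo <= int(v) < hi


def regex(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda v: rx.fullmatch(v) is not None


def route(views, dn):
    """Operational routing: the most specific view whose base contains dn and whose
    distribution predicate accepts the RDN value immediately below that base."""
    candidates = sorted((v for v in views if is_under(dn, v.view_base)),
                        key=lambda v: len(components(v.view_base)), reverse=True)
    for view in candidates:
        rel = components(dn)[:-len(components(view.view_base))]
        if not rel:                 # the target is the base entry itself
            return view.name
        value = rel[-1].split("=", 1)[1]
        if view.accepts(value):
            return view.name
    return None                     # no view serves this DN (referral / noSuchObject territory)


def search_targets(views, base):
    """A search may span several views: every view whose base lies within the search
    base, plus any view whose base contains the search base."""
    return [v.name for v in views if is_under(v.view_base, base) or is_under(base, v.view_base)]


VIEWS = [
    DataView("people-ext", "ou=people,dc=example,dc=com", regex(r"ext-.*")),
    DataView("people-a-m", "ou=people,dc=example,dc=com", lexicographic("a", "n")),
    DataView("people-n-z", "ou=people,dc=example,dc=com", lexicographic("n")),
    DataView("devices-low", "ou=devices,dc=example,dc=com", numeric(0, 50000)),
    DataView("devices-high", "ou=devices,dc=example,dc=com", numeric(50000, 10**9)),
    DataView("root", "dc=example,dc=com"),
]
```

Views with the same base are tried in list order, so the regular-expression view for external accounts is listed before the lexicographic split and wins for `uid=ext-bob`; the catch-all root view only sees entries that no more specific view claims. A subtree search at `ou=people` fans out to all three people views (and the root view that contains them), which is the "a search might span multiple data views" case above.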

Directory Proxy Server supports client affinity (sticky routing), which obviates replication latency (loose consistency) issues, as well as resource limits, request/response filtering policies, and other quality of service mechanisms.
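The "firewall-like" side of the proxy mentioned above (resource limits, request/response filtering, preventing trawling of identity data while still publishing public attributes) is easiest to understand as a policy applied to each search before it is forwarded and to each entry before it is returned. The example below is added here as my own illustration of that idea and is not DPS code or its policy syntax; the `Policy`, `SearchRequest`, `check_request` and `filter_entry` names, the size-limit cap, the selectivity heuristic and the list of private attributes are all assumptions.

```python
import re
from dataclasses import dataclass


# Constructed policy; the cap, the heuristic threshold and the attribute list are assumptions.
@dataclass
class Policy:
    max_size_limit: int = 100            # hard cap the proxy enforces on the client's sizeLimit
    min_literal_chars: int = 3           # literal chars an assertion needs to count as selective
    private_attributes: frozenset = frozenset({"userpassword", "employeenumber", "homephone"})


@dataclass
class SearchRequest:
    bind_dn: str          # "" for an anonymous bind
    base: str
    scope: str            # "base", "one" or "sub"
    ldap_filter: str
    attributes: list
    size_limit: int = 0   # 0 means "no limit" on the wire


# Simple assertions of the form (attr=value), (attr~=value), (attr>=value), (attr<=value).
ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)(?:=|~=|>=|<=)([^()]*)\)")


def assertions(ldap_filter):
    """Return (attribute, value) pairs from a filter string, attribute names lower-cased."""
    return [(a.lower(), v) for a, v in ASSERTION.findall(ldap_filter)]


def is_selective(policy, ldap_filter):
    # A filter is selective when some assertion other than objectClass pins down enough
    # literal characters; (objectClass=*) or (cn=a*) alone would enumerate the directory.
    return any(a != "objectclass" and len(v.replace("*", "")) >= policy.min_literal_chars
               for a, v in assertions(ldap_filter))


def check_request(policy, req):
    """Request filtering: return (allowed, reason, effective_size_limit) for a search."""
    referenced = {a for a, _ in assertions(req.ldap_filter)}
    if referenced & policy.private_attributes:
        # A filter on a private attribute leaks its value one comparison at a time.
        return False, "filter references a private attribute", 0
    if req.bind_dn == "" and req.scope == "sub" and not is_selective(policy, req.ldap_filter):
        return False, "anonymous unselective subtree search (trawling)", 0
    limit = policy.max_size_limit if req.size_limit <= 0 else min(req.size_limit, policy.max_size_limit)
    return True, "ok", limit


def filter_entry(policy, entry):
    """Response filtering: drop private attributes before the entry reaches the client."""
    return {k: v for k, v in entry.items() if k.lower() not in policy.private_attributes}
```

The two checks that matter most in practice are the last two: capping sizeLimit bounds how much a single request can pull regardless of what the client asks for, and refusing filters over private attributes closes the side channel where a client never reads `userPassword` but still learns it by testing candidate values in a filter.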

Directory Proxy Server supports three different authentication methods:

  • replaying the client's bind to the backend
  • proxied authentication
  • a fixed DN that DPS uses to authenticate to the backend

Directory Proxy Server supports ACIs at the proxy level; the syntax is similar to the Directory Server 6 ACI syntax, except that access control on entry content is not supported.

Directory Server

The Directory Server in DSEE 6 provides performance enhancements in a number of key areas. We see customers doing many more updates via LDAP, and Directory Server update performance has been dramatically increased in response.

Directory Server 6 brings a long list of changes:

* there is no limit on the number of suppliers (masters) that can be deployed for a database
* the ALLIDSTHRESHOLD is now configurable per database
* there is now a last-login time plugin
* the Directory Service Control Center can, as of 6.1, be deployed as a WAR file
* password policy now supports grace logins, safe password changes, and LDAP controls for account status and error reporting
* as of DSEE 6.3, SUSE and HP-UX 11.23 (PA-RISC) are supported
* Directory Server's frozen mode allows snapshots of a database; using ZFS, this means quick backups of even huge datasets
* as of 6.1, Directory Server supports database compaction, allowing databases to be shrunk (offline)

Prioritized replication is a fantastic new feature: passwords, or any attributes, can be replicated more quickly than other attributes, driven by a prioritized replication rule. Directory Server also has tremendous performance capabilities in searches.

Directory Server 6 has performance enhancements in the areas of large static groups, ACI processing, connection management, replication optimization, and database updates. As of 6.3, replication meta-data has been reduced.

Identity Synchronization for Windows supports integration with Active Directory, reducing deployment times (saving money and decreasing time-to-market), bidirectional password synchronization with AD, and bidirectional entry creation, deletion, and activation.

The Directory Editor (DE) is a web application that gives a browser-based interface to LDAP data, which is fantastic for delegated administration. DE runs in any servlet 2.2-compliant container; I run it in GlassFish.

The Directory Server Resource Kit (DSRK) provides a number of interesting tools for performance testing, debugging, deployment utilities, and some sample LDAP applications. SLAMD is also available for benchmarking and resource testing.

Useful Directory Server Links

* Official Product Page
* Directory Server Enterprise Edition at docs.sun.com
* Sun Wiki
* Bigadmin
* SLAMD: A distributed load generation engine
* ZFS

Glossary

* LDAP: Lightweight Directory Access Protocol
* LDIF: LDAP Data Interchange Format
* DSEE: Directory Server Enterprise Edition
* DSCC: Directory Service Control Center
* DS: Directory Server
* DPS: Directory Proxy Server
* DE: Directory Editor
* DSRK: Directory Server Resource Kit
* ZFS: Zettabyte File System
* DIT: Directory Information Tree
* ACI: Access Control Instruction
* DN: distinguished name
* ACID: Atomicity, Consistency, Isolation, Durability
