Directory Service Maintenance


In this section we describe the various procedures used to maintain Netscape's internal directory service.

Data Backups and Disaster Recovery

Directory data is backed up daily via the online backup capabilities of Netscape Directory Server. With this capability, data can be backed up to disk while the server is running and accepting updates; it is not necessary to shut down the server or place it in read-only mode (see Chapter 4, Overview of Netscape Directory Server, for more information on the online backup feature). The backup files are then archived to tape along with the directory server configuration data. The backup tapes are stored in a secure location off-site (along with backup tapes of other critical applications) to protect against data loss in a disaster and to protect the security of the data.

Although tape backups are made, the primary method of restoring a directory server is to obtain recent directory data from a replica. The Netscape software's continuous replication feature is used to keep replicas always closely in sync; therefore, the replicas provide a more up-to-date copy of the directory than the daily backups do. Tapes are still required, however, in the event that directory data is damaged (for example, entries are deleted) and the damage propagates to all of the replicas.

The disaster recovery plan for Netscape's internal directory leverages the extensive disaster recovery plan already in place for the Netscape.com Web site. In a nutshell, the plan provides for continuous operations through a combination of alternate power sources at primary sites and alternate sites that contain replicas of critical data and applications.

Maintaining Data

Netscape's directory needs to coexist with several other data repositories. For some data elements, the external repositories are the authoritative source for the data. For other data elements, the directory itself is authoritative. This section describes the procedures used to maintain the relationships between the external data repositories and the directory, and the procedures used to maintain data for which the directory itself is the authoritative source.

Three main external repositories are synchronized with the directory:

  1. The Windows NT domain user and group database

  2. Unix Network Information Service (NIS)

  3. The PeopleSoft system used for HR data

This section discusses these repositories and the process used to synchronize their data with that stored in the directory service itself.

The Windows NT Domain User and Group Database

A special tool was written to run on Netscape's Windows NT primary domain controller (PDC) and synchronize the NT user database with the directory. Specific attributes in the directory for NT users, NT accounts, NT passwords, NT directory structures, and NT access control lists (ACLs) are read from the directory, and the Windows PDC information is synchronized to match the directory. This process also ensures that the password stored in the Microsoft Windows NT authentication database matches the password stored in the directory. If it does not, the synchronization tool overwrites the NT password with the authoritative password from the directory. The NT sync process starts up every three minutes, searches the directory for all entries that have changed since the last NT sync run, and then synchronizes them.
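The incremental "changed since the last run" search that drives a sync pass like the one described above, as an added example in Python that is not Netscape's NT tool: it builds a modifyTimestamp filter with a small overlap window and advances a high-water mark. The ntUserDomainId attribute, the constructed entries and the in-memory search are assumptions of this example.

```python
# Added example (not Netscape's NT sync tool): the "changed since the last run"
# search a sync pass performs, keyed on the operational modifyTimestamp attribute.
from datetime import datetime, timedelta, timezone

GT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, as modifyTimestamp is stored

def to_gt(dt):
    return dt.astimezone(timezone.utc).strftime(GT)

def from_gt(s):
    return datetime.strptime(s, GT).replace(tzinfo=timezone.utc)

def build_filter(last_run, overlap=timedelta(seconds=5)):
    """modifyTimestamp has one-second granularity and server clocks can skew, so
    the window is widened by `overlap`; the caller must therefore apply changes
    idempotently (re-pushing an entry is harmless, missing one is not).
    ntUserDomainId is an assumed attribute marking entries that have NT accounts."""
    since = to_gt(last_run - overlap)
    return f"(&(objectClass=person)(ntUserDomainId=*)(modifyTimestamp>={since}))"

def search(directory, ldap_filter):
    """Stand-in for an LDAP search over in-memory entries (build_filter's shape only)."""
    since = ldap_filter.split("modifyTimestamp>=")[1].rstrip(")")
    return [e for e in directory
            if "ntUserDomainId" in e and e["modifyTimestamp"] >= since]

def sync_pass(directory, last_run, apply_change):
    """One run: find changed entries, push them oldest first, and return the new
    high-water mark (the latest modifyTimestamp seen, not 'now', so a change
    committed while the pass was running is picked up next time)."""
    changed = sorted(search(directory, build_filter(last_run)),
                     key=lambda e: e["modifyTimestamp"])
    high_water = last_run
    for entry in changed:
        apply_change(entry)
        high_water = max(high_water, from_gt(entry["modifyTimestamp"]))
    return changed, high_water

# Constructed directory state; the previous pass ran at 12:00:00Z.
DIRECTORY = [
    {"uid": "alice", "ntUserDomainId": "alice", "modifyTimestamp": "20020101115000Z"},
    {"uid": "bob",   "ntUserDomainId": "bob",   "modifyTimestamp": "20020101115958Z"},
    {"uid": "carol", "ntUserDomainId": "carol", "modifyTimestamp": "20020101120130Z"},
    {"uid": "dave",  "modifyTimestamp": "20020101120200Z"},  # no NT account
]

def run_demo():
    changed, high_water = sync_pass(DIRECTORY, from_gt("20020101120000Z"), lambda e: None)
    return [e["uid"] for e in changed], to_gt(high_water)
```

bob is picked up although his change landed two seconds before the recorded run time, which is what the overlap window is for; dave has no NT account and is ignored.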

To simplify management, all Netscape NT users are part of one NT domain. If Netscape ever splits its NT user and group information into multiple NT domains, a separate synchronization service will need to run on each PDC, and a policy will need to be implemented that maps newly created user entries to a particular domain.

NIS

Netscape's Unix workstations use NIS to distribute user and group information to all workstations throughout the company. Like the NT user database, NIS represents a repository of user information that must be kept in sync with the directory. Custom scripts were developed that read directory data and generate several NIS maps, which are then imported into the NIS master server. These maps include the passwd map (user and password information), the NFS automounter map files, and the aliases map, which the sendmail message transfer agent (MTA) uses to expand mail aliases. The NIS sync process runs every 20 minutes.

PeopleSoft

The PeopleSoft system is the authoritative source for most of the information about employees. It is very important that the directory data be kept in sync with PeopleSoft.

For example, a new employee should immediately be able to access vital services such as Unix login, Microsoft Windows login, and e-mail. Similarly, when an employee leaves the company, access to these facilities must be revoked immediately.

This synchronization is accomplished with a set of Perl scripts that reconcile PeopleSoft data with the directory. Based on PerLDAP (available from the Mozilla Web site at http://mozilla.org/directory/perldap), these scripts also validate and clean up data when necessary, such as when the PeopleSoft data lacks attributes required by the directory. The scripts also report any exceptional conditions they encounter, such as entries with missing manager, organizationalUnit, or businessCategory attributes, to people who can repair the problems. The PeopleSoft synchronization process runs once per hour. A variant of the PeopleSoft synchronization script that Netscape uses is available on the Web at http://www.mozilla.org/directory/tools/ldaptools.html.
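The reconciliation step as an added Python example, not Netscape's PerLDAP scripts: HR records are compared with directory entries to produce joiner, change and leaver actions, and entries lacking manager, organizationalUnit or businessCategory are reported to a human rather than silently guessed. The record field names, the status values and the sample data are constructed for this example.

```python
# Added example (not Netscape's PerLDAP scripts): reconcile the authoritative HR
# feed with directory entries. Field names, status values and data are constructed.
REQUIRED = ("manager", "organizationalUnit", "businessCategory")  # named on the page
SYNCED = ("uid",) + REQUIRED

def reconcile(hr_records, directory):
    """Both map employeeNumber -> HR record / directory entry. Returns (actions,
    exceptions); leavers are disabled before anything else is considered, since
    revoking access must not wait on data quality."""
    actions, exceptions = [], []
    for emp, rec in hr_records.items():
        entry = directory.get(emp)
        if rec["status"] != "active":
            if entry is not None and entry.get("status") != "disabled":
                actions.append(("disable", emp))
            continue
        missing = [a for a in REQUIRED if not rec.get(a)]
        if missing:  # report to a human; the entry is still created/updated
            exceptions.append((emp, "missing " + ", ".join(missing)))
        wanted = {a: rec[a] for a in SYNCED if rec.get(a)}
        if entry is None:
            actions.append(("add", emp, wanted))  # joiner gets access at once
        else:
            diff = {a: v for a, v in wanted.items() if entry.get(a) != v}
            if diff:
                actions.append(("modify", emp, diff))
    # Entries HR has no record of are reported, not deleted (this example's policy).
    for emp in directory:
        if emp not in hr_records:
            exceptions.append((emp, "no HR record"))
    return actions, exceptions

HR = {  # constructed PeopleSoft extract
    "1001": {"uid": "alice", "manager": "uid=hq", "organizationalUnit": "Engineering",
             "businessCategory": "Regular", "status": "active"},
    "1002": {"uid": "bob", "manager": "uid=alice", "organizationalUnit": "Engineering",
             "businessCategory": "", "status": "active"},
    "1003": {"uid": "carol", "manager": "uid=alice", "organizationalUnit": "Sales",
             "businessCategory": "Regular", "status": "terminated"},
}
DIR = {  # constructed directory state before the run
    "1001": {"uid": "alice", "manager": "uid=hq", "organizationalUnit": "Sales",
             "businessCategory": "Regular", "status": "active"},
    "1003": {"uid": "carol", "manager": "uid=alice", "organizationalUnit": "Sales",
             "businessCategory": "Regular", "status": "active"},
    "1004": {"uid": "dan", "status": "active"},
}
def run_demo():
    return reconcile(HR, DIR)
```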

Data Whose Authoritative Source Is the Directory Itself

The directory itself is the authoritative repository for some data elements, such as e-mail addresses. Unlike data elements that are synchronized from external sources, it's possible to delegate authority for these directory-mastered data elements to other people using the directory servers' access control capabilities.

One example is the home mailing address for employees. As mentioned earlier in the chapter, values for this data element are stored in the PeopleSoft database, but they are not synchronized to the directory (out of concern for employee privacy). However, employees are free to add homePostalAddress attributes to their directory entry if they want to. Also note that the home address information is not synchronized back to the PeopleSoft database (although someday it might be).

Monitoring

Netscape has deployed an extensive SNMP-based monitoring system that focuses on monitoring network devices such as routers, hubs, and server network interfaces. As in many other organizations, the group that provides this monitoring is distinct from the group that manages the directory service. Coupled with the fact that the earliest versions of Netscape Directory Server did not support monitoring via SNMP, the separation between the two groups led the directory deployment team to develop its own set of monitoring tools that check whether the following conditions hold:

  • All directory servers are running and responding to requests.

  • All replicas are in sync with the master server.

If any of these tests fail, an alert is raised and an appropriate individual is notified via electronic mail and pager.
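The two checks above as an added Python example (not Netscape's monitoring tools): each server is read for a canary entry whose timestamp the master rewrites periodically, so a stale copy on a replica measures replication lag without depending on the monitor's own clock. The canary approach, the server names, the probe function and the lag threshold are this example's assumptions.

```python
# Added example (not Netscape's monitoring tools): the two checks above. Each server
# is read for a canary entry whose timestamp the master rewrites periodically, so a
# stale copy on a replica measures replication lag independent of the monitor's
# clock. Server names, the probe and the threshold are constructed.
from datetime import datetime, timedelta, timezone

def from_gt(s):  # LDAP GeneralizedTime -> aware datetime
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_directory(master, replicas, probe, max_lag=timedelta(minutes=5)):
    """probe(server) returns the canary timestamp as read from that server, or
    raises when the server does not answer. Returns alert strings; an empty list
    means every server responded and every replica is within max_lag."""
    alerts = []
    try:
        master_stamp = from_gt(probe(master))
    except Exception as exc:  # broad on purpose: any failure is an outage
        return [f"{master}: not responding ({exc}); replica lag cannot be judged"]
    for rep in replicas:
        try:
            stamp = from_gt(probe(rep))
        except Exception as exc:
            alerts.append(f"{rep}: not responding ({exc})")
            continue
        lag = master_stamp - stamp
        if lag > max_lag:
            alerts.append(f"{rep}: replica {int(lag.total_seconds())}s behind master")
    return alerts

SAMPLE = {  # constructed: canary value each server returns, None = no answer
    "ldap-master": "20020101120000Z",
    "ldap-rep1": "20020101120000Z",
    "ldap-rep2": "20020101114500Z",  # 15 minutes stale
    "ldap-rep3": None,
}

def fake_probe(server):
    if SAMPLE[server] is None:
        raise ConnectionError("connect timed out")
    return SAMPLE[server]

def run_demo():
    return check_directory("ldap-master", ["ldap-rep1", "ldap-rep2", "ldap-rep3"], fake_probe)
```

Each returned string is what would be handed to the mail and pager notifier; in production the probe would be an LDAP bind and base-scope search with a short timeout.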

In the future, monitoring of the directory may be integrated with the other network monitoring functions.


Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
Year: 2002
Pages: 242