II: Designing Your Directory Service



Directory Service Maintenance

In this section we describe the various procedures used to maintain the Netscape internal directory.

Data Backups and Disaster Recovery

Netscape IS backs up directory data daily using the online backup capabilities of Netscape Directory Server. With this capability, data can be backed up to disk while the server is running and accepting updates; it is not necessary to shut down the server or place it in read-only mode. The backup files are then archived to tape along with the directory configuration data. Tapes are then moved offsite (along with backup tapes of other critical applications) to protect against their loss in a disaster. Because the tapes contain a complete copy of the directory, the offsite copies are kept in a secure location to protect the confidentiality of the data.

Although tape backups are made, the primary method of restoring a failed directory server is to reinitialize it from a replica. Replicas are kept continuously in sync with the master, so they hold a more up-to-date copy of the directory than any backup tape. Tapes are still required, however, when the directory data itself is damaged (e.g., entries are accidentally deleted or overwritten): replication faithfully propagates such changes to every replica, so only a point-in-time backup preserves the data as it was before the damage.

The disaster recovery plan for Netscape's internal directory leverages the extensive disaster recovery plan already in place for Netscape Netcenter. In a nutshell, the plan provides for continuous operations through a combination of alternate power sources at primary sites and alternate sites that contain replicas of critical data and applications.

Maintaining Data

Netscape's directory needs to coexist with several other data repositories. For some data elements, the external repositories are the authoritative source for the data. For other data elements, the directory itself is authoritative. This section describes the procedures used to maintain the relationships between the external data repositories and the directory, and the procedures used to maintain data that the directory itself is the authoritative source for.

Three main external repositories are synchronized with the directory:

  • The Windows NT domain user and group database

  • Network Information Service (NIS)

  • PeopleSoft

A fourth category of data has the directory itself as its authoritative source and is maintained differently.

These repositories, the processes used to synchronize them, and the handling of directory-mastered data are discussed in this section.

The Windows NT User and Group Database

A special tool was written to run on Netscape's NT primary domain controller (PDC) and synchronize the NT user database with the directory. Specific attributes in the directory for NT users, NT accounts, NT passwords, NT directory structures, and NT access control lists (ACLs) are read from the directory, and the Windows PDC information is synchronized to match the directory. This process also ensures that the password stored in the NT authentication database matches the password stored in the directory. If it does not, the synchronization tool overwrites the NT password with the authoritative password from the directory. The NT sync process starts up every three minutes, searches the directory for any entries that have changed since the last NT sync run, and then synchronizes them.
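The change-detection loop described above (search for entries modified since the last run, then push the directory's authoritative values to the NT side) is easy to get subtly wrong: a write committed while the previous search was running, or clock skew between the directory host and the PDC, can fall between two runs. The following is an added illustration written for this page, not Netscape's synchronization tool. The LDAP search is simulated against constructed in-memory entries so it runs offline, and the attribute names ntUserDomainId and nsAccountLock, the window overlap, and the way the password is represented are all assumptions.

```python
"""Incremental directory-to-NT account sync (hypothetical example)."""
from datetime import datetime, timedelta, timezone

LDAP_TIME = "%Y%m%d%H%M%SZ"   # generalizedTime as stored in modifyTimestamp


def to_ldap_time(dt):
    return dt.astimezone(timezone.utc).strftime(LDAP_TIME)


def changed_since_filter(watermark, overlap=timedelta(seconds=30)):
    """Build the filter for the next run.

    The window starts `overlap` before the previous watermark so that a
    write committed while the last search was running, or a small clock
    skew, cannot slip past the sync.  Re-processing an unchanged entry
    is harmless because the reconcile step below is idempotent."""
    since = to_ldap_time(watermark - overlap)
    return ("(&(objectClass=person)(ntUserDomainId=*)"
            f"(modifyTimestamp>={since}))")


def simulated_search(entries, ldap_filter):
    """Stand-in for an LDAP search over the constructed entries.  Applies
    the two clauses the filter carries: ntUserDomainId must be present and
    modifyTimestamp must be at or after the window start.  Equal-length
    generalized-time strings compare correctly as plain strings."""
    since = ldap_filter.split("modifyTimestamp>=")[1].rstrip(")")
    return [e for e in entries
            if "ntUserDomainId" in e and e["modifyTimestamp"] >= since]


def sync_nt(entries, nt_accounts, watermark, run_started):
    """Reconcile nt_accounts (dict keyed by NT user name) with the
    directory.  The directory is authoritative: a credential that differs
    on the NT side is overwritten, never the reverse.  The page does not
    say how the password is represented; it is an opaque value here."""
    actions = []
    for e in simulated_search(entries, changed_since_filter(watermark)):
        name = e["ntUserDomainId"]
        acct = nt_accounts.setdefault(name, {"password": None, "disabled": False})
        if acct["password"] != e["userPassword"]:
            acct["password"] = e["userPassword"]
            actions.append(("set-password", name))
        want_disabled = e.get("nsAccountLock", "false").lower() == "true"
        if acct["disabled"] != want_disabled:
            acct["disabled"] = want_disabled
            actions.append(("disable" if want_disabled else "enable", name))
    # The next watermark is when THIS search began, not when it finished,
    # so nothing written during the run is skipped by the next one.
    return actions, run_started


# Constructed sample data for one pass of the three-minute loop.
WATERMARK = datetime(2002, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
RUN_STARTED = WATERMARK + timedelta(minutes=3)
DIRECTORY = [
    {"uid": "alice", "ntUserDomainId": "alice", "userPassword": "pw-alice-new",
     "modifyTimestamp": "20020115120100Z"},            # changed since last run
    {"uid": "bob", "ntUserDomainId": "bob", "userPassword": "pw-bob",
     "modifyTimestamp": "20020115110000Z"},            # untouched; not returned
    {"uid": "carol", "ntUserDomainId": "carol", "userPassword": "pw-carol",
     "nsAccountLock": "true", "modifyTimestamp": "20020115120200Z"},  # locked
    {"uid": "dan", "userPassword": "pw-dan",
     "modifyTimestamp": "20020115120230Z"},            # has no NT account
]
NT_ACCOUNTS = {
    "alice": {"password": "pw-alice-old", "disabled": False},
    "bob":   {"password": "pw-bob", "disabled": False},
    "carol": {"password": "pw-carol", "disabled": False},
}


def run_example():
    accounts = {k: dict(v) for k, v in NT_ACCOUNTS.items()}
    actions, next_watermark = sync_nt(DIRECTORY, accounts, WATERMARK, RUN_STARTED)
    return actions, accounts, next_watermark


if __name__ == "__main__":
    for action in run_example()[0]:
        print(*action)
```

The overlap makes the sync at-least-once rather than exactly-once, which is the right trade for an idempotent push; the same reasoning applies to the NIS and PeopleSoft runs that follow.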

Netscape currently places all NT users in a single NT domain to make management simpler. If Netscape ever splits its NT user and group information into multiple NT domains, a separate synchronization service will need to run on each PDC, and a policy will need to be implemented that maps newly created user entries to a particular domain.

It should be noted that the Netscape Directory Server includes a bidirectional NT Synchronization Service that can perform these same functions and could be used in place of the existing synchronization tool. However, development of the custom NT sync script currently in use predates the development of the commercially available Synchronization Service.

NIS

Netscape's UNIX workstations use NIS to distribute user and group information to all workstations throughout the company. Like the NT user database, NIS represents a repository of user information that should be kept in sync with the directory. Custom scripts were developed that read directory data and generate several NIS maps, which are then imported into the NIS master server. These maps include the passwd map (user and password information), the NFS automounter map files, and the aliases map, which sendmail uses to expand mail aliases. The NIS sync process runs every 20 minutes.
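Generating NIS maps from directory data turns every attribute that lands in a map into a line in a security-sensitive file on every workstation, so the generator has to validate what it emits. The example below is an added illustration, not Netscape's scripts: it builds the passwd and aliases maps from constructed entries, rejects fields that would inject an extra passwd record, refuses duplicate login names and numeric IDs, and locks the password field of any entry whose hash is not in crypt(3) form (the only form NIS clients can verify). Attribute names follow the standard posixAccount schema; the sample data and the {crypt}/{SSHA} prefixes are assumptions.

```python
"""Build NIS passwd and aliases maps from directory entries (hypothetical)."""
import re

DELIMITER = re.compile(r"[:\n\r\x00]")          # would split or truncate a map line
UID_OK = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def passwd_line(e):
    """uid:password:uidNumber:gidNumber:gecos:home:shell, or ValueError."""
    if not UID_OK.match(e["uid"]):
        raise ValueError("uid is not a valid login name")
    for attr in ("cn", "homeDirectory", "loginShell"):
        if DELIMITER.search(e[attr]):
            raise ValueError(f"{attr} contains a map delimiter")
    pw = e.get("userPassword", "")
    # Only crypt(3) hashes are usable by NIS clients; anything else is
    # emitted as a locked field rather than copied into the map.
    pw = pw[len("{crypt}"):] if pw.startswith("{crypt}") else "*"
    return ":".join([e["uid"], pw, str(int(e["uidNumber"])),
                     str(int(e["gidNumber"])), e["cn"],
                     e["homeDirectory"], e["loginShell"]])


def build_passwd_map(entries):
    """Return (map lines, exception reports).  A bad entry is reported
    and skipped; it neither aborts the map nor reaches the clients."""
    lines, errors, seen_uid, seen_num = [], [], set(), set()
    for e in entries:
        try:
            if e["uid"] in seen_uid:
                raise ValueError("duplicate uid")
            if e["uidNumber"] in seen_num:
                raise ValueError(f"uidNumber {e['uidNumber']} already assigned")
            line = passwd_line(e)
        except (KeyError, ValueError) as exc:
            errors.append(f"{e.get('uid', '?')}: {exc}")
            continue
        seen_uid.add(e["uid"])
        seen_num.add(e["uidNumber"])
        lines.append(line)
    return lines, errors


def build_aliases_map(groups, entries):
    """sendmail aliases, 'name: member, member'.  Members are resolved
    from DN to uid; unknown DNs are reported rather than emitted."""
    uid_by_dn = {e["dn"]: e["uid"] for e in entries if "dn" in e}
    lines, errors = [], []
    for g in groups:
        if DELIMITER.search(g["cn"]) or " " in g["cn"]:
            errors.append(f"{g['cn']!r}: not a valid alias name")
            continue
        members = []
        for dn in g.get("uniqueMember", []):
            if dn in uid_by_dn:
                members.append(uid_by_dn[dn])
            else:
                errors.append(f"{g['cn']}: member {dn} not found in directory")
        if members:
            lines.append(f"{g['cn']}: {', '.join(members)}")
    return lines, errors


# Constructed sample entries; "mallory" carries a cn crafted to inject a
# second, uid-0 record, and "dave" reuses alice's uidNumber.
BASE = "ou=People,dc=example,dc=com"
PEOPLE = [
    {"dn": f"uid=alice,{BASE}", "uid": "alice", "uidNumber": "1001", "gidNumber": "100",
     "cn": "Alice Adams", "homeDirectory": "/home/alice", "loginShell": "/bin/sh",
     "userPassword": "{crypt}ab01wEDLzfQ9M"},
    {"dn": f"uid=bob,{BASE}", "uid": "bob", "uidNumber": "1002", "gidNumber": "100",
     "cn": "Bob Brown", "homeDirectory": "/home/bob", "loginShell": "/bin/csh",
     "userPassword": "{SSHA}c2FsdHNhbHQ="},
    {"dn": f"uid=mallory,{BASE}", "uid": "mallory", "uidNumber": "1003", "gidNumber": "100",
     "cn": "Mallory\nroot2::0:0:root:/:/bin/sh", "homeDirectory": "/home/mallory",
     "loginShell": "/bin/sh", "userPassword": "{crypt}xyz"},
    {"dn": f"uid=dave,{BASE}", "uid": "dave", "uidNumber": "1001", "gidNumber": "100",
     "cn": "Dave Dunn", "homeDirectory": "/home/dave", "loginShell": "/bin/sh"},
]
GROUPS = [
    {"cn": "eng-all", "uniqueMember": [f"uid=alice,{BASE}", f"uid=bob,{BASE}",
                                       f"uid=ghost,{BASE}"]},
]


def run_example():
    return build_passwd_map(PEOPLE), build_aliases_map(GROUPS, PEOPLE)


if __name__ == "__main__":
    (pw, pw_err), (al, al_err) = run_example()
    print("\n".join(pw + al))
    print("\n".join(pw_err + al_err))
```

The delimiter check matters because any attribute a user can write to his or her own entry (see the discussion of directory-mastered data below) becomes input to this generator; without it, a self-edited display name could add a root-equivalent account to every workstation.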

PeopleSoft

The PeopleSoft system is the authoritative source for most of the information about employees. It is vitally important that the directory data be kept in sync with PeopleSoft. For example, when a new employee is hired, he or she should immediately be able to access vital services such as UNIX login, NT login, and email. Similarly, when an employee leaves the company, access to these facilities must be immediately revoked.

This synchronization is accomplished via a set of Perl scripts that reconcile PeopleSoft data with the directory. These scripts, which are based on PerLDAP (available at http://help.netscape.com/download/server/directory/utilities/lbap/tar.gz), also perform data validation and cleanup when needed, such as when data lacks attributes required by the directory. The scripts also report any exceptions they encounter, such as entries with missing manager, organizationalUnit, or businessCategory attributes. These exceptions are reported to the appropriate departments that can repair the problems. The PeopleSoft sync process runs once per hour.
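The reconciliation the Perl scripts perform has three distinct outcomes per record (provision, update, revoke) plus an exception path, and the revoke path is where the security requirement lives: a leaver must lose access on the next run, and that must happen even when the record is otherwise incomplete. The following is an added illustration, not Netscape's scripts. Both data sets are constructed in-memory dicts keyed by employee number; the status codes ('A' active, 'T' terminated), the nsAccountLock attribute, the routing of exceptions to HR, and the generated mail address are assumptions.

```python
"""Reconcile PeopleSoft employee records with the directory (hypothetical)."""

PS_MASTERED = ("cn", "manager", "ou", "businessCategory")  # PeopleSoft wins
REQUIRED = {"manager": "HR", "ou": "HR", "businessCategory": "Finance"}  # attr -> who fixes it


def reconcile(peoplesoft, directory):
    """Return (adds, updates, disables, exceptions); mutates `directory`.

    Attributes PeopleSoft masters are copied over; attributes the
    directory masters (mail, home address) are left alone.  A leaver is
    locked rather than deleted: the entry must survive so the NT and NIS
    syncs downstream disable their copies, and so the account can still
    be audited.  A lock is applied before any validation, so an
    incomplete record can never delay a revocation."""
    adds, updates, disables, exceptions = [], [], [], []
    for emp, rec in peoplesoft.items():
        entry = directory.get(emp)
        if rec["status"] == "T":
            if entry is not None and entry.get("nsAccountLock") != "true":
                entry["nsAccountLock"] = "true"
                disables.append(rec["uid"])
            continue
        for attr, owner in REQUIRED.items():
            if not rec.get(attr):
                exceptions.append((owner, f"{rec['uid']}: missing {attr}"))
        if entry is None:
            entry = {"uid": rec["uid"], "employeeNumber": emp,
                     "mail": f"{rec['uid']}@example.com"}  # directory-mastered, set once
            directory[emp] = entry
            adds.append(rec["uid"])
        desired = {a: rec[a] for a in PS_MASTERED if rec.get(a)}
        desired["nsAccountLock"] = "false"        # active in PeopleSoft => unlocked (rehires)
        diff = {a: v for a, v in desired.items() if entry.get(a) != v}
        if diff:
            entry.update(diff)
            if rec["uid"] not in adds:
                updates.append(rec["uid"])
    # Entries with no PeopleSoft record at all are reported, not deleted.
    for emp, entry in directory.items():
        if emp not in peoplesoft:
            exceptions.append(("HR", f"{entry['uid']}: no PeopleSoft record"))
    return adds, updates, disables, exceptions


# Constructed sample data for one hourly run.
MGR = "uid=hmgr,ou=People,dc=example,dc=com"
PEOPLESOFT = {
    "1001": {"uid": "alice", "cn": "Alice Adams", "status": "A", "manager": MGR,
             "ou": "Engineering", "businessCategory": "Eng"},          # unchanged
    "1002": {"uid": "bob", "cn": "Bob Brown", "status": "A", "manager": "",
             "ou": "Engineering", "businessCategory": "Eng"},          # new hire, no manager yet
    "1003": {"uid": "carol", "cn": "Carol Cruz", "status": "T", "manager": MGR,
             "ou": "Engineering", "businessCategory": "Eng"},          # left the company
    "1005": {"uid": "erin", "cn": "Erin Evans", "status": "A", "manager": MGR,
             "ou": "Sales", "businessCategory": "Sales"},              # transferred
}
DIRECTORY = {
    "1001": {"uid": "alice", "cn": "Alice Adams", "manager": MGR, "ou": "Engineering",
             "businessCategory": "Eng", "nsAccountLock": "false", "mail": "alice@example.com"},
    "1003": {"uid": "carol", "cn": "Carol Cruz", "manager": MGR, "ou": "Engineering",
             "businessCategory": "Eng", "nsAccountLock": "false", "mail": "carol@example.com"},
    "1004": {"uid": "dave", "cn": "Dave Dunn", "manager": MGR, "ou": "Engineering",
             "businessCategory": "Eng", "nsAccountLock": "false", "mail": "dave@example.com"},
    "1005": {"uid": "erin", "cn": "Erin Evans", "manager": MGR, "ou": "Engineering",
             "businessCategory": "Eng", "nsAccountLock": "false", "mail": "erin@example.com"},
}


def run_example():
    directory = {k: dict(v) for k, v in DIRECTORY.items()}
    return reconcile(PEOPLESOFT, directory), directory


if __name__ == "__main__":
    (adds, updates, disables, exceptions), _ = run_example()
    print("add", adds, "update", updates, "disable", disables)
    for owner, msg in exceptions:
        print(f"-> {owner}: {msg}")
```

Note that bob is provisioned despite the missing manager attribute; the exception goes to the department that owns the data while the hire still gets the login and mail access the paragraph above requires on day one.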

Data Whose Authoritative Source Is the Directory Itself

The directory itself is authoritative for some of the data elements, such as email addresses. Unlike data elements that are synchronized from external sources, it's possible to delegate authority to update these directory-mastered data elements using the directory servers' ACL capabilities.

One example of this is the home mailing address for employees. These data elements are stored in the PeopleSoft database, but they are not synchronized to the directory (out of concern for employee privacy). However, employees are free to add these attributes to their directory entry if they want to. Also note that these elements are not synchronized back to the PeopleSoft database (although it's conceivable that they could be).
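Delegating self-service on exactly the directory-mastered attributes, and nothing else, is done with access control instructions on the container. The fragment below is an added example in Netscape Directory Server's ACI syntax, not configuration from the page: the suffix, the attribute names, and the service identity used by the PeopleSoft sync are assumptions.

```ldif
# Hypothetical example: delegate self-service on directory-mastered
# attributes only; the suffix, attributes and sync identity are assumed.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "homePostalAddress || homePhone")
 (version 3.0; acl "employees maintain their own home contact data";
 allow (write) userdn = "ldap:///self";)
-
add: aci
aci: (targetattr = "cn || manager || ou || businessCategory || employeeNumber")
 (version 3.0; acl "only the PeopleSoft sync writes HR-mastered attributes";
 allow (write) userdn = "ldap:///uid=pssync,ou=Services,dc=example,dc=com";)
```

Netscape Directory Server denies an operation unless some ACI allows it, so listing only the home-address attributes in the self-write rule is what keeps employees from editing their own manager or department. The corollary is that any attribute granted to self becomes user-controlled input to every downstream consumer, including the NIS map generator, which must validate it accordingly.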

Monitoring

Netscape has a rather extensive SNMP-based monitoring system in place that focuses on monitoring network devices such as routers, hubs, and server network interfaces. As is the case in many organizations, the group that provides this monitoring is distinct from the group that deploys the directory. Coupled with the fact that early versions of Netscape Directory Server did not support monitoring via SNMP, this led the directory deployers to develop their own set of monitoring tools that check whether the following conditions hold:

  • All directory servers are running and responding to requests.

  • All replicas are in sync with the master server.

If any of these tests fails, an alert is raised and an appropriate individual is notified via electronic mail and pager.
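The two checks above amount to a liveness probe plus a replica-consistency test, and the second is worth more if it distinguishes a replica that is merely behind from one that has diverged. The following is an added illustration, not Netscape's monitoring tools. Instead of contacting servers it consumes constructed per-server snapshots: whether a bind succeeded, the modifyTimestamp of a canary entry the master rewrites on every check (so lag can be measured), and a dn to modifyTimestamp map of the suffix for entry-level comparison. Server names, the canary technique and the lag threshold are assumptions.

```python
"""Directory liveness and replica-consistency checks (hypothetical example)."""
from datetime import datetime, timezone

LDAP_TIME = "%Y%m%d%H%M%SZ"


def parse_time(s):
    return datetime.strptime(s, LDAP_TIME).replace(tzinfo=timezone.utc)


def replica_drift(master, replica):
    """Compare two dn -> modifyTimestamp maps.  Entries the replica lacks,
    holds at an older timestamp, or holds that the master does not are all
    reported; the last case is the one that exposes a replica that accepted
    a write it should have referred to the master."""
    problems = []
    for dn, ts in master.items():
        if dn not in replica:
            problems.append((dn, "missing on replica"))
        elif replica[dn] < ts:                # equal-length strings compare correctly
            problems.append((dn, "stale on replica"))
    for dn in replica.keys() - master.keys():
        problems.append((dn, "present only on replica"))
    return sorted(problems)


def evaluate(servers, max_lag_seconds=300):
    """Return the alert lines one run would mail and page out."""
    alerts = []
    master = next(s for s in servers if s["role"] == "master")
    if not master["up"]:
        alerts.append(f"{master['name']}: master not responding")
        return alerts                          # nothing to compare replicas against
    master_canary = parse_time(master["canary"])
    for s in servers:
        if s["role"] == "master":
            continue
        if not s["up"]:
            alerts.append(f"{s['name']}: not responding")
            continue
        lag = (master_canary - parse_time(s["canary"])).total_seconds()
        if lag > max_lag_seconds:
            alerts.append(f"{s['name']}: replication lag {lag:.0f}s exceeds {max_lag_seconds}s")
        for dn, why in replica_drift(master["snapshot"], s["snapshot"]):
            alerts.append(f"{s['name']}: {dn} {why}")
    return alerts


# Constructed snapshots from one monitoring pass.
ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"
MASTER_SNAPSHOT = {ALICE: "20020115113000Z", BOB: "20020115115500Z"}
SERVERS = [
    {"name": "ldap1", "role": "master", "up": True,
     "canary": "20020115120000Z", "snapshot": MASTER_SNAPSHOT},
    {"name": "ldap2", "role": "replica", "up": True,              # healthy, 10 s behind
     "canary": "20020115115950Z", "snapshot": dict(MASTER_SNAPSHOT)},
    {"name": "ldap3", "role": "replica", "up": True,              # 15 min behind, missing bob
     "canary": "20020115114500Z", "snapshot": {ALICE: "20020115113000Z"}},
    {"name": "ldap4", "role": "replica", "up": False,             # bind failed
     "canary": None, "snapshot": {}},
]


def run_example(servers=SERVERS):
    return evaluate(servers)


if __name__ == "__main__":
    print("\n".join(run_example()) or "all checks passed")
```

A replica that is behind on the canary but otherwise identical usually needs no action beyond waiting; an entry that exists only on a replica, by contrast, is either a failed referral or an unauthorized local write and deserves a page either way.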

In the future, monitoring of the directory may be integrated with the other network monitoring functions. In addition to monitoring the directory server itself, the procedures that synchronize the PeopleSoft database tables with the directory simultaneously perform extensive data validation. If a discrepancy is noted, the synchronization tools automatically route problem notifications to the appropriate person who can repair it.



Understanding and Deploying LDAP Directory Services,  2002 New Riders Publishing


Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168