Understanding and Deploying LDAP Directory Services > 10. Replication Design > Advanced Features

Advanced Features

The advanced replication features described in the following sections are found in some, but not all, directory implementations. They offer finer control over when, and how quickly, changes are propagated from supplier to consumer.

Scheduling Replication

There are some cases in which a directory administrator might not want changes to be sent to all replicas immediately. For example, a remote office connected via a dialup link might be better served if updates can be transmitted in one batch to save connect time charges. Or a remote office connected via a slow network link might be configured to have updates propagated to a consumer server during off-hours to improve network response for other applications during working hours.

Unfortunately, scheduling replication in this fashion means that users connecting to the consumer will see stale data for potentially long periods of time. For many applications this is perfectly acceptable, but think carefully about any requirements you might have down the road. For example, if an employee is terminated, it may be necessary to reset his password immediately so he cannot log in. If the consumer is not scheduled to receive updates for another eight hours, the password change will not reach it until then, and the terminated employee can still authenticate against that replica in the meantime.

Scheduling Update Latency by Attribute Type

One solution to this latency problem is to incorporate a scheduling policy that propagates changes to certain attributes immediately and others less rapidly. With NDS (the only system we know of that currently offers this capability), certain attributes such as login passwords are propagated on a fast synchronization schedule (10 seconds after the attribute value is modified), whereas other attributes, such as last login timestamps in user entries, are scheduled for update on a slow synchronization schedule (30 minutes after the attribute value is modified). This feature seeks to minimize update time for security-critical values and defers other updates to conserve network bandwidth and server processing time. The NDS synchronization schedule is fixed and may not be altered.
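The two scheduling policies above, and the check a deployment should run against them, as an added example that is not code from the book or from any directory product. It models a change log as (time, DN, attribute) tuples and computes when each change becomes visible on the consumer under a fixed nightly window versus a per-attribute fast/slow schedule; the 10 s and 30 min delays are the NDS figures quoted in the text, while the attribute list, the sample changes, the replication windows, and the 60-second revocation SLA are assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy: attributes whose changes are security-critical get the
# fast schedule, everything else the slow one. The 10 s / 30 min figures are
# the NDS values quoted in the text; the attribute list is an assumption.
FAST_ATTRS = {"userpassword", "accountstatus"}
FAST_DELAY = timedelta(seconds=10)
SLOW_DELAY = timedelta(minutes=30)

# Constructed change log: (time of change on the supplier, entry DN, attribute).
MODS = [
    (datetime(2002, 1, 7, 9, 0, 0), "uid=bjensen,ou=People,dc=airius,dc=com", "userPassword"),
    (datetime(2002, 1, 7, 9, 5, 0), "uid=jdoe,ou=People,dc=airius,dc=com", "lastLoginTime"),
    (datetime(2002, 1, 7, 9, 7, 0), "uid=bjensen,ou=People,dc=airius,dc=com", "telephoneNumber"),
]

# Constructed batched schedule: one replication pass per night at 02:00
# over the dial-up link.
WINDOWS = [datetime(2002, 1, 7, 2, 0, 0), datetime(2002, 1, 8, 2, 0, 0), datetime(2002, 1, 9, 2, 0, 0)]


def due_by_attribute(mods):
    """Per-attribute latency: each change becomes visible on the consumer after
    the delay for its attribute class. Returns (due_time, dn, attr) in input order."""
    out = []
    for changed_at, dn, attr in mods:
        delay = FAST_DELAY if attr.lower() in FAST_ATTRS else SLOW_DELAY
        out.append((changed_at + delay, dn, attr))
    return out


def due_by_window(mods, windows):
    """Batched schedule: a change waits for the next replication window that
    opens at or after it. due_time is None when no later window is configured."""
    windows = sorted(windows)
    out = []
    for changed_at, dn, attr in mods:
        due = next((w for w in windows if w >= changed_at), None)
        out.append((due, dn, attr))
    return out


def revocation_violations(mods, due, sla=timedelta(seconds=60)):
    """Security-critical changes whose consumer visibility lags the supplier by
    more than sla. Returns (dn, attr, lag); lag is None if it never replicates."""
    bad = []
    for (changed_at, dn, attr), (due_at, _, _) in zip(mods, due):
        if attr.lower() not in FAST_ATTRS:
            continue
        lag = None if due_at is None else due_at - changed_at
        if lag is None or lag > sla:
            bad.append((dn, attr, lag))
    return bad


if __name__ == "__main__":
    for name, due in (("per-attribute", due_by_attribute(MODS)),
                      ("nightly window", due_by_window(MODS, WINDOWS))):
        print(name, "violations:", revocation_violations(MODS, due))
```

Under the nightly window the 09:00 password reset is not visible on the consumer until 02:00 the next day, a 17-hour exposure that the SLA check flags; under the per-attribute schedule it arrives in 10 seconds while the timestamp and phone number changes still wait the full 30 minutes.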

Schema and Replication

The purpose of replication is to provide copies of directory data in multiple physical locations. It makes sense, therefore, that supplier and consumer servers should have the same schema. Serious problems would arise if, for example, a supplier server attempted to add an entry of some object class not allowed by the consumer's schema (the operation would be rejected, and the consumer could never be brought into synchronization).

Hence, suppliers and consumers must agree on schema before replication can take place. Some directory services, such as NDS, handle this automatically; others, such as Netscape Directory Server 4.0, rely on the supplier server to enforce schema. Consumer servers assume that updates coming from the supplier already comply with the consumer's schema, so they do not check the schema when applying updates. This places the integrity of the consumer's data entirely in the supplier's hands: whatever the supplier sends is stored as is, so the administrator must keep the two schemas identical, and a supplier whose schema has drifted from the consumer's will happily push entries the consumer would have refused had they arrived from a client.
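A minimal version of the supplier-side schema gate the passage describes, as an added example that is not the book's code or any product's implementation. The object classes are modelled only as MUST and MAY attribute sets (no superior-class chaining, syntaxes or matching rules), and the two schema tables and the sample entries are constructed; the consumer schema deliberately lacks one object class to reproduce the mismatch the text warns about. The example goes one step beyond the passage by diffing the two schemas up front, since that is what an administrator must actually verify before enabling replication to a consumer that will not check.

```python
# Constructed, deliberately tiny schema: objectClass -> (MUST attrs, MAY attrs).
# Real schemas chain superior classes and define syntaxes; this model does not.
SUPPLIER_SCHEMA = {
    "top": (set(), set()),
    "person": ({"cn", "sn"}, {"userpassword", "telephonenumber", "description"}),
    "inetorgperson": ({"cn", "sn"}, {"mail", "uid", "userpassword", "lastlogintime"}),
}
# The consumer was never given inetOrgPerson: the mismatch the text warns about.
CONSUMER_SCHEMA = {oc: rules for oc, rules in SUPPLIER_SCHEMA.items() if oc != "inetorgperson"}


def check_entry(entry, schema):
    """Return the schema violations for one entry; an empty list means it conforms."""
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        return ["entry has no objectClass"]
    problems, required, allowed = [], set(), {"objectclass"}
    for oc in classes:
        if oc not in schema:
            problems.append(f"unknown objectClass '{oc}'")
            continue
        must, may = schema[oc]
        required |= must
        allowed |= must | may
    for name in sorted(required - attrs.keys()):
        problems.append(f"missing required attribute '{name}'")
    for name in sorted(attrs.keys() - allowed):
        problems.append(f"attribute '{name}' not allowed by objectClass {classes}")
    return problems


def schema_diff(supplier, consumer):
    """Object classes and attributes the supplier accepts but the consumer has no
    definition for. Every one of these is an update the supplier would pass and
    the consumer would then store without checking."""
    missing_classes = set(supplier) - set(consumer)
    missing_attrs = set()
    for oc, (must, may) in supplier.items():
        if oc in consumer:
            c_must, c_may = consumer[oc]
            missing_attrs |= (must | may) - (c_must | c_may)
    return missing_classes, missing_attrs


def safe_to_replicate(entry):
    """Supplier-side gate: the update must conform to the supplier's schema and
    to the consumer's, because the consumer will not check it again."""
    return check_entry(entry, SUPPLIER_SCHEMA) == [] and check_entry(entry, CONSUMER_SCHEMA) == []


# Constructed entries (attribute names are case-insensitive, as in LDAP).
PERSON = {"objectClass": ["top", "person"], "cn": ["Barbara Jensen"], "sn": ["Jensen"],
          "userPassword": ["{SSHA}constructed"]}
BAD_PERSON = dict(PERSON, mail=["bjensen@airius.com"])   # mail is not allowed on person here
INETORG = {"objectClass": ["top", "inetOrgPerson"], "cn": ["John Doe"], "sn": ["Doe"],
           "mail": ["jdoe@airius.com"]}

if __name__ == "__main__":
    print("schema gap:", schema_diff(SUPPLIER_SCHEMA, CONSUMER_SCHEMA))
    for label, e in (("person", PERSON), ("bad person", BAD_PERSON), ("inetOrgPerson", INETORG)):
        print(label, "supplier:", check_entry(e, SUPPLIER_SCHEMA),
              "consumer:", check_entry(e, CONSUMER_SCHEMA), "replicate:", safe_to_replicate(e))
```

The inetOrgPerson entry is valid on the supplier and would be shipped, but it violates the consumer's schema; a consumer that trusted the supplier would store it anyway, and one that did check would reject it and fall permanently out of sync, which is the failure mode the passage describes.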

Access Control and Replication

Virtually all directory products offer some way of controlling access to the data contained in the directory tree, usually via an access control list (ACL) mechanism. When the contents of the tree are replicated, it is desirable to also replicate any associated ACL information so that the same protections apply to both the replicated data and the original data. More information about access control can be found in Chapter 11, "Privacy and Security Design."

Most, if not all, directory software stores ACLs as attributes of entries. In most cases, this means that the ACLs merely need to be replicated along with other directory content. As long as the supplier and consumer server use the same ACL syntax, and as long as those ACLs mean the same thing on both, their directory entries will have the same access control.

In most cases, then, it is sufficient to replicate ACLs along with directory content. The one time this gets tricky is when ACLs have a scope that extends down the directory tree and crosses a unit of replication (see Figure 10.18).

Figure 10.18 Access control information stored above a replicated subtree.

In Figure 10.18, the entry dc=airius, dc=com on the supplier server contains an access control directive that applies to all entries below it. However, this entry is not contained within the replicated subtree, so the consumer server lacks the access control information it needs to properly control access to its replicated subtree.

Netscape Directory Server allows you to configure replication in this manner, with the governing ACL stored above the replicated subtree, so be sure when designing your replication strategy that you include ACLs at the top of all replicated subtrees. (The default in Netscape Directory Server is to deny all access in the absence of ACL information, so a problem like the one in Figure 10.18 results in a consumer that refuses requests rather than one that exposes directory information to unauthorized access.) NDS, on the other hand, always maintains links between partitions that allow it to automatically find and enforce ACLs stored in superior entries, at the cost of additional network traffic. The X.500 model, meanwhile, specifies that any access control information contained in subentries must be provided to the consumer by the supplier, even if that information is contained in subentries above the replicated subtree.

To summarize, lightweight directory servers such as Netscape's place the responsibility for managing ACL information across replicas on the administrator, but they offer fast performance because all needed ACL information is local to the replicated server. More-heavyweight systems such as X.500 and NDS attempt to manage this information for the administrator.
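A pre-deployment audit for the Figure 10.18 problem, as an added example that is not code from the book or from Netscape Directory Server. It models a supplier tree as a dictionary of DNs to entries, walks from each entry up toward the root to find the ACIs in scope, and compares that with the walk a consumer holding only the replicated subtree can perform. The DNs and the two ACI strings are constructed (the strings use the Netscape aci syntax but are never interpreted); the replica root is the "ou=People" subtree, standing in for the replicated subtree in the figure. The last function applies the fix the text recommends by restating inherited ACIs on the replica root, under the stated assumption that none of them names a superior DN in a target clause.

```python
# Constructed supplier tree. ACI values are Netscape Directory Server aci syntax
# kept as plain strings; this model only tracks where they are stored.
ANON_READ = '(targetattr="*")(version 3.0; acl "anon read"; allow (read,search) userdn="ldap:///anyone";)'
SELF_WRITE = '(targetattr="userPassword")(version 3.0; acl "self write"; allow (write) userdn="ldap:///self";)'

DIRECTORY = {
    "dc=airius,dc=com": {"aci": [ANON_READ]},
    "ou=People,dc=airius,dc=com": {},
    "uid=bjensen,ou=People,dc=airius,dc=com": {"aci": [SELF_WRITE]},
    "uid=jdoe,ou=People,dc=airius,dc=com": {},
}
REPLICA_ROOT = "ou=People,dc=airius,dc=com"   # the unit of replication, as in Figure 10.18


def parent_dn(dn):
    """Naive parent: split at the first comma. The constructed DNs here contain
    no escaped commas, which a real DN parser would have to honour."""
    return dn.split(",", 1)[1] if "," in dn else None


def effective_acis(dn, directory, replica_root=None):
    """ACIs in scope for dn, walking from the entry up toward the root. With
    replica_root given, the walk stops there: that is all a consumer holding
    only that subtree has to work with."""
    acis, cur = [], dn
    while cur is not None:
        acis.extend(directory.get(cur, {}).get("aci", []))
        if cur == replica_root:
            break
        cur = parent_dn(cur)
    return acis


def missing_on_consumer(dn, directory, replica_root):
    """ACIs that govern dn on the supplier but never reach the consumer."""
    consumer_view = effective_acis(dn, directory, replica_root)
    return [a for a in effective_acis(dn, directory) if a not in consumer_view]


def audit_replica(directory, replica_root):
    """Every entry in the replica mapped to the ACIs its consumer would lack."""
    report = {}
    for dn in directory:
        if dn == replica_root or dn.endswith("," + replica_root):
            missing = missing_on_consumer(dn, directory, replica_root)
            if missing:
                report[dn] = missing
    return report


def consumer_grants_anything(dn, directory, replica_root):
    """Default-deny model from the text: with no ACI in scope on the consumer,
    every request is refused rather than data being exposed."""
    return bool(effective_acis(dn, directory, replica_root))


def copy_superior_acis(directory, replica_root):
    """The fix the text recommends: restate on the replica root every ACI it
    inherits from above, so the ACI travels with the replicated data. Returns a
    modified copy. Assumption: the inherited ACIs carry no target clause naming
    a superior DN; such an ACI would need rewriting, not copying."""
    fixed = {dn: {k: list(v) for k, v in entry.items()} for dn, entry in directory.items()}
    above = parent_dn(replica_root)
    inherited = effective_acis(above, directory) if above else []
    root_acis = fixed.setdefault(replica_root, {}).setdefault("aci", [])
    for aci in inherited:
        if aci not in root_acis:
            root_acis.append(aci)
    return fixed


if __name__ == "__main__":
    print("before:", audit_replica(DIRECTORY, REPLICA_ROOT))
    print("after: ", audit_replica(copy_superior_acis(DIRECTORY, REPLICA_ROOT), REPLICA_ROOT))
```

Before the fix every entry in the replica is missing the anonymous-read ACI stored on dc=airius,dc=com, and the consumer, having no ACI in scope, denies all reads; after the ACI is restated on ou=People the audit is clean. Run the audit whenever the replication topology or an ACI above a replica root changes.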



Understanding and Deploying LDAP Directory Services,  2002 New Riders Publishing

Understanding and Deploying LDAP Directory Services (2nd Edition), ISBN 0672323168