Directory Design & Operations at Princeton University
May 12, 1999 Common Solutions Group, DS Workshop
Directory Design & Operations at Princeton University
Michael R. Gettes
Collaboration Services Group (CSG)
Enterprise Services Directorate, CIT
Common Solutions Group Directory Service/Schema Design Workshop
May, 1999
Problems to solve
- Multiple Name Spaces
- Operational Data vs. Phonebook
- Modern Apps Directory Enabled
- Schema Design and Data Mapping
- Proper Schema Usage vs. Reality
- Operations: Replication, Access, Application Reqs, Performance, Etc.
Multiple Name Spaces
- Unix, Novell, NT, VM/MVS, E-Mail/Lists
- Need to Unify Name Space before really able to leverage a central directory
- Unified 3/99; took 4 months to do
  – Includes 2100 ListProc list addresses
- LDAP went “production” 3/98, install 6/97
- Now looking at central userid mgmt with LDAP instead of homegrown glue.
Operational vs. View Only
- Operational – E-mail access & Routing, Web Auth, Proxy Svcs, Certificates - a wee bit
- View Only
  – CSO before, CSO2LDAP now
- View Only - NOT
  – No Rules, No Control
  – Fight the Future?
Schema Design @ Princeton
- Keep CSO attributes alive, how far?
- Use what popular apps expect
  – Netscape, IE/Outlook
- Make LDAP enabled apps work
  – Netscape Messaging Server only, at the time
- NIS & NT user management? These schemas are not well defined. Sun v. padl
- How did we do? Quite well, of course!
Schema Design @ Princeton
- Proper Schema vs. Reality
  – E-mail routing (Sendmail) vs. NSMS
    • attribute function overload
  – objectclass: puPerson (superior is inetorgperson)
  – like, can you relate?
    • universityid/ref to solve multi-ids
  – Tracking: Why a DN exists, who did last
Schema Design @ Princeton
- Princeton Attributes defined to Netscape Directory Server
- Netscape Search and Sample LDIF
- What’s in a DN?
  – Cn=name (addr),o=,c=
    • no OU! But ou defined. Multiple locations?
- DN’s are just that, not to be parsed.
  – Wouldn’t that be nice?
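The slide's point that a DN is "not to be parsed" is easiest to see with a parser that does it properly. The following is an added example, not code from the deck or from Netscape Directory Server: it parses and builds DNs with RFC 4514 escaping, and shows why a textual suffix check ("does this DN end in o=Example?") is unsafe when a value can carry an escaped comma. The DNs, attribute values and the is_under helper are constructed for this example.

```python
"""Parse and build LDAP distinguished names with RFC 4514 escaping.

Added example, not code from the Princeton deck. It shows why a DN is "not to
be parsed" with str.split(): an attribute value may hold an escaped comma,
plus sign or equals, one RDN may carry several type=value pairs joined by '+',
and a '\\XX' hex escape can encode any byte. The DNs used below are constructed
for this example.
"""
from typing import List, Tuple

RDN = List[Tuple[str, str]]      # one RDN as a list of (type, value) pairs
SPECIAL = set(',+"\\<>;=')        # characters that must be backslash-escaped in a value
HEX = set('0123456789abcdefABCDEF')


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, ignoring separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair intact for now
            i += 2
        elif text[i] == sep:
            parts.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append(''.join(cur))
    return parts


def _unescape(raw: str) -> str:
    """Decode '\\c' and '\\XX' escapes in an attribute value."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != '\\':
            out += raw[i].encode('utf-8')
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            out.append(int(pair, 16))      # hex escape: one raw byte
            i += 3
        elif i + 1 < len(raw):
            out += raw[i + 1].encode('utf-8')
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return out.decode('utf-8')


def _strip_value(value: str) -> str:
    """Drop unescaped surrounding spaces; an escaped trailing '\\ ' is data."""
    value = value.lstrip(' ')
    while value.endswith(' ') and not value.endswith('\\ '):
        value = value[:-1]
    return value


def parse_dn(dn: str) -> List[RDN]:
    """Return the DN as a list of RDNs, leftmost first, with values decoded."""
    if dn.strip() == '':
        return []                            # the empty (root) DN
    rdns = []
    for rdn_text in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn_text, '+'):
            attr, eq, value = ava.partition('=')
            attr = attr.strip().lower()
            if not eq or not attr:
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr, _unescape(_strip_value(value))))
        rdns.append(avas)
    return rdns


def escape_value(value: str) -> str:
    """Escape one attribute value so it can be placed in a DN string safely."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)          # leading space/'#' and trailing space
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: join RDNs with ',' and multi-valued RDNs with '+'."""
    return ','.join('+'.join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or sits below it, compared RDN by RDN.

    A textual dn.endswith(base) check is fooled by a value that merely looks
    like ',o=Example'; comparing parsed RDNs is not. Values are compared
    exactly here; a real server applies the attribute's matching rule.
    """
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

Use build_dn, never string concatenation, when an application has to construct a DN from data it did not generate itself; use is_under (or the server's own scope handling) rather than a suffix comparison when an authorization decision depends on where an entry lives.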
Resources
- Michael Gettes and Lee Varian
  – little if any interaction with others given data control sensitivities and most issues worked out previously because Lee generated the printed campus phonebook, permission not needed.
- no $$, no formal plan, no new policy
  – Almost invisible, therefore successful
Operations
- Mainframe (VM/CMS) bulk mgmt
- 1 supplier + 3 consumers
- Last user visible failure - CSG 1/99
- Netscape DS 3.12 Solaris
- PerLDAP scripting very powerful
  – All ops on-line, NO DOWNTIME!!!
- Web interface to LDAP https://directory.Princeton.EDU
FOR MORE INFO...
Operations: NSMS & Sendmail
- E-Mail Replica
  – pbind to single cpu, nice to high priority
  – 4000 ops per minute - NSMS inefficient
  – 100MB memory cache for 9000 users
  – Failover works for online repairs
  – Replica Monitoring and Notification
- NSDIRSECUG Mailing List: [email protected]
FOR MORE INFO...
Operations: General
- 28,000 DNs - 80MB DB, 22MB ldif
- Communicator configured for multiple servers
- Backups - On-line LDIF dumps 1/hr
  – no good solution for backing up LDAP
- Few Directory Managers (5)
- Help Desk has some privs for quick support to users - access lists
Operations: General
- Access Lists
  – What can users change?
  – What do Dir Mgrs change?
  – Audit
- Limits
  – 500 max entries returned (not dumper)
  – near 0 look-through limit (values that have ‘*’ in them cause problems).
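Why values containing '*' cause problems under a tight look-through limit comes down to filter escaping: a bare asterisk in an assertion value is a substring wildcard, so the only way to ask for a literal '*' is the RFC 4515 escape '\2a'. The same rule is what keeps user input pasted into a filter from matching every entry. The block below is an added example, not the deck's or Netscape DS's code; its entries, its toy filter evaluator and the indexed-versus-scan cost model it uses for the look-through limit are constructed for this example.

```python
"""Escape LDAP search filter values (RFC 4515) and show what an unescaped '*' does.

Added example, not from the Princeton deck or Netscape DS. A literal asterisk
inside an assertion value must be sent as '\\2a'; left bare it turns an
equality test into a substring scan, which is why entries whose values
contain '*' are awkward under a tight look-through limit and why user input
pasted into a filter can match every entry. The entries, the toy evaluator
and its indexing model are constructed for this example.
"""
import re
from typing import List, Optional

HEX = set('0123456789abcdefABCDEF')
_SIMPLE_FILTER = re.compile(r'^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$')

# Constructed directory entries; attribute names are lower-cased keys.
ENTRIES = [
    {'dn': 'uid=jdoe,ou=People,o=Example', 'uid': ['jdoe'], 'cn': ['Jane Doe']},
    {'dn': 'uid=rroe,ou=People,o=Example', 'uid': ['rroe'], 'cn': ['Richard Roe']},
    {'dn': 'uid=tlead,ou=People,o=Example', 'uid': ['tlead'], 'cn': ['Team * Lead']},
]


def escape_filter_value(value: str) -> str:
    """Escape '*', '(', ')', '\\' and NUL as \\XX so the value is taken literally."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def _decode(component: str) -> str:
    """Turn \\XX escapes in a filter component back into characters."""
    buf, i = bytearray(), 0
    while i < len(component):
        pair = component[i + 1:i + 3]
        if component[i] == '\\' and len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            buf.append(int(pair, 16))
            i += 3
        else:
            buf += component[i].encode('utf-8')
            i += 1
    return buf.decode('utf-8')


def _matches(assertion: str, actual: str) -> bool:
    """Evaluate one assertion value against one stored value (case-insensitive).

    A bare '*' in the assertion is a substring wildcard; an escaped '\\2a' is data.
    """
    parts = [_decode(p).lower() for p in assertion.split('*')]
    a = actual.lower()
    if len(parts) == 1:
        return parts[0] == a                      # equality match
    first, *middle, last = parts
    if len(a) < len(first) + len(last) or not a.startswith(first) or not a.endswith(last):
        return False
    pos, end = len(first), len(a) - len(last)
    for m in middle:                              # 'any' components must appear in order
        idx = a.find(m, pos, end)
        if idx < 0:
            return False
        pos = idx + len(m)
    return True


def search(entries, filt: str, look_through_limit: Optional[int] = None) -> List[str]:
    """Return DNs matching a single (attr=value) filter.

    Simplified cost model: an equality filter is answered from an index and
    only candidate entries are examined; a wildcard filter is an unindexed
    scan that examines every entry. Exceeding look_through_limit raises, as
    a server would return adminLimitExceeded.
    """
    m = _SIMPLE_FILTER.match(filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt!r}")
    attr, value = m.group('attr').lower(), m.group('value')
    wildcard = '*' in value
    examined, hits = 0, []
    for entry in entries:
        matched = any(_matches(value, v) for v in entry.get(attr, []))
        examined += 1 if (wildcard or matched) else 0
        if look_through_limit is not None and examined > look_through_limit:
            raise RuntimeError("adminLimitExceeded: look-through limit reached")
        if matched:
            hits.append(entry['dn'])
    return hits


def find_by_uid_unsafe(entries, user_input: str) -> List[str]:
    """Filter built by interpolation: a '*' from the user changes the query."""
    return search(entries, f"(uid={user_input})")


def find_by_uid(entries, user_input: str) -> List[str]:
    """Same lookup with the value escaped: the input can only ever be an exact uid."""
    return search(entries, f"(uid={escape_filter_value(user_input)})")
```

With a look-through limit of 2 on these three entries, (cn=*) is refused while (cn=Jane Doe) still answers, and the entry whose cn really is "Team * Lead" is reachable by equality only as (cn=Team \2a Lead).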
Operations: Mailing Lists
- 2100 Listproc Lists defined to LDAP for sendmail routing, automatically
- Sendmail routes using DN which can see the lists
- Would like to have Listproc keep list subscribers or obtain lists from group definitions in LDAP (merged groups).
Operations: Sendmail 8.9.3/8.10
- Based on work by Stanford
- Princeton extended support for looking up multiple attrs and returning multiple addresses.
- Princeton changes available in 8.10
- May 4, 1999: Moved all .forward files into LDAP, implementation by
  • Curt Hillegas <[email protected]>
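Moving .forward files into LDAP and routing lists through the same lookup means the resolver has to find a recipient under more than one address attribute, hand back every forwarding address, and cope with a forward that points at another local recipient or back at itself. The block below is an added example of that resolution step, not Princeton's or sendmail's code: the attribute names (mail, mailAlternateAddress, mailForwardingAddress), the local domain and the LDIF records are assumptions constructed for this example.

```python
"""Resolve .forward-style routing stored in LDAP entries.

Added example, not Princeton's or sendmail's code. It does what a .forward-in-
LDAP setup needs: find the recipient under more than one address attribute,
return every forwarding address, expand forwards that point at other local
recipients, and stop when the chain loops back on itself. The attribute names
(mail, mailAlternateAddress, mailForwardingAddress), the local domain and the
LDIF records are assumptions constructed for this example.
"""
from typing import Dict, List

LOCAL_DOMAINS = {'example.edu'}                    # assumed local domain
LOOKUP_ATTRS = ('mail', 'mailalternateaddress')    # attributes a recipient may be found under
FORWARD_ATTR = 'mailforwardingaddress'             # multi-valued: one value per destination

# Constructed sample directory. jdoe forwards to two places, rroe forwards to
# jdoe, staff forwards to rroe and to itself (a loop), hdesk has no forwarding.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=Example
objectclass: inetOrgPerson
mail: jdoe@example.edu
mailAlternateAddress: jane.doe@example.edu
mailForwardingAddress: jdoe@mailhost.example.edu
mailForwardingAddress: jane@personal.example.net

dn: uid=rroe,ou=People,o=Example
objectclass: inetOrgPerson
mail: rroe@example.edu
mailForwardingAddress: jdoe@example.edu

dn: cn=staff,ou=Lists,o=Example
objectclass: inetOrgPerson
mail: staff@example.edu
mailForwardingAddress: rroe@example.edu
mailForwardingAddress: staff@example.edu

dn: uid=hdesk,ou=People,o=Example
objectclass: inetOrgPerson
mail: hdesk@example.edu
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank lines.

    Base64 ('::') values and continuation lines are not handled here.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, sep, value = line.partition(':')
        if not sep:
            raise ValueError(f"bad LDIF line: {line!r}")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def build_index(entries) -> Dict[str, Dict[str, List[str]]]:
    """Map every lookup address (lower-cased) to its entry."""
    index = {}
    for entry in entries:
        for attr in LOOKUP_ATTRS:
            for addr in entry.get(attr, []):
                index[addr.lower()] = entry
    return index


def is_local(address: str) -> bool:
    return address.rpartition('@')[2].lower() in LOCAL_DOMAINS


def resolve(address: str, index, max_depth: int = 8) -> List[str]:
    """Return the final delivery addresses for one recipient, sorted.

    Remote addresses and local addresses with no entry are returned as-is for
    the MTA to handle; a local entry with no forwarding delivers to its primary
    mail address. Addresses already expanded are skipped, which breaks loops;
    max_depth bounds long chains.
    """
    final, seen = set(), set()

    def walk(addr: str, depth: int) -> None:
        addr = addr.lower()
        if addr in seen:
            return                              # loop or duplicate: already expanded
        seen.add(addr)
        if depth > max_depth:
            raise RuntimeError(f"forwarding chain too deep at {addr}")
        entry = index.get(addr)
        if not is_local(addr) or entry is None:
            final.add(addr)
            return
        forwards = entry.get(FORWARD_ATTR, [])
        if not forwards:
            final.add(entry.get('mail', [addr])[0].lower())
            return
        for target in forwards:
            walk(target, depth + 1)

    walk(address, 0)
    return sorted(final)


DIRECTORY = build_index(parse_ldif(SAMPLE_LDIF))
```

The loop case matters once lists and personal forwards share one store: staff forwards to itself and to rroe, rroe forwards to jdoe, and the resolver still terminates with jdoe's two destinations.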
Online Demo: IF Possible
- https://directory.Princeton.EDU
- Manage Mail Account
- Replica Monitoring
- Kerberos Backend Authentication
  • let the firestorm begin!