Oracle Fusion Middleware Evaluation Guide for Oracle Directory Server Enterprise Edition

Chapter 3 High Data Availability and Integrity

This chapter describes the Directory Server Enterprise Edition features that provide high data availability and integrity. This chapter covers the following topics:

Robust Replication

Directory Server provides a robust replication mechanism, including the following features:

Unlimited Masters for Replication

In a multi-master replication environment, data is updated on multiple masters. Each master maintains a change log, and the changes made on each master are replicated to the other servers. Each master plays the role of supplier and consumer. Directory Server has no limits on the number of masters, allowing your multi-master replication topology to include an unlimited number of masters in multiple data centers.

You can also configure your replication topology to contain only masters, eliminating the need to route operations to consumers and simplifying your overall deployment.

Prioritized Replication

Directory Server allows you to prioritize updates for replication. Priority is a boolean feature and is on or off. You can prioritize replication according to the following parameters:

The priority rules are configured on each master replica. The master can replicate an update to one or more hubs or consumer replicas. The priority of the update is then cascaded across all of the hubs and consumer replicas. If one parameter is configured for prioritized replication, all updates that have that parameter are prioritized for replication. If multiple parameters are configured for prioritized replication, only updates that match all parameters are prioritized for replication.

See Replication Priority in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition for instructions on configuring prioritized replication using command-line tools.

Replicated Account Lockout Attributes

Directory Server replicates account lockout data that is stored when a client application fails to authenticate to the server. You can use this feature with the Directory Proxy Server capability to route binds appropriately. Together, these features provide global account lockout. Global account lockout prevents a client application from gaining more than a specified number of login attempts across an entire directory service topology.

See Preventing Authentication by Using Global Account Lockout in Oracle Fusion Middleware Deployment Planning Guide for Oracle Directory Server Enterprise Edition for an overview of the topic.

Monitoring Replication Convergence

Directory Server quickly calculates the number of pending replication changes. Directory Server finds the oldest change that the consumer is aware of and can compare it with the other servers, making it possible to calculate the replication delay. From this change, the consumer can also browse the list of changes until the most recent change, and count the number of changes that need to be applied.

Moreover, this attribute can be queried with virtually no impact to Directory Server performance, regardless of how large the change log grows.
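The following is an added example, not code from the Oracle guide: a small Python model of the computation the two paragraphs above describe, with the change log represented as a list of change sequence numbers (CSNs) kept in the order they were logged. The CSN class, the constructed change log and the consumer's "last applied" position are assumptions for illustration and are not Directory Server's internal structures.

```python
"""Model of pending-change counting and replication delay (added example;
not Directory Server code). CSNs, the change log and the consumer position
are constructed for illustration."""
import bisect
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True, order=True)
class CSN:
    """Change sequence number; ordering is time, then sequence, then replica."""
    time: int        # seconds since the epoch when the change was made
    seq: int         # orders changes made within the same second
    replica_id: int  # tie-breaker between replicas


# Constructed supplier change log, in the order the changes were logged.
CHANGELOG: List[CSN] = [
    CSN(1000, 0, 1),
    CSN(1000, 1, 1),
    CSN(1030, 0, 1),
    CSN(1060, 0, 1),
    CSN(1090, 0, 1),
]


def pending_changes(changelog: List[CSN], consumer_last: CSN) -> Tuple[int, int]:
    """Return (count, delay_seconds) for one supplier.

    count is the number of logged changes newer than the most recent change
    the consumer has applied; delay_seconds is the age gap between the
    supplier's newest change and that consumer position. Because the log is
    ordered, the consumer position is found by bisection rather than by
    scanning from the start, so the cost does not grow with the log size."""
    if not changelog:
        return 0, 0
    position = bisect.bisect_right(changelog, consumer_last)
    count = len(changelog) - position
    delay = changelog[-1].time - consumer_last.time if count else 0
    return count, delay


def convergence_report(logs: Dict[str, List[CSN]],
                       consumer_last: CSN) -> Dict[str, Tuple[int, int]]:
    """Compare the consumer position against several suppliers at once."""
    return {name: pending_changes(log, consumer_last) for name, log in logs.items()}


if __name__ == "__main__":
    # Constructed consumer position: it has applied everything up to 1030.
    print(convergence_report({"master1": CHANGELOG}, CSN(1030, 0, 1)))
```

A count of zero means the consumer has converged with that supplier; a non-zero count together with a growing delay is the signal to look at the replication agreement before the backlog becomes an outage.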

In the Directory Service Control Center, you can view a summary of all the pending changes for a given suffix. In the Suffixes tab, the pending changes are in the Missing Changes column, as shown in the following figure.

Illustration of the Suffixes tab in the Directory Service Control Center.

Importing Many Entries to Large Replicated Suffixes

Directory Server provides a mechanism for adding new entries to an existing database. This import process checks if a given entry already exists so that data is not overwritten. This feature allows you to import an LDIF file in multiple passes at different times. Successive imports do not delete what already exists in the database.

For more information about importing entries to large replicated suffixes, see Incrementally Adding Many Entries to Large Replicated Suffixes in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition.

Synchronized Backup and Export

All offline and online backup methods can be invoked in the CLI by using dsadm or dsconf. The default behavior for these commands is to operate in synchronous mode. The commands do not return a completion code until the task is complete.

You can use the dsconf import, dsconf export, dsconf backup, and dsconf restore commands in an asynchronous mode by setting the -a flag.

Compacting Database Files

Directory Server now allows you to compact the database files to reduce disk use and reduce backup time. You can compact an existing suffix using the dsadm repack command. The instance must be stopped before running this command.

For more information about compacting your database files using the dsadm command, see the dsadm(1M) man page.

File System Snapshot of Frozen Database

Directory Server provides a configurable feature that enables you to stop database updates on disk so that a file system snapshot can be taken safely.

When frozen mode is set, all configured databases are taken offline. Any internal operations in progress are notified of the database going offline. LDAP operations in progress are completed, and the database environment is flushed. Subsequent incoming operations are refused until the server property is reset to read-write or read-only. In a single server topology, operations received when frozen mode is on result in an LDAP error being returned.

The standard error message for database offline is logged. In a replicated topology, a referral is returned. For this feature to work correctly, no other tasks should be running on the databases. Set the frozen mode using the dsconf set-server-prop command as follows:

    dsconf set-server-prop read-write-mode:frozen

Once this property is set, you can safely take the file system snapshot.
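The following is an added example, not code from the Oracle guide: it drives the freeze, snapshot, reset sequence described above from Python so that the server cannot be left in frozen mode (refusing operations or returning referrals) if the snapshot step fails. It assumes dsconf is on PATH and that extra_args carries whatever connection options dsconf needs for the instance (the -p port in the usage is a placeholder); take_snapshot is a hypothetical callable that wraps the file system's own snapshot tool, shown here with a zfs snapshot of a placeholder dataset name.

```python
"""Freeze, snapshot, reset (added example; not Oracle code). The zfs helper,
dataset name and port are assumptions for illustration."""
import subprocess
from typing import Callable, Sequence

Runner = Callable[[Sequence[str]], None]
VALID_MODES = ("frozen", "read-write", "read-only")


def dsconf_runner(argv: Sequence[str]) -> None:
    """Invoke one dsconf command line and raise if it exits non-zero."""
    subprocess.run(list(argv), check=True)


def set_read_write_mode(run: Runner, mode: str,
                        extra_args: Sequence[str] = ()) -> None:
    """dsconf set-server-prop [options] read-write-mode:<mode>"""
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported read-write-mode: {mode!r}")
    run(["dsconf", "set-server-prop", *extra_args, f"read-write-mode:{mode}"])


def snapshot_frozen_database(run: Runner, take_snapshot: Callable[[], str],
                             restore_mode: str = "read-write",
                             extra_args: Sequence[str] = ()) -> str:
    """Set frozen mode, take the snapshot, then restore restore_mode.

    The reset runs in a finally block: whether take_snapshot returns or
    raises, the property is put back so clients stop receiving errors
    (single server) or referrals (replicated topology). Returns whatever
    take_snapshot returned, for example the snapshot name."""
    set_read_write_mode(run, "frozen", extra_args)
    try:
        return take_snapshot()
    finally:
        set_read_write_mode(run, restore_mode, extra_args)


def zfs_snapshot(dataset: str, name: str) -> str:
    """Hypothetical helper: snapshot a ZFS dataset and return the snapshot name."""
    snapshot = f"{dataset}@{name}"
    subprocess.run(["zfs", "snapshot", snapshot], check=True)
    return snapshot


if __name__ == "__main__":
    # Placeholder dataset: use the file system that holds instance-dir/db.
    created = snapshot_frozen_database(
        dsconf_runner,
        lambda: zfs_snapshot("pool/dsee-instance", "pre-backup"),
        extra_args=["-p", "1389"],
    )
    print("snapshot taken:", created)
```

Because the guide notes that no other tasks should be running on the databases while frozen, schedule this outside any import, export or backup window; the try/finally only limits how long a failed snapshot keeps the instance unavailable, it does not make frozen mode safe to combine with other tasks.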

See Backing Up a File System in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition for instructions on configuring frozen mode using command-line tools.

Changing Attributes While the Server Is Online

In previous versions of Directory Server, attributes such as the all IDs threshold and the data directory paths that correspond to the dsconf command properties db-env-path, db-log-path, and db-path required the server to be offline when the attribute value was changed. You can now change the values of such attributes while the instance is online.

Although the values can be changed online, changes for some attributes might not take effect until after the instance has been restarted. In addition, some changes require manual intervention before restarting. For example, you can change the data directory path settings with the server online, but before you restart the server to put the change into effect, you must perform the following procedure.

Procedure: To Change the Data Directory Path With the Server Online

Before You Begin

The reference manual pages indicate that after you change the server db-env-path, db-log-path, or the suffix db-path, you must perform an export to LDIF, and then import from LDIF. Alternatively, you can move the data files. If, however, any of the steps in the following procedure do not complete successfully, or if the new configuration does not coincide exactly with the layout resulting from the steps of this procedure, you must reinitialize the server or restore from backup.

  1. Back up your server, or make sure that you can reinitialize the server from another instance.

  2. Create the new file system directory with the same ownership and permissions as the old file system directory.

    Make sure the new directory resides in a file system with enough free space to hold the data.

  3. Stop the server.

    If the server is not stopped cleanly, you must reinitialize the server or restore from backup.

  4. Move, do not copy, the files from the old file system directory to the new file system directory.

    Parameter      Files to move
    db-env-path    instance-dir/db/_db.*
                   instance-dir/db/DBVERSION
    db-log-path    instance-dir/db/log.*
    db-path        instance-dir/db/backend-dir/*

  5. If the old directory is now empty, or contains only empty directories, delete the old directory.

  6. Restart the server.
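The following is an added example, not code from the Oracle guide: a Python implementation of steps 2, 4 and 5 of the procedure above, with the checks that decide whether it is safe to continue (same ownership and permissions on the new directory, enough free space, never overwriting an existing target, and deleting the old directory only when it holds nothing but empty directories). It assumes the caller has already backed up and stopped the server (steps 1 and 3) and that instance-dir/db has the default layout from the table; the dsconf properties are mapped to file patterns exactly as the table lists them, and all paths in the usage are placeholders.

```python
"""Move Directory Server database files to new db-env-path, db-log-path and
db-path locations (added example; not Oracle code). Paths are placeholders."""
import os
import shutil
import sys
from pathlib import Path
from typing import Dict, List


def make_dir_like(src: Path, dst: Path) -> None:
    """Step 2: create dst with the same permission bits and ownership as src."""
    st = src.stat()
    dst.mkdir(parents=True, exist_ok=True)
    os.chmod(dst, st.st_mode & 0o7777)
    try:
        os.chown(dst, st.st_uid, st.st_gid)
    except PermissionError:
        pass  # not root: permissions are applied, ownership stays the caller's


def files_to_move(db_dir: Path) -> Dict[str, List[Path]]:
    """Map each dsconf property to the files the table says belong to it."""
    env_files = sorted(db_dir.glob("_db.*"))
    if (db_dir / "DBVERSION").exists():
        env_files.append(db_dir / "DBVERSION")
    return {
        "db-env-path": env_files,
        "db-log-path": sorted(db_dir.glob("log.*")),
        "db-path": sorted(p for p in db_dir.iterdir() if p.is_dir()),
    }


def total_size(paths: List[Path]) -> int:
    """Bytes occupied by the given files and directory trees."""
    return sum(f.stat().st_size
               for p in paths
               for f in (p.rglob("*") if p.is_dir() else [p])
               if f.is_file())


def move_database(db_dir: Path, new_paths: Dict[str, Path]) -> List[Path]:
    """Step 4: move (never copy) the files; returns the new locations."""
    plan = files_to_move(db_dir)  # computed before anything moves
    unknown = set(new_paths) - set(plan)
    if unknown:
        raise ValueError(f"unknown properties: {sorted(unknown)}")
    moved: List[Path] = []
    for prop, dest in new_paths.items():
        sources = plan[prop]
        make_dir_like(db_dir, dest)
        if shutil.disk_usage(dest).free < total_size(sources):
            raise OSError(f"not enough free space under {dest} for {prop}")
        for src in sources:
            target = dest / src.name
            if target.exists():
                raise FileExistsError(f"{target} exists; refusing to overwrite")
            shutil.move(str(src), str(target))
            moved.append(target)
    return moved


def remove_if_empty(old_dir: Path) -> bool:
    """Step 5: delete old_dir only if it contains no files at any depth."""
    if any(p.is_file() for p in old_dir.rglob("*")):
        return False
    for sub in sorted(old_dir.rglob("*"), key=lambda p: len(p.parts), reverse=True):
        sub.rmdir()
    old_dir.rmdir()
    return True


if __name__ == "__main__":
    # usage: move_db.py instance-dir/db NEW_ENV_PATH NEW_LOG_PATH NEW_DB_PATH
    db, env, log, data = (Path(a) for a in sys.argv[1:5])
    for path in move_database(db, {"db-env-path": env, "db-log-path": log, "db-path": data}):
        print("moved", path)
    print("old directory removed:", remove_if_empty(db))
```

After the move, set the corresponding dsconf properties to the new directories and restart the server (step 6); if the move raised partway through, the guide's rule applies and the instance must be reinitialized or restored from backup rather than patched by hand.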

Attribute Syntax Validation on Update

Every attribute defined in the server's schema has a syntax associated with it. The syntax defines the kind of information that is expected to be held in the attribute so that the server can perform the appropriate kinds of matching against it. The syntax definition also allows the server to properly index the values so that searches against it can be processed quickly.

Directory Server Enterprise Edition introduces a configurable option, check-syntax-enabled, set by using the dsconf command, to ensure that updated attributes adhere to the syntax definitions. Attribute values are rejected when they violate the syntax definitions. For example, when syntax checking is on, if a user tries to update an attribute with an integer syntax to include a non-numeric value, the update will be rejected.

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked.

Schema Validation by Directory Proxy Server

Directory Proxy Server provides schema validation to ensure that only the allowed data is permitted on write operations. For example, when entries are aggregated using the virtual directory functionality, the aggregate entries might not match the schema of any of the backend servers participating in the entry aggregation. In this case, schema checking can occur on the Directory Proxy Server using a virtual schema.

When schema checking is enabled, Directory Proxy Server retrieves schema available in the cn=schema suffix and uses it to do schema checking. You can define the LDIF data view holding the cn=schema suffix. The content of the cn=schema suffix can point to an LDAP server or to a schema stored in an LDIF file local to the Directory Proxy Server.

Where to Go From Here

To read more about the features presented in this chapter, refer to the following documentation.

Feature                                                             Documentation
Designing a highly available deployment                             Chapter 12, Designing a Highly Available Deployment, in Oracle Fusion Middleware Deployment Planning Guide for Oracle Directory Server Enterprise Edition
Backing up and restoring directory data                             Chapter 8, Directory Server Backup and Restore, in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition
Using a global retro changelog                                      Replication and the Retro Change Log Plug-In in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition
Using global account lockout                                        Preventing Authentication by Using Global Account Lockout in Oracle Fusion Middleware Deployment Planning Guide for Oracle Directory Server Enterprise Edition
Making a file system snapshot when the database is in frozen mode   Backing Up a File System in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition
Checking valid attribute syntax on update                           Checking Valid Attribute Syntax in Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition