Oracle® Fusion Middleware Deployment Planning Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0)
Part Number E28974-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
  Who Should Use This Book
  Before You Read This Book
  How This Book Is Organized
  Examples Used in This Guide
  Oracle Directory Server Enterprise Edition Documentation Set
  Related Reading
  Redistributable Files
  Default Paths and Command Locations
  Typographic Conventions
  Shell Prompts in Command Examples
  Symbol Conventions
  Documentation, Support, and Training
  Oracle Software Resources
  Documentation Accessibility
Part I Overview of Deployment Planning
1 Introduction to Deployment Planning for Directory Server Enterprise Edition
  1.1 About Deployment Planning
    1.1.1 Directory Server Enterprise Edition Components in a Deployment
  1.2 Solution Life Cycle
2 Business Analysis for Directory Server Enterprise Edition
  2.1 About Business Analysis
  2.2 Defining Directory Server Enterprise Edition Business Requirements
Part II Technical Requirements
3 Usage Analysis for Directory Server Enterprise Edition
  3.1 Usage Analysis Factors
4 Defining Data Characteristics
  4.1 Determining Data Sources and Ownership
    4.1.1 Identifying Data Sources
    4.1.2 Determining Data Ownership
    4.1.3 Distinguishing Between User and Configuration Data
  4.2 Identifying Data From Disparate Data Sources
  4.3 Designing the DIT
    4.3.1 Choosing a Suffix
    4.3.2 Creating the DIT Structure and Naming Entries
      4.3.2.1 Branch Points and Naming Considerations
      4.3.2.2 Replication Considerations
      4.3.2.3 Access Control Considerations
  4.4 Designing a Directory Schema
    4.4.1 Schema Design Process
    4.4.2 Maintaining Data Consistency
  4.5 Other Directory Data Resources
5 Defining Service Level Agreements
  5.1 Identifying System Qualities
  5.2 Defining Performance Requirements
    5.2.1 Identifying Client Applications
    5.2.2 Determining the Number and Size of Directory Entries
    5.2.3 Determining the Number of Reads
    5.2.4 Determining the Number of Writes
    5.2.5 Estimating the Acceptable Response Time
    5.2.6 Estimating the Acceptable Replication Latency
  5.3 Defining Availability Requirements
  5.4 Defining Scalability Requirements
  5.5 Defining Security Requirements
  5.6 Defining Latent Capacity Requirements
  5.7 Defining Serviceability Requirements
6 Tuning System Characteristics and Hardware Sizing
  6.1 Host System Characteristics
  6.2 Port Numbers
    6.2.1 Directory Server and Directory Proxy Server LDAP and LDAPS Port Numbers
    6.2.2 Directory Server DSML Port Numbers
    6.2.3 Directory Service Control Center and DSCC Agent Port Numbers
    6.2.4 Identity Synchronization for Windows Port Numbers
  6.3 Hardware Sizing For Directory Service Control Center
  6.4 Hardware Sizing For Directory Proxy Server
    6.4.1 Configuring Virtual Memory
    6.4.2 Configuring Worker Threads and Backend Connections
    6.4.3 Disk Space for Directory Proxy Server
    6.4.4 Network Connections for Directory Proxy Server
  6.5 Hardware Sizing For Directory Server
    6.5.1 The Tuning Process
    6.5.2 Making Sample Directory Data
    6.5.3 What to Configure and Why
      6.5.3.1 Directory Server Database Page Size
      6.5.3.2 Directory Server Cache Sizes
      6.5.3.3 Directory Server Indexes
      6.5.3.4 Directory Server Administration Files
      6.5.3.5 Directory Server Replication
      6.5.3.6 Directory Server Threads and File Descriptors
      6.5.3.7 Directory Server Growth
      6.5.3.8 Top Tuning Tips
    6.5.4 Simulating Client Application Load
    6.5.5 Directory Server and Processors
    6.5.6 Directory Server and Memory
    6.5.7 Directory Server and Local Disk Space
    6.5.8 Directory Server and Network Connectivity
    6.5.9 Limiting Directory Server Resources Available to Clients
    6.5.10 Limiting System Resources Used By Directory Server
  6.6 Operating System Tuning For Directory Server
    6.6.1 Operating System Version and Patch Support
    6.6.2 Basic Security Checks
    6.6.3 Accurate System Clock Time
    6.6.4 Restart When System Reboots
    6.6.5 System-Specific Tuning With The idsktune Command
      6.6.5.1 File Descriptor Settings
      6.6.5.2 Transmission Control Protocol (TCP) Settings
  6.7 Physical Capabilities of Directory Server
  6.8 Other Tips to Improve Overall Performance
  6.9 Tuning Cache Settings
    6.9.1 Basic Tuning Recommendations
      6.9.1.1 For Maximum Search Rate (Searches Only)
      6.9.1.2 For Maximum Modification Rate (Modifications Only)
    6.9.2 Small, Medium, and Large Data Sets
    6.9.3 Optimum Search Performance (Searches Only)
    6.9.4 Optimum Modify Performance (Modifications Only)
  6.10 Tuning Indexes for Performance
  6.11 Basic Directory Server Sizing Example: Disk and Memory Requirements
    6.11.1 System Characteristics
    6.11.2 Preparing a Directory Server Instance
    6.11.3 Populating the Suffix With 10,000 Sample Directory Entries
    6.11.4 Populating the Suffix With 100,000 Sample Directory Entries
    6.11.5 Populating the Suffix With 1,000,000 Sample Directory Entries
    6.11.6 Summary of Observations
7 Identifying Security Requirements
  7.1 Security Threats
  7.2 Overview of Security Methods
  7.3 Determining Authentication Methods
    7.3.1 Anonymous Access
    7.3.2 Simple Password Authentication
    7.3.3 Simple Password Authentication Over a Secure Connection
    7.3.4 Certificate-Based Client Authentication
    7.3.5 SASL-Based Client Authentication
    7.3.6 Preventing Authentication by Account Inactivation
    7.3.7 Preventing Authentication by Using Global Account Lockout
    7.3.8 External Authentication Mappings and Services
  7.4 Proxy Authorization
  7.5 Designing Password Policies
    7.5.1 Password Policy Options
    7.5.2 Password Policies in a Replicated Environment
    7.5.3 Password Policy Migration
  7.6 Password Synchronization With Windows
  7.7 Determining Encryption Methods
    7.7.1 Securing Connections With SSL
    7.7.2 Encrypting Stored Attributes
      7.7.2.1 What Is Attribute Encryption?
      7.7.2.2 Attribute Encryption Implementation
      7.7.2.3 Attribute Encryption and Performance
  7.8 Designing Access Control With ACIs
    7.8.1 Default ACIs
    7.8.2 ACI Scope
    7.8.3 Obtaining Effective Rights Information
    7.8.4 Tips on Using ACIs
  7.9 Designing Access Control With Connection Rules
  7.10 Designing Access Control With Directory Proxy Server
    7.10.1 How Connection Handlers Work
  7.11 Grouping Entries Securely
    7.11.1 Using Roles Securely
    7.11.2 Using CoS Securely
  7.12 Using Firewalls
  7.13 Running as Non-Root
  7.14 Other Security Resources
8 Identifying Administration and Monitoring Requirements
  8.1 Overview of the ODSEE Administration Model
    8.1.1 Administration Command-Line Utilities
    8.1.2 Directory Service Control Center (DSCC)
      8.1.2.1 DSCC Web Interface
      8.1.2.2 DSCC Agent
      8.1.2.3 DSCC Registry
    8.1.3 Remote Administration
  8.2 Designing Backup and Restore Policies
    8.2.1 High-Level Backup and Recovery Principles
    8.2.2 Choosing a Backup Method
      8.2.2.1 Binary Backup
      8.2.2.2 Backup to LDIF
    8.2.3 Choosing a Restoration Method
      8.2.3.1 Binary Restore
      8.2.3.2 Restoration From LDIF
  8.3 Designing a Logging Strategy
    8.3.1 Defining Logging Policies
      8.3.1.1 Defining Log File Creation Policies
      8.3.1.2 Defining Log File Deletion Policies
      8.3.1.3 Manually Creating and Deleting Log Files
      8.3.1.4 Defining Permissions on Log Files
  8.4 Designing a Monitoring Strategy
    8.4.1 Monitoring Tools Provided With Directory Server Enterprise Edition
    8.4.2 Identifying Monitoring Areas
Part III Logical Design
9 Designing a Basic Deployment
  9.1 Basic Deployment Architecture
  9.2 Basic Deployment Setup
  9.3 Improving Performance in a Basic Deployment
    9.3.1 Using Indexing to Speed Up Searches
    9.3.2 Optimizing Cache for Search Performance
      9.3.2.1 All Entries and Indexes Fit Into Memory
      9.3.2.2 Sufficient Memory For 32-Bit Directory Server
      9.3.2.3 Insufficient Memory
    9.3.3 Optimizing Cache for Write Performance
10 Designing a Scaled Deployment
  10.1 Using Load Balancing for Read Scalability
    10.1.1 Using Replication for Load Balancing
      10.1.1.1 Basic Replication Concepts
      10.1.1.2 Assessing Initial Replication Requirements
      10.1.1.3 Load Balancing With Multi-Master Replication in a Single Data Center
      10.1.1.4 Load Balancing With Replication in Large Deployments
      10.1.1.5 Using Server Groups to Simplify Multi-Master Topologies
    10.1.2 Using Directory Proxy Server for Load Balancing
  10.2 Using Distribution for Write Scalability
    10.2.1 Using Multiple Databases
    10.2.2 Using Directory Proxy Server for Distribution
      10.2.2.1 Routing Based on the DIT
      10.2.2.2 Routing Based on a Custom Algorithm
    10.2.3 Using Directory Proxy Server to Distribute Requests Based on Bind DN
  10.3 Distributing Data Lower Down in a DIT
    10.3.1 Logical View of Distributed Data
    10.3.2 Physical View of Data Storage
    10.3.3 Directory Server Configuration for Sample Distribution Scenario
    10.3.4 Directory Proxy Server Configuration for Sample Distribution Scenario
    10.3.5 Considerations for Data Growth
  10.4 Using Referrals For Distribution
    10.4.1 Using Directory Proxy Server With Referrals
11 Designing a Global Deployment
  11.1 Using Replication Across Multiple Data Centers
    11.1.1 Multi-Master Replication
      11.1.1.1 Concepts of Multi-Master Replication
      11.1.1.2 Multi-Master Replication Over WAN
      11.1.1.3 Fully Meshed Multi-Master Topology
    11.1.2 Cascading Replication
    11.1.3 Prioritized Replication
    11.1.4 Fractional Replication
    11.1.5 Sample Replication Strategy for an International Enterprise
  11.2 Using Directory Proxy Server in a Global Deployment
    11.2.1 Sample Distribution Strategy for a Global Enterprise
12 Designing a Highly Available Deployment
  12.1 Availability and Single Points of Failure
    12.1.1 Mitigating SPOFs
      12.1.1.1 Advantages and Disadvantages of Redundancy
      12.1.1.2 How Redundancy Handles SPOFs
      12.1.1.3 Redundancy at the Hardware Level
      12.1.1.4 Redundancy at the Software Level
  12.2 Using Replication and Redundancy for High Availability
    12.2.1 Using Redundant Replication Agreements
    12.2.2 Promoting and Demoting Replicas
    12.2.3 Using Directory Proxy Server as Part of a Redundant Solution
    12.2.4 Using Application Isolation for High Availability
    12.2.5 Sample Topologies Using Redundancy for High Availability
      12.2.5.1 Using Replication for Availability in a Single Data Center
      12.2.5.2 Using Replication for Availability Across Two Data Centers
      12.2.5.3 Using Multiple Directory Proxy Servers
      12.2.5.4 Using Application Isolation
Part IV Advanced Deployment Topics
13 Using LDAP-Based Naming With Solaris
  13.1 Why Use an LDAP-Based Naming Service?
  13.2 Migrating From NIS to LDAP
  13.3 Migrating From NIS+ to LDAP
14 Deploying a Virtual Directory
  14.1 When to Use a Virtual Directory
  14.2 Typical Virtual Directory Scenario
    14.2.1 Connecting User Identities From Different Data Sources
15 Designing a Deployment With Synchronized Data
  15.1 Identity Synchronization for Windows Deployment Considerations
Index