Sun Java(TM) System Directory Server 5.2 2005Q1 Deployment Planning Guide
Directory Server Overview
Directory Server provides a centralized directory service for your intranet, network, and extranet information. It integrates with existing systems and acts as a centralized repository for the consolidation of employee, customer, supplier, and partner information. You can extend Directory Server to manage user profiles and preferences, as well as extranet user authentication.
An introduction to basic LDAP and directory concepts is provided in the Directory Server Technical Overview. This chapter provides an overview of the server architecture, and describes at a high level the design and deployment process, including issues to be taken into account when planning a Directory Server installation. It is divided into the following sections:
Server Architecture Overview
Any Directory Server deployment includes the following elements:
Each of these elements plays a separate role in the deployment.
Directory Server stores the server and application configuration settings, as well as the user information used by other servers in the enterprise. Typically, application and server configuration information is stored in one suffix of Directory Server while user and group entries are stored in another suffix. (A suffix refers to the name of the entry in the directory tree, below which data is stored.)
The configuration directory or Configuration Directory Server (CDS) stores information about how Directory Server itself is configured. This directory is generally installed first, and every subsequent server registers with it. A single configuration directory provides for centralized administration of all servers.
The user directory stores entries for users and groups who access directory services. The user directory is generally unique to the network domain, and other servers access it for user and group information. A single user directory provides for centralized administration of users and groups.
For small deployments, it is possible to install configuration, user, and other directories on the same directory instance. For larger deployments, consider placing the configuration and user directories on separate servers.
Server Console is the front-end management application for all Sun Java System servers. It finds all servers and applications registered in the configuration directory, displays them in a graphical interface, and lets you manage and configure them.
When you log in to Server Console, it connects to an instance of Administration Server using the Hypertext Transfer Protocol (HTTP). Administration Server manages requests for all Sun Java System products installed in a single root folder.
For more information on this architecture, see "Remote Server Administration Overview" in the Administration Server Administration Guide.
Directory Design Overview
The directory design phase involves gathering data about your directory requirements, such as environment and data sources, users, and the applications that will use the directory.
The flexibility of Directory Server enables you to rework your design to meet unexpected or changing requirements, even after deployment. However, the more modifications you can avoid through good design, the better.
The design process can be broken into the following steps:
Planning the Installation
Before installing Directory Server, ensure that you have taken the following into consideration:
- If the deployment involves centralized administration of server configuration, users, and groups for multiple directory installations, determine the appropriate configuration and user directory locations. Refer to the Administration Server Administration Guide for details on appropriate location of configuration, user, and group data.
- Restrict physical access to the host system. Although Directory Server includes a number of security features, your directory security is compromised if physical access to the host system is not controlled.
- Ensure the host system uses a static IP address.
- If the Directory Server instance is not itself providing a naming service for the network or if the deployment involves remote administration of Directory Server, ensure a naming service and the domain name for the host are properly configured.
- Select the port number you will use for each Directory Server instance at design time and, if possible, do not change that port number once your Directory Server is in production. Changing the port number via the console at a later stage does not update the following scripts, which must then be modified manually: bak2db.pl, schema_push.pl, db2bak.pl, check-slapd, db2index.pl, db2ldif.pl, monitor, ldif2db.pl, ns-accountstatus.pl, ldif2ldap, ns-activate.pl, ns-inactivate.pl.
Note that the script names given here are the standalone tool names and that the check-slapd command is not documented as it is not part of the publicly exposed API. For more information, see the Directory Server Administration Reference.
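A pre-installation check for the naming-service and port items in the list above, written as an added example; it is not part of the guide or of the product. The directory layout (scripts directly under an instance directory), the idea that the port appears in those scripts as a bare number, and the function names are assumptions made for illustration.

```python
"""Pre-installation checks for a Directory Server host (added example).

Assumptions: the administrative scripts sit directly under instance_dir and
carry the port as a bare number. Neither is documented by the guide.
"""
import os
import re
import socket

# Scripts the guide says are NOT updated when the port is changed via the console.
PORT_DEPENDENT_SCRIPTS = (
    "bak2db.pl", "schema_push.pl", "db2bak.pl", "check-slapd", "db2index.pl",
    "db2ldif.pl", "monitor", "ldif2db.pl", "ns-accountstatus.pl", "ldif2ldap",
    "ns-activate.pl", "ns-inactivate.pl",
)


def find_port_references(instance_dir, port):
    """Map each listed script to the line numbers where `port` appears as a whole
    number (so 389 does not match inside 1389). Missing scripts map to None so the
    operator notices them instead of silently skipping them."""
    pattern = re.compile(r"(?<!\d)%d(?!\d)" % int(port))
    hits = {}
    for name in PORT_DEPENDENT_SCRIPTS:
        path = os.path.join(instance_dir, name)
        if not os.path.isfile(path):
            hits[name] = None
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits[name] = [n for n, line in enumerate(fh, 1) if pattern.search(line)]
    return hits


def port_is_free(port, host="127.0.0.1"):
    """True if no listener currently holds host:port (TCP bind probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, int(port)))
            return True
        except OSError:
            return False


def name_service_consistent(hostname):
    """True if hostname resolves and every address reverse-maps back to it (or one
    of its aliases); remote administration depends on this agreement."""
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return False
    for addr in addrs:
        try:
            name, aliases, _ = socket.gethostbyaddr(addr)
        except (socket.herror, socket.gaierror):
            return False
        if hostname.lower() not in {n.lower() for n in [name] + aliases}:
            return False
    return True
```

Run `find_port_references` against the old port before and after a port change to list exactly which scripts still need hand editing.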
Planning Data and Data Access
Your directory will contain data, such as user names, telephone numbers, and group details. Refer to Chapter 2, "Planning and Accessing Directory Data," for information on analyzing the various sources of data in your organization and understanding their relationship with one another. This chapter describes the types of data appropriate for storage in a directory, the ways in which this data can be accessed, and other tasks you must perform when designing the contents of a directory.
Designing the Schema
Directory Server is designed to support directory-enabled applications. These applications have specific requirements of the data stored in the directory. The schema determines the characteristics of the stored data. Chapter 3, "Directory Server Schema," introduces the standard schema shipped with Directory Server, describes how to customize the schema, and provides tips for maintaining consistent schema.
Designing the Directory Tree
Once you decide what data your directory contains, you need to organize and reference this data. This is the purpose of the directory tree. Chapter 4, "The Directory Information Tree," introduces the directory tree, and guides you through the design of your data hierarchy. It also describes the mechanisms used to optimize entry grouping and attribute management, and provides sample directory tree designs.
Designing the Topology
Topology design involves determining how you divide your directory tree among multiple physical servers and how these servers communicate with one another. Chapter 5, "Distribution, Chaining, and Referrals," describes the general principles behind topology design. It discusses using multiple databases and the mechanisms available for linking distributed data together, and explains how Directory Server keeps track of distributed data.
Designing the Replication Process
With replication, multiple Directory Servers maintain the same directory data to increase read performance and provide fault tolerance. Chapter 6, "Understanding Replication," describes how replication works, what kinds of data you can replicate, common replication scenarios, and tips for building a highly available directory service.
Designing a Secure Directory
It is essential that you plan how to protect the data in your directory and design the other aspects of your service to meet the security requirements of your users and applications. Chapter 7, "Access Control, Authentication, and Encryption," describes common security threats, provides an overview of security methods, discusses the steps in analyzing your security needs, and provides tips for designing access controls and protecting the integrity of directory data.
Planning a Monitoring Strategy
A well-designed monitoring strategy will enable you to evaluate the success of your directory deployment and to follow day-to-day directory activities. Chapter 8, "Directory Server Monitoring," discusses how to monitor your directory using SNMP, Directory Server Console, the log files, database monitoring, and the replication monitoring tools provided with Directory Server.
Directory Deployment Overview
After you have designed your directory service, you start the deployment phase. The deployment phase consists of the following steps:
Piloting Your Directory
The first step of the deployment phase is installing a server instance as a pilot and testing whether the service can handle your user load. If the service is not adequate, adjust your design and pilot it again. Adjust your pilot design until you have a robust service that you can confidently introduce to your enterprise.
For a comprehensive overview of creating and implementing a directory pilot, refer to Understanding and Deploying LDAP Directory Services (T. Howes, M. Smith, G. Good, Macmillan Technical Publishing, 1999).
Putting Your Directory Into Production
Once you have piloted and tuned the service, you need to develop and execute a plan for taking the directory service from a pilot to production. Create a production plan that includes the following:
For information on administering and maintaining your directory, refer to the Directory Server Administration Guide.