This chapter outlines the architecture of Directory Proxy Server, and describes at a high level, the most important features of this release.
The chapter covers the following topics:
Directory Proxy Server is an LDAP application-layer protocol gateway. Directory Proxy Server delivers enhanced directory access control, schema compatibility, and high availability.
The Directory Proxy Server architecture enables you to configure several objects that control how client requests are routed to backend data sources. These configuration objects are illustrated at a high level in the following simplified schematic of the Directory Proxy Server architecture. This illustration will help you to understand the architectural concepts presented in the remainder of this book.
This section briefly presents the new Directory Proxy Server architecture and what is new compared to 5.2. Its aim is to help you understand why literal translation of some 5.2 configuration attributes is not possible.
A Directory Proxy Server instance proxies client application requests to data sources through data views. Data sources and pools of data sources correspond to load balanced groups from 5.2.
Data views, however, are new. They do not correspond to anything present in 5.2. Fundamentally, Directory Proxy Server handles incoming connections individually, assigning a connection handler when the connection is opened, and reassigning a connection handler upon rebind when the bind identity changes.
The connection handler gives Directory Proxy Server a set of policy rules for making decisions about what to do with operations requested through a given connection. Connection handlers correspond roughly to network groups in 5.2, although network groups are configured to use load balanced groups directly.
Directory Proxy Server uses connection handlers mainly to determine policies about a connection, so that it can make appropriate decisions about operations performed on that connection. For example, if a connection handler is configured to prevent write operations on a certain connection, Directory Proxy Server can use that property of the policy to short-circuit evaluations concerning write operation requests on that connection. In this case, the appropriate errors are returned to the client as soon as Directory Proxy Server has decoded the operation, before any routing takes place.
LDAP operations on a connection are handled in Directory Proxy Server first through data views. Data views enable Directory Proxy Server to perform DN-based routing. In other words, operations concerning one set of data can be sent to one set of data sources, and operations concerning another set of data can be sent elsewhere. This new architectural form seems unnecessary when you look at it from the point of view of reproducing a 5.2 configuration. Yet data views become indispensable when you want to distribute different directory data across various directories, or when you want to recover different data from disparate data sources to present a virtual directory view of those sources to a client application.
Data views therefore enable Directory Proxy Server to select, via a data source pool, the data sources that handle the LDAP operation. Data source pools, which correspond to 5.2 load balanced groups, represent sets of data sources each holding equivalent data. A pool defines the load balancing and failover management that Directory Proxy Server performs to spread load across different data sources. Because load balancing is performed per operation rather than per connection, the balancing itself is by nature operation based.
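The request path described above (connection handler policy, then DN-based routing through a data view, then per-operation load balancing and failover within a data source pool) is easier to follow as a small runnable model. The following Python is an added illustration written for this page; it is not Directory Proxy Server code, and the data source names (ds1 to ds4), pool names, view base DNs and handler names are constructed for the example.

```python
"""Toy model of the Directory Proxy Server request path described in this
chapter: connection handler policy -> data view (DN-based routing) ->
data source pool (load balancing, failover/failback) -> data source.

Constructed illustration for this page; not Directory Proxy Server code.
Names such as ds1..ds4, 'people-pool' and the handler names are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WRITE_OPS = {"add", "modify", "delete", "modrdn"}


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased and stripped, so comparisons are
    case-insensitive (attribute types and most values are case-insensitive)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies below it in the directory tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


@dataclass
class DataSource:
    name: str
    weight: int = 1          # share of load this source should receive
    available: bool = True   # flipped by monitoring (failover / failback)


@dataclass
class DataSourcePool:
    """Equivalent replicas of one data set; picks one source per operation."""
    name: str
    sources: List[DataSource]
    _cursor: int = 0

    def choose(self) -> Optional[DataSource]:
        # Weighted round-robin over the sources that are currently up; a source
        # that comes back simply rejoins the cycle (failback).
        up = [s for s in self.sources if s.available and s.weight > 0]
        if not up:
            return None
        cycle = [s for s in up for _ in range(s.weight)]
        chosen = cycle[self._cursor % len(cycle)]
        self._cursor += 1
        return chosen


@dataclass
class DataView:
    """Routes operations under base_dn to one pool (DN-based routing)."""
    name: str
    base_dn: str
    pool: DataSourcePool


@dataclass
class ConnectionHandler:
    """Policy attached to a connection when it is opened or rebinds."""
    name: str
    allow_writes: bool = True


@dataclass
class Request:
    op: str          # search, add, modify, delete, modrdn
    target_dn: str


class ProxyInstance:
    def __init__(self, handlers: Dict[str, ConnectionHandler],
                 pools: Dict[str, DataSourcePool], views: List[DataView]):
        self.handlers, self.pools, self.views = handlers, pools, views

    def route(self, handler: ConnectionHandler, req: Request) -> Tuple[str, Optional[str]]:
        """Return (LDAP-style result name, data source name or None)."""
        # 1. Connection handler policy: a disallowed write is refused as soon
        #    as the operation is decoded, before any routing work is done.
        if req.op in WRITE_OPS and not handler.allow_writes:
            return ("unwillingToPerform", None)
        # 2. Data view: the most specific (longest) base DN containing the target.
        matching = [v for v in self.views if dn_is_under(req.target_dn, v.base_dn)]
        if not matching:
            return ("noSuchObject", None)
        view = max(matching, key=lambda v: len(normalize_dn(v.base_dn)))
        # 3. Pool: per-operation load balancing, skipping sources that are down.
        src = view.pool.choose()
        if src is None:
            return ("unavailable", None)
        return ("success", src.name)


def build_example_proxy() -> ProxyInstance:
    root_pool = DataSourcePool("root-pool", [DataSource("ds1", weight=2), DataSource("ds2")])
    people_pool = DataSourcePool("people-pool", [DataSource("ds3"), DataSource("ds4")])
    views = [DataView("root", "dc=example,dc=com", root_pool),
             DataView("people", "ou=people,dc=example,dc=com", people_pool)]
    handlers = {"admins": ConnectionHandler("admins"),
                "readonly": ConnectionHandler("readonly", allow_writes=False)}
    return ProxyInstance(handlers, {p.name: p for p in (root_pool, people_pool)}, views)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Walk a few operations through the model and collect the routing results."""
    proxy = build_example_proxy()
    admins, readonly = proxy.handlers["admins"], proxy.handlers["readonly"]
    out = [proxy.route(readonly, Request("modify", "uid=ann,ou=People,dc=example,dc=com")),
           proxy.route(admins, Request("search", "uid=ann,ou=People,dc=example,dc=com"))]
    for _ in range(3):   # root-pool: ds1 gets two operations for each one ds2 gets
        out.append(proxy.route(admins, Request("search", "cn=staff,ou=groups,dc=example,dc=com")))
    out.append(proxy.route(admins, Request("search", "dc=other,dc=org")))
    proxy.pools["people-pool"].sources[0].available = False   # ds3 goes down: failover
    out.append(proxy.route(admins, Request("search", "uid=bob,ou=people,dc=example,dc=com")))
    proxy.pools["people-pool"].sources[0].available = True    # ds3 returns: failback
    out.append(proxy.route(admins, Request("search", "uid=bob,ou=people,dc=example,dc=com")))
    return out


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the three stages in order: the read-only handler's modify is refused without consulting any data view, the entry under ou=People is routed to the people pool because that view has the longer matching base DN, the ou=groups entries fall through to the root pool where ds1 receives twice the operations of ds2, a DN outside every view gets noSuchObject, and marking ds3 unavailable moves the next people operation to ds4 until ds3 is marked available again.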
Data sources can be understood as sources of data for reads, and sinks of data for writes. Directory Proxy Server handles the following kinds of data sources:
JDBC-enabled data repositories
Directory Proxy Server 5.2 was essentially a connection-based router. In Directory Proxy Server 5.2, a client connection was routed to a directory server. All requests from that client connection were sent to the same directory server until the connection was broken. For compatibility, Directory Proxy Server can be configured to behave in a similar way to Directory Proxy Server 5.2. For information about how to configure this, see Configuring Directory Proxy Server as a Connection Based Router in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For information about how to migrate to this version of Directory Proxy Server, see the Sun Directory Server Enterprise Edition 7.0 Upgrade and Migration Guide.
Single point of access to directory data stored on multiple directory servers
Automatic referral following
Reactive and proactive monitoring of directory servers
Configuration on the command line or with a GUI
All connections have a normal listener port and a secure listener port
Authentication and authorization
Certificate-based authentication with certificate mapping
Secure LDAP reverse proxy
LDAP control filtering
Single point of access to a directory service spread over multiple directory servers
Extensible and customizable distribution algorithm
Server affinity to address the propagation delay problem
Connection pooling and partial BER-decoding for performance and scalability
Routing based on the operation or the connection
Automatic load balancing and automatic failover and failback among a set of replicated LDAP directory servers
Three load-balancing algorithms
Multiple virtual views for client applications
Aggregation of multiple heterogeneous data sources
Mapping of attribute names and values
Access to JDBC-compliant data repositories
Access to flat LDIF file resources