Printer Friendly
The Free Library
14,558,173 articles and books
Member login
User name  
Password 
 
Join us Forgot password?

Why ISP's need LDAP.


LDAP (Lightweight Directory Access Protocol) A protocol used to access a directory listing. LDAP support is implemented in Web browsers and e-mail programs, which can query an LDAP-compliant directory.  (Lightweight Directory Access Protocol (protocol) Lightweight Directory Access Protocol - (LDAP) A protocol for accessing on-line directory services.

LDAP was defined by the IETF in order to encourage adoption of X.500 directories. ) is a widely used Internet Standard An Internet standard is a specification for an innovative internetworking technology or methodology, which the Internet Engineering Task Force (IETF) ratified as an open standard after the innovation underwent peer review.  Protocol for accessing a directory. It also defines the "information model" being accessed. The following feature looks at why an Internet Service Provider Internet service provider (ISP)

Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password.  would want to use LDAP and the benefits to an ISP (1) See in-system programmable.

(2) (Internet Service Provider) An organization that provides access to the Internet. Connection to the user is provided via dial-up, ISDN, cable, DSL and T1/T3 lines.  of holding customer information in an LDAP Directory

What is a LDAP?

LDAP is the Internet protocol See Internet and TCP/IP.

(networking) Internet Protocol - (IP) The network layer for the TCP/IP protocol suite widely used on Ethernet networks, defined in STD 5, RFC 791. IP is a connectionless, best-effort packet switching protocol.  for accessing a directory. LDAP also defines the "information model" of the directory being accessed. The core of this is very simple:

* It is hierarchical, with directory entries arranged in a "tree".

* Entries contain typed attributes, such as "phone number" or "email address See Internet address. ",

* Entries represent objects that have a defined type such as "Organization" or "Person". This type is known as the "object class", which is itself represented as a special attribute of the entry.

* Entries are named relative to their parent entry using a special attribute known as the "Relative Distinguished Name". This allows a flexible approach to naming objects. For example:

* A hierarchy such as "Country=GB", "Organization=Isode", "Role=CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. ".

* A hierarchy representing an Internet domain, such as isode.com represented by "Domain Component=com", "Domain Component=isode".

* A core schema, comprising a set of attribute types and object classes, is defined by LDAP. This helps ensure that disparate LDAP users build directories with a common core.

* The LDAP Schema is easily extensible, so users can add information to core objects or create new objects as needed as needed prn. See prn order. . The two really important things about LDAP are that it has a flexible and extensible information model, meaning that an LDAP directory is a good database for holding information about a range of generic objects, and that its inherent structure makes it straightforward to build a distributed directory, using the hierarchy of the directory to distribute data into different servers.

There are two further characteristics which are key for ISPs. These are not inherent to LDAP, but are central features of any high quality LDAP product, including lsode's M-Vault that an ISP should consider:

1. An LDAP server is a fast, efficient and sealable way to store, manage, search and retrieve data on lots of moderately complex objects.

2. Data in an LDAP server can be efficiently replicated, so that multiple servers can participate in providing an LDAP service.

Customer and Account Data

While LDAP can be used for many purposes, the primary ISP use is to hold information on customer accounts. This paper will focus on this usage. For each customer, an ISP needs to manage a range of "front end" data that is needed by the services and applications that the ISP provides to the customer. Examples of this are:

* Account name.

* Information on services subscribed to by customer (explicit or implicit).

* Authentication (1) Verifying the integrity of a transmitted message. See message integrity, e-mail authentication and MAC.

(2) Verifying the identity of a user logging into a network.  information (e.g., password information), so that services can authenticate (1) To verify (guarantee) the identity of a person or company. To ensure that the individual or organization is really who it says it is. See authentication and digital certificate.

(2) To verify (guarantee) that data has not been altered.  the customer.

* Electronic contact information (e.g., email address; instant messaging Exchanging text messages in real time between two or more people logged into a particular instant messaging (IM) service. Instant messaging is more interactive than e-mail because messages are sent immediately, whereas e-mail messages can be queued up in a mail server for seconds or  addresses).

* Parameters needed by the services (e.g., quota for a Web service).

This is straightforward information. In a real deployment, the amount of information needed per account might be 50 or 100 attributes. An LDAP directory is an ideal reposito for this type of data. The core LDAP schema provides for many of the attributes that are typically needed. LDAP's . schema extensibility makes it straightforward to extend to core, to include any additional information needed.

It is also straightforward to extend schema in an operation directory, which is important when ISPs add in new applications with additional data requirements. For some database technologies, changing the schema in an operational system has significant operational implicatication A typical ISP application will use account data in two

User Authentication See authentication.  

An LDAP Directory can be used to authenticate the user shown above, Central authentication is important, as it allows a customer to have a single password and to chan it in one place for all applications. An application will achieve this by:

* Searching the directory using the supplied account nan in order to identify a single account.

* Binding to the directory, using this identified name, in order to verify the supplied credentials.

Obtaining application configuration information

Obtaining necessary per application configuration information needed by the application to operate. The application can use the established connection to the directory in order to obtain this information. The diagram above shows how a mail system running on multiple servers can use the LDAP directory to verify, route and deliver email.

ISP customers will do this every time an application is run or a message routed, and so lookup A data search performed within a predefined table of values (array, matrix, etc.) or within a data file.  volumes are high. The next section describes why LDAP is particularly well suited to support this usage.

Why LDAP is good for accessing Customer and Account Data

There are a number of reasons why LDAP is a good choice for this application:

A good LDAP server will be well optimized for this type of operation, where there are likely to be high volumes of lookups. For small deployments, this will lead to efficient use of system resources (1) In a computer system, system resources are the components that provide its inherent capabilities and contribute to its overall performance. System memory, cache memory, hard disk space, IRQs and DMA channels are examples. . For very large deployments, LDAP is likely to be the best or only viable option.

Good LDAP servers can be efficiently replicated. This means that an LDAP solution is straightforward to deploy over multiple locations, it also means that is has good "horizontal scaling In multiprocessing, adding more computer systems to the environment. Contrast with vertical scaling. ", and it is straightforward to increase throughput simply by adding more replica servers.

LDAP Schema extensibility makes it easy to add in new applications and to update the capabilities of existing ones. Good application support. Many products and open source solutions designed for ISP deployment, such as Radius servers This is a list of notable RADIUS server implementations. Open source / free software
  • FreeRADIUS
  • GNU Radius[1]
  • JRadius
  • OpenRADIUS
  • Cistron RADIUS
  • BSDRadius
  • TekRADIUS
Commercial products - appliances
 and Messaging servers have built in LDAP support, and so use of LDAP simplifies application integration. Authentication systems The combination of authentication server and authenticator, which may be separate devices or both reside in the same unit such as an access point or network access server. The authentication server contains a database of user names, passwords and policies, and the authenticator physically , such as PKI (Public Key Infrastructure) A framework for creating a secure method for exchanging information based on public key cryptography. The foundation of a PKI is the certificate authority (CA), which issues digital certificates that authenticate the identity of  (Public Key Infrastructure) generally use LDAP for information storage. Using LDAP enables ISPs to efficiently integrate and make use of external authentication technologies.

Accounting Data and Provisioning

The description so far has focused on "front end" data, which is needed by applications and ISP services. ISPs also need to maintain "back end" data associated with each customer, typically related to billing and accounting. ISPs are advised to manage this data separately, as:

* No single system is well optimized for both tasks. While customer billing data could be held in an LDAP server, it is not a good choice; While an accounting system could be used to hold Radius and FTP FTP
 in full file transfer protocol

Internet protocol that allows a computer to send files to or receive files from another computer. Like many Internet resources, FTP works by means of a client-server architecture; the user runs client software to connect to  information, it is not designed to provide application access to this information.

* It makes sense to keep the back end data well protected, as it will contain business critical information, and customer payment data. Front end data must be accessed by many services, and is less sensitive. Therefore it makes sense to use separate systems.

As part of the ISP's provisioning system, customers and operators will need to access both front end and back end data, from a common interface, which will generally be a Web front end. There are two basic approaches that an ISP can take:

Drive everything through the back end system (see diagram above). In this model, provisioning is completely associated with the back end system, and all customer parameters and managed information are stored there. The LDAP directory is "loaded" from the back end system, and effectively acts as a high performance replicated mechanism for applications to access necessary data.

* Integrated management (see diagram above), in this model, there will just be a single key that relates front end and back end account information. When accounts are created and deleted, the LDAP Directory and back end system will be managed in parallel. Data is stored in the 'right' place. This approach has the advantage of not duplicating information in the back end system, at the expense of a slightly more complex overall structure.

What does an ISP Need from an LDAP Server?

The paper so far has looked at the reasons an ISP would use an LDAP server, and why LDAP servers are a good choice. This section looks at features which an ISP should look for in an LDAP server:

* Scaling and Performance. This is critical for ISP deployments, and should be verified carefully.

* Replication. A good managed and efficient approach to data replication. It is important to verify that replication scales as well as the core server.

* Management tools. An appropriate set of graphical and scripting tools should be available.

* Online backup Using the Web to store copies of data for backup. There are numerous providers on the Internet that charge for storage, and fees are typically based on capacity. Online backup services provide offsite backup, which is essential for disaster recovery. See backup types. . ISPs will need to back up directory servers, without taking them offline. This backup should be appropriate for disaster recovery.

* Schema propagation. An ISP will generally make schema changes infrequently. The changes will typically be designed carefully on a test system. It is important that it is easy to update operational servers with new schema.

* Delegated administration Delegated administration describes the decentralization of role-based-access-control systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. . An access control schema, which enables the ISP to delegate management of portions of the DIT, can be useful where the ISP offers managed services An umbrella term for third-party monitoring and maintaining of computers, networks and software. The actual equipment may be inhouse or at the third-party's facilities, but the "managed" implies an ongoing effort; for example, making sure the equipment is running at a certain quality .

* Appropriate character set support, for the target customer base.

* Support for storing X.509 certificates is necessary if PKI (Public Key Infrastructure) services are needed.
COPYRIGHT 2005 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

 Reader Opinion

Title:

Comment:



 

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:DEFINITIONS
Publication:Database and Network Journal
Date:Dec 1, 2005
Words:1487
Previous Article:4c v 3.0s. Next generation preview technology.(DEFINITIONS)
Next Article:MP3 players causing mayhem for company IT.(DATABASE TECHNIQUES)



Related Articles
Whole Earth Networks vice president of engineering Scott Mueller. (on spamming) (News Briefs)
Internet Service Provider, TCPnet, Offers ByeDesk Link for Northern California.
Control Data Announces Major New Enhancements to its Rialto Suite.
United Messaging Launches New Version of e-mail Firewall Service; Message Control Version 1.2 provides greater client control and increased...
SelectAccess 3.0.(Baltimore Technologies)(Product Announcement)
MOTOROLA SELECTS QUEST SOFTWARE TO MANAGE WINDOWS 2000 AND ACTIVE DIRECTORY MIGRATION PROJECT.
Tear down the walls: universities are building bridges between their software applications. Will the new links stand the test of time?(Application...
Seapine Software Announces the Immediate Availability of TestTrack Pro 7.0.
Upgraded time management solution.(What's new: looking for higher-education and technology products and services?)
ISWest leads way as local ISP industry consolidates.

Terms of use | Copyright © 2009 Farlex, Inc. | Feedback | For webmasters | Submit articles