XtremeCloud Data Grid-ldap

Concept of Operations

Introduction

The Xtremecloud Data Grid consists of three (3) different tiers of bi-directional replication (BDR) between Cloud Service Providers (CSP) or between a CSP and an on-premise private cloud.

The third tier, addressed here, is the LDAP services and replication traffic tier. We refer to this tier as XtremeCloud Data Grid - ldap. The supported XtremeCloud Data Grid-ldap solutions are shown in the XtremeCloud Applications Certification Matrix.

The XtremeCloud Data Grid-ldap service provides the primary user store for XtremeCloud Single Sign-On (SSO).

Figure: XtremeCloud SSO User Federation to XtremeCloud Data Grid-ldap

About LDAP

LDAP provides a common language that client applications and servers use to communicate with one another. LDAP is a “lightweight” version of the Directory Access Protocol (DAP) described by the ISO X.500 standard. DAP gives any application access to the directory through an extensible and robust information framework but at a high administrative cost. DAP uses a communications layer that is not the Internet standard protocol and has complex directory-naming conventions. LDAP preserves the best features of DAP while reducing administrative costs.

LDAP uses an open directory access protocol running over TCP/IP and simplified encoding methods. It retains the data model and can support millions of entries for a modest investment in hardware and network infrastructure.

XtremeCloud LDAP Services

The XtremeCloud Data Grid-ldap directory server at each Cloud Service Provider (CSP) comprises several components that work together:

  • The Directory Server is the core LDAP server daemon. It is compliant with LDAPv3 standards. This component includes command-line server management and administration programs and scripts for common operations such as exporting and backing up databases.

  • The Directory Server Console is the user interface that simplifies managing users, groups, and other LDAP data for your enterprise. The Console is used for all aspects of server management, including making backups; configuring security, replication, and databases; adding entries; and monitoring servers and viewing statistics.

  • The Administration Server is the management agent which administers Directory Servers. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and online help pages. There must be one Administration Server running on a machine which has a Configuration Directory Server instance running on it.

LDAP Replication Traffic

XtremeCloud Data Grid-ldap services provide eventual consistency, which is a specific form of weak consistency. The storage system guarantees that if no new updates are made to the object, eventually all accesses will return the last updated value. If no failures occur, the maximum size of the inconsistency window can be determined based on factors such as communication delays, the load on the system, and the number of replicas involved in the replication scheme. The most popular system that implements eventual consistency is DNS (Domain Name System). Updates to a name are distributed according to a configured pattern and in combination with time-controlled caches; eventually, all clients will see the update.

The LDAP traffic is replicated between Cloud Service Providers (CSP) as depicted here:

Figure: XtremeCloud Data Grid-ldap Replicated Traffic

XtremeCloud Data Grid-ldap uses replication agreements, which are defined in an Ansible Playbook so that deployments are rapid and consistent. A replication agreement describes replication between one Cloud Service Provider (CSP) and another CSP. By our convention, the agreement is configured on the CSP with the lowest site number in our Cloud Service Provider matrix. For example, if we are deploying XtremeCloud Single Sign-On (SSO) on Google Cloud Platform (GCP) and Microsoft Azure, the agreement is configured on GCP, since GCP is Site 01 and Azure is Site 02. The agreement identifies:

  • The database to replicate.
  • The consumer server to which the data is pushed.
  • The times that replication can occur.
  • The DN that the supplier server must use to bind (called the supplier bind DN).

Ansible Playbook

As a subscribed customer of Eupraxia Labs, you will be provided with Ansible Playbooks to install XtremeCloud Data Grid-ldap on virtual machines (VM) at separate Cloud Service Providers (CSP) with minimal manual intervention. Once the virtual machine (VM) or raw iron prerequisites are met for the LDAP hosts, installation will normally complete in less than twenty minutes. This estimate will vary slightly based on the cross-cloud interconnect speed, the number of hosts, and the compute power (number of (v)CPUs, RAM, storage types/performance) of the virtual machines. Raw iron hosts may also be used instead of virtual machines (VM).

Here is an example of the retrieval of the replication agreement from Site 01 (GCP):

Note: Unless LDAP over SSL (ldaps) is configured, a VPN should be used between the workstation or controller machine and the Cloud Service Provider (CSP) when retrieving this data; the ldapsearch below binds as the Directory Manager over plain LDAP on port 389.

[centos@vm-controller roles]$ ldapsearch -h ds-site1.eupraxialabs.com -p 389 -D "cn=directory manager" -w <provide password> -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5ReplicationAgreement)
# requesting: ALL
#

# rw-to-ds-site2.eupraxialabs.com, replica, dc\3Deupraxialabs\2Cdc\3Dcom, mappi
 ng tree, config
dn: cn=rw-to-ds-site2.eupraxialabs.com,cn=replica,cn=dc\3Deupraxialabs\2Cdc\3D
 com,cn=mapping tree,cn=config
nsDS5ReplicaUpdateSchedule: 0001-2359 0123456
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaRoot: dc=eupraxialabs,dc=com
nsDS5ReplicaHost: ds-site2.eupraxialabs.com
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis
 t
description: Agreement between ds-site1.eupraxialabs.com and ds-site2.eupraxia
 labs.com
cn: rw-to-ds-site2.eupraxialabs.com
nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUXlNekV4WmpJME5pMDBNemRqTXpBdw0KWWkwNE1UUm1NbUV5T1MwMlltUTBNalJpTXdBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCRGJNRlRZZklWdWdLLz
 ZpMW1NNlFnRA==}07xscZTKrOwyi1NnBo26IQ==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (19) Replication error acquiring replica: 
 Replica has different database generation ID, remote replica may need to be i
 nitialized (RUV error)
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The status above reports Error (19), an RUV error: the consumer at Site 02 has a different database generation ID and must be initialized from the supplier. The following LDIF modification of the agreement entry starts that initialization (a total refresh of the consumer):

dn: cn=rw-to-ds-site2.eupraxialabs.com,cn=replica,cn=dc\3Deupraxialabs\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
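As an added example (not part of the XtremeCloud playbooks or the product's own tooling), the Python below parses the folded LDIF that ldapsearch returns, maps the agreement attributes onto the four items an agreement identifies, flags the RUV error shown above and plain LDAP transport, and builds the nsds5beginreplicarefresh modification shown above. The sample input is a constructed, trimmed copy of that output; the function names are assumptions of this example, and base64 (::) values are not decoded.

```python
# Constructed sample: trimmed ldapsearch output from above, LDIF folding kept intact
SAMPLE = r"""dn: cn=rw-to-ds-site2.eupraxialabs.com,cn=replica,cn=dc\3Deupraxialabs\2Cdc\3D
 com,cn=mapping tree,cn=config
nsDS5ReplicaUpdateSchedule: 0001-2359 0123456
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaRoot: dc=eupraxialabs,dc=com
nsDS5ReplicaHost: ds-site2.eupraxialabs.com
nsds5replicaLastUpdateStatus: Error (19) Replication error acquiring replica:
  Replica has different database generation ID, remote replica may need to be i
 nitialized (RUV error)

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Unfold LDIF continuation lines; group attributes per entry, names lower-cased."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]      # continuation: drop the single fold space
        else:
            lines.append(line)
    entries, cur = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:            # the search-result trailer has no dn
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.lower(), []).append(val.strip())
    return entries

def check_agreement(entry):
    """Summarize what the agreement identifies; flag the RUV error and plain LDAP transport."""
    first = lambda a: entry.get(a, [""])[0]
    status = first("nsds5replicalastupdatestatus")
    return {"dn": first("dn"), "database": first("nsds5replicaroot"),
            "consumer": first("nsds5replicahost"),
            "schedule": first("nsds5replicaupdateschedule"),
            "bind_dn": first("nsds5replicabinddn"), "status": status,
            "needs_reinit": "RUV error" in status,
            "plaintext_transport": first("nsds5replicatransportinfo").upper() == "LDAP"}

def refresh_ldif(dn):
    """The modify LDIF shown above, which starts a total refresh of the consumer."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: nsds5beginreplicarefresh\n"
            "nsds5beginreplicarefresh: start\n")
```

Feed the real ldapsearch output into parse_ldif, and apply refresh_ldif's result with ldapmodify only after confirming needs_reinit, since a total refresh replaces the consumer's copy of the database.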

Virtual Machine or Raw Iron Installation

Please refer to this Quick Start Guide for configuration and administration of XtremeCloud Data Grid-ldap.