Q

Where to run LDAP

If you had a mainframe and various other servers (Windows, Unix, Linux) would you run LDAP on the mainframe or some other platform?

This depends on many things, of course, but I lean towards running my main servers on small, disposable systems.

For example, at PGP Corporation, our main Web site is run on a redundant set of 1U servers. They cost about $1-2K each, and we push out updates from our backend systems. If one melts down, we just put in another. Those core backend systems are, of course, highly protected, not available on the Internet, etc.

LDAP (Lightweight Directory Access Protocol) servers, however, are different in that they are essentially presentations of a database. They are more "live" than a Web server is. I don't know what's in this database and where it's stored. That you asked me about it at all leads me to believe that it is sitting on your mainframes.

Without knowing what problem you're trying to solve, any advice I give is just a guess. However, here's something to think about. LDAP servers can do "referrals" -- one server answering a question by referring it to someone else. You could put small Windows, Unix or Linux systems out on the network referring to your backend mainframe. This has the advantage that you lower the request rate to your mainframe (the outer systems are caching information), while protecting it (because the outer systems can only do reads, not writes, to the backend systems). This makes your cheap systems act as application firewalls for your backend ones.

This principle of containment is good security. We have a rule that one system does only one thing. Mail systems do mail. Directories do directory services. DNS systems do DNS. The advantage of this is that a flaw in one subsystem (like a Web server bug that allows it to be compromised) contains damage to that subsystem.

Now, of course, in the real world, budgets get in the way, and you may do something like put LDAP and DNA (Distributed interNet Applications Architecture) on the same box. However, that's merely a risk. You make intelligent decisions based on security, cost and so on. If something bad happens -- take your lumps, fix it and move on.

The advantage of using small, cheap systems is that you can even amplify this by making images of these systems and replicating, repairing and propagating them as needed.
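One way to build the cheap front-end system the answer describes, as an added example that is not part of the original answer or of the SearchSecurity page: an OpenLDAP slapd.conf in which the outer box proxies the directory tree to the backend, refuses all writes, caches repeated lookups locally, and hands back an LDAP referral for anything outside the tree it proxies. The hostnames, suffix, service account and cache sizes are assumptions for illustration; the directive names are OpenLDAP 2.4's (back-ldap and the pcache overlay), which postdate the 2003 answer.

```conf
# Added example (not from the original answer): OpenLDAP slapd.conf for a
# disposable front-end directory. Reads are answered from a local cache when
# possible and otherwise forwarded to the backend directory; writes are refused.
# mainframe.internal, dc=example,dc=com, the proxy account and the cache sizes
# are assumptions; directive names follow OpenLDAP 2.4.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Any request outside the suffix proxied below gets an LDAP referral, so the
# client is told to ask the backend rather than this box answering it.
referral        ldap://mainframe.internal/

# The front end is a proxy (back-ldap) for the corporate tree.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://mainframe.internal/"

# Refuse add/modify/delete here: the outer system can only read, so a
# compromise of it cannot alter what is stored in the backend directory.
readonly        on

# Bind to the backend as one low-privilege, read-only service account instead
# of passing client credentials through (assumed DN and placeholder password).
idassert-bind   bindmethod=simple
                binddn="cn=frontend-proxy,ou=service,dc=example,dc=com"
                credentials="replace-me"
                mode=none
idassert-authzFrom "*"

# Proxy cache overlay: repeated lookups are served locally, which is what
# lowers the request rate reaching the mainframe. mdb backing store, at most
# 10000 cached entries, one attribute set, 1000 entries per cached query,
# consistency check every 100 seconds.
overlay         pcache
pcache          mdb 10000 1 1000 100
pcacheAttrset   0 cn mail uid telephoneNumber
# Cache (uid=<value>) lookups for one hour; cache "no such entry" for 5 minutes.
pcacheTemplate  (uid=) 0 3600 300
directory       /var/lib/ldap/pcache
index           objectClass eq
index           uid,cn,mail eq
```

The security-relevant parts are `readonly on`, which turns the proxy into the read-only "application firewall" the answer describes, and the dedicated proxy bind identity, which should be granted only read access on the backend so that a compromised front end yields no more than that account can see. The cache directives only matter for load; a referral-based design without the pcache overlay still protects the backend but sends every query through to it.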


This was first published in July 2003.
