
Where to run LDAP

If you had a mainframe and various other servers (Windows, Unix, Linux), would you run LDAP on the mainframe or on some other platform?

This depends on many things, of course, but I lean towards running my main servers on small, disposable systems.

For example, at PGP Corporation, our main Web site is run on a redundant set of 1U servers. They cost about $1-2K each, and we push out updates from our backend systems. If one melts down, we just put in another. Those core, backend systems are, of course, highly protected, not available on the Internet, etc.

LDAP (Lightweight Directory Access Protocol) servers, however, are different in that they are essentially presentations of a database. They are more "live" than a Web server is. I don't know what's in this database and where it's stored. That you asked me about it at all leads me to believe that it is sitting on your mainframes.

Without knowing what problem you're trying to solve, any advice I give is just a guess. However, here's something to think about. LDAP servers can do "referrals" -- which is one server answering a question by referring it to someone else. You could put small Windows, Unix or Linux systems out on the network referring to your backend mainframe. This has the advantage that you lower the request rate to your mainframe (the outer systems are caching information) while protecting it (because the outer systems can only do reads, not writes, to the backend systems). This makes your cheap systems application firewalls for your backend ones.

This principle of containment is good security. We have a rule that one system does only one thing. Mail systems do mail. Directories do directory services. DNS systems do DNS. The advantage of this is that a flaw in one subsystem (like a Web server bug that allows it to be compromised) contains damage to that subsystem.

Now, of course, in the real world, budgets get in the way, and you may do something like put LDAP and DNA (Distributed interNet Applications Architecture) on the same box. However, that's merely a risk. You make intelligent decisions based on security, cost and so on. If something bad happens -- take your lumps, fix it and move on.

The advantage of using small, cheap systems is that you can amplify this further by making images of these systems and then replicating, repairing and propagating them as needed.
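As an added illustration (not part of the original answer, and not a description of PGP Corporation's actual setup), here is what the front-end pattern the answer describes looks like as an OpenLDAP slapd.conf: a small, disposable box that forwards lookups to the protected backend, caches the answers locally, and refuses every write. One caveat worth stating plainly: an LDAP referral in the protocol sense hands the client a URL and expects the client to chase it, which would expose the backend's address. What protects the backend is the proxying shown here (OpenLDAP's back-ldap with the pcache overlay), where the edge box makes the backend connection itself. The hostname, suffix, cache sizes and paths below are assumptions.

```conf
# Constructed example: OpenLDAP slapd.conf for a read-only, caching LDAP
# front-end in front of a protected backend directory. Not the original
# page's configuration; hostnames, suffix, sizes and paths are assumed.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd.pid

# Global ACLs apply to the proxy as well: nobody reads password
# attributes through the edge box, everything else is read-only anyway.
access to attrs=userPassword
        by * none
access to *
        by * read

# Proxy database: requests under the suffix are forwarded by this host
# to the backend. Clients never learn the backend's address.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://directory.internal.example.com/"   # assumed backend
# Refuse add/modify/delete/modrdn at the front-end. A compromised edge
# box cannot alter the master directory, even with a stolen client bind.
readonly        on
# Do not chase referrals the backend might return on the client's behalf.
chase-referrals no

# Proxy cache: repeated lookups are answered locally, lowering the
# request rate that reaches the backend. Arguments: cache DB type,
# max cached entries, number of attribute sets, entry limit per query,
# consistency-check period in seconds.
overlay         pcache
pcache          mdb 10000 1 1000 100
# Attribute set 0: what the front-end is allowed to cache and serve.
pcacheAttrset   0 cn sn mail telephoneNumber
# Query templates eligible for caching, with a one-hour TTL.
pcacheTemplate  (uid=) 0 3600
pcacheTemplate  (mail=) 0 3600
# Local storage for the cache; it lives only on this disposable box.
directory       /var/lib/ldap/pcache
index           objectClass eq
index           uid,mail eq
```

To check the containment property, point `ldapsearch` at the front-end and confirm lookups succeed, then attempt an `ldapmodify` against it: slapd refuses the write with unwillingToPerform rather than forwarding it. Because the front-end holds no authoritative data, rebuilding a compromised or failed one is a matter of reinstalling the image and deleting the cache directory.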

This was last published in July 2003
