OpenLDAP Migration Project
The LDAP Directory is an enterprise directory service that offers secure and scalable access to Rutgers user information. It is widely used by many services to authenticate and authorize users, and it is one of the core components of the Identity Management (IdM) service stack. In addition, it is considered one of the University's data service providers, serving data beyond identity information, including class, address, address book and unit data and, in the future, group information. The LDAP service is high performing and has seen tremendous growth in use over the last few years. The current Enterprise LDAP environment was implemented in 2007 using Sun One Directory Server (now Oracle Enterprise Directory).
The Rutgers OIT-Enterprise Application Services department has adopted proven open source technologies as part of the IdM stack, including the Person Registry, SSO authentication/federation, and password stores. Following this strategy, the IdM team has researched different open source directory service technologies and concluded that OpenLDAP would best fit the University's needs.
The increase in load, combined with inefficient complex queries, has caused the current LDAP service to occasionally hang. An effort was made to horizontally scale the LDAP service by adding new dedicated LDAP clusters and applying the latest patches. This effort has significantly improved service availability; however, the risk of encountering new unforeseen issues that could result in another hang is not acceptable.
What is changing?
- More efficient and responsive directory searches: The new Directory service is built on the Lightning Memory-Mapped Database (LMDB). This makes tuning a lot easier!
- Better security: Searches via port 389 will be restricted to TLS, except for the public-access address book ldap-ab.rutgers.edu. This also applies to the Test environment test-ldap.rutgers.edu/test-ldap2.rutgers.edu.
- Better access control: Access to ldap.rutgers.edu/ldap2.rutgers.edu from outside the Rutgers network will be restricted. Web authentication from external applications must use the web SSO platform (Shibboleth/CAS).
- Improved replication: The new directory uses mirror mode replication with two master servers in different data centers. Mirror mode replication provides all of the consistency guarantees of single-master replication while also providing the high availability of multi-master.
- New environment:
  - New x86 scalable virtual servers. At minimum there are two nodes per cluster in each data center.
  - New network infrastructure and improved support for high availability.
- Moving to InCommon SSL certificates: To help reduce cost and to be more consistent with other OIT services, the new directory service will use InCommon SSL certificates. Most modern clients will not need to make any changes, but some legacy LDAP clients may need to add the InCommon CA and/or the intermediate certificates to their certificate stores. Please follow the instructions here to download the CA/intermediate certificates and add them to your SSL certificate store: Instructions to Download and Install CA Certificate
- New dedicated LDAP clusters:
  - ldap-auth.rutgers.edu / ldap2-auth.rutgers.edu: Dedicated to CAS authentication.
  - ldap-wireless.rutgers.edu / ldap2-wireless.rutgers.edu: Dedicated to RU Wireless.
  - openldap.rutgers.edu / openldap2.rutgers.edu: Temporary general-purpose Directory. The name will be migrated to the current "ldap.rutgers.edu/ldap2.rutgers.edu" two months after the rollout.
  - ldap-ab.rutgers.edu: A new, FERPA-compliant address book directory that will be available for public access (including from outside RU). Users will need to configure their address book to use this new configuration. This will not require TLS/SSL.
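The two controls above (TLS required on port 389, clients trusting the InCommon chain) map onto a handful of OpenLDAP directives. The following is an added illustration, not the project's actual configuration: a server-side slapd.conf fragment and a client-side ldap.conf fragment. The certificate file paths and the base DN dc=rutgers,dc=edu are assumptions; the hostnames are the ones named on this page.

```conf
# ===== Server side: slapd.conf fragment for the general-purpose directory =====
# (assumed file paths; the address book instance ldap-ab.rutgers.edu would
#  simply omit the "security" line, since it is served without TLS)

# Present the InCommon-issued server certificate together with the chain that
# legacy clients must be able to verify.
TLSCACertificateFile    /etc/openldap/certs/incommon-chain.pem
TLSCertificateFile      /etc/openldap/certs/ldap.rutgers.edu.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.rutgers.edu.key
TLSCipherSuite          HIGH:!aNULL:!MD5

# Refuse every operation on the plain port 389 listener until the client has
# negotiated StartTLS with at least 128-bit strength. A client that searches
# or binds without StartTLS receives "confidentiality required" rather than
# data, so a password can never be sent in the clear by mistake.
security tls=128

# ===== Client side: /etc/openldap/ldap.conf fragment =====
# Trust the InCommon chain and refuse to continue when the server certificate
# does not verify against it (the default "demand" is made explicit here).
URI          ldap://ldap.rutgers.edu ldap://ldap2.rutgers.edu
BASE         dc=rutgers,dc=edu
TLS_CACERT   /etc/openldap/certs/incommon-chain.pem
TLS_REQCERT  demand

# Verification from the client host (assumed commands, run by hand):
#   ldapsearch -ZZ -x -H ldap://ldap.rutgers.edu -b dc=rutgers,dc=edu -s base
#     -ZZ makes the search fail unless StartTLS succeeds, so a clean result
#     proves both the CA trust and the server-side requirement are in place.
#   openssl s_client -connect ldap.rutgers.edu:389 -starttls ldap -showcerts
#     shows the chain the server presents, which is what a legacy client
#     needs to import when the search above fails with a verification error.
```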
What is not changing?
- LDAP client access control will not change: We strove to minimize the impact on the current service DNs' access control. The previous access control will be imported into the new system.
- LDAP schema: We are deprecating the rulinkRutgersEduPerson schema and moving all attributes to the rutgersEduPerson schema. However, for now we have duplicated the rulink attributes so that you do not have to make any code changes. We will work with you in the near future to switch to using these new attributes.
- Accessing SafeNet via LDAP: Our goal is to migrate to Duo Security for MFA in the near future. For this release, we plan to port the same SafeNet authentication to the new Directory service.
- General-purpose LDAP VIPs ldap.rutgers.edu/ldap2.rutgers.edu will remain unchanged. Applications accessing the general-purpose LDAP today will not be required to point to new VIPs.
- Two different data centers: Continued presence in the ASB and Hill data centers.
- Central services (CAS and RU Wireless) will immediately start using the new dedicated Directory clusters while keeping the old Directory service as a backup.
- No big bang: The general LDAP instances ldap.rutgers.edu/ldap2.rutgers.edu, with the old LDAP implementation (Sun One), will continue to serve general-purpose LDAP access for 2 months from the new Directory rollout. This will run in parallel with the new general Directory service (OpenLDAP) openldap.rutgers.edu/openldap2.rutgers.edu. Services can volunteer for early access to the new Directory instance for certification purposes.
- Parallel roll-out: Keeping the old Directory service operational as a backup.
  - Real-time sync from the IdM PersonRegistry to both the new Directory and the legacy Directory instances for 2 months. This can be extended if needed.
  - Real-time password activation from IdM NetID management to both the new Directory and the legacy Directory instances for 2 months. This can be extended if needed.
- Minimum downtime: Two months after the new Directory rollout, the general-purpose new Directory instance will be switched to use ldap.rutgers.edu and ldap2.rutgers.edu. This will be mostly transparent to the applications.
- System Integration Testing phase 1 (dedicated Directory service clusters test-openldap1.rutgers.edu / test-openldap2.rutgers.edu): The following central services will have early access to test the new Directory service in the standard test environment:
  - myRutgers RU Portal
  - RU Wireless
- System Integration Testing phase 2 (general-purpose Directory https://test-ldap.rutgers.edu): The new general-purpose Directory service will be available during system integration testing phase 2. IdM will switch the VIP to point to the new test general Directory service. This should be transparent to the applications. We are requesting that applications report any issues during this phase.
System Integration Testing phase 1: March 28, 2016 – April 8, 2016
- March 28 – April 1: EAS applications (dev CAS, Portal and NetID Management) (Completed)
- April 04 – April 08: RU Wireless, Printing; other OIT groups are welcome to test during this time (Completed)
System Integration Testing phase 2: April 12, 2016 – April 22, 2016
- Switched test-ldap.rutgers.edu to the new OpenLDAP Directory Service. This change is transparent to most applications. (Completed)
- A small number of applications needed to update their certificate stores with the InCommon SSL certificates following these instructions. (Completed)
Production: April 25, 2016 – April 29, 2016
- Migration of CAS (Completed)
- Migration of RU Wireless services (Completed)
- Migrated one instance on 04/28/2016; completed the second instance migration on 06/07/2016.
- The general LDAP instances ldap.rutgers.edu/ldap2.rutgers.edu, with the old LDAP implementation (Sun One), will continue to serve general-purpose LDAP access for 2 months. Applications accessing this instance do not need to make any changes at this time.
- For those applications that did not have a test environment, and did not get the opportunity to test, we are providing openldap.rutgers.edu / openldap2.rutgers.edu in production for their validation. This instance will be available until the final cut-over (two months from production).
Final cut-over: After two months of production roll-out (June 21, 2016) (Completed)
- Move of ldap.rutgers.edu/ldap2.rutgers.edu to the new infrastructure.
- openldap.rutgers.edu / openldap2.rutgers.edu will no longer be available.
- ldap.rutgers.edu/ldap2.rutgers.edu will not be accessible from outside the Rutgers network.