LDAP: ACCESS & DATA ADMINISTRATION NEWSLETTER
3/05/05

Topics: A Catalog of Anxiety: What Can Go Wrong With LDAP Administration: Part 3

Issue Contents:
* A Catalog of Anxiety: What Can Go Wrong With LDAP Administration: Part 3
* Next Time: LDAP Server Performance
_______________________________________________________________
This newsletter is sponsored by Alessea Consulting. Business/IT Services for small and medium businesses. Specializing in network identity, project management, and business development. Visit us and read more about the Alessea difference.
URL: http://www.alessea.com
Mail: info@alessea.com
RSS: http://www.alessea.com/feed.xml
Phone: 860-346-9121
_______________________________________________________________
By Hallett German

Topic: A Catalog of Anxiety: What Can Go Wrong With LDAP Administration: Part 3

[We continue running a new series. It was inspired by a real LDAP outage caused by a software bug.]

There are many things under the sun, both big and small, that can cause a healthy LDAP server to fail and an LDAP administrator to lose a good deal of sleep. In our travels throughout the LDAP universe, we haven't found these completely documented in one place. Here is our modest attempt to correct this and to provide suggested solutions as well.

SOFTWARE WOES AND HOW TO AVOID THEM

Even if your software is working at 100%, there are still things that can go wrong. This continues the list discussed last month.

1) The Directory Service stops and can't restart. Hopefully, you are doing continuous maintenance so this doesn't take place. If it does happen, it could be for a variety of reasons. An investigation of your LDAP and system logs should reveal whether the cause is disk space, physical or virtual memory, configuration settings, database integrity, or one of the other factors previously discussed. If all else fails, you can either restore from backup or re-install.
2) The Directory Needs Performance Tuning. Between fighting fires and other responsibilities, the typical LDAP administrator does not have the spare time to do continuous capacity planning and LDAP server tuning. The result is an LDAP server that is not optimized for today's or tomorrow's needs. Many companies periodically use vendor or external consultants to do this activity. Typical activities include: 1) Get a baseline of usage based on historical data. 2) Predict what future growth will be. 3) Determine present utilization issues. 4) Re-optimize your server settings for the present and future load. This is such an important topic that we will continue discussing it next month.

APPLICATIONS ARE NOT YOUR FRIENDS

Applications include the whole range of home-grown, legacy, and commercial off-the-shelf software. Each of these can potentially cause problems for LDAP administrators. These include: 1) Bad imports into an LDAP server. 2) Bad data written into an LDAP server. 3) Replication issues, as previously discussed. 4) Badly written or intensive search queries. These can slow LDAP binds, searches, or updates for other users. 5) Attempted LDAP access against an invalid server name or IP address. We will cover more on applications and LDAP in a future issue.

LDAP AND SECURITY

LDAP and security is a full topic in its own right, and rightly so, because the following nightmares could happen at any time: 1) Data inadvertently made world-readable by adding an untested ACL. 2) One or more successful or unsuccessful malevolent attempts to access LDAP data. 3) A denial of service (DoS) attack that brings down the server through a malformed LDAP search. 4) The "server in the middle" (man-in-the-middle) attack, in which an attacker intercepts LDAP requests and replies to them as if it were the requested server. A good summary of possible LDAP attacks and how they can be thwarted can be found in RFC 2829. Other RFCs discuss security concerns as well.
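The "badly written search queries" in the applications section and the "malformed LDAP search" in the security list usually share one root cause: an application that pastes user input straight into a filter string, which is the LDAP query attack covered by the LDAP injection paper in the references. The following is an added example written for this newsletter; it is not code from the original issue or from any vendor's product. escape_filter_value() applies the escaping rules of RFC 4515. The small filter parser and in-memory directory are our own stand-in for a server (they handle only &, |, ! and attr=value with * wildcards) so that the effect of an injected value can be seen offline; the function names and sample entries are assumptions.

```python
import re

# Added example: our code, not from the newsletter or any LDAP vendor. escape_filter_value()
# follows RFC 4515; parse_filter()/search() are a deliberately small stand-in for a server
# so injected values can be seen taking effect offline. Names and sample data are our own.

# RFC 4515: these five characters must appear in a value as \XX hex escapes.
FILTER_SPECIALS = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever be compared literally."""
    return ''.join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str) -> str:
    """The mistake: user input pasted straight into filter syntax."""
    return f"(&(objectClass=person)(uid={username}))"


def login_filter_safe(username: str) -> str:
    """The fix: the same filter, with the value escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def parse_filter(s: str):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, pattern) nodes."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(s) or s[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect('(')
        if pos < len(s) and s[pos] in '&|!':
            op = s[pos]
            pos += 1
            children = []
            while pos < len(s) and s[pos] == '(':
                children.append(node())
            if not children or (op == '!' and len(children) != 1):
                raise ValueError(f"bad operand count for {op!r}")
            expect(')')
            return (op, children)
        eq, close = s.find('=', pos), s.find(')', pos)
        if eq == -1 or close == -1 or eq > close:
            raise ValueError(f"malformed item at offset {pos}")
        attr, pattern = s[pos:eq], s[eq + 1:close]
        if '(' in pattern:  # an unescaped '(' can never be part of a value
            raise ValueError(f"unescaped '(' in value at offset {eq}")
        pos = close + 1
        return ('=', attr.lower(), pattern)

    tree = node()
    if pos != len(s):
        raise ValueError(f"trailing data after filter: {s[pos:]!r}")
    return tree


def is_well_formed(filt: str) -> bool:
    try:
        parse_filter(filt)
        return True
    except ValueError:
        return False


def _unescape(v: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)


def _value_matches(pattern: str, actual: str) -> bool:
    # Split on unescaped wildcards first, then unescape each literal piece, so an
    # escaped \2a is a literal asterisk and not a wildcard.
    pieces = [re.escape(_unescape(p)) for p in pattern.split('*')]
    return re.fullmatch('.*'.join(pieces), actual, re.IGNORECASE) is not None


def evaluate(tree, entry) -> bool:
    op = tree[0]
    if op == '&':
        return all(evaluate(c, entry) for c in tree[1])
    if op == '|':
        return any(evaluate(c, entry) for c in tree[1])
    if op == '!':
        return not evaluate(tree[1][0], entry)
    _, attr, pattern = tree
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(entries, filt: str):
    """Return the DNs of entries matching the filter (scope is ignored in this toy)."""
    tree = parse_filter(filt)
    return [e['dn'] for e in entries if evaluate(tree, e)]


# Constructed sample directory; attribute names are stored lower-cased.
DIRECTORY = [
    {'dn': 'uid=alice,ou=people,dc=example,dc=com', 'objectclass': ['top', 'person'], 'uid': ['alice']},
    {'dn': 'uid=bob,ou=people,dc=example,dc=com', 'objectclass': ['top', 'person'], 'uid': ['bob']},
    {'dn': 'cn=backup,ou=services,dc=example,dc=com', 'objectclass': ['top', 'applicationProcess'], 'uid': ['backup']},
]

if __name__ == '__main__':
    for user in ['alice', '*', 'alice))(|(uid=*']:
        for label, build in (('unsafe', login_filter_unsafe), ('safe  ', login_filter_safe)):
            filt = build(user)
            outcome = search(DIRECTORY, filt) if is_well_formed(filt) else 'REJECTED: malformed filter'
            print(f"{label} {user!r:20} {filt}\n       -> {outcome}")
```

With the unsafe builder, a username of "*" turns the login check into a presence filter that matches every person, and "alice))(|(uid=*" produces a filter with trailing data that a strict server rejects; the escaped version of either input is a well-formed filter that matches nothing. Production code should use the escaping function of its LDAP library rather than a hand-written one, and DN components need different (RFC 4514) escaping from filter values.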
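Item 2 in the security list (successful or unsuccessful attempts to get at LDAP data) and item 4 in the applications list (intensive search queries) are only visible to an administrator who reads the server logs. The following is an added example written for this newsletter; it is our own code, not from the original issue or from OpenLDAP. It runs over constructed log lines in the style of slapd's "stats" log level and flags anonymous searches, presence filters over a whole subtree, leading-wildcard substring filters, oversized or slow result sets, and bursts of failed binds. The sample lines and the thresholds are assumptions chosen for illustration, not recommended values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example: our code, not from the newsletter or from OpenLDAP. The lines below are
# constructed in the style of slapd's "stats" log level (conn=/op= prefixes, BIND and
# RESULT, SRCH and SEARCH RESULT); they are not from a real server. The thresholds are
# assumptions for the demonstration, not tuning guidance.
SAMPLE_LOG = """\
Mar  5 10:15:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Mar  5 10:15:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Mar  5 10:15:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Mar  5 10:15:01 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"
Mar  5 10:15:01 ldap1 slapd[1234]: conn=1001 op=1 SRCH attr=userPassword mail
Mar  5 10:15:09 ldap1 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=48213 text=
Mar  5 10:15:10 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
Mar  5 10:15:10 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  5 10:15:10 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar  5 10:15:10 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  5 10:15:10 ldap1 slapd[1234]: conn=1002 op=1 RESULT tag=97 err=49 text=
Mar  5 10:15:11 ldap1 slapd[1234]: conn=1002 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar  5 10:15:11 ldap1 slapd[1234]: conn=1002 op=2 RESULT tag=97 err=49 text=
Mar  5 10:15:12 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=10.0.0.7:50000 (IP=0.0.0.0:389)
Mar  5 10:15:12 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="cn=app,ou=services,dc=example,dc=com" method=128
Mar  5 10:15:12 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Mar  5 10:15:12 ldap1 slapd[1234]: conn=1003 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(cn=*smith)"
Mar  5 10:15:12 ldap1 slapd[1234]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Mar  5 10:15:13 ldap1 slapd[1234]: conn=1004 op=1 SRCH base="ou=people,dc=example,dc=com" scope=0 deref=0 filter="(uid=bob)"
Mar  5 10:15:13 ldap1 slapd[1234]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT = re.compile(r'fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+')
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\d+')
BIND_RESULT = re.compile(r'op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')
SRCH = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) deref=\d filter="(?P<filter>.*)"$')
SRCH_RESULT = re.compile(r'op=(?P<op>\d+) SEARCH RESULT tag=101 err=(?P<err>\d+) nentries=(?P<n>\d+)')


def _new_conn():
    return {'ip': '?', 'bound_as': None, 'pending_bind': {}, 'failed_binds': 0, 'searches': {}}


def analyze(log_text, max_entries=1000, slow_seconds=5, max_failed_binds=3):
    """Correlate BIND/RESULT and SRCH/SEARCH RESULT pairs per connection; return findings in log order."""
    conns = defaultdict(_new_conn)
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(' '.join(m['ts'].split()), '%b %d %H:%M:%S')  # syslog stamps carry no year
        conn, rest, c = m['conn'], m['rest'], conns[m['conn']]
        if (a := ACCEPT.search(rest)):
            c['ip'] = a['ip']
        elif (b := BIND.match(rest)):
            c['pending_bind'][b['op']] = b['dn']
        elif (r := BIND_RESULT.match(rest)) and r['op'] in c['pending_bind']:
            dn = c['pending_bind'].pop(r['op'])
            if r['err'] == '0':
                c['bound_as'] = dn  # "" is an explicit anonymous bind
            else:
                c['failed_binds'] += 1
                if c['failed_binds'] == max_failed_binds:
                    findings.append(f"conn={conn} {c['ip']}: {max_failed_binds} failed binds as {dn!r} (last err={r['err']})")
        elif (s := SRCH.match(rest)):
            c['searches'][s['op']] = (ts, s['base'], s['scope'], s['filter'])
        elif (sr := SRCH_RESULT.match(rest)) and sr['op'] in c['searches']:
            t0, base, scope, filt = c['searches'].pop(sr['op'])
            # No successful BIND on record means anonymous. That is how LDAP works, but it is
            # also what a log rotated mid-connection looks like, so check the previous file.
            who = c['bound_as'] or 'anonymous'
            n, secs = int(sr['n']), (ts - t0).total_seconds()
            tags = []
            if who == 'anonymous':
                tags.append('anonymous')
            if scope == '2' and re.fullmatch(r'\(\w+=\*\)', filt):
                tags.append('presence filter over the whole subtree')
            if re.search(r'=\*[^)]', filt):
                tags.append('leading-wildcard substring')
            if n > max_entries:
                tags.append(f'{n} entries')
            if secs >= slow_seconds:
                tags.append(f'{secs:.0f}s')
            if sr['err'] != '0':
                tags.append(f"err={sr['err']}")
            if tags:
                findings.append(f"conn={conn} {c['ip']} {who}: {filt} base={base!r} scope={scope}: {', '.join(tags)}")
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, conn=1001 is the worst case: an anonymous bind followed by a subtree presence search that returns 48,213 entries in 8 seconds, which is what the first nightmare (an untested ACL) looks like from the server's side. conn=1002 shows three consecutive err=49 (invalid credentials) results for the same DN, conn=1003 a leading-wildcard substring filter that may not be served by an index, and conn=1004 a search on a connection that never bound at all.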
The threats listed above can be thwarted by stronger authentication methods, access control lists that limit what each identity is authorized to read or write, disabling anonymous access, encrypted sessions, and more.

This concludes our look at the many threats to server operation stability that may occur. We hope that it encourages vendors to improve their LDAP server products and LDAP administrators to incorporate more best practices into their activities.

References:

Here are some representative references:

TROUBLESHOOTING

Microsoft Site-Server LDAP Troubleshooting Guide
Good information that applies to most LDAP servers and problem situations.
http://www.microsoft.com/technet/prodtechnol/sscomm/reskit/ldaptsho.mspx

LDAP Errors and What They Mean
A listing of the standard LDAP error messages and what they mean.
http://www.bemsel.com/Technology/Troubleshooting/LDAP_Troubleshooting/body_ldap_troubleshooting.html

Sun - LDAP Troubleshooting
Some good things to check on UNIX LDAP servers.
http://docs.sun.com/app/docs/doc/816-7511/6mdgu0h3s?a=view

IBM Notes/Domino LDAP Troubleshooting
This may apply to other LDAP servers as well.
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/35e2e32969a22e5985256c1d0039da76?OpenDocument

Troubleshooting Novell's eDirectory
Book with sample chapter.
http://www.informit.com/title/0789731460

LDAP Connection with BEA WebLogic Server
Again, there may be ideas here that apply across LDAP servers.
http://www.fawcette.com/weblogicpro/2004_09/magazine/columns/troubleshootersdiary/default_pf.aspx

SOFTWARE BUGS

OpenLDAP Bugs Mailing List
With a searchable archive back to 1998. Typical of the sort of bugs that happen with LDAP servers.
http://www.openldap.org/lists/openldap-bugs/

Active Directory Backup Bug: Microsoft Comes Clean
A good overview of how bugs can be detected and dealt with.
http://www.windowsitpro.com/Windows/Article/ArticleID/21853/21853.html

DATA ISSUES

Wanted: Chief Data Officer
More on how to manage the data rather than cleanse it. However, data cleansing should be part of the CDO's responsibilities.
http://www.mail-archive.com/archive@jab.org/msg76467.html

The Real Cost of Bad Data
Shows that it is cheaper to fix the data than to do nothing.
http://www.melissadata.com/enews/articles/0105/9.htm

SECURITY

Some examples of denial of service (DoS) against LDAP, and other security material:
http://support.microsoft.com/kb/303448/EN-US/ -- Microsoft Exchange
http://secunia.com/advisories/8287/ -- Lotus Domino
http://ciac.llnl.gov/ciac/bulletins/l-116.shtml -- Historical LDAP Security Threats
http://corky.net/2600/data-networks/ldap-security.shtml -- Good Summary
http://www.faqs.org/rfcs/rfc2829.html -- RFC 2829
http://ks.securityfocus.com/shared/write/collateral/WTP/46524_30500_57177__LDAPinjection.pdf -- LDAP Query Attack (LDAP injection)

Next Time: LDAP Server Performance

Topic: Articles and Comments Welcome

I welcome 100-800 word articles for inclusion in future issues. Vendors and LDAP data administrators are particularly welcome. Of course, you receive full credit and ownership of your article. Thanks in advance for your help. Please feel free to comment on how useful it was and what you would like to see in the future. Contact me at hallett.german@alessea.com.
______________________________________________________________
About Hal German

Hallett German has 20 years' experience in a variety of IT positions and in implementing stable infrastructures. This includes directories/messaging architecture, desktop support, and IT management. Hal is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages. Periodically, he writes articles on various business and IT topics.
______________________________________________________________
Contacting Hal German/Past Issues
Mail: hallett.german@alessea.com
Archive of the LDAP Administration Newsletter: http://www.alessea.com/newsletters.htm
_______________________________________________________________
Copyright Alessea Consulting 2005
_______________________________________________________________