






INTERNET-DRAFT                                      Kurt D. Zeilenga
Intended Category: Informational                 OpenLDAP Foundation
Expires in six months                                     4 May 2003






             LDAP Multi-master Replication Considered Harmful
                   <draft-zeilenga-ldup-harmful-00.txt>





1. Status of this Memo

  This document is an Internet-Draft and is in full conformance with all
  provisions of Section 10 of RFC2026.

  Distribution of this memo is unlimited.  Technical discussion of this
  document may take place on the IETF LDUP Working Group mailing list at
  <ietf-ldup@imc.org>.  Please send editorial comments directly to the
  document editor at <Kurt@OpenLDAP.org>.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its areas, and its working groups.  Note that other
  groups may also distribute working documents as Internet-Drafts.
  Internet-Drafts are draft documents valid for a maximum of six months
  and may be updated, replaced, or obsoleted by other documents at any
  time.  It is inappropriate to use Internet-Drafts as reference
  material or to cite them other than as ``work in progress.''

  The list of current Internet-Drafts can be accessed at
  <http://www.ietf.org/ietf/1id-abstracts.txt>. The list of
  Internet-Draft Shadow Directories can be accessed at
  <http://www.ietf.org/shadow.html>.

  Copyright 2003, The Internet Society.  All Rights Reserved.

  Please see the Copyright section near the end of this document for
  more information.








Zeilenga                     LDUP is harmful                    [Page 1]

INTERNET-DRAFT       draft-zeilenga-ldup-harmful-00           4 May 2003


Abstract

  Over the last few years there has been significant development of
  Lightweight Directory Access Protocol (LDAP) replication mechanisms
  supporting a multi-master service model.  While multi-master
  replication may be useful in some situations, the deployment of
  multi-master replication alters the LDAP service model in a manner
  which can be harmful.

  This memo discusses the LDAP service model, how multi-master
  replication alters the service model, and how this alteration is
  harmful to existing directory applications.


1. Introduction

  The Lightweight Directory Access Protocol (LDAP) [RFC3377] is a
  protocol for accessing directory services which act in accordance with
  the X.500 information and service models [X.501][X.511].  There has
  been significant consumer demand for "multi-master" replication of
  LDAP-based directory servers.  However, there appears to be continued
  consumer confusion over data consistency issues introduced by the
  forms of multi-master replication being developed.  Consumers tend to
  want "high availability", "scalability", "strong data consistency" and
  other qualities all at once.  When engineering an information service,
  a balance between these qualities must be found which meets the design
  objectives.

  The designers of X.500 and LDAP designed an information service which
  offers "high-availability" and "scalability" of read-access through
  shadowing (replication) to slave (read-only) servers and "strong data
  consistency" through a "single master" (authoritative) server.

  The introduction of multi-master replication, as described in
  [RFC3384], to LDAP will significantly change this service model.  In
  particular, as no one server is authoritative over an object, the
  protocol would not guarantee strong data consistency between its
  peers.  Because this change will break applications which rely on the
  current LDAP service model, the changes should not be made to LDAP.
  Instead, a new directory access protocol should be developed where the
  LDAP service model is not applicable.

  To understand why the introduction of multi-master replication to
  LDAP-enabled directories is harmful, one must first understand the
  X.500 information and service models as used in LDAP.  These models
  are discussed in Section 2.

  The introduction of multi-master replication would significantly alter
  these models.  Section 3 discusses these alterations.

  These alterations will break existing directory applications.  A
  couple of examples of affected applications are provided in Section 4.

  Security Considerations are discussed in Section 5.

  Conclusions are discussed in Section 6.


2. X.500/LDAP Models

  The X.500 information model [X.501] is hierarchical, object-oriented,
  and designed for distributed directory systems.  The model also
  supports single-master replication [X.525].

  The X.500 service model [X.511] requires that each directory update
  operation be atomic.  That is, a success result code is returned if
  and only if all portions of the update request were successfully
  applied to the directory.  If any portion fails, a failure result code
  is returned and no portion of the update request shall be applied.
  Additionally, update operations acting upon the same target are to be
  processed serially.

  For example, if two clients independently attempt to add different
  entries with the same name, at most one of these attempts will be
  successful.  Likewise, if two clients independently attempt to add the
  same attribute but with different values, at most one of these
  attempts will be successful.

  It is noted that the X.500 replication (shadowing) model allows for
  transient inconsistencies to exist between the shadow and master
  servers.  As applications which update information or read
  authoritative information operate upon the master, these
  inconsistencies are not evident to such applications.


3. Multi-master Changes to X.500/LDAP Service Model

  RFC 3384 defines multi-master replication as follows:

      Multi-Master Replication - A replication model where entries can
      be written and updated on any of several master replica copies
      without requiring communication with other master replicas before
      the write or update is performed.

  For example, if two clients independently attempt to add different
  entries with the same name, both operations could indicate a
  successful result despite the name conflict.  Likewise, if two clients
  independently attempted to add the same attribute but with two
  different values, both attempts could be successful despite the
  attribute value conflict.

  Depending on the particulars of the multi-master replication system,
  such conflicts are resolved either automatically or manually.

  Regardless of how the conflict is resolved, it should be clear that
  the introduction of multi-master replication changes the X.500/LDAP
  service model.  The success of an update operation no longer indicates
  that the update was applied to the directory, but only that a master
  will later consider applying the change to the directory.  This later
  application may fail, or may result in changes to user application
  data other than those requested by the user application.


4. Harm to existing directory applications

  The introduction of multi-master replication will harm existing
  directory applications.  This section describes two examples; there
  are numerous others.


4.1.  Allocation of service entries

  Many directory applications allocate unique service entries for users.
  For example, in a white pages application using the naming plan for
  internet directory applications [RFC2377] and the inetOrgPerson schema
  [RFC2798], each DN uniquely identifies a user.

  One administrator for the white pages might attempt to add an entry
  for Joe Smith called <uid=joe@example.com,dc=example,dc=com> and
  another administrator might attempt to add an entry for Joe Jones
  <uid=joe@example.com,dc=example,dc=com>.

  The introduction of multi-master replication would cause great harm to
  such deployments as it would allow both adds to succeed.


4.2.  Allocation of serial numbers

  Many directory applications require each object (in a particular class
  or set of classes) to have a unique serial number assigned to it.  For
  example, in a Network Information Service [RFC2307] system, the
  uidNumber associated with a user must be unique within an
  administrative domain.

  One approach which allows multiple instances of the administrative
  client to allocate unique serial numbers is to have an entry in the
  directory which holds the last assigned uidNumber.  Clients can then
  read the uidNumber and attempt to increment it as follows:

      dn: cn=Last UID,dc=example,dc=com
      changetype: modify
      delete: uidNumber
      uidNumber: 1020
      -
      add: uidNumber
      uidNumber: 1021
      -

  where 1020 was the value of uidNumber read and 1021 is the desired new
  value.  Because the delete and the add are portions of one modify
  operation, the add is applied only if the delete of 1020 succeeds.  If
  the modify fails because the value to be deleted no longer exists,
  the client can repeat the read and modify as necessary.

  The introduction of multi-master replication would cause great harm to
  such applications, resulting in the same serial number being assigned
  to different objects.
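  As an added illustration (not part of this draft), the following
  Python simulates the Section 4.2 allocation loop, first against one
  master that serialises modifies as X.511 requires, then against two
  masters that each accept writes without consulting the other.  The
  Server class, allocate_uid, replication_conflicts and the starting
  value 1020 are constructed for this example.

```python
class Server:
    """A directory server holding the cn=Last UID entry from Section 4.2.
    modify() is atomic and serialised, as X.511 requires of a master."""

    def __init__(self, last_uid):
        self.uid_values = {last_uid}   # values of uidNumber on the entry
        self.changelog = []            # accepted (old, new) changes

    def read_last_uid(self):
        return max(self.uid_values)

    def modify(self, delete_value, add_value):
        # "delete: uidNumber <old>" and "add: uidNumber <new>" form ONE
        # modify. If the old value is gone the whole operation fails and
        # nothing is applied, so the add can never succeed on its own.
        if delete_value not in self.uid_values:
            return False
        self.uid_values.remove(delete_value)
        self.uid_values.add(add_value)
        self.changelog.append((delete_value, add_value))
        return True


def allocate_uid(server, max_attempts=5):
    """Client loop from Section 4.2: read, try delete-old/add-new, retry."""
    for _ in range(max_attempts):
        last = server.read_last_uid()
        if server.modify(last, last + 1):
            return last + 1
    raise RuntimeError("could not allocate a uidNumber")


def single_master_race():
    """Two clients that both read 1020 before either one writes."""
    master = Server(1020)
    first = master.modify(1020, 1021)      # True: 1021 is allocated
    second = master.modify(1020, 1021)     # False: 1020 no longer present
    retry = allocate_uid(master)           # loser re-reads and gets 1022
    return first, second, retry


def multi_master_race():
    """Same two clients, each talking to a different master replica."""
    m1, m2 = Server(1020), Server(1020)    # each accepts writes locally
    uid_a = allocate_uid(m1)               # 1021
    uid_b = allocate_uid(m2)               # also 1021: no peer was asked
    return uid_a, uid_b


def replication_conflicts(*replicas):
    """What replicas find when they later exchange changelogs: two
    changes deleting the same old value. Resolution happens only after
    both clients were already told their allocation succeeded."""
    seen = {}
    for replica in replicas:
        for old, new in replica.changelog:
            seen.setdefault(old, []).append(new)
    return {old: news for old, news in seen.items() if len(news) > 1}
```

  Auditing for duplicate uidNumber values across entries, as
  replication_conflicts does for the changelog, is the only way such an
  allocation can be caught after the fact under multi-master replication.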


5. Security Considerations

  The introduction of multi-master replication will, besides breaking
  existing applications which affect security (see the discussion
  above), raise a number of new security considerations.  In particular,
  it is unclear how one can build secure directory applications where
  update operations do not have the atomicity, consistency, isolation,
  and durability [ACID] properties.


6. Conclusions

  The X.500/LDAP information and service models do not support
  multi-master replication and cannot be altered to support multi-master
  replication without causing great harm.  LDAP server developers should
  heed this absolute implementation imperative [RFC2251, Section 3.3]:

      This document defines LDAP in terms of X.500 as an X.500 access
      mechanism.  An LDAP server MUST act in accordance with the
      X.500(1993) series of ITU recommendations when providing the
      service.  However, it is not required that an LDAP server make use
      of any X.500 protocols in providing this service, e.g. LDAP can be
      mapped onto any other directory system so long as the X.500 data
      and service model as used in LDAP is not violated in the LDAP
      interface.


7. Acknowledgment

  The author would like to thank the LDUP WG for exploring the
  possibility of adding multi-master replication support to LDAP.


8. Normative References

  [RFC2251]    M. Wahl, T. Howes, S. Kille, "Lightweight Directory
               Access Protocol (v3)", RFC 2251, December 1997.

  [RFC3377]    J. Hodges, R.L. Morgan, "Lightweight Directory Access
               Protocol (v3): Technical Specification", RFC 3377,
               September 2002.

  [RFC3384]    E. Stokes, et al., "LDAPv3 Replication Requirements",
               RFC 3384, October 2002.

  [X.501]      ITU, "The Directory: Models", ITU-T Recommendation X.501,
               1993.

  [X.511]      ITU, "The Directory: Abstract Service Definition", ITU-T
               Recommendation X.511, 1993.


10. Informative References

  [ACID]       Section 4 of ISO/IEC 10026-1:1992.

  [RFC2307]    L. Howard, "An Approach for Using LDAP as a Network
               Information Service", RFC 2307, March 1998.

  [RFC2377]    A. Grimstad, R. Huber, S. Sataluri, M. Wahl, "Naming Plan
               for Internet Directory-Enabled Applications", RFC 2377,
               September 1998.

  [RFC2798]    M. Smith, "Definition of the inetOrgPerson LDAP Object
               Class", RFC 2798, April 2000.

  [X.500]      ITU, "The Directory: Overview of Concepts, Models and
               Service", ITU-T Recommendation X.500, 1993.

  [X.525]      ITU, "The Directory: Replication", ITU-T Rec. X.525,
               1993.



11. IANA Considerations

  No IANA actions are requested.


12. Author's Address

  Kurt D. Zeilenga
  OpenLDAP Foundation
  <Kurt@OpenLDAP.org>


Copyright 2003, The Internet Society.  All Rights Reserved.

  This document and translations of it may be copied and furnished to
  others, and derivative works that comment on or otherwise explain it
  or assist in its implementation may be prepared, copied, published and
  distributed, in whole or in part, without restriction of any kind,
  provided that the above copyright notice and this paragraph are
  included on all such copies and derivative works.  However, this
  document itself may not be modified in any way, such as by removing
  the copyright notice or references to the Internet Society or other
  Internet organizations, except as needed for the purpose of
  developing Internet standards in which case the procedures for
  copyrights defined in the Internet Standards process must be followed,
  or as required to translate it into languages other than English.

  The limited permissions granted above are perpetual and will not be
  revoked by the Internet Society or its successors or assigns.

  This document and the information contained herein is provided on an
  "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET
  ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
