OpenLDAP is a distributed directory service holding the attributes that make up a digital identity (NetID). Examples of attributes include affiliation, name, and postal information. Applications can use the values of these attributes to obtain the user data and authorization information they require. LDAP can also authenticate users through Kerberos and works in support of other authentication platforms, such as RADIUS, CAS and Shibboleth.
The University's current OpenLDAP implementation is a multi-tiered, replicated infrastructure. Data is replicated between all nodes, which are distributed among multiple data centers. The OpenLDAP infrastructure has been designed with performance, data integrity and high availability as its core tenets.
The diagram above shows the layout of the OpenLDAP servers and how they communicate. The master nodes are the only writable servers. When the masters receive writes, the data is replicated to the rest of the OpenLDAP nodes. The replica nodes are the nodes that data is read from; they hold the LDAP data in memory at all times to increase the speed at which they can service requests. The nodes shown above are distributed between our two data centers and Azure. Under nominal conditions all LDAP requests are directed at one of the replica nodes. A high-availability pair of load balancers forwards each request to the least busy non-Azure node. The namespaces (i.e. master.ldap.uconn.edu and ldap.uconn.edu) are controlled by our Infoblox system. In the event of a disaster, one of the Infoblox nodes, either on campus or in Hartford, will automatically re-point the workload to Azure.
Service accounts used to query LDAP data are available upon request.
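Because every read is served from a replica while writes land only on the masters, the practical question for an application owner is how far a replica can be behind the master it replicates from. OpenLDAP syncrepl exposes this on each server as the contextCSN operational attribute of the database suffix (one value per server ID that has ever written). The script below is an added example, not the University's own tooling: it reads contextCSN from a master and a replica with the standard ldapsearch client and reports the per-server-ID lag. The base DN dc=example,dc=edu, the hostnames in main(), and the assumption that anonymous reads of contextCSN are permitted by the server ACLs are all placeholders chosen for illustration; the embedded LDIF samples are constructed for the offline demonstration.

```python
"""
Replication-lag check for a master/replica OpenLDAP deployment.

Added example (not the page's or the University's own code). Assumes:
  * syncrepl replication, so each server exposes contextCSN on its suffix;
  * the OpenLDAP client tool ldapsearch is on PATH;
  * hostnames and the base DN below are placeholders, not real values.
"""
import re
import subprocess
from datetime import datetime, timezone

# contextCSN layout: <UTC time>.<microseconds>Z#<change count>#<server id>#<modifier>
CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


def parse_csn(csn):
    """Return (timestamp, change count, server id) for one CSN value."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts = datetime.strptime(m["ts"], "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(m["us"]))
    return ts, int(m["count"], 16), int(m["sid"], 16)


def latest_per_sid(csns):
    """Map server id -> newest (timestamp, count) among the given CSN values."""
    newest = {}
    for value in csns:
        ts, count, sid = parse_csn(value)
        if sid not in newest or (ts, count) > newest[sid]:
            newest[sid] = (ts, count)
    return newest


def replication_lag(master_csns, replica_csns):
    """Seconds the replica trails the master, per writing server id.

    None means the replica has never received any change from that server id,
    which is a stronger warning sign than a large but finite lag.
    """
    master = latest_per_sid(master_csns)
    replica = latest_per_sid(replica_csns)
    lag = {}
    for sid, (master_ts, _) in master.items():
        if sid not in replica:
            lag[sid] = None
        else:
            replica_ts, _ = replica[sid]
            lag[sid] = max(0.0, (master_ts - replica_ts).total_seconds())
    return lag


def parse_ldif_attr(ldif, attr):
    """Collect all values of attr from LDIF text, unfolding continuation lines."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # LDIF folds long values onto indented lines
        else:
            unfolded.append(line)
    prefix = attr + ": "
    return [l[len(prefix):] for l in unfolded if l.startswith(prefix)]


def fetch_context_csn(host, base):
    """Read contextCSN from one server via an anonymous base-scope search."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}",
           "-b", base, "-s", "base", "contextCSN"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_ldif_attr(out, "contextCSN")


# Constructed LDIF, as ldapsearch -LLL would print it, for the offline demo:
# the master has seen writes from server ids 1 and 2; the replica is 1.5 s
# behind on sid 1 and has never received anything from sid 2.
SAMPLE_MASTER_LDIF = """dn: dc=example,dc=edu
contextCSN: 20240301120000.000000Z#000000#001#000000
contextCSN: 20240301120005.000000Z#000000#002#000000
"""
SAMPLE_REPLICA_LDIF = """dn: dc=example,dc=edu
contextCSN: 20240301115958.500000Z#000000#001#000000
"""


def demo_lag():
    """Lag computed from the constructed samples above."""
    return replication_lag(parse_ldif_attr(SAMPLE_MASTER_LDIF, "contextCSN"),
                           parse_ldif_attr(SAMPLE_REPLICA_LDIF, "contextCSN"))


def main():
    # Placeholder hostnames; substitute the write and read names of the deployment.
    base = "dc=example,dc=edu"
    master = fetch_context_csn("master.ldap.example.edu", base)
    for replica_host in ("replica1.ldap.example.edu", "replica2.ldap.example.edu"):
        lag = replication_lag(master, fetch_context_csn(replica_host, base))
        print(replica_host, lag)


if __name__ == "__main__":
    main()
```

Running it against a live deployment requires the server ACLs to allow the (anonymous or bound) client to read contextCSN; where reads of operational attributes are restricted, bind with a service account instead of `-x`. A None entry for a server ID means the replica has no trace of that writer at all, which usually points at a broken syncrepl session rather than ordinary propagation delay.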