Novis's deployment of M-Vault

Novis is a leading Portuguese telecommunications company which operates M-Vault in support of its ISP services. It runs a master M-Vault server with two million entries and five shadow M-Vault servers, providing ten million searches per day in May 2003. This case study looks at Novis's use of M-Vault.

About Novis

Novis is a leading Portuguese telecommunications company and a subsidiary of SonaeCom, which is Sonae's communications holding. Sonae is Portugal's largest non-financial group. SonaeCom has companies providing mobile services (Optimus), a free Internet service (Clix) and a media content group (Matrix), for which Novis provides the underlying services.

Novis' ISP department is a 100% service-oriented group, providing basic and advanced network services, authentication, and information services for commercial and residential customers.

Why LDAP?

Novis maintains data on each individual customer, and every customer has at least one user profile containing:

  • Username and password
  • Information and parameters for each of the services (e.g., email, hosting, network access) to which the user subscribes; examples are email address, URL and calling line ID.

Prior to using M-Vault, Novis maintained a different database for each service, using technologies including db2, db3 and cdb. This approach proved too cumbersome and ineffective (for example, a 400,000 entry CDB took over 2 hours to generate). Novis sought to standardize on a data storage approach for customer information which would meet current (1999) requirements and allow for future expansion. Use of a relational database was considered too complex, and there were potential performance problems in supporting the search load expected from anticipated growth.

LDAP was seen as a high performance, open standards approach that met the architectural requirements of the services. Isode's M-Vault was selected as the LDAP product for the service in 1999. Initial operation was with 500,000 entries, which had grown to over 2 million by January 2003.

Why M-Vault?

Ricardo Cerqueira, from Novis Telecom's ISP Engineering group, explains why Novis chose M-Vault as its LDAP solution:

  • Because it's a standards-compliant LDAP server: At Novis, we use applications running on different platforms, written in several languages, dedicated to multiple purposes, and from separate vendors. The only way we could ensure 100% compatibility between applications was by using a standard source of information which all services could access.
  • Because it's efficient: When put together, our services generate a high number of requests which must be answered in sub-second times. M-Vault handles this load without heavy hardware requirements, and without overloading the servers.
  • Because it's scalable: Combined with a Red Hat Linux platform and a load-balancing network switch, M-Vault's replication mechanism (Shadowing) allows us to grow as much as we need without added costs.
  • Because it's easy to maintain: M-Vault is an easy to install, easy to use product. After tuning it to our specific environment, it has proved to be virtually hassle-free software.

Novis Architecture

The figure above shows the architecture at Novis. All configuration and business data is held in an SQL database, which is also used to support billing and other commercial functions. Customer updates are made to this database using the IPGng service, a provisioning system implemented in Perl that takes updates directly from customers. The SQL database is polled by an application (IPGng-Bridge) that reflects those changes in the M-Vault master directory server. The full directory is replicated to five shadow servers. Changes are replicated from the master directory to each shadow copy using the X.500 DISP (Directory Information Shadowing Protocol). Propagation of a change, from the customer making it to the data being replicated into all of the shadow copies, typically takes 1-2 seconds, so customers see their changes reflected immediately.

A customer uses applications and services provided by Novis, which make use of the directory for customer authentication and configuration. These applications access directory information over LDAP, always from one of the M-Vault shadows (never the master).

Novis Applications

Novis uses M-Vault to support the following applications:

  • Mail delivery and authentication
  • Hosting service, to enable customer operation of Web sites
  • Network access
    • Dial up using RADIUS (Remote Authentication Dial-In User Service)
    • DSL
  • Web service authentication and information
  • Internal (corporate) user authentication at servers

Details of how mail delivery, Web hosting and dial-up (RADIUS) make use of the directory are given below. For some applications Novis has used the LDAP capabilities of existing products; for others it has added LDAP support itself. Novis uses Perl and the Net::LDAP module as its preferred LDAP integration approach.

Customer Data

A typical customer will have basic LDAP information in the customer's directory entry, as set out below:

dn: uid=username,ou=users,ou=businessunit,o=novis
objectClass: ...
uid: username
userPassword: mypassword
mail: me@example.com
homeDirectory: /path/to/my/home/
restCallerID: 210104000
urlPath: www.example.com
mailQuota: 10000000
ftpQuota: 20000000

As the various applications make use of attributes within the directory, a typical directory entry at Novis has around 30 attributes.

Email Usage

Novis uses Qmail for message switching and for POP3 mail storage (both open source products). These use the directory in the following way:

  • A mail message arrives for "me@example.com".
  • Qmail searches the LDAP server for "mail=me@example.com", requesting 'homeDirectory' and 'mailQuota'. Both values are returned; the server checks that the current mailbox size does not exceed 'mailQuota', and then delivers the message to '/path/to/my/home'.
  • When the user accesses the POP3 service, the user logs in over the POP3 protocol as 'username', giving 'mypassword' as the password.
  • The POP3 server searches for 'uid=username' (which is unique), and fetches the entry's Distinguished Name and the user's homeDirectory.
  • An LDAP bind is sent using the Distinguished Name and 'mypassword' (from the POP3 login); the LDAP bind is thus used to authenticate the POP3 user. If the bind succeeds, the POP3 server changes to the user's home directory and the user accesses his mail.

It can be seen that M-Vault is used both to manage configuration for the email application (home directory location and quota) and to authenticate logins. This authentication approach is used by all of the Novis services.

Hosting Usage

Novis offers hosting services for the residential and corporate markets, where customers can operate their own Web sites. FTP (File Transfer Protocol) is used to transfer Web data between the customer and Novis (an approach supported by all Web site editing programs). This works as follows:

  • The customer accesses the FTP service, logging in as 'username', giving 'mypassword' as his password.
  • The FTP server searches for 'uid=username', and fetches the distinguished name, homeDirectory and ftpQuota.
  • An LDAP bind is sent using the distinguished name and 'mypassword'. As with email access, LDAP handles the authentication credentials.
  • If the LDAP bind is successful, the FTP server changes to the user's home directory and calculates the current quota usage.
  • The user can now transfer files and make changes to the Web site.

The Web server also utilizes the directory, in order to access hosted data:

  • If a request arrives at the Web server for "http://www.example.com/", the Web server searches for 'urlPath=www.example.com', and fetches 'homeDirectory'.
  • The Web server uses the home directory attribute value '/path/to/my/home' as the HTTP DocumentRoot, enabling it to serve the correct hosted files.

Dial up Service (RADIUS)

Novis uses RADIUS to manage authentication, and uses the Radiator product to support this. Radiator has built-in LDAP support, and is used directly with M-Vault. Authentication works as follows:

  • The customer accesses the RADIUS service providing 'username', and giving 'mypassword' as the password.
  • The RADIUS server searches for 'uid=username', and fetches the distinguished name.
  • An LDAP bind is sent using the distinguished name and 'mypassword', which authenticates the user.
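The POP3, FTP and RADIUS flows above are all the same search-then-bind procedure against the Customer Data entry. The following is an added example, written in Python rather than Novis's own Perl/Net::LDAP code; the in-memory directory is a constructed stand-in for an M-Vault shadow (not M-Vault itself), kept only so the flow runs offline. It adds the two checks a front end doing this needs: RFC 4515 escaping of the username before it goes into the filter, and refusal of an empty password, which an LDAP server treats as an anonymous bind that succeeds (RFC 4513 section 5.1.2).

```python
# Constructed sample entry, mirroring the LDIF in the Customer Data section.
SAMPLE = {"uid=username,ou=users,ou=businessunit,o=novis": {
    "uid": "username", "userPassword": "mypassword",
    "homeDirectory": "/path/to/my/home/", "mailQuota": "10000000", "ftpQuota": "20000000"}}

def escape_filter_value(value):
    """Escape a user-supplied value for an LDAP filter (RFC 4515) so that
    characters such as '*' or ')' are matched literally instead of parsed."""
    return "".join("\\%02x" % b if b in (0x5C, 0x2A, 0x28, 0x29, 0x00) or not 0x20 <= b <= 0x7E
                   else chr(b) for b in value.encode("utf-8"))

def _unescape(value):
    """The server side of RFC 4515: turn each '\\xx' back into its raw byte."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16)); i += 3
        else:
            raw.extend(value[i].encode("utf-8")); i += 1
    return raw.decode("utf-8")

class StandInDirectory:
    """Stand-in for one M-Vault shadow: equality search plus simple bind, with real LDAP bind semantics."""
    def __init__(self, entries):
        self.entries = entries                       # dn -> {attribute: value}

    def search(self, attr, escaped_value, attrs):
        wanted = _unescape(escaped_value)
        return [(dn, {a: e[a] for a in attrs if a in e})
                for dn, e in self.entries.items() if e.get(attr) == wanted]

    def bind(self, dn, password):
        # RFC 4513 5.1.2: a DN with an EMPTY password is an anonymous bind and the
        # server reports success, so a client that forwards "" would let anyone in.
        if password == "":
            return True
        e = self.entries.get(dn)
        return e is not None and e.get("userPassword") == password

def authenticate(directory, username, password, attrs=("homeDirectory",)):
    """Search uid=<username> on a shadow, then bind as the returned DN.
    Returns the requested attributes on success and None on any failure."""
    if password == "":                      # refuse the anonymous-bind pitfall up front
        return None
    hits = directory.search("uid", escape_filter_value(username), attrs)
    if len(hits) != 1:                      # uid is unique; zero or several hits is a failure
        return None
    dn, values = hits[0]
    return values if directory.bind(dn, password) else None
```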

Configuration Details

The six M-Vault servers run on Dell PowerEdge dual 1GHz Pentium III servers. Applications only read data from the shadow servers; the master directory is used only for updates. The primary purpose of the shadow servers is to provide redundancy: the system can meet its performance targets using three of the five servers. Applications see the five shadow servers as a single logical service (a virtual LDAP server). The shadow servers are load-balanced by an Alteon ACEDirector switch to provide this service.

Statistics

Novis has seen the following operational data for their M-Vault service:

  • Data growth from 500,000 to 2,000,000 entries from 1999 to January 2003.
  • 2,800 entries are added every day.
  • 60,000+ modify operations per day.
  • An average of 437 shadow updates are performed each hour (7 per minute), mostly as a result of modification operations.
  • Each shadow server handles an average of 23 search operations per second (18 binds/sec). At peak hours, this increases to 45 searches per second. (Data for one server on a typical day is shown below.)
  • Across the service this search level is 115 operations per second (90 binds per second) on average, with 225 searches per second at peak hours.

Future Plans

Novis anticipates continued customer growth for this service, and plans to add to the services which access the M-Vault directory. In particular, Novis plans to add an internal directory service (address book and white pages).

Copyright © 2008 Isode