INTERNET-DRAFT Kurt D. Zeilenga Intended Category: Informational OpenLDAP Foundation Expires in six months 4 May 2003 LDAP Multi-master Replication Considered Harmful 1. Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Distribution of this memo is unlimited. Technical discussion of this document may take place on the IETF LDUP Working Group mailing list at . Please send editorial comments directly to the document editor at . Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at . The list of Internet-Draft Shadow Directories can be accessed at . Copyright 2003, The Internet Society. All Rights Reserved. Please see the Copyright section near the end of this document for more information. Zeilenga LDUP is harmful [Page 1] INTERNET-DRAFT draft-zeilenga-ldup-harmful-00 4 May 2003 Abstract Over the last few years there has been significant development of Lightweight Directory Access Protocol (LDAP) replication mechansisms supporting a multi-master service model. While multi-master replication may be useful in some situations, the deployment of multi-master replication replication alters the LDAP service model in a manner which can be harmful. This memo discusses the LDAP service model, how multi-master replication alters the service model, and how this alternation is harmful to existing directory applications. 1. Introduction The Lightweight Directory Access Protocol (LDAP) [RFC3377] is a protocol for accessing directory services which act in accordance with the X.500 information and service models [X.501][X.511]. There has been significant consumer demand for "multi-master" replication of LDAP-based directory servers. However, there appears to be continued consumer confusion over data consistency issues introduced by the forms of multi-master replication being developed. Consumers tend to want "high availability", "scalability", "strong data consistency" and other qualities all at once. When engineering an information service, a balance between these qualities must be found which meets the design objectives. The designers of X.500 and LDAP designed an information service which offers "high-availability" and "scalability" of read-access through shadowing (replication) to slave (read-only) servers and "strong data consistency" through a "single master" (authoritative) server. The introduction of multi-master replication, as described in [RFC3384], to LDAP will significantly change this service model. In particular, as no one server is authoriative over an object, the protocol would not guarantee strong data consistency between its peers. This change will break applications which rely on the current LDAP service model, the changes should not be made to LDAP. Instead, a new directory access protocol should be developed where the LDAP service model is not applicable. To understand why the introduction of multi-master replication to LDAP-enabled directories, one must first understand the X.500 information and service models as used in LDAP. These models are discussed in Section 2. The introduction of multi-master replication would significantly alter Zeilenga LDUP is harmful [Page 2] INTERNET-DRAFT draft-zeilenga-ldup-harmful-00 4 May 2003 these models. Section 3 discusses these alterations. These alterations will break existing directory applications. A couple of examples of affected applications are provided in Section 4. Security Considerations are discussed in Section 5. Conclusions are discussed in Section 6. 2. X.500/LDAP Models The X.500 information model [X.501] is hierarchial, object-oriented, and designed to distributed directory systems. The model also supports single-master replication [X.525]. The X.500 service model [X.511] requires that each directory update operation be atomic. That is, a success result code is returned if and only if all portions of the update request where successfully applied to the directory. If any portion fails, a failure result code is returned and no portions of the update request shall be applied. Additionally, update operations acting upon the same target are to serially processed. For example, if two clients independently attempt to add different entries with the same name, at most one of these attempts will be successful. Likewise, if two clients independently attempt to add the same attribute but with different values, at most one of these attempts will be successful. It is noted that X.500 replication (shadowing) model allows for transient inconsistencies to exist between the shadow and master servers. As applications which update information or read authoritative information operate upon the master, these inconsistencies are not evident to these applications. 3. Multi-master Changes to X.500/LDAP Service Model RFC 3384 defines multi-master replication as follows: Multi-Master Replication - A replication model where entries can be written and updated on any of several master replica copies without requiring communication with other master replicas before the write or update is performed. For example, if two clients independently attempt to add different entries with the same name, both operations could indicate a Zeilenga LDUP is harmful [Page 3] INTERNET-DRAFT draft-zeilenga-ldup-harmful-00 4 May 2003 successful result despite the name conflict. Likewise, if two clients independently attempted to add the same attribute but with two different values, both attempts could be successful despite the attribute value conflict. Depending particulars of the multi-master replication system, such conflicts are resolved either automatically or manually. Regardless of how the conflict is resolved, it should be clear that the introduction of multi-master changes the X.500/LDAP service model. The success an update operation no longer indicates that the update was applied to the directory, but that a master will later consider apply the change to the directory. This application may fail or result in directory changes to user application data other than those requested by the user application. 4. Harm to existing directory applications The introduction of multi-master replication will harm existing directory applications. This section describes two examples, there are numerous others. 4.1. Allocation of service entries Many directory applications allocate unique service entries for users. For example, white pages application using the naming plan for internet directory applications [RFC2377] and inetOrgPerson schema [RFC2798], each DN uniquely identifies a user. One administrator for the white pages might attempt to add an entry for Joe Smith called and another administrator might attempt to add an entry for Joe Jones . The introduction of multi-master replication would cause great harm to such deployments as it would allow both adds to succeed. 4.2. Allocation of serial numbers Many directory applications require each object (in a particular class or set of classes) to have a unique serial number assigned to it. For example, in Network Information Service [RFC2307] system, uidNumber associated with a user must be unique within an administrative domain. One approach which allows multiple instances of the administrative Zeilenga LDUP is harmful [Page 4] INTERNET-DRAFT draft-zeilenga-ldup-harmful-00 4 May 2003 client to allocate unique serial numbers, is to have an entry in the directory which holds the last assigned uidNumber. Then clients can read the uidNumber and attempt to increment it as follows: dn: cn=Last UID,dc=example,dc=com changetype: modify modify: delete delete: uidNumber uidNumber: 1020 - modify: add add: uidNumber uidNumber: 1021 - where 1020 was the value uidNumber read and 1021 is the desired value. If the modify fails because the value to be deleted no longer exists, the client can repeat as necessary. The introduction of multi-master replication would cause great harm to such applications, resulting in same serial number being assigned to different objects. 5. Security Considerations The introduction of multi-master replication will, besides breaking existing applications which affect security (see discussions above), raise a number of new security considerations. In particular, it is unclear how one can build secure directory applications where update operations do not have atomicity, consistency, isolation, and durability [ACID] properties. 6. Conclusions The X.500/LDAP information and service models does not support multi-master replication and cannot be altered to support multi-master replication without causing great harm. LDAP server developers should heed this implementation absolute imperative [RFC 2251, Section 3.3]. This document defines LDAP in terms of X.500 as an X.500 access mechanism. An LDAP server MUST act in accordance with the X.500(1993) series of ITU recommendations when providing the service. However, it is not required that an LDAP server make use of any X.500 protocols in providing this service, e.g. LDAP can be mapped onto any other directory system so long as the X.500 data and service model as used in LDAP is not violated in the LDAP Zeilenga LDUP is harmful [Page 5] INTERNET-DRAFT draft-zeilenga-ldup-harmful-00 4 May 2003 interface. 7. Acknowledgment The author would like to thank the LDUP WG for exploring the possibility of adding multi-master replication support to LDAP. 8. Normative References [RFC2251] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. [RFC3377] J. Hodges, R.L. Morgan, "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002. [RFC3384] E. Stokes, et. al., "LDAPv3 Replication Requirements", RFC3384, October 2002. [X.501] ITU, "The Directory: Models", ITU-T Recommendation X.501, 1993. [X.511] ITU, "The Directory: Abstract Service Definition", ITU-T Recommendation X.511, 1993. 10. Informative References [ACID] Section 4 of ISO/IEC 10026-1:1992. [RFC2307] L. Howard, "An Approach for Using LDAP as a Network Information Service", RFC 2307, March 1998. [RFC2377] A. Grimstad, R. Huber, S. Sataluri, M. Wahl, "Naming Plan for Internet Directory-Enabled Applications", RFC 2377, September 1998. [RFC2798] M. Smith, "Definition of the inetOrgPerson LDAP Object Class", RFC 2798, April 2000. [X.500] ITU, "The Directory: Overview of Concepts, Models and Service", ITU-T Recommendation X.500, 1993. [X.525] ITU, "The Directory: Replication", ITU-T Rec. X.525, 1993. Zeilenga LDUP is harmful [Page 6] INTERNET-DRAFT draft-zeilenga-ldup-harmful-00 4 May 2003 11. IANA Considerations No IANA actions are requested. 12. Authors' Address Kurt D. Zeilenga OpenLDAP Foundation Copyright 2003, The Internet Society. All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE AUTHORS, THE INTERNET SOCIETY, AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Zeilenga LDUP is harmful [Page 7]