1.2 How LDAP Proxy Works

NetIQ LDAP Proxy is designed to analyze the network traffic from various interfaces and regulate requests and responses among LDAP server directories, based on policies.

Architecture

The high-level architecture of NetIQ LDAP Proxy is made up of four layers: the proxy engine layer, protocol handler layer, message processing layer, and connector layer. Each of these layers is designed to supply certain functionality for the proxy, and the architecture is extensible to allow easy adoption of new protocols and different back-end stores such as databases.

Figure 1-1 High-Level Architecture of NetIQ LDAP Proxy

  1. The Proxy Engine Layer: A protocol-independent layer that performs several tasks:

    • Listens for client connection requests. LDAP Proxy can listen on multiple interfaces.

    • Acts as the directory firewall and filters traffic by allowing only trusted networks to establish a connection.

    • Creates and monitors a session for each accepted connection.

    • Schedules and handles the connection requests.

  2. The Protocol Handler Layer: A protocol-specific layer. After a client connection is established, all incoming requests and outgoing responses are passed on to the protocol layer. This layer performs the following tasks:

    • Decodes the LDAP requests.

    • Executes the Connection Route policy on the first request of each connection and on every subsequent Bind request to determine the identity group of the client. Based on the identity group, the policy determines which policies to apply and identifies the back-end server group to which the connection is routed.

    • Dispatches the incoming LDAP requests to the underlying message processing layer.

    • Receives the LDAP responses from the message processing layer and forwards the response to the LDAP client.

    • Collects monitoring statistics for proxy listeners.

  3. The Message Processing Layer: An optional layer that evaluates the policies. This layer performs the following tasks:

    • Receives the requests from the protocol layer and responses from the connector layer.

    • Evaluates the associated policy for an incoming request/outgoing response.

    • Dispatches the requests and responses to the next level based on the policy defined.

  4. The Connector Layer: Acts as an interface that forwards the processed requests to the appropriate directory server. This layer performs the following tasks:

    • Receives the requests from the message processing layer and forwards them to the appropriate back-end server.

    • Provides load balancing and failover.

    • Chains the requests if a referral response is received.

    • Decodes the LDAP responses received from the back-end server and dispatches the responses to the message processing layer.

    • Collects monitoring statistics for back-end servers.

    • Provides connection pooling to enhance performance.
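As an added illustration (not NetIQ's code and not its policy configuration format), the following Python model traces one client connection through the four layers described above: the engine's trusted-network check, the protocol handler's Connection Route evaluation on the first request and on every Bind, and the connector's load balancing and failover. All networks, bind DNs and host names are constructed sample values.

```python
import ipaddress
from itertools import cycle

# Constructed sample configuration; networks, DNs and host names are hypothetical.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
BACKEND_GROUPS = {
    "admins": ["ldap-admin-1.example.internal", "ldap-admin-2.example.internal"],
    "users": ["ldap-user-1.example.internal", "ldap-user-2.example.internal"],
}
HEALTHY = {s for servers in BACKEND_GROUPS.values() for s in servers}  # health state
_ROUND_ROBIN = {g: cycle(servers) for g, servers in BACKEND_GROUPS.items()}


class Session:
    """Proxy engine layer: one session object per accepted client connection."""
    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.group = None   # identity group set by the Connection Route policy
        self.server = None  # back-end server chosen by the connector layer


def accept_connection(client_ip):
    """Proxy engine layer as directory firewall: refuse untrusted networks early."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        raise PermissionError(f"refused connection from {client_ip}: untrusted network")
    return Session(client_ip)


def identity_group(bind_dn):
    """Simplified Connection Route policy: classify by bind DN; anonymous or
    unrecognised clients land in the least-privileged group."""
    if bind_dn and bind_dn.lower().endswith("ou=admins,o=example"):
        return "admins"
    return "users"


def pick_server(group):
    """Connector layer: round-robin load balancing, skipping unhealthy servers
    (failover) and failing closed when the whole group is unavailable."""
    for _ in BACKEND_GROUPS[group]:
        candidate = next(_ROUND_ROBIN[group])
        if candidate in HEALTHY:
            return candidate
    raise ConnectionError(f"no healthy back-end server in group {group!r}")


def route(session, request):
    """Protocol handler layer: run the Connection Route policy on the first
    request and on every Bind, then route to the selected back-end group."""
    if session.group is None or request["op"] == "bind":
        group = identity_group(request.get("bind_dn"))
        if group != session.group:
            session.group, session.server = group, None  # identity changed: re-route
    if session.server is None or session.server not in HEALTHY:
        session.server = pick_server(session.group)  # first use or failover
    return session.server
```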