Berkeley Database Information Index

Functional description

Daemons running

  • /usr/bin/perl -w /opt/bdii/sbin/bdii-update /opt/bdii/etc/bdii.conf
  • /usr/sbin/slapd -f /opt/bdii/var/2171/bdii-slapd.conf -h ldap://localhost:2171 -u edguser
  • bdii-fwd [accepting proxy for localhost]

Init scripts and options (start|stop|restart|...)

  • /etc/rc.d/init.d/bdii (start|stop|restart|condrestart|status)

Configuration files location with example or template

  • /opt/bdii/etc/bdii.conf
  • /opt/bdii/etc/bdii-update.conf

Logfile locations (and management) and other useful audit information

  • /opt/bdii/var/bdii.log
  • /opt/bdii/var/bdii-fwd.log

Open ports

  • 2170

Possible unit test of the service

  • GStat

Where is service state held (and can it be rebuilt)

  • In the LDAP database, restart to rebuild state

Cron jobs

  • None

Security information

Access control mechanism description (authentication & authorization)

There is no access control mechanism. The information provided by the Site BDII and the Top BDII can be queried anonymously by any user, and there are no access restrictions on the information.

How to block/ban a user

The BDII nodes cannot block users, as the service accepts anonymous queries for the information provided by these nodes.

Network Usage

There is one service running that needs network access on this node type.
  • OpenLDAP server. It listens on ports 2170/TCP, 2171/TCP and 2172/TCP; only 2170/TCP has to be open to the internet.

In general these gLite nodes (Top Level & Site BDII) have high network usage, due to the amount of information about the infrastructure they keep and provide. For example, a top level BDII has about 1.7 TB per day of input and 4.3 TB per day of output.

Firewall configuration

The firewall configuration is quite simple, because only the 2170/TCP port needs to be opened. This is the TCP port where the OpenLDAP server is running and accepting all the queries; the 2171/TCP and 2172/TCP ports only have to be reachable locally. The firewall configuration should allow access to port 2170/TCP from anywhere on the internet.

An example iptables rule is:

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2170 -j ACCEPT
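The port posture described above (2170/TCP public, 2171/TCP and 2172/TCP local only) is easy to verify on the node. The script below is an added example, not code from this page or from the BDII/gLite distribution; the two listings it inspects are constructed samples in the shape of `ss -lnt` and `iptables-save` output, with port 2172 deliberately misconfigured in both so the failing branches are exercised.

```shell
#!/bin/sh
# Port-exposure audit for a BDII node (added example, not code from the page
# or from the BDII/gLite distribution). Expected posture from the text above:
# 2170/TCP reachable from anywhere, 2171/TCP and 2172/TCP loopback only.
# Both listings are CONSTRUCTED samples shaped like `ss -lnt`/`iptables-save`.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:2170 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2171 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2172 0.0.0.0:*'
SAMPLE_RULES='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2170 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2172 -j ACCEPT'

# check_listener PORT LISTING: 2170 may bind to any address; the other BDII
# ports pass only when bound to a loopback address.
check_listener() {
  port=$1; listing=$2
  addr=$(printf '%s\n' "$listing" |
    awk -v p="$port" '$4 ~ (":" p "$") { sub((":" p "$"), "", $4); print $4; exit }')
  [ -n "$addr" ] || { echo "FAIL port $port: not listening"; return 1; }
  if [ "$port" = 2170 ]; then
    echo "OK port $port: listening on $addr"; return 0
  fi
  case "$addr" in
    127.0.0.1|::1|"[::1]") echo "OK port $port: loopback only ($addr)"; return 0 ;;
    *) echo "FAIL port $port: bound to $addr, must be loopback only"; return 1 ;;
  esac
}

# check_rule PORT RULES: 2170 needs an ACCEPT rule; 2171/2172 must have none.
check_rule() {
  port=$1; rules=$2
  n=$(printf '%s\n' "$rules" | grep -c -- "--dport $port .*-j ACCEPT" || true)
  if [ "$port" = 2170 ]; then
    [ "$n" -gt 0 ] && { echo "OK fw $port: accept rule present"; return 0; }
    echo "FAIL fw $port: no accept rule for the public LDAP port"; return 1
  fi
  [ "$n" -eq 0 ] && { echo "OK fw $port: not opened"; return 0; }
  echo "FAIL fw $port: opened by $n rule(s), should stay local"; return 1
}

# audit_all: runs every check, prints a summary line, always returns 0.
audit_all() {
  fails=0
  for p in 2170 2171 2172; do
    check_listener "$p" "$SAMPLE_LISTENERS" || fails=$((fails + 1))
    check_rule "$p" "$SAMPLE_RULES" || fails=$((fails + 1))
  done
  echo "$fails check(s) failed"
}
audit_all
```

On a live node, replace the sample strings with `ss -lnt` and `iptables-save` output to run the same checks against the real configuration.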

Security recommendations

The Top Level and Site BDII services are based on OpenLDAP technology; these nodes run an OpenLDAP server to provide the gLite information services.

Given this, the security recommendations to keep in mind are the suggestions above together with the information in the following links about the OpenLDAP server:

  • http://www.openldap.org/doc/admin24/
  • http://www.openldap.org/doc/admin24/security.html

Security incompatibilities

None currently known

List of externals (packages are NOT maintained by Red Hat or by gLite)

None

Other security relevant comments

None

Utility scripts

  • None

Location of reference documentation for users

Location of reference documentation for administrators

Topic revision: r11 - 2009-05-11 - CarlosFuentes