Networking
Preface on Directory Protocols
In TCP/IP networking, there is generally a one-to-one correspondence between a TCP port and a protocol. You don't usually listen on a given TCP port for, say, both HTTP and FTP and SSH traffic. In directory systems, network transport is logically separated from the session, such that you can reuse the same transport connection to relay multiple protocols. Hence, to clarify the use of terminology here, a "transport" means the stack of protocols by which two hosts are networked and X.500 operations are relayed between them, and an "association" is a logical connection established by a bind operation that is transported over a "transport." Within the same transport, multiple associations may be made serially (but not in parallel), via binding and unbinding.
This means that, when Meerkat DSA listens for IDM transport on a given TCP port, DAP, DOP, DISP, and DSP associations may be established using IDM transport on that TCP port. This defies the usual "one-port-per-service" model often used by TCP/IP services.
Note that the above does not apply to LDAP, since LDAP is ALWAYS transported over "raw" TCP without IDM, ITOT, or any other OSI transport mechanism layered on top.
Directory Transport Protocols
Currently, Meerkat DSA only supports the transport of X.500 protocols via IDM or IDMS (IDM encapsulated in TLS). LDAP may be used as well, and may be optionally encapsulated in TLS. For both categories of protocols, StartTLS may be used as well.
The protocols which Meerkat DSA uses can be controlled by the following environment variables, which specify the port number on which these services listen:
- MEERKAT_WEB_ADMIN_PORT (Recommended: 18080; be careful when exposing this.)
- MEERKAT_IDM_PORT (Recommended: 4632)
- MEERKAT_IDMS_PORT (Recommended: 44632)
- MEERKAT_ITOT_PORT (Recommended: 1102)
- MEERKAT_ITOTS_PORT (Recommended: 11102)
- MEERKAT_LDAP_PORT (Recommended: 389; requires root privileges)
- MEERKAT_LDAPS_PORT (Recommended: 636; requires root privileges)
If a port number is set, Meerkat DSA listens on that port for the given service. If no port is set, that service does not listen at all. This means that it is possible to run Meerkat DSA as an LDAP-only or X.500-only server by simply not configuring ports for those services.
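The following is an added example, not part of the Meerkat DSA documentation or code base: a small Python audit of the port variables listed above. It applies the rules stated in this section (an unset variable means the service does not listen; 389 and 636 need root; the web admin port deserves care; LDAP-only and X.500-only deployments are simply the result of leaving variables unset) and additionally flags two services configured on the same port, which cannot both bind. The variable names and recommended values are taken from the page; the mode names and finding texts are this example's own.

```python
import os
from typing import Dict, List, Mapping, Optional

# Port variables Meerkat DSA reads (names from the documentation), with the
# recommended values the documentation gives, kept here for reference only.
RECOMMENDED_PORTS: Dict[str, int] = {
    "MEERKAT_WEB_ADMIN_PORT": 18080,
    "MEERKAT_IDM_PORT": 4632,
    "MEERKAT_IDMS_PORT": 44632,
    "MEERKAT_ITOT_PORT": 1102,
    "MEERKAT_ITOTS_PORT": 11102,
    "MEERKAT_LDAP_PORT": 389,
    "MEERKAT_LDAPS_PORT": 636,
}

X500_VARS = ("MEERKAT_IDM_PORT", "MEERKAT_IDMS_PORT", "MEERKAT_ITOT_PORT", "MEERKAT_ITOTS_PORT")
LDAP_VARS = ("MEERKAT_LDAP_PORT", "MEERKAT_LDAPS_PORT")


def parse_port(value: Optional[str]) -> Optional[int]:
    """An unset or blank variable means 'do not listen'; anything else must be a valid port."""
    if value is None or not value.strip():
        return None
    port = int(value.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def plan_listeners(env: Mapping[str, str]) -> Dict[str, int]:
    """Map each configured service variable to the TCP port it will listen on."""
    listeners: Dict[str, int] = {}
    for var in RECOMMENDED_PORTS:
        port = parse_port(env.get(var))
        if port is not None:
            listeners[var] = port
    return listeners


def deployment_mode(env: Mapping[str, str]) -> str:
    """Classify the deployment the way the documentation describes it (mode names are this example's)."""
    listeners = plan_listeners(env)
    x500 = any(v in listeners for v in X500_VARS)
    ldap = any(v in listeners for v in LDAP_VARS)
    if x500 and ldap:
        return "x500-and-ldap"
    if x500:
        return "x500-only"
    if ldap:
        return "ldap-only"
    return "no-directory-listeners"


def audit(env: Mapping[str, str]) -> List[str]:
    """Return the findings a reviewer would raise about this port configuration."""
    findings: List[str] = []
    listeners = plan_listeners(env)
    if deployment_mode(env) == "no-directory-listeners":
        findings.append("no IDM/IDMS/ITOT/ITOTS/LDAP/LDAPS port is set: the DSA serves no directory protocol")
    for var, port in listeners.items():
        if port < 1024:
            findings.append(f"{var}={port}: privileged port, the process must be started with root privileges")
    if "MEERKAT_WEB_ADMIN_PORT" in listeners:
        findings.append("MEERKAT_WEB_ADMIN_PORT is set: the web admin interface is listening; be careful where it is exposed")
    # Two services cannot bind the same TCP port; the second one to start will fail.
    seen: Dict[int, str] = {}
    for var, port in listeners.items():
        if port in seen:
            findings.append(f"{var} and {seen[port]} both use port {port}: the second listener will fail to bind")
        seen[port] = var
    return findings


if __name__ == "__main__":
    # Run against the real environment of the shell that starts Meerkat DSA.
    for line in audit(os.environ) or ["no findings"]:
        print(line)
```

Running it from the same shell (or container environment) that launches Meerkat DSA shows which services will actually listen before the process starts, which is cheaper than reading the startup log after a failed bind.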
Distributed Operation
For distributed operations, Meerkat DSA stores the access points obtained from knowledge attributes in the AccessPoint table. Currently, Meerkat DSA can only make use of IDM-based (and IDMS-based) access points. All other access points will be ignored.
You may directly alter the rows in the AccessPoint table to add or remove access points, but Meerkat DSA may have to be restarted for your changes to take effect. (We say "may" literally: it might not require a restart if you are not using in-memory caching of the DIT.) It is recommended that you instead use the Directory Access Protocol with the manageDSAIT flag set to modify knowledge attributes rather than altering the database directly.
DNS Configuration
DNS Records
It is not necessary at all, but for the sake of service discovery, it is recommended that you configure DNS for your domain to name your directory as a service using SRV records. If you want to keep your directory a secret, it is advised that you refrain from exposing it to the global Internet at all.
SRV records should be defined for IDM, IDMS, ITOT, LDAP, and LDAPS like so:
_idm._tcp.example.com 3600 IN SRV 0 5 <IDM port number> dsa01.example.com
_idms._tcp.example.com 3600 IN SRV 0 5 <IDMS port number> dsa01.example.com
_itot._tcp.example.com 3600 IN SRV 0 5 <ITOT port number> dsa01.example.com
_ldap._tcp.example.com 3600 IN SRV 0 5 <LDAP port number> dsa01.example.com
_ldaps._tcp.example.com 3600 IN SRV 0 5 <LDAPS port number> dsa01.example.com
Note that, in the above example, you will need to swap out example.com with your domain, dsa01 with your DSA's host name, and the port numbers enclosed in angle brackets with the ports you configured, and configure the other SRV record parameters (TTL, priority, weight) as you see fit.
You will also need A and/or AAAA records corresponding to the hostnames on the right hand side of the SRV records.
Again, DNS configuration is NOT required for Meerkat DSA to work.
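As an added example that is not part of the Meerkat DSA documentation or code base, the following Python script parses SRV records in the zone-file form shown above, checks that every SRV target has a matching A or AAAA record (the requirement stated above), rejects records whose port placeholder was never filled in, and orders the records for one service the way an RFC 2782 client tries them (lowest priority first, weighted random within a priority). The sample zone is constructed for this example: it uses the page's record names with the recommended port numbers filled in, and deliberately references a second host, dsa02, that has no address record.

```python
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Zone-file style SRV record, e.g. "_idm._tcp.example.com 3600 IN SRV 0 5 4632 dsa01.example.com"
SRV_RE = re.compile(
    r"^_(?P<service>[a-z0-9-]+)\._(?P<proto>tcp|udp)\.(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)
# Address record, e.g. "dsa01.example.com 3600 IN A 192.0.2.10"
ADDR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>A|AAAA)\s+(?P<addr>\S+)$")

# Constructed sample zone (not real DNS data): the page's records with the
# documentation's recommended ports filled in. dsa02 has no address record on purpose.
SAMPLE_ZONE = """
; constructed example zone for this script
_idm._tcp.example.com   3600 IN SRV 0 5 4632  dsa01.example.com
_idms._tcp.example.com  3600 IN SRV 0 5 44632 dsa01.example.com
_itot._tcp.example.com  3600 IN SRV 0 5 1102  dsa01.example.com
_ldap._tcp.example.com  3600 IN SRV 0 5 389   dsa01.example.com
_ldap._tcp.example.com  3600 IN SRV 10 5 389  dsa02.example.com
_ldaps._tcp.example.com 3600 IN SRV 0 5 636   dsa01.example.com
dsa01.example.com       3600 IN A    192.0.2.10
dsa01.example.com       3600 IN AAAA 2001:db8::10
"""


@dataclass(frozen=True)
class SrvRecord:
    service: str
    proto: str
    zone: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV line; an unfilled "<... port number>" placeholder fails here."""
    m = SRV_RE.match(line)
    if not m:
        raise ValueError(f"not a valid SRV record: {line!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SRV record: {line!r}")
    return SrvRecord(m["service"], m["proto"], m["zone"], int(m["ttl"]),
                     int(m["priority"]), int(m["weight"]), port, m["target"])


def parse_zone(text: str) -> Tuple[List[SrvRecord], Dict[str, List[str]]]:
    """Split a small zone into SRV records and a name -> [A/AAAA addresses] map."""
    srvs: List[SrvRecord] = []
    addrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        if " SRV " in line:
            srvs.append(parse_srv(line))
            continue
        m = ADDR_RE.match(line)
        if not m:
            raise ValueError(f"unsupported record: {line!r}")
        addrs.setdefault(m["name"], []).append(m["addr"])
    return srvs, addrs


def dangling_targets(srvs: List[SrvRecord], addrs: Dict[str, List[str]]) -> List[str]:
    """SRV targets with no A/AAAA record: clients can discover the service but not connect."""
    return sorted({r.target for r in srvs if r.target not in addrs})


def candidates(srvs: List[SrvRecord], service: str, proto: str = "tcp",
               rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order one service's records as an RFC 2782 client would try them:
    ascending priority, and within a priority a weighted random selection."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for r in srvs:
        if r.service == service and r.proto == proto:
            by_priority.setdefault(r.priority, []).append(r)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[rng.randrange(len(pool))]
            else:
                n = rng.randrange(total)  # 0 <= n < total, so each record is picked with probability weight/total
                running = 0
                pick = pool[-1]
                for r in pool:
                    running += r.weight
                    if running > n:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


if __name__ == "__main__":
    srvs, addrs = parse_zone(SAMPLE_ZONE)
    print("SRV targets without A/AAAA records:", dangling_targets(srvs, addrs))
    for r in candidates(srvs, "ldap", rng=random.Random(0)):
        print(f"try {r.target}:{r.port} (priority {r.priority}, weight {r.weight})")
```

Feeding your real zone text through parse_zone before publishing it catches the two mistakes that are easy to make with the template above: leaving a placeholder in the port field, and pointing an SRV record at a host name that has no address record.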
DNS Client
Meerkat DSA runs on NodeJS, which uses the c-ares library under the hood. NodeJS does not expose any functionality for tuning DNS resolution. Fortunately, you can tune it using the RES_OPTIONS environment variable, which is documented here.
You generally should not mess with this unless you're seeing DNS resolution issues. I have personally seen this happen when I change networks while still connected to a VPN, but I think this is a pretty uncommon issue.
See this StackOverflow answer for help.
This is liable to change if Bun proves to be a viable NodeJS alternative. I do not know what it uses for DNS under the hood.
The Future
In the future, Meerkat DSA may support:
- TOR / Onion Routing / SOCKS Transport
- Lightweight Presentation Protocol (LPP) Transport
- X.25-over-TCP (XOT) Transport
- DIXIE Protocol