Orange S.A., France’s largest telecommunications company with 170,000 employees, was faced with the challenge of managing the user identities of around 30 million mail accounts and handling several hundred thousand simultaneous accesses. Our solution, UCS with integrated OpenLDAP, offers a scalable identity management system that remains stable even at high workloads thanks to an LDAP cluster.

User

With 170,000 employees, Orange S.A. is the largest telecommunications company in France with headquarters in Paris.

Requirements

  • Ability to manage 30 million user identities.
  • The directory service must handle more than a hundred thousand simultaneous requests.
  • Delegated administration and scalable notifications.
  • API compatibility with existing systems.
  • Highly scalable for gradual user data migration.

Solution

  • UCS with integrated OpenLDAP as the identity management system for 30 million users.
  • Creating a stable LDAP cluster capable of handling numerous simultaneous requests.
  • Implementing SOAP interfaces and provisioning and notification plugins for external APIs.
  • Integrating Open-Xchange, Dovecot, a provisioning router and broker by Tarent and many Orange specific services.

In 2014, Orange decided to overhaul its consumer e-mail platform completely, which provides each Orange customer with their own e-mail account. The main components of the new platform are now the mail backend Dovecot, the groupware Open-Xchange as webmail and PIM solution, and the identity management solution Univention Corporate Server (UCS) for the administration of over 30 million user identities.

Motivation and requirements

The renewal became necessary as the previous system could no longer withstand the continuous growth of the platform and the software stack was no longer up to date.

For instance, the system has to handle an extremely large number of accesses to the LDAP directory service, which lead to up to half a million changes per day in the objects stored there. At the same time, the IT managers at Orange placed great value on very high reliability: they wanted two mirrored sites and automated fail-over in the event of technical problems. In addition, it had to be possible to replace servers during live operation.

Since it was not possible to migrate all 30 million user accounts at once, a step-by-step approach was adopted, which required high scalability of the system for the successive migration of mail accounts. The IT managers of the project also wanted flexible roles, both for delegated administration and for the content of LDAP replicas (dedicated LDAP clusters per connected service).

And finally, high data protection requirements had to be met.

The decision in favour of Univention Corporate Server

The responsible Orange IT team decided in favour of UCS because it enabled the flexible mapping of roles and rights, both at the level of delegated administration and for the selective replication of the LDAP servers. The possibilities UCS offered for a scalable notification system, as well as its existing and expandable interfaces, were also important, since UCS had to harmonize with the existing system. And last but not least, the human factor played a role: Univention’s partnership with Open-Xchange and Dovecot, who were also involved in the project, its committed and individual consulting, the consistent implementation of sub-projects and high-quality product support all proved reliable.

Specific challenges and their solutions

The biggest challenge of the project was the sheer size of the environment. While in typical UCS projects about 200,000 objects are stored in the LDAP database, Orange maintains more than 30,000,000 objects. UCS had not yet been used in a project of this size, even though Univention knew that the technical possibilities were available.

To cope with the large amounts of data and high system loads, LDAP clusters were chosen, each set up as a group of UCS Replica Directory Node instances holding an identical subset of LDAP objects and attributes. The configuration of the database indexes, the LDAP queries issued by the connected services and the sizing of the server systems had to be coordinated in detail for these clusters. Operation of the system was distributed over two physical locations.
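To make the two mechanisms named above concrete, the following fragment is an added illustration of how a plain OpenLDAP consumer can be limited to the subset of entries and attributes one service needs, together with the indexes that keep lookups from becoming full scans under load. It is not Orange's or Univention's configuration: UCS replicates via its own Directory Notifier/Listener mechanism and manages slapd through UCR, so this shows the generic OpenLDAP primitives only. The provider hostname, base DN, replica DN, credentials placeholder and attribute list are assumptions.

```conf
# Added illustration (generic OpenLDAP slapd.conf syntax, not UCS-specific).
# Consumer side of a "mail" replica: pull only user entries and only the
# attributes the mail services need, so a compromised or over-broad replica
# exposes as little of the directory as possible.
syncrepl rid=001
        provider=ldaps://ldap-primary.example.net        # assumed hostname
        type=refreshAndPersist
        retry="60 +"                                      # reconnect every 60s, forever
        searchbase="dc=example,dc=net"                    # assumed base DN
        scope=sub
        filter="(objectClass=inetOrgPerson)"              # entry subset: users only
        attrs="uid,mail,mailAlternateAddress,userPassword" # attribute subset
        schemachecking=off                                # partial entries may lack MUST attributes
        bindmethod=simple
        binddn="cn=replica-mail,dc=example,dc=net"        # assumed replica identity
        credentials=REPLACE_WITH_SECRET                   # placeholder, never commit a real value
        tls_reqcert=demand                                # verify the provider certificate

# Indexes matching the queries the mail services actually issue.
# entryCSN/entryUUID equality indexes are required for efficient syncrepl.
index objectClass                    eq
index uid                            eq
index mail,mailAlternateAddress      eq,sub
index entryCSN,entryUUID             eq
```

The `filter` and `attrs` directives together define the replica's content; `schemachecking=off` is needed because an entry stripped to a handful of attributes will usually violate its object class's MUST list. Index changes on an existing database only take effect after `slapindex` (with slapd stopped) and, for a replica of this size, indexing must be tested against the real query mix rather than added speculatively, since every extra index costs write throughput on a directory seeing hundreds of thousands of changes a day.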

Another challenge was to make the new system API-compatible with the existing one; Univention’s project team had to implement several specific SOAP interfaces. It was also necessary to create provisioning and notification plug-ins for many external APIs. These APIs are part of a notification system extended specifically for the project, based on Univention Directory Manager and complementary tools such as RabbitMQ.

Connection of further solutions

Further solutions connected to the central IDM of UCS were Open-Xchange as a modern, web-based mail application, Dovecot’s IMAP server and MDA for incoming and outgoing e-mails, and the provisioning router and broker of the Tarent company, which routes requests to UCS or the legacy system. In addition, various Orange-specific services had to be integrated into UCS, as well as SOAP and REST APIs for communication between the components.

Project progress and goals

Following the start of the project in mid-2014, the first project release with full functionality could already be delivered in 2015. Over the course of 2016, the solution was expanded with additional functions and server roles and numerous performance tests were carried out to ensure that the system would withstand the expected extremely high workloads. At the end of the same year, the system went live with the full range of managed identities. Since then, mail accounts have been successively migrated to the new system. In addition, new requirements, such as stricter data protection regulations or new provisioning workflows, are continually being implemented.

Conclusion

Very high stability, reliability and scalability

Since going live, the system has been characterized by very high stability, reliability and scalability, so that the commissioned 24×7 support has almost never had to be used.
