EDirectory Update with 8.7.1 Gary J Porter MindWorks, Inc. gporter@mindworks-inc.com.

Post on 11-Jan-2016


eDirectory Update with 8.7.1

Gary J Porter, MindWorks, Inc., gporter@mindworks-inc.com

© April 21, 2023 Novell Inc, Confidential & Proprietary. 2

Contents

• Things you should know from 8.7
• Extensible Match
• Dynamic Groups
• New Event Triggers
• Persistent Search
• TLS
• New Authentication Methods
• SOAP Access
• Universal Password
• & much more…


Extensible Match

Extensible Match is defined in LDAP v3

• Support multiple matching rules for the same types of data
  – Can implement new rules, e.g., “sounds like”

• Include DN elements in the search criteria
  – The DN specification allows matching on specific elements of the DN of an object, e.g. the ou=sales element of
    cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa


Task: Find All Admin Assistants in All the Sales Groups of this Company

[Figure: tree diagram. Root with o=usa, o=england and o=germany; departments Sales, Manufacturing, Finance and Engineering; England’s Sales split into East and West; adminAssistant containers under several of these holding Terry, Alice, Sam, Hilda and Bill.]


Possibility One

1. Search for all admin assistant containers in the tree
C:>ldapsearch … (organizationalRole=adminAssistant)
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches

2. In the client, evaluate each DN to see if it is subordinate to a sales container (drops the ou=finance,o=germany container, keeps the other three)
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england


Possibility One (cont.)

3. Using each admin assistant container as a base, do a subtree search for users in that container
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=west,ou=sales,o=england” (objectClass=user)
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
1 matches


Possibility Two

1. Search for all sales containers in the tree
C:>ldapsearch … (ou=sales)
ou=sales,o=usa
ou=sales,o=germany
ou=sales,o=england
3 matches

2. Using each sales container as a base, do a subtree search for users in the admin assistant container
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=england” (objectClass=user)
0 matches

What’s wrong? This search assumes everything is at the same level! Bill’s admin assistant container sits under ou=west,ou=sales,o=england, one level deeper than the base the client guessed, so the o=england search returns nothing.


In eDirectory 8.7...

1. Use extensibleMatch
C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches

The “:dn” flag tells the server to match the value against the components of each entry’s DN as well, so one server-side search finds the objects at every depth. Grammar of the extensible filter term (RFC 2254):
extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" matchingrule ":=" value


eDirectory Support for extensibleMatch

eDirectory 8.7 and 8.7.1 support extensibleMatch for matching on DN values

• eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and ignores them
• Versions of eDirectory prior to 8.7 would return a protocol error if an extensibleMatch term was specified in a search filter

Note that under RFC 2251 filter semantics an Undefined term can never make a filter true: an AND containing one matches nothing and an OR relies on its other terms. Check which rules the server advertises before relying on one.

Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object using the standard matchingRules and matchingRuleUse schema attributes


Dynamic Groups

Creating communities while reducing administrative overhead


Dynamic Groups

eDirectory 8.6.1 and 8.7 allow you to determine group membership dynamically

• Membership determined by use of a search filter
  – Search filter is in URL form (RFC 2255)

• Additional capabilities
  – Objects specifically excluded
  – Objects specifically included in the group

• Web management interface in eDirectory 8.7
  – Available only via LDAP in eDirectory 8.6.1


Dynamic Groups—Schema

ObjectClasses
• dynamicGroup—Structural class for dynamic group
• dynamicGroupAux—Auxiliary class

Attributes
• memberQueryURL—The search query in URL form
• excludedMember—Objects specifically excluded
• uniqueMember—Objects specifically included in the group
  – Reading the “uniqueMember” (or “member”) attribute returns the specifically included objects as well as the objects which satisfy the query


Dynamic Groups—Compatibility

Static groups may be converted to dynamic groups

• Add dynamicGroupAux to the objectClass attribute

• Set a search query in memberQueryURL

For either static or dynamic groups, obtain a membership list by simply reading the “member” attribute

By default, the implicit search is limited to the local server


Dynamic Groups

The student registers for a course; because he becomes part of the dynamic group for the course, the student can now see the list of other students in the course automatically.

[Figure: Student → Course → dynamic course group]

memberQueryURL of the course group:
ldap:///ou=students,l=Denver,l=USA,o=OutdoorAdv??sub?(&(objectclass=aspenStudent)(aspenRegisteredSections=cn=EA-sec1,ou=sections,l=Denver,l=USA,o=OutdoorAdv))
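As an added example (not from the deck and not Novell code), the Python below models, on the client side, what the server does for the two features just described: it evaluates an RFC 2254 filter with the “:dn” extensible flag against a copy of the slide’s tree, and it computes a dynamicGroup’s membership from its memberQueryURL with uniqueMember and excludedMember applied. The entries are constructed (Hilda’s placement under ou=finance is a guess; the other four DNs are from the slides), the group cn=salesDE,o=germany is hypothetical, and the filter puts “:dn” on organizationalRole too, because in this tree the role is a component of the users’ DNs rather than an attribute of the user entry.

```python
"""Client-side model of two eDirectory 8.7 features from this deck: extensibleMatch on
DN components (attr:dn:=value, RFC 2254) and dynamic-group membership from a
memberQueryURL (RFC 2255).  Added example, not Novell code: the server does this
evaluation; here it runs over constructed entries so the behaviour can be seen offline."""
import re

def parse_dn(dn):
    """DN -> [(attr, value)] per RDN, honouring '\\,' escapes (no multi-valued RDNs)."""
    return [(a.strip().lower(), v.replace("\\,", ",").strip())
            for a, _, v in (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn))]

def parse_filter(text):
    """RFC 2254 subset: &, |, attr=value and attr[:dn][:rule]:=value (no ')' in values)."""
    def item(i):
        assert text[i] == "(", "filter item must start with '('"
        i += 1
        if text[i] in "&|":
            op, parts, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = item(i)
                parts.append(node)
            return (op, parts), i + 1                     # skip the closing ')'
        end = text.index(")", i)
        lhs, _, value = text[i:end].partition("=")
        if lhs.endswith(":"):                             # "ou:dn:" -> attr "ou", flags ["dn"]
            attr, *flags = lhs[:-1].split(":")
            return ("ext", attr.lower(), "dn" in flags, value), end + 1
        return ("eq", lhs.lower(), value), end + 1
    node, i = item(0)
    assert i == len(text), "trailing characters in filter"
    return node

def matches(node, entry):
    """Evaluate a parsed filter against {'dn': str, <attr lower-case>: [values]}, case-insensitively."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [matches(n, entry) for n in node[1]]
        return all(results) if kind == "&" else any(results)
    _, attr, *rest = node
    value = rest[-1].lower()
    if value in [v.lower() for v in entry.get(attr, [])]:
        return True
    # ':dn:' also matches the entry's own DN components: that is what finds objects at any depth.
    if kind == "ext" and rest[0]:
        return (attr, value) in [(a, v.lower()) for a, v in parse_dn(entry["dn"])]
    return False

def parse_ldap_url(url):
    """RFC 2255 ldap://host/base?attrs?scope?filter -> (base, attrs, scope, filter)."""
    assert url.lower().startswith("ldap://"), "not an LDAP URL"
    _host, _, rest = url[7:].partition("/")
    base, attrs, scope, flt = (rest.split("?", 3) + [""] * 3)[:4]
    return base.strip(), [a for a in attrs.split(",") if a], (scope or "base").lower(), flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """base = the entry itself, one = its immediate children, sub = the whole subtree."""
    target = [(a, v.lower()) for a, v in parse_dn(dn)]
    root = [(a, v.lower()) for a, v in parse_dn(base)] if base else []
    depth = len(target) - len(root)
    if depth < 0 or (root and target[-len(root):] != root):
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(flt, base="", scope="sub", entries=None):
    """DNs of entries under 'base' (within 'scope') that satisfy the filter."""
    node = parse_filter(flt)
    return [e["dn"] for e in (TREE if entries is None else entries)
            if in_scope(e["dn"], base, scope) and matches(node, e)]

def dynamic_members(group, entries):
    """uniqueMember/member as read from a dynamicGroup: query hits plus explicit uniqueMember,
    minus excludedMember.  (A real server limits the implicit search to its own replicas.)"""
    base, _attrs, scope, flt = parse_ldap_url(group["memberqueryurl"])
    hits = set(search(flt, base, scope, entries)) | set(group.get("uniquemember", []))
    return sorted(hits - set(group.get("excludedmember", [])))

# Constructed entries mirroring the deck's tree (Hilda under ou=finance is an assumption).
TREE = [{"dn": dn, "objectclass": ["user"]} for dn in (
    "cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa",
    "cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany",
    "cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany",
    "cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany",
    "cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england")]

# One filter replaces both multi-step client procedures on the slides.
ADMIN_ASSISTANTS_IN_SALES = "(&(objectClass=user)(ou:dn:=sales)(organizationalRole:dn:=adminAssistant))"

# Hypothetical dynamic group: German sales staff, with Sam excluded and Hilda added by hand.
SALES_DE_GROUP = {
    "dn": "cn=salesDE,o=germany",
    "objectclass": ["group", "dynamicGroupAux"],
    "memberqueryurl": "ldap:///o=germany??sub?(&(objectClass=user)(ou:dn:=sales))",
    "uniquemember": ["cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany"],
    "excludedmember": ["cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany"],
}

if __name__ == "__main__":
    print(search(ADMIN_ASSISTANTS_IN_SALES))        # Terry, Sam, Alice, Bill
    print(dynamic_members(SALES_DE_GROUP, TREE))    # Alice, Hilda
```

The same filter string goes to a real eDirectory 8.7 server unchanged; the model is only there to show why the per-country base searches of Possibility Two miss Bill (scope one from ou=sales,o=england sees no users, scope sub from the guessed adminAssistant base sees none either) while the single “:dn” filter finds all four.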


eDirectory Events

Automate and monitor


Applications of eDirectory Events

What can I do with eDirectory Events?• eDirectory monitoring• Auditing• Automation of infrastructure changes • Automated business logic

All of these things can be done with eDirectory—they don’t exist in the same form on other directory products


Selectively Monitor eDirectory Events

eDirectory defines several directory-related events, including
• Operations on individual entries and their attributes
• Partition and replica operations

These events can be used for
• Debugging
• Auditing
• Management

Access to each event is controlled by rights checking
• If the user does not have the required privileges the request will fail, or
• No event will be sent


LDAP Persistent Search

Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server

• Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter

• The connection to the server remains open until the search is abandoned

• Persistent search is supported by multiple directories


eDirectory Events Extension

Novell extension allowing an LDAP client to be notified of the occurrence of various events on an eDirectory server

• Utilizes the LDAPv3 extended operation extension mechanism

• It also uses an intermediate response PDU* as described in the IETF draft– draft-rharrison-ldap-intermediate-resp-00.txt

• Available on all platforms supported by Novell eDirectory 8.7

• This is Novell-specific and not standard LDAP

*Protocol Data Unit


Using eDirectory Events

Student registers for a course; a persistent search updates the instructor’s class list automatically


Transport Layer Security

Securing eDirectory access


Transport Layer Security (TLS)

TLS 1.0 provides privacy and data integrity between the LDAP client and the LDAP server

TLS ensures that
• The connection is private
• The connection is reliable
• Identities can be authenticated using asymmetric (public key) cryptography
• Negotiation of a shared secret is secure (no man in the middle can obtain it)
• The negotiation is reliable (tampering by an attacker is detected)

TLS = SSL: TLS 1.0 (RFC 2246) is the IETF standardization of SSL 3.0, and this deck uses the two names interchangeably


Selectable Channel Encryption

I’m connected to the directory on the clear-text port, and I want to access my credit card information. What do I do?

I can drop my connection, re-authenticate to the SSL port, and get the data

OR

I can send the StartTLS extended request on the existing connection and, once the server has answered it and the TLS handshake has completed, send the query to read my credit card
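Added example (not from the deck, not Novell code): the two LDAPv3 wire items this section and the Persistent Search slide describe, BER-encoded by hand so the structure is visible. The OIDs are the registered ones (the Netscape persistent search and entry change notification controls, and the StartTLS extended operation from RFC 2830); the message ID, change-type flags and the sample EntryChangeNotification are constructed, and the decoder only handles the short-form lengths these small values use.

```python
"""Hand-built BER for two LDAPv3 wire items this deck mentions: the Persistent Search
request control (draft-ietf-ldapext-psearch, Netscape OIDs) and the StartTLS extended
request (RFC 2830).  Added example, not Novell code; OIDs are the registered values,
message ID and flag values are a constructed sample."""

PSEARCH_OID = "2.16.840.1.113730.3.4.3"        # PersistentSearch request control
ENTRY_CHANGE_OID = "2.16.840.1.113730.3.4.7"   # EntryChangeNotification, returned per hit
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"        # StartTLS extended operation
CHANGE_ADD, CHANGE_DELETE, CHANGE_MODIFY, CHANGE_MODDN = 1, 2, 4, 8

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value for a single-byte tag."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_integer(n: int) -> bytes:
    """INTEGER (0x02), minimal two's-complement encoding."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def ber_boolean(b: bool) -> bytes:
    """BOOLEAN (0x01); LDAP encodes TRUE as 0xFF."""
    return tlv(0x01, b"\xff" if b else b"\x00")

def persistent_search_value(change_types=0xF, changes_only=True, return_ecs=True) -> bytes:
    """PersistentSearch ::= SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }.
    returnECs asks for an EntryChangeNotification control on every result so the client
    learns whether the entry was added, deleted, modified or renamed."""
    return tlv(0x30, ber_integer(change_types) + ber_boolean(changes_only) + ber_boolean(return_ecs))

def control(oid: str, value: bytes, critical=True) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  Critical means a server without persistent
    search support must refuse the search instead of silently running it once."""
    body = tlv(0x04, oid.encode("ascii"))
    if critical:
        body += ber_boolean(True)
    return tlv(0x30, body + tlv(0x04, value))

def starttls_request(message_id=1) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest },
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID } (tag 0x77).
    No requestValue: after the server's success ExtendedResponse the next bytes on the
    socket are the TLS ClientHello and the LDAP session continues inside TLS."""
    request_name = tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] context-specific, primitive
    return tlv(0x30, ber_integer(message_id) + tlv(0x77, request_name))

def decode_entry_change(value: bytes) -> dict:
    """EntryChangeNotification ::= SEQUENCE { changeType ENUMERATED, previousDN LDAPDN
    OPTIONAL (modDN only), changeNumber INTEGER OPTIONAL }.  Short-form lengths only."""
    assert value[0] == 0x30 and value[1] < 0x80, "expected a short SEQUENCE"
    pos, end, out = 2, 2 + value[1], {}
    names = {CHANGE_ADD: "add", CHANGE_DELETE: "delete", CHANGE_MODIFY: "modify", CHANGE_MODDN: "modDN"}
    while pos < end:
        tag, length = value[pos], value[pos + 1]
        body, pos = value[pos + 2:pos + 2 + length], pos + 2 + length
        if tag == 0x0A:
            out["changeType"] = names[int.from_bytes(body, "big")]
        elif tag == 0x04:
            out["previousDN"] = body.decode("utf-8")
        elif tag == 0x02:
            out["changeNumber"] = int.from_bytes(body, "big", signed=True)
    return out

if __name__ == "__main__":
    print(persistent_search_value().hex())
    print(control(PSEARCH_OID, persistent_search_value()).hex())
    print(starttls_request().hex())
```

The persistent search control travels in the controls field of an ordinary SearchRequest; the server answers the initial search as usual, then keeps the message ID open and sends a further SearchResultEntry for every later change that matches, which is why the slide says the connection stays open until the search is abandoned. Criticality is the practical check: set it, and a server that does not implement the control returns unavailableCriticalExtension rather than a one-shot result the client would mistake for a subscription.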


Connecting with TLS

• The eDirectory LDAP server can now be configured to use the following TLS handshakes
  • Require client certificate
  • Request client certificate
  • Server certificate only
• This configuration is done through iManager


Ending TLS on a Connection

Client or server sends a TLS end notification
• Connection reverts to anonymous (“Who are you, anyway?”): any identity established over the TLS session is gone, and the client must bind again before doing anything that needs rights


Configurable Transport Security

Instructor connects with clear text. Start TLS: the instructor changes to a secure connection to see the student information.


New LDAP Authentication Methods


Multiple Authentication Mechanisms (SASL)

[Figure: students authenticate to eDirectory over LDAP with SASL EXTERNAL, DIGEST-MD5 or NMAS_LOGIN; a student registers a thumbprint; eDirectory replication; students can modify their own profiles.]


SASL EXTERNAL

TLS handshake establishes client identity by means of certificate-based client authentication

• LDAP SASL EXTERNAL uses that identity for the user connection


SASL DIGEST-MD5

Allows the password to be proven over a clear-text connection without sending it: the client sends a digest computed from the password and the server’s challenge

Requires that the server maintain a clear-text copy of the password in the NMAS encrypted store, so that the server can hash it using data provided in the bind and compare the result to the hashed password contained in the bind. That stored copy (or the H(username:realm:password) value a server may keep instead) is password-equivalent: whoever obtains it can complete a bind, so protecting the store matters as much as protecting the wire. DIGEST-MD5 was later moved to Historic status by RFC 6331.

[Figure: SASL bind packet carrying the digest (hashed password) rather than the password itself]
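To make the point above concrete, here is an added example (not NMAS code, not from the deck) of the RFC 2831 computation behind a DIGEST-MD5 LDAP bind: what the client puts in its second BindRequest, and what the server needs in order to check it. The user name alice, the realm eDirectory, the digest-uri ldap/ldap.example.org and all nonces are constructed values; the formulas follow RFC 2831 for qop=auth without an authorization identity.

```python
"""RFC 2831 DIGEST-MD5 as used by an LDAP SASL bind, written to show what crosses the
wire and what the server must hold to verify it.  Added example, not NMAS code; the
realm, nonces, user and digest-uri below are constructed."""
import hashlib
import hmac
import os

def _hex_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def user_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password), the only password-derived input to the exchange.
    A server may store this 16-byte value instead of the clear-text password, but
    anyone holding it can complete a bind, so it is password-equivalent either way."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """response-value = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with
    A1 = { H(user:realm:pass), ":", nonce, ":", cnonce } and A2 = "AUTHENTICATE:" digest-uri
    (qop=auth, no authzid).  Only 'secret' is needed here, never the password itself."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    return _hex_md5(f"{_hex_md5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_md5(a2)}".encode("utf-8"))

def server_challenge(realm: str) -> dict:
    """First server SASL credentials: realm, a fresh nonce and the offered qop."""
    return {"realm": realm, "nonce": os.urandom(16).hex(), "qop": "auth", "algorithm": "md5-sess"}

def client_bind_response(username, password, challenge, digest_uri, cnonce=None, nc="00000001"):
    """Second BindRequest's SASL credentials: everything a sniffer on the clear-text port
    sees.  The password is hashed client-side and never leaves the client."""
    cnonce = cnonce or os.urandom(8).hex()
    secret = user_secret(username, challenge["realm"], password)
    response = digest_md5_response(secret, challenge["nonce"], cnonce, nc, challenge["qop"], digest_uri)
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "cnonce": cnonce, "nc": nc, "qop": challenge["qop"], "digest-uri": digest_uri,
            "response": response}

def server_verify(stored_secret: bytes, challenge: dict, fields: dict) -> bool:
    """Server side: refuse replies to a nonce or realm it did not issue (replay), then
    recompute the response from the stored secret and compare in constant time."""
    if fields["nonce"] != challenge["nonce"] or fields["realm"] != challenge["realm"]:
        return False
    expected = digest_md5_response(stored_secret, fields["nonce"], fields["cnonce"],
                                   fields["nc"], fields["qop"], fields["digest-uri"])
    return hmac.compare_digest(expected, fields["response"])

if __name__ == "__main__":
    chal = server_challenge("eDirectory")                       # realm name is an assumption
    reply = client_bind_response("alice", "correct horse", chal, "ldap/ldap.example.org")
    print(reply)                                                # the password is not in here
    print(server_verify(user_secret("alice", "eDirectory", "correct horse"), chal, reply))
```

Two things follow from the code. The verifier calls user_secret on the server side, so the server needs either the clear-text password or that exact MD5 value, which is the design trade-off the slide describes (a store of password-equivalent secrets, as opposed to a salted one-way hash that a simple bind over TLS could use). And because qop=auth only authenticates the bind, everything after it on the clear-text port is still readable; DIGEST-MD5 does not replace TLS for the data.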


SASL NMAS_LOGIN

Full functionality of Novell Modular Authentication Services (NMAS™) applied to LDAP binds
• Login policy maintained by the server
• Provides for multiple levels of authentication and identification: fingerprint, smart card, certificate, biometric


Web Services & Novell eDirectory 8.7

SOAP Access to eDirectory


DSML Connector

[Figure: DSML connector architecture. A Web server hosts a J2EE container running a DSML/SOAP servlet; the servlet uses the Java LDAP API (reader and writer) to speak LDAP to eDirectory; on the client side DSML over SOAP, with a DSML URL addressing the service and WSDL/UDDI for description and discovery.]


Clientless install (Windows only)

This provides the ability to install eDirectory on a Windows NT or 2000 server without the Novell Client.


Novell iMonitor 2.1

This new version of iMonitor provides:
• SSL support on all platforms
• Object statistics reports
• Enhanced obituary processing reports
• Server advertising reports
• Enhanced tracing functions
• Event monitoring and statistics


Novell iManager 2.0

This utility provides a single Web-based management console for the administration of Novell products on NetWare 6.5 & NNLS
• iManager standardizes all Novell Web-based administration utilities into a single management framework
• Provides an architecture for easy development of Web-based administration and management modules through open standard application interfaces
• Uses Roles to delegate eDirectory administration, management, and services tasks


Novell iManager 2.0

Novell iManager consists of two pieces:
• eDirectory Management Framework (eMFrame)
• eDirectory Management Toolbox (eMBox)

eMBox is the server-side piece that works with iManager to access functionality in various eDirectory utilities. Other utilities:
• DSRepair
• DSMerge
• Backup and Restore
• LDAP
• WAN Manager
• Novell Import Convert Export utility


Universal Password

In the past, administrators have had to manage multiple passwords (simple password, NDS RSA passwords) because of password limitations. Administrators have also had to deal with keeping the passwords synchronized. Universal Password addresses these problems by creating a single password that can be used by all protocols to authenticate users.


UTF8 Encoded

In addition, all Novell utilities are now UTF8 encoded. When a password is reset by a user or an administrator, the Secure Password Manager (SPM), an NMAS component, takes the Unicode password, converts it to a Universal Password (UTF8-encoded) and resets the NDS password.


Backup and Restore

eDirectory 8.7 introduced a new focus for backup and restore, called "hot continuous backup"

With the new Backup eMTool, you back up the eDirectory database for each server individually, and you can do it while eDirectory is running


Novell eGuide 2.11

eGuide provides a Web-based GUI for searching, viewing, and editing information stored in Novell eDirectory and other directory data sources

Because eGuide is highly customizable for any type of environment, administrators can configure it to their own specifications
