eDirectory Update with 8.7.1
Gary J Porter, MindWorks, Inc.
gporter@mindworks-inc.com

Transcript of the slide deck (42 pages).

Page 1

eDirectory Update with 8.7.1
Gary J Porter, MindWorks, Inc., gporter@mindworks-inc.com

Page 2

© April 21, 2023 Novell Inc, Confidential & Proprietary.

Contents

• Things you should know from 8.7
• Extensible Match
• Dynamic Groups
• New Event Triggers
• Persistent Search
• TLS
• New Authentication Methods
• SOAP Access
• Universal Password
• & much more…

Page 3

Extensible Match

Extensible Match defined in LDAP v3
• Support multiple matching rules for the same types of data
  – Can implement new rules, e.g., “sounds like”
• Include DN elements in the search criteria
  – The DN specification allows matching on specific elements of the DN of an object

cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa

Page 4

Task: Find All Admin Assistants in All the Sales Groups of this Company

[Figure: directory tree. Root holds USA, England and Germany; each has a Sales container (England's Sales is split into East and West), and there are also Manufacturing, Finance and Engineering containers. Admin assistant roles hold Terry, Alice, Sam, Hilda and Bill.]

Page 5

Possibility One

1. Search for all admin assistant containers in the tree

C:>ldapsearch … (organizationalRole=adminAssistant)
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches

2. In the client, evaluate each DN to see if it is subordinate to a sales container

Page 6

Possibility One (cont.)

3. Using each admin assistant container as a base, do a subtree search for users in that container

C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches

C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches

C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=west,ou=sales,o=england" (objectClass=user)
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
1 matches

Page 7

Possibility Two

1. Search for all sales containers in the tree

C:>ldapsearch … (ou=sales)
ou=sales,o=usa
ou=sales,o=germany
ou=sales,o=england
3 matches

2. Using each sales container as a base, do a subtree search for users in the admin assistant container

C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches

C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches

C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=england" (objectClass=user)
0 matches

What’s wrong? This search assumes everything is at the same level!

Page 8

In eDirectory 8.7...

1. Use extensibleMatch

C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches

Extensible filter grammar (RFC 2254):
extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" matchingrule ":=" value
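To make the ":dn" semantics concrete, here is an added Python model (not part of the deck) of the filter on this slide. It evaluates the deck's filter against a constructed copy of the tree from pages 4 to 8; the entry set, its attribute values and the small evaluator are assumptions made for the example, and each admin assistant is given organizationalRole=adminAssistant as an attribute so that the deck's filter selects the user entries as shown.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample directory modelled on the deck's tree (pages 4 to 8).
# Each admin assistant carries organizationalRole=adminAssistant as an
# attribute so that the deck's filter selects the user entries as shown.
ADMIN = {"objectClass": "user", "organizationalRole": "adminAssistant"}
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa": ADMIN,
    "cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany": ADMIN,
    "cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany": ADMIN,
    "cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england": ADMIN,
    "cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany": ADMIN,
    "ou=sales,o=usa": {"objectClass": "organizationalUnit", "ou": "sales"},
    "ou=west,ou=sales,o=england": {"objectClass": "organizationalUnit", "ou": "west"},
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into lower-cased (type, value) pairs. Assumes no escaped
    commas or multi-valued RDNs, which holds for the deck's sample DNs."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (rdn.partition("=") for rdn in dn.split(","))]

def parse_filter(text: str):
    """Parse the RFC 2254 subset the slide uses: (&...), (attr=value) and
    the extensible DN form (attr:dn:=value)."""
    body = text.strip()[1:-1]
    if body.startswith("&"):
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":          # one complete sub-filter
                parts.append(parse_filter(body[start:i + 1]))
                start = i + 1
        return ("&", parts)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(:dn:)?=(.*)", body)
    if not m:
        raise ValueError("unsupported filter item: " + text)
    return ("dn" if m.group(2) else "eq", m.group(1).lower(), m.group(3).lower())

def evaluate(node, dn: str, entry: Dict[str, str]) -> bool:
    if node[0] == "&":
        return all(evaluate(n, dn, entry) for n in node[1])
    op, attr, value = node
    if op == "dn":
        # The ':dn' flag matches the assertion against every RDN of the
        # entry's DN (caseIgnoreMatch), so nesting below ou=sales is fine.
        return (attr, value) in parse_dn(dn)
    attrs = {k.lower(): v.lower() for k, v in entry.items()}
    return attrs.get(attr) == value

def search(filter_text: str, directory=DIRECTORY) -> List[str]:
    """Sorted DNs of the entries that satisfy filter_text."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, e in directory.items() if evaluate(node, dn, e))

DECK_FILTER = "(&(ou:dn:=Sales)(organizationalRole=adminAssistant))"
```

search("(ou=sales)") returns only the ou=sales,o=usa container (the one-level assumption that broke Possibility Two), while search(DECK_FILTER) returns the four assistants, including Bill under ou=west, and leaves Hilda in finance out.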

Page 9

eDirectory Support for extensibleMatch

• eDirectory 8.7 and 8.7.1 support extensibleMatch for matching on DN values
• eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and ignores them
  – Versions of eDirectory prior to 8.7 would return a protocol error if an extensibleMatch term was specified in a search filter
• Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object using the standard matchingRules and matchingRuleUse schema attributes

Page 10

Dynamic Groups

Creating communities while reducing administrative overhead

Page 11

Dynamic Groups

eDirectory 8.6.1 and 8.7 allow you to determine group membership dynamically
• Membership determined by use of a search filter
  – Search filter is in URL form (RFC 2255)
• Additional capabilities
  – Objects specifically excluded
  – Objects specifically included in the group
• Web management interface in eDirectory 8.7
  – Available only via LDAP in eDirectory 8.6.1

Page 12

Dynamic Groups—Schema

Object classes
• dynamicGroup—Structural class for dynamic group
• dynamicGroupAux—Auxiliary class

Attributes
• memberQueryURL—The search query in URL form
• excludedMember—Objects specifically excluded
• uniqueMember—Objects specifically included in the group
  – Reading the “uniqueMember” (or “member”) attribute returns the specifically included objects as well as the objects which satisfy the query

Page 13

Dynamic Groups—Compatibility

Static groups may be converted to dynamic groups

• Add dynamicGroupAux to the objectClass attribute

• Set a search query in memberQueryURL

For either static or dynamic groups, obtain a membership list by simply reading the “member” attribute

By default, the implicit search is limited to the local server

Page 14

Dynamic Groups

[Figure: a Student registers for a Course and thereby joins the Dynamic Course Group]

The student registers for a course. The student can now see the list of other students in the course automatically, because he becomes part of the dynamic group for the course.

ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?(&(objectclass=aspenStudent)(aspenRegisteredSections=cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv))
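As an added example (not part of the deck), the Python below models the membership rule from pages 12 and 13 around the memberQueryURL shown on this slide: it parses the RFC 2255 URL, applies the search scope, and composes the query matches with uniqueMember and excludedMember. The student entries, the tutor and dropout DNs, and the registered_for_section predicate that stands in for the server's filter evaluation are all constructed for the example.

```python
from typing import Callable, Dict, List
from urllib.parse import unquote

def parse_ldap_url(url: str) -> Dict[str, str]:
    """Parse an RFC 2255 URL, ldap://host/dn?attributes?scope?filter, into
    its parts; missing parts take the RFC defaults (scope base, filter
    (objectClass=*)), so a bare ldap:///dn is a one-entry query."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() != "ldap":
        raise ValueError("memberQueryURL must be an ldap:// URL")
    host, _, rest = rest.partition("/")
    dn, attrs, scope, filt = (unquote(p) for p in (rest.split("?", 3) + [""] * 3)[:4])
    return {"host": host, "base": dn, "attrs": [a for a in attrs.split(",") if a],
            "scope": (scope or "base").lower(), "filter": filt or "(objectClass=*)"}

def norm_dn(dn: str) -> List[str]:
    """Lower-cased RDN list; tolerates the spaces after commas in the slide's URL."""
    return [c.strip().lower() for c in dn.split(",")]

def in_scope(dn: str, base: str, scope: str) -> bool:
    d, b = norm_dn(dn), norm_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def dynamic_members(group: Dict, directory: Dict[str, Dict],
                    matches: Callable[[Dict, str], bool]) -> List[str]:
    """Effective membership as pages 12 and 13 describe: entries satisfying
    the memberQueryURL query, plus uniqueMember, minus excludedMember.
    matches(entry, filter) stands in for the server's filter evaluation."""
    url = parse_ldap_url(group["memberQueryURL"])
    found = {dn for dn, e in directory.items()
             if in_scope(dn, url["base"], url["scope"]) and matches(e, url["filter"])}
    found |= set(group.get("uniqueMember", []))
    found -= set(group.get("excludedMember", []))
    return sorted(found)

# Constructed data modelled on the course example on page 14.
SECTION = "cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv"
COURSE_GROUP = {
    "objectClass": ["groupOfUniqueNames", "dynamicGroupAux"],
    "memberQueryURL": ("ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?"
                       "(&(objectclass=aspenStudent)(aspenRegisteredSections=" + SECTION + "))"),
    "uniqueMember": ["cn=tutor,ou=staff,l=Denver,l=USA,o=OutdoorAdv"],
    "excludedMember": ["cn=dropout,ou=students,l=Denver,l=USA,o=OutdoorAdv"],
}
STUDENT = {"objectclass": "aspenStudent", "aspenRegisteredSections": [SECTION]}
DIRECTORY = {
    "cn=alice,ou=students,l=Denver,l=USA,o=OutdoorAdv": STUDENT,
    "cn=dropout,ou=students,l=Denver,l=USA,o=OutdoorAdv": STUDENT,
    "cn=carol,ou=students,l=Boulder,l=USA,o=OutdoorAdv": STUDENT,   # outside the base
    "cn=bob,ou=students,l=Denver,l=USA,o=OutdoorAdv": {"objectclass": "aspenStudent"},
}

def registered_for_section(entry: Dict, filt: str) -> bool:
    """Constructed stand-in for server-side evaluation of the deck's filter."""
    return (entry.get("objectclass") == "aspenStudent"
            and SECTION in entry.get("aspenRegisteredSections", []))
```

dynamic_members(COURSE_GROUP, DIRECTORY, registered_for_section) yields alice (matched by the query) and the tutor (uniqueMember) but not dropout (excludedMember), carol (outside the base) or bob (not registered); note that page 13 says the implicit search is limited to the local server by default, which the model does not represent.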

Page 15

eDirectory Events

Automate and monitor

Page 16

Applications of eDirectory Events

What can I do with eDirectory Events?
• eDirectory monitoring
• Auditing
• Automation of infrastructure changes
• Automated business logic

All of these things can be done with eDirectory—they don’t exist in the same form on other directory products

Page 17

Selectively Monitor eDirectory Events

eDirectory defines several directory-related events, including
• Operations on individual entries and their attributes
• Partition and replica operations

These events can be used for
• Debugging
• Auditing
• Management

Access to each event is controlled by rights checking
• If the user does not have the required privileges, the request will fail, or
• No event will be sent

Page 18

LDAP Persistent Search

Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server

• Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter

• The connection to the server remains open until the search is abandoned

• Persistent search is supported by multiple directories
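Persistent search is requested by attaching a control to an ordinary SearchRequest, and a defender reviewing a capture of a long-lived LDAP connection needs to recognise it. As an added example, not from the deck, the Python below encodes and decodes that control as specified in the IETF draft the mechanism comes from (draft-ietf-ldapext-psearch); the OIDs and change-type bit values are the draft's, the BER helpers are the example's own.

```python
from typing import Dict, List, Tuple

PSEARCH_OID = "2.16.840.1.113730.3.4.3"       # PersistentSearch request control
ENTRY_CHANGE_OID = "2.16.840.1.113730.3.4.7"  # EntryChangeNotification, returned per entry
CHANGE_TYPES = {"add": 1, "delete": 2, "modify": 4, "modDN": 8}

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, 0x8N plus N bytes otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:                 # non-negative INTEGER, sign bit kept clear
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def ber_bool(v: bool) -> bytes:
    return tlv(0x01, b"\xff" if v else b"\x00")

def psearch_control(types: List[str], changes_only: bool, return_ecs: bool,
                    critical: bool = True) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality, controlValue } whose
    value is PersistentSearch ::= SEQUENCE { changeTypes INTEGER,
    changesOnly BOOLEAN, returnECs BOOLEAN }. changesOnly=False also returns
    the entries that match at the start, like a normal search."""
    mask = sum(CHANGE_TYPES[t] for t in types)
    value = tlv(0x30, ber_int(mask) + ber_bool(changes_only) + ber_bool(return_ecs))
    return tlv(0x30, tlv(0x04, PSEARCH_OID.encode()) + ber_bool(critical) + tlv(0x04, value))

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """(tag, value, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def decode_psearch_control(raw: bytes) -> Dict:
    """Inverse of psearch_control (expects the criticality element present)."""
    tag, ctl, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    _, oid, pos = read_tlv(ctl)
    _, crit, pos = read_tlv(ctl, pos)
    _, val, _ = read_tlv(ctl, pos)
    _, ps, _ = read_tlv(val)
    _, mask, pos = read_tlv(ps)
    _, only, pos = read_tlv(ps, pos)
    _, ecs, _ = read_tlv(ps, pos)
    m = int.from_bytes(mask, "big")
    return {"oid": oid.decode(), "critical": crit != b"\x00",
            "changeTypes": [n for n, bit in CHANGE_TYPES.items() if m & bit],
            "changesOnly": only != b"\x00", "returnECs": ecs != b"\x00"}
```

A control requesting all four change types with changesOnly and returnECs set encodes to 43 bytes ending in 30 09 02 01 0f 01 01 ff 01 01 ff; the server then keeps the search open and tags each notification with the EntryChangeNotification control.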

Page 19

eDirectory Events Extension

Novell extension allowing an LDAP client to be notified of the occurrence of various events on an eDirectory server

• Utilizes the LDAPv3 extended operation extension mechanism

• It also uses an intermediate response PDU* as described in the IETF draft
  – draft-rharrison-ldap-intermediate-resp-00.txt

• Available on all platforms supported by Novell eDirectory 8.7

• This is Novell-specific and not standard LDAP

*Protocol Data Unit

Page 20

Using eDirectory Events

[Figure: a student registers for a course; Persistent Search updates the instructor’s class list automatically]

Page 21

Transport Layer Security

Securing eDirectory access

Page 22

Transport Layer Security (TLS)

TLS 1.0 provides privacy and data integrity between the LDAP client and the LDAP server

TLS ensures that
• The connection is private
• The connection is reliable
• Identities can be authenticated using asymmetric or public key cryptography
• Negotiation of a shared secret is secure (no middle man)
• The negotiation is reliable (attackers detected)

TLS = SSL

Page 23

Selectable Channel Encryption

I’m connected to the directory on the clear-text port, and I want to access my credit card information. What do I do?

I can drop my connection, re-authenticate to the SSL port, and get the data

OR

I can send the StartTLS extended request along with the query to read my credit card

Page 24

Connecting with TLS

• eDirectory LDAP server can now be configured to use the following TLS handshakes
  – Require client certificate
  – Request client certificate
  – Server certificate only
• This configuration is done through iManager

Page 25

Ending TLS on a Connection

Client or server sends a TLS end notification

• Connection reverts to anonymous

Who are you, anyway?

Page 26

Configurable Transport Security

[Figure: the instructor connects with clear text; after Start TLS the instructor changes to a secure connection to see the student information]

Page 27

New LDAP Authentication Methods

Page 28

Multiple Authentication Mechanisms (SASL)

[Figure: students authenticate with SASL (EXTERNAL, DIGEST-MD5, NMAS_LOGIN); a student registers a thumbprint; eDirectory replication; students can modify their own profiles]

Page 29

SASL EXTERNAL

TLS handshake establishes client identity by means of certificate-based client authentication

• LDAP SASL EXTERNAL uses that identity for the user connection

Page 30

SASL DIGEST-MD5

Allows the password to be sent securely over a clear-text connection

Requires that the server maintain a clear-text copy of the password in the NMAS encrypted store; that copy can be hashed using data provided in the bind and then compared to the hashed password contained in the bind

[Figure: simple bind packet with hashed password]
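To show what "hashed using data provided in the bind" means on this slide, here is an added Python walk-through (not from the deck) of the RFC 2831 DIGEST-MD5 exchange: server challenge, client response and server verification. The realm, user and digest-uri values are constructed; the server side holds the clear-text password, as the slide says the NMAS store does.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()                         # H() in RFC 2831 is MD5

def _kd(k: str, s: str) -> str:
    return hashlib.md5(f"{k}:{s}".encode()).hexdigest()       # KD(k, s) = H(k ":" s)

def _ha1_hex(user: str, realm: str, password: str, nonce: str, cnonce: str) -> str:
    # The inner H(user:realm:password) is fed in as raw 16 bytes, not as hex;
    # this is where DIGEST-MD5 differs from HTTP Digest (RFC 2617).
    inner = _h(f"{user}:{realm}:{password}".encode())
    return _h(inner + f":{nonce}:{cnonce}".encode()).hex()

def digest_md5(user: str, realm: str, password: str, nonce: str, cnonce: str,
               nc: str, qop: str, digest_uri: str, server: bool = False) -> str:
    """response-value (client) or rspauth (server) per RFC 2831 section 2.1.2.1."""
    a2 = ("" if server else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    return _kd(_ha1_hex(user, realm, password, nonce, cnonce),
               f"{nonce}:{nc}:{cnonce}:{qop}:{_h(a2.encode()).hex()}")

def server_challenge(realm: str) -> Dict[str, str]:
    """First message (server to client): a fresh nonce; constructed values."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth",
            "algorithm": "md5-sess"}

def client_response(ch: Dict[str, str], user: str, password: str,
                    digest_uri: str) -> Dict[str, str]:
    """Second message: the password itself never leaves the client."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    return {"username": user, "realm": ch["realm"], "nonce": ch["nonce"],
            "cnonce": cnonce, "nc": nc, "qop": ch["qop"], "digest-uri": digest_uri,
            "response": digest_md5(user, ch["realm"], password, ch["nonce"],
                                   cnonce, nc, ch["qop"], digest_uri)}

def server_verify(msg: Dict[str, str], stored_password: str) -> Optional[Dict[str, str]]:
    """Third step: the server recomputes the digest from the clear-text password
    it holds (the NMAS store on page 30) and, on a match, answers with rspauth.
    A server keeping only a salted one-way hash could not do this; RFC 2831
    allows storing H(user:realm:password) in place of the clear text."""
    args = (msg["username"], msg["realm"], stored_password, msg["nonce"],
            msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])
    if not hmac.compare_digest(digest_md5(*args), msg["response"]):
        return None
    return {"rspauth": digest_md5(*args, server=True)}
```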

Page 31

SASL NMAS_LOGIN

Full functionality of Novell Modular Authentication Services (NMAS™) applied to LDAP binds
• Login policy maintained by the server
• Provides for multiple levels of authentication and identification
  – Fingerprint, smart card, certificate, biometric

Page 32

Web Services & Novell eDirectory 8.7

SOAP Access to eDirectory

Page 33

DSML Connector

[Figure: DSML connector architecture. Components labelled J2EE Container, Web Server, DSML/SOAP Servlet, Java LDAP API, LDAP Reader/Writer and eDirectory, with SOAP, UDDI, DSML URL and DSML WSDL interfaces.]

Page 34

Clientless install

(Windows only)

This provides the ability to install eDirectory on a Windows NT or 2000 server without the Novell Client.

Page 35

Novell iMonitor 2.1

This new version of iMonitor provides:
• SSL support on all platforms
• Object statistics reports
• Enhanced obituary processing reports
• Server advertising reports
• Enhanced tracing functions
• Event monitoring and statistics

Page 36

Novell iManager 2.0

This utility provides a single Web-based management console for the administration of Novell products on NetWare 6.5 & NNLS
• iManager standardizes all Novell Web-based administration utilities into a single management framework
• Provides an architecture for easy development of Web-based administration and management modules through open standard application interfaces
• Uses Roles to delegate eDirectory administration, management, and services tasks

Page 37

Novell iManager 2.0

Novell iManager consists of two pieces:
• eDirectory Management Framework (eMFrame)
• eDirectory Management Toolbox (eMBox)

eMBox is the server-side piece that works with iManager to access functionality in various eDirectory utilities. Other utilities:
• DSRepair
• DSMerge
• Backup and Restore
• LDAP
• WAN Manager
• Novell Import Convert Export utility

Page 38

Universal Password

In the past, administrators have had to manage multiple passwords (simple password, NDS RSA passwords) because of password limitations. Administrators have also had to deal with keeping the passwords synchronized. Universal Password addressed these problems by creating a single password that can be used by all protocols to authenticate users.

Page 39

UTF8 Encoded

In addition, all Novell utilities are now UTF8 encoded. When a password is reset by a user or an administrator, the Secure Password Manager (SPM), an NMAS component, takes the Unicode password, converts it to a Universal Password (UTF8-encoded) and resets the NDS password.

Page 40

Backup and Restore

eDirectory 8.7 introduced a new focus for backup and restore, called "hot continuous backup"

With the new Backup eMTool, you back up the eDirectory database for each server individually, and you can do it while eDirectory is running

Page 41

Novell eGuide 2.11

eGuide provides a Web-based GUI for searching, viewing, and editing information stored in Novell eDirectory and other directory data sources

Because eGuide is highly customizable for any type of environment, administrators can configure it to their own specifications

Page 42