Got LDAP? Deploying the Lightweight Directory Access Protocol

Leif Hedstrom <[email protected]>
Netscape Communications Corp.

December 9, 1998. 12th Usenix LISA, 1998.

Agenda

• Brief introduction to LDAP
• Why use LDAP?
• Planning your deployment
• Architecture features
• Designing your Directory Information Tree
• Managing your LDAP system

Agenda (cont.)

• Selecting software
• Conclusions
• Resources and further reading

Background and history of LDAP

• Has its roots in X.500 (hence DAP)
• Developed initially at University of Michigan, and is now an IETF standard
• Accepted standard for Directory services, embraced by all the “big” players
• LDAP is a protocol, not a database
• Client-server based, ASN.1 encoding

LDAP Basics: Attributes

• Every entry consists of one or more attribute value pairs
• An attribute can have one of several types
  – e.g. BIN, TEL, CES
• Attributes can be single or multi value

  cn=Leif Hedstrom
  cn=The Swede
  mailHost=tintin.netscape.com

What is an Objectclass?

• Every entry must have at least one objectclass attribute
• Defines the database schema, specifying which attributes an entry can, and must, include
• Many standard classes available
• Extensible
• Structural, with inheritance

Example: Objectclass person

  attribute cn commonName 2.5.4.3 CIS
  attribute sn surName 2.5.4.4 CIS
  …

  objectclass person
    oid 2.5.6.6
    superior top
    requires sn, cn
    allows description, seeAlso, telephoneNumber, userPassword

Distinguished Name, DN

• The unique identifier for every entry
• Example

  uid=leif, ou=People, dc=Netscape, dc=com

• Forms the hierarchy in your data, each “node” is both an entry, and a potential branch point
• Relative DNs (RDN), e.g. uid=leif, must be unique within each subtree

Why use LDAP?

• Understand the reasons for your LDAP deployment
  – What problems are you solving?
  – What is the target audience?
  – Key applications and clients
• Don’t deploy LDAP without a good reason
• Make sure you have well defined and measurable goals

Example goals (@Netscape)

• Scalability and performance
• Reliable and robust
• Security
• Easy to maintain, extend and upgrade
• Provide our users with services they need
• Make system administration easier and more efficient (less manual work)

Preparing for your deployment

• Have a brilliant plan, but be flexible
• Analyze existing systems, procedures and resources
• Get other people involved, e.g.
  – HR
  – Legal
  – Network/Telco people
  – IS HelpDesk

Common problems

• Changing existing procedures is difficult
• Might require assigning new or different tasks to some people
• Make sure you have support from management
• Mmmm, politics...

Doing a pilot deployment

• Decide on a few applications to LDAP’ify
  – E.g. Phonebook
• Find volunteers to use your applications
• Run the deployment as if it were full scale
• Analyze the result, get feedback from users
• Modify and refine your deployment plan accordingly

DIT design

• Flat structure? Probably a good idea
• But, adapt to corporate and organizational needs, and be flexible

DIT design (cont.)

• Decisions, decisions, decisions...
  – Naming attributes (CN, UID … ?)
  – Replication points
  – Delegation and ACL issues
• Be prepared for changes
  – Organizational changes
  – Geographical changes
  – Changes in ownership and delegation

Data replication

• Replication for redundancy, performance and scalability
• Single master vs. Multi master
• Cascaded replication (single master)
  – Scalable replication
  – Efficient replication, to Europe for instance
  – Reduce load on the Master server

Cascaded replication (@Netscape)

(diagram)

Delegation and data ownership

• Move responsibility of maintenance close to the data source (or the owner)
  – Systems and applications
  – Users
  – Groups of users (e.g. managers)
• Reduce load on central resources
• Depends heavily on ACL mechanisms and groups
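As an added illustration (not from the talk) of the delegation described above, the following fragment expresses it in the ACI syntax used by 389 Directory Server, which descends from Netscape Directory Server. The suffix dc=Netscape,dc=com is the slide's; the attribute selection and the "Mail Admins" group are assumptions.

```ldif
# Added example: ACIs placed on the People container (not from the talk).
dn: ou=People,dc=Netscape,dc=com
# Users maintain their own contact data: write is limited to the listed
# attributes and to the user's own entry (userdn="ldap:///self").
aci: (targetattr="telephoneNumber || description")(version 3.0; acl "self-service contact data"; allow (write) userdn="ldap:///self";)
# The mail system's owners (an assumed group) maintain mailHost for every
# entry under ou=People, so the central admins need not.
aci: (targetattr="mailHost")(version 3.0; acl "mail admins own mailHost"; allow (write) groupdn="ldap:///cn=Mail Admins,ou=Groups,dc=Netscape,dc=com";)
# Authenticated users may read the phonebook attributes; no other rights
# are granted here, so userPassword stays unreadable.
aci: (targetattr="cn || sn || telephoneNumber || mailHost")(version 3.0; acl "phonebook read"; allow (read,search,compare) userdn="ldap:///all";)
```

Each `aci` value grants only the rights it names, so the effective permission for a user is the union of the ACIs that match; reviewing that union per group is the check worth scripting.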


LDAP integration

• Integration with existing applications
  – mail servers
  – Web servers (e.g. for authentication)
• Integration with existing databases
  – Replace legacy systems with LDAP
  – Synchronize when appropriate
  – Integrated solutions (e.g. ypldapd)
  – Meta Directories

Example: @Netscape

(diagram)

Efficient maintenance

• LDAP server plugins/extensions
  – Data consistency checks
  – Trigger updates and automatic processes
  – Proactive data maintenance!
• Automatic synchronization with other data
  – HR PeopleSoft -> LDAP
  – LDAP to NIS, Win/NT, DNS etc.
  – PBX, Badge system, Certificate server etc.

Efficient maintenance (cont.)

• Management tools used by users
  – Changing their password (Web UI)
  – Phonebook (a NS Gateway design)
• Specific Gateway used by IS HelpDesk
• Specific Gateway used by our Admins and other groups of users
• Custom tools developed for common tasks

Maintenance tools for Sysadmins

• SDKs available for most popular languages
  – Perl/PerLDAP
  – C
  – Java
• Some typical scripts
  – Adding/deleting users
  – Group management
  – Changing passwords

PerLDAP: Searching for an entry

  #!/usr/bin/perl5
  use Mozilla::LDAP::Conn;
  # setup global parameters (%ld, $base, $sc, $srch), using Getopt
  # …

  # connect and bind with the parameters in %ld
  $c = new Mozilla::LDAP::Conn(\%ld);
  die "Could not connect to the LDAP server\n" unless $c;

  # search $base with scope $sc and filter $srch, printing each hit as LDIF
  $entry = $c->search($base, $sc, $srch);
  while ($entry) {
    $entry->printLDIF();
    $entry = $c->nextEntry();
  }
  $c->close();

PerLDAP: Updating an entry

  #!/usr/bin/perl5
  use Mozilla::LDAP::Conn;
  # setup global parameters (%ld, $base, $sc, $srch, $host), using Getopt
  # …

  $c = new Mozilla::LDAP::Conn(\%ld);
  die "Could not connect to the LDAP server\n" unless $c;

  $entry = $c->search($base, $sc, $srch);
  while ($entry) {
    # replace the entry's mailhost value(s) with $host, then write it back
    $entry->{mailhost} = [$host];
    $c->update($entry);
    $entry = $c->nextEntry();
  }
  $c->close();

Monitoring

• Monitor via scripts, or perhaps SNMP
  – Perhaps using cn=monitor entry
• Try to detect data anomalies or inconsistencies (but be proactive)
• Make sure replication is working
• Performance monitoring
  – Are the servers responsive? High load?
  – Detect bad clients, or LDAP intensive clients
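As an added example (not from the talk), the following Python script applies two of the consistency checks the slides ask for to an LDIF export such as printLDIF() produces: the requires/allows rules of the "objectclass person" definition from the schema slide (with an assumed "top" class that requires objectclass), and RDN uniqueness within each subtree from the DN slide. The sample LDIF, the "Jane Doe" entry and the stray mailHost attribute are constructed for illustration.

```python
# Added example (not from the talk): checks LDIF entries against the slide's
# 'objectclass person' definition (plus an assumed 'top' class) and verifies
# RDN uniqueness per subtree. The LDIF is a constructed sample; LDIF line
# folding and base64 values are not handled.
import re

SCHEMA = {  # lowercase keys: LDAP attribute and class names are case-insensitive
    "top": {"superior": None, "requires": {"objectclass"}, "allows": set()},
    "person": {"superior": "top", "requires": {"sn", "cn"},
               "allows": {"description", "seealso", "telephonenumber", "userpassword"}}}

SAMPLE_LDIF = """\
dn: cn=Leif Hedstrom,ou=People,dc=Netscape,dc=com
objectclass: person
cn: Leif Hedstrom
sn: Hedstrom

dn: cn=Jane Doe,ou=People,dc=Netscape,dc=com
objectclass: person
cn: Jane Doe
mailHost: tintin.netscape.com

dn: CN=leif hedstrom,ou=People,dc=Netscape,dc=com
objectclass: person
cn: Leif Hedstrom
sn: Hedstrom
"""

def parse_ldif(text):
    entries, dn, attrs = [], None, None           # returns [(dn, {attr: [values]})]
    for line in text.splitlines() + [""]:
        if not line.strip():                       # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn, attrs = value, {}
        elif dn is not None:
            attrs.setdefault(attr, []).append(value)
    return entries

def effective_schema(classes):
    requires, allows = set(), set()                # walk each class's superior chain
    for name in (oc.lower() for oc in classes):
        while name in SCHEMA:
            requires |= SCHEMA[name]["requires"]
            allows |= SCHEMA[name]["allows"]
            name = SCHEMA[name]["superior"]
    return requires, allows

def check_entries(entries):
    problems, seen = [], set()                     # returns [(dn, problem)] in entry order
    for dn, attrs in entries:
        rdn, *parent = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # keep escaped commas
        key = (rdn.lower(), ",".join(parent).lower())   # DNs compare case-insensitively
        if key in seen:
            problems.append((dn, f"duplicate RDN {rdn} under {','.join(parent)}"))
        seen.add(key)
        classes = attrs.get("objectclass", [])
        problems += [(dn, f"unknown objectclass {oc}") for oc in classes if oc.lower() not in SCHEMA]
        requires, allows = effective_schema(classes)
        problems += [(dn, f"missing required attribute {a}") for a in sorted(requires - set(attrs))]
        problems += [(dn, f"attribute {a} not allowed by objectclasses")
                     for a in sorted(set(attrs) - requires - allows)]
    return problems
```

Run as a cron job over a nightly export, the list it returns is the "data anomalies" feed the slide asks for; a real deployment would load SCHEMA from the server's schema files rather than a literal.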

Selecting software

• Does it support your architecture
  – Replication? Multi-master?
  – ACL mechanisms?
  – Performance needs?
• Cost
  – Initial costs
  – Maintenance costs
  – OS and Hardware costs

Selecting software (cont.)

• Standards
  – LDAP v2 or v3?
  – Extensions and controls?
• Other considerations
  – OpenSource is popular...
  – Support
  – Platforms

Some software products

• Netscape Directory Server (v4.0)
  – Very fast, powerful ACLs
  – Cross platform
  – Standards compliant
  – Flexible design (plugin API)
• OpenLDAP/Umich LDAP
  – Free!
  – Source code, but still behind the curve

Software products (cont.)

• Microsoft ActiveDirectory
  – Integration with NT (for better and for worse)
  – Multi-master replication
  – Excellent admin GUI
  – Only for NT
• Sun’s Directory Server
  – Integrates with NIS

Conclusions

• Spend time planning, analyzing and testing your design
• Select a DIT that is as easy as possible, while still supporting your organization
• Proactive and automatic maintenance is good, it helps keep data consistent
• Select the software appropriate for your architecture and needs

Literature

• RFCs, drafts and other protocol papers
• LDAP: Programming Directory Enabled Applications with Lightweight Directory Access Protocol
  – Tim Howes and Mark Smith
  – Macmillan Technology Series
  – ISBN: 1-57870-000-0
  – ~$45

Literature (cont.)

• Understanding and Deploying LDAP Directory Services
  – Tim Howes, Mark Smith and Gordon Good
  – MacMillan
  – ISBN: 1-57870-070-1
  – ~$50
  – Should be out early 1999

Resources

• http://www.openldap.org/
• http://www.mozilla.org/directory/
• http://www.ogre.com/ldap/
• Mail questions to me at [email protected] or [email protected]