Integration and LDAP
Consistent Sign-on and Directory Enabled Networking
An LDAP Master Class
Edmund J. Sutcliffe
Thoughtful Solutions; Creatively Implemented and Communicated
<[email protected]>
<http://panic.fluff.org>
+44 (0) 7976 938841
Welcome to Class
Welcome to ... Integration and LDAP
While waiting for the class to begin, please fill out your tent card.
Class will begin at ...
Class Audience
Consultants, systems engineers, and other technical personnel responsible for designing and implementing directory services using
Best suited to those with Heterogeneous OS knowledge and good Networking knowledge
You don’t have to be an LDAP expert
Class Objectives
Document Directory Data Requirements
Develop a Directory Schema
Design a Directory Tree Hierarchy
Create Directory Access Control Rules
Select Indexes to Support Your Design
Demonstrate Directory Service Interoperability
Facility Information
Please listen carefully while your instructor gives you important information about the training facility:
Emergency exits and first aid
Where to go for breaks and lunch
Restrooms
Telephones
Other important facts
Introductions
Who are you ?
Where are you from ?
What do you do ?
What do you know ?
What do you want from the class ?
LDAP Module Objectives
Upon completion of this module, you should be able to:
Describe the role of directory services
Describe LDAP, the underlying protocol used in directory service implementation
Use LDAP client applications to access directory service data
What is a directory ?
A centralised, structured repository of configuration, authentication and other network- and system-related information.
A system optimised for lookup-based applications.
It is not a database:
It doesn't have relationships
It isn't transactional
It has poor modification performance
The Role of Directory Services
Facilitate integrated application design
Store two data types:
User and application data
Application configuration data
Provide high performance query capabilities
Uses platform independent technologies (LDAP)
[Diagram: current situation vs. desired architecture]
Current situation: users raise requests through a manual process handled by systems administrators; changes take days or weeks.
The Digital Persona of Tomorrow (desired architecture): users and systems read and update an LDAP-based directory in real time.
Application Configuration Data
Application settings
Physical location of application components
Version information for application components
Application's object definitions
Allows applications to query the directory for configuration information
Application Integration
[Diagram: application integration around one LDAP server]
Components: LDAP Server, Client, File Server (Samba 2.2.2 PDC), IIS Server, SQL Server, SMTP Server, POP / IMAP Server, NT Domain
Protocols on the diagram: SMB, HTTP, NT Domain, LDAP, LDAP (ASP), SQL (ASP), SMTP, POP / IMAP
Every server that needs account or configuration data talks LDAP to the one LDAP server.
Why does it Work ?
LDAP
Common Schema between Applications
Common known Directory Information Tree (DIT)
Directory Enabled Networking
Common Encryption (I wish!)
Coffee --1
A quick 10 minute Break
Integration
The How and the Why of it
How ?
Build and install the LDAP server
Install pam_ldap
Install nss_ldap
Build and install Samba 2.2.2
Join the Windows clients and servers to the domain
Drink beer
Build OpenLDAP
OpenLDAP 2.0.15
# ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --libexecdir=/usr/sbin --mandir=/usr/share/man --with-subdir=ldap --enable-wrappers --without-cyrus-sasl
# make
# make install
Configure /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
# Run stuff
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database ldbm
suffix "dc=fluff,dc=org"
rootdn "cn=Directory Manager,dc=fluff,dc=org"
# use a hash generated with slappasswd ({SSHA}...) here, not the clear-text password
rootpw xxxxxx
directory /var/openldap-ldbm
## Access Control Restrictions
# userPassword: the owner may change it; anonymous may only use it to bind
# ("auth"). Granting anonymous "read" here, as the original slide did,
# hands every password hash to anyone who can reach port 389.
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by anonymous read
    by users read
Note: the build above has no SASL and no TLS is configured, so simple binds send passwords in the clear; turn on TLS before pointing pam_ldap or Samba at this server.
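The userPassword rule is worth tracing by hand, because slapd evaluates ACLs first-match and the level it grants decides whether anonymous clients can read password hashes. The following Python is an added example, not code from the slides or from OpenLDAP: it models the slapd.access(5) ordering for the two rule forms used here and runs the ACL as written on the slide against the corrected one. The second user DN (uid=martin) is an assumption; it does not appear on the slide.

```python
"""Evaluate slapd.conf 'access to' ACLs with slapd's first-match ordering.

Added example, not code from the original slides. It follows the rule in
slapd.access(5): the first 'access to' clause whose <what> covers the
attribute is selected; inside it, the first 'by' clause whose <who>
matches the requester fixes the privilege; a selected clause with no
matching 'by' denies. Only the <what>/<who> forms on the slide are
supported ('*', 'attr=<name>', 'self', 'anonymous', 'users').
"""
from typing import Optional

# Cumulative privilege levels from slapd.access(5), weakest first.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed inputs: the ACL block as it appears on the slide, and the
# corrected form where anonymous may use userPassword only to bind.
SLIDE_ACL = """
access to attr=userPassword
    by self write
    by anonymous read
    by * none
access to *
    by self write
    by anonymous read
    by users read
"""
HARDENED_ACL = SLIDE_ACL.replace("by anonymous read\n    by * none",
                                 "by anonymous auth\n    by * none")


def parse_acls(text: str) -> list:
    """Return [(what, [(who, level), ...]), ...] in file order.

    slapd.conf continues a directive on lines that begin with whitespace,
    so those are folded back onto their 'access to' line first.
    """
    logical = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    acls = []
    for line in logical:
        parts = line.split()
        if parts[:2] != ["access", "to"]:
            continue
        bys = []
        for i in range(3, len(parts), 3):
            if parts[i] != "by" or i + 2 >= len(parts):
                raise ValueError(f"malformed access directive: {line}")
            if parts[i + 2] not in LEVELS:
                raise ValueError(f"unknown access level {parts[i + 2]!r}")
            bys.append((parts[i + 1], parts[i + 2]))
        acls.append((parts[2], bys))
    return acls


def _what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    kind, _, names = what.partition("=")
    if kind not in ("attr", "attrs"):
        raise ValueError(f"unsupported <what> form: {what}")
    return attr.lower() in {n.strip().lower() for n in names.split(",")}


def _who_matches(who: str, requester_dn: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported <who> form: {who}")


def granted_level(acls, requester_dn: Optional[str], entry_dn: str, attr: str) -> str:
    """Privilege the requester (None = anonymous bind) gets on attr of entry_dn."""
    for what, bys in acls:
        if not _what_matches(what, attr):
            continue
        for who, level in bys:
            if _who_matches(who, requester_dn, entry_dn):
                return level
        return "none"      # clause selected, no <who> matched: implicit 'by * none'
    return "none"          # nothing selected: treated as denied (conservative)


def allowed(acl_text: str, requester_dn: Optional[str], entry_dn: str,
            attr: str, needed: str) -> bool:
    """True when the granted level reaches the level the operation needs
    ('auth' for a simple bind, 'read' to see the value in a search)."""
    level = granted_level(parse_acls(acl_text), requester_dn, entry_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed)


ED = "uid=es26336,ou=People,dc=fluff,dc=org"        # DN from the slides
MARTIN = "uid=martin,ou=People,dc=fluff,dc=org"     # assumed second user

if __name__ == "__main__":
    for name, acl in (("slide", SLIDE_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name:9s} anonymous reads hash: {allowed(acl, None, ED, 'userPassword', 'read')}"
              f"  anonymous can bind: {allowed(acl, None, ED, 'userPassword', 'auth')}"
              f"  other user reads hash: {allowed(acl, MARTIN, ED, 'userPassword', 'read')}")
```

With the slide's ACL the first line prints True for the anonymous hash read; with the hardened one it prints False while the anonymous bind still succeeds, which is the only thing pam_ldap and Samba need from that attribute.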
Make it work
Design a schema: find out which apps require what
Design a tree (DIT): see where control is in your organisation
Populate the LDAP server
# /etc/init.d/slapd stop
# rm -f /var/openldap-ldbm/*
# /etc/init.d/slapd start
# cd /etc/ldap
# ldapadd -D "cn=Directory Manager,dc=fluff,dc=org" -W -f base.ldif
(the bind DN must match the rootdn in slapd.conf exactly; -W prompts for the password instead of leaving it visible in the process list as -w xxxx does)
LDAP Tree
Configure LDAP
Configure /etc/ldap/ldap.conf
BASE dc=levenshulme,dc=fluff,dc=org
host 127.0.0.1
ldap_version 2
port 389
pam_member_attribute uniquemember
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=People,dc=levenshulme,dc=fluff,dc=org?one
nss_base_shadow ou=People,dc=levenshulme,dc=fluff,dc=org?one
nss_base_group ou=Groups,dc=levenshulme,dc=fluff,dc=org?one
(prefer ldap_version 3: OpenLDAP 2.1 and later refuse LDAPv2 binds unless "allow bind_v2" is set)
Find the other ldap.conf's and point them here:
# rm /etc/ldap.conf
# ln -s /etc/ldap/ldap.conf /etc/ldap.conf
Why PAM and NSS ?
Traditional services (telnet, ftp, etc.) authenticate via PAM
Traditional C programs do name searches via NSS: gethostbyxxxx, getpwent, getpwnam, getpw...
(well, everywhere but Microsoft: they use ADSI, sometimes!)
Configure PAM
Plug-able Authentication Modules: build PAM
ftp://ftp.padl.com/pub/pam_ldap-124.tgz
# tar -zxvf pam_ldap-124.tgz
# ./configure
# make
# make install
Edit the /etc/pam.d/ files, e.g. login:
auth     required   /lib/security/pam_securetty.so debug
auth     required   /lib/security/pam_nologin.so debug
auth     sufficient /lib/security/pam_ldap.so debug
auth     required   /lib/security/pam_unix_auth.so
account  sufficient /lib/security/pam_ldap.so debug
session  required   /lib/security/pam_unix_session.so
(add use_first_pass to pam_unix_auth.so so a user whom LDAP rejects is not prompted a second time, and drop the debug flags once it works: they write the exchange to syslog)
Configure NSS
Name Services Libraries: build libnss
ftp://ftp.padl.com/pub/libnss-172.tgz
# ./configure --enable-rfc2307bis
# make
# make install
Configure /etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
services:   files ldap [NOTFOUND=return] files
networks:   files ldap [NOTFOUND=return] files
protocols:  files ldap [NOTFOUND=return] files
rpc:        files ldap [NOTFOUND=return] files
ethers:     files ldap [NOTFOUND=return] files
# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files
Why Samba PDC ?
Scalability of File and Print Services
Integration with NetAtalk (Mac services)
Source (fix the features)
Performance
Cost !
Samba Throughput
[Chart: response time]
Configure Samba 2.2.2
Build Samba
# ./configure --sysconfdir=/etc/samba --with-privatedir=/etc/samba --with-lockdir=/var/state/samba --localstatedir=/var --with-syslog --with-utmp --with-readline --with-sambabook --with-ldapsam --with-msdfs --with-acl-support
# make
# make install
Configure Samba /etc/samba/smb.conf
[global]
    workgroup = levenshulme
    domain logons = yes
    domain admin group = @ntadmin
    unix password sync = yes
    passwd program = /etc/samba/passwdsync %u
    passwd chat = *OLD* %o\n *NEW* %n\n *AGAIN* %n\n *changed*
    passwd chat debug = true
    encrypt passwords = yes
    guest account = nobody
    status = yes
    os level = 70
    domain master = yes
    security = user
    log level = 1
    log file = /var/log/samba/%m.log
    logon drive = U:
    ldap admin dn = "cn=Directory Manager,dc=fluff,dc=org"
    ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
    ldap suffix = "ou=people,dc=levenshulme,dc=fluff,dc=org"
[homes]
    comment = Home Directories
    read only = no
    public = no
    writeable = yes
Two things to change once it works: set passwd chat debug = false, because it logs the password exchange, and give Samba its own admin DN with write access under the ldap suffix rather than the directory rootdn, so a compromised PDC does not own the whole directory.
Store the password for the ldap admin dn in secrets.tdb (it does not go into smb.conf):
# smbpasswd -w xxxxxx
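The ldap filter line substitutes the login name into a search filter, and pam_ldap does the same with pam_login_attribute. Neither slide shows that value being escaped, so what follows is an added example, not code from the slides, from Samba or from PADL: a Python function that applies RFC 4515 escaping before substitution, beside a deliberately unsafe version, and a small filter evaluator over three constructed entries (es26336 from the slides, plus assumed users martin and backup) to show what each filter actually matches.

```python
"""Build LDAP search filters from a login name without filter injection.

Added example, not code from the original slides. Samba's
'ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"' and pam_ldap's
pam_login_attribute both splice a user-supplied name into a filter.
RFC 4515 says the characters ( ) * \\ and NUL inside an assertion value
must be written as \\XX hex escapes; unescaped, a crafted login rewrites
the filter. A small evaluator over constructed entries shows the effect.
"""
import re

# Constructed sample directory: two Samba accounts and one POSIX-only user.
ENTRIES = [
    {"dn": "uid=es26336,ou=People,dc=fluff,dc=org", "uid": "es26336",
     "objectclass": ["sambaAccount", "posixAccount"]},
    {"dn": "uid=martin,ou=People,dc=fluff,dc=org", "uid": "martin",
     "objectclass": ["sambaAccount", "posixAccount"]},
    {"dn": "uid=backup,ou=People,dc=fluff,dc=org", "uid": "backup",
     "objectclass": ["posixAccount"]},
]
SAMBA_TEMPLATE = "(&(uid=%u)(objectclass=sambaAccount))"   # smb.conf line from the slide
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def samba_filter(login: str, template: str = SAMBA_TEMPLATE) -> str:
    """%u substitution done safely: the login is escaped first."""
    return template.replace("%u", escape_filter_value(login))


def unsafe_filter(login: str, template: str = SAMBA_TEMPLATE) -> str:
    """Raw %u substitution, the failure mode the escaping prevents."""
    return template.replace("%u", login)


def _parse(f: str, i: int):
    """Parse the filter starting at f[i] (must be '('); return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i} in {f!r}")
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("unterminated list")
        return (op, kids), i + 1
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        if f[i] != ")":
            raise ValueError("unterminated not")
        return ("!", [node]), i + 1
    end = f.index(")", i)          # an escaped ')' is '\29', so this finds the real end
    attr, _, value = f[i:end].partition("=")
    return ("=", attr, value), end + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr.lower(), [])
    values = [values] if isinstance(values, str) else values
    # A raw '*' is a wildcard; an escaped one (\2a) is a literal after unescaping.
    regex = "".join(".*" if p == "*" else re.escape(_unescape(p))
                    for p in re.split(r"(\*)", pattern))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def search(filter_str: str, entries=ENTRIES) -> list:
    """DNs of entries matching filter_str (equality, presence, substring, & | !)."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in entries if _match(node, e)]


if __name__ == "__main__":
    for login in ("es26336", "*", "backup)(objectclass=posixAccount"):
        print(f"{login!r:40} unsafe -> {search(unsafe_filter(login))}")
        print(f"{'':40} safe   -> {search(samba_filter(login))}")
```

A login of `*` matches every sambaAccount when substituted raw and nothing once escaped. The outer `&` in the slide's template does hold the sambaAccount requirement even against the injected `backup)(objectclass=posixAccount`, but a template with `|` or a bare `(uid=%u)` would not, which is why the escaping belongs at the substitution point rather than in the template.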
Samba as PDC
Grouping across platforms hold true
Single sign-on into the Microsoft environment: login to Windows logs into SQL Server / Exchange
Password kept in sync with other OS’s and tools
NDS Integration Possibilities
[Diagram: Novell NetWare 5.0 NDS Master and NDS Replicas, Apple MacOS and Windows workstations, Solaris 2.6 using PAM and NSS, all against the directory service]
Apache
Apache 1.3.2
mod_auth_ldap
mod_ssl
JumpStart and PXE
Jumpstart (autobuild of Solaris hosts)
PXE (Jumpstart for Intel): extensions to DHCP and DEN systems
Possible to build systems automatically based on the roles stored within LDAP
PXE can build Linux & Windows (bpbatch + easyInternet)
Why Bother ?
Infrastructure that just works
Ubiquity of configuration information
Rich personalisation: users want to set their screen colours!
Universal access: not just people but also applications
Single point of control
We want to drink BEER!
Coffee --2
A quick 10 minute Break
LDAP Background
LDAP - Lightweight Directory Access Protocol
Protocol for providing directory services over TCP/IP
Described in RFC 1777 (LDAPv2) and RFC 2251 (LDAPv3); RFC 1823 describes the C API, not the protocol
LDAP is a standard, extensible directory access protocol
Allows client and server software from many different vendors to interoperate
Is lightweight, efficient, straightforward, easy to implement
Uses a simplified set of encoding methods and runs directly on top of TCP/IP
APIs include C APIs, Java APIs and PerLDAP
Databases vs. Directories
Characteristic           Conventional Databases   Directory Services
SQL                      Yes                      No
Read / Write ratio       1 / 1                    1000 / 1
Common Access Protocol   No                       Yes
Transaction Oriented     Yes                      No
Directory Structure - Entries
An entry is a collection of attribute/value pairs
User attributes:
attribute   value
uid         es26336
sn          Sutcliffe
cn          Edmund
l           Manchester
Application attributes:
attribute        value
uidNumber        26336
primaryGroupID   1793
defaultdomain    fluff.org
sambahome        /export/home
Directory Structure - Data Tree
Entries are arranged in a hierarchical tree-like structure
Entries are identified by a unique distinguished name (DN)
[Diagram: the tree]
dc=fluff,dc=org                  suffix; dn: dc=fluff,dc=org
  ou=People
    uid=es26336 (Edmund)         dn: uid=es26336,ou=People,dc=fluff,dc=org
    Martin
  ou=Groups
    Administrators
    Staff
Typical Directory Entry
Distinguished Name (DN); the first component (uid=es26336) is the RDN
dn: uid=es26336,ou=People,dc=fluff,dc=org
cn: Edmund Sutcliffe
sn: Sutcliffe
givenname: Edmund
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: People
l: Manchester
uid: es26336
mail: [email protected]
telephonenumber: +44 7976 938841
organizationalPerson requires objectclass, sn, cn; allows description, streetaddress, telephonenumber, pagernumber, mail, title, etc.
Schema and Objectclasses
[Diagram: attributes and object classes]
Attributes shown: objectclass, aci, cn, sn, telephonenumber, description, uid, mailhost, mailquota, l, street, postalcode, st ...
Object classes shown: top, person, organizationalperson
Objectclass Inheritance
top: objectclass (req), aci
person (top): objectclass, aci, cn (req), sn (req), description
organizationalperson (top, person): objectclass, aci, cn (req), sn (req), description, o, ou, givenname, title, employeenumber
Topology
How should the directory contents be designed?
How should the directory be deployed in the physical infrastructure?
Directory Replication
Replication is the mechanism that…
Copies information between Directory Servers so that the same information exists on several different physical servers
Allows a master server to hold a master copy of the information and automatically copy updates to all replicas
Directory Referrals
A Directory Referral is a …
Redirection mechanism
An alternate LDAP address given back to a client requesting information
Types of referrals: suffix, replication
Clients have to handle this!
What Is LDIF?
LDAP Data Interchange Format (RFC 2849): an ASCII representation of directory entries
Uses: Directory Server configuration data, import/export operations, backup files, schema files
Command-line utilities: ldapsearch, ldapmodify, etc.
Space = ?
dn: dc=fluff,dc=org
objectclass: top
objectclass: domain
dc: fluff

dn: ou=People, dc=fluff,dc=org
objectclass: top
objectclass: organizationalunit
ou: People

dn: uid=es26336, ou=People, dc=fluff,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Edmund Sutcliffe
sn: Sutcliffe
givenname: Edmund
ou: Staff
uid: es26336
? The spaces after the commas. RFC 2253 requires implementations to accept whitespace around the RDN separator, and it is not part of the name, so these three DNs form a single tree; most tools write DNs without the spaces.
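An added example, not code from the slides: a Python LDIF reader for records like the ones above, with the DN handling that answers the question on this slide. The input is the slide's three entries, spaces included; the parent-ordering check is this example's own addition, and the escaped-comma DN and base64 value used at the end are constructed.

```python
"""Parse LDIF (RFC 2849) and check the DNs it contains, answering the
'Space = ?' question on the slide.

Added example, not code from the original slides. It reads LDIF records
(blank-line separated 'attr: value' lines, 'attr:: base64', continuation
lines starting with one space), splits DNs into RDNs while honouring
backslash-escaped commas, normalises the whitespace that RFC 2253 says is
not significant around the separators, and reports entries whose parent
does not appear earlier in the file, which is what makes ldapadd fail
with 'no such object'.
"""
import base64

# Constructed input: the three entries on the slide, spaces after the
# commas included.
SLIDE_LDIF = """\
dn: dc=fluff,dc=org
objectclass: top
objectclass: domain
dc: fluff

dn: ou=People, dc=fluff,dc=org
objectclass: top
objectclass: organizationalunit
ou: People

dn: uid=es26336, ou=People, dc=fluff,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Edmund Sutcliffe
sn: Sutcliffe
givenname: Edmund
ou: Staff
uid: es26336
"""


def parse_ldif(text: str) -> list:
    """Return [{'dn': str, '<attr>': [values, ...], ...}, ...] in file order."""
    lines = []
    for raw in text.splitlines():             # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # sentinel blank line flushes the last record
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = {"dn": value}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current.setdefault(attr, []).append(value)
    return entries


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings; a backslash-escaped comma is not a separator."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf, i = buf + dn[i:i + 2], i + 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    return rdns


def normalize_dn(dn: str) -> str:
    """Trim each RDN, lower-case the attribute type, drop spaces around '='."""
    parts = []
    for rdn in split_dn(dn):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(normalize_dn(dn))[1:])


def check_parents(entries: list, suffix: str) -> list:
    """DNs (as written) whose parent is neither the suffix nor defined earlier."""
    seen, orphans = set(), []
    for entry in entries:
        dn = normalize_dn(entry["dn"])
        if dn != normalize_dn(suffix) and parent_dn(dn) not in seen:
            orphans.append(entry["dn"])
        seen.add(dn)
    return orphans


if __name__ == "__main__":
    entries = parse_ldif(SLIDE_LDIF)
    for e in entries:
        print(normalize_dn(e["dn"]), "  parent:", parent_dn(e["dn"]))
    print("orphans in file order:", check_parents(entries, "dc=fluff,dc=org"))
    print("orphans if reversed:  ", check_parents(entries[::-1], "dc=fluff,dc=org"))
```

Run it before an ldapadd of a new base.ldif: the file order matters to ldapadd, and a non-empty orphan list is the "no such object" error you would otherwise get halfway through the load.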
Search
Criteria based
Allows the client to specify:
Where to begin searching in the directory tree
How much of the tree to search
Which attribute values to return
The pattern to match
Using LDAP URLs
ldap://ldap.fluff.org:389/dc=fluff,dc=org?telephoneNumber?sub?(cn=Ed*)
ldap[s]://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>
base ::= where to start
attributes ::= what is shown
scope ::= base | one | sub
filter ::= (|(filter)(filter)) | (&(filter)(filter)) etc.
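An added example, not code from the slides: parsing and rebuilding LDAP URLs of exactly this shape in Python, following RFC 4516 for the defaults and the percent-encoding. The URL from the slide is the sample input; the ldaps and host-less forms exercised at the end are this example's own.

```python
"""Parse and rebuild LDAP URLs of the form on the slide (RFC 4516).

Added example, not code from the original slides. Grammar:
ldap[s]://host[:port]/base?attrs?scope?filter[?extensions]. Missing
fields take the RFC defaults (port 389, or 636 for ldaps; attributes =
all user attributes; scope = base; filter = (objectClass=*)). Each field
is percent-decoded on its own because '?', ',' and '=' are structural.
"""
from dataclasses import dataclass, field
from urllib.parse import quote, unquote, urlsplit

SCOPES = ("base", "one", "sub")
DEFAULT_FILTER = "(objectClass=*)"


@dataclass
class LdapUrl:
    scheme: str = "ldap"
    host: str = ""                  # "" means the client's default server
    port: int = 389
    base: str = ""
    attributes: list = field(default_factory=list)   # [] means all user attributes
    scope: str = "base"
    filter: str = DEFAULT_FILTER
    extensions: list = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    u = LdapUrl(scheme=parts.scheme,
                host=parts.hostname or "",
                port=parts.port or (636 if parts.scheme == "ldaps" else 389),
                base=unquote(parts.path.lstrip("/")))
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 4:
        raise ValueError("more than four '?'-separated fields")
    if len(fields) > 0 and fields[0]:
        u.attributes = [unquote(a) for a in fields[0].split(",")]
    if len(fields) > 1 and fields[1]:
        scope = unquote(fields[1]).lower()
        if scope not in SCOPES:
            raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
        u.scope = scope
    if len(fields) > 2 and fields[2]:
        u.filter = unquote(fields[2])
    if len(fields) > 3 and fields[3]:
        u.extensions = [unquote(e) for e in fields[3].split(",")]
    return u


def build_ldap_url(u: LdapUrl) -> str:
    """Inverse of parse_ldap_url; omits fields that equal their defaults."""
    default_port = 636 if u.scheme == "ldaps" else 389
    authority = u.host + ("" if u.port == default_port else f":{u.port}")
    safe = "=,()*&|!~<>"            # legal inside a field; '?', '#', '%' and space are not
    url = f"{u.scheme}://{authority}/{quote(u.base, safe=safe)}"
    tail = [",".join(quote(a, safe=safe) for a in u.attributes),
            "" if u.scope == "base" else u.scope,
            "" if u.filter == DEFAULT_FILTER else quote(u.filter, safe=safe),
            ",".join(quote(e, safe=safe) for e in u.extensions)]
    while tail and not tail[-1]:
        tail.pop()
    return url + ("?" + "?".join(tail) if tail else "")


if __name__ == "__main__":
    slide = "ldap://ldap.fluff.org:389/dc=fluff,dc=org?telephoneNumber?sub?(cn=Ed*)"
    u = parse_ldap_url(slide)
    print(u)
    print(build_ldap_url(u))
```

Note that a URL with no scope field is a base-object search returning one entry, which is the usual surprise when a copied URL "returns nothing": the sub scope on the slide is what makes the (cn=Ed*) filter walk the tree.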
Command Line Tools
ldapdelete
ldapdelete "cn=DeleteMe,dc=fluff,dc=org" -D "cn=Directory Manager,dc=fluff,dc=org" -w xxxxxxx -h ldap -p 389
ldapmodify
ldapmodify -b -r -f /tmp/entrymod
dn: cn=modifyme,dc=fluff,dc=org
changetype: modify
replace: mail
mail: [email protected]
-
add: title
title: Grand Poobah
-
delete: description
-
add: jpegPhoto
jpegPhoto: /tmp/modme.jpg
(each change in a modify record is separated by a line holding only "-"; -b makes ldapmodify read the jpegPhoto value from the named file; prefer -W to -w so the password stays out of the process list)
Exercises
Perform an LDAP URL Search
Perform an LDAP command line search
Dump LDAP Command line search into LDIF
Add an entry for yourself into the LDIF
Using Directory Manager add new LDIF
Coffee –3 Lunch
LUNCH
Back by 1:00pm
Schema Module Objectives
Upon completion of this module, you should be able to: Determine definitive sources of data Understand and extend LDAP Schema
[Diagram: Data Store 1, Data Store 2 ... Data Store x and Application 1, Application 2 ... Application n feeding the Directory dB(s)]
Identify Directory Data & Users
Perform a Directory Data Requirements
Perform a Directory Applications Analysis
Review Directory Data Requirements
What Kinds of Data Belong in a Directory?
What Should Not Go Into the Directory?
Examples of Directory Data
What Belongs
Data that is read often and written infrequently
Data that can be expressed in attribute form
Data useful for more than one audience
Data accessed from more than one physical location
What Doesn’t
Data that changes frequently
Large unstructured chunks of data designed for file systems, FTP servers, web servers, or relational databases
Examples of Directory Data
Contact information for people, places, or things (telephone numbers, addresses, email, etc.)
Descriptive information (employee number, job title, manager, etc.)
Device information (printer type, location, speed, color, etc.)
Contact and billing information for Extranets
Software application configuration preferences
User preferences for applications
Resource locations, such as pointers to web servers, FTP servers, and file system locations
Perform a Directory Applications Analysis
What directory applications and tools do you currently have deployed, and who uses them?
What LDAP directory-enabled applications will you deploy, and who will use them?
How will these applications be used?
What other iPlanet Servers are you planning to deploy?
Directory Enabled Applications
Samba: sambaAccount, sambaGroup
Messaging systems: Sendmail/Exim, ListServe, Exchange
Posix (Unix) login: posixAccount, posixGroup
Web servers: Apache, Zeus, Netscape/iPlanet
Application servers: Oracle iAS
Windows services: IIS, SQL Server
Perform a Directory Data Stores Analysis
Where does current directory data exist in your environment?
What applications and tools do you have to support your current directory data?
What applications, tools, and processes need to change if the data is accessed using LDAP?
Exercise: Identify Directory Data Stores
Glasgow examples
Admin Unix username
Exchange username
NDS username
CS username; Radius uses the CS username; 50% have a static hardwired password!!
Admin Ingress: common password
Student Record System, Delphi (Personnel / Payroll), Advisors Online, Agresso (finance system)
Reference Manager System, Bibliographic Database (RAE)
Senate Papers
Department systems: modification of the central NDS / Unix system (Physics has an NT domain)
NT domains: Desktop Support Team WinTERM domain; HelpDesk authentication system and associated NT domain
[Template: Directory Application Fields table with columns Field, Sample Value, Description (field 1 ... field x), alongside the Vendor Schema attribute list (attribute 1 ... attribute x)]
Document Directory Application Fields
What are the required fields for all of the identified LDAP directory applications?
What is the purpose of each field and how is it formatted?
Are there any additional fields that can be viewed by special users?
Are there any hidden fields?
Is there a vendor supplied schema?
Examples of Documenting Application Fields
Directory Server Gateway
Communicator Address Book
Conference Room Locator
NetMeeting(RTPerson class)
Sendmail(mail attribute)
[Template: Data Store Fields table with columns Field, Sample Value, Description, one per data store (Data Store 1, Data Store 2 ... Data Store X)]
Document Directory Data Store
What directory information exists for each identified data store?
What is the purpose of each field and how is it formatted?
Is there a vendor supplied schema?
Examples of Documenting Data Store Fields
HR Database
NT
Facilities
PBX System
Access Control System (Badging)
Excel Spreadsheet with Departmental Contacts
Admin Spreadsheets
HR Database
HR Data Store Field   Sample Values         Description
First_Name            Edmund                Common first name
Middle_Name           James                 Middle name or initial
Last_Name             Sutcliffe             Last name
Legal_Name            Edmund J. Sutcliffe   Legal name
Employee_ID           26336                 Employee ID number (primary key)
Email_ID              [email protected]     Email address
Work_Phone            +44 7976 938841       Work telephone number
Salary_Amount         1000000               Base salary
Pay_Cycle             2                     Pay cycle in weeks
Currency_Code         UK                    Currency paid in
Address_1             Deansgate             Work address 1
Address_2                                   Work address 2
City                  Manchester            Work address 3
State                 Greater Manchester    Work address 4
Postal_Code           M2 7SB                Work address 5
Country_Code          UK                    Work address 6
Mail_Stop             1-9-907               Work address (mail stop)
Manager_Name          Geoff Arnold          Manager's first name + last name
Manager_Email         [email protected]     Email address
Business_Title        Member                Title
Department_Number     1149                  Billing department number
NT, Facilities, and PBX
NT Data Store Field      Sample Values      Description
Full Name (full_name)    Edmund_Sutcliffe   NT full account name
Username (name)          es26336            NT account name
Description (comment)                       NT description field
Password (password)                         NT password field in NT
Domain                   fluff.org          Hidden NT domain
PBX Data Store Field   Sample Values      Description
E-Num                  76548010           Electronic PBX tracking number
E-Name                 edmunds            User name
E-Location             376120-002         Physical location code of phone
E-Phone                +44 7976 938841    Assigned telephone number (unique to PBX)
Facilities Data Store Field   Sample Values       Description
First_Name                    Edmund              Common first name
Last_Name                     Sutcliffe           Last name
Work_Phone                    +44 7976 938841     Work telephone number
Email_ID                      [email protected]   Email address
Building_Number               1                   Building
Floor_Number                  9                   Floor
Room_Number                   907                 Room
User_ID                       edmunds             User ID (primary key)
Glasgow Attributes
Room allocation (standardisation)
Phone number
User-id: multiple users of a single user-id; Data Protection Act difficulties with multiple use; stamp out shared usernames... POLICY STATEMENT
Password: the yellow sticky issue!!!
Authorization: per app, per department, per position; the problem of temps accruing permissions...
Departmental privileges: right to have access to chemicals / animal experimentation
Tips
As you develop your plan, share information about goals and milestones with everyone involved
Actively use the milestones to track progress toward your goals
Through advertising what you hope to accomplish and your schedule, you secure the aid of others and set expectations for the deployment process
Coffee --4
[Diagram: fields from App 1, App 2 ... App n and from data stores S1, S2 ... Sn are mapped onto the Directory Server Schema: ObjectClass (default and custom object classes), Attribute, OID and Syntax; an Identifier / Change / Notes matrix records where each attribute comes from (S1, S2 ... Sn, AS, MV)]
Develop Directory Schema
Develop a Directory Schema
Review the Default Schema
Match Directory Application Fields
Match Directory Data Store Fields
Extend the Schema
Identify Authoritative Sources
Identify Processes and Procedures
Review the Default Schema
Review a Typical Directory Entry
Review Object Classes and Attributes
Review Object Class Inheritance
Review Default iPlanet Directory Server Schema
Review the Default iPlanet Directory Server Schema
00core.ldif, 05rfc2247.ldif, 05rfc2927.ldif, 10rfc2307.ldif, 20subscriber.ldif, 25java-object.ldif, 28pilot.ldif, 30ns-common.ldif, 50ns-admin.ldif, 50ns-calendar.ldif, 50ns-certificate.ldif, 50ns-compass.ldif, 50ns-delegated-admin.ldif, 50ns-directory.ldif, 50ns-legacy.ldif, 50ns-mail.ldif, 50ns-mcd-browser.ldif, 50ns-mcd-config.ldif, 50ns-mcd-li.ldif, 50ns-mcd-mail.ldif, 50ns-media.ldif, 50ns-mlm.ldif, 50ns-msg.ldif, 50ns-netshare.ldif, 50ns-news.ldif, 50ns-proxy.ldif, 50ns-value.ldif, 50ns-wcal.ldif, 50ns-web.ldif, 99user.ldif
Location: <server-root>/slapd-<instance>/config/schema/
Schema Entries in LDIF
Typical schema attribute definition
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'Standard LDAP attribute type' SUP name X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN 'RFC 2256' )
Typical schema object class definition
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )
OID Numbers
Object IDentifier numbers uniquely identify objects globally
Each new object class and attribute must be assigned a unique OID
iPlanet's default is the object name followed by the characters -oid: fluffPerson-oid (object class), TShirtSize-oid (attribute)
Better option: maintain a unique OID registry for your organisation under a registered arc (an IANA private enterprise number gives you 1.3.6.1.4.1.<number>); OpenLDAP accepts only numeric OIDs, so the -oid placeholders do not work there
Attribute SYNTAX
The SYNTAX keyword defines the type of data an attribute can store
Each new attribute must be assigned a SYNTAX number, e.g. SYNTAX 1.3.6.1.4.1.1466.115.121.1.50, or a SUP name (derived from that other attribute type)
RFC 2252 defines attribute syntax: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
Attribute Syntax Types
bin   corresponds to   Binary
ces   corresponds to   IA5String
cis   corresponds to   DirectoryString
dn    corresponds to   DN
int   corresponds to   INTEGER
tel   corresponds to   TelephoneNumber
Others: OctetString, Boolean, GeneralizedTime, Country Name, Postal Address
Sample 99user.ldif File
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: ......
objectClasses: ( siroePerson-oid NAME 'siroePerson' SUP inetorgperson STRUCTURAL MAY TShirtSize X-ORIGIN 'user defined' )
attributeTypes: ( TShirtSize-oid NAME 'TShirtSize' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
Default Directory Server Operation
Schema checking: default = on
Checks if the proper attributes are present: required values for the objectclass, allowed attributes for the objectclass
Replication: schema changes made on a replica master are recorded in the changelog
During replication, changes are replicated
Do NOT modify the schema on a read-only replica
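Schema checking is easier to reason about with the MUST and MAY sets written out, so here is an added example, not code from the slides or from iPlanet or OpenLDAP: a Python checker that parses objectClass definitions in the RFC 2252 form shown on the Schema Entries in LDIF slide and validates the entry from the Typical Directory Entry slide against them. Only 'person' is the slide's own definition and siroePerson/TShirtSize is the 99user.ldif example; top, organizationalPerson and inetOrgPerson are abridged constructions (the RFC 2256/2798 originals allow more attributes). It also lists the name-oid placeholder OIDs from the OID Numbers slide, which OpenLDAP rejects.

```python
"""Check an entry against objectClass definitions the way slapd's schema
checking does, using the RFC 2252 definition text shown on the slides.

Added example, not code from the original slides. Definitions are parsed
from their '( OID NAME ... SUP ... MUST ( ... ) MAY ( ... ) )' form; MUST
and MAY are accumulated over the whole superclass chain; an entry fails
when a MUST attribute is absent or an attribute is in neither set. Only
'person' and siroePerson are quoted from the slides; top,
organizationalPerson and inetOrgPerson are abridged constructions.
"""
import re

PERSON = ("( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top "
          "MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) "
          "X-ORIGIN 'RFC 2256' )")
OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    PERSON,
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ l $ st $ street $ postalCode $ postalAddress ) )",          # abridged
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL "
    "MAY ( givenName $ mail $ uid $ employeeNumber $ jpegPhoto $ mobile $ pager ) )",  # abridged
    "( siroePerson-oid NAME 'siroePerson' SUP inetorgperson STRUCTURAL "
    "MAY TShirtSize X-ORIGIN 'user defined' )",                                   # 99user.ldif
]
# The 'Typical Directory Entry' slide, attribute lines only (dn omitted);
# keys are lower-cased as they are on the slide.
SLIDE_ENTRY = {
    "cn": ["Edmund Sutcliffe"], "sn": ["Sutcliffe"], "givenname": ["Edmund"],
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "ou": ["People"], "l": ["Manchester"], "uid": ["es26336"],
    "mail": ["[email protected]"], "telephonenumber": ["+44 7976 938841"],
}
_FLAGS = {"OBSOLETE", "ABSTRACT", "STRUCTURAL", "AUXILIARY", "SINGLE-VALUE"}


def parse_definition(text: str) -> dict:
    """Turn one RFC 2252 definition into {'oid': ..., 'NAME': [...], 'MUST': [...], ...}."""
    toks = re.findall(r"'[^']*'|\(|\)|\$|[^\s()'$]+", text)
    if toks[0] != "(" or toks[-1] != ")":
        raise ValueError(f"definition must be parenthesised: {text!r}")
    defn, i = {"oid": toks[1]}, 2
    while i < len(toks) - 1:
        key, i = toks[i], i + 1
        if key in _FLAGS:
            defn[key] = True
            continue
        if toks[i] == "(":                      # list form: ( a $ b ) or ( 'x' 'y' )
            close = toks.index(")", i)
            values, i = [t.strip("'") for t in toks[i + 1:close] if t != "$"], close + 1
        else:                                   # single value, possibly quoted
            values, i = [toks[i].strip("'")], i + 1
        defn[key] = values
    return defn


class Schema:
    def __init__(self, definitions):
        self.classes = {}
        for text in definitions:
            defn = parse_definition(text)
            for name in defn["NAME"]:
                self.classes[name.lower()] = defn

    def superclass_chain(self, name: str) -> list:
        """The class and every superclass, nearest first (names lower-cased)."""
        chain, todo = [], [name.lower()]
        while todo:
            current = todo.pop(0)
            if current in chain:
                continue
            if current not in self.classes:
                raise KeyError(f"unknown objectClass {current!r}")
            chain.append(current)
            todo.extend(s.lower() for s in self.classes[current].get("SUP", []))
        return chain

    def check_entry(self, entry: dict):
        """Return (missing_required, not_allowed), both sorted lower-case attribute names."""
        must, may = set(), set()
        for oc in entry.get("objectclass", []):
            for name in self.superclass_chain(oc):
                must |= {a.lower() for a in self.classes[name].get("MUST", [])}
                may |= {a.lower() for a in self.classes[name].get("MAY", [])}
        present = {a.lower() for a in entry if a.lower() != "dn"}
        return sorted(must - present), sorted(present - must - may)

    def placeholder_oids(self) -> list:
        """Definitions whose OID is a 'name-oid' placeholder rather than a numeric arc."""
        return sorted({d["oid"] for d in self.classes.values()
                       if not re.fullmatch(r"\d+(\.\d+)+", d["oid"])})


if __name__ == "__main__":
    schema = Schema(OBJECT_CLASSES)
    print("slide entry:", schema.check_entry(SLIDE_ENTRY))
    broken = {k: v for k, v in SLIDE_ENTRY.items() if k != "sn"}
    broken["uidNumber"] = ["26336"]           # POSIX attribute without posixAccount
    print("broken entry:", schema.check_entry(broken))
    print("placeholder OIDs (OpenLDAP rejects these):", schema.placeholder_oids())
```

The broken entry is the case that bites when sambaAccount or posixAccount attributes are pushed into an entry before the matching object class is added: the server reports an "object class violation" and the only fix is to add the class or the missing MUST value in the same modify. This checker does not enforce the one-structural-class rule that OpenLDAP also applies.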
Match Directory Application Fields
Identify the Type of Object
Select a Similar Object Class
Select a Similar Attribute
Transfer Application Field to Matrix
List Unmatched Application Fields
[Diagram: Directory Matrix. Fields from Application 1, Application 2 ... Application n are mapped onto Directory Server Schema object classes (default object classes) and attributes]
Corporate Phone Book
Directory Application Field   Sample Values       Description                                         Default Vendor Schema
First Name                    Edmund                                                                  givenname
Last Name                     Sutcliffe                                                               sn
Full Name                     Edmund Sutcliffe                                                        cn
Phone                         +44 7976 938841     Work telephone number                               telephoneNumber
Pager                                             Allow user to update                                pager
Fax                                               Allow user to update or set to office fax number    facsimileTelephoneNumber
Mobile Phone                                      Allow user to update                                mobile
E-Mail Address                [email protected]                                                       mail
User ID                       jsmith              User ID for authentication                          uid
Identify the Type of Object
What type of object does this field describe?
Objects: Person, Conference Room
Transfer Application Field to Matrix
Corporate Phone Book
Communicator
Address Book
Conference Room
Locator
Application Fields
Application Fields
Application Fields Object Class Attribute
top objectclassaci
Last Name Last Name person (top) sn
Full Name Name Full Name cnDescription descriptionSee Also seeAlsoPhone Phone Number telephoneNumberPassword userPassword
organizationalPerson (person) destinationIndicator
Transfer Application Field: Unmatched Application Fields
List unmatched application fields: Building Number, Floor Number, Capacity, EMT
Directory Applications: Address Book, Phone Book (unmatched fields marked *: Building Number*, Floor Number*, Capacity*, EMT*)
Match Directory Data Store Fields
Identify the Type of Object
Select a Similar Object Class
Select a Similar Attribute
Transfer Field to Matrix
List Unmatched Data Store Fields
Directory Server Schema matrix (figure): Default Object Classes and Attributes, with each directory data store (S1, S2 ... Sn) listed by Dir Attribute, Sample and Description.
Exercises
Review the Default Schema (/etc/ldap/schema)
Match Directory Application Fields
Match Directory Data Store Fields
Coffee --5
Quick 10 Minutes
Unmatched Application Fields: Building Number, Floor Number, Capacity, EMT
Unmatched Data Store Attributes: Building_Number, Floor_Number, Capacity, EMT
Directory Server Schema matrix (figure): Custom Object Classes and Custom Attributes to be added for the unmatched fields.
Extend the Schema
Group Unmatched Fields into Objects
Select Similar Attributes or Create New Ones
Create New Object Class and Attribute Names
Transfer New Definitions to Matrix
Define Attribute and Object Class Rules
Group Unmatched Fields in Objects
Unmatched Fields: Building Number, Floor Number, Capacity, EMT
What type of object does it describe? Are there standard attributes?

Person (inetOrgPerson)
Application Field   Default Schema Attribute
Building Number     buildingName
Floor Number        (no match)
EMT                 (no match)

Conference Room (top)
Application Field   Default Schema Attribute
Name                cn
Phone Number        telephoneNumber
Description         description
Building Number     buildingName
Floor Number        (no match)
Capacity            (no match)
Select Similar Attributes or Create New Ones
Is the object an extension of a standard object class?
Person: select a similar object class; select a similar attribute?
Conference Room: identify the type of object
Directory Applications: Address Book, SireoChoc Phone Book (Building Number*, Floor Number*, Capacity*)
Create New Object Class Names
Unmatched Fields: Building Number, Floor Number, Capacity, EMT

fluffPerson (inetOrgPerson)
Application Field   Default Schema Attribute
Building Number     buildingName
Floor Number        (no match)
EMT                 (no match)

fluffConfRoom (top)
Application Field   Default Schema Attribute
Name                cn
Phone Number        telephoneNumber
Description         description
Building Number     buildingName
Floor Number        (no match)
Capacity            (no match)

Create new object class names that avoid present and future name conflicts
Create New Attribute Names
Unmatched Fields: Building Number, Floor Number, Capacity, EMT

fluffPerson (inetOrgPerson)
Application Field   Default & New Schema Attribute
Building Number     buildingName
Floor Number        fluffBuildFloor
EMT                 fluffEMT

fluffConfRoom (top)
Application Field   Default & New Schema Attribute
Name                cn
Phone Number        telephoneNumber
Description         description
Building Number     buildingName
Floor Number        fluffBuildFloor
Capacity            fluffConfRoomCapacity

Create new attribute names that avoid present and future name conflicts
Define Attribute and Object Class Rules
Define attribute types: DirectoryString, IA5String, DN, binary, INTEGER, and TelephoneNumber; single or multi-value
Define object class rules: inheritance, required attributes, allowed attributes
Obtain OID numbers for X.500 compatibility
Identify Authoritative Sources
What Data Store is the authoritative source for each attribute?
Matrix (figure): application fields (App 1, App 2 ... App n) and data store fields (S1, S2 ... Sn) mapped against the Directory Server Schema (Default and Custom Object Classes with OID; Attribute with OID and Syntax), with an AS (Authoritative Source) Identifier, MV (multi-value) flag and Change Notes for each attribute.
Examples of Authoritative Sources
Human Resources system: Name, Address
Phone switch: Phone Number, Cube Number
Facilities systems: Building, Floor, Access
Other directories (NT, NIS)
Other Application servers (such as Certificate): Certificates published
The Directory itself (attributes not available anywhere else or not shared by other systems for legal reasons): Home Phone Number
Data Ownership
Who makes sure data is up-to-date?
Individuals accessing their own record
Managers accessing subordinate records
Role or Group (rather than individuals) for other accesses
Identify Processes and Procedures
Processes that need to change to accommodate the directory design
Now that HomePhoneNumber is displayed, who will maintain data accuracy?
Does the current contractor process need to be changed?
Identify the correct level of authority
Who owns the information?
Change Notes (example): Departmental Phone Book to be phased out.
Exercises
Identify Processes and Procedures
Identify Authoritative Sources
Extend the Schema
Tips
Defining a good schema is as much art as science, and the more of it you do, the easier the process becomes. In general, good principles to follow include:
Reuse existing elements as much as possible
Define several smaller auxiliary object classes to mix needed attributes into existing objects
Minimize the number of mandatory attribute types within your object classes
Do not define more than one object class or attribute type to hold the same kind of information
When in doubt, keep it simple
Coffee –6
Directory Tree Design
Everyone has different views of the organization
Network Administrators “Everyone in a domain” “Everyone in a subnet”
Administration “Everyone in a cost-accounting group”
Facilities “Everyone in this building”
Telecom “Everyone on a particular switch”
DIT Design: People By Department
c=UK
  o=glasgow
    ou=Life, ou=Admin, ou=CS, ou=Engineering, ou=Estates
      entries such as cn=I Brunel
DIT Design: Types of People
c=UK
  o=glasgow
    ou=Staff, ou=Student, ou=Contractors, ou=PostGrad
      entries such as cn=James Currall
DIT Design: By Location
c=UK
  o=glasgow
    l=Watts Bld, l=Gallery, l=Library, l=Admin Bld, l=Oakfield Ave
      entries such as cn=D Montgomery
DIT Design: Deep Tree By Department
dc=com
  dc=Acme
    l=North America (l=Los Angeles, l=Dallas, l=New York)
    l=Europe (l=Munich, l=Manchester, l=Paris)
    l=Asia (l=Singapore, l=Japan)
      ou=People
        entries such as cn=Mike Smith
An Example DIT
dc=com
  o=Acme
    ou=Groups, ou=Locations, ou=Apps, ou=Systems, ou=Schema, ou=Medical, ou=Web Sites, ou=Resumes, ou=People
      people entries: cn=SmithET, cn=AikmanTA, cn=SandersDJ, cn=GonzalesJ, cn=ModanoMW
      group entries: cn=Directory User, cn=Mail Admin, cn=Medical Admin, cn=Medical User
      location entries: site=TX-SD, site=TX-RI, site=SW-BK, site=NY-AA
DIT Design: Deep -vs- Flat Trees
Deep trees:
Can result in long Distinguished Names (DN)
May reflect your actual corporate structure
Can result in administrative problems if your organization is constantly changing
Better chance of having unique names within a subtree
Works well if you want to distribute the data across multiple Directory Servers
DIT Design: Flat -vs- Deep Trees
Flat trees:
No need to categorize people
Short Distinguished Names, easy to type
DIT is very stable: not affected by organizational changes, and easy to administer
Higher chance of name collisions
Not well suited for browsing
Can result in longer load times or startup times, depending on the Directory Product you use
DIT Design: Selecting a Distinguished Name
cn=0175387, ou=People, dc=Glasgow, dc=UK
dc=UK > dc=Glasgow > ou=People > entry: cn = 0175387, givenName = Michael, nickname = Mike, surname = Smith
+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
- Browser shows useless information
- Microsoft and Netscape mail clients expected a real name in the commonName (cn) field.
DIT Design: Selecting a Distinguished Name
uid=0175387, ou=People, dc=Glasgow, dc=UK
dc=UK > dc=Glasgow > ou=People > entry: uid = 0175387, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith
+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
+ commonName (cn) field contains a real name to work well with other LDAP applications.
- Browser shows useless information
DIT Design: Selecting a Distinguished Name
uid=smithmj, ou=People, dc=Glasgow, dc=UK
dc=UK > dc=Glasgow > ou=People > entry: uid = smithmj, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ commonName (cn) field contains a real name
+ Browser shows more useful information (although not as ideal as a full name)
+ Directly maps to a user's logon ID (can be used for single sign-on)
- DN has the potential to change if the name or UID changes
- Entrust product requires the commonName (cn) to be part of the DN.
DIT Design: Selecting a Distinguished Name
cn=Mike Smith + uid=smithmj, ou=People, dc=Glasgow, dc=UK
dc=UK > dc=Glasgow > ou=People > entry: cn = Mike Smith + uid = smithmj, givenName = Michael, nickname = Mike, surname = Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user's logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Very artificial way of achieving uniqueness
- Complicated DN syntax
- More complicated Directory logon procedures
- This syntax may not be accepted as standard in the future.
DIT Design: Selecting a Distinguished Name
cn=smithmj, ou=People, dc=Glasgow, dc=UK
dc=UK > dc=Glasgow > ou=People > entry: cn = smithmj, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith, uid = smithmj
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user's logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Data is duplicated in several areas (uid and cn)
- Value displayed for commonName may vary.
DIT Design: Selecting a Distinguished Name
dc=UK > dc=Glasgow > ou=People, ou=Certificates
uid=smithmj, ou=Certificates, dc=Glasgow, dc=UK: uid = smithmj, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith
cn=smithmj, ou=People, dc=Glasgow, dc=UK: cn = smithmj (ALIAS POINTER to the entry under ou=Certificates)
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user's logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Problems with X.500 aliases: no built-in referential integrity
DIT Design: DIT Naming Proposal (rfc2377)
dc=com > dc=acme
The dc named attribute stands for domain component
The idea is to map the upper levels of the tree with registered DNS Names (in this case acme.com)
DIT Design: DIT Naming Proposal (rfc2377)
dc=com > dc=acme > dc=Corporate, dc=Customers
The dc named attribute stands for domain component
The idea is to map the upper levels of the tree with registered DNS Names (in this case acme.com)
Lower levels of the tree will also use the dc named attribute
DIT Design: DIT Naming Proposal (rfc2377)
dc=com > dc=acme > dc=Corporate, dc=DalSite
entry: uid = [email protected], cn = Mike Smith, givenName = Michael, surname = Smith
entry: uid = [email protected], cn = Jane Doe, givenName = Jane, surname = Doe
The dc named attribute stands for domain component
The idea is to map the upper levels of the tree with registered DNS Names (in this case acme.com)
Lower levels of the tree will also use the dc named attribute
Each user is identified with the uid named attribute containing the email address.
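Building the DNs from the naming slides above by hand is error-prone once values contain commas, plus signs or leading spaces. The following added example (not from the deck) composes a dc-based suffix from a DNS name as in the rfc2377 proposal and the uid, cn and cn+uid leaf RDNs compared earlier, escaping values as RFC 4514 requires; Glasgow and smithmj are the slides' sample values.

```python
# Added example (not from the deck): compose the DNs used in the DIT slides,
# a dc-mapped suffix from a DNS name (RFC 2377) and uid / cn / cn+uid leaf RDNs,
# escaping attribute values as RFC 4514 requires. Glasgow/smithmj follow the slides.

_SPECIAL = set(',+"\\<>;')   # characters that must always be escaped in a value

def escape_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def rdn(*avas):
    """Build an RDN from (type, value) pairs; several pairs give a multi-valued RDN.
    RFC 4514 joins the pairs with '+' and no spaces (the slide writes 'cn=... + uid=...')."""
    return "+".join(f"{t}={escape_value(v)}" for t, v in avas)

def dc_suffix(domain):
    """Map a registered DNS name to a dc-based suffix: acme.com -> dc=acme,dc=com."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={escape_value(l)}" for l in labels)

def person_dn(domain, uid, cn=None, style="uid"):
    """DN of a person under ou=People for the naming styles compared on the slides."""
    if style == "uid":
        leaf = rdn(("uid", uid))
    elif style == "cn":
        leaf = rdn(("cn", cn))
    elif style == "cn+uid":
        leaf = rdn(("cn", cn), ("uid", uid))
    else:
        raise ValueError(f"unknown naming style {style!r}")
    return ",".join([leaf, "ou=People", dc_suffix(domain)])
```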
Robust DIT naming and design standards are not in place yet
There is currently no single "right way" to design your DIT that applies to everyone
Take into consideration your organization
– the organizational structure
– the organization's tendency to change
– the organization's current size and potential to grow
Take into consideration how you want to use the directory
– what information will be stored in the directory
– who will own what data and how it will be mastered
– what other systems in the infrastructure will be using/storing the data
– how and what applications will be accessing the data
Carrots and Sticks
Conclusions
"If you think technology can solve your problems, then you don't understand the problems and you don't understand the technology." Bruce Schneier
The Directory, to be useful, needs to become part of the Business Process and the repository of the highest quality and timely information.
Remember that you are doing it FOR not TO the organisation.
Coffee –6
Security Technologies
Successful e-business is highly dependent on security
Security services provide: Confidentiality Integrity Authentication Non-Repudiation Access-Control
Remember…CIANA
Security Threats
Information disclosure
Integrity violation
Assumed identities/Masquerading
Denial of service
Generic Threats: Backdoors, Trojans, Insider Attacks, Viruses
Home Security Analogy
Systems Security is like home security
Policy definition: you choose who and what can be done in your home
Access control and passwords are the keys: window and door locks keep out intruders
Log files and monitoring scripts: a security camera watches open doors
Try to make your environment less inviting to those looking for easy pickings
Policy
A policy is a set of instructions that determine an organization’s view of security
A policy sets the limits of acceptable behavior and outlines responses to violations
A policy always exists
In the absence of a formal policy, the policy is…
Anything goes!
Security Implementations
Two key implementations of security are: SSL S/MIME
Each is implemented at different layers
Figure: SSL provides secure communication at the Network Layer (IP), below an otherwise non-secure application; S/MIME provides secure communication at the Application Layer.
SSL as a Security Solution
SSL ensures safe and secure client-server transactions
Provides authentication, privacy, and message integrity
Data going over the network is point-to-point encrypted
SSLv3.1 approved by IETF, called Transport Layer Security
Figure: SSL sits between the Application Layer and the Network Layer (TCP/IP), giving the application secure communication.
SSL Server Authentication
Client: initiates contact via https, "I'd like to talk SSL"
Server: "Here's my certificate" (public key included)
Client: validates the server certificate; 1. generates a secret key, 2. encrypts the secret key with the server's public key
Server: decrypts the secret key using its private key
Client and Server: use the secret key to make session keys
SSL established
Transmit data using session keys
SSL With Client Authentication
Client: initiates contact via https, "I'd like to talk SSL"
Server: "Here's my certificate. Where's yours?" (public key included)
Client: validates the server certificate; 1. generates a secret key, 2. encrypts the secret key with the server's public key, 3. sends the encrypted key and the client certificate
Server: validates the client certificate and decrypts the secret key
SSL established
Transmit data using session keys