Alfred Marshall's critical analysis of scientific management - Classes
LDAP Theory and Management - Brad Marshall's Website
Transcript of LDAP Theory and Management - Brad Marshall's Website
![Page 2: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/2.jpg)
Contents
What is LDAP?
Directory services
LDAP Models
Namespaces
Schema
Replication
LDIF and DSML
Search Filters
LDAP Protocol
SAGE-AU Conf 2003 – p. 2
![Page 3: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/3.jpg)
Contents cont
Directory Life Cycle
Directory Management
Namespace Design
Topology Design
Replication Design
Management Models
Data Maintanence
Metadirectories
Virtual directories
SAGE-AU Conf 2003 – p. 3
![Page 4: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/4.jpg)
History of LDAP
Originally started as a front end to X.500
Provides much of X.500’s functionality at a lowerimplementation cost
Removed redundant and rarely used operations
Uses TCP rather than OSI stack
University of Michigan wrote first LDAP implementation
Most early LDAP implementations were based on it
U.Mich eventually realized didn’t need X.500 and wrotelightweight server
Meant it was easier to deploy, and more people startedusing it
SAGE-AU Conf 2003 – p. 4
![Page 5: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/5.jpg)
What is LDAP?
LDAP = Lightweight Directory Access Protocol
Stanard protocol that can be used to access informationover a network
Based on X.500
Directory Service
Described in RFC1777 and RFC2251
Stores attribute based data
SAGE-AU Conf 2003 – p. 5
![Page 6: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/6.jpg)
What is LDAP cont
Data generally read more than written toNo transactionsNo rollback
Client-server model
Based on entriesCollection of attributesGlobally unique distinguished name (DN) - likedomain name
Entries arranged in hierarchical tree structure
SAGE-AU Conf 2003 – p. 6
![Page 7: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/7.jpg)
Directory Services
Directories are a specialized database
Used in everyday lives - phone book, TV guides, etc
Everyday directories fairly static
Online directories are dynamic, flexible, secure and canbe personalized
Examples of online directories are finger, DNS, NIS andunix password file
SAGE-AU Conf 2003 – p. 7
![Page 8: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/8.jpg)
Why use LDAP
Centrally manage users, groups and other data
Don’t have to manage separate directories for eachapplication - stops the “N + 1 directory problem”
Distribute management of data to appropriate people
Allow users to find data that they need
Not locked into a particular server
Ability to distribute servers to where they are needed
Standards available for sharing data
SAGE-AU Conf 2003 – p. 8
![Page 9: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/9.jpg)
What LDAP can do
Find things - local office phone book, Internetdirectories such as Four11, BigFoot etc
Manage things - users and groups. Removes “N + 1”directory problem
Lightweight database applications - sort bookmarks,small bits of data
Security - store username and passwords, digitalcertificates, PKI etc
SAGE-AU Conf 2003 – p. 9
![Page 10: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/10.jpg)
What LDAP can’t do
LDAP isn’t a relational databaseNo rollback for failed operations
LDAP isn’t a filesystemNo locking or seekingCan’t search blobs of data
LDAP isn’t good for dynamic objectsOptimized for read, not writeNo locking to ensure transactions occur in a certainorder - corruption could occur
No generic SQL-like reporting language
Not useful without applications
SAGE-AU Conf 2003 – p. 10
![Page 11: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/11.jpg)
LDAP vs Databases
Read-write ratio - LDAP is read optimized
Extensibility - LDAP schemas are more easily changed
Distribution - with LDAP data can be near where it isneeded, and highly distributed
Replication - with LDAP data can be stored in multiplelocations
Different performance - directories used for manydifferent applications, and queries are usually simpler,but many more of them
Data sharing - LDAP is designed for sharing data,databases designed for one application
SAGE-AU Conf 2003 – p. 11
![Page 12: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/12.jpg)
LDAP vs Databases cont
Database objects have complex relationships
Transaction model - LDAP transactions are simple -usually changing one entry, databases can modifymuch more
Size of information - LDAP is better at storing small bitsof information
Type of information - LDAP stores information inattributes
Naming model - LDAP is hierachical
Schemas - database schemas are entirely user defined,directories have core schemas to help interoperability
Standards are more important for directories - LDAPclients can talk to any LDAP server, but database clientcan only talk to the database it was designed for SAGE-AU Conf 2003 – p. 12
![Page 13: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/13.jpg)
LDAP vs NIS
Uses arbitrary ports
No data encryption
No access-control mechanism
Uses a flat (non scalable) namespace
Uses a single-key database (providing only basicsearching abilities)
All changes had to be made by the superuser on thedomain master
Does not provide directory services for non nameservice applications
No ability for clustering (slapd replication and roundrobin DNS for LDAP)
SAGE-AU Conf 2003 – p. 13
![Page 14: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/14.jpg)
X.500
Designed by International Telecom Union (ITU) andInternational Organization for Standards (ISO)
First designed in 1988
First general purpose directory system
Designed to be extensible - rich search operations
Open standard
Relies on large suite of protocols
Early implementations buggy and slow
Based on OSI network protocols, not TCP/IP
SAGE-AU Conf 2003 – p. 14
![Page 15: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/15.jpg)
LDAP Directory Services
Two general types of directory servers:
Stand alone LDAP serversLDAP is only access mechanismData stores tuned for LDAP
LDAP gateway serversTranslate betwen LDAP and some other protocolOriginal use of LDAP - gateway to X.500
Doesn’t really matter where data is stored, as long as it isaccessible via LDAP
SAGE-AU Conf 2003 – p. 15
![Page 16: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/16.jpg)
Common LDAP Applications
White pages
Authentication and authorization
Personalization
Roaming profiles
Public Key Infrastructure (PKI)
Message delivery
SAGE-AU Conf 2003 – p. 16
![Page 17: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/17.jpg)
LDAP Models
Information Model - defines the types of data and basicunits of info stored in directory
Naming Model - defines how to organise and refer tothe data
Functional Model - defines operations in LDAP protocol
Security Model - defines framework for protectinginformation
SAGE-AU Conf 2003 – p. 17
![Page 18: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/18.jpg)
Acronyms
Acronym DefinitionLDAP Lightweight Directory Access Protocol
DN Distinguish NameRDN Relative Distinguished NameDIT Directory Information Tree
LDIF LDAP Data Interchange FormatDSML Directory Services Markup Language
OID Object Identifier
SAGE-AU Conf 2003 – p. 18
![Page 19: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/19.jpg)
Namespaces
Hierarchical data structureEntries are in a tree-like structure called DirectoryInformation Tree (DIT)
Consistent view of data - uniform namespaceAnswers requestRefer to server with answer
SAGE-AU Conf 2003 – p. 19
![Page 20: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/20.jpg)
Namespaces - Hierarchal
dc=com
dc=pisoftware
ou=People ou=Group
uid=bmarshaluid=jparker
cn=dev cn=sysadmin
SAGE-AU Conf 2003 – p. 20
![Page 21: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/21.jpg)
Namespaces - Flat
dc=com
dc=pisoftware
uid=bmarshaluid=jparker
...
SAGE-AU Conf 2003 – p. 21
![Page 22: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/22.jpg)
Namespaces cont
Directory tree is similar to unix file systemNo root entry in ldapEach entry in ldap can both contain data and be acontainer
In unix, an entry is either a file or a directory - notboth
LDAP distinguished names are read from bottom totop, unix file systems from top to bottom
SAGE-AU Conf 2003 – p. 22
![Page 23: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/23.jpg)
Namespaces cont
/
usr
local
bin
X11R6
bin
sshd
lib
dc=com
dc=pisoftware
ou=People
ou=Sysadmin
ou=Group
cn=dev
uid=bmarshal
dc=sun
SAGE-AU Conf 2003 – p. 23
![Page 24: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/24.jpg)
Global View
LDAPServer 1
LDAPServer 2
LDAPServer 3
Note each server must contain a subtree
SAGE-AU Conf 2003 – p. 24
![Page 25: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/25.jpg)
Distinguished Names
Defined in RFC2253 “Lightweight Directory AccessProtocol (v3): UTF-8 String Representation ofDistinguished Names”
Built up by starting at the bottom, and connecting eachlevel together with commas
Contain two partsLeft most part is called relative distinguished nameRemainder is base distinguished name
Eg: uid=bmarshal,ou=People,dc=pisoftware,dc=comRDN is uid=bmarshalBase DN is ou=People,dc=pisoftware,dc=com
SAGE-AU Conf 2003 – p. 25
![Page 26: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/26.jpg)
Distinguished Names cont
In each base DN, each RDN is uniqueThis ensures no two entries have the same DN
dc=com
dc=pisoftware dc=sun
ou=Peopleou=People
Same RDN
SAGE-AU Conf 2003 – p. 26
![Page 27: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/27.jpg)
LDAP Entry
Entries are composed of attributes
Attributes consist of types with one or more values
Type describes what the information is
Value is the actual information in text format
Attributes have a syntax which specifies what type ofdata - see Schema later on
SAGE-AU Conf 2003 – p. 27
![Page 28: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/28.jpg)
Referrals
1
23
4
LDAPServer 1
LDAPServer 2
1. Client requestsinformation
2. Server 1 returns referralto server 2
3. Client resends requestto server 2
4. Server 2 returnsinformation to client
SAGE-AU Conf 2003 – p. 28
![Page 29: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/29.jpg)
Aliases
Aliases are used to point one LDAP entry to another
Allows you to have structures that aren’t hierarchal
Similar in sense to using a symlink in unix
Not all LDAP servers support aliases - big performancehit
SAGE-AU Conf 2003 – p. 29
![Page 30: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/30.jpg)
Aliases cont
Created by:Entry with object class of aliasAttribute named aliasedObjectName that points toDN of the alias
Can use either referrals or putting a LDAP url in an entry
SAGE-AU Conf 2003 – p. 30
![Page 31: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/31.jpg)
Schema
Set of rules that describes what kind of data is stored
Helps maintain consistency and quality of data
Reduces duplication of data
Ensures applications have consistent interface to thedata
Object class attribute determines schema rules theentry must follow
SAGE-AU Conf 2003 – p. 31
![Page 32: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/32.jpg)
Schema cont
Schema contains the following:Required attributesAllowed attributesHow to compare attributesLimit what the attributes can store - ie, restrict tointeger etcRestrict what information is stored - ie, stopsduplication etc
SAGE-AU Conf 2003 – p. 32
![Page 33: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/33.jpg)
Objectclass
Used to group information
Provides the following rules:Required attributesAllowed attributesEasy way to retrieve groups of information
Entries can have multiple object classesRequired and allowed attributes are the union of theattributes of each of the classes
SAGE-AU Conf 2003 – p. 33
![Page 34: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/34.jpg)
Objectclass inheritance
Object classes can be derived from others
Extends attributes of other objectclass
No multiple inheritance
Can’t override any of the rules
Special class called top - all classes extendOnly required attribute is objectclassEnsures all entries have a objectclass
SAGE-AU Conf 2003 – p. 34
![Page 35: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/35.jpg)
Attributes
Attributes have:
Name - unique identifier, not case sensitive
Object identifier (OID) - sequence of integers separatedby dots
Attribute syntax:Data attributes can store - eg integer, string etcHow comparisons are made
If multi valued or single valued
SAGE-AU Conf 2003 – p. 35
![Page 36: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/36.jpg)
Attribute Abbreviations
See RFC2256uid User idcn Common Namesn Surname
l Locationou Organizational Unit
o Organizationdc Domain Componentst Statec Country
SAGE-AU Conf 2003 – p. 36
![Page 37: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/37.jpg)
Replication
Replication is method used to keep copy of directorydata on multiple servers
Increases:Reliability - if one copy of the directory is downAvailability - more likely to find an available serverPerformance - can use a server closer to youSpeed - can take more queries as replicas are added
Temporary inconsistencies are ok
Having replicas close to clients is important - networkgoing down is same as server going down
Removes single point of failure
SAGE-AU Conf 2003 – p. 37
![Page 38: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/38.jpg)
Replication Options - Mods to Master
LDAPClient
Modifications
Searches
LDAPmaster
(read/write)
LDAPslave
(read only)
Updatesreplica
SAGE-AU Conf 2003 – p. 38
![Page 39: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/39.jpg)
Replication Options - Referrals
LDAPClient
LDAPslave
(read only)1
2
3
4
5
LDAPmaster
(read/write)
1. Client sends modification to replica
2. Replica returns referral of master to client
3. Client resubmits modification to master
4. Master returns results to client
5. Master updates replica with change
SAGE-AU Conf 2003 – p. 39
![Page 40: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/40.jpg)
Replication Options - Chaining
1
23
4
5
LDAPMaster
LDAPSlave
Client
1. Client sendsmodification to replica
2. Replica forwards requestto master
3. Master returns result toreplica
4. Replica forwards resultto client
5. Master updates replica
SAGE-AU Conf 2003 – p. 40
![Page 41: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/41.jpg)
Replication - Single Master
Single masterSingle server with read-write copy of dataUse read-only replicas to handle load of reading andsearchingUses referrals or chaining to deal with mods beingsent to replicasObvious single point of failureSimplest to implement
SAGE-AU Conf 2003 – p. 41
![Page 42: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/42.jpg)
Replication - Floating Master
Floating masterOnly one server with writeable copy of data at anytimeIf master becomes unavailable, new master ischosen from remaining serversActual alogorithm used depends on server - usuallyvoting
SAGE-AU Conf 2003 – p. 42
![Page 43: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/43.jpg)
Replication - Cascading
Cascading replicationMaster replicates to hub which replays updates tofuther serversHelps balance very heavy loads - master can beused for all writes, and pass off all replication to hubCan replicate out to local hubs in geographicallydisperse topologies - reduces costIncrease performance - put all reads on “bottom”servers
SAGE-AU Conf 2003 – p. 43
![Page 44: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/44.jpg)
Replication - Fractional
Fractional replicationReplicates subsets of attributesUseful for synchronizing from intranet to extranetand removing data for security reasonsCan help reduce replication costs by removingunneeded data
SAGE-AU Conf 2003 – p. 44
![Page 45: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/45.jpg)
Replication - Multi-master
Multi-masterMore than one server with writable copy of dataServers are responsible for ensuring datapropogatesNeed a conflict resolution policy - most currentservers use a last writer wins policyCan have automatic failover when one is unavailableMost complex to implement
SAGE-AU Conf 2003 – p. 45
![Page 46: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/46.jpg)
LDIF
LDAP Data Interchange FormatRepresents LDAP entries in textHuman readable formatAllows easy modification of dataUseful for doing bulk changes
dump db, run a script over, import backCan use templates for additionsGood for backups and transferring data to anothersystem
SAGE-AU Conf 2003 – p. 46
![Page 47: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/47.jpg)
LDIF Cont
If attribute contains non-ascii chars, begins with aspace, colon or less than, the value is stored in base64and type separator is ::
Can mix plain text and encoded values
Can specify URLs, type separator is :<
Entries in LDIF are separated with a blank line
Continued lines start with spaces
Utilities to convert from database to ldif and backslapcat: ldbm database to ldifslapadd: ldif to ldbm database
Few non-LDAP related servers know how to deal with it
SAGE-AU Conf 2003 – p. 47
![Page 48: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/48.jpg)
LDIF Example
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshalcn: Brad Marshallobjectclass: accountobjectclass: posixAccountobjectclass: toploginshell: /bin/bashuidnumber: 500gidnumber: 120homedirectory: /mnt/home/bmarshalgecos: Brad Marshall,,,,userpassword: {crypt}lDIOnUp17x2jc
SAGE-AU Conf 2003 – p. 48
![Page 49: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/49.jpg)
DSML
XML-based file format
Can store both schema and data
Can use as generic import/export format for directorydata
Many existing servers can deal with XML
More complex than LDIF
Not all LDAP servers support it
SAGE-AU Conf 2003 – p. 49
![Page 50: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/50.jpg)
DSML Example
<dsml:dsml xmlns:dsml="http://www.dsml.org/DSML"><dsml:directory-entries>
<dsml:entry dn="uid=bmarshal,dc=example,dc=com"><dsml:objectclass>
<dsml:oc-value>top</dsml:oc-value><dsml:oc-value>account</dsml:oc-value>
</dsml:objectclass><dsml:attr name="cn">
<dsml:value>Brad Marshall</dsml:value></dsml:attr><dsml:attr name=loginShell>
<dsml:value>/bin/bash</dsml:value></dsml:attr>
</dsml:entry></dsml:directory-entries>
</dsml:dsml>SAGE-AU Conf 2003 – p. 50
![Page 51: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/51.jpg)
Search Filters
Consists of:Base and scope - what part to searchFilter - what criteria attributes must fulfill to bereturnedAttributes - what attributes to return
Prefix notation
StandardsRFC 1960: LDAP String Representation of SearchFiltersRFC 2254: LDAPv3 Search Filters
SAGE-AU Conf 2003 – p. 51
![Page 52: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/52.jpg)
Search Filters Operators
Basic filter typesPresenceEqualitySubstringGreater-than or equalLess-than or equalApproximateExtensible
Joining filters
& and| or! not
SAGE-AU Conf 2003 – p. 52
![Page 53: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/53.jpg)
Search Filter Details
PresenceSimple checks for presence of attributeCan return everything by using (objectClass=*)
EqualityChecks for entries containing given attribute andvalueMost commonly used searchFastest and easiest to indexCase sensitivity depends on attribute syntax
SAGE-AU Conf 2003 – p. 53
![Page 54: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/54.jpg)
Search Filter Details cont
Substring matchingReturns entries with values matching givensubstringsUseful for finding information, eg in white pages etcNot wildcard or regular expression matchingRestricted to matching start, middle or end of stringsSlower than presence or equalityMiddle substring matches slower than start or end
SAGE-AU Conf 2003 – p. 54
![Page 55: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/55.jpg)
Search Filter Details cont
Ordered matching (greater-than, less-than)Order determined by attributes syntax and matchingrules
Approximate filterAlgorithm used determined by serverCommon to have soundex
ExtensibleAllows applying an explicit matching rule to a searchfilterNot very common, but powerful
SAGE-AU Conf 2003 – p. 55
![Page 56: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/56.jpg)
Search Filters Examples
(objectclass=posixAccount)
(cn=Mickey M*)
(|(uid=fred)(uid=bill))
(&(|(uid=jack)(uid=jill))(objectclass=posixAccount))
SAGE-AU Conf 2003 – p. 56
![Page 57: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/57.jpg)
Search Scope
3 types of scope:base limits to just the base object
onelevel limits to just the immediate childrensub search the entire subtree from base down
SAGE-AU Conf 2003 – p. 57
![Page 58: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/58.jpg)
Base Scope
SAGE-AU Conf 2003 – p. 58
![Page 59: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/59.jpg)
One Level Scope
SAGE-AU Conf 2003 – p. 59
![Page 60: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/60.jpg)
Subtree Scope
SAGE-AU Conf 2003 – p. 60
![Page 61: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/61.jpg)
Optimizing Searches
Index commonly accessed attributes and appropriatefilters
Reduce opening and closing connections
Only request attributes you need
Limit the search scope if possible
Minimize number of searches - combine searches intoone, if possible
Minimize updates - writes are slow
Use replicas / high availability techniques on the server
SAGE-AU Conf 2003 – p. 61
![Page 62: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/62.jpg)
Operational Attributes
Attributes used by server that usually aren’t displayed
Vary by directory vendor
Usually time stamps, server access controls, admininformation, last updated dates etc
SAGE-AU Conf 2003 – p. 62
![Page 63: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/63.jpg)
Extending Schema
To extend schemas, the process is as follows:
Obtain Object Identifier (OID)
Choose name prefix
Create local schema file
Define custom attribute types (if necessary)
Define custom object classes
(Note these examples are from OpenLDAP, others shouldbe similar)
SAGE-AU Conf 2003 – p. 63
![Page 64: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/64.jpg)
Obtaining OID
OIDs found in protocols described by ASN.1, eg SNMP
OIDs are hierachical
Do not just arbitrarily pick an OID
OIDs are obtained from IANA, under Private Enterprisearc at no cost
OID from IANA will be something like 1.3.6.1.4.1.X
For experiments, OID 1.1 is available (regarded asdead namespace)
SAGE-AU Conf 2003 – p. 64
![Page 65: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/65.jpg)
Choose name prefix
Schema elements all have names
Names should be descriptive and not likely to clash
Convention is to prefix names with few letters to localizethe changes
The smaller the organization, the longer the prefixshould be
Examples are auFirm (Aust company) orcomPisoftware (elements for pisoftware.com)
SAGE-AU Conf 2003 – p. 65
![Page 66: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/66.jpg)
Attribute Types and Object Classes
attributetype directive used to define new attribute types
Uses Attribute Type Description, as per RFC2252
objectclasses directive used to define new object class
Uses Object Class Description, as per RFC2252
SAGE-AU Conf 2003 – p. 66
![Page 67: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/67.jpg)
Attribute Type Description
AttributeTypeDescription = "(" whspnumericoid whsp ; AttributeType identifier
[ "NAME" qdescrs ] ; name used in; AttributeType
[ "DESC" qdstring ] ; description[ "OBSOLETE" whsp ][ "SUP" woid ] ; derived from this
; other AttributeType[ "EQUALITY" woid ; Matching Rule name[ "ORDERING" woid ; Matching Rule name[ "SUBSTR" woid ] ; Matching Rule name
SAGE-AU Conf 2003 – p. 67
![Page 68: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/68.jpg)
Attribute Type Description cont
[ "SYNTAX" whsp noidlen whsp ][ "SINGLE-VALUE" whsp ]
; default multi-valued[ "COLLECTIVE" whsp ]
; default not collective[ "NO-USER-MODIFICATION" whsp ]
; default user modifiable[ "USAGE" whsp AttributeUsage ]
; default userApplicationswhsp ")"
AttributeUsage ="userApplications" /"directoryOperation" /"distributedOperation" /"dSAOperation"
SAGE-AU Conf 2003 – p. 68
![Page 69: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/69.jpg)
Attribute Type Example
attributetype ( 2.5.4.41 NAME ’name’DESC ’names associated with the object’EQUALITY caseIgnoreMatchSUBSTR caseIgnoreSubstringsMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.4 NAME ( ’sn’ ’surname’ )DESC ’surnames associated with the object’SUP name )
SAGE-AU Conf 2003 – p. 69
![Page 70: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/70.jpg)
Object Class Description
ObjectClassDescription = "(" whspnumericoid whsp ; ObjectClass identifier
[ "NAME" qdescrs ][ "DESC" qdstring ][ "OBSOLETE" whsp ][ "SUP" oids ] ; Superior ObjectClasses[ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" )
whsp ] ; default structural[ "MUST" oids ] ; AttributeTypes[ "MAY" oids ] ; AttributeTypeswhsp ")"
SAGE-AU Conf 2003 – p. 70
![Page 71: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/71.jpg)
Object Class Example
objectclass ( 1.3.6.1.1.1.2.0NAME ’posixAccount’SUP topAUXILIARYDESC ’Abstraction of an account
with POSIX attributes’MUST ( cn $ uid $ uidNumber $
gidNumber $ homeDirectory )MAY ( userPassword $ loginShell $
gecos $ description ) )
SAGE-AU Conf 2003 – p. 71
![Page 72: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/72.jpg)
LDAP Protocol
Uses client server model
Message oriented protocol - client sends messages toserver and gets replies
Can issue multiple requests at once - each responsehas message id to identify
9 basic protocol operations - interrogation, update andauthentication
LDAPv3 provides extended operations and controls
Uses simplified version of Basic Encoding Rules (BER)- not plain text
SAGE-AU Conf 2003 – p. 72
![Page 73: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/73.jpg)
LDAP Protocol Operations
Interrogation operationssearchcompare
Update operationsadddeletemodifyrename
Authentication and control operationsbindunbindabandon
SAGE-AU Conf 2003 – p. 73
![Page 74: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/74.jpg)
Typical LDAP conversation
Client Server
Open connection and bind
Result of bind operation
Search operation
Returned entry 1
Returned entry 2
Results of search operation
Unbind operation
Close connection
SAGE-AU Conf 2003 – p. 74
![Page 75: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/75.jpg)
Bind Operations
How client authenticates to directory
Opens TCP connection, gives distinguished name andcredentials
Server checks credentials are correct, returns result toclient
If credentials fail, returns an anonymous bind
Authentication lasts while connection is open, or untilclient reauthenticates
Credentials can be password, digital certificate or other
SAGE-AU Conf 2003 – p. 75
![Page 76: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/76.jpg)
Authentication Levels
There are 3 basic levels of authentication:
Anonymous - no username and passwordEnabled by default, disable using “disallowbind_anon” in slapd.conf
Unauthenticated - only username (sometimes calledreference bind)
Disabled by default, enable using “allowbind_anon_cred” in slapd.conf
Authenticated - username and correct passwordEnabled by default, disable using “disallowbind_anon_simple” in slapd.conf
SAGE-AU Conf 2003 – p. 76
![Page 77: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/77.jpg)
LDAP Security Model
AuthenticationHow to verify identities
Password policiesCriteria passwords must satisfy to be valid - ie,length, age etc
EncryptionEnsuring data is private
Access controlWho can access what data
AuditingDetermine if security model is being followed - ie,logs
SAGE-AU Conf 2003 – p. 77
![Page 78: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/78.jpg)
Security Model - Authentication
Anonymous access
Simple password
Proxy authentication
Simple password over encrypted connection
Certificate based authentication
SASL based authentication
SAGE-AU Conf 2003 – p. 78
![Page 79: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/79.jpg)
Password policies
Minimum length
Maximum age
Syntax checking
History keeping
Expiration policy
Account lockout policy
SAGE-AU Conf 2003 – p. 79
![Page 80: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/80.jpg)
Access Control
Set permissions on:
Entire directory
Subtree
Specific entries
Specific attributes
Any entry that matches a search filter
SAGE-AU Conf 2003 – p. 80
![Page 81: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/81.jpg)
LDAP URLs
Definition taken from RFC2255<ldapurl> ::= "ldap://" [ <hostport> ]
"/" <dn> [ "?" <attributes>[ "?" <scope> "?" <filter> ] ]
<hostport> ::= <hostname>[ ":" <portnumber> ]
<dn> ::= a string as defined in RFC 1485<attributes> ::= NULL | <attributelist><attributelist> ::= <attributetype>
| <attributetype>[ "," <attributelist> ]
<attributetype> ::= a string as definedin RFC 1777
<scope> ::= "base" | "one" | "sub"<filter> ::= a string as defined in RFC 1558
SAGE-AU Conf 2003 – p. 81
![Page 82: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/82.jpg)
LDAP URLs
DN Distinguished name
Attribute list List of attributes you want returned
Scope
base base object searchone one level searchsub subtree search
Filter Standard LDAP search filter
SAGE-AU Conf 2003 – p. 82
![Page 83: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/83.jpg)
LDAP URL examples
ldap://foo.bar.com/dc=bar,dc=com
ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney
ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney
SAGE-AU Conf 2003 – p. 83
![Page 84: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/84.jpg)
LDAP Related Standards Bodies
Consortiums and Standard BodiesOASIS
Directory Services Markup LanguageDistributed Management Task Force (DMTF)
Common Informational Model (CIM)Network Applications Consortium (NAC)
Users GroupOpen Group Directory Interoperability Forum (DIF)
LDAP2000 InteroperabilityInternet Engineering Task Force (IETF)
LDAP Standards
SAGE-AU Conf 2003 – p. 84
![Page 85: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/85.jpg)
IETF Working Groups
IETF Working GroupsLDAPExt
Access ControlsAPIs
LDUPReplication
LDAPbisLDAPv3 Protocol revisions
SAGE-AU Conf 2003 – p. 85
![Page 86: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/86.jpg)
LDAPv3
Internationalization - using UTF-8
Referrals and Continuations
SecurityAuthentication via SASLIntegrity and Confidentiality Protection via TLS orSSL
Extensibility
Feature and schema discoveryLDAPv3 servers have a directory entry called rootDSE (Directory Server Entry)Contains: protocol supported, schemas, other usefulinfo
SAGE-AU Conf 2003 – p. 86
![Page 87: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/87.jpg)
Directory Uses
3 main uses of directories
Network directoryProvides user account management
Enterprise directoryGlobal repository for shared informationDetails about people, organisations and devices
Business directoryDetails about trading partners, customers, suppliersetc
SAGE-AU Conf 2003 – p. 87
![Page 88: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/88.jpg)
Directory Life Cycle
3 main parts to life cycle:
DesignUnderstand directory requirements and gather data
DeploymentActually try out directory
MaintenanceUpdate data, keep service running, and improve
SAGE-AU Conf 2003 – p. 88
![Page 89: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/89.jpg)
Design Cycle
Directory needsUnderstand what applications require
DataFind existing data sourcesDetermine relationship to directory
SchemaDevelop schemas for applications requirements
NamespaceOrganise data layout
SAGE-AU Conf 2003 – p. 89
![Page 90: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/90.jpg)
Design Cycle cont
TopologyDetermine where servers are locatedDetermine how data is divided
ReplicationEnsure data is available where it is needed
SecurityEssential to meeting security and privacyrequirements of users
SAGE-AU Conf 2003 – p. 90
![Page 91: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/91.jpg)
Deployment Cycle
Choose directory softwareEvaluate and choose software
PilotingInital testing to check design
Performance and scaling testingTesting to see if system can handle the task
TuningCheck process as well as technical
User feedbackExpose users to test system
Going into productionMove from pilot to production
SAGE-AU Conf 2003 – p. 91
![Page 92: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/92.jpg)
Maintenance Cycle
Data maintenanceKeeping data up to date
Data backupsEnsure backups don’t interfer with operationsReplication can help here
Schema additionsExtend schemas when adding new applications
MonitoringIntegrate with existing system if possible
ExpansionTry to plan for expansion - growth may surprise you
Changing requirementsDon’t get caught out SAGE-AU Conf 2003 – p. 92
![Page 93: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/93.jpg)
Directory Management
Directory management consists of:
Namespace and directory tree design
Determine root naming context
Integration with existing data
Synchronization
Maintaining data
Choosing mangement model
SAGE-AU Conf 2003 – p. 93
![Page 94: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/94.jpg)
Basic Design Steps
Define applications for directory
Find data sources and relationships
Schema design
Namespace design and topology
Replication
Extraction and population
Testing and deployment
SAGE-AU Conf 2003 – p. 94
![Page 95: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/95.jpg)
Schema Design
Be aware of existing schemas and use them if possible
Use schemas provided with applications
Define and document any new schemas required
Be prepared for schema evolution as things change
SAGE-AU Conf 2003 – p. 95
![Page 96: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/96.jpg)
Namespace Design
Designing a namespace is Hard
Requires indepth knowledge of what the directory willbe used for
Hard to reorganise once data is put in - requiresdowntime, etc
Needs to support applications that want to use it - beaware of existing standards
SAGE-AU Conf 2003 – p. 96
![Page 97: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/97.jpg)
Namespace Design cont
Try not to break out into different departments - whathappens when person moves?
Avoid designs that will have to change - eg, don’t baseon org chart
Don’t go overboard - too much hierachy can getconfusing
Probably won’t get it right first - will take some iterations
SAGE-AU Conf 2003 – p. 97
![Page 98: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/98.jpg)
Namespace Design cont
Good namespace design helps with:
Delegation of authority
Replication of data
Security and access control
Scalability
Physical placement of servers
SAGE-AU Conf 2003 – p. 98
![Page 99: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/99.jpg)
Tree Design
3 most commonly used tree designs for a single company
Organizational
Flat
Geographical
SAGE-AU Conf 2003 – p. 99
![Page 100: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/100.jpg)
Organizational Based Tree
dc=pisoftware
dc=com
ou=Sales
ou=Devel ou=Sysadmin
ou=People ou=Groups ou=Apps
SAGE-AU Conf 2003 – p. 100
![Page 101: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/101.jpg)
Organizational Based Details
Mirrors organizational structure
Good for using delegated administration managementmodel
People changing jobs mean a change to distinguishedname
Groups refer to distinguished names - no referentialintegrity checking
SAGE-AU Conf 2003 – p. 101
![Page 102: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/102.jpg)
Flat Tree
dc=pisoftware
dc=com
ou=People ou=Groups ou=Apps
SAGE-AU Conf 2003 – p. 102
![Page 103: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/103.jpg)
Flat Details
Simplest layout - all people and groups are in one leveldown from root
Entries only added or removed on hiring and firing - notinternal job changes
Most directory servers can’t split single branch acrossmultiple servers
Harder to delegate admin control
SAGE-AU Conf 2003 – p. 103
![Page 104: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/104.jpg)
Geographical Tree
dc=pisoftware
dc=com
ou=Australia
ou=Asia ou=America
ou=People ou=Groups ou=Apps
SAGE-AU Conf 2003 – p. 104
![Page 105: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/105.jpg)
Geographical Details
Branch for each geographical location of the company
Each geographical location has a master, alsoreplicates rest of tree
Rarer for people to move between geographicallocations
Geographical dispersement of company might notmatch political
SAGE-AU Conf 2003 – p. 105
![Page 106: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/106.jpg)
Choosing Root Naming Context
Root naming context is servers top level entry
Some servers can have multiple root naming contexts
Two main choices:TraditionalDomain component
Active Directory doesn’t give a choice for root namingcontext, most others do
SAGE-AU Conf 2003 – p. 106
![Page 107: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/107.jpg)
Traditional Style
Traditionally has been ‘o=company,c=country’Company is free-form string of company nameCountry is ISO 2 letter country code
Inherited from X.500
Can cause conflicts between similarly namedcompanies
SAGE-AU Conf 2003 – p. 107
![Page 108: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/108.jpg)
Domain Component Style
Use DNS name to generate base DN
See RFC2377 for more details - "Naming Plan forInternet Directory-Enabled Applications"
example.com gives dc=example,dc=com
Already globally unique
Already registered
Can trace back to who owns it easily
Some CAs only allow traditional X.500 attributes, whichdoesn’t include dc
SAGE-AU Conf 2003 – p. 108
![Page 109: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/109.jpg)
Topology Design
Directory tree can be spread over multiple physicalservers
Design is important to:Increase performanceIncrease availabilityBetter manage directoryHold more entries than a single server could
Users see one large directory
Closely related to replication design
SAGE-AU Conf 2003 – p. 109
![Page 110: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/110.jpg)
Topology Design
Each server is delegated a partition of the directory
Similar to DNS
One server is the root and is common ancestor to allsubpartitions
Partitions must be a complete subtree, and not excludeany entries
Servers can hold more than one partition, eg read-onlycopies
SAGE-AU Conf 2003 – p. 110
![Page 111: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/111.jpg)
Topology Design - References
Directory glued together using knowledge references
Immediate superior knowledge referencesPoints up the treeHooks back up to ancestor
Subordinate knowledge referencesPoints down the tree to other partitionsHook to hang other partitions off
SAGE-AU Conf 2003 – p. 111
![Page 112: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/112.jpg)
Topology Design - Why Partition
Too many entries for a single server
Increase performance and scalability
Applications mostly read and modify entries in localsection of tree
Replication traffic to a single partition is too large
If partitioning allows traffic to remain local, won’t have tocross slow WAN links
If directory use will rapidly expand
SAGE-AU Conf 2003 – p. 112
![Page 113: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/113.jpg)
Topology Design - Why Not Partition
All entries can fit on a single server
Applications modify entries across whole tree
Not much replication traffic
Organisation is centrally located, no slow WAN links
Directory use is static and won’t exceed capabilities ofsingle server
SAGE-AU Conf 2003 – p. 113
![Page 114: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/114.jpg)
Topology Design - Considerations
Consider directory enabled applications andperformance requirements
Understand server software limitations and capabilities
Consider physical layout of network and location ofapplications
Ensure namespace design fits within constraints - ie,flat namespace isn’t good for partitioning
SAGE-AU Conf 2003 – p. 114
![Page 115: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/115.jpg)
Replication Design
Increases reliability and performance
Allows locating data close to users and applications thatneed them
Can manage data where it is being used
Gives redundancy - applications can fail over to replicas
Can distribute load across multiple servers, increasingperformance
Closely related to topology design
SAGE-AU Conf 2003 – p. 115
![Page 116: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/116.jpg)
Replication Design Strategy
High availabilityMultiple directories at one siteUse multi-master to ensure write-failover
Local availabilityReplicas at local officesUseful if network links are unreliable or intermittantHelps reduce load on master serverMasters can be at:
Central officeLocal server is master for local part of directorytree
SAGE-AU Conf 2003 – p. 116
![Page 117: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/117.jpg)
Replication Design Strategy cont
Disaster recoveryTwo masters at geograhically disperse locationsProvides failover and data protection
Load balancingSpread user connections over serversDedicate servers to read-only activitiesDedicate servers to particular activities - ie, serverfor mail
SAGE-AU Conf 2003 – p. 117
![Page 118: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/118.jpg)
Replication Issues to Consider
Quality of links between remote sites
Amount of bandwidth between sitesIs replication traffic too much for link
Physical location of usersHow many usersWhat type of work they do
Number of applications
Type and proportion of operations done
Size of directory
SAGE-AU Conf 2003 – p. 118
![Page 119: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/119.jpg)
Management Models
3 main management models
Centralized administration
Distributed administration
User self-administration
SAGE-AU Conf 2003 – p. 119
![Page 120: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/120.jpg)
Centralized Administration
Good for smaller organisations
All changes are made in the one location or group ofpeople
Minimal admin infrastruture
Low potential for duplication of data
Can cause bottlenecks in changes being made - longdelays
Often seen as most secure - not always the casePossibly too much trust in central groupWithin sub-departments, possibility that changesmay not happen quickly enough - eg, employee isfired and notification takes time to make it to centralaccounts department
SAGE-AU Conf 2003 – p. 120
![Page 121: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/121.jpg)
Distributed Administration
Centralised department co-ordinates sub-groups, whodo actual admin work
Reduces admin bottlenecks
Very scalable
Similar to how DNS admin is done - root nameservershandle top level, then delegated out
Namespace design is important - hard to distributeacross flat namespace
SAGE-AU Conf 2003 – p. 121
![Page 122: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/122.jpg)
User Self-Administrated
User creates and manages own account - eg Internetshopping
Web forms often used to let end users admin ownaccounts
Common to seperate end user admined accounts fromother part of directory
Lower level of trust of data done this way
Usually use other form of data / contact - eg frequentflyers database, using email address
SAGE-AU Conf 2003 – p. 122
![Page 123: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/123.jpg)
Data Maintenance
Maintenance is most important part
Usually involved with maintance the longest, often leastthough about aspect
Configuration is comparitively simple, managingcontents is hard
The best designed directory is useless with out of dateor incomplete data
SAGE-AU Conf 2003 – p. 123
![Page 124: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/124.jpg)
Managing Directory Contents
People can have multiple accounts, or a single account(or group) can have multiple people associated
Need to manage association between accounts andpeople, as well as managing the people
This is essential to be able to terminate all accountsassociated with a terminated employee
Important as ldap doesn’t ensure referential integrity -can be left with dangling references
SAGE-AU Conf 2003 – p. 124
![Page 125: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/125.jpg)
Managing Data Flow
Managing data integration between directories has anumber of approaches:
Replication
Data export/import
Scripting
Metadirectories
Virtual Directories
SAGE-AU Conf 2003 – p. 125
![Page 126: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/126.jpg)
Replication
Exactly duplicating data between directories
This creates a copy of data for distribution,performance, scalability and redundancy
No LDAP standard for replication, so hard to replicatebetween different vendors
IETF is developing LDUP, an independant replicationprotocol
SAGE-AU Conf 2003 – p. 126
![Page 127: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/127.jpg)
Data export/import
Export data out from one directory, then import into next
Can manipulate data after exporting
Servers must support either of 2 main standardsLDIFDSML
Updates only happen periodically, data is out of syncbetween these times
SAGE-AU Conf 2003 – p. 127
![Page 128: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/128.jpg)
Scripting
Writing scripts to manipulate data between servers
Allows choosing subset of data to transfer
Easy to change / manipulate data
Common languages are Perl, Java and C
SAGE-AU Conf 2003 – p. 128
![Page 129: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/129.jpg)
Metadirectories
Consolidates subsets of data from various locations
Presents it as LDAP, XML, HTTP etc
Consolidates and aggregates details about objects
Can provide multiple views of data
Helps manage relationships between directories
Manages data flow between directories
Can reflect information back to original or new datasources
Not just a consolidated directory of all information
SAGE-AU Conf 2003 – p. 129
![Page 130: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/130.jpg)
Metadirectories cont
Consists of:Metadirectory namespaceJoin engineConnectors
Comes in two different formsAdd on to existing directoryStand alone directory
SAGE-AU Conf 2003 – p. 130
![Page 131: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/131.jpg)
Metadirectories Namespace
Also called meta view
Unified view of underlying directories / data sources
Usually stored in a LDAP directory
Uses join engine to synchronize underlying sources
SAGE-AU Conf 2003 – p. 131
![Page 132: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/132.jpg)
Metadirectories Join Engine
Managed data flow between external sources andmetadirectory views
Defines authoritive source for each bit of data
Controls which data sources can be changed via metadirectory
Manipulates and unifies connector views to providemeta view
Links items in connector views with items in meta view
Can construct attributes from other values
SAGE-AU Conf 2003 – p. 132
![Page 133: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/133.jpg)
Metadirectories Connectors
Provides data from external sources to join engine
Connects between directory and data sources
Can provide name mapping to translate from originaldata source to LDAP
Defines which attributes to use or discard
Provides a connector view
Two types:Direct connector: talks directly to source, usuallyeither LDAP or SQLIndirect connector: converts from source data intoLDAP
SAGE-AU Conf 2003 – p. 133
![Page 134: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/134.jpg)
Virtual Directories
LDAP frontend to databases / directories
Provides schema adaptors
Failover and load balancing
Namespace conversions
Value manipulationsAdd/modify/delete attributesRemove or construct attributes based on criteria
SAGE-AU Conf 2003 – p. 134
![Page 135: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/135.jpg)
Data Flow Analysis
Schema mappingMapping schemas between directories
Determining authoritative sourceFind which directory has most up to date for eachpart of data
Data tranformationNot all systems store data in the same format, egmay use extra lookup tablesChange data representation to be the same formatin each directory
Namespace translationSometimes can’t translate directly - can get conflictsSometimes can just change root naming context
SAGE-AU Conf 2003 – p. 135
![Page 136: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/136.jpg)
Data Sources
Existing directory services
Operating systems
Existing databases
Flat files or spreadsheets
Applications
Sysadmins
End users
SAGE-AU Conf 2003 – p. 136
![Page 137: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/137.jpg)
Common Data Problems
Things to be careful of:
Too much information - can’t find what is needed
Not enough information
Poor quality information
Out of date information
SAGE-AU Conf 2003 – p. 137
![Page 138: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/138.jpg)
Tips for Success
Carefully pick and stick to scope of project
Start small, show incremental successes
Pick low hanging fruit, and stay visible
Deploy in parallel with existing systems
Design for end result - doesn’t have to get there straightaway
Identify who’s responsible early
Use info with greatest value first
Allow time for political and process issues
Be careful what you promise and manage expectations
SAGE-AU Conf 2003 – p. 138
![Page 139: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/139.jpg)
Important RFCs
RFC TitleRFC2247 Using Domains in LDAP DNsRFC2251 LDAPv3 ProtocolRFC2252 LDAPv3 Attribute TypesRFC2253 LDAPv3 Disinguished NameRFC2254 LDAPv3 Search FiltersRFC2255 LDAPv3 URL FormatRFC2256 A Summary of the X.500(96) User SchemaRFC2307 LDAP Network Information Services SchemaRFC2377 LDAP Naming Plan
SAGE-AU Conf 2003 – p. 139
![Page 140: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/140.jpg)
Important RFCs cont
RFC TitleRFC2798 LDAP inetOrgPerson schemaRFC2829 LDAPv3: Authentication MethodsRFC2830 LDAPv3: Start TLSRFC2849 LDIFv1RFC2891 LDAPv3: Server Side Sorting of Search ResultsRFC3112 LDAP Authentication Password SchemaRFC3377 LDAP(v3): Technical Specification
SAGE-AU Conf 2003 – p. 140
![Page 141: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/141.jpg)
References
Understanding and Deploying LDAP Directory ServicesTimothy A. Howes, Mark C. Smith and Gordon S. GoodMacmillan Network Architecture and Development Series
Implementing LDAPMark WilcoxWrox Press Ltd
LDAP Programming, Management and IntegrationClayton DonleyManning Publications
SAGE-AU Conf 2003 – p. 141
![Page 142: LDAP Theory and Management - Brad Marshall's Website](https://reader031.fdocuments.us/reader031/viewer/2022021022/6204edbb4c89d3190e0ca2bc/html5/thumbnails/142.jpg)
References cont
Summary Report from Catalyst 99 DirectoryNamespace and Best Practices Workshop, The BurtonGroup and The Network Applications Consortium
OpenLDAP 2.1 Administrators Guide,http://www.openldap.org/doc/admin21/
LDAP Linux HOWTO, Luiz Ernesto Pinheiro Malere,Linux Documentation Project
LDAP Implementation HOWTO, Roel van Meer, LinuxDocumentation Project
SunONE Directory Server 5.2 Deployment Guide
SunONE Meta Directory Server 5.1 Deployment Guide
The Slapd and Slurpd Administrator’s Guide, Universityof Michigan, Release 3.3
SAGE-AU Conf 2003 – p. 142