LDAP Directory Services & Identity Management
Agenda
● Monday
  – UvA Directory Services
  – History of LDAP
  – LDAP theory
● Wednesday
  – LDAP theory
  – LDAP implementations
  – LDAP in practice
Agenda
● Definitions
● Why does the UvA have directory services
● What has the UvA done
● What has the UvA done wrong
UvA
● 24,000 students
● 5,000 staff
● 50-98 locations
● 10-25 IT departments
● "Let a thousand flowers bloom"
Definitions
● Directory services
● Identity management
● User administration
● Telephone directory
● LDAP
● Active Directory
● Metadirectory
Without LDAP
Figure: each service (Mail, Web, Fileserver, Dial-in, Unix) keeps its own user database, each with its own "Name: / Password:" prompt.
With LDAP
Figure: one LDAP user database serves Mail, Web, Fileserver, Dial-in and Unix, with a single "Name: / Password:" prompt.
Why directory services
● More services
● More control by the user
● More security?
● Less administration
● Less support
● Less clutter in files
What has the UvA done
● 1997: all students in LDAP
● 1998: most student services on LDAP
● 1999: all staff in LDAP
● 2000: Active Directory
● 2001: Metadirectory
● 2002: most staff services on DS
Services
● Student mail (webmail)
● UvAHomepages
● Studieweb (exam registration)
● UvAInbel
● SMS services
● Elections
● UvAweb
● Blackboard
User administration
● 1 username/password
● Personal information
● Accepting the terms and conditions
● Introduction of new services
Figure: sources (Students, SAP/HR, Alumni, Others) feed the Netscape LDAP directory, which is linked via MMS to Microsoft Active Directory (passwords); the directory serves E-mail, Dial-in, Web, NO and Groupware.
Technology
● Netscape DS / Active Directory
● Schema
  – inetOrgPerson
  – eduPerson?
  – MS schema
  – uvaPerson
● DC naming (AD)
● X.500 naming (LDAP)
Hurdles
● Much integration → many interests
● Consolidation of old administrations
● Migration projects
● Product support
  – no directory support
  – idiosyncratic directory support
● Development work
What has the UvA done wrong
● End-user information and support
● Too early
● Too technical
● Too idealistic
● Development underestimated
● Top down / bottom up
Positive experiences
● Directory services scale
● Saves on administration
● More and more products
What is LDAP?
● Lightweight Directory Access Protocol
● Used to access and update information in a directory built on the X.500 model
● Specification defines the content of messages between the client and the server
● Includes operations to establish and disconnect a session from the server
Directory Services Model
Figure: several DUAs each connect over DAP to a DSA; the DSAs are linked to each other and together form the Directory.
LDAP Naming
Attribute Type            String
CommonName                CN
LocalityName              L
StateOrProvinceName       ST
OrganizationName          O
OrganizationalUnitName    OU
CountryName               C
StreetAddress             STREET
domainComponent           DC
Userid                    UID
Information Model
● Directory Information Base
● Directory Entry
● DIT
● RDN & DN
● Directory Schema
● Naming Context
Directory Information Base
● DIB
  – a conceptual information model storing information about OSI objects
  – composed of Directory entries
● Directory Entry
  – collection of information in the DIB about an object in the real world
● Directory Information Tree
  – Entries in the DIB are placed as nodes of a hierarchical structure called the DIT
DIT Example
Directory Entry
● Entry
  – A set of attributes
  – attribute = attribute type + attribute value
  – distinguished attributes: used to name the entry
● RDN
  – A set of distinguished attributes
  – RDNs are assigned to nodes of the DIT
● DN
  – sequence of RDNs
Directory Entry
Operational Attributes
● creatorsName
● createTimestamp
● modifiersName
● modifyTimestamp
● subschemaSubentry: the Distinguished Name of the subschema entry (or subentry) which controls the schema for this entry
Directory Schema
● DIT Structure
● Object Class
● Attribute Type
● Attribute Syntax
Relationship to X.500
● LDAP is an X.500 access mechanism.
● An LDAP server MUST act in accordance with X.500(1993).
● However, it is not required that an LDAP server make use of any X.500 protocols (e.g. LDAP can be mapped onto any other directory system so long as the X.500 data and service model as used in LDAP is not violated in the LDAP interface).
Server-specific Data Requirements
● An LDAP server MUST provide information about itself and other information that is specific to each server.
● The following attributes of the root DSE are defined. Additional attributes may be defined in other documents.
Referral
Figure: the DUA sends a request to DSA B, which answers with a referral (to A); the DUA then sends the request to DSA A. DSAs A, B and C together form the Directory.
X.500
● X.500 standard, CCITT 1988
  – Refer to ISO 9594, X.500-X.521 of 1990
X.500
● Hierarchical
● Directory service
● DAP as access protocol
● Top-heavy; not easy to implement on the available systems
LDAP servers
Understanding LDAP
● Lightweight alternative to DAP
● Uses TCP/IP instead of the OSI stack
● Simplifies certain functions and omits others…
● Uses strings rather than DAP's ASN.1 notation to represent data
LDAP
● Information
  – Structure of information stored in an LDAP directory
● Naming
  – How information is organized and identified
● Functional / Operations
  – Describes what operations can be performed on the information stored in an LDAP directory
● Security
  – Describes how the information can be protected from unauthorized access
LDAP Information Storage
LDAP Information Storage
● Each attribute has a type/syntax and a value
● Can define how values behave during searches/directory operations
● Syntax: bin, ces, cis, tel, dn etc.
● Usage limits: ssn: only one; jpegPhoto: 10K
LDAP Information Storage
● Each 'entry' describes an object (Class)
  – Person, Server, Printer etc.
● Example Entry:
  – inetOrgPerson (cn, sn, objectClass)
● Example Attributes:
  – cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
LDAP Naming
● DNs consist of a sequence of Relative DNs
  – cn=John Smith,ou=Austin,o=IBM,c=US (leaf to root) (use \ to escape special characters)
● Directory Information Tree (DIT)
  – Follows a geographical or organizational scheme
  – Tree-like
● Aliases
  – Aliases can link non-leaf nodes
LDAP Naming
● Referrals: a server may not store the entire DIT (v3)
● Referrals
  – objectClass=referral, attribute=ref, value=LDAP URL
● Implementation differs
  – Referrals/Chaining (vendor)
● RFC 1777: server chaining is expected.
LDAP Naming
● Schema
  – Defines what object classes are allowed
  – Where they are stored
  – What attributes they have (objectClass)
  – Which attributes are optional (objectClass)
  – Type/syntax of each attribute (objectClass)
● Query the server for info: zero-length DN
● LDAP schema must be readable by the client
LDAP Functions/Operations
● Authentication
  – BIND/UNBIND
  – ABANDON
● Query
  – Search
  – Compare entry
● Update
  – Add an entry
  – Delete an entry (only leaf nodes, no aliases)
  – Modify an entry, Modify DN/RDN
LDAP Security
● Current LDAP version supports
  – Clear text passwords
  – KERBEROS version 4 authentication
● Other authentication methods possible in future versions (March 1995)
● SASL support added in version 3
  – Kerberos deemed stronger than SASL…
LDAP Security
● Security based on the BIND model
● Clear text: ver 1
● Kerberos: ver 1, 2, 3 (deprecated)
● SASL: ver 3
  – Simple Authentication and Security Layer
  – uses one of many authentication methods
● Proposal for Transport Layer Security
  – Based on SSL v3 from Netscape
LDAP Security
● None
● Basic Authentication
  – DN and password
  – Clear text or Base64
● SASL (RFC 2222)
  – Choice of authentication protocol
  – Encryption optional
LDAP Security
● LDAP using SASL using SSL/TLS
Directory Client/Server Interaction
LDAP Directory Services & Identity Management
RFCs
● RFC 1777 - LDAPv2
● RFC 1778 - LDAPv2 String Representation of Standard Attribute Syntaxes
● RFC 2254 - String Representation of LDAP Search Filters
● RFC 1823 - LDAP API (in C)
● RFC 2247 - Use of DNS domains in distinguished names
● RFC 2251 - LDAPv3: The specification of the LDAP on-the-wire protocol
● RFC 2252 - LDAPv3: Attribute Syntax Definitions
● RFC 2253 - LDAPv3: UTF-8 String Representation of Distinguished Names
● RFC 2254 - LDAPv3: The String Representation of LDAP Search Filters
● RFC 2255 - LDAPv3: The LDAP URL Format
● RFC 2256 - LDAPv3: A Summary of the X.500(96) User Schema
● RFC 2829 - LDAPv3: Authentication Methods for LDAP
● RFC 2830 - LDAPv3: Extension for Transport Layer Security
● RFC 3377 - LDAPv3: Technical Specification
● RFC 2307 - Using LDAP as a Network Information Service
Implementations
● University of Michigan
● OpenLDAP
● IBM Directory
● Apple Open Directory
● Sun One (Netscape/iPlanet)
● Novell eDirectory
● Microsoft Active Directory
OpenLDAP
● SLAPD
  – Directory server
● SLURPD
  – Replication server
● Libraries
● Tools
  – Local (offline)
  – Via the server (online)
Schema
core.schema             OpenLDAP core (required)
cosine.schema           Cosine and Internet X.500 (useful)
inetorgperson.schema    InetOrgPerson (useful)
misc.schema             Assorted (experimental)
nis.schema              Network Information Services (FYI)
openldap.schema         OpenLDAP Project (experimental)
eduperson
libraryperson
uvaperson
LDIF import and export
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: [email protected]
mail: [email protected]
mail: [email protected]
description: swell guy
ou: Human Resources
LDIF modify
dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
# a modify record must name the operation (add, replace or delete) before the attribute
add: telephonenumber
telephonenumber: 123-111
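The two LDIF records above, worked through in Python as an added example (not from the slides): `parse_entry` reads a content record into an entry and `apply_modify` applies a modify record to it. The sample entry and its addresses are constructed, and the helper names are chosen here.

```python
# Added example (not from the slides): parse an LDIF entry like the one above and apply a
# "changetype: modify" record to it. Folded lines (a leading space continues the previous
# line) are joined, and each change in the modify record names its operation first.
def _lines(text):                         # logical lines: comments dropped, folds joined
    out = []
    for line in text.strip().splitlines():
        if line.startswith("#"): continue
        if line.startswith(" ") and out: out[-1] += line[1:]
        else: out.append(line)
    return out

def _split(line):                         # "attr: value" -> ("attr", "value")
    name, _, value = line.partition(":")
    return name.lower(), value.strip()
def parse_entry(text):                    # content record -> (dn, {attr: [values]})
    lines, entry = _lines(text), {}
    for attr, value in map(_split, lines[1:]):
        entry.setdefault(attr, []).append(value)
    return _split(lines[0])[1], entry

def apply_modify(entry, text):            # apply a modify record to a copy of entry
    entry, lines, ops = {a: list(v) for a, v in entry.items()}, _lines(text), []
    if _split(lines[1]) != ("changetype", "modify"): raise ValueError("not a modify record")
    for line in lines[2:]:
        if line == "-": continue          # "-" separates the operations
        a, v = _split(line)
        if a in ("add", "replace", "delete"): ops.append((a, v.lower(), []))
        else: ops[-1][2].append(v)
    for op, attr, values in ops:
        if op == "add": entry.setdefault(attr, []).extend(values)
        elif op == "replace": entry[attr] = values         # replaces ALL existing values
        else: entry[attr] = [x for x in entry.get(attr, []) if values and x not in values]
        if not entry[attr]: del entry[attr]                # no values left: attribute removed
    return entry
ENTRY_LDIF = """\
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: bob
  smith
mail: rjsmith@example.com
mail: bob@example.com
"""                                       # constructed sample; addresses are placeholders
MODIFY_LDIF = """\
dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 123-111
-
replace: mail
mail: rsmith@example.com
"""
```

Note that `replace: mail` drops both existing addresses, which is the usual surprise with multi-valued attributes.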
Offline commands
● slappasswd
● slapadd
● slapcat
● slapindex
Online commands
● ldappasswd
● ldapadd
● ldapdelete
● ldapcompare
● ldapmodify
● ldapsearch
● ldapmodrdn
LDAP Search
Operator   Meaning
&          and
|          or
!          not
=          equal
~=         approximate
>=         greater
<=         less
(cn=Babs Jensen)
(!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*)
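An added example (not from the slides) that parses the filters above and evaluates them against three constructed entries in Python; `parse_filter`, `evaluate` and `search` are names chosen here, and the approximate match is a simplified stand-in for the server's phonetic algorithm.

```python
import re

# Added example (not from the slides): an evaluator for the RFC 2254 search filters
# above (& | ! = ~= >= <= and the '*' wildcard) run over constructed sample entries.
def parse_filter(s):
    """Parse one filter string; returns (node, remaining text)."""
    s = s.lstrip()
    if s[:1] != "(": raise ValueError("filter must start with '(': " + s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):                 # compound: (&(..)(..)), (|(..)(..)), (!(..))
        op, s, kids = s[0], s[1:], []
        while s.lstrip()[:1] == "(":
            kid, s = parse_filter(s)
            kids.append(kid)
        if s.lstrip()[:1] != ")": raise ValueError("missing ')' after compound filter")
        return (op, kids), s.lstrip()[1:]
    m = re.match(r"\s*([A-Za-z][\w;.-]*)\s*(~=|>=|<=|=)(.*?)\)", s)   # (attr op value)
    if not m: raise ValueError("bad simple filter: " + s)
    return ("cmp", m.group(1).lower(), m.group(2), m.group(3)), s[m.end():]

def _wild(pattern, value):
    # '=' match: case-insensitive; '*' matches any run of characters ('*' alone = presence)
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def _norm(v):                                    # stand-in for the server's phonetic ~= match
    return re.sub(r"[^a-z]", "", v.lower())

def evaluate(node, entry):
    if node[0] == "&": return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|": return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!": return not evaluate(node[1][0], entry)
    _, attr, op, val = node
    vals = entry.get(attr, [])                   # attribute absent -> nothing matches
    if op == "=":  return any(_wild(val, v) for v in vals)
    if op == "~=": return any(_norm(v) == _norm(val) for v in vals)
    if op == ">=": return any(v.lower() >= val.lower() for v in vals)
    return any(v.lower() <= val.lower() for v in vals)                 # "<="

ENTRIES = {   # constructed sample entries: attribute names lowercase, values as lists
    "cn=Babs Jensen,o=University of Michigan,c=US": {"objectclass": ["Person"], "cn": ["Babs Jensen"], "sn": ["Jensen"]},
    "cn=Tim Howes,o=University of Michigan,c=US": {"objectclass": ["Person"], "cn": ["Tim Howes"], "sn": ["Howes"]},
    "o=University of Michigan,c=US": {"objectclass": ["Organization"], "o": ["University of Michigan"]},
}

def search(filter_str, entries=ENTRIES):
    node, rest = parse_filter(filter_str)
    if rest.strip(): raise ValueError("trailing text after filter: " + rest)
    return sorted(dn for dn, e in entries.items() if evaluate(node, e))
```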
Indexing
● eq: Equality
● pres: Presence
● sub: Substring
● approx: Approximate (expensive!)
Indexing
index uid                eq
index uidNumber          eq
index gidNumber          eq
index memberUid          eq
index cn                 pres,eq,sub
index sn                 pres,eq,sub
index objectClass        pres,eq
index nisDomain          eq
index nisNetgroupTriple  pres,eq,sub
index memberNisNetgroup  pres,eq,sub
index nisMapName         eq
ACL
access to <what> [ by <who> <access> ]+
# slapd uses the first "access to" clause that matches the target, so the
# attribute-specific rule must come before the catch-all "access to *"
access to attr=userpassword
    by self write
    by anonymous auth
    by * none
access to *
    by anonymous read
    by * none
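An added example (not from the slides) that evaluates the two access directives above in Python the way slapd does, first matching `access to` clause wins, to show that the `attr=userpassword` rule must precede `access to *`: with the catch-all first, anonymous gets `read` on `userpassword` and the entry's owner gets `none`. `parse_acl`, `access_level` and `password_access` are names chosen here, and only the `<what>` and `<who>` forms used on the slide are understood.

```python
# Added example (not from the slides): a minimal evaluator for slapd.conf "access to
# <what> by <who> <level>" directives, showing why their order matters. Like slapd it
# uses the FIRST "access to" clause whose <what> matches the target, then the FIRST
# "by" clause whose <who> matches the requester; if no "by" matches, access is denied
# (the implicit "by * none"). Simplified: <what> is "*" or "attr=<name>"; <who> is "self", "anonymous" or "*".
def parse_acl(text):                      # -> [(what, [(who, level), ...]), ...]
    rules = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()           # drop comments and blank lines
        if not parts: continue
        if parts[:2] != ["access", "to"] or (len(parts) - 3) % 3 or set(parts[3::3]) != {"by"}:
            raise ValueError("malformed directive: " + line)
        by = [(parts[i + 1], parts[i + 2]) for i in range(3, len(parts), 3)]
        rules.append((parts[2].lower(), by))
    return rules

def _what_matches(what, attr):
    if what == "*": return True
    if what.startswith("attr="): return attr is not None and attr.lower() == what[5:]
    raise ValueError("unsupported <what>: " + what)

def _who_matches(who, requester_dn, target_dn):   # requester_dn None = anonymous
    if who == "*": return True
    if who == "anonymous": return requester_dn is None
    if who == "self": return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    raise ValueError("unsupported <who>: " + who)

def access_level(rules, requester_dn, target_dn, attr=None):
    """Access level granted to requester_dn on attr of the entry target_dn."""
    for what, by in rules:
        if _what_matches(what, attr):
            for who, level in by:
                if _who_matches(who, requester_dn, target_dn): return level
            return "none"                            # clause matched, no "by" did
    return "none"                                    # nothing matched: denied

BOB = "cn=Robert Smith,ou=people,dc=example,dc=com"  # the entry from the LDIF slide
GENERAL_FIRST = """
access to * by anonymous read by * none
access to attr=userpassword by self write by anonymous auth by * none
"""
SPECIFIC_FIRST = """
access to attr=userpassword by self write by anonymous auth by * none
access to * by anonymous read by * none
"""

def password_access(acl_text):            # -> (anonymous level, owner's own level)
    rules = parse_acl(acl_text)
    return (access_level(rules, None, BOB, "userpassword"),
            access_level(rules, BOB, BOB, "userpassword"))
```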
LDAP Proxies
● Performance
  – Can hold a subset
  – Load balancing
● Translation of attribute names
  – Connecting servers with different schemas