LDAP Directory Services & Identity Management - OS3

Posted on 21-Aug-2018

LDAP Directory Services & Identity Management

Agenda
● Monday
– UvA Directory Services
– History of LDAP
– LDAP theory
● Wednesday
– LDAP theory
– LDAP implementations
– LDAP in practice

Agenda
● Definitions
● Why the UvA has directory services
● What the UvA has done
● What the UvA did wrong

UvA
● 24,000 students
● 5,000 staff
● 50-98 locations
● 10-25 IT departments
● "Let a thousand flowers bloom"

Definitions
● Directory services
● Identity management
● User administration
● Phone book
● LDAP
● Active Directory
● Metadirectory

Without LDAP
(diagram: Mail, Web, Fileserver, Dial-in and Unix each keep their own user database, and each prompts separately for Name/Password)

With LDAP
(diagram: Mail, Web, Fileserver, Dial-in and Unix all share one LDAP user database behind a single Name/Password)

Why directory services
● More services
● More control for the user
● More security?
● Less administration
● Less support
● Less pollution of account files

What the UvA has done
● 1997 All students in LDAP
● 1998 Most student services on LDAP
● 1999 All staff in LDAP
● 2000 Active Directory
● 2001 Metadirectory
● 2002 Most staff services on DS

Services
● Student mail (webmail)
● UvA Homepages
● Studieweb (exam registration)
● UvAInbel (dial-in)
● SMS services
● Elections
● UvAweb
● Blackboard

User administration
● 1 username/password
● Personal information
● Accepting terms and conditions
● Introduction of new services

(diagram: Netscape LDAP between the source administrations Students, SAP/HR, Alumni and Others and the services E-mail, Dial-in, Web and Groupware; "Passwords: NO" towards Microsoft Active Directory; MMS)

Technology
● Netscape DS / Active Directory
● Schema
– inetOrgPerson
– eduPerson?
– MS schema
– uvaPerson
● DC naming (AD)
● X.500 naming (LDAP)

Hurdles
● Much integration → many stakeholders
● Consolidation of old administrations
● Migration projects
● Product support
– no directory support
– idiosyncratic directory support
● Development work

What the UvA did wrong
● Informing and supporting end users
● Too early
● Too technical
● Too idealistic
● Development effort underestimated
● Top down / bottom up

Positive experiences
● Directory services scale
● Saves on administration
● More and more products

What is LDAP?
● Lightweight Directory Access Protocol
● Used to access and update information in a directory built on the X.500 model
● Specification defines the content of messages between the client and the server
● Includes operations to establish and disconnect a session from the server

Directory Services Model
(diagram: several DUAs access DSAs over DAP; the DSAs together form the Directory)

LDAP Naming (string – attribute type)
UID – userid
DC – domainComponent
STREET – streetAddress
C – countryName
OU – organizationalUnitName
O – organizationName
ST – stateOrProvinceName
L – localityName
CN – commonName

Information Model
● Directory Information Base
● Directory Entry
● DIT
● RDN & DN
● Directory Schema
● Naming Context

Directory Information Base
● DIB
– a conceptual information model storing information about OSI objects
– composed of Directory entries
● Directory Entry
– collection of information in the DIB about an object in the real world
● Directory Information Tree
– entries in the DIB are placed as nodes of a hierarchical structure called the DIT

DIT Example

Directory Entry
● Entry
– a set of attributes
– attribute = attribute type + attribute value
– distinguished attributes: used to name the entry
● RDN
– a set of distinguished attributes
– RDNs are assigned to nodes of the DIT
● DN
– sequence of RDNs

Directory Entry

Operational Attributes
● creatorsName
● createTimestamp
● modifiersName
● modifyTimestamp
● subschemaSubentry: the Distinguished Name of the subschema entry (or subentry) which controls the schema for this entry

Directory Schema
● DIT Structure
● Object Class
● Attribute Type
● Attribute Syntax

Relationship to X.500
● LDAP is an X.500 access mechanism.
● An LDAP server MUST act in accordance with X.500(1993).
● However, it is not required that an LDAP server make use of any X.500 protocols (e.g. LDAP can be mapped onto any other directory system so long as the X.500 data and service model as used in LDAP is not violated in the LDAP interface).

Server-specific Data Requirements

● An LDAP server MUST provide information about itself and other information that is specific to each server.

● The following attributes of the root DSE are defined. Additional attributes may be defined in other documents.

Referral
(diagram: the DUA's request to one DSA is answered with a referral to DSA A, and the DUA repeats the request at DSA A; DSAs A, B and C together form the Directory)

X.500
● X.500 standard, CCITT 1988
– refer to ISO 9594
– X.500-X.521 of 1990

X.500
● Hierarchical
● Directory service
● DAP as access protocol
● Top-heavy; hard to implement well on the systems available

LDAP servers

Understanding LDAP
● Lightweight alternative to DAP
● Uses TCP/IP instead of the OSI stack
● Simplifies certain functions and omits others…
● Uses strings rather than DAP's ASN.1 notation to represent data

LDAP
● Information
– structure of information stored in an LDAP directory
● Naming
– how information is organized and identified
● Functional / Operations
– describes what operations can be performed on the information stored in an LDAP directory
● Security
– describes how the information can be protected from unauthorized access

LDAP Information Storage
● Each attribute has a type/syntax and a value
● Can define how values behave during searches/directory operations
● Syntax: bin, ces, cis, tel, dn etc.
● Usage limits: ssn – only one, jpegPhoto – 10K

LDAP Information Storage
● Each 'entry' describes an object (Class)
– Person, Server, Printer etc.
● Example Entry:
– inetOrgPerson (cn, sn, objectClass)
● Example Attributes:
– cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

LDAP Naming
● DNs consist of a sequence of Relative DNs
– cn=John Smith,ou=Austin,o=IBM,c=US (leaf to root; use \ to escape special characters)
● Directory Information Tree (DIT)
● Follows a geographical or organizational scheme
● Aliases: tree-like
● Aliases can link non-leaf nodes
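An added example, not from the slides, that splits a DN such as the one above into its RDNs (leaf first) and builds a DN back from RDNs, applying the backslash escape for special characters so that a comma inside a value survives the round trip:

```python
# Added example (not from the slides): split a DN into RDNs (leaf first) and build one
# back, applying the backslash escape the slide mentions for special characters.
SPECIAL = ',=+"\\<>;'                       # characters that need a '\' inside a DN value

def _value(buf):
    """Join (char, was_escaped) pairs, trimming only unescaped leading/trailing spaces."""
    while buf and buf[0] == (" ", False):
        buf.pop(0)
    while buf and buf[-1] == (" ", False):
        buf.pop()
    return "".join(c for c, _ in buf)

def parse_dn(dn):
    """Return [(type, value), ...] from leaf to root, e.g. [('cn', 'John Smith'), ('ou', 'Austin'), ...]."""
    rdns, typ, buf, escaped = [], None, [], False
    for ch in dn:
        if escaped:                          # character after '\' is taken literally
            buf.append((ch, True))
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and typ is None:      # first unescaped '=' ends the attribute type
            typ, buf = _value(buf), []
        elif ch == ",":                      # unescaped ',' ends this RDN
            rdns.append((typ, _value(buf)))
            typ, buf = None, []
        else:
            buf.append((ch, False))
    if escaped or typ is None:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((typ, _value(buf)))
    return rdns

def format_dn(rdns):
    """Inverse of parse_dn: escape values so the result parses back to the same RDNs."""
    parts = []
    for typ, val in rdns:
        esc = "".join("\\" + c if c in SPECIAL else c for c in val)
        if val[:1] in (" ", "#"):            # a leading space or '#' must be escaped
            esc = "\\" + esc
        if len(val) > 1 and val.endswith(" "):   # ... and so must a trailing space
            esc = esc[:-1] + "\\ "
        parts.append(typ + "=" + esc)
    return ",".join(parts)
```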

LDAP Naming
● Referrals: a server may not store the entire DIT (v3)
● Referrals
– objectClass=referral, attribute=ref, value=LDAP URL
● Implementation differs
– referrals/chaining (vendor)
● RFC 1777: server chaining is expected.

LDAP Naming
● Schema
– defines what object classes are allowed
– where they are stored
– what attributes they have (objectClass)
– which attributes are optional (objectClass)
– type/syntax of each attribute (objectClass)
● Query the server for info: zero-length DN
● LDAP schema must be readable by the client

LDAP Functions/Operations
● Authentication
– BIND/UNBIND
– ABANDON
● Query
– Search
– Compare entry
● Update
– Add an entry
– Delete an entry (only leaf nodes, no aliases)
– Modify an entry, Modify DN/RDN

LDAP Security
● Current LDAP version supports
– clear text passwords
– Kerberos version 4 authentication
● Other authentication methods possible in future versions (March 1995)
● SASL support added in version 3
– Kerberos deemed stronger than SASL…

LDAP Security
● Security based on the BIND model
● Clear text: ver 1
● Kerberos: ver 1, 2, 3 (deprecated)
● SASL: ver 3
– Simple Authentication and Security Layer
– uses one of many authentication methods
● Proposal for Transport Layer Security
– based on SSL v3 from Netscape

LDAP Security
● None
● Basic Authentication
– DN and password
– clear text or Base64
● SASL (RFC 2222)
– choice of authentication protocol
– encryption optional

LDAP Security
● LDAP using SASL using SSL/TLS

Directory Client/Server Interaction

LDAP Directory Services & Identity Management

RFCs
● RFC 1777 - LDAPv2
● RFC 1778 - LDAPv2 String Representation of Standard Attribute Syntaxes
● RFC 2254 - String Representation of LDAP Search Filters
● RFC 1823 - LDAP API (in C)
● RFC 2247 - Use of DNS domains in distinguished names
● RFC 2251 - LDAPv3: The specification of the LDAP on-the-wire protocol
● RFC 2252 - LDAPv3: Attribute Syntax Definitions
● RFC 2253 - LDAPv3: UTF-8 String Representation of Distinguished Names
● RFC 2254 - LDAPv3: The String Representation of LDAP Search Filters
● RFC 2255 - LDAPv3: The LDAP URL Format
● RFC 2256 - LDAPv3: A Summary of the X.500(96) User Schema
● RFC 2829 - LDAPv3: Authentication Methods for LDAP
● RFC 2830 - LDAPv3: Extension for Transport Layer Security
● RFC 3377 - LDAPv3: Technical Specification
● RFC 2307 - Using LDAP as a Network Information Service

Implementations
● University of Michigan
● OpenLDAP
● IBM Directory
● Apple Open Directory
● Sun One (Netscape/iPlanet)
● Novell eDirectory
● Microsoft Active Directory

OpenLDAP
● SLAPD
– directory server
● SLURPD
– replication server
● Libraries
● Tools
– local (offline)
– via the server (online)

Schema
core.schema – OpenLDAP core (required)
cosine.schema – Cosine and Internet X.500 (useful)
inetorgperson.schema – InetOrgPerson (useful)
misc.schema – Assorted (experimental)
nis.schema – Network Information Services (FYI)
openldap.schema – OpenLDAP Project (experimental)
eduperson / libraryperson / uvaperson

LDIF import and export
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@example.com
mail: rsmith@example.com
mail: bob.smith@example.com
description: swell guy
ou: Human Resources

LDIF modify
dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 123-111
-

Offline commands
● slappasswd
● slapadd
● slapcat
● slapindex
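The LDIF entry above carries userpassword as clear text. As an added example, not from the slides or from OpenLDAP itself, here is the {SSHA} scheme that slappasswd produces by default, with a helper that rewrites such clear-text lines to that form before the entry is loaded with slapadd or ldapadd (the sample LDIF lines are constructed from the slide's entry):

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the slides): the {SSHA} scheme slappasswd uses by default,
# plus a helper that rewrites a clear-text userpassword line, such as the one in the
# LDIF entry above, into that form before the entry is loaded with slapadd/ldapadd.
def ssha_hash(password, salt=None):
    """{SSHA} = base64( sha1(password || salt) || salt ); the salt is 4 random bytes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Recompute the digest with the salt carried in `stored`; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def hash_ldif_passwords(ldif):
    """Return `ldif` with every clear-text userpassword value replaced by {SSHA}."""
    out = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "userpassword" and not value.strip().startswith("{"):
            line = attr + ": " + ssha_hash(value.strip())
        out.append(line)
    return "\n".join(out)

# Constructed sample: the clear-text password line from the slide's LDIF entry.
SAMPLE = "dn: cn=Robert Smith,ou=people,dc=example,dc=com\nuid: rjsmith\nuserpassword: rJsmitH"
```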

Online commands
● ldappasswd
● ldapadd
● ldapdelete
● ldapcompare
● ldapmodify
● ldapsearch
● ldapmodrdn

LDAP Search
& and
| or
! not
= equal
~= approximate
>= greater
<= less

(cn=Babs Jensen)
(!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*)
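An added example, not from the slides: a small evaluator for this filter syntax (the &, |, !, =, >= and <= operators with * as the substring wildcard), run against a constructed, trimmed copy of the Robert Smith LDIF entry from the earlier slide. Approximate matching (~=) is left out because each server implements its own phonetic algorithm.

```python
import re
# Constructed sample: a trimmed copy of the Robert Smith entry from the LDIF slide.
SAMPLE_LDIF = """\
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: bob smith
mail: bob.smith@example.com
"""

def parse_ldif(text):                      # one entry -> {attr(lowercased): [values]}
    entry = {}                             # base64 (::) and folded lines are not handled
    for attr, _, value in (l.partition(":") for l in text.strip().splitlines()):
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def parse_filter(s):                       # recursive descent; returns (tree, unparsed rest)
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):           # compound: (&..), (|..), (!..)
        op, subs, s = s[0], [], s[1:]
        while s.startswith("("):
            sub, s = parse_filter(s)
            subs.append(sub)
        if not s.startswith(")") or (op == "!" and len(subs) != 1):
            raise ValueError("malformed compound filter")
        return (op, subs), s[1:]
    # item: attr, then =, >= or <= (~= is server-specific, \28/\29 escapes not handled)
    m = re.match(r"([A-Za-z][\w.;-]*)(>=|<=|=)([^)]*)\)", s)
    if not m:
        raise ValueError("bad filter item at: " + s)
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), s[m.end():]

def matches(tree, entry):                  # '=' is case-insensitive and '*' is the wildcard
    kind = tree[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(t, entry) for t in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, op, want = tree
    values = entry.get(attr, [])
    if op == "=":
        pattern = ".*".join(re.escape(p) for p in want.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v >= want if op == ">=" else v <= want for v in values)   # plain string order

def search(filter_text, ldif=SAMPLE_LDIF):
    tree, rest = parse_filter(filter_text)
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    return matches(tree, parse_ldif(ldif))
```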

Indexing
● eq Equality
● pres Presence
● sub Substring
● approx Approximate (expensive!)

Indexing
index uid eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index cn pres,eq,sub
index sn pres,eq,sub
index objectClass pres,eq
index nisDomain eq
index nisNetgroupTriple pres,eq,sub
index memberNisNetgroup pres,eq,sub
index nisMapName eq

ACL
access to <what> [ by <who> <accesslevel> <control> ]+

access to *
  by anonymous read
  by * none
access to attr=userpassword
  by self write
  by anonymous auth
  by * none
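slapd uses the first access to directive whose <what> matches, so with access to * listed first the userpassword directive above is never consulted for that attribute. An added model of that evaluation, not from the slides or from OpenLDAP, comparing the slide's ordering with the same clauses placed specific-first (it covers only the <what> and <who> forms the slide uses):

```python
# Added example (not from the slides): a model of how slapd evaluates the access
# directives above. slapd uses the first "access to" directive whose <what> matches
# and, within it, the first "by" clause whose <who> matches; anything else is denied.
# With "access to *" listed first, the userpassword directive is never reached.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Turn slapd.conf lines into [(what, [(who, level), ...]), ...] in file order."""
    acl = []
    for words in (line.split() for line in text.strip().splitlines()):
        if words[:2] == ["access", "to"]:
            acl.append((words[2].lower(), []))
        elif words[:1] == ["by"]:
            acl[-1][1].append((words[1].lower(), words[2].lower()))
    return acl

def _who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    return {"*": True,
            "anonymous": requester is None,
            "users": requester is not None,
            "self": requester is not None and requester == target_dn}.get(who, False)

def allowed(acl, requester, target_dn, attr, needed):
    """Is `needed` (a LEVELS name) granted on `attr` of `target_dn`? Levels are cumulative."""
    for what, clauses in acl:
        if what == "*" or (what.startswith("attr=") and what[5:] == attr.lower()):
            for who, level in clauses:
                if _who_matches(who, requester, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False                       # directive matched, but no "by" clause did
    return False                               # no directive matched

SLIDE_ORDER = """
access to *
  by anonymous read
  by * none
access to attr=userpassword
  by self write
  by anonymous auth
  by * none
"""
# Same clauses with the specific directive first, so it is consulted for userpassword.
FIXED_ORDER = "\n".join(SLIDE_ORDER.strip().splitlines()[3:] + SLIDE_ORDER.strip().splitlines()[:3])
```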

LDAP Proxies
● Performance
– can hold a subset
– load balancing
● Translation of attribute names
– connecting servers with different schemas
