Directory Services CS5493/7493

Upload: marenda-faunus

Post on 02-Jan-2016


TRANSCRIPT

Page 1: Directory Services

Directory Services

CS5493/7493

Page 2: Directory Services

Directory Services

• Directory services represent a technological breakthrough by integrating into a single management tool:

– Authentication

– Access control

– Accounting

Page 3: Directory Services

Directory Services

• A directory service organizes data into objects.

• The directory holds the objects.

• The directory service provides the tools for accessing and modifying the objects.

Page 4: Directory Services

Directory Service Objects

• These objects consist of a name and a group of attributes associated with the name.

• The object name is formally known as the object’s “Distinguished Name”

• An object can be a service, hardware, or user.

Page 5: Directory Services

Directory Service Examples

• A phonebook – entries in the phonebook are indexed by name. Each name has a phone number and address associated with it.

• DNS – maps human readable names of network resources to their respective (binary) numeric network address.

Page 6: Directory Services

Software Engineered D.S.

• A software engineered directory service stores, organizes, and provides access to electronic information in a directory.

• DNS was the first Internet directory service.

Page 7: Directory Services

X.500

• A standard model for general-purpose directory services was developed in the late 1980’s.

• The X.500 standard emerged from this effort in 1988.

• A series of supplementary editions and refinements to X.500 followed.

Page 8: Directory Services

X.500 Refinements

• Shadowing (copying) directory information

• Access controls

• Additional administrative capabilities

• Contexts – define actions for an object according to the context of the object's use.

• Additional security features

Page 9: Directory Services

X.500 Concept

• There is a single directory information tree (DIT)

• The DIT is a hierarchical organization of objects distributed across one or more servers.

• Provides the protocol for querying and updating objects in the DIT.
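The object model from the "Directory Service Objects" slide and the hierarchical DIT described here, as an added Python example (not part of the original slides): each object is a DN plus attributes, the tree is keyed by the DN's RDN tuples so the parent of an entry is simply its DN with the leftmost RDN removed, and a subtree equality search has the shape of an LDAP search. The naming context `dc=example,dc=com`, the entries and their attributes are constructed sample data.

```python
# Added example, not from the slides: a small in-memory model of an X.500-style
# directory information tree (DIT). All DNs and attributes are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (type, value) RDNs, leaf first.

    'cn=alice,ou=staff,dc=example,dc=com' becomes
    [('cn', 'alice'), ('ou', 'staff'), ('dc', 'example'), ('dc', 'com')].
    A comma escaped as '\\,' (RFC 4514 style) stays inside the value; other
    escape forms are not handled, which is enough for this illustration.
    """
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        # Attribute types are case-insensitive, so normalise them for comparisons
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


@dataclass
class Entry:
    """A directory object: a name (DN) plus the attributes attached to that name."""
    dn: str
    attributes: dict[str, list[str]]

    def __post_init__(self) -> None:
        self.attributes = {k.lower(): list(v) for k, v in self.attributes.items()}


class DIT:
    """Objects stored by their RDN tuple; the tuple suffix encodes the hierarchy."""

    def __init__(self, suffix: str) -> None:
        self.suffix = tuple(parse_dn(suffix))   # naming context this server holds
        self._entries: dict[tuple, Entry] = {}

    @staticmethod
    def _key(dn: str) -> tuple:
        return tuple(parse_dn(dn))

    def add(self, entry: Entry) -> None:
        key = self._key(entry.dn)
        if key[-len(self.suffix):] != self.suffix:
            raise ValueError(f"{entry.dn!r} lies outside the naming context")
        # Every object except the suffix itself must hang off an existing parent
        if key != self.suffix and key[1:] not in self._entries:
            raise ValueError(f"parent of {entry.dn!r} does not exist")
        self._entries[key] = entry

    def lookup(self, dn: str) -> Entry | None:
        return self._entries.get(self._key(dn))

    def children(self, dn: str) -> list[Entry]:
        base = self._key(dn)
        return [e for k, e in self._entries.items() if k[1:] == base]

    def subtree(self, dn: str) -> list[Entry]:
        base = self._key(dn)
        return [e for k, e in self._entries.items() if k[-len(base):] == base]

    def search(self, base_dn: str, attr_type: str, value: str) -> list[Entry]:
        """Equality match over a subtree, the shape of an LDAP search request."""
        return [e for e in self.subtree(base_dn)
                if value in e.attributes.get(attr_type.lower(), [])]


def build_sample_dit() -> DIT:
    """Constructed sample directory: one domain, two OUs, two users, one printer."""
    dit = DIT("dc=example,dc=com")
    dit.add(Entry("dc=example,dc=com", {"objectClass": ["domain"], "dc": ["example"]}))
    dit.add(Entry("ou=staff,dc=example,dc=com", {"objectClass": ["organizationalUnit"], "ou": ["staff"]}))
    dit.add(Entry("ou=printers,dc=example,dc=com", {"objectClass": ["organizationalUnit"], "ou": ["printers"]}))
    dit.add(Entry("cn=alice,ou=staff,dc=example,dc=com", {"objectClass": ["person"], "cn": ["alice"], "mail": ["alice@example.com"]}))
    dit.add(Entry("cn=bob,ou=staff,dc=example,dc=com", {"objectClass": ["person"], "cn": ["bob"], "mail": ["bob@example.com"]}))
    dit.add(Entry("cn=lobby-printer,ou=printers,dc=example,dc=com", {"objectClass": ["device"], "cn": ["lobby-printer"]}))
    return dit


if __name__ == "__main__":
    dit = build_sample_dit()
    for e in dit.children("dc=example,dc=com"):
        print("child of domain:", e.dn)
    for e in dit.search("dc=example,dc=com", "objectClass", "person"):
        print("person:", e.dn, e.attributes["mail"])
```

The `add` check that every object's parent already exists is what keeps the store a tree rather than a bag of names; a directory server enforces the same rule when it refuses to create an entry under a non-existent container.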

Page 10: Directory Services

X.500 Legacy

• The general framework of X.500 has been adopted in more popular (widely adopted) directory services like:

– LDAP, Lightweight Directory Access Protocol. OpenLDAP is available for Linux.

– Microsoft Active Directory

Page 11: Directory Services

LDAP

• Defines a simple protocol that will manage directory objects:

– Search and retrieve

– Add

– Modify

– Delete

– Rename

• LDAP uses a client-server model.

Page 12: Directory Services

LDAP Model

• LDAP uses a client-server model.

• The LDAP protocol uses TCP/IP

Page 13: Directory Services

LDAP Protocol

• The LDAP client establishes a connection to an LDAP server.

• The LDAP protocol usually uses port 389.

• The client must authenticate itself to the server by supplying a distinguished name and password.

• The LDAP server can restrict access to directory objects by managing permissions (access control)
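The authentication step on this slide, as an added Python example (not from the slides): the client's simple BindRequest carries exactly the two things named above, a distinguished name and a password, and the server answers with a BindResponse whose resultCode says whether the bind succeeded. The BER layout follows RFC 4511; the encoder and decoder are hand-written here so nothing beyond the standard library is needed. The DN `cn=admin,dc=example,dc=com`, the password and both response byte strings are constructed sample data.

```python
# Added example, not from the slides: hand-encoding the LDAPv3 simple BindRequest
# the client sends over its TCP connection (usually port 389) and decoding the
# server's BindResponse, following the BER layout in RFC 4511.
# The DN, password and response bytes are constructed sample data.
from __future__ import annotations

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
ENUMERATED = 0x0A
APP_BIND_REQUEST = 0x60    # [APPLICATION 0] constructed
APP_BIND_RESPONSE = 0x61   # [APPLICATION 1] constructed
CTX_SIMPLE_AUTH = 0x80     # [0] primitive: AuthenticationChoice.simple
INVALID_CREDENTIALS = 49   # LDAPResult resultCode defined by RFC 4511


def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # Shortest two's-complement encoding; enough for message IDs and the version
    return tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (
        ber_int(3)
        + tlv(OCTET_STRING, bind_dn.encode("utf-8"))
        + tlv(CTX_SIMPLE_AUTH, password.encode("utf-8"))
    )
    return tlv(SEQUENCE, ber_int(message_id) + tlv(APP_BIND_REQUEST, bind))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, offset just past this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(msg: bytes) -> dict:
    """Pull the messageID and the LDAPResult fields out of a BindResponse."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, result, _ = read_tlv(body, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    tag, code, pos = read_tlv(result, 0)
    if tag != ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = read_tlv(result, pos)
    _, diagnostic, _ = read_tlv(result, pos)
    result_code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result_code,
        "matched_dn": matched_dn.decode("utf-8"),
        "diagnostic": diagnostic.decode("utf-8"),
        "success": result_code == 0,
    }


# Constructed sample responses: a successful bind and a rejected one
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_BIND_FAIL = tlv(
    SEQUENCE,
    ber_int(2)
    + tlv(
        APP_BIND_RESPONSE,
        tlv(ENUMERATED, bytes([INVALID_CREDENTIALS]))
        + tlv(OCTET_STRING, b"")
        + tlv(OCTET_STRING, b"invalid credentials"),
    ),
)


if __name__ == "__main__":
    pkt = encode_bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(pkt.hex())
    print(decode_bind_response(SAMPLE_BIND_OK))
    print(decode_bind_response(SAMPLE_BIND_FAIL))
```

Printing `pkt.hex()` shows the point a defender cares about: the password sits in the message as plain octets, so a simple bind on port 389 must run inside TLS (STARTTLS on 389, or LDAPS on 636) if it is not to be readable by anyone on the network path.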

Page 14: Directory Services

MS Active Directory

• A collection of services for managing resources in a computer network (LAN, MAN, CAN, or WAN).

Page 15: Directory Services

The AD Collection of Services

• AD Lightweight Directory Service

• AD Federation Service

• AD Certificate Service

• AD Rights Management Service

• AD Domain Service

Page 16: Directory Services

AD Lightweight Directory Service

• A lightweight version of AD based on LDAP.

Page 17: Directory Services

AD Federation Service

• A single sign-on service allowing a user to access services in different network environments using AD-FS.

• The different network environments can be different companies running AD-FS.

Page 18: Directory Services

AD Certificate Service

• Issues public key certificates used for such things as authentication with smart cards, or encrypting data transmitted over a network.

• This service can renew or revoke certificates.

Page 19: Directory Services

AD Rights Management Service

• Goes beyond access control.

• AD-RMS manages (controls) what users can do with data once they have accessed the data.

– Can prevent files from being copied (this includes disabling cut and paste).

– Prevent saving or forwarding e-mail messages.

Page 20: Directory Services

AD Domain Services

• The traditional features of AD from previous versions.

Page 21: Directory Services

Active Directory Summary

• A hierarchical framework of data objects.

• AD objects are categorized as:

– Resources: computers, printers, etc.

– Services like e-mail

– Users and groups of users

– Any real component and its attributes

Page 22: Directory Services

Active Directory Summary

• A logical structure = grouping objects together based on criteria other than physical location.

• A physical structure = grouping objects together based on a physical topology (all the users, equipment, and services located in a particular office building).

Page 23: Directory Services

Active Directory Summary

• Acts as the central point for managing object security

• Individual user policies can be defined

• Group policies can be defined

• Auditing features:

– Monitoring object usage

– Create reports on object usage

– Notify personnel of object usage
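The three auditing features on this slide (monitor, report, notify), as an added Python example that is not part of the original slides: it parses a constructed audit trail of object accesses, builds a per-object usage report, and raises notifications for a burst of failed accesses by one user against one object and for sensitive actions on watched objects. The record format, the DNs, the users, the `WATCHED_DNS` policy and the thresholds are all assumptions; a real Active Directory records this activity as Windows security event log entries rather than in this format.

```python
# Added example, not from the slides: the three auditing bullets as code, run over
# constructed audit records. Fields are pipe-separated because DNs contain commas.
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp|user|object DN|action|result
SAMPLE_AUDIT_LOG = """\
2016-01-02T09:00:01+00:00|alice|cn=payroll,ou=shares,dc=example,dc=com|read|success
2016-01-02T09:00:05+00:00|bob|cn=payroll,ou=shares,dc=example,dc=com|read|failure
2016-01-02T09:00:40+00:00|bob|cn=payroll,ou=shares,dc=example,dc=com|read|failure
2016-01-02T09:01:10+00:00|bob|cn=payroll,ou=shares,dc=example,dc=com|read|failure
2016-01-02T09:02:00+00:00|carol|cn=payroll,ou=shares,dc=example,dc=com|read|failure
2016-01-02T09:30:00+00:00|carol|cn=payroll,ou=shares,dc=example,dc=com|read|failure
2016-01-02T09:45:00+00:00|alice|cn=lobby-printer,ou=printers,dc=example,dc=com|print|success
2016-01-02T10:00:00+00:00|dave|ou=staff,dc=example,dc=com|delete|success
"""

# Assumed policy: objects whose modification or deletion is always reported
WATCHED_DNS = {"ou=staff,dc=example,dc=com"}
SENSITIVE_ACTIONS = {"modify", "delete"}


@dataclass
class AuditRecord:
    timestamp: datetime
    user: str
    object_dn: str
    action: str
    result: str


def parse_audit_log(text: str) -> list[AuditRecord]:
    """Monitoring: turn raw audit lines into records (blank and '#' lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, dn, action, result = line.split("|")
        records.append(AuditRecord(datetime.fromisoformat(ts), user, dn, action, result))
    return records


def usage_report(records: list[AuditRecord]) -> dict[str, Counter]:
    """Reporting: per object, how often each (action, result) pair occurred."""
    report: dict[str, Counter] = defaultdict(Counter)
    for r in records:
        report[r.object_dn][(r.action, r.result)] += 1
    return dict(report)


def find_alerts(records: list[AuditRecord], fail_threshold: int = 3,
                window: timedelta = timedelta(minutes=5)) -> list[str]:
    """Notification: sensitive actions on watched objects and bursts of failed access."""
    alerts = []
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec.timestamp):
        if r.action in SENSITIVE_ACTIONS and r.object_dn in WATCHED_DNS:
            alerts.append(f"{r.user} performed {r.action} on watched object {r.object_dn}")
        if r.result == "failure":
            failures[(r.user, r.object_dn)].append(r.timestamp)
    for (user, dn), times in failures.items():
        # Sliding window over this user/object pair's failure times (already sorted)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                alerts.append(f"{user}: {end - start + 1} failed accesses to {dn} within {window}")
                break
    return alerts


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for dn, counts in usage_report(recs).items():
        print(dn, dict(counts))
    for alert in find_alerts(recs):
        print("ALERT:", alert)
```

In the sample data bob's three failures fall within 65 seconds and are reported, carol's two failures are 28 minutes apart and are not, and dave's deletion of a watched OU is reported regardless of its success; tuning `fail_threshold` and `window` is where the balance between noise and missed events is set.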

Page 24: Directory Services

Active Directory Summary

• Objects are organized into containers called Organizational Units (OU).

• Organizational Units belong to a domain.

• A domain is an administrative boundary. All the objects in a domain operate with the same security policy.