LDAP Directory Services & Identity Management


Page 1: LDAP Directory Services & Identity Management - OS3 · Monday – UvA Directory Services – History of LDAP – LDAP Theory · Wednesday – LDAP Theory – LDAP Implementations –

LDAP Directory Services & Identity Management

Page 2:

Agenda

● Monday
  – UvA Directory Services
  – History of LDAP
  – LDAP Theory
● Wednesday
  – LDAP Theory
  – LDAP Implementations
  – LDAP Practice

Page 3:

Agenda

● Definitions
● Why the UvA has directory services
● What the UvA did
● What the UvA did wrong

Page 4:

UvA

● 24,000 students
● 5,000 staff
● 50-98 locations
● 10-25 IT departments
● "Let a thousand flowers bloom"

Page 5:

Definitions

● Directory services
● Identity management
● User administration
● Phone book
● LDAP
● Active Directory
● Metadirectory

Page 6:

Without LDAP

[Figure: Mail, Web, Fileserver, Dial-in and Unix each keep their own user database; the user enters Name:/Password: separately for every service]

Page 7:

With LDAP

[Figure: Mail, Web, Fileserver, Dial-in and Unix all check Name:/Password: against one shared LDAP user database]

Page 8:

Why directory services

● More services
● More control for the user
● More security?
● Less administration
● Less support
● Less clutter in user files

Page 9:

What the UvA did

● 1997 All students in LDAP
● 1998 Most student services on LDAP
● 1999 All staff in LDAP
● 2000 Active Directory
● 2001 Metadirectory
● 2002 Most staff services on DS

Page 10:

Services

● Student mail (webmail)
● UvA Homepages
● Studieweb (exam registration)
● UvA dial-in
● SMS services
● Elections
● UvAweb
● Blackboard

Page 11:

User administration

● 1 username/password
● Personal information
● Accepting the terms of use
● Introduction of new services

Page 12:

[Figure: Netscape LDAP in the centre, fed from the source systems Students, SAP/HR, Alumni and Others; it serves E-mail, Dial-in, Web and Groupware. Microsoft Active Directory is coupled through MMS; the Passwords link towards Active Directory is marked "NO"]

Page 13:

Technology

● Netscape DS / Active Directory
● Schema
  – inetOrgPerson
  – eduPerson ?
  – MS schema
  – uvaPerson
● DC naming (AD)
● X.500 naming (LDAP)

Page 14:

Obstacles

● A lot of integration → a lot of stakeholders
● Consolidating old administrations
● Migration projects
● Product support
  – no directory support
  – idiosyncratic directory support
● Development work

Page 15:

What the UvA did wrong

● Information and support for end users
● Too early
● Too technical
● Too idealistic
● Development effort underestimated
● Top-down versus bottom-up

Page 16:

Positive experiences

● Directory services scale
● Saves on administration
● More and more products support them

Page 17:

What is LDAP?

● Lightweight Directory Access Protocol
● Used to access and update information in a directory built on the X.500 model
● The specification defines the content of the messages exchanged between client and server
● Includes operations to establish a session with the server and to disconnect from it

Page 18:

Directory Services Model

[Figure: several DUAs (Directory User Agents) each talk to a DSA (Directory System Agent) over DAP; the DSAs together make up the Directory]

Page 19:

LDAP Naming

String   Attribute Type
UID      userid
DC       domainComponent
STREET   streetAddress
C        countryName
OU       organizationalUnitName
O        organizationName
ST       stateOrProvinceName
L        localityName
CN       commonName

Page 20:

Information Model

● Directory Information Base
● Directory Entry
● DIT
● RDN & DN
● Directory Schema
● Naming Context

Page 21:

Directory Information Base

● DIB
  – a conceptual information model storing information about OSI objects
  – composed of directory entries
● Directory Entry
  – the collection of information in the DIB about an object in the real world
● Directory Information Tree
  – entries in the DIB are placed as nodes of a hierarchical structure called the DIT

Page 22:

DIT Example

Page 23:

Directory Entry

● Entry
  – a set of attributes
  – attribute = attribute type + attribute value
  – distinguished attributes: used to name the entry
● RDN
  – a set of distinguished attributes
  – RDNs are assigned to the nodes of the DIT
● DN
  – a sequence of RDNs

Page 24:

Directory Entry

Page 25:

Operational Attributes

● creatorsName
● createTimestamp
● modifiersName
● modifyTimestamp
● subschemaSubentry: the Distinguished Name of the subschema entry (or subentry) which controls the schema for this entry

Page 26:

Directory Schema

● DIT Structure
● Object Class
● Attribute Type
● Attribute Syntax

Page 27:

Relationship to X.500

● LDAP is an X.500 access mechanism.
● An LDAP server MUST act in accordance with X.500(1993).
● However, an LDAP server is not required to use any X.500 protocols: LDAP can be mapped onto any other directory system as long as the X.500 data and service model as used in LDAP is not violated in the LDAP interface.

Page 28:

Server-specific Data Requirements

● An LDAP server MUST provide information about itself and other information that is specific to each server.
● This is published as attributes of the root DSE (the entry with the empty DN), e.g. namingContexts, subschemaSubentry, altServer, supportedExtension, supportedControl, supportedSASLMechanisms and supportedLDAPVersion; additional attributes may be defined in other documents.

Page 29:

Referral

[Figure: the DUA sends a request to DSA C; DSA C does not hold the entry and answers with a referral to DSA A; the DUA sends the request again, now to DSA A. DSA A, DSA B and DSA C together form the Directory]

Page 30:

X.500

● X.500 standard, CCITT 1988
  – see ISO 9594
  – X.500-X.521 of 1990

Page 31:

X.500

● Hierarchical
● Directory service
● DAP as access protocol
● Top-heavy; could not be implemented well on the systems available at the time

Page 32:

LDAP servers

Page 33:

Understanding LDAP

● Lightweight alternative to DAP
● Uses TCP/IP instead of the OSI stack
● Simplifies certain functions and omits others
● Represents attribute values as strings rather than with DAP's structured ASN.1 types (the protocol messages themselves are still BER-encoded ASN.1)

Page 34:

LDAP

● Information
  – the structure of the information stored in an LDAP directory
● Naming
  – how information is organised and identified
● Functional / Operations
  – what operations can be performed on the information stored in an LDAP directory
● Security
  – how the information can be protected from unauthorised access

Page 35:

LDAP Information Storage

Page 36:

LDAP Information Storage

● Each attribute has a type (with a syntax) and one or more values
● Matching rules define how values behave in searches and other directory operations
● Syntaxes (legacy short names): bin (binary), ces (case-exact string), cis (case-ignore string), tel (telephone number), dn (distinguished name), etc.
● Usage limits: ssn – single-valued; jpegPhoto – 10K

Page 37:

LDAP Information Storage

● Each entry describes an object (object class)
  – Person, Server, Printer, etc.
● Example entry:
  – inetOrgPerson (cn, sn, objectClass)
● Example attributes:
  – cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

Page 38:

LDAP Naming

● DNs consist of a sequence of Relative DNs
  – cn=John Smith,ou=Austin,o=IBM,c=US (written leaf to root)
  – special characters in a value (',', '+', '"', '\', '<', '>', ';') are escaped with '\' (RFC 2253)
● Directory Information Tree (DIT)
● Follows a geographical or organisational scheme
● The DIT is tree-like; aliases can link to non-leaf nodes
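The escaping rule above is where DN-based LDAP injection happens: a value that is pasted into a DN without escaping can add RDNs and move the entry or the bind target to another part of the tree. The following Python is an added example, not part of the original slides: it parses DNs into RDNs (leaf first, multi-valued RDNs included), escapes values per RFC 2253, checks whether a DN lies under a naming context, and shows what the constructed username `bob,ou=admins` does when it is not escaped. The `uid=<name>,ou=people,dc=example,dc=com` layout is an assumption made for the demo.

```python
"""Added example: parse and build LDAP distinguished names with RFC 2253
escaping.  Stand-alone, standard library only; the DNs and the
'bob,ou=admins' input are constructed for the demo."""

_SPECIAL = set(',+"\\<>;')            # must be escaped anywhere in a value
_HEX = set('0123456789abcdefABCDEF')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        out.append('\\' + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return ''.join(out)


def _finish(buf):
    """Turn a list of (char, was_escaped) into a value, dropping unescaped edge spaces."""
    while buf and buf[0] == (' ', False):
        buf.pop(0)
    while buf and buf[-1] == (' ', False):
        buf.pop()
    return ''.join(c for c, _ in buf)


def parse_dn(dn: str) -> list:
    """Split a DN into RDNs, leaf first.  Each RDN is a list of (type, value)
    tuples so that multi-valued RDNs ('cn=Babs+uid=babs') are represented.
    Escapes ('\\,', '\\2c', ...) are decoded; the empty DN (root DSE) gives []."""
    if dn == '':
        return []
    rdns, rdn, attr, buf = [], [], None, []
    i, n = 0, len(dn)
    while True:
        ch = dn[i] if i < n else None
        if ch == '\\':
            if i + 1 >= n:
                raise ValueError('dangling backslash')
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))   # \XX hex pair
                i += 3
            else:
                buf.append((dn[i + 1], True))                        # \<special>
                i += 2
            continue
        if ch == '=' and attr is None:
            attr, buf = _finish(buf), []
        elif ch in ('+', ',', None):
            if attr is None:
                raise ValueError(f'RDN without "=" at position {i}')
            rdn.append((attr, _finish(buf)))
            attr, buf = None, []
            if ch != '+':
                rdns.append(rdn)
                rdn = []
            if ch is None:
                return rdns
        else:
            buf.append((ch, False))
        i += 1


def build_dn(*rdns) -> str:
    """Join (type, value) pairs, leaf first, into a DN with every value escaped."""
    return ','.join(f'{t}={escape_dn_value(v)}' for t, v in rdns)


def is_under(dn: str, base: str) -> bool:
    """True when dn equals base or lies below it, compared RDN by RDN
    (attribute types case-insensitive; values compared exactly here)."""
    d, b = parse_dn(dn), parse_dn(base)
    norm = lambda rdn: sorted((t.lower(), v) for t, v in rdn)
    return len(d) >= len(b) and [norm(r) for r in d[len(d) - len(b):]] == [norm(r) for r in b]


def rdn_count_for_user(username: str, safe: bool) -> int:
    """Demo: how many RDNs a server sees when the supplied username is placed
    into the assumed 'uid=<username>,ou=people,dc=example,dc=com' layout."""
    uid = escape_dn_value(username) if safe else username
    return len(parse_dn(f'uid={uid},ou=people,dc=example,dc=com'))


if __name__ == '__main__':
    print(parse_dn('cn=John Smith,ou=Austin,o=IBM,c=US'))
    print(build_dn(('cn', 'Smith, John'), ('o', 'IBM'), ('c', 'US')))
    print(rdn_count_for_user('bob,ou=admins', safe=False),
          rdn_count_for_user('bob,ou=admins', safe=True))
```

Unescaped, `bob,ou=admins` yields five RDNs (the user just created `ou=admins` in the path); escaped it stays one value in four RDNs. The same escaping is required before a DN built from user input is used as a bind DN.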

Page 39:

LDAP Naming

● Referrals: a server need not hold the entire DIT (v3)
● A referral is an entry with
  – objectClass=referral, attribute ref, value = an LDAP URL
● Implementations differ
  – referrals versus chaining (vendor-specific)
● RFC 1777 (LDAPv2): the server is expected to chain

Page 40:

LDAP Naming

● Schema
  – defines which object classes are allowed
  – where they are stored
  – which attributes they have (objectClass)
  – which attributes are optional (objectClass)
  – the type/syntax of each attribute (objectClass)
● Query the server for this information at the zero-length DN (the root DSE; its subschemaSubentry attribute names the schema entry)
● The LDAP schema must be readable by the client

Page 41:

LDAP Functions/Operations

● Authentication
  – BIND/UNBIND
  – ABANDON
● Query
  – Search
  – Compare entry
● Update
  – Add an entry
  – Delete an entry (leaf nodes only; aliases are not dereferenced)
  – Modify an entry, Modify DN/RDN

Page 42:

LDAP Security

● The LDAP version current in March 1995 (LDAPv2) supports
  – clear-text passwords
  – Kerberos version 4 authentication
● Other authentication methods were left to future versions
● SASL support was added in version 3; the Kerberos v4 bind choices were dropped in its favour (Kerberos remains available as a SASL mechanism, GSSAPI)

Page 43:

LDAP Security

● Security is based on the BIND model
● Clear-text (simple) bind: version 1
● Kerberos bind: versions 1, 2, 3 (deprecated)
● SASL: version 3
  – Simple Authentication and Security Layer
  – uses one of many authentication mechanisms
● Proposal for Transport Layer Security
  – based on SSL v3 from Netscape

Page 44:

LDAP Security

● None (anonymous)
● Basic authentication
  – DN and password
  – sent in clear text or Base64 (Base64 is an encoding, not protection: whoever sees the traffic has the password)
● SASL (RFC 2222)
  – choice of authentication mechanism
  – encryption (security layer) optional

Page 45:

LDAP Security

● LDAP using SASL over SSL/TLS

Page 46:

Directory Client/Server Interaction

Page 47:

Page 48:

LDAP Directory Services & Identity Management

Page 49:

RFCs

● RFC 1777 – LDAPv2
● RFC 1778 – LDAPv2: String Representation of Standard Attribute Syntaxes
● RFC 1823 – LDAP API (in C)
● RFC 2247 – Use of DNS domains in distinguished names
● RFC 2251 – LDAPv3: The specification of the LDAP on-the-wire protocol
● RFC 2252 – LDAPv3: Attribute Syntax Definitions
● RFC 2253 – LDAPv3: UTF-8 String Representation of Distinguished Names
● RFC 2254 – LDAPv3: The String Representation of LDAP Search Filters
● RFC 2255 – LDAPv3: The LDAP URL Format
● RFC 2256 – LDAPv3: A Summary of the X.500(96) User Schema
● RFC 2829 – LDAPv3: Authentication Methods for LDAP
● RFC 2830 – LDAPv3: Extension for Transport Layer Security
● RFC 3377 – LDAPv3: Technical Specification
● RFC 2307 – Using LDAP as a Network Information Service

(The LDAPv3 documents above have since been superseded by the RFC 4510–4519 series of 2006.)

Page 50:

Implementations

● University of Michigan
● OpenLDAP
● IBM Directory
● Apple Open Directory
● Sun ONE (Netscape/iPlanet)
● Novell eDirectory
● Microsoft Active Directory

Page 51:

OpenLDAP

● slapd
  – directory server
● slurpd
  – replication server (removed in OpenLDAP 2.4 in favour of syncrepl)
● Libraries
● Tools
  – local (offline, operating on the database files directly)
  – via the server (online, over LDAP)

Page 52:

Schema

core.schema           OpenLDAP core (required)
cosine.schema         COSINE and Internet X.500 (useful)
inetorgperson.schema  InetOrgPerson (useful)
misc.schema           Assorted (experimental)
nis.schema            Network Information Services (FYI)
openldap.schema       OpenLDAP Project (experimental)

Local additions: eduperson, libraryperson, uvaperson

Page 53:

LDIF import and export

dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
# clear-text value shown for illustration only; store a hash generated with slappasswd instead
userPassword: rJsmitH
carLicense: HISCAR 123
homePhone: 555-111-2222
mail: [email protected]
mail: [email protected]
mail: [email protected]
description: swell guy
ou: Human Resources

Page 54:

LDIF modify

Each change in a modify record starts with add:, replace: or delete: naming the attribute and is terminated by a line containing only "-":

dn: cn=Robert Smith,ou=people,dc=example,dc=com
changetype: modify
add: telephoneNumber
telephoneNumber: 123-111
-

Page 55:

Offline commands (operate on the database files directly)

● slappasswd
● slapadd
● slapcat
● slapindex
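slappasswd is the tool that should have produced the userPassword value in the LDIF on page 53 instead of the clear-text string shown there. The following Python is an added example, not code from the slides or from OpenLDAP: it reproduces the {SSHA} format slappasswd emits by default (Base64 of SHA-1(password || salt) followed by the 4-byte salt), verifies a password against such a value with a constant-time comparison, and rewrites clear-text userPassword lines in an LDIF text. The LDIF fragment and the fixed salt are constructed for the demo.

```python
"""Added example: {SSHA} userPassword values as produced by slappasswd, with
verification and an LDIF rewriter.  Stand-alone, standard library only; the
LDIF fragment below is constructed to mirror the slide's entry."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt=None) -> str:
    """{SSHA} = base64( SHA-1(password || salt) || salt ), RFC 2307 style."""
    if salt is None:
        salt = os.urandom(4)                 # slappasswd uses a 4-byte salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_split(stored: str):
    """Return (digest, salt) from a stored {SSHA} value."""
    if not stored.startswith('{SSHA}'):
        raise ValueError('not an {SSHA} value')
    raw = base64.b64decode(stored[len('{SSHA}'):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare digests in constant time."""
    digest, salt = ssha_split(stored)
    return hmac.compare_digest(hashlib.sha1(password.encode('utf-8') + salt).digest(), digest)


def hash_ldif_passwords(ldif: str, salt=None) -> str:
    """Replace clear-text 'userPassword:' values with {SSHA}.  Values that
    already carry a {scheme} prefix are left alone; the 'attr:: base64' LDIF
    form is decoded first."""
    out = []
    for line in ldif.splitlines():
        name, sep, rest = line.partition(':')
        if sep and name.strip().lower() == 'userpassword':
            if rest.startswith(':'):                          # base64-encoded value
                plain = base64.b64decode(rest[1:].strip()).decode('utf-8')
            else:
                plain = rest.strip()
            if not plain.startswith('{'):
                out.append('userPassword: ' + ssha_hash(plain, salt))
                continue
        out.append(line)
    return '\n'.join(out)


# Constructed LDIF mirroring the slide's entry: the password is in the clear.
SAMPLE_LDIF = """dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Robert Smith
sn: smith
uid: rjsmith
userPassword: rJsmitH
"""

if __name__ == '__main__':
    print(hash_ldif_passwords(SAMPLE_LDIF))
```

Salted SHA-1 with a 4-byte salt is fast to brute-force offline once the hashes leak, so the ACL on userPassword (page 60) matters as much as the hash; newer OpenLDAP releases also offer slower schemes as loadable password modules.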

Page 56:

Online commands (go through slapd over LDAP)

● ldappasswd
● ldapadd
● ldapdelete
● ldapcompare
● ldapmodify
● ldapsearch
● ldapmodrdn

Page 57:

LDAP Search

&    and
|    or
!    not
=    equal
~=   approximate
>=   greater than or equal
<=   less than or equal

(cn=Babs Jensen)
(!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*)
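Evaluating filters like these, and escaping user input before it is pasted into one, is easiest to see in code. The following Python is an added example, not from the slides: a parser for the RFC 2254 string form, an evaluator with caseIgnore matching over a few constructed entries, and a `login_filter` helper that shows what a raw `*` does when it is not escaped. Assumptions: the entries and the `(&(objectClass=*)(uid=...))` lookup pattern are constructed for the demo; the `~=` rule uses difflib as a stand-in for a vendor's approximate-match algorithm; and a real server also matches superclasses (an inetOrgPerson is a person), which this toy does not.

```python
"""Added example: RFC 2254 search-filter parser/evaluator plus the escaping a
client must apply to user input.  Stand-alone, standard library only; the
entries below are constructed sample data, not a real directory."""
import difflib
import re

# Constructed sample entries (attribute names lowercased, values as lists).
ENTRIES = [
    {'dn': 'cn=Babs Jensen,o=University of Michigan,c=US',
     'objectclass': ['top', 'person'], 'cn': ['Babs Jensen'], 'sn': ['Jensen'],
     'o': ['University of Michigan'], 'uid': ['babs']},
    {'dn': 'cn=Tim Howes,o=University of Michigan,c=US',
     'objectclass': ['top', 'person'], 'cn': ['Tim Howes'], 'sn': ['Howes'],
     'o': ['University of Michigan'], 'uid': ['tim']},
    {'dn': 'cn=Robert Smith,ou=people,dc=example,dc=com',
     'objectclass': ['top', 'inetOrgPerson'],
     'cn': ['Robert Smith', 'Robert J Smith', 'bob smith'],
     'sn': ['smith'], 'uid': ['rjsmith'], 'ou': ['Human Resources']},
]


def escape_filter_value(value: str) -> str:
    """RFC 2254 section 4: encode '*', '(', ')', '\\' and NUL as \\XX so that
    user input can only ever be a value, never filter structure."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


_ITEM = re.compile(r'([A-Za-z0-9.;-]+)(~=|>=|<=|=)(.*)$', re.S)


def parse_filter(s: str, pos: int = 0):
    """Recursive-descent parser.  Returns (node, position after the node).
    Nodes: ('&', [...]), ('|', [...]), ('!', node), ('present', attr),
    ('sub', attr, [initial, any..., final]), ('=' | '~=' | '>=' | '<=', attr, value)."""
    if s[pos] != '(':
        raise ValueError(f'expected "(" at {pos}')
    pos += 1
    op = s[pos]
    if op in '&|':
        pos += 1
        kids = []
        while s[pos] == '(':
            node, pos = parse_filter(s, pos)
            kids.append(node)
        if s[pos] != ')':
            raise ValueError(f'expected ")" at {pos}')
        return (op, kids), pos + 1
    if op == '!':
        node, pos = parse_filter(s, pos + 1)
        if s[pos] != ')':
            raise ValueError(f'expected ")" at {pos}')
        return ('!', node), pos + 1
    end = s.index(')', pos)
    m = _ITEM.match(s[pos:end])
    if not m:
        raise ValueError(f'bad filter item {s[pos:end]!r}')
    attr, cmp, val = m.groups()
    if cmp == '=' and val == '*':
        return ('present', attr), end + 1
    if cmp == '=' and '*' in val:
        return ('sub', attr, [_unescape(p) for p in val.split('*')]), end + 1
    return (cmp, attr, _unescape(val)), end + 1


def _values(entry, attr):
    v = entry.get(attr.lower(), [])
    return [v] if isinstance(v, str) else list(v)


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry with caseIgnore semantics
    (the 'cis' syntax of the slides); '~=' uses difflib as a toy approximate rule."""
    kind = node[0]
    if kind == '&':
        return all(matches(k, entry) for k in node[1])
    if kind == '|':
        return any(matches(k, entry) for k in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    if kind == 'present':
        return bool(_values(entry, node[1]))
    vals = [v.lower() for v in _values(entry, node[1])]
    if kind == 'sub':
        pattern = '^' + '.*'.join(re.escape(p.lower()) for p in node[2]) + '$'
        return any(re.search(pattern, v, re.S) for v in vals)
    target = node[2].lower()
    if kind == '=':
        return target in vals
    if kind == '~=':
        return any(difflib.SequenceMatcher(None, v, target).ratio() >= 0.8 for v in vals)
    if kind == '>=':
        return any(v >= target for v in vals)
    return any(v <= target for v in vals)          # '<='


def search(entries, filter_str: str) -> list:
    """Return the DNs of all entries matching filter_str."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError('trailing data after filter')
    return [e['dn'] for e in entries if matches(node, e)]


def login_filter(username: str, safe: bool = True) -> str:
    """Filter an application might build to look up a user before binding.
    With safe=False the raw input is pasted in: the LDAP-injection bug."""
    v = escape_filter_value(username) if safe else username
    return f'(&(objectClass=*)(uid={v}))'


if __name__ == '__main__':
    for f in ['(cn=Babs Jensen)', '(!(cn=Tim Howes))',
              '(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))', '(o=univ*of*mich*)']:
        print(f, '->', search(ENTRIES, f))
    print(login_filter('*', safe=False), '->', search(ENTRIES, login_filter('*', safe=False)))
    print(login_filter('*'), '->', search(ENTRIES, login_filter('*')))
```

With the raw input the lookup becomes `(uid=*)`, a presence test that matches every user; escaped, `\2a` is just the literal character `*` and matches nothing.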

Page 58:

Indexing

● eq      equality
● pres    presence
● sub     substring
● approx  approximate (expensive!)

Page 59:

Indexing

index uid eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index cn pres,eq,sub
index sn pres,eq,sub
index objectClass pres,eq
index nisDomain eq
index nisNetgroupTriple pres,eq,sub
index memberNisNetgroup pres,eq,sub
index nisMapName eq

Page 60:

ACL

access to <what> [ by <who> <accesslevel> <control> ]+

slapd evaluates access directives in the order written and uses only the first one whose <what> matches; within it the first matching "by" clause decides, and an implicit "by * none" ends every directive. The attribute-specific directive therefore has to come before the catch-all, otherwise "access to *" shadows it and anonymous users can read userPassword while nobody can change it:

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by anonymous read
        by * none
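The first-match rule is easy to get wrong, so here is an added Python evaluator (not OpenLDAP code) that models slapd.access(5) evaluation for the subset of selectors on this slide (`*`, attrs=, dn.exact/subtree/children for <what>; `*`, anonymous, users, self and dn= for <who>) and runs the two directives in both orders. The DNs are constructed; a request that no directive matches is treated as `none`, which is a simplification of the real default.

```python
"""Added example: evaluator for OpenLDAP-style 'access to ... by ...'
directives, showing why directive order matters (first matching <what> wins,
then first matching <who>).  Stand-alone, standard library only; the two
configs and the DNs are constructed for the demo."""
import shlex

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']


def _norm(dn: str) -> str:
    return ','.join(part.strip().lower() for part in dn.split(','))


def parse_acls(conf: str) -> list:
    """Parse slapd.conf access directives into
    [{'what': {...}, 'by': [(who, level), ...]}, ...]; the implicit trailing
    'by * none' of every directive is made explicit."""
    toks = shlex.split(conf, comments=True)
    acls, i = [], 0
    while i < len(toks):
        if toks[i:i + 2] != ['access', 'to']:
            raise ValueError(f'unexpected token {toks[i]!r}')
        i += 2
        what = {}
        while i < len(toks) and toks[i] != 'by':
            t = toks[i]
            if t == '*':
                pass
            elif t.startswith(('attrs=', 'attr=')):
                what['attrs'] = {a.strip().lower() for a in t.split('=', 1)[1].split(',')}
            elif t.startswith('dn'):            # dn="...", dn.exact=, dn.subtree=, dn.children=
                style, _, val = t.partition('=')
                what['dn'] = (style.split('.')[1] if '.' in style else 'exact', _norm(val))
            else:
                raise ValueError(f'unsupported <what> selector {t!r}')
            i += 1
        by = []
        while i < len(toks) and toks[i] == 'by':
            who, level = toks[i + 1], toks[i + 2]
            if level not in LEVELS:
                raise ValueError(f'unknown access level {level!r}')
            i += 3
            if i < len(toks) and toks[i] in ('stop', 'continue', 'break'):
                i += 1                          # control keyword; only the default 'stop' is modelled
            by.append((who, level))
        if not by or by[-1][0] != '*':
            by.append(('*', 'none'))
        acls.append({'what': what, 'by': by})
    return acls


def _what_matches(what: dict, target_dn: str, attr) -> bool:
    if 'attrs' in what and (attr is None or attr.lower() not in what['attrs']):
        return False
    if 'dn' in what:
        style, base = what['dn']
        t = _norm(target_dn)
        if style == 'exact':
            return t == base
        if style == 'subtree':
            return t == base or t.endswith(',' + base)
        if style == 'children':
            return t.endswith(',' + base)
        raise ValueError(f'unsupported dn style {style!r}')
    return True


def _who_matches(who: str, requester_dn, target_dn: str) -> bool:
    if who == '*':
        return True
    if who == 'anonymous':
        return requester_dn is None
    if who == 'users':
        return requester_dn is not None
    if who == 'self':
        return requester_dn is not None and _norm(requester_dn) == _norm(target_dn)
    if who.startswith('dn'):
        return requester_dn is not None and _norm(requester_dn) == _norm(who.partition('=')[2])
    raise ValueError(f'unsupported <who> selector {who!r}')


def effective_level(acls: list, requester_dn, target_dn: str, attr=None) -> str:
    """requester_dn None = anonymous session; attr None = the entry itself.
    The first directive whose <what> matches is the only one consulted; inside
    it the first matching <who> decides.  Nothing matching is 'none' here."""
    for acl in acls:
        if _what_matches(acl['what'], target_dn, attr):
            for who, level in acl['by']:
                if _who_matches(who, requester_dn, target_dn):
                    return level
    return 'none'


def allowed(acls: list, requester_dn, target_dn: str, attr, needed: str) -> bool:
    return LEVELS.index(effective_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


SLIDE_ORDER = """
access to *
    by anonymous read
    by * none
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
"""
FIXED_ORDER = """
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by anonymous read
    by * none
"""
BOB = 'uid=rjsmith,ou=people,dc=example,dc=com'   # constructed DN

if __name__ == '__main__':
    for name, conf in (('slide order', SLIDE_ORDER), ('fixed order', FIXED_ORDER)):
        acls = parse_acls(conf)
        print(name, '| anonymous reads userPassword:', allowed(acls, None, BOB, 'userPassword', 'read'),
              '| anonymous may bind:', allowed(acls, None, BOB, 'userPassword', 'auth'),
              '| self changes password:', allowed(acls, BOB, BOB, 'userPassword', 'write'))
```

In the slide's order the catch-all wins for every request: anonymous sessions get `read` on userPassword and the owner gets `none`. With the attribute directive first, anonymous gets only `auth` (enough to bind, not to read the hash) and the owner can write it.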

Page 61:

LDAP Proxies

● Performance
  – can hold a subset of the data
  – load balancing
● Translation of attribute names
  – connecting servers with different schemas