Integration and LDAP Consistent Sign-on and Directory Enabled Networking An LDAP Master Class Edmund J. Sutcliffe Thoughtful Solutions; Creatively Implemented.

Post on 28-Mar-2015


Integration and LDAP

Consistent Sign-on and Directory Enabled Networking

An LDAP Master Class

Edmund J. Sutcliffe
Thoughtful Solutions; Creatively Implemented and Communicated
<edmunds@panic.fluff.org>
<http://panic.fluff.org>
+44 (0) 7976 938841

Welcome to Class

Welcome to ... Integration and LDAP

While waiting for the class to begin … please fill out your tent card

Class will begin at ...

Class Audience

Consultants, systems engineers, and other technical personnel responsible for designing and implementing directory services using

Best suited to those with Heterogeneous OS knowledge and good Networking knowledge

You don’t have to be an LDAP expert

Class Objectives

Document Directory Data Requirements

Develop a Directory Schema

Design a Directory Tree Hierarchy

Create Directory Access Control Rules

Select Indexes to Support Your Design

Demonstrate Directory Service Interoperability

Facility Information

Please listen carefully while your instructor gives you important information about the training facility:
Emergency exits and first aid
Where to go for breaks and lunch
Restrooms
Telephones
Other important facts

Introductions

Who are you ?

Where are you from ?

What do you do ?

What do you know ?

What do you want from the class ?

LDAP Module Objectives

Upon completion of this module, you should be able to:
Describe the role of directory services
Describe LDAP, the underlying protocol used in directory service implementation
Use LDAP client applications to access directory service data

What is a directory ?

A centralised structured repository of configuration, authentication and other network and system related information.

A system optimised for lookup based applications

It is not a database:
It doesn’t have relationships
It isn’t transactional
It has poor modification performance

The Role of Directory Services

Facilitate integrated application design

Store two data types:
User and application data
Application configuration data

Provide high performance query capabilities

Uses platform independent technologies (LDAP)

Current Situation

[Figure: systems administrators provision users and systems through a manual process; turnaround is days or weeks]

The Digital Persona of Tomorrow

[Figure: desired architecture, in which systems and users are provisioned from an LDAP-based directory in real time]

Application Configuration Data

Application settings
Physical location of application components
Version information for application components
Application’s object definitions
Allows applications to query the directory for configuration information

Application Integration

[Figure: an LDAP server at the centre. The client reaches the file server over SMB, the IIS server over HTTP (IIS in turn queries LDAP and SQL Server from ASP), the Samba 2.2.2 PDC and the NT domain over SMB, the SMTP server over SMTP and the POP/IMAP server over POP/IMAP; every one of those servers resolves users and configuration against the LDAP server over LDAP]

Why does it Work ?

LDAP

Common Schema between Applications

Common known Directory Information Tree (DIT)

Directory Enabled Networking

Common Encryption (I wish!)

Coffee --1

A quick 10 minute Break

Integration

The How and the Why of it


How ?

Build Install LDAP Server

Install pam_ldap

Install nss_ldap

Build Install Samba 2.2.2

Client Windows Servers into Domain

Drink Beer

Build OpenLDAP

OpenLDAP 2.0.15
# ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc --libexecdir=/usr/sbin --mandir=/usr/share/man --with-subdir=ldap --enable-wrappers --without-cyrus-sasl
# make
# make install

Configure /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
# RUN Stuff
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database ldbm
suffix "dc=fluff,dc=org"
rootdn "cn=Directory Manager,dc=fluff,dc=org"
rootpw xxxxxx
directory /var/openldap-ldbm
## Access Control Restrictions
access to attr=userPassword
    by self write
    by anonymous read
    by * none
access to *
    by self write
    by anonymous read
    by users read
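The userPassword directive above grants "by anonymous read", and the catch-all directive under it lets anonymous clients read every other attribute as well, so anyone who can reach port 389 can pull the password hashes of every account. The following Python is an added example, not part of the class materials or of OpenLDAP: it models slapd's first-match evaluation of the clause types used on these slides (it knows nothing of by dn=, regex targets or filters) and compares the slides' rules with a hardened variant of my own, in which anonymous clients get only auth on userPassword (enough to bind) and nothing else.

```python
"""Added example: a simplified model of how slapd evaluates 'access to' directives.

Not part of the class materials. Only the clauses used on the slides are modelled
(targets 'attr=<name>' and '*'; subjects self / anonymous / users / '*'), with
slapd's first-match semantics: the first 'access to' whose target matches is the
only one consulted, and within it the first 'by' whose subject matches decides.
Every directive ends with an implicit 'by * none'.
"""

# Access levels in increasing order of privilege (OpenLDAP 2.0 ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two directives from the slapd.conf on the slides.
DECK_ACLS = """
access to attr=userPassword by self write by anonymous read by * none
access to * by self write by anonymous read by users read
"""

# Hardened variant (my proposal, not from the slides): anonymous may use
# userPassword only to bind ('auth'), never read it, and may read nothing else.
HARDENED_ACLS = """
access to attr=userPassword by self write by anonymous auth by * none
access to * by self write by users read by anonymous none
"""


def parse_acls(text):
    """Turn 'access to <what> by <who> <level> ...' lines into (target, [(who, level), ...])."""
    rules = []
    for line in text.strip().splitlines():
        words = line.split()
        if words[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {line}")
        clauses, i = [], 3
        while i < len(words):
            if words[i] != "by" or i + 2 >= len(words):
                raise ValueError(f"malformed by-clause in: {line}")
            clauses.append((words[i + 1], words[i + 2]))
            i += 3
        rules.append((words[2], clauses))
    return rules


def subject_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous (unauthenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported subject: {who}")


def allowed(rules, bind_dn, entry_dn, attr, needed):
    """True if the requester gets at least the 'needed' level on attr of entry_dn."""
    for target, clauses in rules:
        if target != "*" and target.lower() != f"attr={attr}".lower():
            continue
        for who, level in clauses:
            if subject_matches(who, bind_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False            # no by-clause matched: implicit 'by * none'
    return False                # no directive matched: default deny


def password_hash_exposed(acl_text, entry_dn):
    """Can an anonymous client read userPassword (i.e. fetch the hash) of entry_dn?"""
    return allowed(parse_acls(acl_text), None, entry_dn, "userPassword", "read")


if __name__ == "__main__":
    dn = "uid=es26336,ou=People,dc=fluff,dc=org"
    for label, text in (("slides", DECK_ACLS), ("hardened", HARDENED_ACLS)):
        print(f"{label}: anonymous can read userPassword: {password_hash_exposed(text, dn)}")
```

With the slides' rules the first call reports True; with the hardened rules it reports False while a bind (auth) and the owner's own write still succeed, which is the behaviour the pam_ldap and Samba clients later in the class actually need.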

Make it work

Design a Schema: find out which apps require what

Design a Tree (DIT): see where control is in your organisation

Populate the LDAP server

# /etc/init.d/slapd stop
# rm -f /var/openldap-ldbm/*
# /etc/init.d/slapd start
# cd /etc/ldap
# ldapadd -D "cn=Directory Manager,dc=fluff,dc=org" -w xxxx -f base.ldif

LDAP Tree

Configure LDAP

Configure /etc/ldap/ldap.conf
BASE dc=levenshulme,dc=fluff,dc=org
host 127.0.0.1
ldap_version 2
port 389
pam_member_attribute uniquemember
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=People,dc=levenshulme,dc=fluff,dc=org?one
nss_base_shadow ou=People,dc=levenshulme,dc=fluff,dc=org?one
nss_base_group ou=Groups,dc=levenshulme,dc=fluff,dc=org?one

Find the other ldap.conf’s and point here
# rm /etc/ldap.conf
# ln -s /etc/ldap/ldap.conf /etc/ldap.conf

Why PAM and NSS ?

Traditional services (telnet/ftp etc) authenticate via PAM

Traditional C programs do name searches via NSS: gethostbyxxxx, getpwent, getpwnam, getpw...

(well, everywhere but Microsoft) They do ADSI (sometimes!)

Configure PAM

Plug-able Authentication Modules
Build PAM

ftp://ftp.padl.com/pub/pam_ldap-124.tgz
# tar -zxvf pam_ldap-124.tgz
# ./configure
# make
# make install

Edit the /etc/pam.d/ files, e.g. login:
auth required /lib/security/pam_securetty.so debug
auth required /lib/security/pam_nologin.so debug
auth sufficient /lib/security/pam_ldap.so debug
auth required /lib/security/pam_unix_auth.so
account sufficient /lib/security/pam_ldap.so debug
session required /lib/security/pam_unix_session.so

Configure NSS

Name Services Libraries
Build libnss

ftp://ftp.padl.com/pub/libnss-172.tgz
# ./configure --enable-rfc2307bis
# make
# make install

Configure /etc/nsswitch.conf
passwd: files ldap
group: files ldap
hosts: files dns ldap
services: files ldap [NOTFOUND=return] files
networks: files ldap [NOTFOUND=return] files
protocols: files ldap [NOTFOUND=return] files
rpc: files ldap [NOTFOUND=return] files
ethers: files ldap [NOTFOUND=return] files
# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files

Why Samba PDC ?

Scalability of File and Print Services

Integration with NetAtalk (Mac services)

Source (fix the features)

Performance

Cost !

[Figure: Samba throughput and response time]

Configure Samba 2.2.2

Build Samba
# ./configure --sysconfdir=/etc/samba --with-privatedir=/etc/samba --with-lockdir=/var/state/samba --localstatedir=/var --with-syslog --with-utmp --with-readline --with-sambabook --with-ldapsam --with-msdfs --with-acl-support
# make
# make install

Configure samba /etc/samba/smb.conf
[global]
    workgroup = levenshulme
    domain logons = yes
    domain admin group = @ntadmin
    unix password sync = yes
    passwd program = /etc/samba/passwdsync %u
    passwd chat = *OLD* %o\n *NEW* %n\n *AGAIN* %n\n *changed*
    passwd chat debug = true
    encrypt passwords = yes
    guest account = nobody
    status = yes
    os level = 70
    domain master = yes
    security = user
    log level = 1
    log file = /var/log/samba/%m.log
    logon drive = U:
    ldap admin dn = "cn=Directory Manager,dc=fluff,dc=org"
    ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
    ldap suffix = "ou=people,dc=levenshulme,dc=fluff,dc=org"
[homes]
    comment = Home Directories
    read only = no
    public = no
    writeable = yes

Store the password for the ldap admin dn in Samba's secrets.tdb:
# smbpasswd -w xxxxxx

Samba as PDC

Grouping across platforms hold true

Single Sign-on into the Microsoft environment: login to Windows logs into SQL Server/Exchange

Password kept in sync with other OS’s and tools

[Figure: a Novell NetWare 5.0 NDS master with two NDS replicas, Apple MacOS and Windows workstations, and a Solaris 2.6 host using PAM and NSS, all served by the directory service]

NDS Integration Possibilities

Apache

Apache 1.3.2

mod_auth_ldap

mod_ssl

JumpStart and PXE

Jumpstart (autobuild of Solaris hosts)

PXE (Jumpstart for Intel): extensions to DHCP and DEN systems

Possible to build systems automatically based on the roles stored within LDAP

PXE can build Linux & Windows (bpbatch + easyInternet)

Why Bother ?

Infrastructure that just works
Ubiquity of configuration information
Rich personalisation: users want to set their screen colours!
Universal access: not just people but also applications
Single point of control
We want to drink BEER!

Coffee --2

A quick 10 minute Break

LDAP Background

LDAP - Lightweight Directory Access Protocol
Protocol for providing directory services over TCP/IP
Described in RFC 1823

LDAP is a standard, extensible directory access protocol
Allows client and server software from many different vendors to interoperate
Is lightweight, efficient, straightforward, easy to implement
Uses a simplified set of encoding methods and runs directly on top of TCP/IP
APIs include C APIs, Java APIs and PerLDAP

Databases vs. Directories

Characteristic            Conventional Databases    Directory Services
SQL                       Yes                       No
Read / Write ratio        1 / 1                     1000 / 1
Common Access Protocol    No                        Yes
Transaction Oriented      Yes                       No

Directory Structure - Entries

An entry is a collection of attribute/value pairs

User Attributes                   Application Attributes
attribute   value                 attribute        value
uid         es26336               uidNumber        26336
sn          Sutcliffe             primaryGroupID   1793
cn          Edmund                defaultdomain    fluff.org
l           Manchester            sambahome        /export/home

Directory Structure – Data Tree

Entries are arranged in a hierarchical tree-like structure

Entries are identified by a unique distinguished name (DN)

[Figure: a tree rooted at the suffix dc=fluff,dc=org, with ou=People (entries Edmund and Martin) and ou=Groups (entries Administrators and Staff) beneath it]

Suffix DN: dn: dc=fluff,dc=org
Entry DN:  dn: uid=es26336,ou=People,dc=fluff,dc=org

Typical Directory Entry

[Figure labels: the whole dn line is the Distinguished Name (DN); its first component, uid=es26336, is the Relative Distinguished Name (RDN)]

dn: uid=es26336,ou=People,dc=fluff,dc=org

cn: Edmund Sutcliffe

sn: Sutcliffe

givenname: Edmund

objectclass: top

objectclass: person

objectclass: organizationalPerson

objectclass: inetOrgPerson

ou: People

l: Manchester

uid: es26336

mail: edmunds@fluff.org

telephonenumber: +44 7976 938841

organizationalPerson requires objectclass, sn, cn; allows description, streetaddress, telephonenumber, pagernumber, mail, title, etc.

Schema and Objectclasses

[Figure: attributes (objectclass, aci, cn, sn, telephonenumber, description, uid, mail, host, mailquota, l, street, postalcode, st, ...) grouped into the object classes top, person and organizationalperson]

Objectclass Inheritance

[Figure: top carries objectclass (required) and aci; person (from top) adds cn (required), sn (required) and description; organizationalperson (from person) adds o, ou, givenname, description, title and employeenumber]

Topology

How should the directory contents be designed?

How should the directory be deployed in the physical infrastructure?

Directory Replication

Replication is the mechanism that…

Copies information between Directory Servers so that the same information exists on several different physical servers

Allows a master server to hold a master copy of the information and automatically copy updates to all replicas

Directory Referrals

A Directory Referral is a …

Redirection mechanism

An alternate LDAP address given back to a client requesting information

Types of referrals: suffix, replication

Clients have to handle this !

What Is LDIF?

LDAP Directory Interchange Format: ASCII representation of directory entries

Uses in Directory Server configuration: data import/export operations, backup files, schema files

Command-line utilities: ldapsearch, ldapmodify, etc.

Space = ?

dn: dc=fluff,dc=org
objectclass: top
objectclass: domain
dc: fluff

dn: ou=People, dc=fluff,dc=org
objectclass: top
objectclass: organizationalunit
ou: People

dn: uid=es26336, ou=People, dc=fluff,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Edmund Sutcliffe
sn: Sutcliffe
givenname: Edmund
ou: Staff
uid: es26336

Search

Criteria based

Allows the client to specify:
Where to begin searching in the directory tree
How much of the tree to search
Which attribute values to return
The pattern to match

Using LDAP URLs

ldap://ldap.fluff.org:389/dc=fluff,dc=org?telephoneNumber?sub?(cn=Ed*)

ldap[s]://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>

base ::= where to start

attributes ::= what is shown

scope ::= base | one | sub

filter ::= (|(filter)(filter)) | (&(filter)(filter)) etc
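The URL on the slide and the grammar above, as an added worked example that is not from the class materials or from any LDAP library: a Python parser for the ldap[s]://host:port/base?attributes?scope?filter layout, a recursive-descent parser for the filter grammar, and a search() that applies base/one/sub scoping and the filter to a small in-memory directory built from the entries on the slides (the second person entry, uid=martin, is invented for the example). It goes slightly beyond the slide by also handling presence (attr=*) and negation (!) filters.

```python
"""Added example (not from the class materials): parse an LDAP URL laid out as on the slide
and run it against an in-memory directory. Filters support &, |, !, equality, '*' substring
and presence tests; DNs are split on plain commas (no escaped commas)."""
import re
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url):
    """Split ldap[s]://host:port/base?attributes?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # urlsplit puts everything after the first '?' into .query; the later '?' characters
    # are the attributes/scope/filter separators of the LDAP URL format, so split on them.
    fields = (unquote(parts.path.lstrip("/")) + "?" + unquote(parts.query)).split("?")
    base, attrs, scope, flt = (fields + [""] * 4)[:4]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError(f"bad scope: {scope}")
    return {"host": parts.hostname,
            "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
            "base": base,
            "attributes": [a for a in attrs.split(",") if a],
            "scope": scope or "base",                 # defaults for empty fields
            "filter": flt or "(objectClass=*)"}


def parse_filter(text):
    """Parse e.g. (&(objectclass=person)(!(mail=*))) into nested tuples."""
    def node(pos):
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                child, pos = node(pos)
                kids.append(child)
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed compound filter")
            return (op, kids), pos + 1
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not (attr and sep):
            raise ValueError(f"bad filter item: {text[pos:end]}")
        return ("=", attr, value), end + 1
    tree, pos = node(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """entry maps lowercased attribute names to value lists (LDAP names are case-insensitive)."""
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    values = entry.get(tree[1].lower(), [])
    if tree[2] == "*":                                # presence test
        return bool(values)
    regex = ".*".join(re.escape(p) for p in tree[2].split("*"))   # '*' is a wildcard
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def in_scope(dn, base, scope):
    """base: the entry itself; one: its immediate children; sub: the whole subtree."""
    rdns = lambda d: [r.strip().lower() for r in d.split(",")]
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(url, directory):
    """Return [(dn, {attribute: values})] for the entries the URL selects, like ldapsearch."""
    req = parse_ldap_url(url)
    tree, wanted = parse_filter(req["filter"]), [a.lower() for a in req["attributes"]]
    return [(dn, {a: v for a, v in e.items() if not wanted or a in wanted})
            for dn, e in directory.items()
            if in_scope(dn, req["base"], req["scope"]) and matches(tree, e)]


# Constructed directory from the entries on the slides (the second person is invented).
DIRECTORY = {
    "dc=fluff,dc=org": {"objectclass": ["top", "domain"], "dc": ["fluff"]},
    "ou=People,dc=fluff,dc=org": {"objectclass": ["top", "organizationalUnit"], "ou": ["People"]},
    "uid=es26336,ou=People,dc=fluff,dc=org": {
        "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Edmund Sutcliffe"], "sn": ["Sutcliffe"], "uid": ["es26336"],
        "mail": ["edmunds@fluff.org"], "telephonenumber": ["+44 7976 938841"]},
    "uid=martin,ou=People,dc=fluff,dc=org": {
        "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Martin Example"], "sn": ["Example"], "uid": ["martin"]},
}
SLIDE_URL = "ldap://ldap.fluff.org:389/dc=fluff,dc=org?telephoneNumber?sub?(cn=Ed*)"

if __name__ == "__main__":
    for dn, attrs in search(SLIDE_URL, DIRECTORY):
        print(dn, attrs)
```

Running it returns the one entry whose cn starts with "Ed", projected down to telephoneNumber, which is exactly what the slide's URL asks for; changing the scope to one from the same base returns only ou=People, and a filter such as (&(objectclass=person)(!(telephoneNumber=*))) finds the people with no phone number on record.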

Command Line Tools

ldapdelete

ldapdelete "cn=DeleteMe,dc=fluff,dc=org" -D "cn=Directory Manager,dc=fluff,dc=org" -w xxxxxxx -h ldap -p 389

ldapmodify

ldapmodify -b -r -f /tmp/entrymod

Contents of /tmp/entrymod:
dn: cn=modifyme,dc=fluff,dc=org
changetype: modify
replace: mail
mail: modme@fluff.org
-
add: title
title: Grand Poobah
-
delete: description
-
add: jpegPhoto
jpegPhoto: /tmp/modme.jpg
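The "Space = ?" question earlier (the LDIF slide writes ou=People, dc=fluff,dc=org with a space after the comma and elsewhere without one) and the ldapmodify record above, as one added worked example that is not from the class materials: a Python LDIF loader that normalises DNs so both spellings name the same entry, adds the slide's entries under the parent-must-exist rule a server enforces, and applies the replace/add/delete operations of a changetype: modify record. The extra description value is mine so the delete has something to remove, and the loader takes values literally (it does not model the -b file-loading of jpegPhoto).

```python
"""Added example (not from the class materials): an LDIF loader applying the entries and the
'changetype: modify' record from the slides to an in-memory directory. Handles folded lines
and '-' separators; 'delete' clears whole attributes; DNs are split on plain commas."""

# Constructed input: the entries from the LDIF slide, plus a description for the delete below.
LDIF_BASE = """\
dn: dc=fluff,dc=org
objectclass: top
objectclass: domain
dc: fluff

dn: ou=People, dc=fluff,dc=org
objectclass: top
objectclass: organizationalunit
ou: People

dn: uid=es26336, ou=People, dc=fluff,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Edmund Sutcliffe
sn: Sutcliffe
givenname: Edmund
ou: Staff
uid: es26336
description: placeholder text
"""
# Constructed input: the ldapmodify record from the slides, retargeted at that entry.
LDIF_MODIFY = """\
dn: uid=es26336,ou=People,dc=fluff,dc=org
changetype: modify
replace: mail
mail: modme@fluff.org
-
add: title
title: Grand Poobah
-
delete: description
-
"""


def normalize_dn(dn):
    """'ou=People, dc=fluff,dc=org' and 'ou=People,dc=fluff,dc=org' name the same entry: the
    space after a comma is not part of the RDN and attribute types are case-insensitive."""
    rdns = [rdn.strip().partition("=") for rdn in dn.split(",")]
    return ",".join(f"{a.strip().lower()}={v.strip()}" for a, _, v in rdns)


def parse_ldif(text):
    """Return the records of an LDIF text, each a list of (attribute, value) in file order;
    a '-' separator line comes through as the pair ('-', '')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # folded continuation line
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:
        if line == "":                                # blank line ends a record
            if current:
                records.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    return records


class Directory:
    def __init__(self):
        self.entries = {}                             # normalized DN -> {attr: [values]}

    def add(self, dn, attrs):
        """The first entry added is the suffix; every later one needs an existing parent."""
        ndn, entry = normalize_dn(dn), {}
        if ndn in self.entries:
            raise ValueError(f"entry already exists: {ndn}")
        if self.entries and ndn.partition(",")[2] not in self.entries:
            raise ValueError(f"no such object: the parent of {ndn} does not exist")
        for attr, value in attrs:
            entry.setdefault(attr.lower(), []).append(value)
        self.entries[ndn] = entry

    def modify(self, dn, ops):
        entry = self.entries[normalize_dn(dn)]        # KeyError: no such entry
        op = target = None
        for attr, value in ops:
            if attr == "-":
                op = target = None
            elif op is None:                          # 'add:' / 'replace:' / 'delete:' line
                op, target = attr.lower(), value.lower()
                if op != "add":                       # replace and delete both clear first
                    entry.pop(target, None)
            elif op == "delete" or attr.lower() != target:
                raise ValueError(f"unexpected '{attr}' inside '{op}: {target}'")
            else:
                entry.setdefault(target, []).append(value)

    def load(self, text):
        """Add plain records; apply 'changetype: modify' records to existing entries."""
        for record in parse_ldif(text):
            fields = {a.lower(): v for a, v in record}
            body = [(a, v) for a, v in record if a.lower() not in ("dn", "changetype")]
            handler = {"add": self.add, "modify": self.modify}[fields.get("changetype", "add")]
            handler(fields["dn"], body)
        return self
```

Directory().load(LDIF_BASE).load(LDIF_MODIFY) leaves uid=es26336 with the new mail and title values and no description, and an add whose parent entry is missing fails the way a server's "no such object" does.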

Exercises

Perform an LDAP URL Search

Perform an LDAP command line search

Dump LDAP Command line search into LDIF

Add an entry for yourself into the LDIF

Using Directory Manager add new LDIF

Coffee - 3: Lunch

LUNCH

Back by 1:00pm

Schema Module Objectives

Upon completion of this module, you should be able to:
Determine definitive sources of data
Understand and extend LDAP Schema

[Figure: data stores 1, 2 … x and applications 1, 2 … n all feeding into, and reading from, the directory database(s)]

Identify Directory Data & Users

Perform a Directory Data Requirements

Perform a Directory Applications Analysis

Review Directory Data Requirements

What Kinds of Data Belong in a Directory?

What Should Not Go Into the Directory?

Examples of Directory Data

What Belongs

Data that is read often and written infrequently

Data that can be expressed in attribute form

Data useful for more than one audience

Data accessed from more than one physical location

What Doesn’t

Data that changes frequently

Large unstructured chunks of data designed for file systems, FTP servers, web servers, or relational databases

Examples of Directory Data

Contact information for people, places, or things (telephone numbers, addresses, email, etc.)

Descriptive information (employee number, job title, manager, etc.)

Device information (printer type, location, speed, color, etc.)

Contact and billing information for Extranets

Software application configuration preferences

User preferences for applications

Resource locations, such as pointers to web servers, FTP servers, and file system locations


Perform a Directory Applications Analysis

What directory applications and tools do you currently have deployed, and who uses them?

What LDAP directory-enabled applications will you deploy, and who will use them?

How will these applications be used?

What other iPlanet Servers are you planning to deploy?

Directory Enabled Applications

Samba: sambaAccount, sambaGroup

Messaging systems: Sendmail/Exim, ListServe, Exchange

Posix (Unix) login: posixAccount, posixGroup

Web servers: Apache, Zeus, Netscape/iPlanet

Application servers: Oracle iAS

Windows services: IIS, SQL Server

Perform a Directory Data Stores Analysis

Where does current directory data exist in your environment?

What applications and tools do you have to support your current directory data?

What applications, tools, and processes need to change if the data is accessed using LDAP?


Exercise: Identify Directory Data Stores

Glasgow examples

Admin Unix username

Exchange username

NDS username

CS username: Radius uses the CS username; 50% have a static hardwired password!!

Admin Ingress: common password

Student Record System, Delphi (Personnel Payroll), Advisors Online, Agresso (Finance system)

Reference Manager System: Bibliographic Database (RAE)

Senate Papers

Department systems: modification of the central NDS / Unix system (Physics has an NT domain)

NT domains: Desktop Support Team WinTERM domain; HelpDesk authentication system and associated NT domain

[Worksheet template: for each directory application, a table with the columns Directory Application Fields (field 1, field 2 … field x), Sample Values (sample 1 … sample x) and Description (description 1 … description x), plus a Vendor Schema column listing the vendor's attributes (attribute 1 … attribute x)]

Document Directory Application Fields

What are the required fields for all of the identified LDAP directory applications?

What is the purpose of each field and how is it formatted?

Are there any additional fields that can be viewed by special users?

Are there any hidden fields?

Is there a vendor supplied schema?


Examples of Documenting Application Fields

Directory Server Gateway

Communicator Address Book

Conference Room Locator

NetMeeting(RTPerson class)

Sendmail(mail attribute)


[Worksheet template: for each data store (Data Store 1, 2 … X), a table with the columns Data Store Fields (field 1 … field x), Sample Values (sample 1 … sample x) and Description (description 1 … description x)]

Document Directory Data Store

What directory information exists for each identified data store?

What is the purpose of each field and how is it formatted?

Is there a vendor supplied schema?

Examples of Documenting Data Store Fields

HR Database

NT

Facilities

PBX System

Access Control System (Badging)

Excel Spreadsheet with Departmental Contacts

Admin Spreadsheets

HR Database

HR Data Store Field   Sample Values          Description
First_Name            Edmund                 Common First Name
Middle_Name           James                  Middle Name or Initial
Last_Name             Sutcliffe              Last Name
Legal_Name            Edmund J. Sutcliffe    Legal Name
Employee_ID           26336                  Employee ID Number (Primary Key)
Email_ID              edmunds@fluff.org      Email Address
Work_Phone            +44 7976 938841        Work Telephone Number
Salary_Amount         1000000                Base Salary
Pay_Cycle             2                      Pay Cycle in weeks
Currency_Code         UK                     Currency paid in
Address_1             Deansgate              Work Address 1
Address_2                                    Work Address 2
City                  Manchester             Work Address 3
State                 Greater Manchester     Work Address 4
Postal_Code           M2 7SB                 Work Address 5
Country_Code          UK                     Work Address 6
Mail_Stop             1-9-907                Work Address (Mail Stop)
Manager_Name          Geoff Arnold           Manager's First Name + Last Name
Manager_Email         geoff@east.fluff.org   Email Address
Business_Title        Member                 Title
Department_Number     1149                   Billing Department Number

NT, Facilities, and PBX

NT Data Store Fields      Sample Values       Description
Full Name (full_name)     Edmund_Sutcliffe    NT full account name
Username (name)           es26336             NT account name
Description (comment)                         NT description field
Password (password)                           NT password field in NT
Domain                    fluff.org           Hidden NT domain

PBX Data Store Fields   Sample Values     Description
E-Num                   76548010          Electronic PBX Tracking Number
E-Name                  edmunds           User Name
E-Location              376120-002        Physical Location Code of Phone
E-Phone                 +44 7976 938841   Assigned Telephone Number (Unique to PBX)

Facilities Data Store Fields   Sample Values       Description
First_Name                     Edmund              Common First Name
Last_Name                      Sutcliffe           Last Name
Work_Phone                     +44 7976 938841     Work Telephone Number
Email_ID                       edmunds@fluff.org   Email Address
Building_Number                1                   Building
Floor_Number                   9                   Floor
Room_Number                    907                 Room
User_ID                        edmunds             User ID (Primary Key)

Glasgow Attributes

Room allocation (standardisation)

Phone number

Email

User-id: multiple users of a single user-id; Data Protection Act; difficulties with multiple use; stamp out shared usernames… POLICY STATEMENT

Password: yellow sticky issue!!!

Authorization: per app, per department, per position; the problem of temps accruing permissions..

Departmental privileges: right to have access to chemicals/animal experimentations

Tips

As you develop your plan, share information about goals and milestones with everyone involved. Actively use the milestones to track progress toward your goals. Through advertising what you hope to accomplish and your schedule, you secure the aid of others and set expectations for the deployment process.

Coffee --4

[Figure: the mapping worksheet. The fields of App 1, App 2 … App n are matched against the Directory Server Schema (ObjectClass, split into Default Object Classes and Custom Object Classes, each with an OID; Attribute, each with an OID and a Syntax), and the fields of the data stores S1, S2 … Sn are matched to directory attributes in a table with the columns Identifier, S1/S2/Sn, MV, Change and Notes]

Develop Directory Schema

Develop a Directory Schema

Review the Default Schema

Match Directory Application Fields

Match Directory Data Store Fields

Extend the Schema

Identify Authoritative Sources

Identify Processes and Procedures

Review the Default Schema

Review a Typical Directory Entry

Review Object Classes and Attributes

Review Object Class Inheritance

Review Default iPlanet Directory Server Schema

[Figure: Directory Server Schema: ObjectClass (Default Object Classes and Custom Object Classes, each with an OID) and Attribute (each with an OID and a Syntax)]


Review the Default iPlanet Directory Server Schema

00core.ldif
05rfc2247.ldif
05rfc2927.ldif
10rfc2307.ldif
20subscriber.ldif
25java-object.ldif
28pilot.ldif
30ns-common.ldif
50ns-admin.ldif
50ns-calendar.ldif
50ns-certificate.ldif
50ns-compass.ldif
50ns-delegated-admin.ldif
50ns-directory.ldif
50ns-legacy.ldif
50ns-mail.ldif
50ns-mcd-browser.ldif
50ns-mcd-config.ldif
50ns-mcd-li.ldif
50ns-mcd-mail.ldif
50ns-media.ldif
50ns-mlm.ldif
50ns-msg.ldif
50ns-netshare.ldif
50ns-news.ldif
50ns-proxy.ldif
50ns-value.ldif
50ns-wcal.ldif
50ns-web.ldif
99user.ldif

Location: <server-root>/slapd-<instance>/config/schema/

Schema Entries in LDIF

Typical schema attribute definition
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'Standard LDAP attribute type' SUP name X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.20 NAME 'telephoneNumber' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 X-ORIGIN 'RFC 2256' )

Typical schema object class definition
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )

OID Numbers

Object IDentifier numbers uniquely identify objects globally

Each new Object Class and Attribute must be assigned a unique OID

Default is based on the object name followed by the characters -oid: fluffPerson-oid (Object Class), TShirtSize-oid (Attribute)

Option is to maintain a unique OID registry for your organization

Attribute SYNTAX

SYNTAX key word defines the type of data an attribute can store

Each new attribute must be assigned a SYNTAX number, e.g. SYNTAX 1.3.6.1.4.1.1466.115.121.1.50, or a SUP name (derived from this other AttributeType)

RFC 2252 defines attribute syntax: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions

Attribute Syntax Types

bin  <->  Binary
ces  <->  IA5String
cis  <->  DirectoryString
dn   <->  DN
int  <->  INTEGER
tel  <->  TelephoneNumber
OctetString
Boolean
GeneralizedTime
Country Name
Postal Address

Sample 99user.ldif File

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: ......
objectClasses: ( siroePerson-oid NAME 'siroePerson' SUP inetorgperson STRUCTURAL MAY TShirtSize X-ORIGIN 'user defined' )
attributeTypes: ( TShirtSize-oid NAME 'TShirtSize' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

Default Directory Server Operation

Schema Checking: Default = On
Checks if the proper attributes are present: required values for the objectclass, allowed attributes for the objectclass

Replication: schema changes made on a replica master are recorded in the changelog
During replication, changes are replicated
Do NOT modify the schema on a read-only replica
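The definitions on the "Schema Entries in LDIF" slide, the 99user.ldif sample and the schema-checking rule above, as one added worked example that is not from the class materials or from any directory server: a Python parser for attributeTypes/objectClasses definitions and a checker that does what "Schema Checking = On" does, verifying that every MUST attribute is present and that every attribute is allowed by some objectClass, following SUP chains for inheritance. The definitions of top, organizationalPerson and inetOrgPerson are abbreviated from RFC 2256/RFC 2798 to the attributes the example needs; the entry checked is the "Typical Directory Entry" from the slides.

```python
"""Added example (not from the class materials): parse objectClasses/attributeTypes schema
definitions and run the MUST/MAY check a Directory Server performs when schema checking is on.
attributeTypes lines are parsed for their names and OIDs only; syntaxes are not validated."""
import re

# Constructed schema: 'person' from the slides, siroePerson/TShirtSize from 99user.ldif, and
# abbreviated RFC 2256 / RFC 2798 definitions for the rest of the chain (MAY lists shortened).
SCHEMA = """
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'Standard LDAP attribute type' SUP name X-ORIGIN 'RFC 2256' )
attributeTypes: ( TShirtSize-oid NAME 'TShirtSize' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l $ st $ postalCode ) X-ORIGIN 'RFC 2256' )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( givenName $ mail $ uid $ employeeNumber ) X-ORIGIN 'RFC 2798' )
objectClasses: ( siroePerson-oid NAME 'siroePerson' SUP inetorgperson STRUCTURAL MAY TShirtSize X-ORIGIN 'user defined' )
"""


def _names(body):
    """NAME 'x' or NAME ( 'x' 'y' ) -> ['x', 'y']."""
    m = re.search(r"\bNAME\s+(\([^)]*\)|'[^']*')", body)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def _oidlist(keyword, body):
    """Value of SUP/MUST/MAY: either '( a $ b )' or a single bare name."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([^\s()]+))", body)
    if not m:
        return []
    items = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in items.split("$") if t.strip()]


def parse_definition(line):
    kind, _, body = line.partition(":")
    body = body.strip()
    return {"kind": kind.strip().lower(),            # 'objectclasses' or 'attributetypes'
            "oid": body.lstrip("( ").split()[0],
            "names": _names(body),
            "sup": _oidlist("SUP", body),
            "must": _oidlist("MUST", body),
            "may": _oidlist("MAY", body)}


class Schema:
    def __init__(self, text):
        self.classes, self.attributes = {}, {}
        for line in text.strip().splitlines():
            d = parse_definition(line)
            table = self.classes if d["kind"] == "objectclasses" else self.attributes
            for name in d["names"]:
                table[name.lower()] = d

    def lineage(self, name):
        """The class and all its superclasses; KeyError for a class the schema lacks."""
        oc = self.classes[name.lower()]
        chain = [oc]
        for sup in oc["sup"]:
            chain += self.lineage(sup)
        return chain

    def check(self, entry):
        """Schema-check an entry {attr: [values]}; returns the list of violations (empty = ok)."""
        attrs = {k.lower() for k in entry}
        classes = entry.get("objectclass") or entry.get("objectClass") or []
        if not classes:
            return ["entry has no objectClass attribute"]
        problems, must, may = [], set(), set()
        for name in classes:
            if name.lower() not in self.classes:
                problems.append(f"unknown objectClass '{name}'")
                continue
            for oc in self.lineage(name):             # inherited MUST/MAY count too
                must |= {a.lower() for a in oc["must"]}
                may |= {a.lower() for a in oc["may"]}
        problems += [f"missing required attribute '{a}'" for a in sorted(must - attrs)]
        problems += [f"attribute '{a}' not allowed by {classes}" for a in sorted(attrs - must - may)]
        return problems


# Constructed entry: the 'Typical Directory Entry' from the slides, minus its dn line.
ENTRY = {
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["Edmund Sutcliffe"], "sn": ["Sutcliffe"], "givenname": ["Edmund"],
    "ou": ["People"], "l": ["Manchester"], "uid": ["es26336"],
    "mail": ["edmunds@fluff.org"], "telephonenumber": ["+44 7976 938841"],
}

if __name__ == "__main__":
    schema = Schema(SCHEMA)
    print(schema.check(ENTRY) or "entry conforms to the schema")
    with_shirt = dict(ENTRY, tshirtsize=["L"])
    print(schema.check(with_shirt))                   # rejected: no class allows TShirtSize
    print(schema.check(dict(with_shirt, objectclass=ENTRY["objectclass"] + ["siroePerson"])))
```

The slide's entry passes; adding a TShirtSize value is rejected until the custom siroePerson class from 99user.ldif is added to objectclass, which is precisely the reason the schema must be extended before application fields that have no match in the default schema can be stored.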

Match Directory Application Fields

Identify the Type of Object

Select a Similar Object Class

Select a Similar Attribute

Transfer Application Field to Matrix

List Unmatched Application Fields

[Worksheet: the Directory Matrix. The fields of Application 1, Application 2 … Application n (the directory applications) are mapped onto the Directory Server Schema, i.e. the default object classes and their attributes]

Corporate Phone Book

Directory Application Fields   Sample Values       Description                                        Default Vendor Schema
First Name                     Edmund                                                                 givenname
Last Name                      Sutcliffe                                                              sn
Full Name                      Edmund Sutcliffe                                                       cn
Phone                          +44 7976 938841     Work Telephone Number                              telephoneNumber
Pager                                              Allow user to update                               pager
Fax                                                Allow user to update or set to office fax number   facsimileTelephoneNumber
Mobile Phone                                       Allow user to update                               mobile
E-Mail Address                 edmunds@fluff.org                                                      mail
User ID                        jsmith              User ID for Authentication                         uid

Identify the Type of Object

What type of object does this field describe?

Objects: Person, Conference Room

Transfer Application Field to Matrix

Directory Applications: Corporate Phone Book, Communicator, Address Book, Conference Room Locator (one Application Fields column each)

Directory Server Schema (Object Class: Attributes):
top: objectclass, aci
person (top): sn, cn, description, seeAlso, telephoneNumber, userPassword
organizationalPerson (person): destinationIndicator

Application fields transferred into the matrix:
Last Name (Last Name)        -> sn
Full Name (Name, Full Name)  -> cn
Description                  -> description
See Also                     -> seeAlso
Phone (Phone Number)         -> telephoneNumber
Password                     -> userPassword

List Unmatched Application Fields

Unmatched Fields: Building Number, Floor Number, Capacity, EMT

[Slide figure: Directory Applications matrix (Address Book, Phone Book) with the unmatched fields Building Number*, Floor Number*, Capacity*, EMT* flagged]

Match Directory Data Store Fields

Identify the Type of Object

Select a Similar Object Class

Select a Similar Attribute

Transfer Field to Matrix

List Unmatched Data Store Fields
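The matching steps above can be mechanised once the default schema has been read in. The Python below is an added example for this class, not code from the course or from any directory product: it parses a constructed, abridged fragment written in the OpenLDAP schema syntax found under /etc/ldap/schema (standard attribute names and OIDs, but far fewer definitions than the real files), then runs the Corporate Phone Book and Conference Room fields through the "select a similar attribute" step using candidate attribute names chosen here as assumptions, and lists what stays unmatched. The candidates for Floor Number, Capacity and EMT (floorNumber, capacity, emt) are deliberately absent from the schema, which is what produces the unmatched list the following slides work from.

```python
import re

# Constructed, abridged fragment in OpenLDAP schema syntax (the format of the
# files under /etc/ldap/schema). Names and OIDs follow the standard core and
# inetorgperson schema files; the real files carry many more definitions.
SCHEMA_TEXT = """
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 2.5.4.13 NAME 'description'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 2.5.4.20 NAME 'telephoneNumber'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' ) SUP name )
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 0.9.2342.19200300.100.1.41 NAME ( 'mobile' 'mobileTelephoneNumber' )
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
attributetype ( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTelephoneNumber' )
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )
attributetype ( 0.9.2342.19200300.100.1.48 NAME 'buildingName'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL
    MAY ( title $ ou $ l $ facsimileTelephoneNumber ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
    SUP organizationalPerson STRUCTURAL
    MAY ( givenName $ mail $ mobile $ pager $ uid ) )
"""

NAME_RE = re.compile(r"NAME\s+(?:\(\s*((?:'[^']*'\s*)+)\)|'([^']*)')")


def _definitions(text):
    """Yield one definition per item, joining its continuation lines."""
    current = []
    for line in text.splitlines():
        if re.match(r"^(attributetype|objectclass)\b", line):
            if current:
                yield " ".join(current)
            current = [line.strip()]
        elif line.strip() and current:
            current.append(line.strip())
    if current:
        yield " ".join(current)


def parse_schema(text):
    """Return (attrs, classes): attrs maps every NAME alias (lower-cased) to the
    canonical first NAME; classes maps class name -> {sup, must, may}."""
    attrs, classes = {}, {}
    for body in _definitions(text):
        kind = body.split()[0]
        match = NAME_RE.search(body)
        names = re.findall(r"'([^']*)'", match.group(1)) if match.group(1) else [match.group(2)]
        if kind == "attributetype":
            for alias in names:
                attrs[alias.lower()] = names[0]
        else:
            sup = re.search(r"\bSUP\s+(\w+)", body)
            oc = {"sup": sup.group(1) if sup else None, "must": [], "may": []}
            for key in ("MUST", "MAY"):
                m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\w+))" % key, body)
                if m:
                    oc[key.lower()] = [a.strip() for a in (m.group(1) or m.group(2)).split("$")]
            classes[names[0]] = oc
    return attrs, classes


def class_attributes(classes, name):
    """All MUST and MAY attributes of an object class, following the SUP chain."""
    result = []
    while name in classes:
        result.extend(classes[name]["must"] + classes[name]["may"])
        name = classes[name]["sup"]
    return result


def match_fields(fields, attrs, classes, object_class=None):
    """'Select a similar attribute': fields maps application field -> proposed
    attribute name. A field matches when that name (or alias) exists in the
    schema and, if object_class is given, is allowed on it. Returns (matrix, unmatched)."""
    allowed = None
    if object_class:
        allowed = {a.lower() for a in class_attributes(classes, object_class)}
    matrix, unmatched = {}, []
    for field, proposed in fields.items():
        canonical = attrs.get(proposed.lower())
        if canonical and (allowed is None or canonical.lower() in allowed):
            matrix[field] = canonical
        else:
            unmatched.append(field)
    return matrix, unmatched


# Constructed candidate mappings for the two applications on the slides.
PHONE_BOOK_FIELDS = {
    "First Name": "givenname", "Last Name": "surname", "Full Name": "cn",
    "Phone": "telephoneNumber", "Pager": "pager", "Fax": "fax",
    "Mobile Phone": "mobile", "E-Mail Address": "mail", "User ID": "uid",
}
CONF_ROOM_FIELDS = {
    "Name": "cn", "Phone Number": "telephoneNumber", "Description": "description",
    "Building Number": "buildingName", "Floor Number": "floorNumber",
    "Capacity": "capacity", "EMT": "emt",
}

ATTRS, CLASSES = parse_schema(SCHEMA_TEXT)

if __name__ == "__main__":
    for label, fields, oc in (("Corporate Phone Book", PHONE_BOOK_FIELDS, "inetOrgPerson"),
                              ("Conference Room Locator", CONF_ROOM_FIELDS, None)):
        matrix, unmatched = match_fields(fields, ATTRS, CLASSES, oc)
        print(label, matrix, "unmatched:", unmatched)
```

Running it against the real files is a matter of reading /etc/ldap/schema/*.schema into SCHEMA_TEXT; aliases such as surname or fax resolve to the canonical name, and passing an object class catches the case where an attribute exists but is not allowed on the class the entry will use.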

[Slide figure: Directory Matrix extended with Data Store columns (S1, S2 ... Sn), each carrying Dir Attribute, Sample and Description sub-columns, beside the Directory Server Schema (Object Class, Attribute; Default Object Classes)]

Exercises

Review the Default Schema (/etc/ldap/schema)

Match Directory Application Fields

Match Directory Data Store Fields

Coffee – 5: Quick 10 Minutes

Unmatched Application Fields: Building Number, Floor Number, Capacity, EMT

[Slide figure: Directory Server Schema matrix with empty rows for Custom Object Classes and Custom Attributes]

Unmatched Data Store Attributes: Building_Number, Floor_Number, Capacity, EMT

Extend the Schema

Group Unmatched Fields into Objects

Select Similar Attributes or Create New Ones

Create New Object Class and Attribute Names

Transfer New Definitions to Matrix

Define Attribute and Object Class Rules

Group Unmatched Fields into Objects

Unmatched Fields: Building Number, Floor Number, Capacity, EMT

What type of object does it describe? Are there standard attributes?

Person (inetOrgPerson): EMT

Conference Room (top): Building Number, Floor Number, Capacity, Name, Phone Number, Description

Application Field -> Default Schema Attribute
Name              -> cn
Phone Number      -> telephoneNumber
Description       -> description
Building Number   -> buildingName
Floor Number      -> (no match)
Capacity          -> (no match)
EMT               -> (no match)

Select Similar Attributes or Create New Ones

Is the object an extension of a standard object class?

Identify the type of object: Person, Conference Room

Select a similar object class

Select a similar attribute?

[Slide figure: Directory Applications matrix (Address Book, Phone Book) with Building Number*, Floor Number*, Capacity* flagged as unmatched]

Create New Object Class Names

Unmatched Fields: Building Number, Floor Number, Capacity, EMT

fluffPerson (inetOrgPerson): EMT

fluffConfRoom (top): Building Number, Floor Number, Capacity, Name, Phone Number, Description

Application Field -> Default Schema Attribute
Name              -> cn
Phone Number      -> telephoneNumber
Description       -> description
Building Number   -> buildingName
Floor Number      -> (no match)
Capacity          -> (no match)
EMT               -> (no match)

Create new object class names that avoid present and future name conflicts

Create New Attribute Names

Unmatched Fields: Building Number, Floor Number, Capacity, EMT

fluffPerson (inetOrgPerson): EMT

fluffConfRoom (top): Building Number, Floor Number, Capacity, Name, Phone Number, Description

Application Field -> Default & New Schema Attribute
Name              -> cn
Phone Number      -> telephoneNumber
Description       -> description
Building Number   -> buildingName
Floor Number      -> fluffBuildFloor
Capacity          -> fluffConfRoomCapacity
EMT               -> fluffEMT

Create new attribute names that avoid present and future name conflicts

Define Attribute and Object Class Rules

Define attribute types: DirectoryString, IA5String, DN, binary, INTEGER, and TelephoneNumber; single or multi-value

Define object class rules: inheritance, required attributes, allowed attributes

Obtain OID numbers: X.500 compatibility
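As an added example of the rules step (not the class's own material): the Python below gives the custom fluffConfRoom and fluffPerson classes and the fluffBuildFloor, fluffConfRoomCapacity and fluffEMT attributes syntaxes and SINGLE-VALUE flags from the list on the slide, emits them in OpenLDAP schema syntax, and then validates sample entries against the resulting inheritance, required-attribute and allowed-attribute rules, so a malformed entry is caught before it reaches the directory. The OID arc (1.1.1), the choice of INTEGER for the two numeric attributes, the abridged rules for the standard classes, and the sample entries are all assumptions of the example.

```python
# Placeholder OID arc: "1.1" is the experimental arc used in OpenLDAP's own
# documentation examples. Replace it with an arc under your organisation's
# registered IANA Private Enterprise Number before loading this for real.
OID_BASE = "1.1.1"

# Attribute syntaxes named on the slide and their LDAP syntax OIDs (RFC 4517).
SYNTAX = {
    "DirectoryString": "1.3.6.1.4.1.1466.115.121.1.15",
    "IA5String": "1.3.6.1.4.1.1466.115.121.1.26",
    "DN": "1.3.6.1.4.1.1466.115.121.1.12",
    "INTEGER": "1.3.6.1.4.1.1466.115.121.1.27",
    "TelephoneNumber": "1.3.6.1.4.1.1466.115.121.1.50",
}
EQUALITY = {
    "DirectoryString": "caseIgnoreMatch", "IA5String": "caseIgnoreIA5Match",
    "DN": "distinguishedNameMatch", "INTEGER": "integerMatch",
    "TelephoneNumber": "telephoneNumberMatch",
}

# (name, syntax, single-valued?, description) for the slides' unmatched fields.
CUSTOM_ATTRIBUTES = [
    ("fluffBuildFloor", "INTEGER", True, "Floor number within a building"),
    ("fluffConfRoomCapacity", "INTEGER", True, "Seats in a conference room"),
    ("fluffEMT", "DirectoryString", False, "EMT field from the phone book application"),
]

# (name, superior, kind, MUST, MAY): the object class rules from the slides.
CUSTOM_CLASSES = [
    ("fluffConfRoom", "top", "STRUCTURAL", ["cn"],
     ["telephoneNumber", "description", "buildingName",
      "fluffBuildFloor", "fluffConfRoomCapacity"]),
    ("fluffPerson", "inetOrgPerson", "STRUCTURAL", [], ["fluffEMT"]),
]

# Abridged (superior, MUST, MAY) for the standard classes inherited from;
# constructed for this example, the real definitions allow many more attributes.
STANDARD_CLASSES = {
    "top": (None, ["objectClass"], []),
    "person": ("top", ["sn", "cn"],
               ["userPassword", "telephoneNumber", "seeAlso", "description"]),
    "organizationalPerson": ("person", [], ["title", "ou", "l", "facsimileTelephoneNumber"]),
    "inetOrgPerson": ("organizationalPerson", [],
                      ["givenName", "mail", "mobile", "pager", "uid"]),
}


def render_schema():
    """Emit the custom definitions in OpenLDAP schema syntax, numbering
    attributes under OID_BASE.1 and object classes under OID_BASE.2."""
    out = []
    for i, (name, syntax, single, desc) in enumerate(CUSTOM_ATTRIBUTES, start=1):
        out.append("attributetype ( %s.1.%d NAME '%s'\n    DESC '%s'\n    EQUALITY %s\n"
                   "    SYNTAX %s%s )" % (OID_BASE, i, name, desc, EQUALITY[syntax],
                                          SYNTAX[syntax], " SINGLE-VALUE" if single else ""))
    for i, (name, sup, kind, must, may) in enumerate(CUSTOM_CLASSES, start=1):
        parts = ["objectclass ( %s.2.%d NAME '%s' SUP %s %s" % (OID_BASE, i, name, sup, kind)]
        if must:
            parts.append("    MUST ( %s )" % " $ ".join(must))
        if may:
            parts.append("    MAY ( %s )" % " $ ".join(may))
        out.append("\n".join(parts) + " )")
    return "\n".join(out)


def effective_rules(object_classes):
    """Lower-cased MUST and MAY sets for an entry's object classes, including
    everything inherited through SUP up to top."""
    rules = dict(STANDARD_CLASSES)
    rules.update({name: (sup, must, may) for name, sup, _k, must, may in CUSTOM_CLASSES})
    must, may = set(), set()
    for name in object_classes:
        while name in rules:
            sup, m, a = rules[name]
            must.update(x.lower() for x in m)
            may.update(x.lower() for x in a)
            name = sup
    return must, may


def validate_entry(entry):
    """Check an entry (attribute -> list of values) against the object class
    rules, SINGLE-VALUE flags and INTEGER syntax; return a list of problems."""
    lower = {k.lower(): v for k, v in entry.items()}
    must, may = effective_rules(lower.get("objectclass", []))
    single = {n.lower() for n, _s, sv, _d in CUSTOM_ATTRIBUTES if sv}
    integer = {n.lower() for n, s, _sv, _d in CUSTOM_ATTRIBUTES if s == "INTEGER"}
    problems = ["missing required attribute %s" % a for a in sorted(must - set(lower))]
    for attr, values in lower.items():
        if attr not in must and attr not in may:
            problems.append("attribute %s not allowed by the entry's object classes" % attr)
        if attr in single and len(values) > 1:
            problems.append("%s is SINGLE-VALUE but has %d values" % (attr, len(values)))
        if attr in integer and not all(v.lstrip("-").isdigit() for v in values):
            problems.append("%s must hold INTEGER values" % attr)
    return problems


# Constructed sample entries: one well-formed room, one that breaks four rules.
GOOD_ROOM = {"objectClass": ["top", "fluffConfRoom"], "cn": ["Room 101"],
             "buildingName": ["Watts Bld"], "fluffBuildFloor": ["1"],
             "fluffConfRoomCapacity": ["12"]}
BAD_ROOM = {"objectClass": ["top", "fluffConfRoom"], "mail": ["room101@example.com"],
            "fluffBuildFloor": ["1", "2"], "fluffConfRoomCapacity": ["twelve"]}

if __name__ == "__main__":
    print(render_schema())
    print("good:", validate_entry(GOOD_ROOM))
    print("bad: ", validate_entry(BAD_ROOM))
```

The validator is the same check a directory server performs at add time; running it in the provisioning pipeline first means bad data from an authoritative source is rejected with a readable reason instead of an object class violation from the server. Following the Tips slide, fluffPerson could equally be declared AUXILIARY so fluffEMT can be mixed into existing inetOrgPerson entries without changing their structural class.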

Identify Authoritative Sources

What Data Store is the authoritative source for each attribute?

[Slide figure: full Directory Matrix with Directory Applications (App 1, App 2 ... App n, each with a Fields column), Directory Server Schema (Object Class and OID, Attribute and OID, Syntax; Default and Custom Object Classes), Data Stores (S1, S2 ... Sn, each with a Fields column), an Authoritative Source (AS) Identifier column naming the store that masters each attribute, and a Change Notes column]

Examples of Authoritative Sources

Human Resources system: Name, Address

Phone switch: Phone Number, Cube Number

Facilities systems: Building, Floor, Access

Other directories (NT, NIS)

Other Application servers (such as Certificate): Certificates published

The Directory itself (attributes not available anywhere else or not shared by other systems for legal reasons): Home Phone Number

Data Ownership

Who makes sure data is up-to-date?

Individuals accessing their own record

Managers accessing subordinate records

Role or Group (rather than individuals) for other accesses

Identify Processes and Procedures

Processes that need to change to accommodate the directory design

Now that HomePhoneNumber is displayed, who will maintain data accuracy?

Does the current contractor process need to be changed?

Identify the correct level of authority: who owns the information?

Change Notes (matrix column): Departmental Phone Book to be phased out.

Exercises

Identify Processes and Procedures

Identify Authoritative Sources

Extend the Schema

Tips

Defining a good schema is as much art as science, and the more of it you do, the easier the process becomes. In general, good principles to follow include:

Reuse existing elements as much as possible

Define several smaller auxiliary object classes to mix needed attributes into existing objects

Minimize the number of mandatory attribute types within your object classes

Do not define more than one object class or attribute type to hold the same kind of information

When in doubt, keep it simple

Coffee –6

Directory Tree Design

Everyone has different views of the organization

Network Administrators: “Everyone in a domain”, “Everyone in a subnet”

Administration: “Everyone in a cost-accounting group”

Facilities: “Everyone in this building”

Telecom: “Everyone on a particular switch”

DIT Design: People By Department

[Slide figure: c=UK > o=glasgow > ou=Life, ou=Admin, ou=CS, ou=Engineering, ou=Estates, with a person entry cn=I Brunel under a department]

DIT Design: Types of People

[Slide figure: c=UK > o=glasgow > ou=Staff, ou=Student, ou=Contractors, ou=PostGrad, with a person entry cn=James Currall under one of these]

DIT Design: By Location

[Slide figure: c=UK > o=glasgow > l=Watts Bld, l=Gallery, l=Library, l=Admin Bld, l=Oakfield Ave, with a person entry cn=D Montgomery under one location]

DIT Design: Deep Tree By Department

[Slide figure: dc=com > dc=Acme > l=North America (l=Los Angeles, l=Dallas, l=New York), l=Europe (l=Munich, l=Manchester, l=Paris), l=Asia (l=Singapore, l=Japan) > ou=People > cn=Mike Smith]

An Example DIT

[Slide figure: dc=com > o=Acme > ou=People, ou=Groups, ou=Locations, ou=Apps, ou=Systems, ou=Schema. ou=People holds cn=SmithET, cn=AikmanTA, cn=SandersDJ, cn=GonzalesJ, cn=ModanoMW; ou=Groups holds cn=Directory User, cn=Mail Admin, cn=Medical Admin, cn=Medical User; ou=Locations holds site=TX-SD, site=TX-RI, site=SW-BK, site=NY-AA; ou=Apps holds ou=Medical, ou=Web Sites, ou=Resumes]

DIT Design: Deep -vs- Flat Trees

Deep trees:

Can result in long Distinguished Names (DN)

May reflect your actual corporate structure

Can result in administrative problems if your organization is constantly changing

Better chance of having unique names within a subtree

Works well if you want to distribute the data across multiple Directory Servers

DIT Design: Flat -vs- Deep Trees

Flat trees:

No need to categorize people

Short Distinguished Names, easy to type

DIT is very stable: not affected by organizational changes, and easy to administer

Higher chance of name collisions

Not well suited for browsing

Can result in longer load times or startup times, depending on the Directory Product you use

DIT Design: Selecting a Distinguished Name

cn=0175387, ou=People, dc=Glasgow, dc=UK

[Slide figure: dc=UK > dc=Glasgow > ou=People > entry with cn = 0175387, givenName = Michael, nickname = Mike, surname = Smith]

+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
- Browser shows useless information
- Microsoft and Netscape mail clients expected a real name in the commonName (cn) field.

DIT Design: Selecting a Distinguished Name

uid=0175387, ou=People, dc=Glasgow, dc=UK

[Slide figure: dc=UK > dc=Glasgow > ou=People > entry with uid = 0175387, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith]

+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
+ commonName (cn) field contains a real name, so it works well with other LDAP applications
- Browser shows useless information

DIT Design: Selecting a Distinguished Name

uid=smithmj, ou=People, dc=Glasgow, dc=UK

[Slide figure: dc=UK > dc=Glasgow > ou=People > entry with uid = smithmj, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith]

+ DN guaranteed to be unique
+ More robust searching using name components
+ commonName (cn) field contains a real name
+ Browser shows more useful information (although not as ideal as a full name)
+ Directly maps to a user’s logon ID (can be used for single sign-on)
- DN has the potential to change if the name or UID changes
- Entrust product requires the commonName (cn) to be part of the DN.

DIT Design: Selecting a Distinguished Name

cn=Mike Smith + uid=smithmj, ou=People, dc=Glasgow, dc=UK

[Slide figure: dc=UK > dc=Glasgow > ou=People > entry with cn = Mike Smith + uid = smithmj, givenName = Michael, nickname = Mike, surname = Smith]

+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user’s logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Very artificial way of achieving uniqueness
- Complicated DN syntax
- More complicated Directory logon procedures
- This syntax may not be accepted as standard in the future.

DIT Design: Selecting a Distinguished Name

cn=smithmj, ou=People, dc=Glasgow, dc=UK

[Slide figure: dc=UK > dc=Glasgow > ou=People > entry with cn = smithmj, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith, uid = smithmj]

+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user’s logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Data is duplicated in several areas (uid and cn)
- Value displayed for commonName may vary.

DIT Design: Selecting a Distinguished Name

uid=smithmj, ou=Certificates, dc=Glasgow, dc=UK

cn=smithmj, ou=People, dc=Glasgow, dc=UK (alias pointer to the entry above)

[Slide figure: dc=UK > dc=Glasgow > ou=People, ou=Certificates; the real entry with uid = smithmj, cn = Mike Smith, givenName = Michael, nickname = Mike, surname = Smith sits under ou=Certificates, and cn = smithmj under ou=People is an ALIAS POINTER to it]

+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user’s logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Problems with X.500 aliases: no built-in referential integrity

DIT Design: DIT Naming Proposal (rfc2377)

[Slide figure: dc=com > dc=acme]

The dc naming attribute stands for domain component

The idea is to map the upper levels of the tree to registered DNS names (in this case acme.com)

DIT Design: DIT Naming Proposal (rfc2377)

[Slide figure: dc=com > dc=acme > dc=Corporate, dc=Customers]

The dc naming attribute stands for domain component

The idea is to map the upper levels of the tree to registered DNS names (in this case acme.com)

Lower levels of the tree will also use the dc naming attribute

DIT Design: DIT Naming Proposal (rfc2377)

[Slide figure: dc=com > dc=acme > dc=Corporate, dc=DalSite; user entries uid = mike.smith@acme.com (cn = Mike Smith, givenName = Michael, surname = Smith) and uid = jane.doe@acme.com (cn = Jane Doe, givenName = Jane, surname = Doe)]

The dc naming attribute stands for domain component

The idea is to map the upper levels of the tree to registered DNS names (in this case acme.com)

Lower levels of the tree will also use the dc naming attribute

Each user is identified with the uid naming attribute containing the email address.
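The DN options above (numeric cn, uid, multi-valued cn+uid, an alias entry) and the dc naming proposal all come down to how DNs are built and compared. As an added example, not part of the class, the Python below parses RFC 4514 string DNs including multi-valued RDNs and escaped characters, normalises them for comparison, maps a DNS name to dc= components (the RFC 2247 mapping that rfc2377 builds on), and shows the flat-tree name-collision problem on constructed records: two entries named Mike Smith collide when cn is the RDN and do not when uid is. The people records and the base DN are constructed for the example.

```python
def _escape(value):
    """Escape an RDN attribute value as RFC 4514 requires."""
    out = "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn):
    """Split a string DN into RDNs, each a list of (type, value) pairs, so a
    multi-valued RDN such as cn=Mike Smith+uid=smithmj stays together.
    Backslash escapes of single characters are honoured; \\XX hex pairs are not."""
    rdns, rdn, buf, attr_type = [], [], [], None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr_type is None:     # first '=' ends the attribute type
            attr_type = "".join(buf).strip()
            buf = []
        elif c in ",+":                         # ',' ends the RDN, '+' ends one AVA
            if attr_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdn.append((attr_type, "".join(buf).strip()))
            buf, attr_type = [], None
            if c == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(c)
        i += 1
    if attr_type is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdn.append((attr_type, "".join(buf).strip()))
    rdns.append(rdn)
    return rdns


def normalize_dn(dn):
    """Comparison form: lower-case types and values (caseIgnore semantics),
    AVAs within a multi-valued RDN sorted, canonical escaping, no spaces."""
    return ",".join(
        "+".join("%s=%s" % (t, _escape(v))
                 for t, v in sorted((t.lower(), v.lower()) for t, v in rdn))
        for rdn in parse_dn(dn))


def entry_dn(entry, rdn_attrs, parent):
    """Build an entry's DN from the chosen naming attribute(s) and parent DN."""
    rdn = "+".join("%s=%s" % (a, _escape(entry[a])) for a in rdn_attrs)
    return "%s,%s" % (rdn, parent) if parent else rdn


def domain_to_dn(domain):
    """RFC 2247 mapping of a DNS name to dc= components (the basis of rfc2377)."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % _escape(l) for l in labels)


def rdn_collisions(entries, rdn_attr):
    """Which RDN values would more than one entry claim under a single parent?
    Returns {normalized RDN: [colliding entries]}."""
    seen = {}
    for entry in entries:
        seen.setdefault(normalize_dn(entry_dn(entry, [rdn_attr], "")), []).append(entry)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed people records: two members of staff share a common name.
PEOPLE = [
    {"cn": "Mike Smith", "uid": "smithmj", "ou": "Engineering"},
    {"cn": "Mike Smith", "uid": "smithm2", "ou": "Admin"},
    {"cn": "Jane Doe", "uid": "doej", "ou": "Engineering"},
]

if __name__ == "__main__":
    base = "ou=People," + domain_to_dn("acme.com")
    print("flat tree, cn as RDN  ->", sorted(rdn_collisions(PEOPLE, "cn")))
    print("flat tree, uid as RDN ->", sorted(rdn_collisions(PEOPLE, "uid")))
    for person in PEOPLE:
        print(entry_dn(person, ["cn", "uid"], base))
```

Access control rules and group memberships are keyed on DNs, so the normalisation step matters for security as well as for uniqueness: "CN=Mike Smith+UID=smithmj" and "uid=smithmj+cn=mike smith" name the same entry and must compare equal, or an ACL written against one form will silently not apply to the other.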

Robust DIT naming and design standards are not in place yet

There is currently no single “right way” to design your DIT that applies to everyone

Take into consideration your organization:
– the organizational structure
– the organization’s tendency to change
– the organization’s current size and potential to grow

Take into consideration how you want to use the directory:
– what information will be stored in the directory
– who will own what data and how it will be mastered
– what other systems in the infrastructure will be using/storing the data
– how and what applications will be accessing the data

Carrots and Sticks

Conclusions

“If you think technology can solve your problems, then you don't understand the problems and you don't understand the technology.” (Bruce Schneier)

The Directory, to be useful, needs to become part of the Business Process and the repository of the highest quality and timely information.

Remember that you are doing it FOR not TO the organisation.

Coffee –6

Security Technologies

Successful e-business is highly dependent on security

Security services provide: Confidentiality Integrity Authentication Non-Repudiation Access-Control

Remember…CIANA

Security Threats

Information disclosure

Integrity violation

Assumed identities/Masquerading

Denial of service

Generic Threats: Backdoors, Trojans, Insider Attacks, Viruses

Home Security Analogy

Systems Security is like home security

Policy Definition: you choose who and what can be done in your home

Access control and passwords are the keys: window and door locks keep out intruders

Log files and monitoring scripts: a security camera watches open doors

Try to make your environment less inviting to those looking for easy pickings

Policy

A policy is a set of instructions that determine an organization’s view of security

A policy sets the limits of acceptable behavior and outlines responses to violations

A policy always exists

In the absence of a formal policy, the policy is…

Anything goes!

Security Implementations

Two key implementations of security are: SSL, S/MIME

Each is implemented at a different layer

[Slide figure: SSL provides secure communication between the Network Layer (IP) and the Application Layer, in place of the non-secure path; S/MIME provides secure communication at the Application Layer]

SSL as a Security Solution

SSL ensures safe and secure client-server transactions

Provides authentication, privacy, and message integrity

Data going over the network is point-to-point encrypted

SSLv3.1 approved by IETF, called Transport Layer Security

[Slide figure: SSL sits between the Network Layer (TCP/IP) and the Application Layer, providing secure communication]

SSL Server Authentication

Client: initiates contact via https: “I’d like to talk SSL”

Server: “Here’s my certificate” (public key included)

Client: validates the Server certificate, then 1. generates a secret key, 2. encrypts the secret key with the Server’s public key

Server: decrypts the secret key using its private key

Client and Server: use the secret key to make session keys

SSL established: transmit data using the session keys

SSL With Client Authentication

Client: initiates contact via https: “I’d like to talk SSL”

Server: “Here’s my certificate. Where’s yours?” (public key included)

Client: validates the Server certificate, then 1. generates a secret key, 2. encrypts the secret key with the Server’s public key, 3. sends the encrypted key and the Client certificate

Server: validates the Client certificate and decrypts the secret key

Client and Server: use the secret key to make session keys

SSL established: transmit data using the session keys
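Both handshake slides end with the same step, “use secret key to make session keys”, which is where the point-to-point encryption keys actually come from. As an added example, not from the class, the Python below implements the TLS 1.2 PRF (RFC 5246, a later revision of the Transport Layer Security standard the slide refers to) with the standard library only, and derives the master secret and the six write keys on both sides from the same pre-master secret and hello randoms, showing that the two ends agree without any key crossing the wire. The encryption of the pre-master secret with the server’s public key is not modelled (the standard library has no RSA); the pre-master value and the randoms are generated locally for the demonstration.

```python
import hashlib
import hmac
import os


def p_sha256(secret, seed, length):
    """P_SHA256 data expansion from RFC 5246 section 5: HMAC chained over A(i)."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random):
    """48-byte master secret (RFC 5246 section 8.1)."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len=32, key_len=16, iv_len=16):
    """Key expansion (RFC 5246 section 6.3). The seed is server_random followed
    by client_random, the reverse of the master-secret seed. Default sizes
    suit a SHA-256 HMAC cipher suite with a 128-bit block cipher key."""
    total = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_write_mac_key", mac_len), ("server_write_mac_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def derive_session_keys(pre_master_secret, client_random, server_random):
    """What each side does once it holds the pre-master secret and both randoms."""
    master = master_secret(pre_master_secret, client_random, server_random)
    return key_block(master, client_random, server_random)


def simulate_handshake_keys():
    """Constructed exchange: the client makes the pre-master secret, the server
    learns it (in a real handshake by decrypting it with its private key), and
    both derive the same session keys from it plus the two hello randoms."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    pre_master_secret = b"\x03\x03" + os.urandom(46)   # version bytes + 46 random bytes
    client_keys = derive_session_keys(pre_master_secret, client_random, server_random)
    server_keys = derive_session_keys(pre_master_secret, client_random, server_random)
    return client_keys == server_keys


if __name__ == "__main__":
    print("both sides derived identical session keys:", simulate_handshake_keys())
```

Because the randoms from both hellos enter the derivation, a replayed pre-master secret yields different session keys in every connection, and the client and server write keys differ, so traffic in one direction cannot be reflected back as traffic in the other.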
