December 19, 2006 OpenDS Enterprise Directory Services Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006

OpenDS Enterprise Directory Services

Trey DrakeAssetWorld 2007

Albuquerque, New Mexico

November 2007

December 19, 2006

• What• Why• How

Directory Services & OpenDS

December 19, 2006

• Where are my users?• Weak passwords?• Users come and go• I want single sign on!• Who owns enterprise identity?• Sarbanes?! - who, what, when, where?

Look Familiar?

December 19, 2006

What

December 19, 2006

• Stores & organizes users & network resources

• Secure• High speed• HA• Replication• Wired into apps, os, email, routers• Upstack services

Directory Service

December 19, 2006

Meta Directory – Authoritative DS

HR

FMAX

OpenDS

Meta

schedule

?

salary

user id

December 19, 2006

Virtual Directory Service

HR

FMAX

OpenDS

Virtual

Personname

schedulesalary

salary

uid

schedule

?

December 19, 2006

Proxy Directory ServiceA-M

N-Z

inactive

? sn=drake

? employee id=1001

December 19, 2006

• Standards, Standards, Standards• Started ~ 1993• IETF (OpenLDAP, Sun, Novell, others)• OpenDS, OpenLDAP, Novell, AD, OID• Network protocol• Distributed

LDAP

December 19, 2006

• Complete directory service• Community effort • FOSS - CDDL• Bootstrapped by Sun• Progress update since 11/06 - remember?

OpenDS

December 19, 2006

• Rich password policy• All platforms• Easy install• Manageable• Extend everywhere• Embedded option• Replication

Fast Facts – Here Today

December 19, 2006

• No console• No commercial support*• No virtual• No proxy• No transactions*

Fast Facts – What's Missing

December 19, 2006

On to the why...

December 19, 2006

• Where are my users?• Weak passwords?• Users come and go• I want single sign on!• Who owns enterprise identity?• Sarbanes?!• Who, what, when, where?

Look Familiar (Again)?

December 19, 2006

• De-fragment users and policies• Secure, global view• Simple, well known• Extensible, roll your own “person”• Preferred repository for provisioning

systems• Pillar for single sign on

Data Consolidation

December 19, 2006

Where are your users & resources?

FMAX

PeoplesoftActive Directory

Home grown

Linux/etc/passwd

December 19, 2006

Where they should be

o=any.edu

ou=contractorsou=facultyou=students

ou=staffou=devicesFMAX

PSFT

NIS

SSO

Foo

December 19, 2006

• Simple idea, difficult to implement• Spec outlines the solution

– strength– # tries– login windows– etc

• OpenDS implements the solution• Applications and controls

Password Policy

December 19, 2006

Password PolicyOpenDS Policy PluginLDAP Client

Deny with error code/message

Fetch appropriate policy

Evaluate policy

Authenticate with policy

Success

December 19, 2006

• Onboarding - establishing access• Offboarding - terminating access

– Confident?

• Re-establishing access

User Provisioning

December 19, 2006

User Silos

Portal HRFMAX

App DBOracle LDAP

December 19, 2006

• Centralized user store infinitely easier• Even so

– Barren FOSS landscape - Identyx – Commercial Sun IDM– Roll your own

User provisioning

December 19, 2006

• Centralize access management• Seamless to end user • Manageable enterprise SSO requires a

consolidated view• Most SSO rely on LDAP• Requires high performance repository• Single SSO, single repository• OpenSSO & OpenDS

Single Sign On

December 19, 2006

• Who owns enterprise identity?• Centralized and federated directories• Apps requiring directory writes• Isolating directories• Crossing regulatory boundaries• OpenDS replication

Identity Ownership

December 19, 2006

Identity Ownership

Portal, Blogs

FMAX

Linux, Windows

Enterpriselocal

December 19, 2006

Replication• Assured• Fractional

HIPPA filter

December 19, 2006

• Secure channels• Centralized users and policy• Password policy• AAA - Auditing

Sarbanes

December 19, 2006

• Secure LDAP – Supports StartTLS and SSL

• Centralized users and policy• Extensive password policy via controls• Full, high performance activity logging

OpenDS & Sarbanes

December 19, 2006

• Active Directory• Sun DSEE• Oracle • OpenLDAP• Novell• Fedora• Novell• Apache

Other Directories

December 19, 2006

• Single Directory Services Stack• Standards• FOSS• Fast• Extensible• Feature rich• FOSS

OpenDS

December 19, 2006

• http://www.opends.org• http://treydrake.wordpress.com• [email protected]

Resources

December 19, 2006

• Install• Addressbook• Glassfish and OpenDS

Demo!