December 19, 2006
Dec 14, 2015
OpenDS Enterprise Directory Services
Trey Drake
AssetWorld 2007
Albuquerque, New Mexico
November 2007
Look Familiar?
• Where are my users?
• Weak passwords?
• Users come and go
• I want single sign on!
• Who owns enterprise identity?
• Sarbanes?! - who, what, when, where?
Directory Service
• Stores & organizes users & network resources
• Secure
• High speed
• HA
• Replication
• Wired into apps, os, email, routers
• Upstack services
Virtual Directory Service
[Diagram: the sources HR, FMAX, OpenDS and an unnamed fourth source ("?") are combined by a virtual directory into a single Person view carrying the attributes name, uid, salary and schedule]
LDAP
• Standards, Standards, Standards
• Started ~ 1993
• IETF (OpenLDAP, Sun, Novell, others)
• OpenDS, OpenLDAP, Novell, AD, OID
• Network protocol
• Distributed
OpenDS
• Complete directory service
• Community effort
• FOSS - CDDL
• Bootstrapped by Sun
• Progress update since 11/06 - remember?
Fast Facts – Here Today
• Rich password policy
• All platforms
• Easy install
• Manageable
• Extend everywhere
• Embedded option
• Replication
Fast Facts – What's Missing
• No console
• No commercial support*
• No virtual
• No proxy
• No transactions*
Look Familiar (Again)?
• Where are my users?
• Weak passwords?
• Users come and go
• I want single sign on!
• Who owns enterprise identity?
• Sarbanes?!
• Who, what, when, where?
Data Consolidation
• De-fragment users and policies
• Secure, global view
• Simple, well known
• Extensible, roll your own “person”
• Preferred repository for provisioning systems
• Pillar for single sign on
Where are your users & resources?
[Diagram: users and resources scattered across FMAX, Peoplesoft, Active Directory, home grown systems and Linux /etc/passwd]
Where they should be
[Diagram: one directory tree, with FMAX, PSFT, NIS, SSO and Foo all pointing at it]
o=any.edu
  ou=contractors
  ou=faculty
  ou=students
  ou=staff
  ou=devices
Password Policy
• Simple idea, difficult to implement
• Spec outlines the solution
  – strength
  – # tries
  – login windows
  – etc
• OpenDS implements the solution
• Applications and controls
[Diagram: swimlanes LDAP Client, OpenDS Policy Plugin and Password Policy. The client authenticates with policy; the plugin fetches the appropriate policy and evaluates it; the outcome is either Success or Deny with error code/message]
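As an added example (not OpenDS code and not from the slides), a Python simulation of the bind flow in this diagram together with the policy knobs on the previous slide (strength, # tries, login windows). The DNs, passwords, policy values and the reading of "login window" as a lockout window are assumptions.

```python
"""Simulation (not OpenDS code) of the slide's bind flow: the client binds, the
policy plugin fetches the entry's policy, evaluates it, and answers with
success or an LDAP result code plus a message."""
from dataclasses import dataclass

SUCCESS, CONSTRAINT_VIOLATION, INVALID_CREDENTIALS = 0, 19, 49  # standard LDAP resultCodes

@dataclass
class PasswordPolicy:
    min_length: int = 8        # "strength"
    max_tries: int = 3         # "# tries" allowed before lockout
    window_seconds: int = 300  # "login window": assumed here to mean the lockout window

# Constructed sample entries (dn -> [password, policy]) under the o=any.edu suffix from the slides.
DIT = {
    "uid=jdoe,ou=staff,o=any.edu": ["Tr0ub4dor&3", PasswordPolicy()],
    "uid=c001,ou=contractors,o=any.edu": ["Winter2007!xyz", PasswordPolicy(min_length=12, max_tries=2)],
}
FAILURES = {}  # dn -> timestamps of recent failed binds (state the plugin keeps per entry)

def bind(dn, password, now):
    """Client step 'authenticate with policy'; returns (resultCode, message)."""
    if dn not in DIT:  # same answer as a wrong password, so callers cannot probe which DNs exist
        return INVALID_CREDENTIALS, "invalid credentials"
    stored, policy = DIT[dn]  # 'fetch appropriate policy'
    # 'evaluate policy': only failures inside the window count towards lockout
    recent = [t for t in FAILURES.get(dn, []) if now - t < policy.window_seconds]
    if len(recent) >= policy.max_tries:
        FAILURES[dn] = recent
        return INVALID_CREDENTIALS, "account locked: too many failed binds"
    if password != stored:
        FAILURES[dn] = recent + [now]
        return INVALID_CREDENTIALS, "invalid credentials"
    FAILURES[dn] = []  # a successful bind clears the failure history
    return SUCCESS, "bind successful"

def change_password(dn, old, new, now):
    """Strength (min_length) is enforced when a password is set, not at bind time."""
    code, msg = bind(dn, old, now)
    if code != SUCCESS:
        return code, msg
    policy = DIT[dn][1]
    if len(new) < policy.min_length:
        return CONSTRAINT_VIOLATION, f"password shorter than {policy.min_length} characters"
    DIT[dn][0] = new
    return SUCCESS, "password changed"
```

The locked account is refused even when the correct password is supplied, and the lockout expires on its own once the failures fall outside the window.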
User Provisioning
• Onboarding - establishing access
• Offboarding - terminating access
  – Confident?
• Re-establishing access
User provisioning
• Centralized user store infinitely easier
• Even so
  – Barren FOSS landscape - Identyx
  – Commercial Sun IDM
  – Roll your own
Single Sign On
• Centralize access management
• Seamless to end user
• Manageable enterprise SSO requires a consolidated view
• Most SSO rely on LDAP
• Requires high performance repository
• Single SSO, single repository
• OpenSSO & OpenDS
Identity Ownership
• Who owns enterprise identity?
• Centralized and federated directories
• Apps requiring directory writes
• Isolating directories
• Crossing regulatory boundaries
• OpenDS replication
Sarbanes
• Secure channels
• Centralized users and policy
• Password policy
• AAA - Auditing
OpenDS & Sarbanes
• Secure LDAP
  – Supports StartTLS and SSL
• Centralized users and policy
• Extensive password policy via controls
• Full, high performance activity logging
Other Directories
• Active Directory
• Sun DSEE
• Oracle
• OpenLDAP
• Novell
• Fedora
• Apache
OpenDS
• Single Directory Services Stack
• Standards
• FOSS
• Fast
• Extensible
• Feature rich
Resources
• http://www.opends.org
• http://treydrake.wordpress.com
• [email protected]