Got LDAP?
Leif Hedstrom <[email protected]>
Netscape Communications Corp.
Deploying the Lightweight Directory Access Protocol
December 9, 1998, 12th Usenix LISA, 1998

Agenda
• Brief introduction to LDAP
• Why use LDAP?
• Planning your deployment
• Architecture features
• Designing your Directory Information Tree
• Managing your LDAP system
Agenda (cont.)
• Selecting software
• Conclusions
• Resources and further reading
Background and history of LDAP
• Has its roots in X.500 (hence DAP)
• Developed initially at University of Michigan, and is now an IETF standard
• Accepted standard for Directory services, embraced by all the “big” players
• LDAP is a protocol, not a database
• Client-server based, ASN.1 encoding
LDAP Basics: Attributes
• Every entry consists of one or more attribute-value pairs
• An attribute can have one of several types
  – e.g. BIN, TEL, CES
• Attributes can be single or multi valued
    cn=Leif Hedstrom
    cn=The Swede
    mailHost=tintin.netscape.com
What is an Objectclass?
• Every entry must have at least one objectclass attribute
• Defines the database schema, specifying which attributes an entry can, and must, include
• Many standard classes available
• Extensible
• Structural, with inheritance
Example: Objectclass person
    attribute cn commonName 2.5.4.3 CIS
    attribute sn surName 2.5.4.4 CIS
    …
    objectclass person
        oid 2.5.6.6
        superior top
        requires sn, cn
        allows description, seeAlso, telephoneNumber, userPassword
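To show how the must/allows rules and the superior chain are actually applied, here is a small schema checker written for this page; it is an added example, not code from the slides or from any Netscape product. The schema table mirrors the person definition above, and it assumes (as the standard schema does) that top requires objectclass; the two sample entries are constructed.

```python
# Added example, not from the slides: a schema checker built from the
# "objectclass person" definition above. The schema table and the sample
# entries are constructed; 'top' requiring objectclass is the standard
# X.500/LDAP rule and is assumed here for the inheritance walk.
from typing import Dict, List, Set, Tuple

# Same fields as the slide's definition: oid, superior, requires, allows.
# Attribute names are stored lower-cased; LDAP attribute types are
# case-insensitive.
SCHEMA: Dict[str, dict] = {
    "top": {"oid": "2.5.6.0", "superior": None,
            "requires": {"objectclass"}, "allows": set()},
    "person": {"oid": "2.5.6.6", "superior": "top",
               "requires": {"sn", "cn"},
               "allows": {"description", "seealso",
                          "telephonenumber", "userpassword"}},
}


def superior_chain(oc: str) -> List[str]:
    """Follow 'superior' links so inherited must/may rules apply
    (person -> top)."""
    chain = []
    while oc is not None:
        if oc not in SCHEMA:
            raise KeyError("unknown objectclass: " + oc)
        chain.append(oc)
        oc = SCHEMA[oc]["superior"]
    return chain


def must_may(classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """Union of required and allowed attributes over all of the entry's
    objectclasses and their superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in classes:
        for c in superior_chain(oc.lower()):
            must |= SCHEMA[c]["requires"]
            may |= SCHEMA[c]["allows"]
    return must, may


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations for one entry (empty list = valid)."""
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectclass attribute"]
    try:
        must, may = must_may(classes)
    except KeyError as err:
        return [err.args[0]]
    problems = []
    for name in sorted(must):
        if not attrs.get(name):
            problems.append("missing required attribute: " + name)
    for name in sorted(attrs):
        if name not in must and name not in may:
            problems.append("attribute not allowed by schema: " + name)
    return problems


# Constructed sample entries (values borrowed from the attribute slide).
GOOD_ENTRY = {
    "objectClass": ["top", "person"],
    "cn": ["Leif Hedstrom", "The Swede"],   # multi-valued attribute
    "sn": ["Hedstrom"],
    "telephoneNumber": ["+1 650 555 0100"],
}
BAD_ENTRY = {
    "objectClass": ["person"],               # still gets 'top' via superior
    "cn": ["Leif Hedstrom"],
    "mailHost": ["tintin.netscape.com"],     # not allowed by 'person'
}

if __name__ == "__main__":
    for label, e in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(label, check_entry(e) or "OK")
```

Running it reports the bad entry as missing sn and carrying mailHost, which person does not allow; a server enforcing schema rejects such an add or modify for the same reasons, so a check like this belongs in any bulk-load or synchronization job before the data reaches the directory.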
Distinguished Name, DN
• The unique identifier for every entry
• Example:
    uid=leif, ou=People, dc=Netscape, dc=com
• Forms the hierarchy in your data; each “node” is both an entry and a potential branch point
• Relative DNs (RDN), e.g. uid=leif, must be unique within each subtree
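The RDN-uniqueness rule is easy to state and easy to break in a bulk import, so here is an added example (written for this page, not taken from the slides) that splits DNs into RDNs, finds the parent subtree, and reports clashes. The DNs are constructed; treating RDN values as case-insensitive is an assumption that holds for CIS attributes such as uid, ou and dc but not for every syntax.

```python
# Added example, not from the slides: DN handling for the rules above.
# The DN strings are constructed; case-insensitive comparison of RDN
# values is an assumption (true for CIS attributes such as uid, cn, ou, dc).
from collections import defaultdict
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings from the leaf outwards, honouring
    backslash-escaped commas and dropping the optional blank after ','."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape + escaped char
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn: str) -> str:
    """Canonical form: attribute type and value lower-cased, no padding."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def normalize_dn(dn: str) -> str:
    return ",".join(normalize_rdn(r) for r in split_dn(dn))


def parent_dn(dn: str) -> str:
    """The DN of the subtree the entry lives in (everything but the RDN)."""
    return ",".join(split_dn(dn)[1:])


def rdn_collisions(dns: List[str]) -> Dict[str, List[str]]:
    """Group DNs by normalized form; a group with more than one member is
    an RDN clash inside one subtree, which the server would reject."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for dn in dns:
        groups[normalize_dn(dn)].append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed DNs in the style of the slide's example.
SAMPLE_DNS = [
    "uid=leif, ou=People, dc=Netscape, dc=com",
    "UID=Leif,ou=people,dc=netscape,dc=com",     # same entry, other spelling
    "uid=leif, ou=Groups, dc=Netscape, dc=com",  # same RDN, other subtree: ok
    "cn=Smith\\, John, ou=People, dc=Netscape, dc=com",  # escaped comma
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(split_dn(dn), "->", parent_dn(dn))
    print(rdn_collisions(SAMPLE_DNS))
```

Only the two spellings of uid=leif under ou=People collide; the same RDN under ou=Groups is a different entry, which is exactly why the uniqueness requirement is per subtree rather than global.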
Why use LDAP?
• Understand the reasons for your LDAP deployment
  – What problems are you solving?
  – What is the target audience?
  – Key applications and clients
• Don’t deploy LDAP without a good reason
• Make sure you have well defined and measurable goals
Example goals (@Netscape)
• Scalability and performance
• Reliable and robust
• Security
• Easy to maintain, extend and upgrade
• Provide our users with services they need
• Make system administration easier and more efficient (less manual work)
Preparing for your deployment
• Have a brilliant plan, but be flexible
• Analyze existing systems, procedures and resources
• Get other people involved, e.g.
  – HR
  – Legal
  – Network/Telco people
  – IS HelpDesk
Common problems
• Changing existing procedures is difficult
• Might require assigning new or different tasks to some people
• Make sure you have support from management
• Mmmm, politics...
Doing a pilot deployment
• Decide on a few applications to LDAP’ify
  – E.g. Phonebook
• Find volunteers to use your applications
• Run the deployment as if it were full scale
• Analyze the result, get feedback from users
• Modify and refine your deployment plan accordingly
DIT design
• Flat structure? Probably a good idea
• But, adapt to corporate and organizational needs, and be flexible
DIT design (cont.)
• Decisions, decisions, decisions...
  – Naming attributes (CN, UID … ?)
  – Replication points
  – Delegation and ACL issues
• Be prepared for changes
  – Organizational changes
  – Geographical changes
  – Changes in ownership and delegation
Data replication
• Replication for redundancy, performance and scalability
• Single master vs. multi master
• Cascaded replication (single master)
  – Scalable replication
  – Efficient replication, to Europe for instance
  – Reduces load on the master server
Cascaded replication (@Netscape)
(diagram slide; no text content)
Delegation and data ownership
• Move responsibility for maintenance close to the data source (or the owner)
  – Systems and applications
  – Users
  – Groups of users (e.g. managers)
• Reduce load on central resources
• Depends heavily on ACL mechanisms and groups
LDAP integration
• Integration with existing applications
  – Mail servers
  – Web servers (e.g. for authentication)
• Integration with existing databases
  – Replace legacy systems with LDAP
  – Synchronize when appropriate
  – Integrated solutions (e.g. ypldapd)
  – Meta Directories
Example: @Netscape
(diagram slide; no text content)
Efficient maintenance
• LDAP server plugins/extensions
  – Data consistency checks
  – Trigger updates and automatic processes
  – Proactive data maintenance!
• Automatic synchronization with other data
  – HR PeopleSoft -> LDAP
  – LDAP to NIS, Win/NT, DNS etc.
  – PBX, Badge system, Certificate server etc.
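The "HR PeopleSoft -> LDAP" item is the kind of job that is usually a script diffing two snapshots and emitting LDIF change records. The following is an added example written for this page, not the deck's or Netscape's synchronization code. The HR feed, the directory snapshot and the base DN are constructed; it assumes uid is the join key, that HR is authoritative only for the attributes in HR_OWNED (so mailHost and passwords owned by other systems are never touched), and that all values are plain ASCII (no base64 LDIF encoding).

```python
# Added example, not from the slides: compute the LDIF change records that
# bring the directory in line with an HR feed. Feed, snapshot and base DN
# are constructed; uid as join key and HR_OWNED as the set of attributes
# HR is authoritative for are assumptions of this example.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
BASE_DN = "ou=People,dc=Netscape,dc=com"
# Attributes HR owns; anything else (mailHost, userPassword, ...) belongs
# to other systems and must not be written by this job.
HR_OWNED = ("cn", "sn", "telephoneNumber")


def entry_dn(uid: str) -> str:
    return "uid=" + uid + "," + BASE_DN


def ldif_add(uid: str, rec: Entry) -> str:
    lines = ["dn: " + entry_dn(uid), "changetype: add",
             "objectclass: top", "objectclass: person", "uid: " + uid]
    for attr in HR_OWNED:
        for value in rec.get(attr, []):
            lines.append(attr + ": " + value)
    return "\n".join(lines) + "\n"


def ldif_modify(uid: str, changed: Dict[str, List[str]]) -> str:
    """One 'replace' block per changed attribute; an empty value list
    becomes a bare 'replace:' which removes the attribute."""
    lines = ["dn: " + entry_dn(uid), "changetype: modify"]
    for attr, values in changed.items():
        lines.append("replace: " + attr)
        lines.extend(attr + ": " + v for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_delete(uid: str) -> str:
    return "dn: " + entry_dn(uid) + "\nchangetype: delete\n"


def plan_sync(hr: Dict[str, Entry], ldap: Dict[str, Entry]) -> List[Tuple[str, str, str]]:
    """Return (uid, changetype, ldif_record) for every difference.
    Values are compared as sorted lists so multi-value order is ignored."""
    plan: List[Tuple[str, str, str]] = []
    for uid in sorted(hr):
        if uid not in ldap:
            plan.append((uid, "add", ldif_add(uid, hr[uid])))
            continue
        changed = {
            attr: hr[uid].get(attr, [])
            for attr in HR_OWNED
            if sorted(hr[uid].get(attr, [])) != sorted(ldap[uid].get(attr, []))
        }
        if changed:
            plan.append((uid, "modify", ldif_modify(uid, changed)))
    for uid in sorted(ldap):
        if uid not in hr:
            plan.append((uid, "delete", ldif_delete(uid)))
    return plan


# Constructed HR export and directory snapshot, keyed by uid.
HR_FEED: Dict[str, Entry] = {
    "leif": {"cn": ["Leif Hedstrom"], "sn": ["Hedstrom"],
             "telephoneNumber": ["+1 650 555 0100"]},
    "bob": {"cn": ["Bob Example"], "sn": ["Example"],
            "telephoneNumber": ["+1 650 555 0199"]},   # number changed in HR
    "newhire": {"cn": ["New Hire"], "sn": ["Hire"]},  # not yet in LDAP
}
DIRECTORY: Dict[str, Entry] = {
    "leif": {"cn": ["Leif Hedstrom"], "sn": ["Hedstrom"],
             "telephoneNumber": ["+1 650 555 0100"],
             "mailHost": ["tintin.netscape.com"]},    # not HR's, left alone
    "bob": {"cn": ["Bob Example"], "sn": ["Example"],
            "telephoneNumber": ["+1 650 555 0101"]},
    "gone": {"cn": ["Left Company"], "sn": ["Company"]},  # no longer in HR
}

if __name__ == "__main__":
    for uid, kind, record in plan_sync(HR_FEED, DIRECTORY):
        print(record)
```

The output is ordinary LDIF that ldapmodify (or the PerLDAP scripts later in the deck) can apply; reviewing the generated records before applying them, and turning the delete case into a disable step, are the usual safeguards against an HR feed that is wrong or incomplete.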
Efficient maintenance (cont.)
• Management tools used by users
  – Changing their password (Web UI)
  – Phonebook (a NS Gateway design)
• Specific Gateway used by IS HelpDesk
• Specific Gateway used by our Admins and other groups of users
• Custom tools developed for common tasks
Maintenance tools for Sysadmins
• SDKs available for most popular languages
  – Perl/PerLDAP
  – C
  – Java
• Some typical scripts
  – Adding/deleting users
  – Group management
  – Changing passwords
PerLDAP: Searching for an entry

    #!/usr/bin/perl5
    use Mozilla::LDAP::Conn;

    # setup global parameters, using Getopt
    # …

    # %ld holds the connection parameters (host, port, bind credentials);
    # $base, $sc and $srch are the search base, scope and filter
    $c = new Mozilla::LDAP::Conn(\%ld);
    die "Could not connect to LDAP server" unless $c;

    $entry = $c->search($base, $sc, $srch);
    while ($entry) {
        $entry->printLDIF();       # dump each matching entry as LDIF
        $entry = $c->nextEntry();
    }
    $c->close();
PerLDAP: Updating an entry

    #!/usr/bin/perl5
    use Mozilla::LDAP::Conn;

    # setup global parameters, using Getopt
    # …

    $c = new Mozilla::LDAP::Conn(\%ld);
    die "Could not connect to LDAP server" unless $c;

    $entry = $c->search($base, $sc, $srch);
    while ($entry) {
        $entry->{mailhost} = [$host];   # replace the attribute's value(s)
        $c->update($entry);             # write the modified entry back
        $entry = $c->nextEntry();
    }
    $c->close();
Monitoring
• Monitor via scripts, or perhaps SNMP
  – Perhaps using the cn=monitor entry
• Try to detect data anomalies or inconsistencies (but be proactive)
• Make sure replication is working
• Performance monitoring
  – Are the servers responsive? High load?
  – Detect bad clients, or LDAP intensive clients
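"Detect bad clients, or LDAP intensive clients" is usually done from the server's access log. The following is an added example written for this page, not a tool from the deck or from Netscape: it reads access-log lines, attributes each search to the client address that opened the connection, and flags clients that search far too often or run searches that take seconds to answer. The log lines are constructed in the style of the Netscape Directory Server access log; the regular expressions assume that layout, and the thresholds are arbitrary.

```python
# Added example, not from the slides: a script-style monitor over a
# directory server access log that flags LDAP-intensive or slow clients.
# The log sample is constructed in Netscape Directory Server style; the
# regular expressions assume that layout and the thresholds are arbitrary.
import re
from collections import defaultdict
from typing import Dict, List

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from ([\d.]+) ")
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) etime=(\d+)")


def _new_stats() -> dict:
    return {"searches": 0, "etime": 0, "max_etime": 0,
            "max_nentries": 0, "worst_filter": ""}


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-client-IP counters: number of searches, total and worst search
    time, largest result set, and the filter of the slowest search."""
    conn_ip: Dict[str, str] = {}            # conn id -> client address
    pending: Dict[tuple, str] = {}          # (conn, op) -> filter of a SRCH
    stats: Dict[str, dict] = defaultdict(_new_stats)
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = flt
            stats[conn_ip.get(conn, "unknown")]["searches"] += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries, etime = m.groups()
            flt = pending.pop((conn, op), None)
            if flt is None:                 # result of a bind/modify, not a search
                continue
            s = stats[conn_ip.get(conn, "unknown")]
            s["etime"] += int(etime)
            s["max_nentries"] = max(s["max_nentries"], int(nentries))
            if int(etime) > s["max_etime"]:
                s["max_etime"] = int(etime)
                s["worst_filter"] = flt
    return dict(stats)


def flag_clients(stats: Dict[str, dict], max_searches: int = 100,
                 slow_secs: int = 5) -> Dict[str, List[str]]:
    """Return the clients worth a closer look, with the reason for each."""
    flagged: Dict[str, List[str]] = defaultdict(list)
    for ip, s in stats.items():
        if s["searches"] > max_searches:
            flagged[ip].append("%d searches" % s["searches"])
        if s["max_etime"] >= slow_secs:
            flagged[ip].append("slow search (%ds) filter=%s"
                               % (s["max_etime"], s["worst_filter"]))
    return dict(flagged)


# Constructed log sample: conn=12 dumps the whole tree and then searches in
# a tight loop; conn=13 is a normal phonebook lookup.
T = "[09/Dec/1998:10:00:%02d -0800] "
SAMPLE_LOG = [
    T % 1 + "conn=12 fd=34 slot=34 connection from 10.1.2.3 to 10.0.0.5",
    T % 1 + 'conn=12 op=0 BIND dn="" method=128 version=3',
    T % 1 + "conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0",
    T % 1 + 'conn=12 op=1 SRCH base="dc=Netscape,dc=com" scope=2 filter="(objectclass=*)" attrs=ALL',
    T % 9 + "conn=12 op=1 RESULT err=0 tag=101 nentries=5000 etime=8",
    T % 2 + "conn=13 fd=35 slot=35 connection from 10.1.2.9 to 10.0.0.5",
    T % 2 + 'conn=13 op=1 SRCH base="ou=People,dc=Netscape,dc=com" scope=2 filter="(uid=leif)" attrs=ALL',
    T % 2 + "conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0",
]
for n in range(2, 152):   # 150 more rapid-fire searches from conn=12
    SAMPLE_LOG.append(T % 10 + 'conn=12 op=%d SRCH base="ou=People,dc=Netscape,dc=com" scope=2 filter="(cn=*)" attrs=ALL' % n)
    SAMPLE_LOG.append(T % 10 + "conn=12 op=%d RESULT err=0 tag=101 nentries=0 etime=0" % n)

if __name__ == "__main__":
    for ip, reasons in flag_clients(summarize(SAMPLE_LOG)).items():
        print(ip, "; ".join(reasons))
```

Only 10.1.2.3 is reported, for both the search volume and the 8-second whole-tree dump; a real monitor would run this over the log tail on a schedule and compare against the cn=monitor counters mentioned above, so that a misbehaving mail or web client is noticed before it degrades the server for everyone.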
Selecting software
• Does it support your architecture?
  – Replication? Multi-master?
  – ACL mechanisms?
  – Performance needs?
• Cost
  – Initial costs
  – Maintenance costs
  – OS and Hardware costs
Selecting software (cont.)
• Standards
  – LDAP v2 or v3?
  – Extensions and controls?
• Other considerations
  – OpenSource is popular...
  – Support
  – Platforms
Some software products
• Netscape Directory Server (v4.0)
  – Very fast, powerful ACLs
  – Cross platform
  – Standards compliant
  – Flexible design (plugin API)
• OpenLDAP/Umich LDAP
  – Free!
  – Source code, but still behind the curve
Software products (cont.)
• Microsoft ActiveDirectory
  – Integration with NT (for better and for worse)
  – Multi-master replication
  – Excellent admin GUI
  – Only for NT
• Sun’s Directory Server
  – Integrates with NIS
Conclusions
• Spend time planning, analyzing and testing your design
• Select a DIT that is as easy as possible, while still supporting your organization
• Proactive and automatic maintenance is good; it helps keep data consistent
• Select the software appropriate for your architecture and needs
Literature
• RFCs, drafts and other protocol papers
• LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol
  – Tim Howes and Mark Smith
  – Macmillan Technology Series
  – ISBN: 1-57870-000-0
  – ~$45
Literature (cont.)
• Understanding and Deploying LDAP Directory Services
  – Tim Howes, Mark Smith and Gordon Good
  – MacMillan
  – ISBN: 1-57870-070-1
  – ~$50
  – Should be out early 1999
Resources
• http://www.openldap.org/
• http://www.mozilla.org/directory/
• http://www.ogre.com/ldap/
• Mail questions to me at [email protected] (netscape.com) or [email protected] (ogre.com)