OpenLDAP - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

OpenLDAP

Description:

Not enough initial guidelines given to LDAP deployments ... meta directories rely on reading 'legacy changelog' formats (cn=changelog) ... – PowerPoint PPT presentation

Number of Views:456

Avg rating:3.0/5.0

Slides: 31

Provided by: lauri161

Category:

more less

Transcript and Presenter's Notes

Title: OpenLDAP

1

OpenLDAP
Tom Jackiewicz,
NOT the Assistant Manager of Whataburger

Tacos are totally, like, yummy
2
LDAP Overview

X.500 heavy and complicated.
Too much structure in schema.
Lightweight version of DAP over TCP
Basic schema provided
Great flexibility in extending data types

3
LDAP Overview

Thus heres our problem- Not enough initial
guidelines given to LDAP deployments- Initially,
system administrators with focus on a single
environment configured these systems

4
LDAP Overview

RFCs for LDAP starting creating more structured
environments.
RFCs for X.500 were trying to take over the IT
space.

5
Surveying Your Environment

Look at what is out there before you deploy and
start planning out basic design elements.
Many companies currently have information in many
databases and directories.

6
Surveying Your Environment

Look at existing data sources for the
authoritative sources of- Logins / Account
names- Phone information- Legal names /
Preferred Names- System access / Roles- What
else do you need?

7
Surveying Your Environment

Customize your script or use a meta directory to
consolidate information.
Identify primary keys in your other
environments to match data.
If possible, keep information consistent and easy
to generate based on values and not filters.

8
Surveying Your Environment

Most packaged/commercial meta directories rely on
reading legacy changelog formats
(cnchangelog).
OpenLDAP doesnt support this as it is not a
defined standard.
Come up with your own set of scripts/tools/librari
es for accessing information.

9
DIT

The Directory Information Tree is key to having a
working environment.
Once set, you will not want to change your DIT.
Be careful when planning to make sure that all
future goals of the company are met.

10
DIT

Your organization name (Base DN, I.e.
dcsun4c,dcnet) is at the top of the tree.
OrganizationalUnits should be based on Region,
DataCenter or relatively static information.
Organizational Units should NOT be based on
function.

11
Schema

Base Schema works for storing basic identity
information. Great if you are deploying an LDAP
phone book.
Current schema provided for NIS and other
information is ugly and often relies on a new
container for each type of data.
Dont do this! Relationships do not belong in LDAP

12
Schema

RFC 2307 - an approach for using LDAP as a
network information service.
Guidelines provided within this RFC.
PADL and other packages love these suggestions.
Linux loves these suggestions.
Theyre only suggestions.

13
NIS

Old LDAP tools for NIS integration relied on
synchronization.
NIS tables were retained and old tools were still
somewhat usable.

14
NIS

New NIS integration relies on direct (or via
module) access to LDAP directory.
PAM is popular.

15
User Management

Users should have a single DN in the directory. A
DN per service is a bad idea as the directory
grows per service and not per user.
Default management tools enforce their own
standards. Make them comply to yours instead.

16
User Management

Centralized user management is good.
By Centralized I mean centralized application
or centralized guidelines.
Defining an owner of the data is necessary.
Providing multiple methods to modify information
in the directory creates problems.

17
Replication

Master should be isolated.
Master should have fewer indexes.

18
Replication

Consumers should have more indexes and be
optimized for read.
Consider a content switch.

19
Replication

If you need to support multiple applications with
different sets of requirements, consider multiple
sets of replicas with their own sets of indexes.
Keep the rest of the data consistent.

20
Replication

Master or Masters at top.
If more than 10 consumers, consider replica
heads.
Each data center or location should have at least
2 consumers for read and a fail over.
Needs depend on what you want to store and how
often it is accessed.

21
(NIS - COEXIST)

During transition? How to coexist?
Migration of yp commands
1000s of clients
how to make scale

22
Kerberos

Openldap kerberos

23
Scaling Your System

How to determine RAM?

24
Limitations of OpenLDAP

OpenLDAP is a standards based system. This is
good in an idealistic world.
The commercial vendors of LDAP integration tools
and implementations are evil.
Commercial tools that will make it worthwhile to
implement LDAP require proprietary features.

25
Limitations of OpenLDAP

Netscape / iPlanet has taken the lead of LDAP
innovation
OpenLDAP community has not advanced LDAP and has
been focused more on integration of useful tools.
Useful tools dont move heads of your managers.

26
Limitations of OpenLDAP

Meta Directories are a big thing now.
iPlanet provides class of service
(objectclasscostemplate) to store mappings.
For example, everyone in your company that has a
location of US has the language preference set to
English. COS lets you set this as a dynamic
mapping.

27
Limitations of OpenLDAP

However, because COS is not a standard, OpenLDAP
does not support it.
Directory 10,000 users (10,000 attributes
pointing to English) 10,000 changes.
COS allows you to make a single change and
SHAZAM.

28
Limitations of OpenLDAP

Roles, relying on class of service, extend the
group infrastructure and let you extend the
usability of your system.
Once again, these arent standards so they dont
really exist in OpenLDAP

29
Limitations of OpenLDAP