Got LDAP? - PowerPoint PPT Presentation

About This Presentation

Title: Got LDAP?

Description: 12th Usenix LISA, 1998.

Slides: 36
Provided by: leifhe
Learn more at: http://www.perldap.org

Transcript and Presenter's Notes

1
Got LDAP?
  • Deploying the Lightweight Directory Access
    Protocol

Leif Hedstrom <leif@netscape.com>
Netscape Communications Corp.
2
Agenda
  • Brief introduction to LDAP
  • Why use LDAP?
  • Planning your deployment
  • Architecture features
  • Designing your Directory Information Tree
  • Managing your LDAP system

3
Agenda (cont.)
  • Selecting software
  • Conclusions
  • Resources and further reading

4
Background and history of LDAP
  • Has its roots in X.500 (hence DAP)
  • Developed initially at University of Michigan,
    and is now an IETF standard
  • Accepted standard for Directory services,
    embraced by all the big players
  • LDAP is a protocol, not a database
  • Client-server based, ASN.1 encoding

5
LDAP Basics: Attributes
  • Every entry consists of one or more attribute
    value pairs
  • An attribute can have one of several types
    • e.g. BIN, TEL, CES
  • Attributes can be single or multi value

    cn=Leif Hedstrom
    cn=The Swede
    mailHost=tintin.netscape.com
6
What is an Objectclass?
  • Every entry must have at least one objectclass
    attribute
  • Defines the database schema, specifying which
    attributes an entry can, and must, include
  • Many standard classes available
  • Extensible
  • Structural, with inheritance

7
Example Objectclass: person

    attribute    cn    commonName    2.5.4.3    CIS
    attribute    sn    surName       2.5.4.4    CIS

    objectclass person
        oid        2.5.6.6
        superior   top
        requires   sn, cn
        allows     description,
                   seeAlso,
                   telephoneNumber, userPassword
8
Distinguished Name, DN
  • The unique identifier for every entry
  • Example
    • uid=leif, ou=People, dc=Netscape, dc=com
  • Forms the hierarchy in your data, each node is
    both an entry, and a potential branch point
  • Relative DNs (RDN), e.g. uid=leif, must be unique
    within each subtree
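As an added example that is not part of the presentation, the following Python check applies the objectclass rules of the last three slides (required and allowed attributes, inheritance via superior, RDN uniqueness under a parent) to a constructed set of entries. The schema dictionary, the assumption that top requires only objectclass, and the sample entries are mine, not the presenter's.

```python
# Schema from the "Example Objectclass: person" slide. Its superior 'top' is
# assumed to require only objectclass (the slide does not spell top out).
# Names are lowercased because LDAP attribute and class names are case-insensitive.
SCHEMA = {
    "top": {"superior": None, "requires": {"objectclass"}, "allows": set()},
    "person": {"superior": "top", "requires": {"sn", "cn"},
               "allows": {"description", "seealso", "telephonenumber", "userpassword"}},
}

def effective_schema(oc):
    """Required and allowed attributes of oc, including those inherited via 'superior'."""
    req, allow = set(), set()
    while oc:  # an unknown class name raises KeyError on purpose
        req |= SCHEMA[oc]["requires"]
        allow |= SCHEMA[oc]["allows"]
        oc = SCHEMA[oc]["superior"]
    return req, req | allow

def check_entries(entries):
    """entries: list of (dn, {lowercase attr: [values]}). Returns a list of problems:
    missing/not-allowed attributes, no objectclass, and RDNs not unique under a parent."""
    problems, seen = [], set()
    for dn, attrs in entries:
        rdn, _, parent = [p.strip() for p in dn.partition(",")]
        key = (rdn.lower(), parent.lower())
        if key in seen:
            problems.append(f"{dn}: RDN {rdn} is not unique under {parent}")
        seen.add(key)
        if "objectclass" not in attrs:
            problems.append(f"{dn}: entry has no objectclass")
            continue
        req, allow = set(), set()
        for oc in attrs["objectclass"]:
            r, a = effective_schema(oc.lower())
            req, allow = req | r, allow | a
        for name in sorted(req - attrs.keys()):
            problems.append(f"{dn}: missing required attribute {name}")
        for name in sorted(attrs.keys() - allow):
            problems.append(f"{dn}: attribute {name} not allowed by its objectclasses")
    return problems

# Constructed sample: the slide's example entry, then a broken duplicate of it.
SAMPLE = [
    ("uid=leif, ou=People, dc=Netscape, dc=com",
     {"objectclass": ["top", "person"], "cn": ["Leif Hedstrom", "The Swede"],
      "sn": ["Hedstrom"]}),
    ("uid=leif, ou=People, dc=Netscape, dc=com",
     {"objectclass": ["person"], "cn": ["Another Leif"],
      "mailhost": ["tintin.netscape.com"]}),
]
```

check_entries(SAMPLE) reports three problems, all on the second entry: the duplicate RDN, the missing sn, and mailhost, which person does not allow.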

9
Why use LDAP?
  • Understand the reasons for your LDAP deployment
    • What problems are you solving?
    • What is the target audience?
    • Key applications and clients
  • Don't deploy LDAP without a good reason
  • Make sure you have well defined and measurable
    goals

10
Example goals (@Netscape)
  • Scalability and performance
  • Reliable and robust
  • Security
  • Easy to maintain, extend and upgrade
  • Provide our users with services they need
  • Make system administration easier and more
    efficient (less manual work)

11
Preparing for your deployment
  • Have a brilliant plan, but be flexible
  • Analyze existing systems, procedures and
    resources
  • Get other people involved, e.g.
    • HR
    • Legal
    • Network/Telco people
    • IS HelpDesk

12
Common problems
  • Changing existing procedures is difficult
  • Might require assigning new or different tasks to
    some people
  • Make sure you have support from management
  • Mmmm, politics...

13
Doing a pilot deployment
  • Decide on a few applications to LDAPify
    • E.g. Phonebook
  • Find volunteers to use your applications
  • Run the deployment as if it was full scale
  • Analyze the result, get feedback from users
  • Modify and refine your deployment plan accordingly

14
DIT design
  • Flat structure? Probably a good idea
  • But, adapt to corporate and organizational needs,
    and be flexible

15
DIT design
  • Decisions, decisions, decisions...
    • Naming attributes (CN, UID ?)
    • Replication points
    • Delegation and ACL issues
  • Be prepared for changes
    • Organizational changes
    • Geographical changes
    • Changes in ownership and delegation

16
Data replication
  • Replication for redundancy, performance and
    scalability
  • Single master vs. Multi master
  • Cascaded replication (single master)
  • Scalable replication
  • Efficient replication, to Europe for instance
  • Reduce load on the Master server

17
Cascaded replication (@Netscape)
18
Delegation and data ownership
  • Move responsibility of maintenance close to the
    data source (or the owner)
    • Systems and applications
    • Users
    • Groups of users (e.g. managers)
  • Reduce load on central resources
  • Depends heavily on ACL mechanisms and groups

19
20
LDAP integration
  • Integration with existing applications
    • mail servers
    • Web servers (e.g. for authentication)
  • Integration with existing databases
    • Replace legacy systems with LDAP
    • Synchronize when appropriate
  • Integrated solutions (e.g. ypldapd)
  • Meta Directories

21
Example @Netscape
22
Efficient maintenance
  • LDAP server plugins/extensions
    • Data consistency checks
    • Trigger updates and automatic processes
  • Proactive data maintenance!
  • Automatic synchronization with other data
    • HR PeopleSoft -> LDAP
    • LDAP to NIS, Win/NT, DNS etc.
    • PBX, Badge system, Certificate server etc.

23
Efficient maintenance (cont.)
  • Management tools used by users
    • Changing their password (Web UI)
    • Phonebook (a NS Gateway design)
    • Specific Gateway used by IS HelpDesk
    • Specific Gateway used by our Admins and other
      groups of users
  • Custom tools developed for common tasks

24
Maintenance tools for Sysadmins
  • SDKs available for most popular languages
    • Perl/PerLDAP
    • C
    • Java
  • Some typical scripts
    • Adding/deleting users
    • Group management
    • Changing passwords

25
PerLDAP: Searching for an entry

    #!/usr/bin/perl5
    use Mozilla::LDAP::Conn;
    use Getopt::Std;

    # Set up global parameters from the command line, using Getopt:
    # -h host, -p port, -D bind DN, -w password, -b search base, -s filter
    getopts('h:p:D:w:b:s:');
    %ld = (host => $opt_h || "localhost", port => $opt_p || 389,
           bind => $opt_D, pswd => $opt_w);
    ($base, $sc, $srch) = ($opt_b, "subtree", $opt_s || "(objectclass=*)");

    $c = new Mozilla::LDAP::Conn(\%ld) || die "Can't connect to LDAP server";
    $entry = $c->search($base, $sc, $srch);
    while ($entry) {
        $entry->printLDIF();        # print the entry in LDIF format
        $entry = $c->nextEntry();
    }
    $c->close();

26
PerLDAP: Updating an entry

    #!/usr/bin/perl5
    use Mozilla::LDAP::Conn;
    use Getopt::Std;

    # Set up global parameters from the command line, using Getopt:
    # -h host, -p port, -D bind DN, -w password, -b base, -s filter, -m new mailhost
    getopts('h:p:D:w:b:s:m:');
    %ld = (host => $opt_h || "localhost", port => $opt_p || 389,
           bind => $opt_D, pswd => $opt_w);
    ($base, $sc, $srch, $host) = ($opt_b, "subtree", $opt_s, $opt_m);

    $c = new Mozilla::LDAP::Conn(\%ld) || die "Can't connect to LDAP server";
    $entry = $c->search($base, $sc, $srch);
    while ($entry) {
        $entry->setValue("mailhost", $host);    # replace the value, then write it back
        $c->update($entry) || warn "Update failed: ", $c->getErrorString();
        $entry = $c->nextEntry();
    }
    $c->close();

27
Monitoring
  • Monitor via scripts, or perhaps SNMP
    • Perhaps using the cn=monitor entry
  • Try to detect data anomalies or inconsistencies
    (but be proactive)
  • Make sure replication is working
  • Performance monitoring
    • Are the servers responsive? High load?
    • Detect bad clients, or LDAP intensive clients
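As an added example that is not part of the slides, here is a small Python pass over access-log lines for the "bad clients or LDAP intensive clients" point: it maps connections to client IPs and counts operations, failed binds and whole-tree searches per client. The log lines are constructed in the style of a Netscape/389 Directory Server access log, and the field layout, thresholds and IP addresses are my assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the style of a Netscape/389 Directory Server access log
# (assumption; real logs carry more fields, only the ones parsed below are needed).
SAMPLE_LOG = """\
[10/Dec/1998:09:00:01 -0800] conn=10 fd=12 slot=12 connection from 10.1.2.3 to 10.1.1.1
[10/Dec/1998:09:00:01 -0800] conn=10 op=0 BIND dn="uid=leif,ou=People,dc=Netscape,dc=com" method=128 version=3
[10/Dec/1998:09:00:01 -0800] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Dec/1998:09:00:02 -0800] conn=10 op=1 SRCH base="ou=People,dc=Netscape,dc=com" scope=2 filter="(uid=leif)" attrs=ALL
[10/Dec/1998:09:00:02 -0800] conn=10 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Dec/1998:09:00:05 -0800] conn=11 fd=13 slot=13 connection from 10.9.9.9 to 10.1.1.1
[10/Dec/1998:09:00:05 -0800] conn=11 op=0 BIND dn="uid=admin,ou=People,dc=Netscape,dc=com" method=128 version=3
[10/Dec/1998:09:00:05 -0800] conn=11 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Dec/1998:09:00:06 -0800] conn=11 op=1 BIND dn="uid=admin,ou=People,dc=Netscape,dc=com" method=128 version=3
[10/Dec/1998:09:00:06 -0800] conn=11 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[10/Dec/1998:09:00:07 -0800] conn=11 op=2 SRCH base="dc=Netscape,dc=com" scope=2 filter="(objectclass=*)" attrs=ALL
[10/Dec/1998:09:00:09 -0800] conn=11 op=2 RESULT err=0 tag=101 nentries=5400 etime=2
"""

# 'connection from' lines map a conn id to a client IP; RESULT lines carry the outcome.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
RESULT_RE = re.compile(r"conn=(\d+) op=\d+ RESULT err=(\d+) tag=(\d+) nentries=(\d+)")

def summarize(log, max_entries=1000):
    """Per client IP: ops, failed binds (tag=97, err!=0), searches (tag=101) over max_entries."""
    ip_of_conn = {}
    stats = defaultdict(lambda: {"ops": 0, "bind_failures": 0, "large_searches": 0})
    for line in log.splitlines():
        m = CONN_RE.search(line)
        if m:
            ip_of_conn[m.group(1)] = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, err, tag, nentries = m.groups()
        s = stats[ip_of_conn.get(conn, "unknown")]
        s["ops"] += 1
        if tag == "97" and err != "0":
            s["bind_failures"] += 1
        if tag == "101" and int(nentries) > max_entries:
            s["large_searches"] += 1
    return dict(stats)

def flag_clients(stats, max_ops=50, max_bind_failures=1):
    """Clients worth a closer look: LDAP-intensive, repeatedly failing to bind, or dumping subtrees."""
    return sorted(ip for ip, s in stats.items()
                  if s["ops"] > max_ops or s["bind_failures"] > max_bind_failures
                  or s["large_searches"] > 0)
```

On the sample, flag_clients(summarize(SAMPLE_LOG)) returns only 10.9.9.9, which failed two binds and then pulled 5400 entries in one subtree search.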

28
Selecting software
  • Does it support your architecture?
    • Replication? Multi-master?
    • ACL mechanisms?
    • Performance needs?
  • Cost
    • Initial costs
    • Maintenance costs
    • OS and Hardware costs

29
Selecting software (cont.)
  • Standards
    • LDAP v2 or v3?
    • Extensions and controls?
  • Other considerations
    • OpenSource is popular...
    • Support
    • Platforms

30
Some software products
  • Netscape Directory Server (v4.0)
    • Very fast, powerful ACLs
    • Cross platform
    • Standards compliant
    • Flexible design (plugin API)
  • OpenLDAP/Umich LDAP
    • Free!
    • Source code, but still behind the curve

31
Software products (cont.)
  • Microsoft ActiveDirectory
    • Integration with NT (for better and for worse)
    • Multi-master replication
    • Excellent admin GUI
    • Only for NT
  • Sun's Directory Server
    • Integrates with NIS

32
Conclusions
  • Spend time planning, analyzing and testing your
    design
  • Select a DIT that is as easy as possible, while
    still supporting your organization
  • Proactive and automatic maintenance is good,
    helps keeping consistent data
  • Select the software appropriate for your
    architecture and needs

33
Literature
  • RFCs, drafts and other protocol papers
  • LDAP: Programming Directory Enabled Applications
    with Lightweight Directory Access Protocol
    • Tim Howes and Mark Smith
    • Macmillan Technology Series
    • ISBN 1-57870-000-0
    • $45

34
Literature (cont.)
  • Understanding and Deploying LDAP Directory
    Services
    • Tim Howes, Mark Smith and Gordon Good
    • MacMillan
    • ISBN 1-57870-070-1
    • $50
    • Should be out early 1999

35
Resources
  • http://www.openldap.org/
  • http://www.mozilla.org/directory/
  • http://www.ogre.com/ldap/
  • Mail questions to me at leif@netscape.com
    or leif@ogre.com