Directory Development Fundamentals - PowerPoint PPT Presentation

1 / 106
About This Presentation
Title:

Directory Development Fundamentals

Description:

Operations you want to perform on eDirectory Your preferred programming language Protocol preference LDAP NDAP HTTP Novell LDAP Developer s Guide To Learn More ... – PowerPoint PPT presentation

Number of Views:298
Avg rating:3.0/5.0
Slides: 107
Provided by: NovellE6
Category:

less

Transcript and Presenter's Notes

Title: Directory Development Fundamentals


1
Directory Development Fundamentals
  • Ed Shropshire
  • NDS Partner Programs
  • Novell, Inc.
  • eshropshire_at_novell.com

2
  • Visionone Net
  • A world where networks of all typescorporate
    and public, intranets, extranets, and the
    Internetwork together as one Net and securely
    connect employees, customers, suppliers, and
    partners across organizational boundaries
  • Mission
  • To solve complex business and technical
    challenges with Net business solutions that
    enable people, processes, and systems to work
    together and our customers to profit from the
    opportunities of a networked world

3
(No Transcript)
4
Deployed Versions Novell eDirectory and Novell
Directory Services (NDS)
Product Version Build Version Platforms
NetWare 5.1 SP4 (NDS 7) DS.nlm v7.57 NetWare 5.1
NetWare 5.1 SP 4 (NDS 8) DS.nlm v8.79 NetWare 5.1
eDirectory 8 DS.nlm DS.dlm v8.79 NetWare 5.0,Win NT/2K
eDirectory 8.5.x DS v85.23 NetWare 5.x,Win,Solaris
NetWare 6 (eDirectory 8.6) DS.nlm v10110.20 NetWare 6
eDirectory 8.6.1 DS v10210.43 NW 5.1,NW 6,Win,Solaris,Linux
NetWare 6 SP1 (eDirectory 8.6.2) DS.nlm v10310.17 NetWare 6
eDirectory 8.6.2 DS v103xx.xx NW 5.1,NW 6,Win,Solaris,Linux
eDirectory 8.7 DS v10410.xx NW 5.1,NW 6,Win,Solaris,Linux,AIX
5
Differences Between eDirectory and NDS
NDS
eDirectory
NOS directory focused on managing NetWare
servers
A cross-platform, scalable, standards-based
directory used for managing identities that
span all aspects of the networkeDirectory is
the foundation for eBusiness
NetWare 5
NetWare
NetWare 6
6
Novell one Net and eBusiness Vision
Novell provides Net services software that gives
organizations the ability to simplify the
complexities of the Net, securely extend and
integrate networks and applications between
companies and accelerate eBusiness transformations
NET Services
Novell eDirectory

NW
7
Whats New with Novell eDirectory
  • Novell eDirectory 8.6.1 and 8.7
  • Product of the YearNetwork Magazine
  • The NameNovell eDirectory
  • SunTone Certification
  • Partner Redistribution Program
  • Free eDirectory for Developers
  • LDAPZone
  • AIX
  • LDAP 2000 Server Brand
  • LDAP Java SDK
  • LDAP Java Beans

8
Novell eDirectory Partner Redistribution Kit
Program
  • Get started
  • Download unlimited eDirectory licenses for
    development purposesvisit developer.novell.com/eD
    irectory/download.htm
  • Get profitable
  • Offer commercial solutions that include FREE
    250,000 user versions of eDirectory
  • Save each application customer up to a
    half-million US dollars in up-front licensing
    costs
  • Visit developer.novell.com/eDirectory

9
Novell eDirectory Partner Redistribution Kit
Program
  • OEMs/ISVs can (AT NO COST)
  • Distribute 250,000 eDirectory user versions with
    each copy of their shipping products
  • Distribute full-featured versions of eDirectory
    to an unlimited number of application customers
  • Distribute the latest Multi-OS version of
    eDirectoryWindows, Sun Solaris, Linux,
    NetWare, and IBM AIX (future)
  • Increase software/hardware/server sales
  • Rely on proven embedded technology
  • Build competitive advantage with added services
    and lower up-front deployment costs

10
LDAPzone.com
  • Why LDAPzone?
  • Comprehensive
  • Resources and information on everything LDAP
  • Community
  • Share ideas, sample code, forums, tips and tricks
  • Directions
  • The latest LDAP news, updates and developments

www.ldapzone.com
11
Novell Developer Offerings
  • Support options
  • What can you get if you pay
  • Benefits 24 hour turnaround
  • Developer labs
  • Priority support
  • Dedicated support contacts
  • Certification
  • Solutions search
  • Developer labs
  • Developer training

12
Novell eDirectory Architecture
DirXML
OnDemandSM
SSO
iChain
eDirectory Management Framework
LDAP
NDAP
System Abstraction Layer (SAL)
Access
Utilities Repair Merge Backup
Schema
Maintenance
Security
iManage
AIX
Replication
iMonitor
???
iInstall
Storage Management Interface (SMI)
Database
eGuide
13
Net Directory Service Solutions
  • eDirectory
  • Novell Account Management
  • Novell Authentication Services

14
168 Applications Before Zero-Day Start
15
One Net Simplifies Business Processes
SSL
XML
IP
LDAP
16
Enlightened Workforce (Intelligent Portal)
17
The Three Views Novell eDirectory
  • Lets take a look at it from a different
    perspective

18
What Makes It Different?
  • Extensible schema
  • Inherited rights
  • Multi-master replication
  • Filtered replica
  • Referential integrity
  • Scalable data store
  • Multi-protocol support (discoveryaccess
    protocols)
  • Multi-authentication support
  • Developer interfaces
  • Platform support

19
eDirectory Features
Feature details
Filtered replica A new replica type that enables
flexible control of whats replicated Down to the
attribute level
LDAP Support LDAP v3 support including
SSL OpenLDAP SDK Improved search speed
Improved administration tools Monitoring and
repair tools in ConsoleOne ICE
(Import/Convert/Export) utility iMonitor utility
ADSI Provider Translates ADSI calls into
LDAP Apps developed to ADSI are fully supported
DirXML Support Provides foundation for
integrating network information for any system,
application, device, etc.
Cross-platform support Already runs on NetWare,
NT 4, Linux, Windows 2000 and Solaris Looking at
other UNIX and mainframe platforms (e.g AIX)
20
What is LDAP?
LDAP began life as an attempt to simplify access
to x.500 (DAP) directories, thus the name
Lightweight Directory Access Protocol
  • A standardized protocol for accessing X.500
    directories
  • A version of DAP that contains less code than
    DAP
  • An enabled client with TCP/IP access to X.500
    directories
  • Lightweight means you dont have to manage all of
    the connection overhead in your application
  • Lightweight doesnt mean limited access
    functionality
  • LDAP is a client-server protocol

21
Technical LDAP Benefits
  • Applications can be directory-neutral
  • Directories can be interchanged
  • Note All directories are not equal

22
Overview
  • LDAP is a client/server access protocol
  • LDAP also describes a data model (ACI, Schema,
    Replication)
  • LDAP is controlled by the IETF community
  • LDAP certifications
  • Works with LDAP (for applications) and LDAP 2000
    (for servers)
  • Novell is a founding member of the
    Interoperability Forum/Open Group

23
One Net and LDAP
  • Current widespread standard for access to
    directory information
  • Core protocol used by Net services software

24
Novell eDirectory SDK
  • Everything to integrate with eDirectory
  • Libraries, tools, sample code, and documentation
  • Platforms (server and workstation)
  • NetWare
  • Windows 2000
  • NT
  • Windows 95/98
  • Solaris, Linux
  • http//developer.novell.com/ndk/ndssdk.htm

25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
Novell ODBC Driver for eDirectory
  • ODBC driver specifically designed to query and
    retrieve eDirectory data
  • Supports standard SQL statements
  • Makes reporting and retrieving data quick and
    easy
  • Abstracts the directory tree into accessible
    relational database tables
  • Hides the complexity of the underlying directory
    syntax

30
How ODBC Maps eDirectory Data
  • Mapping eDirectory data to relational tables
  • eDirectory hierarchical directory data is mapped
    to a flattened relational database table
  • eDirectory object classes correspond to the
    tables
  • eDirectory class attributes correspond to columns
    of the table
  • Entries correspond to rows of the table

31
Troubleshooting Novell ODBC Driver
  • Common problems
  • Insufficient resources
  • Select fewer attributes or specify the attributes
    rather than using a wildcard to include all
    attributes
  • Examine the attributes you select to ensure that
    only a few of them are multi-valued
  • Restrict the number of objects selected by
    specifying only one container
  • eDirectory rights
  • SQL statement errors
  • Use the correct table and column names in SQL
    statements
  • Read-only access to eDirectory

32
(No Transcript)
33
Novell eDirectory LDAP Compliance
  • Novell LDAP SDKs fully implement
  • IETF draft for C Interface
  • draft-ietf-ldapext-c-api-05.txt
  • IEFT draft for Java Interface
  • draft-ietf-ldapext-java-api-13.txt
  • eDirectory supports all LDAP version 3 required
    functionality
  • IETF RFCs 2247, 2251, 2252, 2253, 2254, 2255 and
    2256
  • eDirectory also supports most optional
    functionality

34
More About LDAP
  • Users given server view vs. a tree view
  • LDAP uses UTF-8 encoding of character strings
  • Allowing strings of any language to be used in
    the API
  • LDAP servers listen on two TCP/IP ports
  • 389Provides clear text connections
  • 636Secure connections using SSL
  • An LDAP bind (connection) is an eDirectory login
  • LDAP requires that individual users have
    passwords
  • No password is interpreted as an anonymous bind
  • Specifies no file access mechanisms
  • Novell eDirectory event mechanism coming soon

35
Novell Extensions to LDAP
  • Novell LDAP extensions
  • Partitionssplit, join, get number of entries,
    abort operation
  • Replicasadd, remove, change type, list on
    server, return information
  • Replica synchronizationto a specified server, to
    all replicas, at a specified time
  • Schema synchronization
  • Get effective eDirectory rights for attributes
  • Get DN of logged-in caller
  • Restart the LDAP server

36
(No Transcript)
37
LDAP Class Libraries for Java
  • Now available on the Novell Developer Kit (NDK)
  • Conforms to the IETF LDAP Java interface
  • Socket, threads, queues, connection manager
  • Referrals
  • Schema management
  • Security SSL and SASL
  • Extensions and controls
  • Exposes additional classes and methods
  • ASN.1/BER Protocol Methods (APIs)

38
Benefits of LDAP Libraries for Java
  • Classes and methods reflect LDAP protocol
  • Small footprint
  • Easy to learn and use
  • Synchronous and asynchronous interfaces
  • Pure Java solution
  • Extensions for eDirectory management
  • Tuned and tested with eDirectory
  • Works with other LDAP-aware directories
  • SSL secured through Novell Security Technologies
  • Open Source available on the OpenLDAP Site
  • www.openldap.org

39
(No Transcript)
40
What is JNDI?
  • Java Naming and Directory Interface (JNDI)
  • An addition to JavaSofts enterprise API set
  • Object-oriented look and feel
  • Abstracted view
  • Naming-system neutral, enabling many different
    service providers to be accessed via the same
    interface
  • Promotes interaction between naming systems
  • Provider issues tend to show through
  • Providers may or may not be pure Java
  • Platform support is provider-dependent
  • Providers tend to be vendor-specific

41
(No Transcript)
42
Use Novell LDAP Libraries for C
  • Use the Novell LDAP Libraries for C vs. other
    SDKs
  • Extensions for eDirectory management
  • Tuned and tested for eDirectory
  • Works with other LDAP-aware directories
  • Available on NetWare, Windows, UNIX
  • Supported by Novell Worldwide Developer Support
  • Internationalized and localized
  • SSL-secured through Novell Security Technologies
  • LDAP Libraries for C Open Source
  • Novell LDAP Libraries for C leverage
    www.OpenLDAP.org

43
(No Transcript)
44
Novell JDBC Driver for eDirectory
  • Conforms to the JDBC specification
  • Requires the JNDI LDAP service provider for
    eDirectory
  • Supports standard SQL statements
  • Abstracts the directory tree into accessible
    relational database tables
  • Hides the complexity of the underlying directory
    syntax
  • Provides read only access of eDirectory

45
(No Transcript)
46
Novell Controls for ActiveX
  • Application Administration (NWAppA)
  • Bindery (NWBind)
  • Browser (NWBrowse)
  • Catalog Administration (NWCatA)
  • Client and Server Socket (NWCliSkt and NWSvrSkt)
  • Directory (NWDir)
  • Directory Administration (NWDirA)
  • Directory Authenticator (NWDirAuth)
  • Directory Query (NWDirQ)
  • Internet Directory (NWIDir)
  • Internet Directory Query (NWIDirQ)
  • Internet Directory Entries (NWIDirE)
  • NDPS Printer Administration (NWDPPrtA)
  • Network Selector (NWSelect)
  • Peer Socket (NWPrSkt)
  • Print Queue Administration (NWPQA)
  • Print Server Administration (NWPSA)
  • SecretStore (NWSecStr)
  • Server Administration (NWSrvA)
  • Session Management (NWSess)
  • User Group (NWUsrGrp)
  • Volume Administration (NWVolA)

47
(No Transcript)
48
Beans for Novell eDirectory
  • eCommerce LDAP beans
  • Components for integrating web applications with
    LDAP directories
  • Enabling authentication
  • Read/write directory access
  • Contextless login
  • SSL security
  • NDS bean
  • Enables access to and manipulation of eDirectory
    entries
  • Dependent upon the Novell class libraries for
    Java
  • Requires the Novell Client

49
Scripting Options
  • Third Party Scripting Options
  • Perl
  • Python
  • PHP
  • Visit LDAPZone for a complete list and
    optionswww.LDAPZone.com

50
Supercharge Your Web Applications with Novell
eDirectory
  • Realize the benefit of using Novell eDirectory to
    personalize web server applications
  • The objective of this seminar is to provide ideas
    and examples that will assist you in developing
    and deploying more powerful and flexible
    web-based applications

51
Why Tie Web Applicationsto Novell eDirectory?
  • Enhance and strengthen business relationships
  • Allowing secure access to information and
    applications
  • Provide the ability to simply and securely
    provide access to personalized and sensitive
    information
  • This may be the difference between gaining or
    disappointing a customer or partner

52
Use Novell eDirectory to
  • Store identity profiles
  • Control data access
  • Maintain customer identity relationships
  • Manage user security
  • Manage data at the network level
  • Abstract service locations
  • Increase throughput

53
HTTP is Stateless
  • To enable session tracking, utilize
  • Realms
  • Browser passes user and password with each
    request
  • Hidden form fields
  • Hidden input types that are not displayed when
    read by the browser
  • Cookies
  • Keyed piece of data created by the server and
    stored by the client browser
  • URL rewriting
  • Requested URL is modified to include a session ID
  • Servlet HTTPsession objects
  • Enables name/value pairs to be stored per session

54
Use Novell eDirectory to Track Sessions
  • Take advantage of GUIDs
  • Identify who is accessing the site
  • GUIDs eliminate the need to store personal data
  • GUIDs are globally unique across all trees and
    servers
  • eDirectory automatically creates a GUID for each
    new entry
  • GUIDs do not change throughout life of object
  • Administrators may want to create an index on
    GUID to enhance response time
  • Operational Attribute

Globally Unique Identifiers
55
Use Novell eDirectory to Personalizethe User
Experience
  • Case example (CNN)
  • Provides worldwide news, sports, financial data
    and other information
  • Customized and personalized advertising and
    content using the GUID as a cookie
  • Customization is transparent to the user

56
CNN eDirectoryArchitecture
(ad-injection)
Netscape web servers on Solaris (CNN Web Farm)
(Cookie)
HTTP
LDAP Client
Internal Firewall
  • eDirectory on NetWare and Solaris
  • Development Servers
  • - Compaq 1850R
  • - 2GB RAM/72GB RAID 0
  • 1 Intel Pro/100 Server Adapter
  • SUN Sparc U60
  • Solaris 2.6
  • eDirectory on NetWare 5 Load Directory Servers
  • Compaq 6400R
  • - 2GB RAM/72GB RAID 0
  • 1 Intel Pro/100 Server Adapter
  • eDirectory on NetWare 5
  • Staging Server
  • - Compaq 1850R
  • 2GB RAM/72GB RAID 0
  • - 1 Intel Pro/100 Server Adapter

57
Tune Your Application and eDirectory to Achieve
High Throughput
  • Filter the scope of data searches
  • Create well-formed schema extensions
  • Tune eDirectory
  • Tune memory/cache
  • Use proper tree design
  • Co-locate servers
  • Distributed nature of eDirectory gives better
    throughput
  • Utilize filtered replicas
  • Index on critical attributes

58
Directory Services and Databases
  • Lets look at the strengths and weaknesses of
    both
  • When are they exclusive of each other?
  • When do they compliment each other?
  • The whys and wherefores

59
Directory Services and Databases (cont.)
  • Directory Service Strengths
  • Fast on the read
  • Distributed
  • Object-oriented
  • Hierarchical
  • Standardized schema
  • Replication
  • Attributes can be multi-valued
  • Relational Database Strengths
  • Designed to handle transactions
  • Schema tuned for exact application needs
  • Can be modeled to handle very complex needs
  • Data integrity built in
  • Management of data failures

60
When to Use What??
  • Each has its own best use
  • Directories are used most often for
  • Authentication
  • Authorization
  • Personalization
  • RDBMSs used most often for
  • Transaction processing
  • Highly volatile data
  • Very complex data requirements
  • Examples of each usage

61
Making the Choice
  • Frequency of data modifications
  • Primary data requirements
  • Security
  • Flexibility
  • Model the data needs
  • Determine transactional requirements

62
What Is So Important About Schema?
  • It sets some structure
  • Provides a framework
  • Identifies syntax
  • SchemaData Dictionary

63
What Is in the Schema?
  • Object classes
  • Attributes types
  • Syntaxes
  • Matching rules
  • Naming and containment rules

64
eDirectory Has an Extensible Schema
  • You can extend the schema, you do not change the
    schema
  • Create new classes
  • Add optional attributes
  • Use auxiliary classes
  • Delete non-base classes that do not have any
    object instantiated
  • Delete attributes that are not used in any
    classes
  • Schema extensions do not impact directory
    performance

65
Extension Options
  • You can make extensions programmatically or by
    using an LDIF file with the ldapmodify utility
  • Programmatically
  • Easier to control
  • Not as many files
  • LDIF
  • No need to recompile changes
  • Easy to run multiple

66
New Schema Recommendations
  • Determine exact purpose of new classes and
    attributes
  • Dont define anything for future use
  • Remember to include the domain containment
  • Understand any flags you use
  • Use auxiliary classes whenever possible
  • Dont add new attributes to existing classes if
    possible
  • Reuse/extend existing schema definitions
  • If small, change to existing definition
  • Add your attributes first, then your classes

67
Syntaxes
  • Define what your data looks like
  • Not extensible
  • eDirectory supports LDAP equivalence of
    eDirectory syntaxes
  • Recommendations
  • For readability limit use of octet string

68
Matching Rules
  • Equality
  • Defines how two values are compared
  • i.e., caseIgnoreMatch
  • Ordering
  • Used to determine if a value is greater or less
    than another value
  • SUBSTR
  • Defines the way substring matches work

69
Attribute Types
  • Attribute type is a string value
    containingvarious fields
  • What makes up an attribute
  • ASN.1 id - OID acts as an unique identifier
  • Human readable name
  • A description
  • Matching rules
  • Syntax
  • Flag
  • i.e., if attribute is single valued

70
Attribute Type Example
  • (2.5.4.20
  • NAME telephone number
  • DESC Standard Attribute
  • EQUALITY telephoneNumberMatch
  • SUBSTR telephoneNumberSubstringMatch
  • SYNTAX 1.3.6.1.4.1.1466.115.121.1.5032 )
  • (2.5.4.28
  • NAME preferredDeliveryMethod
  • SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
  • SINGLE-Value )

71
Attribute Types
  • MUSTMandatory Attributes
  • In LDAP these are referred to as MUST
  • When you create an object of this type, you must
    populate these attributes
  • Cannot add MUST attributes once objects are
    created from object class
  • MAYOptional Attributes
  • In LDAP these are referred to as MAY
  • eDirectory does not store these attributes with
    an object unless they have a value
  • You can add more optional attributes to a class
    after the class is created

72
LDAP Attribute Options
  • NO-USER-MODIFICATION
  • Equivalent to non-removable in eDirectory
  • SINGLE-VALUE
  • Default multi-valued
  • Upper Bound
  • Specified after syntax within

73
Operational Attributes
  • Standard
  • modifyTimeStamp
  • createTimeStamp
  • modifersName
  • creatorsName
  • subschemaSubEntry
  • eDirectory-Specific
  • structuralObjectClass (baseClass)
  • subordinateCount
  • entryFlags

74
Object Class Types
  • Structuraldefault
  • Used to create entries
  • Abstract
  • Building block class
  • Used for sub-classing
  • Auxiliary
  • Used to add attributes to existing entries
  • If type is not specified, default will be
    structural

75
Object Class Definition
  • ASN.1 id - Object ID (OID)
  • Human readable name
  • List of superior object classes
  • Identifier
  • List of required (MUST) attributes
  • List of optional (MAY) attributes

76
Example of Object Class Definition
  • (2.5.6.6
  • NAME person
  • SUP top
  • Structural
  • MUST ( sn cn)
  • MAY ( userPassword telephoneNumber seeAlso
    description ) )

77
Defining a New Object Class SUPInheritance
  • This is the class you inherit from
  • Your class automatically gets attributes from the
    parent, as well as any additional that you
    specify
  • Multiple levels of inheritance is possible
  • You can add superclasses starting in eDirectory
    8.5

78
Naming
  • The naming list specifies which attributes which
    can be used to name the object
  • Naming can be specified in LDAP with the
    X-NDS_NAMING option
  • Naming attribute can be multi-valued
  • Complete control over how to name and access the
    object
  • Defaults (if not supplied)
  • Inherit from superclass definition if possible
  • The combination of all string attributes in the
    MUST and MAY lists

79
Naming (cont.)
  • Registered prefixes
  • Provide uniqueness
  • Distinguish your extensions
  • Available from Novell
  • LDAP mappings
  • Provide LDAP accessibility to eDirectory schema
  • Automatic from eDirectory on as long as you use
    valid LDAP names
  • Can be set for non-compatible names

80
Containment
  • Containment identifies the other object types
    which can contain this class
  • Note that this is not the container flag
  • If a class is a container, it can be defined to
    be able to contain itself
  • Containment is now modifiable in eDirectory 8.5
  • You can add containment

81
Containment (cont.)
  • Containment can be specified in LDAP with the
    X-NDS_CONTAINMENT option
  • The defaults if not supplied are
  • Inherit from Super Class definition, if possible
  • C, L, O, OU, and domain

82
Auxiliary Classes
  • Auxiliary (or aux) classes are a collection of
    attributes
  • Aux classes are applied at the object level
  • Only the objects that need the attributes have
    them
  • Doesnt change the object class definition

83
Using Auxiliary classes
  • Two steps
  • Modify the object class of an existing object to
    include the aux class name
  • Write values to attributes as you would any other
    attributes for that class
  • Easy to remove
  • Delete the aux class name from the objectClass
    attribute
  • Noteauxiliary classes are available from
    eDirectory 8 and beyond

84
X-NDS Class Options
  • The changes you can make to class definitions
    using the X-NDS options are
  • Flags
  • X-NDS_NOT_CONTAINER
  • X-NDS_NONREMOVABLE
  • Containment
  • X-NDS_CONTAINMENT
  • Naming
  • X-NDS_NAMING
  • Mapping
  • X-NDS_NAME
  • All X-NDS options have default values

85
X-NDS Attribute Options
  • Most attribute options are flags
  • X-NDS_PUBLIC_READ
  • X-NDS_SERVER_READ
  • X-NDS_NEVER_SYNC
  • NDS per replica flag
  • X-NDS_NOT_SCHED_SYNC_IMMEDIATE
  • X-NDS_SCHED_SYNC_NEVER
  • X-NDS_NAME_VALUE_ACCESS
  • NDS write managed flag
  • One other attribute option
  • X-NDS_LOWER_BOUND

86
Schema Naming Recommendations
  • LDAP schema name valid character set
  • Alpha-numeric and dash
  • First character must be alpha
  • Nothing else
  • Name format
  • Lowercase prefix, followed by uppercase words
  • OldMYAPPNew Attribute Name
  • NewmyappNewAttributeName
  • Dont use delimiter characters

87
Schema Naming Recommendations
  • If you follow the naming rules, LDAP mappingfor
    the names are not needed
  • If you havent followed rules in past (or
    future), then mappings are needed for access to
    schema items via LDAP
  • What are mappings, anyway?
  • Object Class objectClass

88
Schema Available Definitions
  • LDAP ships with a subset of inetOrgPerson mapped
    to the eDirectory user class
  • Schema extensions are available for
  • Full inetOrgPerson mapped to eDirectory user
  • Full inetOrgPerson
  • residentialPerson
  • newPilotPerson
  • www.novell.com/products/nds/schema/index.html

89
ASN 1 OIDs and Prefixes
  • What is an OID?
  • Novells base OID 2.16.840.1.113719
  • joint-iso-ccitt(2) country(16) us(840)
    organization(1) Novell(113719)
  • LDAP allows access via the OID
  • Be sure to have OIDs for your application
  • How do you use your allocated sub-arc?
  • 2.16.840.1.113719.2.ltagt.4.ltxgt.ltvgt
  • 2.16.840.1.113719.2.ltagt.6.ltxgt.ltvgt
  • ltagt is your assigned subarc value
  • ltxgt is the sequence number you assign
  • ltvgt is the version number you assign
  • Find out more about OIDs
  • www.alvestrand.no/harald/objectid/

90
ASN 1 OID Registration Sites
  • Find out more about OIDs
  • www.alvestrand.no/harald/objectid/
  • Sites to obtain OIDs
  • Novell Developer Support
  • developer.novell.com/
  • Will allocate and register a schema prefix for
    you, and optionally allocate an OID sub-arc for
    you
  • Internet Assigned Numbers Authority (IANA)
  • www.isi.edu/cgi-bin/iana/enterprise.pl

91
Sample Schema Output
This LDIF file was generated by Novell's ICE and
the LDIF destination handler. version 1 dn
cnschema changetype add ldapSyntaxes (
1.3.6.1.4.1.1466.115.121.1.1 X-NDS_SYNTAX '9'
) ldapSyntaxes ( 1.3.6.1.4.1.1466.115.121.1.2
X-NDS_SYNTAX '9' ) ldapSyntaxes (
2.16.840.1.113719.1.1.5.1.6 X-NDS_SYNTAX '6'
) objectClass top objectClass
subschema objectClasses ( 2.5.6.0 NAME 'top'
DESC 'Standard ObjectClass' STRUCTURAL MUST
objectClass MAY (cAPublicKey CAPrivateKey
certificateValidityInterval authorityRevocation
lastReferencedTime equivalentToMe ACL
backLink binderyProperty Obituary
Reference revision certificateRevocation
usedBy GUID otherGUID DirXML-Associations
creatorsName modifiersName
unknownBaseClass unknownAuxiliaryClass
auditFileLink masvProposedLabel
masvDefaultRange masvAuthorizedRange )
X-NDS_NAME 'Top' X-NDS_NONREMOVABLE '1'
) objectClasses ( 2.5.6.7 NAME
'organizationalPerson' DESC 'Standard
ObjectClass' SUP person STRUCTURAL MAY
(facsimileTelephoneNumber l eMailAddress ou
physicalDeliveryOfficeName postalAddress
postalCode postOfficeBox st street
title mailboxLocation mailboxID uid mail
employeeNumber destinationIndicator
internationaliSDNNumber preferredDeliveryMetho
d registeredAddress teletexTerminalIdentifier
telexNumber x121Address businessCategory
roomNumber x500UniqueIdentifier ) X-NDS_NAMING
('cn' 'ou' 'uid' ) X-NDS_CONTAINMENT
('organization' 'organizationalUnit 'domain' )
X-NDS_NAME 'Organizational Person'
X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1'
) attributeTypes ( 2.5.18.1 NAME
'createTimeStamp' DESC 'Operational Attribute'
SINGLE-VALUE NO-USER-MODIFICATION SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 ) attributeTypes (
2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'Standard
Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
64 X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1')
92
Sample LDIF
  • dn cnschema
  • changetype modify
  • add attributetypes
  • attributetypes ( 2.16.840.1.113719.1.186.4.0
  • NAME 'aspenCourseName'
  • DESC 'The name of the course'
  • SYNTAX 1.3.6.1.4.1.1466.115.121.
    1.15
  • SINGLE-VALUE
  • )
  • If not present, this creates testAttr1, then
    adds a mapping to the just created or existing
    Test Attr 1 attribute

93
LDIF File ExampleinetOrgPerson
Full definition of the standard inetOrgPerson
as a separate class version 1 Delete the
existing class mapping "inetOrgPerson gt User"
class to allow "inetOrgPerson gt
inetOrgPerson". dn cnschema changetype
modify delete objectclasses objectclasses (
2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
X-NDS_NAME 'User') Add the inetOrgPerson object
class - 17 dn cnschema changetype modify add
objectclasses objectclasses ( 2.16.840.1.113730.3
.2.2 NAME 'inetOrgPerson' SUP organizationalPerson
MAY ( audio businessCategory carLicense
departmentNumber employeeNumber employeeType
givenName homePhone homePostalAddress
initials jpegPhoto labeledUri mail
manager mobile pager ldapPhoto
preferredLanguage roomNumber secretary uid
userCertificate userSMIMECertificate
x500UniqueIdentifier displayName )
X-NDS_CONTAINMENT ( 'country' 'locality'
'organizationalUnit' 'organization' 'domain' )
X-NDS_NAMING ( 'cn' 'uid' 'givenName' 'mail' 'sn'
) )
94
Schema Changes in eDirectory 8.5
  • Some attributes made public read, some made
    multivalued
  • New classes defineddomain and ndsLoginProperties
  • Syntax changed on existing attributes
  • Several classes changed to be containers
  • Some changed to be effective or added domain
    containment
  • O and OU added ndsLoginProperties
  • Device class now effective
  • Operational attributes
  • creatorsName
  • modifiersName
  • modifyTimeStamp
  • createTimeStamp

95
Schema Changes in eDirectory 8.6
  • Unlimited LDAP schema name sizeup to 63K long
    (was previously 64 characters)
  • Ability to have more that 63K total worth of
    schema name mappings (depending on size of names,
    was limited to less than 2000 mappings)
  • Ability to save and retrieve the description
    field from a schema definition
  • New schema definitions for dynamic groups and for
    persistent search

96
Schema Changes in eDirectory 8.7
97
Informational Draft
  • LDAP Schema for eDirectory document
  • http//search.ietf.org/internet-drafts/

98
The Novell Import Convert Export Tool
  • Features
  • Client/server (remote) architecture
  • LDIF import
  • LDIF export
  • Data migration between LDAP servers
  • Efficient
  • Availability
  • Included with eDirectory 8.5
  • ConsoleOne snap-in
  • Included in Novell Developer Kit (NDK)in C
    Libraries for LDAP
  • Command line only (developer use)

99
Architecture
100
ICE Engine
  • Orchestrates the interaction between source and
    destination handler
  • Provides logging facility
  • Provides an error LDIF logging facility
  • Writes all records that fail to an output file in
    LDIF format
  • Used to help debug import or export sessions
  • Can aid in dealing with rogue records

101
Currently Available Handlers
  • Source Handlers
  • LDIF
  • Reads in a LDIF data file
  • LDAP
  • Performs searches and retrieves LDAP data
  • Destination Handlers
  • LDIF
  • Writes to an LDIF data file
  • LDAP
  • Writes to an LDAP server
  • SupportsLBURP (up to 10 times faster adds),
    forward references, hashed passwords, and more

102
What Handlers Are Comingin the Future?
  • Source Handlers
  • DELIM
  • Reads in data from a delimited file
  • DirLoad
  • Generates data from a template and data files
  • For creating test trees and environments
  • ECM
  • Generates a LDAP record from an LDAP search
  • For example you can create a group from all
    usersthat are from Provo (L Provo)
  • SCH
  • Reads in data from a SCH file (SCH files are
    legacy NDS schema data files)

103
What Handlers Are Comingin the Future? (cont.)
  • Destination Handlers
  • DELIM
  • Writes to a delimited data file

104
Novell eDirectory Development Options
  • Broad range of SDKs available
  • Pick appropriate SDK based on
  • Information needed from Novell eDirectory
  • Are you looking for data from eDirectory or to
    manage the directory itself?
  • Operations you want to perform on eDirectory
  • Your preferred programming language
  • Protocol preference
  • LDAP
  • NDAP
  • HTTP

105
Novell LDAP Developers Guide
106
To Learn More About LDAP
  • www.LDAPZone.com
  • Novell LDAP Developer Guide
  • Novell NDS Developer Guide
  • DeveloperNet University
  • http//developer.novell.com/education/
  • http//developer.novell.com/nds/
  • http//developer.novell.com/nds/ndsldap.htm
  • http//developer.novell.com/ndk/doc/ldapover/

107
The LDAP Community
  • IETF LDAP discussions and proposals
  • www.ietf.org
  • www.ietf.org/maillist.html
  • IETF announcement list
  • E-mail ietf-announce-request_at_ietf.org
  • subj subscribe
  • body subscribe
  • IETF general discussion list
  • E-mail ietf-request_at_ietf.org
  • subj subscribe
  • body subscribe

108
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com