Title: Directory Development Fundamentals
Slide 1: Directory Development Fundamentals
- Ed Shropshire
- NDS Partner Programs
- Novell, Inc.
- eshropshire@novell.com
Slide 2: Vision and Mission
- Vision: one Net
  - A world where networks of all types (corporate and public, intranets, extranets, and the Internet) work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
- Mission
  - To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
Slide 4: Deployed Versions of Novell eDirectory and Novell Directory Services (NDS)

Product Version                    | Build Version         | Platforms
NetWare 5.1 SP4 (NDS 7)            | DS.nlm v7.57          | NetWare 5.1
NetWare 5.1 SP4 (NDS 8)            | DS.nlm v8.79          | NetWare 5.1
eDirectory 8                       | DS.nlm / DS.dlm v8.79 | NetWare 5.0, Win NT/2K
eDirectory 8.5.x                   | DS v85.23             | NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)         | DS.nlm v10110.20      | NetWare 6
eDirectory 8.6.1                   | DS v10210.43          | NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2)   | DS.nlm v10310.17      | NetWare 6
eDirectory 8.6.2                   | DS v103xx.xx          | NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                     | DS v10410.xx          | NW 5.1, NW 6, Win, Solaris, Linux, AIX
Slide 5: Differences Between eDirectory and NDS
- NDS: a NOS directory focused on managing NetWare servers (NetWare, NetWare 5)
- eDirectory: a cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network; eDirectory is the foundation for eBusiness (NetWare 6)
Slide 6: Novell one Net and eBusiness Vision
- Novell provides Net services software that gives organizations the ability to simplify the complexities of the Net, securely extend and integrate networks and applications between companies, and accelerate eBusiness transformations
- (Diagram: Net Services layered on Novell eDirectory, on NetWare)
Slide 7: What's New with Novell eDirectory
- Novell eDirectory 8.6.1 and 8.7
- Product of the Year (Network Magazine)
- The name: Novell eDirectory
- SunTone Certification
- Partner Redistribution Program
- Free eDirectory for Developers
- LDAPZone
- AIX
- LDAP 2000 Server Brand
- LDAP Java SDK
- LDAP Java Beans
Slide 8: Novell eDirectory Partner Redistribution Kit Program
- Get started
  - Download unlimited eDirectory licenses for development purposes: visit developer.novell.com/eDirectory/download.htm
- Get profitable
  - Offer commercial solutions that include FREE 250,000-user versions of eDirectory
  - Save each application customer up to a half-million US dollars in up-front licensing costs
- Visit developer.novell.com/eDirectory
Slide 9: Novell eDirectory Partner Redistribution Kit Program (cont.)
- OEMs/ISVs can (AT NO COST)
  - Distribute 250,000-user versions of eDirectory with each copy of their shipping products
  - Distribute full-featured versions of eDirectory to an unlimited number of application customers
  - Distribute the latest multi-OS version of eDirectory: Windows, Sun Solaris, Linux, NetWare, and IBM AIX (future)
  - Increase software/hardware/server sales
  - Rely on proven embedded technology
  - Build competitive advantage with added services and lower up-front deployment costs
Slide 10: LDAPzone.com
- Why LDAPzone?
  - Comprehensive: resources and information on everything LDAP
  - Community: share ideas, sample code, forums, tips and tricks
  - Directions: the latest LDAP news, updates and developments
- www.ldapzone.com
Slide 11: Novell Developer Offerings
- Support options
  - What you get if you pay
  - Benefits: 24-hour turnaround, developer labs, priority support, dedicated support contacts
- Certification
- Solutions search
- Developer labs
- Developer training
Slide 12: Novell eDirectory Architecture
(Architecture diagram; components shown: DirXML, OnDemand(SM), SSO, iChain, eGuide, eDirectory Management Framework, LDAP, NDAP, System Abstraction Layer (SAL), Access, Utilities (Repair, Merge, Backup), Schema, Maintenance, Security, Replication, iManage, iMonitor, iInstall, Storage Management Interface (SMI), Database, AIX)
Slide 13: Net Directory Service Solutions
- eDirectory
- Novell Account Management
- Novell Authentication Services
Slide 14: 168 Applications Before Zero-Day Start
Slide 15: One Net Simplifies Business Processes
(Diagram; protocols shown: SSL, XML, IP, LDAP)
Slide 16: Enlightened Workforce (Intelligent Portal)
Slide 17: The Three Views of Novell eDirectory
- Let's take a look at it from a different perspective
Slide 18: What Makes It Different?
- Extensible schema
- Inherited rights
- Multi-master replication
- Filtered replica
- Referential integrity
- Scalable data store
- Multi-protocol support (discovery and access protocols)
- Multi-authentication support
- Developer interfaces
- Platform support
Slide 19: eDirectory Features
- Filtered replica: a new replica type that enables flexible control of what's replicated, down to the attribute level
- LDAP support: LDAP v3 support including SSL, OpenLDAP SDK, improved search speed
- Improved administration tools: monitoring and repair tools in ConsoleOne, the ICE (Import/Convert/Export) utility, the iMonitor utility
- ADSI provider: translates ADSI calls into LDAP; applications developed to ADSI are fully supported
- DirXML support: provides the foundation for integrating network information for any system, application, device, etc.
- Cross-platform support: already runs on NetWare, NT 4, Linux, Windows 2000 and Solaris; looking at other UNIX and mainframe platforms (e.g., AIX)
Slide 20: What is LDAP?
LDAP began life as an attempt to simplify access to X.500 (DAP) directories, thus the name Lightweight Directory Access Protocol.
- A standardized protocol for accessing X.500 directories
- A version of DAP that contains less code than DAP
- An enabled client with TCP/IP access to X.500 directories
- Lightweight means you don't have to manage all of the connection overhead in your application
- Lightweight doesn't mean limited access functionality
- LDAP is a client-server protocol
Slide 21: Technical LDAP Benefits
- Applications can be directory-neutral
- Directories can be interchanged
- Note: not all directories are equal
Slide 22: Overview
- LDAP is a client/server access protocol
- LDAP also describes a data model (ACI, schema, replication)
- LDAP is controlled by the IETF community
- LDAP certifications
  - Works with LDAP (for applications) and LDAP 2000 (for servers)
  - Novell is a founding member of the Interoperability Forum/Open Group
Slide 23: One Net and LDAP
- Current widespread standard for access to directory information
- Core protocol used by Net services software
Slide 24: Novell eDirectory SDK
- Everything to integrate with eDirectory
- Libraries, tools, sample code, and documentation
- Platforms (server and workstation)
  - NetWare
  - Windows 2000
  - NT
  - Windows 95/98
  - Solaris, Linux
- http://developer.novell.com/ndk/ndssdk.htm
Slide 29: Novell ODBC Driver for eDirectory
- ODBC driver specifically designed to query and retrieve eDirectory data
- Supports standard SQL statements
- Makes reporting and retrieving data quick and easy
- Abstracts the directory tree into accessible relational database tables
- Hides the complexity of the underlying directory syntax
Slide 30: How ODBC Maps eDirectory Data
- Mapping eDirectory data to relational tables
  - eDirectory hierarchical directory data is mapped to a flattened relational database table
  - eDirectory object classes correspond to the tables
  - eDirectory class attributes correspond to columns of the table
  - Entries correspond to rows of the table
Slide 31: Troubleshooting Novell ODBC Driver
- Common problems
  - Insufficient resources
    - Select fewer attributes, or name the attributes you need rather than using a wildcard to include all attributes
    - Examine the attributes you select to ensure that only a few of them are multi-valued
    - Restrict the number of objects selected by specifying only one container
  - Insufficient eDirectory rights: the driver can only return what the identity it binds as is allowed to read
  - SQL statement errors
    - Use the correct table and column names in SQL statements
    - The driver provides read-only access to eDirectory, so statements that write fail
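The mapping on the two slides above (object class to table, attribute to column, entry to row) is easy to state and easy to underestimate. The block below is an added example, not the Novell driver's code, that flattens constructed sample entries the same way and shows why the troubleshooting advice matters: every multi-valued attribute in the SELECT list multiplies the rows for an entry, and scoping to one container cuts the result down. The entries and DNs are made up for the example.

```python
"""Flatten directory entries into relational rows the way the ODBC slides
describe the mapping (object class -> table, attribute -> column, entry -> row).

Added example, not the Novell driver's code. Entries are constructed sample
data, not output from a real tree.
"""
from __future__ import annotations

from itertools import product
from math import prod

# Constructed sample entries: LDAP attribute values are always lists.
SAMPLE_ENTRIES = [
    {"dn": "cn=jdoe,ou=eng,o=novell", "objectClass": ["inetOrgPerson"],
     "cn": ["jdoe"], "sn": ["Doe"],
     "mail": ["jdoe@example.com", "john.doe@example.com", "jd@example.com"],
     "telephoneNumber": ["+1 555 0100", "+1 555 0101", "+1 555 0102"]},
    {"dn": "cn=asmith,ou=sales,o=novell", "objectClass": ["inetOrgPerson"],
     "cn": ["asmith"], "sn": ["Smith"],
     "mail": ["asmith@example.com"], "telephoneNumber": []},
]


def rows_for_entry(entry: dict, columns: list[str]) -> int:
    """Rows the flattening produces for one entry: the product of the value
    counts of the selected columns (an absent/empty attribute gives one NULL row)."""
    return prod(max(1, len(entry.get(col, []))) for col in columns)


def entries_to_rows(entries: list[dict], columns: list[str],
                    container: str | None = None) -> list[dict]:
    """SELECT <columns> FROM <table>: one row per combination of attribute values.

    container, when given, keeps only entries under that DN (the
    'specify only one container' advice from the troubleshooting slide).
    """
    rows = []
    for entry in entries:
        if container and not entry["dn"].lower().endswith("," + container.lower()):
            continue
        value_lists = [entry.get(col) or [None] for col in columns]   # [] -> NULL
        for combo in product(*value_lists):            # relational cross product
            rows.append(dict(zip(columns, combo)))
    return rows


if __name__ == "__main__":
    cols = ["cn", "mail", "telephoneNumber"]
    for e in SAMPLE_ENTRIES:
        print(e["dn"], "->", rows_for_entry(e, cols), "rows")
    print(len(entries_to_rows(SAMPLE_ENTRIES, cols)), "rows total")
    print(len(entries_to_rows(SAMPLE_ENTRIES, cols, "ou=eng,o=novell")), "rows under ou=eng")
```

With three mail values and three phone numbers, jdoe alone becomes nine rows; selecting only cn and sn brings the whole result back to one row per entry.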
Slide 33: Novell eDirectory LDAP Compliance
- Novell LDAP SDKs fully implement
  - IETF draft for the C interface: draft-ietf-ldapext-c-api-05.txt
  - IETF draft for the Java interface: draft-ietf-ldapext-java-api-13.txt
- eDirectory supports all LDAP version 3 required functionality
  - IETF RFCs 2247, 2251, 2252, 2253, 2254, 2255 and 2256
- eDirectory also supports most optional functionality
Slide 34: More About LDAP
- Users are given a server view rather than a tree view
- LDAP uses UTF-8 encoding of character strings, allowing strings of any language to be used in the API
- LDAP servers listen on two TCP/IP ports
  - 389: clear-text connections (credentials and data are readable on the wire)
  - 636: secure connections using SSL
- An LDAP bind (connection) is an eDirectory login
- LDAP requires that individual users have passwords
- A bind with no password is interpreted as an anonymous bind, not as a failed login; an application must reject an empty password before it binds, or a blank password field "logs in" as anonymous
- LDAP specifies no file access mechanisms
- Novell eDirectory event mechanism coming soon
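To make the two security points on this slide concrete (clear text on 389, and "no password" meaning an anonymous bind), here is an added example that encodes an LDAPv3 simple BindRequest by hand in pure Python. It is not code from the presentation or from the Novell SDKs; the DN and password are made up. The encoder refuses an empty password, which is the check an application has to make itself because the server will not fail the bind (RFC 2251 section 4.2; RFC 4513 section 5.1.2 calls this an unauthenticated bind).

```python
"""BER encoding of an LDAPv3 simple BindRequest, with the empty-password check.

Added example (pure Python, no LDAP library); not from the presentation or
the Novell SDKs. The bytes produced are what a client sends on port 389.
"""
from __future__ import annotations

BER_SEQUENCE = 0x30
BER_INTEGER = 0x02
BER_OCTET_STRING = 0x04
APP0_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
CTX0_SIMPLE = 0x80         # AuthenticationChoice: simple [0] OCTET STRING


def ber_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(value: int) -> bytes:
    """Non-negative INTEGER in minimal two's complement (leading 0x00 if the high bit is set)."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return ber_tlv(BER_INTEGER, body)


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    Refuses an empty password: a server treats "DN + empty password" as an
    unauthenticated bind and typically grants anonymous access, so a login
    form that passed it through would succeed for any user name with a blank
    password field.
    """
    if not bind_dn:
        raise ValueError("empty DN: if you want anonymous access, request it explicitly")
    if not password:
        raise ValueError("empty password would be an anonymous bind; refusing")
    bind_request = ber_tlv(
        APP0_BIND_REQUEST,
        ber_integer(3)                                          # LDAP version
        + ber_tlv(BER_OCTET_STRING, bind_dn.encode("utf-8"))    # name (LDAPDN)
        + ber_tlv(CTX0_SIMPLE, password.encode("utf-8")),       # simple auth
    )
    return ber_tlv(BER_SEQUENCE, ber_integer(message_id) + bind_request)


def password_visible_on_wire(message: bytes, password: str) -> bool:
    """What a sniffer on port 389 sees: the password octets are in the clear."""
    return password.encode("utf-8") in message


if __name__ == "__main__":
    msg = build_simple_bind(1, "cn=admin,o=novell", "secret")
    print(msg.hex(" "))
    print("password readable on the wire:", password_visible_on_wire(msg, "secret"))
```

Run it and the hex dump shows the DN and the password as plain octets inside the message; the same request on port 636 would be wrapped in SSL, which is the only thing that hides them.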
Slide 35: Novell Extensions to LDAP
- Novell LDAP extensions
  - Partitions: split, join, get number of entries, abort operation
  - Replicas: add, remove, change type, list on server, return information
  - Replica synchronization: to a specified server, to all replicas, at a specified time
  - Schema synchronization
  - Get effective eDirectory rights for attributes
  - Get DN of logged-in caller
  - Restart the LDAP server
Slide 37: LDAP Class Libraries for Java
- Now available on the Novell Developer Kit (NDK)
- Conforms to the IETF LDAP Java interface
  - Sockets, threads, queues, connection manager
  - Referrals
  - Schema management
  - Security: SSL and SASL
  - Extensions and controls
- Exposes additional classes and methods
  - ASN.1/BER protocol methods (APIs)
Slide 38: Benefits of LDAP Libraries for Java
- Classes and methods reflect the LDAP protocol
- Small footprint
- Easy to learn and use
- Synchronous and asynchronous interfaces
- Pure Java solution
- Extensions for eDirectory management
- Tuned and tested with eDirectory
- Works with other LDAP-aware directories
- SSL secured through Novell Security Technologies
- Open source available on the OpenLDAP site: www.openldap.org
Slide 40: What is JNDI?
- Java Naming and Directory Interface (JNDI)
- An addition to JavaSoft's enterprise API set
- Object-oriented look and feel
- Abstracted view
  - Naming-system neutral, enabling many different service providers to be accessed via the same interface
  - Promotes interaction between naming systems
- Provider issues tend to show through
  - Providers may or may not be pure Java
  - Platform support is provider-dependent
  - Providers tend to be vendor-specific
Slide 42: Use Novell LDAP Libraries for C
- Why use the Novell LDAP Libraries for C rather than other SDKs
  - Extensions for eDirectory management
  - Tuned and tested for eDirectory
  - Works with other LDAP-aware directories
  - Available on NetWare, Windows, UNIX
  - Supported by Novell Worldwide Developer Support
  - Internationalized and localized
  - SSL-secured through Novell Security Technologies
- LDAP Libraries for C open source
  - The Novell LDAP Libraries for C leverage www.OpenLDAP.org
Slide 44: Novell JDBC Driver for eDirectory
- Conforms to the JDBC specification
- Requires the JNDI LDAP service provider for eDirectory
- Supports standard SQL statements
- Abstracts the directory tree into accessible relational database tables
- Hides the complexity of the underlying directory syntax
- Provides read-only access to eDirectory
Slide 46: Novell Controls for ActiveX
- Application Administration (NWAppA)
- Bindery (NWBind)
- Browser (NWBrowse)
- Catalog Administration (NWCatA)
- Client and Server Socket (NWCliSkt and NWSvrSkt)
- Directory (NWDir)
- Directory Administration (NWDirA)
- Directory Authenticator (NWDirAuth)
- Directory Query (NWDirQ)
- Internet Directory (NWIDir)
- Internet Directory Query (NWIDirQ)
- Internet Directory Entries (NWIDirE)
- NDPS Printer Administration (NWDPPrtA)
- Network Selector (NWSelect)
- Peer Socket (NWPrSkt)
- Print Queue Administration (NWPQA)
- Print Server Administration (NWPSA)
- SecretStore (NWSecStr)
- Server Administration (NWSrvA)
- Session Management (NWSess)
- User Group (NWUsrGrp)
- Volume Administration (NWVolA)
Slide 48: Beans for Novell eDirectory
- eCommerce LDAP beans
  - Components for integrating web applications with LDAP directories
  - Enabling authentication
  - Read/write directory access
  - Contextless login
  - SSL security
- NDS bean
  - Enables access to and manipulation of eDirectory entries
  - Dependent upon the Novell class libraries for Java
  - Requires the Novell Client
Slide 49: Scripting Options
- Third-party scripting options
  - Perl
  - Python
  - PHP
- Visit LDAPZone for a complete list and options: www.LDAPZone.com
Slide 50: Supercharge Your Web Applications with Novell eDirectory
- Realize the benefit of using Novell eDirectory to personalize web server applications
- The objective of this seminar is to provide ideas and examples that will assist you in developing and deploying more powerful and flexible web-based applications
Slide 51: Why Tie Web Applications to Novell eDirectory?
- Enhance and strengthen business relationships by allowing secure access to information and applications
- Provide the ability to simply and securely provide access to personalized and sensitive information
- This may be the difference between gaining or disappointing a customer or partner
Slide 52: Use Novell eDirectory to
- Store identity profiles
- Control data access
- Maintain customer identity relationships
- Manage user security
- Manage data at the network level
- Abstract service locations
- Increase throughput
Slide 53: HTTP is Stateless
- To enable session tracking, utilize
  - Realms: the browser passes the user name and password with each request (HTTP authentication)
  - Hidden form fields: hidden input types that are not displayed when the page is rendered by the browser
  - Cookies: a keyed piece of data created by the server and stored by the client browser
  - URL rewriting: the requested URL is modified to include a session ID
  - Servlet HttpSession objects: enable name/value pairs to be stored per session
Slide 54: Use Novell eDirectory to Track Sessions
- Take advantage of GUIDs
  - Identify who is accessing the site
  - GUIDs eliminate the need to store personal data in the session
  - GUIDs are globally unique across all trees and servers
  - eDirectory automatically creates a GUID for each new entry
  - GUIDs do not change throughout the life of the object
  - Administrators may want to create an index on GUID to enhance response time
- GUID (Globally Unique Identifier) is an operational attribute
Slide 55: Use Novell eDirectory to Personalize the User Experience
- Case example (CNN)
  - Provides worldwide news, sports, financial data and other information
  - Customized and personalized advertising and content, using the GUID as a cookie
  - Customization is transparent to the user
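Slides 53 to 55 describe using the entry's GUID as the session cookie. The caveat a practitioner adds is that a bare GUID in a cookie is a bearer token: whoever learns or guesses one is that user for every request. The block below is an added example (standard-library Python), not part of the presentation or of the CNN deployment it describes; it keeps the GUID as the lookup key but binds it to an HMAC tag and an expiry so a forged or replayed-after-expiry cookie fails verification. The server key, GUID bytes and cookie name are constructed for the example.

```python
"""HMAC-signed session cookie carrying an eDirectory GUID.

Added example (Python standard library only); not from the presentation or
the CNN deployment it describes. The key and GUID values are placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "edir_guid"
TTL_SECONDS = 8 * 3600
SERVER_KEY = secrets.token_bytes(32)   # placeholder; load from a secret store in production


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(guid: bytes, key: bytes = SERVER_KEY, now: int | None = None) -> str:
    """Return '<b64 guid>.<expiry>.<b64 hmac>' for a 16-octet eDirectory GUID."""
    if len(guid) != 16:
        raise ValueError("eDirectory GUIDs are 16 octets")
    if now is None:
        now = int(time.time())
    payload = f"{_b64(guid)}.{now + TTL_SECONDS}"
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY, now: int | None = None) -> bytes | None:
    """Return the GUID if the tag and expiry check out, otherwise None.

    The tag is checked first, in constant time, over the signed text exactly
    as it appears in the cookie, so nothing the client controls is trusted
    before the signature has been verified.
    """
    try:
        guid_b64, expiry_str, tag_b64 = cookie.split(".")
        signed = f"{guid_b64}.{expiry_str}".encode("ascii")
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag_b64), expected):
            return None
        if now is None:
            now = int(time.time())
        if now >= int(expiry_str):
            return None
        guid = _unb64(guid_b64)
    except ValueError:          # wrong field count, bad base64, non-integer expiry
        return None
    return guid if len(guid) == 16 else None


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie with the attributes a session identifier should carry."""
    return f"Set-Cookie: {COOKIE_NAME}={cookie}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    demo_guid = secrets.token_bytes(16)          # stands in for the entry's GUID value
    cookie = make_cookie(demo_guid)
    print(set_cookie_header(cookie))
    print("verified GUID matches:", verify_cookie(cookie) == demo_guid)
```

The directory lookup stays the same as on the slides (search on the GUID attribute, ideally indexed); only the cookie format changes. The Secure and HttpOnly attributes keep the token off port 80 and away from page scripts.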
Slide 56: CNN eDirectory Architecture
(Diagram: Netscape web servers on Solaris (CNN web farm) with ad injection; browser cookie over HTTP; LDAP client to eDirectory behind the internal firewall)
- eDirectory on NetWare and Solaris: development servers
  - Compaq 1850R, 2 GB RAM / 72 GB RAID 0, 1 Intel Pro/100 Server Adapter
  - Sun SPARC U60, Solaris 2.6
- eDirectory on NetWare 5: load directory servers
  - Compaq 6400R, 2 GB RAM / 72 GB RAID 0, 1 Intel Pro/100 Server Adapter
- eDirectory on NetWare 5: staging server
  - Compaq 1850R, 2 GB RAM / 72 GB RAID 0, 1 Intel Pro/100 Server Adapter
Slide 57: Tune Your Application and eDirectory to Achieve High Throughput
- Filter the scope of data searches
- Create well-formed schema extensions
- Tune eDirectory
  - Tune memory/cache
  - Use proper tree design
  - Co-locate servers
  - The distributed nature of eDirectory gives better throughput
  - Utilize filtered replicas
  - Index on critical attributes
Slide 58: Directory Services and Databases
- Let's look at the strengths and weaknesses of both
- When are they exclusive of each other?
- When do they complement each other?
- The whys and wherefores
Slide 59: Directory Services and Databases (cont.)
- Directory service strengths
  - Fast on the read
  - Distributed
  - Object-oriented
  - Hierarchical
  - Standardized schema
  - Replication
  - Attributes can be multi-valued
- Relational database strengths
  - Designed to handle transactions
  - Schema tuned for exact application needs
  - Can be modeled to handle very complex needs
  - Data integrity built in
  - Management of data failures
Slide 60: When to Use What?
- Each has its own best use
- Directories are used most often for
  - Authentication
  - Authorization
  - Personalization
- RDBMSs are used most often for
  - Transaction processing
  - Highly volatile data
  - Very complex data requirements
- Examples of each usage
Slide 61: Making the Choice
- Frequency of data modifications
- Primary data requirements
- Security
- Flexibility
- Model the data needs
- Determine transactional requirements
Slide 62: What Is So Important About Schema?
- It sets some structure
- Provides a framework
- Identifies syntax
- Schema = data dictionary
Slide 63: What Is in the Schema?
- Object classes
- Attribute types
- Syntaxes
- Matching rules
- Naming and containment rules
Slide 64: eDirectory Has an Extensible Schema
- You can extend the schema; you do not change the base schema
  - Create new classes
  - Add optional attributes
  - Use auxiliary classes
  - Delete non-base classes that do not have any object instantiated
  - Delete attributes that are not used in any classes
- Schema extensions do not impact directory performance
Slide 65: Extension Options
- You can make extensions programmatically or by using an LDIF file with the ldapmodify utility
- Programmatically
  - Easier to control
  - Not as many files
- LDIF
  - No need to recompile changes
  - Easy to run multiple times
Slide 66: New Schema Recommendations
- Determine the exact purpose of new classes and attributes
- Don't define anything for future use
- Remember to include the domain containment
- Understand any flags you use
- Use auxiliary classes whenever possible
- Don't add new attributes to existing classes if possible
- Reuse/extend existing schema definitions
  - If the change is small, extend the existing definition rather than defining a new one
- Add your attributes first, then your classes
Slide 67: Syntaxes
- Define what your data looks like
- Not extensible
- eDirectory supports LDAP equivalents of the eDirectory syntaxes
- Recommendations
  - For readability, limit use of octet string
Slide 68: Matching Rules
- Equality: defines how two values are compared, e.g., caseIgnoreMatch
- Ordering: used to determine if a value is greater or less than another value
- SUBSTR: defines the way substring matches work
Slide 69: Attribute Types
- An attribute type is a string value containing various fields
- What makes up an attribute
  - ASN.1 identifier: the OID acts as a unique identifier
  - Human-readable name
  - A description
  - Matching rules
  - Syntax
  - Flags, e.g., whether the attribute is single-valued
Slide 70: Attribute Type Example
  ( 2.5.4.20
    NAME 'telephoneNumber'
    DESC 'Standard Attribute'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )

  ( 2.5.4.28
    NAME 'preferredDeliveryMethod'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
    SINGLE-VALUE )
Slide 71: Attribute Types (cont.)
- MUST (mandatory attributes)
  - In LDAP these are referred to as MUST
  - When you create an object of this type, you must populate these attributes
  - You cannot add MUST attributes to a class once objects have been created from it
- MAY (optional attributes)
  - In LDAP these are referred to as MAY
  - eDirectory does not store these attributes with an object unless they have a value
  - You can add more optional attributes to a class after the class is created
Slide 72: LDAP Attribute Options
- NO-USER-MODIFICATION: equivalent to non-removable in eDirectory
- SINGLE-VALUE: the default is multi-valued
- Upper bound: specified in braces after the syntax OID, e.g., SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64}
Slide 73: Operational Attributes
- Standard
  - modifyTimeStamp
  - createTimeStamp
  - modifiersName
  - creatorsName
  - subschemaSubentry
- eDirectory-specific
  - structuralObjectClass (baseClass)
  - subordinateCount
  - entryFlags
Slide 74: Object Class Types
- Structural (default): used to create entries
- Abstract: a building-block class used for sub-classing
- Auxiliary: used to add attributes to existing entries
- If the type is not specified, the default is structural
Slide 75: Object Class Definition
- ASN.1 identifier: object ID (OID)
- Human-readable name
- List of superior object classes
- Kind identifier (STRUCTURAL, ABSTRACT or AUXILIARY)
- List of required (MUST) attributes
- List of optional (MAY) attributes
Slide 76: Example of Object Class Definition
  ( 2.5.6.6
    NAME 'person'
    SUP top
    STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
Slide 77: Defining a New Object Class: SUP (Inheritance)
- This is the class you inherit from
- Your class automatically gets the attributes of the parent, as well as any additional ones that you specify
- Multiple levels of inheritance are possible
- You can add superclasses starting in eDirectory 8.5
Slide 78: Naming
- The naming list specifies which attributes can be used to name the object
- Naming can be specified in LDAP with the X-NDS_NAMING option
- The naming attribute can be multi-valued
- Complete control over how to name and access the object
- Defaults (if not supplied)
  - Inherit from the superclass definition if possible
  - Otherwise, the combination of all string attributes in the MUST and MAY lists
Slide 79: Naming (cont.)
- Registered prefixes
  - Provide uniqueness
  - Distinguish your extensions
  - Available from Novell
- LDAP mappings
  - Provide LDAP accessibility to eDirectory schema
  - Automatic in eDirectory as long as you use valid LDAP names
  - Can be set for non-compatible names
Slide 80: Containment
- Containment identifies the other object types that can contain this class
- Note that this is not the container flag
- If a class is a container, it can be defined to be able to contain itself
- Containment is now modifiable in eDirectory 8.5: you can add containment
Slide 81: Containment (cont.)
- Containment can be specified in LDAP with the X-NDS_CONTAINMENT option
- The defaults if not supplied are
  - Inherit from the superclass definition, if possible
  - Otherwise C, L, O, OU, and domain
Slide 82: Auxiliary Classes
- Auxiliary (or aux) classes are a collection of attributes
- Aux classes are applied at the object level
  - Only the objects that need the attributes have them
  - Doesn't change the object class definition
Slide 83: Using Auxiliary Classes
- Two steps
  - Modify the objectClass attribute of an existing object to include the aux class name
  - Write values to the attributes as you would any other attributes for that class
- Easy to remove
  - Delete the aux class name from the objectClass attribute
- Note: auxiliary classes are available from eDirectory 8 and beyond
Slide 84: X-NDS Class Options
- The changes you can make to class definitions using the X-NDS options are
  - Flags: X-NDS_NOT_CONTAINER, X-NDS_NONREMOVABLE
  - Containment: X-NDS_CONTAINMENT
  - Naming: X-NDS_NAMING
  - Mapping: X-NDS_NAME
- All X-NDS options have default values
Slide 85: X-NDS Attribute Options
- Most attribute options are flags
  - X-NDS_PUBLIC_READ (the attribute becomes readable by anyone, including anonymous binds, regardless of ACLs, so never set it on sensitive data)
  - X-NDS_SERVER_READ
  - X-NDS_NEVER_SYNC (NDS per-replica flag)
  - X-NDS_NOT_SCHED_SYNC_IMMEDIATE
  - X-NDS_SCHED_SYNC_NEVER
  - X-NDS_NAME_VALUE_ACCESS (NDS write-managed flag)
- One other attribute option: X-NDS_LOWER_BOUND
Slide 86: Schema Naming Recommendations
- LDAP schema name valid character set
  - Alphanumeric characters and dash
  - First character must be a letter
  - Nothing else
- Name format
  - Lowercase prefix, followed by words with an uppercase initial
  - Old: MYAPP:New Attribute Name
  - New: myappNewAttributeName
- Don't use delimiter characters
Slide 87: Schema Naming Recommendations (cont.)
- If you follow the naming rules, LDAP mappings for the names are not needed
- If you haven't followed the rules in the past (or future), then mappings are needed for access to schema items via LDAP
- What are mappings, anyway?
  - The eDirectory name "Object Class" maps to the LDAP name objectClass
Slide 88: Schema Available Definitions
- LDAP ships with a subset of inetOrgPerson mapped to the eDirectory User class
- Schema extensions are available for
  - Full inetOrgPerson mapped to eDirectory User
  - Full inetOrgPerson
  - residentialPerson
  - newPilotPerson
- www.novell.com/products/nds/schema/index.html
Slide 89: ASN.1 OIDs and Prefixes
- What is an OID?
  - Novell's base OID: 2.16.840.1.113719
  - joint-iso-ccitt(2) country(16) us(840) organization(1) Novell(113719)
- LDAP allows access via the OID
- Be sure to have OIDs for your application
- How do you use your allocated sub-arc?
  - 2.16.840.1.113719.2.<a>.4.<x>.<v> for attributes
  - 2.16.840.1.113719.2.<a>.6.<x>.<v> for classes
  - <a> is your assigned sub-arc value
  - <x> is the sequence number you assign
  - <v> is the version number you assign
- Find out more about OIDs: www.alvestrand.no/harald/objectid/
Slide 90: ASN.1 OID Registration Sites
- Find out more about OIDs: www.alvestrand.no/harald/objectid/
- Sites to obtain OIDs
  - Novell Developer Support: developer.novell.com/ (will allocate and register a schema prefix for you, and optionally allocate an OID sub-arc for you)
  - Internet Assigned Numbers Authority (IANA): www.isi.edu/cgi-bin/iana/enterprise.pl
Slide 91: Sample Schema Output
  # This LDIF file was generated by Novell's ICE and the LDIF destination handler.
  version: 1
  dn: cn=schema
  changetype: add
  ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.1 X-NDS_SYNTAX '9' )
  ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.2 X-NDS_SYNTAX '9' )
  ldapSyntaxes: ( 2.16.840.1.113719.1.1.5.1.6 X-NDS_SYNTAX '6' )
  objectClass: top
  objectClass: subschema
  objectClasses: ( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' STRUCTURAL
    MUST objectClass
    MAY ( cAPublicKey $ CAPrivateKey $ certificateValidityInterval $ authorityRevocation $
    lastReferencedTime $ equivalentToMe $ ACL $ backLink $ binderyProperty $ Obituary $
    Reference $ revision $ certificateRevocation $ usedBy $ GUID $ otherGUID $
    DirXML-Associations $ creatorsName $ modifiersName $ unknownBaseClass $
    unknownAuxiliaryClass $ auditFileLink $ masvProposedLabel $ masvDefaultRange $
    masvAuthorizedRange )
    X-NDS_NAME 'Top' X-NDS_NONREMOVABLE '1' )
  objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'Standard ObjectClass'
    SUP person STRUCTURAL
    MAY ( facsimileTelephoneNumber $ l $ eMailAddress $ ou $ physicalDeliveryOfficeName $
    postalAddress $ postalCode $ postOfficeBox $ st $ street $ title $ mailboxLocation $
    mailboxID $ uid $ mail $ employeeNumber $ destinationIndicator $
    internationaliSDNNumber $ preferredDeliveryMethod $ registeredAddress $
    teletexTerminalIdentifier $ telexNumber $ x121Address $ businessCategory $
    roomNumber $ x500UniqueIdentifier )
    X-NDS_NAMING ( 'cn' 'ou' 'uid' )
    X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain' )
    X-NDS_NAME 'Organizational Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )
  attributeTypes: ( 2.5.18.1 NAME 'createTimeStamp' DESC 'Operational Attribute'
    SINGLE-VALUE NO-USER-MODIFICATION SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
  attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'Standard Attribute'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1' )
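Slides 70, 76 and 84 to 85 describe the fields of an attribute type or object class definition, and the ICE output above shows the real thing. The block below is an added example, not code from the presentation or from Novell, that parses these RFC 2252-style definitions into a dictionary, including the `SYNTAX oid{bound}` form and the X-NDS_* options, so a review script can answer questions such as "which attributes are public-read" or "what can name this class" without reading the output by eye. The sample definitions are the slide's own, with the `$` separators, quotes and braces that the slide extraction dropped restored.

```python
"""Parser for LDAPv3 schema definitions (RFC 2252 syntax) such as the ones
ICE exports from cn=schema.

Added example; not code from the presentation or from Novell. Handles
attributeTypes and objectClasses descriptions including X-NDS_* options.
"""
from __future__ import annotations

import re

_LIST_KEYWORDS = {"NAME", "SUP", "MUST", "MAY"}          # value may be a list
_FLAG_KEYWORDS = {"STRUCTURAL", "ABSTRACT", "AUXILIARY", "SINGLE-VALUE",
                  "NO-USER-MODIFICATION", "OBSOLETE", "COLLECTIVE"}
# Tokens: quoted string, parenthesis, '$' separator, or a bare word.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")

# Sample definitions from the slide, with dropped punctuation restored.
CN_ATTRIBUTE = (
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'Standard Attribute' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1' )"
)
CREATE_TIMESTAMP = (
    "( 2.5.18.1 NAME 'createTimeStamp' DESC 'Operational Attribute' "
    "SINGLE-VALUE NO-USER-MODIFICATION SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )"
)
ORG_PERSON_CLASS = (
    "( 2.5.6.7 NAME 'organizationalPerson' DESC 'Standard ObjectClass' "
    "SUP person STRUCTURAL MAY ( facsimileTelephoneNumber $ l $ ou $ title ) "
    "X-NDS_NAMING ( 'cn' 'ou' 'uid' ) "
    "X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain' ) "
    "X-NDS_NAME 'Organizational Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )"
)


def tokenize(text: str) -> list[str]:
    return _TOKEN.findall(text)


def _read_value(tokens: list[str], i: int) -> tuple[list[str], int]:
    """Read one token or a parenthesised list starting at i; strip quotes and '$'."""
    if tokens[i] == "(":
        values, i = [], i + 1
        while tokens[i] != ")":
            if tokens[i] != "$":
                values.append(tokens[i].strip("'"))
            i += 1
        return values, i + 1
    return [tokens[i].strip("'")], i + 1


def parse_schema_definition(text: str) -> dict:
    """Return {'oid', 'name', 'desc', 'sup', 'must', 'may', 'syntax',
    'upper_bound', 'flags', 'x_nds', ...} for one definition."""
    tokens = tokenize(text)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    result: dict = {"oid": tokens[1], "flags": [], "x_nds": {}}
    i = 2
    while i < len(tokens) - 1:                  # stop before the closing ')'
        keyword = tokens[i]
        if keyword in _FLAG_KEYWORDS:
            result["flags"].append(keyword)
            i += 1
            continue
        values, i = _read_value(tokens, i + 1)
        if keyword == "SYNTAX":
            m = re.fullmatch(r"([\d.]+)(?:\{(\d+)\})?", values[0])
            if not m:
                raise ValueError(f"bad SYNTAX value {values[0]!r}")
            result["syntax"] = m.group(1)
            if m.group(2):
                result["upper_bound"] = int(m.group(2))
        elif keyword.startswith("X-NDS_"):
            result["x_nds"][keyword] = values if len(values) > 1 else values[0]
        elif keyword in _LIST_KEYWORDS:
            result[keyword.lower()] = values
        else:                                   # DESC, EQUALITY, ORDERING, SUBSTR, USAGE
            result[keyword.lower()] = values[0]
    return result


def user_modifiable(defn: dict) -> bool:
    """False for operational attributes clients must not write (NO-USER-MODIFICATION)."""
    return "NO-USER-MODIFICATION" not in defn["flags"]


if __name__ == "__main__":
    for text in (CN_ATTRIBUTE, CREATE_TIMESTAMP, ORG_PERSON_CLASS):
        print(parse_schema_definition(text))
```

Feeding it every `attributeTypes:` line of an ICE export (unfolding LDIF continuation lines first) gives a quick inventory of which attributes carry X-NDS_PUBLIC_READ or lack NO-USER-MODIFICATION, which is what a rights review of a schema extension actually needs.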
Slide 92: Sample LDIF
  dn: cn=schema
  changetype: modify
  add: attributeTypes
  attributeTypes: ( 2.16.840.1.113719.1.186.4.0
    NAME 'aspenCourseName'
    DESC 'The name of the course'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    )
- If the attribute is not already present, this creates it. A definition that also carries an X-NDS_NAME option (for example NAME 'testAttr1' with X-NDS_NAME 'Test Attr 1') creates testAttr1 if needed and then adds a mapping to the just-created or already existing "Test Attr 1" eDirectory attribute
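Slides 65, 66, 83, 86 and 89 together describe one procedure: pick a registered prefix and OID sub-arc, name the attributes by the LDAP naming rules, add the attributes before the class, group them in an auxiliary class rather than touching a base class, and apply the aux class to an entry in two steps. The block below is an added example, not the presentation's LDIF or a Novell tool, that carries that procedure through as a small LDIF generator. It assumes the organisation holds a sub-arc `<a>` under 2.16.840.1.113719.2 with attributes on the `.4.` branch and classes on the `.6.` branch as the OID slide lays out, and a lowercase registered prefix; the prefix `myapp`, sub-arc `999`, attribute names and entry DN are placeholders.

```python
"""Generate LDIF for an eDirectory schema extension and for applying the
resulting auxiliary class to an entry.

Added example (Python standard library); not from the presentation or from
Novell. Prefix, sub-arc, names and DNs below are placeholders.
"""
from __future__ import annotations

import re

NOVELL_BASE = "2.16.840.1.113719.2"
ATTRIBUTE_BRANCH = 4           # 2.16.840.1.113719.2.<a>.4.<x>.<v> per the OID slide
CLASS_BRANCH = 6               # 2.16.840.1.113719.2.<a>.6.<x>.<v>
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")   # letters, digits, dash; leading letter


def validate_schema_name(name: str, prefix: str) -> str:
    """Enforce the naming slide: valid charset, lowercase prefix, then an
    uppercase-initial word, no delimiters. Returns the name unchanged."""
    if not prefix or not prefix.isalpha() or not prefix.islower():
        raise ValueError(f"prefix {prefix!r} must be lowercase letters")
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"{name!r}: only letters, digits and '-', starting with a letter")
    if not name.startswith(prefix):
        raise ValueError(f"{name!r}: must start with the registered prefix {prefix!r}")
    rest = name[len(prefix):]
    if not rest or not rest[0].isupper():
        raise ValueError(f"{name!r}: prefix must be followed by an uppercase-initial word")
    return name


def make_oid(subarc: int, branch: int, sequence: int, version: int = 1) -> str:
    """Build <base>.<a>.<branch>.<x>.<v> as described on the OID slide."""
    if branch not in (ATTRIBUTE_BRANCH, CLASS_BRANCH):
        raise ValueError("branch must be 4 (attribute) or 6 (class)")
    return f"{NOVELL_BASE}.{subarc}.{branch}.{sequence}.{version}"


def schema_extension_ldif(prefix: str, subarc: int, aux_class: str,
                          attributes: list[tuple[str, str, bool]]) -> str:
    """One cn=schema modify record: each attribute (name, syntax OID,
    single_valued) first, then an auxiliary class that MAYs all of them.
    Attributes are added before the class, as the recommendations slide says."""
    lines = ["dn: cn=schema", "changetype: modify"]
    for seq, (name, syntax, single) in enumerate(attributes, start=1):
        validate_schema_name(name, prefix)
        defn = f"( {make_oid(subarc, ATTRIBUTE_BRANCH, seq)} NAME '{name}' SYNTAX {syntax}"
        if single:
            defn += " SINGLE-VALUE"
        lines += ["add: attributeTypes", f"attributeTypes: {defn} )", "-"]
    validate_schema_name(aux_class, prefix)
    may = " $ ".join(name for name, _, _ in attributes)
    lines += ["add: objectClasses",
              f"objectClasses: ( {make_oid(subarc, CLASS_BRANCH, 1)} NAME '{aux_class}' "
              f"SUP top AUXILIARY MAY ( {may} ) )", "-"]
    return "\n".join(lines) + "\n"


def apply_aux_class_ldif(entry_dn: str, aux_class: str, values: dict[str, str]) -> str:
    """The two steps from the 'Using Auxiliary Classes' slide: add the aux
    class name to objectClass, then write the attribute values."""
    lines = [f"dn: {entry_dn}", "changetype: modify",
             "add: objectClass", f"objectClass: {aux_class}", "-"]
    for attr, value in values.items():
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    directory_string = "1.3.6.1.4.1.1466.115.121.1.15"
    print(schema_extension_ldif("myapp", 999, "myappCourseAux", [
        ("myappCourseName", directory_string, True),
        ("myappCourseCode", directory_string, False),
    ]))
    print(apply_aux_class_ldif("cn=jdoe,ou=eng,o=novell", "myappCourseAux",
                               {"myappCourseName": "LDAP 101"}))
```

The output is what you would hand to ldapmodify (or ICE with the LDIF source handler); removing the extension from an entry is the reverse of the second record, a `delete: objectClass` of the aux class name.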
Slide 93: LDIF File Example: inetOrgPerson
  # Full definition of the standard inetOrgPerson as a separate class
  version: 1
  # Delete the existing class mapping "inetOrgPerson -> User" to allow
  # "inetOrgPerson -> inetOrgPerson".
  dn: cn=schema
  changetype: modify
  delete: objectclasses
  objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' X-NDS_NAME 'User' )

  # Add the inetOrgPerson object class
  dn: cn=schema
  changetype: modify
  add: objectclasses
  objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson
    MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ employeeNumber $
    employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $
    labeledUri $ mail $ manager $ mobile $ pager $ ldapPhoto $ preferredLanguage $
    roomNumber $ secretary $ uid $ userCertificate $ userSMIMECertificate $
    x500UniqueIdentifier $ displayName )
    X-NDS_CONTAINMENT ( 'country' 'locality' 'organizationalUnit' 'organization' 'domain' )
    X-NDS_NAMING ( 'cn' 'uid' 'givenName' 'mail' 'sn' ) )
Slide 94: Schema Changes in eDirectory 8.5
- Some attributes made public read, some made multi-valued
- New classes defined: domain and ndsLoginProperties
- Syntax changed on existing attributes
- Several classes changed to be containers
- Some changed to be effective or added domain containment
- O and OU added ndsLoginProperties
- Device class now effective
- Operational attributes: creatorsName, modifiersName, modifyTimeStamp, createTimeStamp
Slide 95: Schema Changes in eDirectory 8.6
- Unlimited LDAP schema name size: up to 63K long (was previously 64 characters)
- Ability to have more than 63K total worth of schema name mappings (depending on the size of names, this was limited to fewer than 2000 mappings)
- Ability to save and retrieve the description field from a schema definition
- New schema definitions for dynamic groups and for persistent search
Slide 96: Schema Changes in eDirectory 8.7
Slide 97: Informational Draft
- LDAP Schema for eDirectory document
- http://search.ietf.org/internet-drafts/
Slide 98: The Novell Import Convert Export (ICE) Tool
- Features
  - Client/server (remote) architecture
  - LDIF import
  - LDIF export
  - Data migration between LDAP servers
  - Efficient
- Availability
  - Included with eDirectory 8.5 (ConsoleOne snap-in)
  - Included in the Novell Developer Kit (NDK) in the C Libraries for LDAP (command line only, developer use)
Slide 99: Architecture
Slide 100: ICE Engine
- Orchestrates the interaction between source and destination handlers
- Provides a logging facility
- Provides an error LDIF logging facility
  - Writes all records that fail to an output file in LDIF format
  - Used to help debug import or export sessions
  - Can aid in dealing with rogue records
Slide 101: Currently Available Handlers
- Source handlers
  - LDIF: reads in an LDIF data file
  - LDAP: performs searches and retrieves LDAP data
- Destination handlers
  - LDIF: writes to an LDIF data file
  - LDAP: writes to an LDAP server; supports LBURP (up to 10 times faster adds), forward references, hashed passwords, and more
Slide 102: What Handlers Are Coming in the Future?
- Source handlers
  - DELIM: reads in data from a delimited file
  - DirLoad: generates data from a template and data files, for creating test trees and environments
  - ECM: generates an LDAP record from an LDAP search; for example, you can create a group from all users that are from Provo (l=Provo)
  - SCH: reads in data from a SCH file (SCH files are legacy NDS schema data files)
Slide 103: What Handlers Are Coming in the Future? (cont.)
- Destination handlers
  - DELIM: writes to a delimited data file
Slide 104: Novell eDirectory Development Options
- Broad range of SDKs available
- Pick the appropriate SDK based on
  - Information needed from Novell eDirectory: are you looking for data from eDirectory, or to manage the directory itself?
  - Operations you want to perform on eDirectory
  - Your preferred programming language
  - Protocol preference: LDAP, NDAP, HTTP
Slide 105: Novell LDAP Developer's Guide
Slide 106: To Learn More About LDAP
- www.LDAPZone.com
- Novell LDAP Developer Guide
- Novell NDS Developer Guide
- DeveloperNet University: http://developer.novell.com/education/
- http://developer.novell.com/nds/
- http://developer.novell.com/nds/ndsldap.htm
- http://developer.novell.com/ndk/doc/ldapover/
Slide 107: The LDAP Community
- IETF LDAP discussions and proposals
  - www.ietf.org
  - www.ietf.org/maillist.html
- IETF announcement list
  - E-mail ietf-announce-request@ietf.org with subject "subscribe" and body "subscribe"
- IETF general discussion list
  - E-mail ietf-request@ietf.org with subject "subscribe" and body "subscribe"