Introduction to the Hot New LDAP Features in Novell eDirectory - PowerPoint PPT Presentation

Description:

Introduction to the Hot New LDAP Features in Novell eDirectory 8.7. Gary L. Anderson, Senior Development Manager, Novell, Inc., glanderson_at_novell.com. PowerPoint PPT presentation.

Transcript and Presenter's Notes



1
Introduction to the Hot New LDAP Features in
Novell eDirectory 8.7
  • Gary L. Anderson
  • Senior Development Manager
  • Novell, Inc.
  • glanderson_at_novell.com
  • Alan Clark
  • Senior Manager, eDirectory Access
  • Novell, Inc.
  • aclark_at_novell.com
2
Deployed Versions: Novell eDirectory and Novell
Directory Services (NDS)

Product                             Version         Build Version   Platforms
NetWare 5.1 SP4 (NDS 7)             DS.nlm          v7.57           NetWare 5.1
NetWare 5.1 SP4 (NDS 8)             DS.nlm          v8.79           NetWare 5.1
eDirectory 8                        DS.nlm, DS.dlm  v8.79           NetWare 5.0, Win NT/2K
eDirectory 8.5.x                    DS              v85.23          NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)          DS.nlm          v10110.20       NetWare 6
eDirectory 8.6.1                    DS              v10210.43       NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2)    DS.nlm          v10310.17       NetWare 6
eDirectory 8.6.2                    DS              v103xx.xx       NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                      DS              v10410.xx       NW 5.1, NW 6, Win, Solaris, Linux, AIX
3
Differences between eDirectory and NDS
  • NDS: NOS directory focused on managing NetWare
    servers
  • eDirectory: A cross-platform, scalable,
    standards-based directory used for managing
    identities that span all aspects of the network;
    eDirectory is the foundation for eBusiness
(Diagram labels: NetWare 5, NetWare, NetWare 6)
4
Abstract
  • This session provides an overview of the hot new
    LDAP features available in eDirectory 8.7
  • Rights-based object access
  • Dynamic groups
  • Object-based schema
  • Search simplification
  • Event monitoring
  • Configurable transport security
  • Multiple LDAP authentication methods
  • Device provisioning with embedded LDAP clients
  • Specific implementation details and code samples
    are presented in DL204 and DL307

5
Welcome to Outdoor Adventures
This tree shows the logical layout of Outdoor
Adventures, the sample company used in this
presentation and in Tech Lab
6
Using LDAP to Set Directory Rights
7
Terminology
  • ACM: The Access Control Model used in a directory
    to specify who has rights to what
  • ACI: The X.500 standard name for Access Control
    Information (the rights to access objects)
  • ACL: List maintained as an attribute of an object
    showing the rights that other objects have to the
    object

8
The eDirectory Access Control Model
  • Access Control Lists (ACLs) reside on resources,
    and grant permissions to individual objects,
    containers (and subtrees), and groups

How do students get rights to course information?
  • Grant rights to all students, registered or not
  • Individually grant rights to each registered
    student
  • Grant rights to a dynamic group
9
Access Rights
  • Directory allows rights per object and user
  • Easy management of rights
  • Inheritance of rights based on tree structure
  • User abilities depend on ACLs for the object,
    the user, and the groups and subtrees the user
    belongs to
  • Rights are held in the ndsAcl attribute of each
    object

10
Effective Privileges
  • It's hard to understand exactly which rights an
    object has to a resource because
  • ACLs are held on resources, parents of resources,
    and groups
  • ACLs may be blocked by inherited rights filters
  • eDirectory allows an object's Effective
    Privileges to be interrogated
  • Check out DL204 for details on coding in C and
    Java

11
Programmatic ACL Modification
How do I allow a student to access information
on a course section?
  • The answer is obvious, right? Use ConsoleOne or
    iManager and assign student1 as a trustee of
    section1

But how do I do this with LDAP?
12
Modifying ACLs with LDAP
  • ACLs are attributes, so no special APIs are
    required to access or update them
  • The LDIF file to allow student1 rights to
    section1 could be:
    dn: cn=section1,ou=sections,l=Atlanta
    changetype: modify
    add: ndsACL
    ndsACL: 1#entry#cn=student1,ou=students,l=Atlanta#[Entry Rights]
    ndsACL: 3#entry#cn=student1,ou=students,l=Atlanta#[All Attributes Rights]
  • Refer to section 5.7 of
    http://ietf.org/internet-drafts/draft-sermersheim-nds-ldap-schema-02.txt

13
ACL Privileges
  • The privileges field is a number that is generated
    by performing a bitwise OR on the values that
    represent the desired access rights
  • The table below shows the values

Value       Hex          Attribute Rights    Entry Rights
1           00 00 00 01  Compare             Browse
2           00 00 00 02  Read                Add
4           00 00 00 04  Write, Add, Del     Del
8           00 00 00 08  Add/Del Self        Rename
16          00 00 00 10  (n/a)               Supervisory
32          00 00 00 20  Supervisory         (n/a)
536870912   20 00 00 00  Dynamic             Dynamic
14
The New ACL in Town
  • [This]
  • A new ACL subjectName; it can be inheritable or
    non-inheritable
  • Reduces the need to use per-object ACLs to grant
    rights to an object's own attributes
  • Management now available through iManager

Question: How can you give everyone rights to
modify their own phone number?
To solve this problem, you can
A) Go through object by object and grant
individual access, or
B) Apply read, compare, and write rights to
[This] for the telephoneNumber attribute high up
in the tree and let it inherit
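The ndsACL value syntax and privilege bits from slides 12 through 14 in code, as an example added to this transcript (not Novell's own code): it builds and parses values in the privileges#scope#subjectName#protectedAttrName form assumed from section 5.7 of draft-sermersheim-nds-ldap-schema, decodes the bits with the table from slide 13, and emits the LDIF modify from slide 12. The scope keywords entry and subtree, the bit names, and the helper names are assumptions.

```python
"""ndsACL helper: build, parse and emit LDIF for eDirectory ACL values.

Added example for this transcript, not Novell code. It assumes the value
syntax from section 5.7 of draft-sermersheim-nds-ldap-schema:
    privileges#scope#subjectName#protectedAttrName
where scope is "entry" or "subtree" and protectedAttrName is an attribute
name, "[Entry Rights]" or "[All Attributes Rights]".
"""

ENTRY_RIGHTS = {          # bit values when the protected name is "[Entry Rights]"
    "browse": 1, "add": 2, "delete": 4, "rename": 8,
    "supervisor": 16, "dynamic": 536870912,
}
ATTRIBUTE_RIGHTS = {      # bit values when an attribute (or all attributes) is protected
    "compare": 1, "read": 2, "write": 4, "addself": 8,
    "supervisor": 32, "dynamic": 536870912,
}
SCOPES = ("entry", "subtree")


def rights_table(protected):
    """Pick the bit table that applies to the protected name."""
    return ENTRY_RIGHTS if protected == "[Entry Rights]" else ATTRIBUTE_RIGHTS


def privileges(names, protected):
    """OR together the bit values for the named rights (slide 13)."""
    table = rights_table(protected)
    value = 0
    for name in names:
        value |= table[name.lower()]   # KeyError for a right that does not exist
    return value


def format_acl(names, scope, subject, protected):
    """One ndsACL value, e.g. '1#entry#cn=student1,ou=students,l=Atlanta#[Entry Rights]'."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    return f"{privileges(names, protected)}#{scope}#{subject}#{protected}"


def parse_acl(value):
    """Split an ndsACL value and decode the privilege bits into right names.

    Assumes the subject DN itself contains no '#' characters.
    """
    privs, scope, subject, protected = value.split("#", 3)
    if scope not in SCOPES:
        raise ValueError(f"unknown ACL scope {scope!r}")
    bits = int(privs)
    table = rights_table(protected)
    names = [n for n, b in table.items() if bits & b]
    unknown = bits & ~sum(table.values())   # bits the table does not describe
    return {"privileges": bits, "rights": names, "unknown_bits": unknown,
            "scope": scope, "subject": subject, "protected": protected}


def modify_ldif(dn, acl_values):
    """LDIF that adds the given ACL values to an object, as on slide 12."""
    lines = [f"dn: {dn}", "changetype: modify", "add: ndsACL"]
    lines += [f"ndsACL: {v}" for v in acl_values]
    return "\n".join(lines) + "\n-\n"


if __name__ == "__main__":
    # Slide 12: give student1 browse rights and compare+read on all attributes of section1
    student = "cn=student1,ou=students,l=Atlanta"
    print(modify_ldif("cn=section1,ou=sections,l=Atlanta", [
        format_acl(["browse"], "entry", student, "[Entry Rights]"),
        format_acl(["compare", "read"], "entry", student, "[All Attributes Rights]"),
    ]))
    # Slide 14: let everyone change their own phone number via [This], inherited down the tree
    print(format_acl(["read", "compare", "write"], "subtree", "[This]", "telephoneNumber"))
    print(parse_acl("3#entry#" + student + "#[All Attributes Rights]"))
```

Running the block prints the slide 12 LDIF and the inherited [This] value 7#subtree#[This]#telephoneNumber for slide 14. parse_acl is the check to run over an object's ndsACL values when auditing who holds supervisor rights: the same bit means different things for entry and attribute rights (16 vs 32 for Supervisory), so decoding has to look at the protected name before naming the bits.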
15
Filter-Based Groups
16
Creating Communities
  • Communities in a directory exist when objects are
    formed into groups
  • The original eDirectory group provided a static
    list of members and referential integrity between
    the members list of the group and the members of
    attribute on an object

17
Dynamic Groups
  • eDirectory 8.6 and 8.7 allow you to determine
    group membership dynamically by using a search
    filter
  • Search filter is in URL form (RFC 2255)
  • ldap:///<base-DN>??<scope>?<filter>
  • Example
  • ldap:///ou=sales,o=acme??sub?(title=manager)
  • Additional capabilities
  • excludedMemberObjects: specifically excluded
  • uniqueMemberObjects: specifically included in the
    group
  • Web management interface in eDirectory 8.7
  • Available only via LDAP in eDirectory 8.6

18
What Is the Cost of Using Dynamic Groups?
  • Dynamic groups don't show up in the
    groupMembership attribute of a user object
  • To find out if your object is a member of the
    dynamic group, you have to run the group query
    filter against your object to see if it matches
  • ACLs are applied to dynamic group filters

19
Why Use Dynamic Groups?
  • Policy is stored in the directory
  • An application can be hard-coded to just read a
    dynamic group instead of searching with a search
    filter
  • This allows the effective filter to be modified
    at the directory without changing the application
  • ACLs may be used with dynamic groups
  • Put an ACL on a course section object granting
    access rights to the dynamic group
  • Now all students registered for the section
    (determined dynamically) will have access
  • Dynamic groups are scalable

20
Dynamic Groups: Compatibility
  • Static groups may be converted to dynamic groups
  • Add dynamicGroupAux to the objectClass attribute
  • Set a search query in memberQueryURL
  • For either static or dynamic groups, obtain a
    membership list by simply reading the member
    attribute
  • By default, the implicit search is limited to the
    local server

21
Object-Based Schema (Auxiliary Classes)
22
What Good Is Object-Based Schema?
Q: Peggy and Scott are managers; how can they have
attributes specific to managers?
Q: Bill, Jean and Paul take turns handling the
after-hours pager; how can the one holding the
pager be uniquely identified?
To solve these problems, you can
A) Add all attributes to base class definitions,
or
B) Use auxiliary classes to meet both of these
requirements without adding attributes to other
objects
23
Auxiliary Class Definition
  • Auxiliary (or aux) classes are dynamic classes
    that can be added to the object class attribute
    of individual objects
  • The object inherits all the attributes of the aux
    class while retaining all of its own attributes
  • When the aux class is removed from the object,
    all of the aux class attributes are removed
  • Only the objects that need the attributes have
    them
  • Doesn't change the object class definition

24
Using Auxiliary Classes
  • Two steps
  • Modify the object class of an existing object to
    include the aux class name
  • Write values to attributes as you would any other
    attributes for that class
  • Easy to remove
  • Delete the aux class name from the objectClass
    attribute
  • Auxiliary classes are available from eDirectory 8
    and beyond

25
Auxiliary Classes vs Structural Classes

Auxiliary Classes                                              | Inherited Classes
Added to individual instances of an object                     | Inherited from the superclass to all objects through class definition
eDirectory 8 and above                                         | All versions of eDirectory and NDS
Removable from any object                                      | Non-removable from base classes
Single object may have many aux classes                        | Multiple inheritance
Requires write rights to the object's object class attribute   | Object class rights not required
Cannot define containment                                      | Ability to define containment
All instances of use have to be removed prior to schema removal| All instances of use have to be removed prior to schema removal
May contain mandatory and optional attributes, including naming attributes | May contain mandatory and optional attributes, including naming attributes
26
Replication of Auxiliary Classes
(Diagram: replication between eDirectory 8.7, eDirectory 8.6,
eDirectory 8.5 v85.23 or 8.0 v8.78, NDS 7.x (7.55c, 7.55d) and
NDS 6.x (6.13, 6.14); a modify or replication to an older server
fails with error -666 Incompatible DS Version)
27
Auxiliary Class Safety Precautions
  • Upgrade your tree to all eDirectory 8 servers
  • If you can't go to all eDirectory 8, then make
    sure you have the latest released patches for
    NDS 7 and NDS 6
  • Never, never, never add auxiliary classes to
    objects on NDS 7 or NDS 6 servers
  • Break the old habit of deleting unknown objects
    if you are using auxiliary classes

28
Auxiliary Class Benefits
  • You can now apply attributes at will to objects
    in the tree, without requiring the schema
    definitions to be applied to all objects in the
    class
  • Cleanup of auxiliary classes is a snap
  • Simply remove the aux class name from the
    objectClass attribute, and all attributes
    disappear automatically

29
Using Matching Rules to Reduce Searches
30
Extensible Match
  • Extensible Match defined in LDAP v3
  • Support multiple matching rules for the same
    types of data
  • Can implement new rules, e.g., sounds like
  • Include DN elements in the search criteria
  • The DN specification allows matching on specific
    elements of the DN of an object

(Diagram: the DN
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
with its ou=sales element highlighted)
31
Task: Find All Admin Assistants in All the Sales
Groups of this Company
(Diagram: a tree whose labels are Root; England, USA, Germany;
Sales (three times), Manufacturing, Finance, Engineering; East,
West; Admin assistant (four times); Hilda)
32
Possibility One
1. Search for all admin assistant containers in
the tree:
   C:\>ldapsearch (organizationalRole=adminAssistant)
   organizationalRole=adminAssistant,ou=sales,o=usa
   organizationalRole=adminAssistant,ou=sales,o=germany
   organizationalRole=adminAssistant,ou=finance,o=germany
   organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   4 matches
2. In the client, evaluate each DN to see if it
is subordinate to a sales container:
   organizationalRole=adminAssistant,ou=sales,o=usa
   organizationalRole=adminAssistant,ou=sales,o=germany
   organizationalRole=adminAssistant,ou=finance,o=germany
   organizationalRole=adminAssistant,ou=west,ou=sales,o=england
33
Possibility One (cont.)
3. Using each admin assistant container as a
base, do a subtree search for users in that
container:
   C:\>ldapsearch -b organizationalRole=adminAssistant,ou=sales,o=usa (objectClass=user)
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   1 matches
   C:\>ldapsearch -b organizationalRole=adminAssistant,ou=sales,o=germany (objectClass=user)
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   2 matches
   C:\>ldapsearch -b organizationalRole=adminAssistant,ou=west,ou=sales,o=england (objectClass=user)
   cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   1 matches
34
Possibility Two
1. Search for all sales containers in the tree:
   C:\>ldapsearch (ou=sales)
   ou=sales,o=usa
   ou=sales,o=germany
   ou=sales,o=england
   3 matches
2. Using each sales container as a base, do a
subtree search for users in the admin assistant
container:
   C:\>ldapsearch -b organizationalRole=adminAssistant,ou=sales,o=usa (objectClass=user)
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   1 matches
   C:\>ldapsearch -b organizationalRole=adminAssistant,ou=sales,o=germany (objectClass=user)
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   2 matches
   C:\>ldapsearch -b organizationalRole=adminAssistant,ou=sales,o=england (objectClass=user)
   0 matches
This search assumes everything is at the same
level!
What's wrong?
35
In eDirectory 8.7...
1. Use extensibleMatch:
   C:\>ldapsearch (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   4 matches
Filter grammar (RFC 2254):
   extensible = attr [":dn"] [":" matchingrule] ":=" value
              / [":dn"] ":" matchingrule ":=" value
36
eDirectory Support for extensibleMatch
  • eDirectory 8.7, available soon, supports
    extensibleMatch for matching on DN values
  • eDirectory 8.7 treats other extensibleMatch
    specifications as undefined terms in the filter
    and will ignore them
  • Versions of eDirectory prior to 8.7 would return
    a protocol error if an extensibleMatch term was
    specified in a search filter
  • Advertisement of matching rules in eDirectory 8.7
    is done through the LDAP subschema subentry
    object using the standard matchingRules and
    matchingRuleUse schema attributes

37
Directory Events in LDAP
38
How Do I Track Directory Changes?
Q: Students can change some of their own
information; how can I track their changes in my
instructor application using LDAP?
  • I can poll the directory looking for changes
  • Requires me to keep state information in my app
  • I can use directory events
  • Persistent Search
  • LDAP eDirectory events extension

39
LDAP Persistent Search
  • Alters the standard LDAP search operation to
    perform a continuous search, notifying the
    application of changes that occur on an LDAP
    server
  • Persistent search allows the client to be
    notified when changes are made to entries that
    satisfy the specified search filter
  • The connection to the server remains open until
    the search is abandoned
  • Persistent search is supported by multiple
    directories

40
Applications of Persistent Search
  • What does Persistent Search enable?
  • Applications driven by business process events
  • Creating and updating a local cache easily
  • Auditing
  • Data logging
  • Data reporting
  • And more
  • Persistent Search is an LDAP-standard way of
    getting directory events

41
eDirectory Events Extension
  • Novell extension allowing an LDAP client to be
    notified of the occurrence of various events on
    a Novell eDirectory server
  • Utilizes the LDAP v3 extended operation extension
    mechanism
  • It also uses an intermediate response Protocol
    Data Unit (PDU) as described in the IETF draft
  • draft-rharrison-ldap-intermediate-resp-00.txt
  • Available on all platforms supported by Novell
    eDirectory 8.7
  • This is Novell-specific and not standard LDAP

42
Selectively Monitor eDirectory Events
  • Novell eDirectory defines several
    directory-related events, including
  • Operations on individual entries and their
    attributes
  • Partition and replica operations
  • These events can be used for
  • Debugging
  • Auditing
  • Management
  • Access to each event is controlled by rights
    checking
  • If the user does not have the required
    privileges, the request will fail
  • An EventExtendedResponse will be returned by the
    server with a responseCode value of
    insufficientPrivileges

43
Event Handling Priority
  • The eDirectory event system extension supports
    the equivalent of the eDirectory journal priority
  • Event notifications are sent to a client in the
    order in which the events occurred on the server
    after the underlying operations have completed
  • Order is guaranteed, and events are received
    after DS has processed the information
  • You cannot preempt an event or register for
    in-line processing

44
Applications of eDirectory Events
  • What can I do with eDirectory Events?
  • eDirectory monitoring
  • Auditing
  • Automation of infrastructure changes
  • Automated business logic
  • All of these things can be done with
    eDirectory; they don't exist in the same form on
    other directory products

45
Configurable Transport Security
46
eDirectory 8.7 Debuts Full TLS 1.0

SAS Library                                    | Novell TLS Library
SSL v3.0 support                               | TLS 1.0 support (RFC 2246)
Cryptography using NICI                        | Cryptography using NICI
Limited interoperability with other clients    | Full TLS 1.0 compliance, good interoperability
Limited support for EXTERNAL authentication    | Fully configurable support for EXTERNAL authentication
No support for StartTLS                        | Supports LDAP StartTLS
47
Connecting with TLS
(Diagram captions: "Please may I have your Cert?" and "Give me your Cert!")
  • eDirectory LDAP server can now be configured to
    use the following TLS handshakes
  • Server Certificate Only
  • Request Client Certificate
  • Require Client Certificate
  • This configuration is done through iManager

48
Selectable Channel Encryption
I'm connected to the directory on the clear-text
port, and I want to access my credit card
information; what do I do?
I can drop my connection, re-authenticate to the
SSL port, and get the data
OR
I can send the StartTLS extended request along
with the query to read my credit card
49
Ending TLS on a Connection
  • Client or server sends a TLS end notification
  • All operations are abandoned
  • TLS is turned off by both client and server
  • Connection reverts to anonymous
  • Specified in RFC 2829

50
TLS Information
  • Functionality is defined in RFC 2222, 2829, and
    2830
  • Novell TLS Library is based on the OpenSSL
    project (current version 0.9.c) with the
    cryptographic library replaced by NICI
  • This product includes software developed by the
    OpenSSL Project for use in the OpenSSL Toolkit.
    (http://www.openssl.org/)

51
New LDAP Authentication Methods
52
Is LDAP Simple Bind Secure Enough?
Are you confident that the user is who he claims
to be?
  Employee: Jane.Smith, Password: jsmith
  Hacker (aka Jane.Smith): Password: jsmith
53
SASL Exposed
  • SASL (Simple Authentication and Security Layer)
    is an authentication negotiation framework
  • Server lists registered authentication mechanisms
    in the supportedSASLMechanisms attribute of root
    DSE
  • Client chooses the authentication method
  • Server implements authentication policy
  • Official SASL mechanisms are registered with
    IANA (Internet Assigned Numbers Authority)
  • eDirectory 8.7 supports
  • EXTERNAL
  • DIGEST-MD5
  • NMAS_LOGIN

54
SASL EXTERNAL
  • TLS handshake establishes client identity by
    means of certificate-based client authentication
  • LDAP SASL EXTERNAL uses that identity for the
    user connection

55
SASL DIGEST-MD5
SASL bind packet with hashed password
  • Allows password to be securely sent over a clear
    text connection
  • Requires that the server maintain a clear text
    copy of the password in the NMAS encrypted store
    that can be hashed using data provided in the
    bind and then compared to the hashed password
    contained in the bind

56
SASL NMAS_LOGIN
(Diagram: login methods Fingerprint, Password, Biometric, Smart card, Certificate)
  • Allows the full functionality of Novell Modular
    Authentication Services to be applied to LDAP
    binds
  • Login policy maintained by the server
  • Provides for multiple levels of authentication
    and identification

57
Device Provisioning with Embedded LDAP Clients
58
Novell Leadership in Device Provisioning
  • Through our embedded technology effort Novell has
    been in the embedded eDirectory business for
    eight years
  • iPrint and eNDPS (embedded Novell Distributed
    Print Services (NDPS) technology)
  • Introducing
  • The Embedded Device Provisioning Agent (eDPrA)
  • Novell offers the market self-provisioning
    hardware managed by eDirectory

59
What Is Embedded Device Provisioning?
  • Directory-enabled device provisioning
  • Allows for non-computer connected devices to work
    with eDirectory
  • Improves security on hardware that has been
    limited by SNMP standards (simple login and
    passwords)
  • Allows for management of millions of devices at
    one time
  • Provides hands-free configuration and setup

60
How a Directory Helps Provisioning
  • Increases deployment speeds of embedded hardware
  • Improves management of the overall system
  • Enhanced security from multiple authentication
    methods
  • More scalable than SNMP

61
Directory-based Provisioning
(Diagram: Provisioning of Devices within the Enterprise. Labels:
Billing, HR, Work order, Order entry, Management console;
Novell eDirectory holding Provisioning policies, Trouble alert
policies, Billing policies, Data sync policies, Security;
devices: Wireless device, CPE, Router, Caching or other hardware;
DirXML Data, Internet Data)
62
Bringing It All Together
63
Outdoor Adventures Bringing It All Together
  • Let's look at how these new features can benefit
    a hypothetical company, Outdoor Adventures
  • Auxiliary classes are used to identify students
    and instructors
  • ACLs are used to give students and instructors
    rights to view information they need on the web
  • The [This] ACL is used to allow students to
    modify their own object attributes
  • Access to specific course information is allowed
    by assigning ACLs to dynamic groups that identify
    students

64
Outdoor Adventures Bringing It All Together
  • Instructors use Persistent Search to dynamically
    update their web display of class members
  • Searches in the tree are simplified with DN
    matching rules
  • Credit card information is transmitted over TLS
    connections
  • Advanced authentication (thumbprint) is required
    for instructors to access student and course
    information
  • Outdoor Adventures' network is run using switches
    and routers configured from the directory

65
Outdoor Adventures Bringing It All Together
  • Want to learn more about these concepts and see
    them in operation?
  • The how-to information is given in sessions
    DL204, DL307, and TUT242
  • The Outdoor Adventures web site showcasing all of
    these concepts can be experienced in the tech lab

66
Novell eDirectory 8.7: It's Not Just a NOS
Directory Anymore
How do I get this great full-service LDAP
directory product for re-distribution with my
applications?
You can have your customers go out and buy
individual licenses as needed,
OR
Developers can sign up for the Novell eDirectory
Re-distribution Kit by visiting
developer.novell.com/edirectory/ and receiving
250,000 eDirectory licenses for free (now that's
a DEAL)
67
  • Vision: one Net
  • A world where networks of all types, corporate
    and public, intranets, extranets, and the
    Internet, work together as one Net and securely
    connect employees, customers, suppliers, and
    partners across organizational boundaries
  • Mission
  • To solve complex business and technical
    challenges with Net business solutions that
    enable people, processes, and systems to work
    together and our customers to profit from the
    opportunities of a networked world

70
Developer References
  • Novell Developer LDAP SDKs, documentation, and
    samples
  • http://developer.novell/ndk
  • Novell eDirectory Evaluation Version and
    Redistribution kit
  • http://www.novell.com/products/edirectory/
  • Novell Modular Authentication (NMAS)
  • http://www.novell.com/products/nmas
  • Novell Developer AppNotes
  • http://developer.novell.com/research

71
Developer References
  • LDAP Zone: The latest information and resources
    for LDAP
  • http://www.ldapzone.com
  • Directory Interoperability Forum
  • http://www.opengroup.org/dif
  • Works with LDAP certification
  • http://www.wwldap.org

72
Developer References
  • LDAP IETF standards
  • Filters and extensibleMatch
  • http://www.ietf.org/rfc/rfc2254.txt
  • http://www.ietf.org/rfc/rfc2251.txt
  • The TLS protocol
  • http://www.ietf.org/rfc/rfc2246.txt
  • Extension for TLS (StartTLS)
  • http://www.ietf.org/rfc/rfc2830.txt
  • SASL (Simple Authentication and Security Layer)
  • http://www.ietf.org/rfc/rfc2222.txt

73
References
  • eDirectory ACLs
  • http://www.ietf.org/internet-drafts/draft-sermersheim-nds-ldap-schema-02.txt, Section 5.7
  • Dynamic Groups
  • http://www.ietf.org/internet-drafts/draft-haripriya-dynamicgroup-00.txt
  • App note on http://www.developer.novell.com
  • Persistent Search
  • http://www.ietf.org/internet-drafts/draft-smith-psearch-00.txt
  • Soon to be an App note on http://www.developer.novell.com