
Identity Management Technical Training: LDAP and Directory Services. Joachim Andres, Guillaume Andru, Renaud Métrich, Sun Microsystems, Inc.



2 Agenda
Sun Proprietary/Confidential: Internal and Authorized Partners Only
Part 1: Introduction to LDAP and Directory Services
Part 2: LDAP/DS Use Cases
Part 3: LDAP Protocol Fundamentals
Part 4: Directory Server Technologies
Part 5: LDAP/DS Client Tools
Part 6: LDAP/DS Learning Resources

3 Part 1: Introduction to LDAP and Directory Services

4 Introduction
LDAP = Lightweight Directory Access Protocol
LDAP is a client-server access protocol
An LDAP directory server is a data store where data can be stored, retrieved and updated using the LDAP protocol => the technology implementing the protocol stack

5 History
Telecommunication companies introduced the concept of directory services in the 1980s, which resulted in a set of specifications, X.500, in the late 1980s and early 1990s
LDAP was intended as the lightweight alternative, running over the simpler TCP/IP stack (X.500 required OSI), around 1993, and has since been governed by the Internet Engineering Task Force (IETF)

6 Advantages of LDAP
Flexible information model
> Standard schema, and extensible
Simplicity
> Standard (well-defined) protocol
> Accessibility (from any platform supporting TCP/IP)
> Cross platform (no need to worry where the server is running)
Allows fine-grained access control
Allows flexible deployment architectures (high availability, geographic replication, etc.)

7 LDAP Adoption Today
Stable standard
> Has not changed in years
> Companies more willing to invest
Many LDAP-aware applications
> [client side] Applications that allow plugging in an LDAP server as data store
> [server side] Exposing LDAP access to hosted data

8 When to store data in LDAP?
If the answer to each of the following questions is Yes, then storing your data in LDAP is a good idea.
> Is the data model object oriented or hierarchical?
> Would you like your data to be available cross-platform?
> Do you need to access this data from a number of computers or applications?
> Do you need to access the data more often than you modify it? Do you need very frequent and fast access?
> Does it make sense to store this type of data in a flat database instead of a relational database? That is, could you effectively store all the data for a given item in a single record?
> Does the record format change (can it be extended)?

9 Part 2: LDAP and Directory Services Use Cases

10 Enterprise Use Case
Main client applications to support
> Corporate White Pages (phone book)
> User Profile store (preferences, access profiles)
> Authentication Service
Requirements characteristics:
> High number of client applications
> 1 - 100,000 users
> More complex schema, access control and grouping
Customer Story: Peugeot Citroën, Daimler Chrysler

11 Extranet Use Case
Main client applications to support
> Internet-facing applications (banks, retail, telcos)
Requirements characteristics:
> Limited number of client applications
> Great number of users, can be > 100,000,000
> Massive performance requirements
> Strong availability requirements (24x7)
Customer Story: Vodafone (http://www.sun.com/smi/Press/sunflash/2003-06/sunflash.20030610.5.xml)

12 Part 3: LDAP Protocol Fundamentals

13 Directory Structure
A directory is a tree of directory entries
DIT = Directory Information Tree
An entry consists of a set of attributes
An attribute has a name and one or more values. The attributes are defined in the schema.

14 Distinguished Name
Each entry has a unique identifier, its Distinguished Name (DN)
It consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN.
Think of the DN as a full filename and the RDN as a relative filename in a folder

15 LDAP Entry
An entry can look like this when represented in LDAP Data Interchange Format (LDIF) - LDAP itself is the access protocol:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1234
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

16 LDAP Operations (1 of 2)
Bind - authenticate and specify LDAP protocol version
Search - search for and/or retrieve directory entries
Compare - test if a named entry contains a given attribute value
Add - add a new entry
Delete - delete an entry
Modify - modify an entry
Modify Distinguished Name (DN) - move or rename an entry

17 LDAP Operations (2 of 2)
Abandon - abort a previous request
Extended Operation - generic operation used to define other operations
Unbind - close the connection (not the inverse of Bind)
Start TLS - optionally protect the connection with Transport Layer Security (TLS), for a more secure connection

18 Schema
The contents of entries are governed by the schema
The schema defines the object classes and attribute types that a directory can contain
Each entry must have an objectClass attribute. The object classes of an entry define what kind of object the entry may represent and list which attributes are mandatory and which are optional
Example objectClass: inetOrgPerson
Mandatory attributes: cn, sn
Optional attributes: description, userPassword, seeAlso, telephonenumber
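As an added example (not part of the Sun deck), the Python below parses the LDIF entry from the LDAP Entry slide, splits its DN into RDN and parent DN as the Distinguished Name slide describes, and checks the entry against the inetOrgPerson mandatory/optional attributes on this slide. The schema table is a deliberately small subset constructed here, the LDIF text is a copy of the slide's entry, and attribute names are compared case-insensitively as LDAP does.

```python
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1234
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
"""
# Schema subset (assumption): only inetOrgPerson is modelled; names lowercased, as LDAP compares them case-insensitively.
SCHEMA = {"inetorgperson": {"must": {"cn", "sn"}, "may": {"description", "userpassword",
          "seealso", "telephonenumber", "givenname", "mail", "manager"}}}

def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); base64 '::' values are not handled."""
    dn, attrs = None, {}
    for line in filter(None, text.splitlines()):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)   # multi-valued attributes keep their order
    return dn, attrs

def split_dn(dn):
    """Return (RDN, parent DN), like filename and folder; a backslash-escaped comma stays in the RDN."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch == "\\":
            cur, escaped = cur + ch, not escaped
        elif ch == ",":
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    parts.append(cur)
    return parts[0], ",".join(parts[1:])

def check_schema(attrs):
    """List violations: a missing MUST attribute, or an attribute that no objectClass allows."""
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    must = set().union(*(SCHEMA.get(c, {}).get("must", set()) for c in classes))
    may = set().union(*(SCHEMA.get(c, {}).get("may", set()) for c in classes))
    problems = [f"missing mandatory attribute {a}" for a in sorted(must - set(attrs))]
    problems += [f"attribute {a} not allowed by objectClasses"
                 for a in sorted(set(attrs) - must - may - {"objectclass"})]
    return problems
```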

19 Access Control
Mechanism to define access (allow, deny) to directory objects
Three parts of an access control instruction:
> Target: entries or attributes to which the rule applies
> Permissions: operations allowed or denied
> Bind rule: who (user or groups) this rule applies to
Placed inside the DIT and applied to the corresponding subtree
Example ACI (Sun implementation):
aci: (targetattr="*")(target=(dc=ensimag,dc=fr))
 (version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)

20 Part 4: Directory Server Technologies

21 LDAP Server Implementations
Commercial
> Sun Directory Server
> IBM Directory Server
> Microsoft Active Directory
> Others
Open Source
> OpenDS
> OpenLDAP
> ApacheDS
> Fedora Directory Server

22 Security: LDAPS
The Secure Socket Layer (SSL) provides encrypted communications and optional authentication between a Directory Server and its clients
Guarantees confidentiality and data integrity
Certificate-based authentication uses public-key cryptography to prevent forgery and impersonation of either client or server

23 Indexes (1 of 2)
Like a book index, Directory Server indexes speed up searches by associating search strings with references to the directory contents
Indexes are tables of attribute values (the keys) where each attribute value has the list of entries (their IDs) that contain that value
Indexes are created and managed independently for each suffix in the directory. Once you create an index in the suffix configuration, the server maintains the index automatically

24 Indexes (2 of 2)
Main index types
> Presence index (pres) - Contains a list of the entries that contain the particular attribute, regardless of its value.
> Equality index (eq) - Allows you to search efficiently for entries containing a specific attribute value.
> Substring index (sub) - Provides efficient searches of attribute value substrings, such as cn=*john*.
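An added example (not from the Sun deck) that models the three index types of these two slides over a few constructed entries: every key maps to the set of entry IDs that carry it, as the previous slide describes. The substring index uses 3-character grams of the lowercased value (an assumption; real servers choose their own key shape), which is enough to show why cn=*john* needs no full scan while a pattern shorter than one gram does.

```python
ENTRIES = {  # constructed sample entries: entry ID -> attributes
    1: {"cn": ["John Doe"], "mail": ["john@example.com"]},
    2: {"cn": ["Johnny Cash"], "mail": ["jc@example.com"]},
    3: {"cn": ["Barbara Doe"]},
    4: {"cn": ["Jon Snow"], "mail": ["jon@example.com"]},
}
GRAM = 3   # assumption: substring keys are 3-character grams of the lowercased value

def grams(value):
    v = value.lower()
    return {v[i:i + GRAM] for i in range(len(v) - GRAM + 1)}

def build_indexes(entries, attr):
    """Build the three index types for one attribute; every key maps to a set of entry IDs."""
    pres, eq, sub = set(), {}, {}
    for eid, attrs in entries.items():
        for value in attrs.get(attr, []):
            pres.add(eid)                                   # presence: has the attribute at all
            eq.setdefault(value.lower(), set()).add(eid)    # equality: exact (case-folded) value
            for g in grams(value):
                sub.setdefault(g, set()).add(eid)           # substring: every gram of the value
    return pres, eq, sub

def search_equality(eq, value):
    """attr=value is a single key lookup in the equality index."""
    return set(eq.get(value.lower(), set()))

def search_substring(entries, attr, pattern, sub):
    """attr=*pattern*: intersect gram postings, then verify candidates. Returns (hits, unindexed)."""
    p = pattern.lower()
    unindexed = len(p) < GRAM   # too short for the gram index: the server must scan every entry
    candidates = set(entries) if unindexed else set.intersection(*(sub.get(g, set()) for g in grams(p)))
    hits = {eid for eid in candidates if any(p in v.lower() for v in entries[eid].get(attr, []))}
    return hits, unindexed
```

The unindexed flag is the condition to watch for in a real deployment: an unindexed search reads the whole suffix and is the usual cause of slow or resource-limited searches.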

25 Replication (1 of 2)
Replication is the mechanism by which directory contents are automatically copied from a Directory Server to one or more others
Write operations of any kind (entry additions, modifications, or deletions) are automatically mirrored to other Directory Servers
Single master replication: one writable instance
Multi-master replication: multiple writable instances

26 Replication (2 of 2)
Dual site replication scenario providing:
> High availability (local and remote)
> Scalability

27 Part 5: LDAP Client Tools

28 Command Line: ldapsearch
Searches an LDAP directory
ldapsearch -h mabecane.fac.fr -p 389 -s sub -b "ou=people,dc=example,dc=com" -D "uid=moimeme,ou=people,dc=example,dc=com" -w password "firstname=Walter*"

29 Command Line: ldapmodify
Adds, renames, modifies or deletes entries in the LDAP directory
ldapmodify -h mabecane.fac.fr -p 389 -D "uid=moimeme,ou=people,dc=example,dc=com" -w password -f modfile.ldif
cat modfile.ldif
dn: uid=moimeme,ou=people,dc=example,dc=com
changetype: modify
replace: emailadresse
emailadresse: moimeme@superhero.com

30 Various Graphical Tools
Ldapbrowser: http://www-unix.mcs.anl.gov/~gawor/ldap/
Apache Directory Studio: http://directory.apache.org/studio/

31 LDAP Client Programming
Typically C and Java APIs (many others available, e.g. Perl)
Example (Netscape/Mozilla Java SDK):
import netscape.ldap.*;

String MY_HOST = "mabecane.fac.fr";
int MY_PORT = 389;
LDAPConnection ld = new LDAPConnection();
try {
    ld.connect(MY_HOST, MY_PORT);
    /* search for all entries with firstname starting with Walter */
    String MY_FILTER = "(firstname=Walter*)";
    String MY_SEARCHBASE = "ou=people,dc=example,dc=com";
    LDAPSearchResults res = ld.search(MY_SEARCHBASE, LDAPConnection.SCOPE_SUB,
            MY_FILTER, null, false, null);
    /* Results are returned in an enumeration */
    while (res.hasMoreElements()) {
        LDAPEntry entry = res.next();
        System.out.println(entry.getDN());
    }
    ld.disconnect();
} catch (LDAPException e) {
    System.err.println("LDAP error: " + e);
}
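As an added example (not part of the Sun deck or the SDK), the Python below evaluates the search filter "(firstname=Walter*)" used on the ldapsearch and Java slides against constructed entries, and shows the RFC 4515 escaping an application should apply when the assertion value is supplied at runtime, so that "*", "(", ")", "\" and NUL in the value are matched literally instead of being read as filter syntax. Only the simple "(attr=pattern)" form is supported; the entry dicts and escape_value name are assumptions.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value):
    """Escape a literal value so it can be embedded in a filter without changing its meaning."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def compile_simple_filter(flt):
    """Turn '(attr=pattern)' into (attr, regex): an unescaped '*' is a wildcard, '\\xx' is a literal byte."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, pattern = m.group(1).lower(), m.group(2)
    regex = ""
    for piece in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
        if piece == "*":
            regex += ".*"
        elif len(piece) == 3 and piece.startswith("\\"):
            regex += re.escape(chr(int(piece[1:], 16)))
        else:
            regex += re.escape(piece)
    return attr, re.compile(regex, re.IGNORECASE | re.DOTALL)

def matches(entry, flt):
    """True if any value of the filter's attribute in the entry (attr -> [values]) matches the filter."""
    attr, rx = compile_simple_filter(flt)
    return any(rx.fullmatch(v) is not None for v in entry.get(attr, []))
```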

32 Part 6: Learning Resources

33 Online Resources
Wikipedia
> English: http://en.wikipedia.org/wiki/Ldap
> French: http://fr.wikipedia.org/wiki/Ldap
OpenDS Material
> www.opends.org
Sun Directory Server Documentation
> http://docs.sun.com/app/docs/coll/1224.3

34 Joachim Andres, Guillaume Andru, Renaud Métrich, Sun Microsystems, Inc.
