The Directory: a distributed database with distributed maintenance

Purpose of a Directory
- A directory is a way to store data in an organized way for easy access
- The primary operation on a directory is LOOKUP
- This means that a directory is optimized for reading rather than for creation or update
- Note the distinction from a database

Why a directory?
- Tracking users' software configuration preferences in a directory can give them the mobility they need to work from any location. Rather than being stored in a local registry or preferences file, accessible only from a single computer, this information can essentially travel around the network with the user.
- Tracking access privileges in a directory enables network administrators to keep users out of parts of the network that are off limits to them. Storing access control rights in the directory enables multiple applications to have easy access to the same security settings.
- Centralizing user account and password information can minimize password management and disparate sign-ons across applications.
- Managing Web site configuration information in a centralized directory makes site administration simpler. One configuration change in the directory can easily be applied to all the servers at the site.
- LDAP has the potential to do for directories what HTTP and HTML did for documents
Ref:

Four ways to describe a directory
- Informational Model
  - What does the directory hold?
  - How are the entries related?
- Functional Model
  - How does it operate?
  - What services are available to serve a user?
- Organizational Model
  - Who owns it and how do they manage it?
- Security Model
  - What authorization and authentication?


Information Stored in the Directory
- Directory Information Base (DIB) composed of entries
  - each entry holds information about one object: a person, a printer, a company, a state or province, an application entity, ... or anything else
- An entry is composed of attributes
  - each attribute consists of a type and one or more values

Object Classes
- Object class = identified family of objects
  - some common set of characteristics
  - ex. person is an object class
    - common attributes: commonName, surname
    - optional attributes: description, telephoneNumber, userPassword, seeAlso
- Subclass
  - organizationalPerson is a subclass of person
    - must have all the required attributes of person
    - may have the optional attributes of person
    - may have additional attributes, ex. title, organizationalUnitName, etc.

Structure of the DIB
- Tree like
  - entries form the vertices of the tree
  - arcs define the relation between entries
- Distinguished name (DN)
  - uniquely and unambiguously identifies each entry
  - constructed from the identities of the ancestors in the tree plus a specially designated set of attribute values from the entry itself

Entry components

An example entry
- One attribute/value pair is the Relative Distinguished Name (RDN) for the entry; surname = Cassel, for example, would identify this entry.
- Attribute objectclass = person. Objectclass is the type of the entry as a whole; it tells the directory what kinds of information can or should be included in the entry.

Sample section of a DIT: an entry with 3 attributes

The Directory Schema
- Rules governing
  - the attribute types allowed for each class of object
  - the form of the values for each attribute type
  - the class of object that can be a child entry of a given class of object
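The information model of the last few slides (entries built from typed attributes, object classes with inheritance, a tree whose DNs are assembled from the ancestors' RDNs, and schema rules enforced on every insert) is small enough to model end to end. The following is an added example, not code from the original slides: the mini-schema, the structure rules and the sample entries are constructed for illustration, and it uses the long attribute type names the slides use rather than the short LDAP names (cn, sn, ou, o).

```python
"""Toy X.500/LDAP information model: object classes with required (MUST) and
optional (MAY) attributes and subclass inheritance, entries of typed attributes,
a DIT whose DNs are built from the ancestors' RDNs, and schema checks on insert.
Added example; schema, structure rules and sample entries are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset                             # attribute types every entry must carry
    may: frozenset                              # attribute types it may carry
    superior: Optional["ObjectClass"] = None    # parent class when this is a subclass

    def required(self) -> frozenset:
        return self.must | (self.superior.required() if self.superior else frozenset())

    def allowed(self) -> frozenset:
        return self.must | self.may | (self.superior.allowed() if self.superior else frozenset())


# Constructed mini-schema following the slide's person / organizationalPerson example.
PERSON = ObjectClass("person", frozenset({"commonName", "surname"}),
                     frozenset({"description", "telephoneNumber", "userPassword", "seeAlso"}))
ORGANIZATIONAL_PERSON = ObjectClass("organizationalPerson", frozenset(),
                                    frozenset({"title", "organizationalUnitName"}), superior=PERSON)
ORGANIZATIONAL_UNIT = ObjectClass("organizationalUnit", frozenset({"organizationalUnitName"}),
                                  frozenset({"description"}))
ORGANIZATION = ObjectClass("organization", frozenset({"organizationName"}), frozenset({"description"}))

# Structure rules: which class may be a child entry of which class (None = the root).
STRUCTURE_RULES = {
    None: {"organization"},
    "organization": {"organizationalUnit", "person", "organizationalPerson"},
    "organizationalUnit": {"organizationalUnit", "person", "organizationalPerson"},
}


class SchemaError(ValueError):
    """Raised when an insert would break the schema."""


@dataclass
class Entry:
    object_class: ObjectClass
    rdn: tuple                        # (attribute type, value) naming the entry under its parent
    attributes: dict                  # attribute type -> list of values
    parent: Optional["Entry"] = None
    children: list = field(default_factory=list)

    def dn(self) -> str:
        """Distinguished name: own RDN, then each ancestor's RDN up to the root."""
        parts, node = [], self
        while node is not None:
            parts.append(f"{node.rdn[0]}={node.rdn[1]}")
            node = node.parent
        return ",".join(parts)


def schema_violation(parent: Optional[Entry], object_class: ObjectClass,
                     rdn: tuple, attributes: dict) -> Optional[str]:
    """Describe the first schema rule the proposed entry breaks, or return None."""
    present = set(attributes)
    missing = object_class.required() - present
    if missing:
        return f"{object_class.name} entry is missing required attribute(s): {sorted(missing)}"
    extra = present - object_class.allowed()
    if extra:
        return f"{object_class.name} does not allow attribute(s): {sorted(extra)}"
    rdn_type, rdn_value = rdn
    if rdn_value not in attributes.get(rdn_type, []):
        return "the RDN must be one of the entry's own attribute values"
    parent_class = parent.object_class.name if parent else None
    if object_class.name not in STRUCTURE_RULES.get(parent_class, set()):
        return f"{object_class.name} may not be a child of {parent_class}"
    return None


def add_entry(parent: Optional[Entry], object_class: ObjectClass, rdn: tuple, attributes: dict) -> Entry:
    """Insert an entry under parent, refusing anything that breaks the schema."""
    problem = schema_violation(parent, object_class, rdn, attributes)
    if problem:
        raise SchemaError(problem)
    entry = Entry(object_class, rdn, attributes, parent)
    if parent is not None:
        parent.children.append(entry)
    return entry


def lookup(root: Entry, dn: str) -> Optional[Entry]:
    """Resolve a DN by walking from the root along matching RDNs.
    Assumes normalised DNs (no escaping, exact case)."""
    rdns = [tuple(part.split("=", 1)) for part in dn.split(",")]
    rdns.reverse()                    # root component first
    if rdns[0] != root.rdn:
        return None
    node = root
    for rdn in rdns[1:]:
        node = next((c for c in node.children if c.rdn == rdn), None)
        if node is None:
            return None
    return node


def build_sample_dit() -> Entry:
    """Constructed tree: organizationName=Example > organizationalUnitName=Staff > surname=Cassel."""
    root = add_entry(None, ORGANIZATION, ("organizationName", "Example"), {"organizationName": ["Example"]})
    staff = add_entry(root, ORGANIZATIONAL_UNIT, ("organizationalUnitName", "Staff"),
                      {"organizationalUnitName": ["Staff"]})
    # As on the slide, the surname attribute serves as the RDN; the person is a constructed sample.
    add_entry(staff, ORGANIZATIONAL_PERSON, ("surname", "Cassel"),
              {"commonName": ["B. Cassel"], "surname": ["Cassel"],
               "telephoneNumber": ["+1 555 0100"], "title": ["Professor"]})
    return root
```

Calling `build_sample_dit()` and then `lookup(root, "surname=Cassel,organizationalUnitName=Staff,organizationName=Example")` returns the person entry, whose `dn()` reproduces that string; `schema_violation` reports a person without a surname, an attribute the class does not allow, an RDN not drawn from the entry's own values, or a person placed beneath another person, which is the structure rule the third bullet of the slide describes.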

The Directory Service
- Operations to interrogate and modify the content of the Directory
- Control access to DIT entries
- Ensure that any changes continue to obey the rules of the schema

Four ways to describe a directory
- Informational Model
  - What does the directory hold?
  - How are the entries related?
- Functional Model
  - How does it operate?
  - What services are available to serve a user?
- Organizational Model
  - Who owns it and how do they manage it?
- Security Model
  - What authorization and authentication?

Functional Model players
- Directory User Agent (DUA)
  - participates in the Directory protocol on behalf of a user
- Directory Service Agent (DSA)
  - responds to requests for information from the directory
  - requests come from DUAs or other DSAs

Functional Model
- Describes the Directory in terms of operations performed by a DUA and one or more DSAs serving the request of the DUA.
- DUA gains access
  - binds to an access point represented by a particular DSA
  - DSA has direct access to a portion of the Directory (the data)
  - DSA has knowledge about the rest of the Directory
    - can get information it does not have

DSA - DUA interaction (figure: DSA and DUA)
- The user sees the directory as one collection accessible through one interface.
- Directory servers interact with each other to provide the response.

X.500 and LDAP
- X.500 is the ITU specification of a global directory intended to run over a full ISO protocol stack
- LDAP is a lightweight version of X.500 that runs directly over TCP/IP
- LDAP was originally intended as a frontend to the X.500 Directory, but now runs standalone as well.

Four ways to describe a directory
- Informational Model
  - What does the directory hold?
  - How are the entries related?
- Functional Model
  - How does it operate?
  - What services are available to serve a user?
- Organizational Model
  - Who owns it and how do they manage it?
- Security Model
  - What authorization and authentication?

Security Model
- Authorization given to
  - a subtree
  - an entry
  - an attribute type
- Authorization allowed by
  - an individual
  - groups
  - the owner

Access
- Give authority to
  - Owner: to update phone number, address, etc.
  - Project managers: to update project information
  - Department: to update goal statements
  - etc.

Security issues
- Authentication: Who are you and how do I know that?
- Confidentiality: Who is entitled to this unit of information?
- Integrity: Is the data uncorrupted?
- Authorization: You are entitled to access some resources, but not others.
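The security model and the "Access" slide above describe authorization as a set of grants that combine a subject (an individual, a group, or the owner of the entry), a scope (one entry or a whole subtree) and a target (the entry as a whole or particular attribute types). The following added example, not code from the original slides, evaluates such a policy with default deny; the rule syntax, group names, DNs and the sample policy are constructed, and DNs are assumed to be normalised strings (no escaping, exact case).

```python
"""Toy access-control evaluator for the directory security model: each rule
grants rights to a subject over a scope (entry or subtree), for the whole
entry or for named attribute types only; anything no rule grants is denied.
Added example; rule syntax, group names, DNs and the policy are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRule:
    subject: str                      # "owner", "anyone", "user:<dn>" or "group:<name>"
    scope_dn: str                     # entry the rule is attached to
    subtree: bool                     # True: applies to scope_dn and every entry beneath it
    attributes: Optional[frozenset]   # None: the entry as a whole; else only these types
    rights: frozenset                 # subset of {"read", "write"}


def in_scope(rule: AccessRule, target_dn: str) -> bool:
    if target_dn == rule.scope_dn:
        return True
    # The leading comma keeps "ou=Staff2,o=Example" out of the "ou=Staff,o=Example" subtree.
    return rule.subtree and target_dn.endswith("," + rule.scope_dn)


def subject_matches(rule: AccessRule, requester_dn: str, target_dn: str, groups: dict) -> bool:
    if rule.subject == "anyone":
        return True
    if rule.subject == "owner":
        return requester_dn == target_dn          # the owner is the entry describing the requester
    kind, _, name = rule.subject.partition(":")
    if kind == "user":
        return requester_dn == name
    if kind == "group":
        return requester_dn in groups.get(name, set())
    return False


def permitted(rules, groups: dict, requester_dn: str, target_dn: str,
              attribute: Optional[str], right: str) -> bool:
    """Default deny: allowed only if some rule covers this subject, target, attribute and right."""
    for rule in rules:
        if right not in rule.rights or not in_scope(rule, target_dn):
            continue
        if rule.attributes is not None and attribute not in rule.attributes:
            continue
        if subject_matches(rule, requester_dn, target_dn, groups):
            return True
    return False


# Constructed sample policy following the slide's "Access" list.
BASE = "o=Example"
POLICY = [
    # Everyone may read the public contact attributes anywhere in the organization.
    AccessRule("anyone", BASE, True, frozenset({"commonName", "surname", "telephoneNumber"}),
               frozenset({"read"})),
    # Owners maintain their own phone number and address ...
    AccessRule("owner", BASE, True, frozenset({"telephoneNumber", "postalAddress"}),
               frozenset({"read", "write"})),
    # ... and may change, but never read back, their own password; nobody else touches it.
    AccessRule("owner", BASE, True, frozenset({"userPassword"}), frozenset({"write"})),
    # Project managers update project information anywhere under ou=Projects.
    AccessRule("group:ProjectManagers", "ou=Projects," + BASE, True, frozenset({"projectInfo"}),
               frozenset({"read", "write"})),
    # The Staff department updates the goal statement on its own OU entry only (not the subtree).
    AccessRule("group:Staff", "ou=Staff," + BASE, False, frozenset({"goalStatement"}),
               frozenset({"read", "write"})),
]
GROUPS = {                             # constructed group memberships, keyed by group name
    "ProjectManagers": {"cn=Pat Cassel,ou=Staff,o=Example"},
    "Staff": {"cn=Pat Cassel,ou=Staff,o=Example", "cn=Sam Lee,ou=Staff,o=Example"},
}
```

With this policy a colleague can read someone's telephoneNumber but not write it, the owner can write it, no rule grants read on userPassword to anyone (so the password is write-only even for its owner), a project manager's write on projectInfo is confined to the ou=Projects subtree, and the Staff group's goalStatement right covers the ou=Staff entry itself and nothing beneath it.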

Directory Security Examples Ref: Jeff Hodges;

Data Integrity: Replication
- There are world-wide directories
  - performance issues
    - data distributed over the whole world
    - multiple copies of sections of the DIT
    - a local copy may not be completely up to date
  - the DUA always knows when it receives information from a copy
- Local directories may be copies of remote directories or stand-alone directories
  - the performance issues are different

Cache and Shadow copies
- Cache copies
  - not covered in the specification
  - unofficial copies, no guarantee of accuracy
- Shadow copies
  - obtained in accordance with procedures in the Directory specification
  - official, controlled copy
  - not necessarily up to date at all times
  - there is a limit to the time before it will be updated
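The replication slides make three points that are easy to lose in prose: a shadow copy is official but may lag the master, that lag is bounded by an agreed refresh limit, and the DUA is always told when an answer came from a copy; a cache, by contrast, carries no guarantee at all. The following is an added example, not code from the original slides, that models exactly those distinctions; the class and field names, the refresh policy, the simulated clock and the sample entry are constructed.

```python
"""Toy model of directory replication: a master DSA holds the authoritative data,
a shadow DSA is an official copy refreshed once it is older than an agreed limit,
and a cache is an unofficial snapshot. Every answer tells the DUA whether it
came from a copy, whether that copy is official, and how old it is.
Added example; names, refresh policy, clock and sample entry are constructed."""
from dataclasses import dataclass
from typing import Optional
import copy


@dataclass(frozen=True)
class LookupResult:
    attributes: Optional[dict]
    from_copy: bool        # True when not answered by the master
    official: bool         # True for the master or a shadow, False for a cache
    age: float             # how far behind the master the source may be (simulated seconds)


class MasterDSA:
    """Authoritative holder of one portion of the DIT."""
    def __init__(self, entries: dict):
        self.entries = entries

    def update(self, dn: str, attributes: dict) -> None:
        self.entries[dn] = attributes

    def lookup(self, dn: str, now: float) -> LookupResult:
        return LookupResult(self.entries.get(dn), from_copy=False, official=True, age=0.0)


class ShadowDSA:
    """Official copy obtained from the master under an agreed procedure; the copy is
    never allowed to be more than max_age behind, so a stale copy is refreshed before
    it answers."""
    def __init__(self, master: MasterDSA, now: float, max_age: float):
        self.master, self.max_age = master, max_age
        self.refresh(now)

    def refresh(self, now: float) -> None:
        self.entries = copy.deepcopy(self.master.entries)
        self.refreshed_at = now

    def lookup(self, dn: str, now: float) -> LookupResult:
        if now - self.refreshed_at > self.max_age:
            self.refresh(now)
        return LookupResult(self.entries.get(dn), from_copy=True, official=True,
                            age=now - self.refreshed_at)


class CacheCopy:
    """Unofficial snapshot: the specification says nothing about when, or whether,
    it is refreshed, so its answers carry no accuracy guarantee."""
    def __init__(self, source, now: float):
        self.entries = copy.deepcopy(source.entries)
        self.taken_at = now

    def lookup(self, dn: str, now: float) -> LookupResult:
        return LookupResult(self.entries.get(dn), from_copy=True, official=False,
                            age=now - self.taken_at)


def dua_lookup(dn: str, now: float, local, master: MasterDSA, require_fresh: bool = False) -> LookupResult:
    """A DUA asks its nearby source first; because the answer is flagged as a copy,
    a caller that needs the authoritative value can fall back to the master."""
    result = local.lookup(dn, now)
    if require_fresh and result.from_copy:
        return master.lookup(dn, now)
    return result


def build_sample() -> tuple:
    """Constructed scenario: copies taken at t=0 (shadow limit 30 s), master changed afterwards."""
    dn = "surname=Cassel,o=Example"
    master = MasterDSA({dn: {"telephoneNumber": ["+1 555 0100"]}})
    shadow = ShadowDSA(master, now=0.0, max_age=30.0)
    cache = CacheCopy(master, now=0.0)
    master.update(dn, {"telephoneNumber": ["+1 555 0199"]})
    return master, shadow, cache
```

Reading the shadow at t=20 returns the old number, flagged `from_copy=True`, `official=True`, `age=20.0`, which is within the promised limit; reading it at t=35 triggers the refresh and returns the new number with `age=0.0`. The cache returns the old number at any time with `official=False`, and a DUA that passes `require_fresh=True` gets the master's value instead.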

LDAP in use

Address access to LDAP

LDAP related RFCs

Find more

More information on LDAP
- pointers to recent articles
- pointers to downloadable copies of the software
- updates on status
- etc.

Directory summary
- Distributed information
  - performance issues
  - security issues
- A consistent structure of information makes distributed access easier
- Local use has many applications in coordinated access and security within an organization