Published by Peter Miller. Modified over 9 years ago.
1
Introduction to the Hot New LDAP Features in Novell eDirectory™ 8.7
Novell BrainShare 2002
Gary L. Anderson, Senior Development Manager, Novell, Inc.
Alan Clark, Senior Manager, eDirectory Access, Novell, Inc.
IO137—Introduction to the Hot New LDAP Features in eDirectory 8.7
2
Deployed Versions: Novell eDirectory™ and Novell Directory Services® (NDS®)

Product Version | Build Version | Platforms
NetWare 5.1 SP4 (NDS 7) | DS.nlm v7.57 | NetWare 5.1
NetWare 5.1 SP4 (NDS 8) | DS.nlm v8.79 | (not shown)
eDirectory 8 | DS.nlm & DS.dlm v8.79 | NetWare 5.0, Win NT/2K
eDirectory 8.5.x | DS v85.23 | NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6) | DS.nlm v (not shown) | NetWare 6
eDirectory 8.6.1 | DS v (not shown) | NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2) | DS.nlm v (not shown) | (not shown)
eDirectory 8.6.2 | DS v103xx.xx | (not shown)
eDirectory 8.7 | DS v10410.xx | NW 5.1, NW 6, Win, Solaris, Linux, AIX
3
Differences between eDirectory and NDS
NDS: a NOS directory focused on managing NetWare® servers.
eDirectory: a cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network—eDirectory is the foundation for eBusiness.
4
Abstract
This session provides an overview of the hot new LDAP features available in eDirectory 8.7:
- Rights-based object access
- Dynamic groups
- Object-based schema
- Search simplification
- Event monitoring
- Configurable transport security
- Multiple LDAP authentication methods
- Device provisioning with embedded LDAP clients
Specific implementation details and code samples are presented in DL204 and DL307.

- Rights-based object access (ACLs)
- Event monitoring (LDAP extension, and persistent search)
- Dynamic groups
- Object-based schema (auxiliary classes)
- Search scope reduction (extensible match)
- Selectable transport encryption (Start TLS)
- Biometric authentication (SASL support)
- Device provisioning using embedded LDAP clients
5
Welcome to Outdoor Adventures
This tree shows the logical layout of Outdoor Adventures, the sample company used in this presentation and in Tech Lab
6
Using LDAP to Set Directory Rights
7
Terminology
- ACM—the Access Control Model used in a directory to specify who has rights to what
- ACI—the X.500 standard name for Access Control Information (the rights to access objects)
- ACL—a list maintained as an attribute of an object showing the rights that other objects have to the object
8
The eDirectory Access Control Model
Access Control Lists (ACLs) reside on resources, and grant permissions to individual objects, containers (and subtrees), and groups.
How do students get rights to course information?
- Grant rights to all students, registered or not
- Individually grant rights to each registered student
- Grant rights to a dynamic group

Here, we want to review the general idea that an ACL is an attribute that resides on a resource, that names a subject (trustee), and a set of permissions. An ACL can specifically grant a permission to a single object, a group of objects, or a container full of objects (actually a subtree). An ACL can reside at a higher point in the tree and grant subtree rights.
9
Access Rights
Directory allows rights per object and user
- Easy management of rights
- Inheritance of rights based on tree structure
- User abilities depend on ACLs for the object, the user, and the groups and subtrees the user belongs to
- Rights are held in the ndsAcl attribute of each object

Databases limit access on a table basis; access can allow read, write, modify and delete. A directory allows rights to be assigned per object and user. Rights can be assigned to a superior container and inherited down the tree from that point. Management consoles provide easier access and management for users and rights assignments.
10
Effective Privileges
It's hard to understand exactly which rights an object has to a resource, because:
- ACLs are held on resources, parents of resources, and groups
- ACLs may be blocked by inheritance rights filters
eDirectory allows an object's "Effective Privileges" to be interrogated. Check out DL204 for details on coding in C and Java.
11
Programmatic ACL Modification
How do I allow a student to access information on a course section? The answer is obvious, right? Use ConsoleOne® or iManager and assign student1 as a trustee of section1. But how do I do this with LDAP?
12
Modifying ACLs with LDAP
ACLs are attributes, so no special APIs are required to access or update them. The LDIF file to allow Student1 rights to section1 could be:

    dn: cn=section1, ou=sections, l=Atlanta
    changetype: modify
    add: ndsAcl
    ndsAcl: 1#entry#cn=student1, ou=students, l=Atlanta#[Entry Rights]
    ndsAcl: 3#entry#cn=student1, ou=students, l=Atlanta#[All Attributes Rights]

Refer to section 5.7 of draft-sermersheim-nds-ldap-schema-02.txt:

5.7 NDS ACL
( DESC 'NDS ACL' )
Used for attributes whose values represent ACL entries. An ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. Values in this syntax are encoded according to the following BNF:

    ndsAcl = privileges "#" scope "#" subjectname "#" protectedattrname
    privileges = uint32string
    scope = "entry" / "subtree"
    subjectname = distinguishedname / "[Self]" / "[Creator]" / "[Public]" / "[Inheritance Mask]" / "[Root]"
    protectedattrname = caseignorestring / "[Entry Rights]" / "[All Attributes Rights]"

The privileges field is a number that represents the kind of access being granted. Performing a bitwise OR on the numbers that represent the desired access arrives at this number. The table below specifies the values:

    Value  Attributes                 [Entry Rights]
    1      Compare Attributes         Browse Entry
    2      Read Attributes            Add Entry
    4      Write, Add, Delete Attrs   Delete Entry
    8      Add/Delete Self            Rename Entry
    16     (none)                     Supervisory
    32     Supervisory                (none)

The scope field specifies whether the privileges are applied to the target entry (the entry containing the ACL) or to the target and its subtree. The subjectname either contains the distinguished name of the entry being granted the privileges, or one of the special values:

    [Self]              Indicates the user authenticated in the current connection. This can only be used in the Add Entry operation.
    [Creator]           The user who created the object. This can only be used in the Add Entry operation.
    [Public]            Includes all objects in the tree.
    [Inheritance Mask]  Filters or masks the privileges granted to an object.
    [Root]              Denotes the directory tree root object.
    [This]              The user identified by the object.

Any occurrence of the # character in the subjectname MUST be escaped using the rules in Section 4.3 of [RFC2252]. The protectedattrname either names a specific attribute that the privileges are applied to, or it contains one of the following special values:

    [Entry Rights]           Privileges apply to the entire object, rather than an attribute.
    [All Attributes Rights]  Privileges apply to all attributes of the object.

If the protectedattrname neither specifies a valid attribute as defined in the schema, nor one of the special values, an invalidSyntax error will be returned. The following ASN.1 data type is used to represent this syntax when transferred in binary form (see 4.1):

    ndsAcl ::= SEQUENCE {
        privileges         uint32,
        scope              uint32,
        subjectName        LDAPDN,
        protectedAttrName  LDAPString }

The special string values for protectedAttrName and subjectName are the same as given in the BNF above. The privileges field is an integer which represents the bit mask as described above. The scope field is set to either 0 for "entry" or 1 for "subtree". Attributes of this syntax match for equality if all fields match for equality, and match approximately if the attribute name and the subject name match and any privilege bits set in the filter are also set in the target value.
13
ACL Privileges
The privileges field is a number that is generated by performing a bitwise OR on the values that represent the desired access rights. The table below shows the values:

    Value  [Attributes]      [Entry Rights]
    1      Compare           Browse
    2      Read              Add
    4      Write, Add, Del   Del
    8      Add/Del Self      Rename
    16     (na)              Supervisory
    32     Dynamic

This slide is pretty self explanatory.
14
The New ACL in Town: [This]
- A new ACL subjectName; it can be inheritable or non-inheritable
- Reduces the need to use per-object ACLs to grant rights to an object's own attributes
- Management now available through iManager
Question: How can you give everyone rights to modify their own phone number? To solve this problem, you can:
A: Go through object by object and grant individual access, or…
B: Apply read, compare, and write rights to [This] for the telephoneNumber attribute high up in the tree and let it inherit
15
Filter-Based Groups
16
Creating Communities
Communities in a directory exist when objects are formed into groups. The original eDirectory group provided a static list of members and referential integrity between the member list of the group and the "member of" attribute on an object.
17
Dynamic Groups
eDirectory 8.6 and 8.7 allow you to determine group membership dynamically by using a search filter.
- The search filter is in URL form (RFC 2255): ldap:///<base-DN>??<scope>?<filter>
- Example: ldap:///ou=sales,o=acme??sub?(title=manager)
Additional capabilities:
- excludedMember—objects specifically excluded
- uniqueMember—objects specifically included in the group
Web management interface in eDirectory 8.7; available only via LDAP in eDirectory 8.6.

vi. The 17th slide does not mention anything about the X-chaining.
vii. The 18th slide says that the ACLs are applied to the DG filters. This needs to be clarified and corrected.
18
What Is the Cost of Using Dynamic Groups?
- Dynamic groups don't show up in the groupMembership attribute of a user object
- To find out if your object is a member of the dynamic group, you have to run the group query filter against your object to see if it matches
- ACLs are applied to dynamic group filters

The search query essentially defines a policy. Example of a badge reader station: an application running on the badge reader station could do a directory search with a search filter, but this search filter defines the policy. Suppose we wanted to change the policy from allowing all employees access to allowing only managers access. To change the policy would require changing the client software running on all the badge readers. If the badge readers were coded to read the dynamic group, an admin could modify the dynamic group's query, and the policy is instantly changed on all badge readers.
19
Why Use Dynamic Groups?
Policy is stored in the directory
- An application can be hard-coded to just read a dynamic group instead of searching with a search filter
- This allows the "effective" filter to be modified at the directory without changing the application
ACLs may be used with dynamic groups
- Put an ACL on a course section object granting access rights to the dynamic group
- Now all students registered for the section (determined dynamically) will have access
Dynamic groups are scalable
20
Dynamic Groups—Compatibility
- Static groups may be converted to dynamic groups: add dynamicGroupAux to the objectClass attribute and set a search query in memberQueryURL
- For either static or dynamic groups, obtain a membership list by simply reading the "member" attribute
- By default, the implicit search is limited to the local server

viii. The 19th slide, first statement could mention some example applications.
ix. The 20th slide, 3rd statement could talk about the X-chain facility.
21
Object-Based Schema (Auxiliary Classes)
22
What Good Is Object-Based Schema?
Q: Peggy and Scott are managers—how can they have attributes specific to managers?
Q: Bill, Jean and Paul take turns handling the after-hours pager—how can the one holding the pager be uniquely identified?
To solve these problems, you can:
A: Add all attributes to base class definitions, or…
B: Use auxiliary classes to meet both of these requirements without adding attributes to other objects
23
Auxiliary Class Definition
- Auxiliary (or aux) classes are dynamic classes that can be added to the object class attribute of individual objects
- The object inherits all the attributes of the aux class while retaining all of its own attributes
- When the aux class is removed from the object, all of the aux class attributes are removed
- Only the objects that need the attributes have them
- Doesn't change the object class definition
24
Using Auxiliary Classes
Two steps:
1. Modify the object class of an existing object to include the aux class name
2. Write values to attributes as you would any other attributes for that class
Easy to remove: delete the aux class name from the objectClass attribute.
Auxiliary classes are available from eDirectory 8 and beyond.

Is this note right, or were they available starting with NetWare 5? All the cleaning up of the aux class attributes is done for you when you delete the aux class name from the object class attribute.
25
Auxiliary Classes vs Structural Classes

Auxiliary Classes | Structural Classes
Added to individual instances of an object | Inherited to all objects through (super) class definition
eDirectory 8 and above | All versions of eDirectory and NDS
Removable from any object | Non-removable from base classes
Single object may have many aux classes | Multiple inheritance
Requires write rights to the object's object class attribute | Object class rights not required
Cannot define containment | Ability to define containment
All instances of use have to be removed prior to schema removal | May contain mandatory and optional attributes, including naming attributes
26
Replication of Auxiliary Classes
[Diagram: four servers in a replica ring (eDirectory 8.7; eDirectory 8.6 / 8.5 v or 8.0 v8.78; NDS 7.55c / 7.55d / 7.x; NDS 6.13 / 6.14 / 6.x) replicating the user Fred; error shown: "Modify or Replication Error -666 Incompatible DS Version"]

Start this slide just showing the 4 servers. First mouse click creates Fred on an 8.7 server, and replicates Fred.

"Let's create a user in the directory. As you know, eDirectory replicates this entry so that it shows up on all of the servers in the ring."

"Now we want to make Fred a student at Aspen Outdoors" – click mouse – aux class appears on 8.7, and animation replicates to the other servers.

"Note that the aux class also replicates to the other servers in the tree. On the 8.5 or 8.0 servers, if you have the current patch build shown on the slide, Fred still retains his identity. However, notice that Fred's object has gone unknown on the NDS 7 and NDS 6 servers. Now, all you system admins out there, what have you been trained to do with unknown objects – you usually delete them, right? Well, here's what happens when you do that" – click the mouse here and the objects go away on all servers.

"What would have happened if this was your admin user? Auxiliary classes will require that you change your management methods for unknown objects. Don't delete an object from an older server if it went unknown because an aux class was added."

"So, let's restore Fred to the tree" – click mouse – "and then try to add an aux class to Fred again. If you are doing this from ConsoleOne, remember that you cannot control which server the update will be attempted on. You are simply pointing to a partition, and ConsoleOne can hit any server holding the partition. Let's assume that the NDS 7 or NDS 6 server is the one that ConsoleOne attempts to update. If your NDS 7 server is 7.55c or earlier, or if your NDS 6 server is 6.13 or earlier, this will be the result" – click mouse again and wait for the error.

"We showed this for addition to the NDS 7 server, but the same problem exists if you add an aux class on NDS 6. These are very bad problems, and can cause real problems for your tree. Novell has released an upgrade to both NDS 7 and NDS 6 servers that will help to alleviate some of these problems. Let's see what happens if you try to add an aux class to a 6 or 7 server running the latest code" – click mouse.

"For the NDS 6 and 7 latest release, attempts to modify the objectClass attribute result in a -666 error (incompatible DS version). Thus, the object is not modified, and no replication problems occur. However, you may experience inconsistent performance in a mixed tree depending on which server the ConsoleOne instance is talking to."

On NDS 7 and NDS 6 the objectClass attribute is set to top and unknown:
- auxClassObjectClassBackup—list of aux classes
- unknownBaseClass—original base class
- auxiliaryClassCompatibility—holds 'lie' consistency information; appears on 8 if synched to 7
27
Auxiliary Class Safety Precautions
- Upgrade your tree to all eDirectory 8 servers
- If you can't go to all eDirectory 8, then make sure you have the latest released patches for NDS 7 and NDS 6
- Never, never, never add auxiliary classes to objects on NDS 7 or NDS 6 servers
- Break the old habit of deleting unknown objects if you are using auxiliary classes
28
Auxiliary Class Benefits
- You can now apply attributes at will to objects in the tree, without requiring the schema definitions to be applied to all objects in the class
- Cleanup of auxiliary classes is a snap: simply remove the aux class name from the objectClass attribute, and all attributes disappear automatically
29
Using Matching Rules to Reduce Searches
30
Extensible Match
- Extensible Match is defined in LDAP v3
- Supports multiple matching rules for the same types of data
- Can implement new rules, e.g., "sounds like"
- Includes DN elements in the search criteria: the DN specification allows matching on specific elements of the DN of an object (for example the ou= element of cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa)
31
Task: Find All Admin Assistants in All the Sales Groups of this Company
[Tree diagram: Root; USA (Sales, Manufacturing), Germany (Sales, Finance), England (Sales, split into East and West, and Engineering); admin assistant containers holding Terry, Sam, Alice, Hilda and Bill]
Three clicks are required to pull up the animation.
32
Possibility One
1. Search for all admin assistant containers in the tree

    C:>ldapsearch … (organizationalRole=adminAssistant)
    organizationalRole=adminAssistant,ou=sales,o=usa
    organizationalRole=adminAssistant,ou=sales,o=germany
    organizationalRole=adminAssistant,ou=finance,o=germany
    organizationalRole=adminAssistant,ou=west,ou=sales,o=england
    4 matches

2. In the client, evaluate each DN to see if it is subordinate to a sales container

The first search returns the 4 organizationalRole containers; evaluation of the DNs results in 3 paths.
33
Possibility One (cont.)
3. Using each admin assistant container as a base, do a subtree search for users in that container

    C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
    cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
    1 matches

    C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
    cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
    cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
    2 matches

    C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=west,ou=sales,o=england" (objectClass=user)
    cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
34
Possibility Two
1. Search for all sales containers in the tree

    C:>ldapsearch … (ou=sales)
    ou=sales,o=usa
    ou=sales,o=germany
    ou=sales,o=england
    3 matches

2. Using each sales container as a base, do a subtree search for users in the admin assistant container

    C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
    cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
    1 matches

    C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
    cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
    cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
    2 matches

    C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=england" (objectClass=user)
    0 matches

What's wrong? This search assumes everything is at the same level!
35
In eDirectory
1. Use extensibleMatch

    C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
    cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
    cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
    cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
    cn=Bill, organizationalRole=adminAssistant,ou=west,ou=sales,o=england
    4 matches

The grammar (from RFC 2254) for an extensible match item is:

    extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" matchingrule ":=" value

xii. The 37th slide can specify the RFC and the section to refer to for the extensible match.
xiii. In the 38th slide, we should say no matching rule is supported still.
36
eDirectory Support for extensibleMatch
- eDirectory 8.7, available soon, supports extensibleMatch for matching on DN values
- eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and will ignore them
- Versions of eDirectory prior to 8.7 would return a protocol error if an extensibleMatch term was specified in a search filter
- Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object using the standard matchingRules and matchingRuleUse schema attributes

From RFC 2251, section 2.4.1:

The extensibleMatch is new in this version of LDAP. If the matchingRule field is absent, the type field MUST be present, and the equality match is performed for that type. If the type field is absent and matchingRule is present, the matchValue is compared against all attributes in an entry which support that matchingRule, and the matchingRule determines the syntax for the assertion value (the filter item evaluates to TRUE if it matches with at least one attribute in the entry, FALSE if it does not match any attribute in the entry, and Undefined if the matchingRule is not recognized or the assertionValue cannot be parsed). If the type field is present and matchingRule is present, the matchingRule MUST be one permitted for use with that type, otherwise the filter item is undefined. If the dnAttributes field is set to TRUE, the match is applied against all the attributes in an entry's distinguished name as well, and also evaluates to TRUE if there is at least one attribute in the distinguished name for which the filter item evaluates to TRUE. (Editor's note: the dnAttributes field is present so that there does not need to be multiple versions of generic matching rules such as for word matching, one to apply to entries and another to apply to entries and dn attributes as well.)

A filter item evaluates to Undefined when the server would not be able to determine whether the assertion value matches an entry. If an attribute description in an equalityMatch, substrings, greaterOrEqual, lessOrEqual, approxMatch or extensibleMatch filter is not recognized by the server, a matching rule id in the extensibleMatch is not recognized by the server, the assertion value cannot be parsed, or the type of filtering requested is not implemented, then the filter is Undefined. Thus for example if a server did not recognize the attribute type shoeSize, a filter of (shoeSize=*) would evaluate to FALSE, and the filters (shoeSize=12), (shoeSize>=12) and (shoeSize<=12) would evaluate to Undefined.
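An added example (not Novell's or eDirectory's code) serving both the Dynamic Groups slides and this extensibleMatch section: it evaluates search filters with the attr:dn:=value form against a small constructed directory, applies the TRUE/FALSE/Undefined rules quoted from RFC 2251 above, and resolves a dynamic group from its memberQueryURL together with uniqueMember and excludedMember. The admin-assistant filter it uses adds :dn to the organizationalRole term and an objectClass=user term; that filter, DIRECTORY, MANAGERS_GROUP and the KNOWN_ATTRS toy schema are its own assumptions, not taken from the slides.

```python
"""LDAP filter evaluation with the (attr:dn:=value) extensibleMatch form from these
slides, plus dynamic-group resolution from a memberQueryURL (RFC 2255 form).
Added example, not Novell's or eDirectory's code; supports &, |, equality, '*'
presence and attr:dn:=value with RFC 2251's TRUE/FALSE/Undefined. Samples are constructed."""
import re
from urllib.parse import unquote

KNOWN_ATTRS = {"cn", "ou", "o", "objectclass", "organizationalrole", "title"}  # toy schema
URL = re.compile(r"ldap:///([^?]*)\?([^?]*)\?(base|one|sub)?\?(.*)", re.I)
EXT_ITEM = re.compile(r"([A-Za-z][\w;-]*)(:dn)?(?::([\w.]+))?:=(.*)")

def parse_dn(dn):
    """DN -> [(type, value)] lowercased; assumes no escaped commas (true here)."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (p.partition("=") for p in dn.split(","))] if dn else []

def norm(dn):
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn))

def in_scope(dn, base, scope):
    e, b = parse_dn(dn), parse_dn(base)
    if b and e[-len(b):] != b:             # entry must sit under the base DN
        return False
    return {"base": len(e) == len(b), "one": len(e) == len(b) + 1, "sub": True}[scope]

def parse_filter(s):
    """Recursive descent over one parenthesised item; returns (node, remaining text)."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    if s[1:2] in ("&", "|"):
        op, kids, s = s[1], [], s[2:]
        while s.startswith("("):
            kid, s = parse_filter(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError(f"expected ')' at {s!r}")
        return (op, kids), s[1:]
    end = s.index(")")
    item, s = s[1:end], s[end + 1:]
    m = EXT_ITEM.fullmatch(item)
    if m:                                   # extensibleMatch item
        attr, dn_flag, rule, value = m.groups()
        if rule:                            # like 8.7: DN matching only, other rules are Undefined
            return ("undef",), s
        return ("=", attr.lower(), value.lower(), bool(dn_flag)), s
    attr, _, value = item.partition("=")
    return ("=", attr.lower(), value.lower(), False), s

def evaluate(node, dn, entry):
    """Returns True, False, or None for Undefined, following the RFC 2251 text above."""
    op = node[0]
    if op in ("&", "|"):
        r = [evaluate(k, dn, entry) for k in node[1]]
        if op == "&":
            return False if False in r else (None if None in r else True)
        return True if True in r else (None if None in r else False)
    if op == "undef":
        return None
    _, attr, value, dn_flag = node
    if attr not in KNOWN_ATTRS:             # unknown type: presence is FALSE, anything else Undefined
        return False if value == "*" else None
    values = {v.lower() for v in entry.get(attr, [])}
    if dn_flag:                             # dnAttributes: also try the entry's own DN components
        values |= {v for a, v in parse_dn(dn) if a == attr}
    return bool(values) if value == "*" else value in values

def search(directory, base, scope, flt):
    """DNs (as stored) that are in scope and for which the filter is TRUE."""
    node, rest = parse_filter(flt.strip())
    if rest:
        raise ValueError(f"trailing text in filter: {rest!r}")
    return sorted(dn for dn, e in directory.items()
                  if in_scope(dn, base, scope) and evaluate(node, dn, e) is True)

def dynamic_members(directory, group):
    """memberQueryURL hits, plus uniqueMember, minus excludedMember (normalized DNs)."""
    m = URL.fullmatch(group["memberqueryurl"][0])
    if not m:
        raise ValueError("memberQueryURL must look like ldap:///<base>??<scope>?<filter>")
    base, _attrs, scope, flt = m.groups()
    hits = {norm(d) for d in search(directory, unquote(base), (scope or "base").lower(), unquote(flt))}
    hits |= {norm(d) for d in group.get("uniquemember", [])}
    hits -= {norm(d) for d in group.get("excludedmember", [])}
    return sorted(hits)

def _user(cn, title=None):
    return {"objectclass": ["user"], "cn": [cn], **({"title": [title]} if title else {})}

DIRECTORY = {   # constructed sample: the admin-assistant tree plus two managers
    "cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa": _user("Terry"),
    "cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany": _user("Sam"),
    "cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany": _user("Alice"),
    "cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany": _user("Hilda"),
    "cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england": _user("Bill"),
    "cn=Peggy,ou=sales,o=usa": _user("Peggy", "manager"),
    "cn=Scott,ou=sales,o=usa": _user("Scott", "manager"),
}
MANAGERS_GROUP = {   # constructed dynamic group; attribute names lowercased
    "memberqueryurl": ["ldap:///ou=sales,o=usa??sub?(title=manager)"],
    "uniquemember": ["cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa"],
    "excludedmember": ["cn=Scott,ou=sales,o=usa"],
}
ADMIN_ASSISTANTS_IN_SALES = "(&(ou:dn:=sales)(organizationalRole:dn:=adminAssistant)(objectClass=user))"
```

One server-side search with dn-matching on both DN components replaces the multi-step "possibilities" above, and Hilda under finance is correctly left out.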
37
Directory Events in LDAP
38
How Do I Track Directory Changes?
Q: Students can change some of their own information—how can I track their changes in my instructor application using LDAP?
- I can poll the directory looking for changes (requires me to keep state information in my app)
- I can use directory events: Persistent Search, or the LDAP eDirectory events extension
39
LDAP Persistent Search
- Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server
- Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter
- The connection to the server remains open until the search is abandoned
- Persistent search is supported by multiple directories

xiiii. Could mention the IETF draft in slide 42.
40
Applications of Persistent Search
What does Persistent Search enable?
- Applications driven by business process events
- Creating and updating a local cache easily
- Auditing
- Data logging
- Data reporting
- And more…
Persistent Search is an LDAP-standard way of getting directory events. Examples of these:
Business processes: whenever a new student is added to Aspen, an independent process can detect the change, send him a welcome and print an address label for a packet of information. This allows a separate application to perform this work instead of building it all into the Aspen demo.
Cache: create a local cache of all course objects. Make the initial call with changesOnly=0 so you get all the courses. Then you get notified when any course object is added or removed.
Auditing/logging: a separate process does a persistent search of all user objects (changes only), reading the modifier's name and modification timestamp. It gets notification of any user added, deleted, renamed, or modified.
41
eDirectory Events Extension
- Novell extension allowing an LDAP client to be notified of the occurrence of various events on a Novell eDirectory server
- Utilizes the LDAP v3 extended operation extension mechanism
- It also uses an intermediate response Protocol Data Unit (PDU) as described in the IETF draft draft-rharrison-ldap-intermediate-resp-00.txt
- Available on all platforms supported by Novell eDirectory 8.7
This is Novell-specific and not standard LDAP. Psearch: data in the directory on the server, and I want a directory-agnostic app. Extension: when I am eDirectory event specific.
42
Selectively Monitor eDirectory Events
Novell eDirectory defines several directory-related events, including:
- Operations on individual entries and their attributes
- Partition and replica operations
These events can be used for debugging, auditing and management.
Access to each event is controlled by rights checking. If the user does not have the required privileges, the request will fail: an EventExtendedResponse will be returned by the server with a responseCode value of insufficientPrivileges.

The eDirectory server has a directory event service that defines over 200 directory-related events. The defined events span a large number of operations that occur within the directory. They include operations on individual entries and their attributes as well as partition and replica operations. Some of the events are used for debugging purposes, while others are designed to support auditing and management applications. This is an LDAP extension that allows an LDAP client to selectively monitor events that occur on an eDirectory server.

xvi. In slide 46, what are we debugging?
xvii. In slide 46, 3rd statement, could specify the default ACL.
43
Event Handling Priority
- The eDirectory event system extension supports the equivalent of the eDirectory journal priority
- Event notifications are sent to a client in the order in which the events occurred on the server, after the underlying operations have completed
- Order is guaranteed, and events are received after DS has processed the information
- You cannot preempt an event or register for in-line processing

The eDirectory event system allows event notification to occur at three different priorities: in-line, journal, and work. When in-line priority is selected, event notification occurs before the actual operation, and the operation does not proceed until the recipient of the event completes processing of the event. In-line priority is designed for processing that can complete very quickly and may need to abort the underlying operation. The journal and work priorities are very similar. Both perform event notification after the underlying operation(s) have completed. The main difference is that journal priority guarantees that the client receives notification of events in the same order in which the events actually occurred. Work priority does not provide such a guarantee. The eDirectory event system extension supports the equivalent of the journal priority. Event notifications are sent to a client in the order in which the events occurred on the server after the underlying operations have completed.
44
Applications of eDirectory Events
What can I do with eDirectory Events?
- eDirectory monitoring
- Auditing
- Automation of infrastructure changes
- Automated business logic
All of these things can be done with eDirectory—they don’t exist in the same form on other directory products
45
Configurable Transport Security
46
eDirectory 8.7 Debuts Full TLS 1.0
SAS Library                                  | Novell TLS Library
---------------------------------------------|-------------------------------------------------------
SSL v3.0 support                             | TLS 1.0 support (RFC 2246)
Limited interoperability with other clients  | Full TLS 1.0 compliance, good interoperability
Limited support for EXTERNAL authentication  | Fully configurable support for EXTERNAL authentication
No support for StartTLS                      | Supports LDAP StartTLS
Both libraries: cryptography using NICI
47
Please may I have your Cert?
Connecting with TLS (slide figure captions: “Give me your Cert!” / “Please may I have your Cert?”)
The eDirectory LDAP server can now be configured to use the following TLS handshakes:
- Server Certificate Only
- Request Client Certificate
- Require Client Certificate
This configuration is done through iManager
48
Selectable Channel Encryption
I’m connected to the directory on the clear-text port, and I want to access my credit card information—what do I do?
- I can drop my connection, re-authenticate to the SSL port, and get the data
OR
- I can send the StartTLS extended request along with the query to read my credit card
49
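As an added example (not code from the presentation or from Novell), the StartTLS extended request that the second option relies on, built by hand with only the Python standard library: the RFC 2830 OID 1.3.6.1.4.1.1466.20037 is wrapped in an LDAP ExtendedRequest, and the client must read the server's ExtendedResponse and wrap the same socket in TLS only after a success result. The `start_tls` helper, its socket and hostname are assumptions for illustration, not eDirectory's own API.

```python
import socket
import ssl

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 2830 StartTLS extended operation


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV; these messages are tiny, so short-form length normally suffices."""
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def start_tls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } } (IDs < 128)."""
    ext_req = _tlv(0x77, _tlv(0x80, START_TLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV at pos; handles short and long lengths."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def parse_extended_response(msg: bytes) -> dict:
    """Extract messageID, resultCode, diagnosticMessage and responseName from an ExtendedResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    _, mid, pos = _read_tlv(body, 0)
    etag, ext, _ = _read_tlv(body, pos)
    if tag != 0x30 or etag != 0x78:           # SEQUENCE / [APPLICATION 24]
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _read_tlv(ext, 0)          # resultCode ENUMERATED
    _, _, pos = _read_tlv(ext, pos)           # matchedDN (ignored)
    _, diag, pos = _read_tlv(ext, pos)        # diagnosticMessage
    name = b""
    while pos < len(ext):                     # optional trailing fields
        t, val, pos = _read_tlv(ext, pos)
        if t == 0x8A:                         # responseName [10]
            name = val
    return {"id": int.from_bytes(mid, "big"), "result": int.from_bytes(code, "big"),
            "diag": diag.decode(errors="replace"), "name": name}


def start_tls(sock: socket.socket, server_hostname: str) -> ssl.SSLSocket:
    """Upgrade an open clear-text LDAP socket; refuse to proceed unless the server returned success."""
    sock.sendall(start_tls_request())
    resp = parse_extended_response(sock.recv(4096))
    if resp["result"] != 0:
        raise RuntimeError(f"StartTLS refused: {resp['result']} {resp['diag']}")
    ctx = ssl.create_default_context()        # verifies the server certificate against system trust
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```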
Ending TLS on a Connection
- Client or server sends a TLS end notification
- All operations are abandoned
- TLS is turned off by both client and server
- Connection reverts to anonymous
Specified in RFC 2829
50
TLS Information
- Functionality is defined in RFC 2222, 2829, and 2830
- Novell TLS Library* is based on the OpenSSL project (current version 0.9.c) with the cryptographic library replaced by NICI
* This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
51
New LDAP Authentication Methods
52
Is LDAP Simple Bind Secure Enough?
Are you confident that the user is who he claims to be?
Employee: Jane.Smith / Password: jsmith
Hacker, aka Jane.Smith / Password: jsmith
53
SASL Exposed
- SASL (Simple Authentication and Security Layer) is an authentication negotiation framework
- Server lists registered authentication mechanisms in the supportedSASLMechanisms attribute of the root DSE
- Client chooses the authentication method
- Server implements authentication policy
- Official SASL mechanisms are registered with IANA*
- eDirectory 8.7 supports EXTERNAL, DIGEST-MD5, and NMAS_LOGIN
*Internet Assigned Numbers Authority
54
SASL EXTERNAL
- TLS handshake establishes client identity by means of certificate-based client authentication
- LDAP SASL EXTERNAL uses that identity for the user connection
55
SASL DIGEST-MD5
- SASL bind packet with hashed password
- Allows the password to be securely sent over a clear-text connection
- Requires that the server maintain a clear-text copy of the password in the NMAS encrypted store; that copy is hashed using data provided in the bind and then compared to the hashed password contained in the bind
56
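To make concrete why the server must hold a clear-text copy of the password, here is an added example (not Novell's code) of the RFC 2831 DIGEST-MD5 computation in Python: the server recomputes the client's response from the stored password and both nonces, and the client checks the server's rspauth in return. The realm, digest-uri, user name and nonces are constructed sample values, and the simulated exchange stands in for the LDAP bind packets.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the simulation; not eDirectory's real realm or URI.
REALM = "example.com"
DIGEST_URI = "ldap/ldap.example.com"
NC = "00000001"          # nonce-count for the first use of the server nonce


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, qop, uri, a2_prefix="AUTHENTICATE"):
    """RFC 2831 response-value for qop=auth; a2_prefix="" yields the server's rspauth instead."""
    # A1 begins with the *binary* MD5 of user:realm:password, then the nonces as text.
    a1 = _h(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"{a2_prefix}:{uri}".encode()
    kd = f"{_h(a1).hex()}:{nonce}:{NC}:{cnonce}:{qop}:{_h(a2).hex()}"
    return _h(kd.encode()).hex()


def client_bind(username, password, nonce):
    """Client side of the SASL bind: choose a cnonce and answer the server's challenge nonce."""
    cnonce = secrets.token_hex(16)
    return cnonce, digest_md5_response(username, REALM, password, nonce, cnonce, "auth", DIGEST_URI)


def server_verify(stored_password, username, nonce, cnonce, response):
    """Server side: the response can only be recomputed from the clear-text password
    (or at least MD5(user:realm:password)); a one-way stored password hash would not do."""
    expected = digest_md5_response(username, REALM, stored_password, nonce, cnonce, "auth", DIGEST_URI)
    if not hmac.compare_digest(expected, response):
        return None  # bind fails with invalidCredentials
    return digest_md5_response(username, REALM, stored_password, nonce, cnonce, "auth", DIGEST_URI, a2_prefix="")


def simulate_bind(client_password, stored_password, username="Jane.Smith"):
    """Full exchange: server challenge, client response, server rspauth, client check of rspauth."""
    nonce = secrets.token_hex(16)  # server challenge; the password itself never crosses the wire
    cnonce, response = client_bind(username, client_password, nonce)
    rspauth = server_verify(stored_password, username, nonce, cnonce, response)
    if rspauth is None:
        return False
    # Mutual authentication: the client confirms the server also knew the password.
    expected = digest_md5_response(username, REALM, client_password, nonce, cnonce, "auth", DIGEST_URI, a2_prefix="")
    return hmac.compare_digest(expected, rspauth)
```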
SASL NMAS_LOGIN (slide figure: Fingerprint, Password, Biometric, Smart card, Certificate)
- Allows the full functionality of Novell Modular Authentication Services to be applied to LDAP binds
- Login policy maintained by the server
- Provides for multiple levels of authentication and identification
57
Device Provisioning with Embedded LDAP Clients
58
Novell Leadership in Device Provisioning
Through our embedded technology effort, Novell has been in the embedded eDirectory business for eight years
- iPrint and eNDPS (embedded Novell Distributed Print Services™ (NDPS®) technology)
Introducing the Embedded Device Provisioning Agent (eDPrA): Novell offers the market self-provisioning hardware managed by eDirectory
59
What Is Embedded Device Provisioning?
Directory-enabled device provisioning
- Allows for non-computer connected devices to work with eDirectory
- Improves security on hardware that has been limited by SNMP standards (simple login and passwords)
- Allows for management of millions of devices at one time
- Provides hands-free configuration and setup

Non-computer devices still have embedded processing capability, but typically don’t have keyboard/display capability. Being able to configure and manage this type of equipment provides greater flexibility. LDAP provisions for enhanced authentication provide much better security than the simple login/password provided with SNMP. The scalability of eDirectory makes it so that you can manage millions of devices at one time. Authentication to the directory by a device on power-up provides a slick method of configuring the device.
60
How a Directory Helps Provisioning
- Increases deployment speeds of embedded hardware
- Improves management of the overall system
- Enhanced security from multiple authentication methods
- More scalable than SNMP

Increases deployment speeds of embedded hardware because the directory provides:
- Directory-based policies for self-provisioning of hardware and software
- Integration with customer record, billing, and accounting systems (DirXML)
- Management of process flow and relationships between companies/organizations
- Complements existing systems and infrastructure
Improves management of the overall system:
- Objects in the directory(ies) are aggregated into a secure system
- Can manage large groups of objects in various inter-related ways: globally, regionally, in groups, or individually
- Multiple directories interconnected in custom ways
Secure system:
- SSL and certificate-based authentication
- Support for additional authentication models
- Multi-layered security model: directory objects can have individual access rights managed down to the attributes of an object
- Centralized (unlike SNMP)
Scalability:
- Scales much larger than SNMP-alone based management systems
- Easily manage millions of objects (CPE, ports, etc.) in the directory
- Novell Directory Services scales to billions of objects
61
Directory-based Provisioning
Provisioning of devices within the enterprise (slide diagram: Order entry, HR, Work order, Billing, Management console; Novell eDirectory holding Provisioning policies, Trouble alert policies, Billing policies, Data sync policies, Security; Wireless device, Router, CPE, Caching or other hardware, Networked hardware, Internet, Data, DirXML)

Common data can be leveraged between systems, simply by adding attributes to objects to describe more information about the object, or by associating objects together. This greatly simplifies the management. NDS allows for auxiliary classes to be defined and associated with base classes for additional attribute customization. Policy information is also maintained in the directory, scaling from individual objects up to all objects in the tree. Typically, objects are grouped or contained and policy is applied at that level.
62
Bringing It All Together
63
Outdoor Adventures: Bringing It All Together
Let’s look at how these new features can benefit a hypothetical company, Outdoor Adventures
- Auxiliary classes are used to identify students and instructors
- ACLs are used to give students and instructors rights to view information they need on the web
- The [This] ACL is used to allow students to modify their own object attributes
- Access to specific course information is allowed by assigning ACLs to dynamic groups that identify students
64
Outdoor Adventures: Bringing It All Together
- Instructors use Persistent Search to dynamically update their web display of class members
- Searches in the tree are simplified with DN matching rules
- Credit card information is transmitted over TLS connections
- Advanced authentication (thumbprint) is required for instructors to access student and course information
- The Outdoor Adventures network is run using switches and routers configured from the directory
65
Outdoor Adventures: Bringing It All Together
Want to learn more about these concepts and see them in operation?
- The “How To” information is given in sessions DL204, DL307, and TUT242
- The Outdoor Adventures web site showcasing all of these concepts can be experienced in the tech lab
66
Novell eDirectory 8.7—It’s Not Just a NOS Directory Anymore
How do I get this great full-service LDAP directory product for re-distribution with my applications?
- You can have your customers go out and buy individual licenses as needed, OR
- Developers can sign up for the Novell eDirectory Re-distribution Kit by visiting developer.novell.com/edirectory/ and receiving 250,000 eDirectory licenses for free (now that’s a DEAL)

Need to push the RDK here. The developer has unlimited internal licenses for development, 250,000 for internal business use, and 250,000 for each product shipped.
67
Vision…one Net Mission
Vision: A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
70
Developer References
- Novell Developer LDAP SDKs, documentation, and samples
- Novell eDirectory Evaluation Version and Redistribution kit
- Novell Modular Authentication (NMAS™)
- Novell Developer AppNotes
71
Developer References
- LDAP Zone: The latest information and resources for LDAP
- Directory Interoperability Forum
- Works with LDAP certification
72
Developer References
- LDAP IETF standards
- Filters and extensibleMatch
- The TLS protocol
- Extension for TLS (startTLS)
- SASL (Simple Authentication and Security Layer)
73
References
- eDirectory ACLs
- Dynamic Groups
- Persistent Search
Section 5.7 Dynamic Groups App note on Persistent Search Soon to be App note on