
Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando Sacha Faust PricewaterhouseCoopers


1 Building Secure, Flexible and Scalable Environments using LDAP
SANS 2002 - Orlando
Sacha Faust, PricewaterhouseCoopers
sacha@severus.org
sacha.faust.bourque@ca.pwcglobal.com

2 LDAP overview
- History
- Historical usage
- Technical specs

3 History
- Created by the University of Michigan
- Evolution
  – 1993: LDAP v1: RFC 1487: X.500 Lightweight Directory Access Protocol
  – 1995: LDAP v2: RFC 1777: Lightweight Directory Access Protocol
  – 1997: LDAP v3: RFC 2251: Lightweight Directory Access Protocol (v3)

4 Historical usage
- People-centric information
  – Phone books
  – Personnel data
- Large white-pages applications

5 Technical specs
- TCP/IP
- Lightweight
- Hierarchical structure
- Easy API

6 LDAP for a single sign-on environment?
- Why is single sign-on needed?
- Why is LDAP a viable solution for single sign-on?
- Requirements for an efficient and secure single sign-on solution
- Technical challenges for implementing a true single sign-on
- What can LDAP do to solve the problems?

7 Why is single sign-on needed?
- Large networks
- Multiple operating systems
- Various network devices
- Centralizing infrastructure

8 Why is LDAP a viable solution for single sign-on?
- Lightweight
- TCP/IP
- Open standard
- Already used to store people-centric information

9 Requirements for an efficient and secure single sign-on solution
- Open standard
- Scalability
- Access controls
- Easy to integrate with current infrastructure
- Easy and reliable API
- Easy to manage

10 Technical challenges for implementing a true single sign-on
- Cross-platform support
- Cross-platform user settings
- Data synchronization
- Proprietary authentications
- Security
- Schema and organizational structure

11 What can LDAP do to solve the problems?
- Open standard
- Support for SSL
- Most vendors offer ACLs
- Customizable schema
- Powerful search capabilities

12 Test case: ASP environment

13 Overview

14 NT Authentication


18 Linux/UNIX Authentication


21 Why is this solution better?
Advantages:
- Security
  – Central control of all users
  – Central point of revocation
- Flexibility
- Scalability
- Financially
  – Most of the components are available for free use
  – Low management cost
  – Doesn't require a lot of administration

22 Security
- Central control of all users
- Central point of revocation

23 Advanced topics
- LDAP security
  – Steps to secure your LDAP server
  – Special considerations for single sign-on

24 Steps to secure your LDAP server
1. Identifying requirements
2. Securing the directory
3. LDAP server host security
4. Network security

25 1. Identifying requirements
- Network access
- Types of users and groups
- Defining data access requirements
- LDAP schema

26 Network access
- Network architecture
- Identifying member servers and their requirements
- Identifying clients and their requirements

27 Types of users and groups
- Administration users
- Read users
- Write users
- Member servers
- Groups
  – Static
  – Dynamic

28 Defining data access requirements
- What can each member server do and see
- Types of information users can see
- What attributes the user can change on themselves
- Data risk level
  – Is the data public?
  – Is the data restricted per organizational unit?
  – Is the data used for the infrastructure?

29 Data risk level
- Is the data public?
- Is the data restricted per organizational unit?
- Is the data used for the infrastructure?

30 2. Securing the directory
- Implementing ACLs
- Strong password management

31 3. LDAP server host security
- File system
  – File system ACLs
  – Identifying critical data
  – Integrity
- Non-privileged user
- Registry (Win32 only)
- Limiting services

32 File system
- File system ACLs
- Identifying critical data
- Integrity

33 4. Network security
- Encrypting data
  – SLDAP (LDAP over SSL)
- Authentication
  – Basic?
  – Certificate?
  – Anonymous?

34 Special considerations for single sign-on
- Security of the object class attributes
  – 1. NT Authentication using iPlanet Directory Server
  – 2. PAM authentication via LDAP
- Security of the authentication module
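As an added example (not part of the original deck), this OpenLDAP slapd.conf fragment shows how the directory and network steps above translate into configuration: encryption and no anonymous binds for the network layer, and first-match ACLs that give users write access only to their own attributes, member servers read-only access through a service account, and a static admin group write access. The suffix dc=example,dc=com, the certificate paths, and the cn=nss-proxy and cn=ldap-admins entries are assumed placeholders.

```conf
# slapd.conf fragment (OpenLDAP). Added example, not from the deck.
# dc=example,dc=com, the cert paths and the service/group DNs are assumed.

# Network security: require TLS (ldaps:// or StartTLS) with at least
# 128-bit strength for every operation, including the simple bind itself,
# so passwords never cross the wire in the clear.
TLSCACertificateFile  /etc/openldap/certs/ca.crt
TLSCertificateFile    /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
security ssf=128 simple_bind=128

# Authentication: refuse anonymous binds; store passwords salted and hashed.
disallow bind_anon
password-hash {SSHA}

# Securing the directory: ACLs are evaluated top-down and the first
# matching "access to" clause wins, so the most specific rules come first.

# Users may change their own password. The 'auth' right lets a not-yet-bound
# connection compare a password during bind without being able to read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Self-service attributes ("what attributes the user can change on themselves").
access to attrs=loginShell,mail,telephoneNumber
    by self write
    by users read
    by * none

# Member servers (the NT and PAM clients) read the People tree through a
# dedicated service account; other authenticated users may also read it.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=nss-proxy,ou=Servers,dc=example,dc=com" read
    by users read
    by * none

# A static group (groupOfNames/member) of administrators holds write access;
# anything not matched above is denied.
access to *
    by group.exact="cn=ldap-admins,ou=Groups,dc=example,dc=com" write
    by * none
```

Because rules are matched in order, moving the `access to *` clause above the attribute rules would silently deny the self-service writes; check the effective rights with a bind as a test user rather than by reading the file.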

35 NT Authentication using iPlanet Directory Server

36 PAM authentication via LDAP

37 Quick links
- Further readings
- Tools
- Implementations

38 Further readings
- LDAP Overview by Bruce Greenblatt
- Why LDAP & Security Are Critical to Your Success
- Solaris 8 LDAP Setup and Configuration Guide
- IBM Understanding LDAP
- Securing Netscape Directory Server paper (work in progress)

39 Tools
- LDAP Browser/Editor
- LDAPMiner
- NetscapeGetACL
- LDAPRootDSE

40 Implementations
- OpenLDAP
- iPlanet
- Novell eDirectory
- Tivoli (IBM)

41 Questions?
