OpenLDAP Directory Administration LDAP Interoperability

slide2

Table of Contents

  • Introduction
  • Interoperability or Integration
  • Directory Gateways
  • Cross-Platform Authentication Services
  • Distributed, Multivendor Directories
  • Metadirectories
  • Push/Pull Agents for Directory Synchronization
slide4

Introduction

  • Why a chapter on interoperability when LDAP is supposed to be a standard protocol?
  • The selling point of LDAP is its potential for consolidating vendor-specific and application-specific directories
  • LDAP “minimizes” interoperability problems
  • Core features of LDAP are standardized, but things such as schemas are not: many common object classes can be extended by vendors
  • The protocol can be extended as well
  • For each service that is consolidated into an LDAP directory, there must be a corresponding client-side application able to access the old information in the new directory
  • This chapter discusses the technologies used to solve these problems
slide6

Interoperability or Integration?

  • Directory integration means enabling client applications to access data in an LDAP directory
  • Interoperability addresses communication between LDAP servers themselves
  • The distinction blurs when one LDAP server becomes the client of another LDAP server
  • The first question should always be: what level of integration or interoperability does your application require?
  • Some common approaches are listed on the following slides
slide9

Directory Gateways

  • Gateways have existed for a very long time, e.g. between different email formats, network filesystems, etc.
  • Examples:
    • PADL's ypldapd daemon: it answers NIS clients, but from the LDAP server's point of view it is just another LDAP client
    • NIS/LDAP gateway shipped with Microsoft “Windows Services for UNIX (SFU)”
      • Provides tools for importing data from a NIS domain into Active Directory
  • Main advantage of using a gateway
    • You usually don't have to modify any clients
    • This results in a lower cost of administration
  • Disadvantages
    • Additional overhead; clients don't take advantage of LDAP features
slide11

Cross-Platform Authentication Services

  • Not: interoperability between directory services
  • But: interoperability between a specific directory service and non-native clients
  • E.g.
    • NIS/Active Directory gateway included in Microsoft's “Services for UNIX”
    • PADL's PAM and NSS LDAP modules
    • Active Directory + Kerberos 5
slide13

Distributed, Multi-vendor Directories

  • LDAP servers from various vendors can be linked into a single, logical, distributed directory
  • Why a multi-vendor directory?
    • A single-vendor directory may force you to make decisions that you are uncomfortable with
    • E.g. say a product (a calendar server) has only been tested with a particular LDAP server; possible solutions:
      • Abandon the calendar server
      • Replace the existing directory
      • Install the LDAP server that supports the calendar application and include it as a subtree of your existing directory framework
    • The last option is the only one that makes sense
  • How is this any different from the myriad of application-specific directories in the past?
    • Here: a single access protocol for clients and admin tools
slide14

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory

  • Working OpenLDAP, naming context dc=plainjoe,dc=org
  • Active Directory, DNS domain ad.plainjoe.org, naming context is dc=ad,dc=plainjoe,dc=org

[Figure: two servers linked by knowledge references. Windows Active Directory (naming context dc=ad,dc=plainjoe,dc=org) holds a reference to ldap://ldap.plainjoe.org/dc=plainjoe,dc=org; OpenLDAP (naming context dc=plainjoe,dc=org) holds a referral to ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org]

slide15

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

  • We need to add two knowledge references to this system:
    • Point from the Active Directory service to the OpenLDAP server
    • Refer client searches from the OpenLDAP server to the Active Directory domain
  • The ADSI Edit MMC snap-in is required
    • \support\tools on the Windows CD
slide16

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Create referral from AD to OpenLDAP:

  • Must be created inside the cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org container
  • Create a new crossRef object
  • Add a node named OpenLDAP with an nCName attribute whose value is dc=plainjoe,dc=org and a dnsRoot attribute whose value is ldap.plainjoe.org
  • The corresponding LDIF:

dn: cn=OpenLDAP,cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org
objectClass: crossRef
cn: OpenLDAP
nCName: dc=plainjoe,dc=org
dnsRoot: ldap.plainjoe.org

  • This instructs the Active Directory server to return a referral of the form ldap://ldap.plainjoe.org/dc=plainjoe,dc=org to clients in response to an LDAP search whose base lies under dc=plainjoe,dc=org

slide17

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Add the corresponding knowledge reference to OpenLDAP:

  • LDIF of the object to add to OpenLDAP:

dn: dc=ad,dc=plainjoe,dc=org
objectclass: referral
objectclass: dcObject
ref: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org
dc: ad

  • ldapadd syntax (-w puts the password on the command line, where it is visible in the process list and the shell history; -W prompts for it instead):

$ ldapadd -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
> -H ldap://ldap.plainjoe.org/ -f ad-referral.ldif

slide18

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing Lookups:

  • This search does not follow the referral, so no entries are returned, only the referral itself:

$ ldapsearch -H ldap://ad.plainjoe.org/ -x \
> -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
Referral (10)
Additional information: 00002028: RefErr: DSID-031005EE,data 0,1 access points
ref 1: 'ldap.plainjoe.org'
Referral: ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org

slide19

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing Lookups (cont.):

  • This search follows the referral (-C switch):

$ ldapsearch -H ldap://ad.plainjoe.org/ -x -C \
> -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
dn: cn=Gerald Carter,ou=people,dc=plainjoe,dc=org
objectClass: posixAccount
objectClass: account
objectClass: sambaAccount
cn: Gerald Carter
uidNumber: 780
uid: jerry
gidNumber: 100
homeDirectory: /home/queso/jerry
loginShell: /bin/bash
rid: 2560
acctFlags: [UX ]
pwdLastSet: 1018451245

slide20

Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing Lookups (cont.):

  • The other way round: a search against OpenLDAP for data stored in Active Directory
  • By default, Active Directory does not support anonymous searches (apart from its rootDSE), so an anonymous search only gets a referral back; test with and without the -C option:
  • For more, see single sign-on and Kerberos under Cross-Platform Authentication Services

$ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
> -b "dc=ad,dc=plainjoe,dc=org" -LLL -C "(sAMAccountName=kristi)"
# refldap://ad.plainjoe.org/CN=Configuration,DC=ad,DC=plainjoe,DC=org

$ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
> -b "dc=ad,dc=plainjoe,dc=org" -LLL "(sAMAccountName=kristi)"
Referral (10)
Matched DN: dc=ad,dc=plainjoe,dc=org
Referral: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub
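The referrals returned above are plain LDAP URLs (RFC 4516). The following is an added example, not part of the slides, that parses such a URL and applies a simple allowlist before a client chases it: a chased referral makes the client connect to whatever host the server named and, depending on its rebind policy, possibly re-bind there with its own credentials. The host names are the slides'; the trusted-host set and the should_follow() policy are this example's assumptions.

```python
# Added example (not from the slides): parse an LDAP URL referral and decide
# whether a client should chase it. The trusted-host list and should_follow()
# policy are assumptions of this example.
from urllib.parse import unquote

# Constructed copies of the two referrals shown in the ldapsearch output above.
REFERRAL_OPENLDAP_TO_AD = "ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub"
REFERRAL_AD_TO_OPENLDAP = "ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org"


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516: scheme://host:port/dn?attrs?scope?filter) into parts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.rpartition(":")   # "host:port" or just "host"
    if not host:                                # no ':' present: rpartition put the host last
        host, port = port, ""
    fields = tail.split("?")                    # dn, attrs, scope, filter, all optional
    fields += [""] * (4 - len(fields))
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",               # RFC 4516: a missing scope means base
        "filter": filt or "(objectClass=*)",    # RFC 4516: a missing filter means all entries
    }


def should_follow(referral, trusted_hosts, allow_plaintext=False):
    """Policy check before chasing a referral: the client would connect to, and may
    re-bind with its credentials at, whatever host the server named."""
    url = parse_ldap_url(referral)
    if url["host"] not in trusted_hosts:
        return False, "referral points at untrusted host %s" % url["host"]
    if url["scheme"] == "ldap" and not allow_plaintext:
        return False, "referral would carry the bind over unencrypted ldap://"
    return True, "ok"


if __name__ == "__main__":
    for ref in (REFERRAL_OPENLDAP_TO_AD, REFERRAL_AD_TO_OPENLDAP):
        print(ref, "->", should_follow(ref, {"ad.plainjoe.org"}, allow_plaintext=True))
```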

slide22

Metadirectories

  • Term describes any solution that joins distinct, isolated data sources into a single logical volume
  • Popular products on the market:
    • MaXware MetaCenter (http://www.maxware.com/)
    • Siemens DirXmetahub (http://www.siemens.ie/fixedoperators/CarrierNetworks/Meta/dirxmetahub.htm)
    • Sun Microsystems SunONE MetaDirectory (http://wwws.sun.com/software/products/meta_directory/home_meta_dir.html)
    • Novell's eDirectory and DirXML combination (http://www.novell.com/products/edirectory/)
    • Microsoft Metadirectory Services (http://www.microsoft.com/windows2000/technologies/directory/MMS)
  • A metadirectory is any directory service that presents an alternative view of a data source
slide23

Metadirectories (cont.)

OpenLDAP's Proxy Backend

  • Translates the server's schema into a different view, suitable for a particular application
  • No replication or synchronization of data
  • E.g. a client expects the directory to provide an email address in the mail attribute; assume an Active Directory where the Kerberos principal name (userPrincipalName) is username@domain. It makes no sense to duplicate this information
  • Requirements:
    • The Active Directory domain must be configured for the DNS domain ad.plainjoe.org
    • The DNS name ad.plainjoe.org must resolve to the IP address of an Active Directory domain controller for that domain
    • An account named ldap-proxy must be created in AD for use by the proxy server when binding to a Windows DC
slide24

Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

  • Supports updating the target via the proxy; supports ACLs
  • This backend is not enabled by default
  • Recompile slapd and define a new database in slapd.conf
  • bindpw holds the ldap-proxy account's password in clear text, so slapd.conf must be readable only by the user slapd runs as

$ ./configure --enable-ldap --enable-rewrite

database ldap
suffix ou=windows,dc=plainjoe,dc=org
uri ldap://ad.plainjoe.org
suffixmassage ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
binddn cn=ldap-proxy,cn=users,dc=ad,dc=plainjoe,dc=org
bindpw proxy-secret
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *

slide25

Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

  • See the result: query Active Directory directly (on the original slide, the items that the proxy later presents are in italic)

$ ldapsearch -H ldap://ad.plainjoe.org -x \
> -D ldap-proxy@ad.plainjoe.org -w proxy-secret \
> -b "cn=users,dc=ad,dc=plainjoe,dc=org" -LLL \
> "(sAMAccountName=kristi)"
dn: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: Kristi Carter
countryCode: 0
displayName: Kristi Carter
givenName: Joe
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=plainjoe,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

slide26

Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

  • (cont.)

objectGUID:: NDHKI8oYFkqN8da3Gl9a5Q==
objectSid:: AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA==
primaryGroupID: 513
pwdLastSet: 126784120014273696
name: Kristi Carter
sAMAccountName: kristi
sAMAccountType: 805306368
sn: Carter
userAccountControl: 66048
userPrincipalName: kristi@ad.plainjoe.org
uSNChanged: 2963
uSNCreated: 2957
whenChanged: 20021006210839.0Z
whenCreated: 20021006210637.0Z

slide27

Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

  • Now we issue a similar query to the proxy server, except we look up a uid rather than an Active Directory sAMAccountName:

$ ldapsearch -H ldap://ldap.plainjoe.org -x \
> -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: account
cn: Kristi Carter
uid: kristi
mail: kristi@ad.plainjoe.org

  • From the two results, we see that:

objectClass: user  mapped to  objectClass: account  (map objectclass account user)
name: Kristi Carter  mapped to  cn: Kristi Carter  (map attribute cn name)
sAMAccountName: kristi  mapped to  uid: kristi  (map attribute uid sAMAccountName)
userPrincipalName: kristi@ad.plainjoe.org  mapped to  mail: kristi@ad.plainjoe.org  (map attribute mail userPrincipalName)

slide28

Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

  • If you remove the directive that filters out all the attributes that aren't explicitly mapped (map attribute *), the response is slightly different:
  • slapd still filters out some attributes because queries are still controlled by the local schema in slapd.conf: attribute types unknown to the local schema are filtered out

$ ldapsearch -H ldap://ldap.plainjoe.org -x \
> -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
cn: Kristi Carter
displayName: Kristi Carter
mail: kristi@ad.plainjoe.org
givenName: Kristi
distinguishedName: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: account
cn: Kristi Carter
uid: kristi
sn: Carter
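The proxy slides together describe what back-ldap does to each entry: suffixmassage rewrites the DN, map attribute and map objectclass rename types, map attribute * drops everything not explicitly mapped, and without that line the local schema still filters out unknown attribute types. The following is an added example, not OpenLDAP's code or the slides', that models this rewrite in plain Python over a constructed copy of the AD entry shown above; the set of attribute types the local slapd schema knows is an assumption.

```python
# Added example (not from the slides or OpenLDAP): model what back-ldap does to
# an entry, using the slapd.conf directives from the proxy configuration above.

# Constructed, trimmed copy of the Active Directory entry shown in the direct query.
AD_ENTRY = {
    "dn": "CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Kristi Carter"], "name": ["Kristi Carter"], "sn": ["Carter"],
    "givenName": ["Kristi"], "displayName": ["Kristi Carter"],
    "sAMAccountName": ["kristi"], "userPrincipalName": ["kristi@ad.plainjoe.org"],
    "objectSid": ["AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA=="], "userAccountControl": ["66048"],
}

# slapd.conf directives: suffixmassage <local> <foreign>; map attribute <local> <foreign>.
SUFFIXMASSAGE = ("ou=windows,dc=plainjoe,dc=org", "cn=users,dc=ad,dc=plainjoe,dc=org")
ATTR_MAP = {"sAMAccountName": "uid", "name": "cn", "userPrincipalName": "mail"}  # foreign -> local
OC_MAP = {"user": "account"}                                                      # foreign -> local
# Assumption: the attribute types the local slapd schema knows (core + inetorgperson-style).
LOCAL_SCHEMA = {"cn", "sn", "uid", "mail", "givenName", "displayName"}


def massage_dn(dn, local_suffix, foreign_suffix):
    """Rewrite the foreign suffix back to the local one (DN comparison is case-insensitive)."""
    if dn.lower().endswith(foreign_suffix.lower()):
        return dn[: len(dn) - len(foreign_suffix)] + local_suffix
    return dn


def proxy_view(entry, drop_unmapped):
    """Return the entry as the proxy presents it; drop_unmapped models 'map attribute *'."""
    out = {"dn": massage_dn(entry["dn"], *SUFFIXMASSAGE)}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        if attr == "objectClass":                   # 'map objectclass account user'
            out["objectClass"] = [OC_MAP.get(v, v) for v in values]
            continue
        local = ATTR_MAP.get(attr)
        if local is None:
            # Unmapped: 'map attribute *' drops it; without that line the local schema
            # still decides, so types slapd does not know (objectSid, ...) never appear.
            if drop_unmapped or attr not in LOCAL_SCHEMA:
                continue
            local = attr
        for v in values:                            # cn arrives via 'cn' and via 'name': merge
            if v not in out.setdefault(local, []):
                out[local].append(v)
    return out


if __name__ == "__main__":
    print(proxy_view(AD_ENTRY, drop_unmapped=True))    # view with 'map attribute *'
    print(proxy_view(AD_ENTRY, drop_unmapped=False))   # view without it
```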

slide30

Push/pull Agents for Directory Synchronization

  • Common tools for synchronizing information between directories
  • Single agent pulls information from one directory service and massages the data to make it acceptable for upload to another directory server
  • Several directory vendors provide synchronization agents (drivers, connectors, ...)
  • Data is often transferred in an XML-based format

[Figure: Directory A and Directory B, each holding data in its own directory-specific format, are joined by a driver; the connector transmits the data between them in a common format]

slide31

Push/pull Agents for Directory Synchronization (cont.)

  • A partial list of commercial connector/driver offerings:
    • SunONE's XMLDAP (http://wwws.sun.com/software/products/directory_srvr/)
    • Novell's DirXML (http://www.novell.com/products/edirectory/dirxml/)
  • Commercial vs. in-house
    • Vendor connectors have inherent knowledge of when data changes in the directory
    • Homegrown tools can nevertheless be very useful
slide32

Push/pull Agents for Directory Synchronization (cont.)

The Directory Services Markup Language

  • XML (Extensible Markup Language) fever has infected LDAP
  • DSML (Directory Services Markup Language) = XML schema for representing LDAP information using document fragments
  • DSML v1.0 is really just an attempt at replacing LDIF
  • DSML v2.0 (May 2002): new and interesting functionality
    • DSML v2.0 is designed to provide methods for representing LDAP queries, updates, and responses in XML
    • This allows e.g. embedded devices to access LDAP data without an LDAP client library, needing only XML parsing and SOAP
  • No concrete examples yet
  • More info: http://www.oasis-open.org/committees/dsml/