
Post on 18-Dec-2015


OpenLDAP Enterprise Features

Bruce Huang (bruce.huang@hp.com)

Tommy Yan (tommy.yan@hp.com)

HP Open Source and Linux Organization

Agenda

• 2 Non-Native English speakers

• Directory services in large enterprises: challenges and progress

• Technical implementation of some enterprise features

Directories in a large enterprise: an HP example back to 2003

[World map of HP directory server sites: Singapore, Boeblingen, Boise, Atlanta, Sunnyvale, Grenoble, Houston]

- Mission-critical repository used by 1500+ applications in HP
- Approximately 50 million+ operations/day
- Resolves every @hp.com mail address
- Authorizes every HP inline login
- Hardware: approximately 30 servers worldwide
- Software: Sun ONE Directory Server 5.x

Directories in a large enterprise: an HP example back to 2003 (cont.)

Directory Root: o=hp.com

– ou=People: Employees/Contingents (HR data, email, NT, certs, etc.)
– ou=Groups: News/Mail/Security groups (owners, members, description, etc.)
– ou=Servers: used to store server certificates
– ou=Locations: HP real estate (address, lat/long, time zone, etc.)
– ou=Partners: Business Partners
– ou=Organizations: HP organizations (name, address, contact, etc.)

What are the challenges in this model?

– Cost: per-entry pricing model. (An entry is defined as a single Distinguished Name (DN) and its contained attributes; 1 employee takes 1 entry and 1 server takes 1 entry, for example.)

– Lock-in: Vendors don't want to modify the existing product to meet our technical requirements, but want us to buy more products.

Why OpenLDAP was considered the solution

• Cost: Symas per server/enterprise license model

• Freedom: Having the source code

• Support: IT has the resource and capability to support it (OSMS, Symas)

• Standard, not proprietary: Why not enhance the applications?

OpenLDAP’s challenges and progress

– General enterprise-grade robustness:
  • Solid Berkeley DB support
  • Audit capability
  • Reconfiguring must be available on-the-fly as much as possible
  • Reliable replication strategy

– Password Policy: A security policy for passwords (e.g., must not be a dictionary word, must be over 6 characters, and so on). Overlay by Neil Dunbar (HP) and Howard Chu (Symas).

OpenLDAP’s challenges and progress (cont.)

– Data constraint: For instance, a telephone number could be forced to follow ITU standard representation rules. Overlay by Neil Dunbar (HP).

– Translucency: store department-specific attributes for its employees in a local directory, for extension and speed. Overlay by Symas, sponsored by HP.

– Group Policy: Much of HP's authorization data resides in the notion of groups; groups of employees; groups of assets; groups of business partners, and so forth. However, the LDAP/X.500 model does not really impose any notion of what groups mean. Overlay by Symas.

What is the current status?

• HP completed migrating the Enterprise Directory to OpenLDAP on Linux in 2006.

• HP is completely unchained from the per-entry licensing model.

• The enterprise directory requirements listed above are met.

• The source code was contributed upstream to the OpenLDAP community.

OpenLDAP working model

[Diagram: Client -> Request -> slapd Frontend -> Request -> Backend (bdb, dbm, hdb); the Response travels back from Backend to Frontend to Client]

• slapd frontend receives an LDAP request

• slapd frontend passes the request to the backend

• The backend calls some functions of frontend to send the results to the client

OpenLDAP Overlays

• Overlays: modules working between frontend and backend
  – introduced in OpenLDAP 2.2
  – change the behavior of backends without changing backend code
  – process incoming requests before backends
  – process outgoing results before the frontend

[Diagram: Frontend -> Overlay1 -> Overlay2 -> ... -> Backend, with numbered steps 1-4 showing the request going down the chain and the result coming back up]

• Processing Steps
  − The frontend passes requests to the first overlay
  − The first overlay forwards requests to the next overlay until requests reach the real backend.
  − The backend directs results from the first overlay to the last one until they are sent to the client.

Create your own overlay

  /* hello.c: minimal slapd overlay skeleton */
  #include "portable.h"
  #include "slap.h"

  static slap_overinst hello_ovl;

  /* Operation hooks run before the request reaches the next overlay or the
     backend; returning SLAP_CB_CONTINUE hands the request down the chain. */
  static int hello_add(Operation *op, SlapReply *rs) { /* ... */ return SLAP_CB_CONTINUE; }
  static int hello_modify(Operation *op, SlapReply *rs) { /* ... */ return SLAP_CB_CONTINUE; }
  /* Database close hook (OpenLDAP 2.4 signature) */
  static int hello_close(BackendDB *be, ConfigReply *cr) { /* ... */ return 0; }

  /* Called by slapd when the module is loaded with "moduleload hello.la" */
  int init_module(int argc, char *argv[])
  {
      hello_ovl.on_bi.bi_type = "hello";        /* name used by "overlay hello" */
      hello_ovl.on_bi.bi_op_add = hello_add;
      hello_ovl.on_bi.bi_op_modify = hello_modify;
      hello_ovl.on_bi.bi_db_close = hello_close;
      return overlay_register(&hello_ovl);
  }

Two Examples of Using Overlays

- Password Policy
- Constraint

Password Policy

• Provides password control mechanisms such as password aging, password reuse, mandatory password resets and so on.

• Defines multiple password policies by using the 'pwdPolicy' object class.

• Applies specific password policies to entries.

• Configuration directives:
  – moduleload ppolicy.la
  – overlay ppolicy
  – ppolicy_default <defaultDN>
  – more explanations in the Linux man page (slapo-ppolicy)

Password Policy (con’t)

Example: Create two different password policies and apply them to entries.

• Load and configure the overlay in slapd.conf:
    …
    moduleload ppolicy.la
    overlay ppolicy
    ppolicy_default cn=default,ou=policy,dc=hp,dc=com
    …

Password Policy (con't)

• Add two policy entries
  – policy.ldif:
    dn: cn=default,ou=policy,dc=hp,dc=com
    objectClass: pwdPolicy
    objectClass: device
    cn: default
    pwdAttribute: userPassword
    pwdCheckQuality: 2
    pwdMinLength: 5
    pwdMaxAge: 2592000

    dn: cn=strong,ou=policy,dc=hp,dc=com
    objectClass: pwdPolicy
    objectClass: device
    cn: strong
    pwdAttribute: userPassword
    pwdCheckQuality: 2
    pwdMinLength: 8
    pwdMaxAge: 1296000

Password Policy (con't)

• Set the pwdPolicySubentry attribute in a DN
  – bruce.ldif:
    dn: uid=bruce,dc=osms,dc=hp,dc=com
    objectClass: inetOrgPerson
    uid: bruce
    mail: bruce.huang@hp.com
    sn: huang
    employeeNumber: 111111
    cn: Bruce Huang
    pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com

Password Policy (con't)

• Verify whether the overlay works by running 'ldappasswd' to change the password of 'uid=bruce,dc=osms,dc=hp,dc=com' to a word of fewer than 8 characters:

    Result: Constraint violation (19)
    Additional info: Password fails quality checking policy

• Note: the bind DN used to change the password must not be the rootdn.
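How slapd resolves which policy applies to an entry and what the two checks from policy.ldif mean in practice, as an added illustration that is not code from the talk or from OpenLDAP. The policy values are the ones in policy.ldif; the rootdn value and the epoch-seconds form of pwdChangedTime are assumptions made for the example.

```python
# Constructed stand-ins for the two policy entries in policy.ldif (ages in seconds)
POLICIES = {
    "cn=default,ou=policy,dc=hp,dc=com": {"pwdMinLength": 5, "pwdMaxAge": 2592000},
    "cn=strong,ou=policy,dc=hp,dc=com": {"pwdMinLength": 8, "pwdMaxAge": 1296000},
}
PPOLICY_DEFAULT = "cn=default,ou=policy,dc=hp,dc=com"   # ppolicy_default in slapd.conf
ROOTDN = "cn=Manager,dc=hp,dc=com"                      # assumed rootdn; not from the talk
CONSTRAINT_VIOLATION = 19


def policy_for(entry):
    """The entry's pwdPolicySubentry wins; entries without one get ppolicy_default."""
    return POLICIES[entry.get("pwdPolicySubentry", PPOLICY_DEFAULT)]


def check_new_password(entry, new_password, bind_dn):
    """Quality check run on a password change. Returns None when the change is
    allowed, else (resultCode, diagnostic) as ldappasswd would print it.
    The rootdn is never subject to the policy, which is why the talk's test
    must bind as an ordinary user."""
    if bind_dn == ROOTDN:
        return None
    if len(new_password) < policy_for(entry)["pwdMinLength"]:
        return (CONSTRAINT_VIOLATION, "Password fails quality checking policy")
    return None


def password_expired(entry, now):
    """pwdMaxAge counts from the entry's last change (pwdChangedTime, kept here
    as seconds since the epoch rather than LDAP GeneralizedTime)."""
    return now - entry["pwdChangedTime"] > policy_for(entry)["pwdMaxAge"]


# Constructed entries: bruce carries the pwdPolicySubentry from bruce.ldif,
# tommy has none and therefore falls back to the default policy.
BRUCE = {"pwdPolicySubentry": "cn=strong,ou=policy,dc=hp,dc=com", "pwdChangedTime": 0}
TOMMY = {"pwdChangedTime": 0}
```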

Constraint

• Contributed by HP

• Constrains the values of attributes by character set or regular expression

• Triggered by LDAP add and modify operations

• Configuration directives:
  – constraint_attribute <attribute> <constraint> <constraint_value>

• Possible values of <constraint>: charset, regex

Constraint (con't)

• Example: Constrain employeeNumber to 6 digits and cn to letters only
  – Load and configure the overlay in slapd.conf:
    …
    moduleload constraint.la
    overlay constraint
    constraint_attribute employeeNumber regex ^[0-9]{6}$
    constraint_attribute cn regex ^[a-zA-Z]*$
    …

Constraint (con't)

• Verify it by running 'ldapmodify' to change the employeeNumber attribute of 'uid=bruce,ou=people,dc=hp,dc=com' to a number with 5 digits:
  – modify.ldif:
    dn: uid=bruce,ou=people,dc=hp,dc=com
    changetype: modify
    replace: employeeNumber
    employeeNumber: 12345

    ldap_modify: Constraint violation (19)
    additional info: modify breaks regular expression constraint on employeeNumber

More information on overlays

• OpenLDAP admin guide:
  – http://www.openldap.org/doc/admin24/

• Linux man pages

• OpenLDAP source code

Resource, Thanks and Questions

• http://www.openldap.org/conf/odd-sandiego-2004/Neil.pdf (Special thanks to Neil Dunbar and Kartik Subbarao from HP directories team)

• www.hp.com/go/osms

• www.symas.com/

Appendix

Attribute Uniqueness

• Enforces the uniqueness of one or more attributes in a subtree

• Triggered by the operations add, modify and modrdn

• Configuration options:
  – unique_base <basedn>
  – unique_ignore <attribute…>
  – unique_attributes <attribute…>
  – …

Attribute Uniqueness (con't)

• Example: Enforce the uniqueness of uid and mail for all DNs
    moduleload unique.la
    overlay unique
    unique_base dc=hp,dc=com
    unique_ignore objectClass dc ou o cn
    unique_attributes uid mail

    dn: uid=bruce,ou=people,dc=hp,dc=com
    objectClass: inetOrgPerson
    uid: bruce
    sn: Huang
    cn: Bruce
    mail: bruce.huang@hp.com

    Error Message: Constraint violation (19)
    additional info: some attributes not unique
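The overlay processing steps, the constraint example and the uniqueness example above, put together as one added model that is not code from the talk or from OpenLDAP: a request passes through a constraint overlay and then a unique overlay before an in-memory backend, and the first overlay that objects answers with resultCode 19 so the backend never sees the change. The directory content and the tommy entry are constructed; the regexes and unique settings are the talk's own, and note that the cn regex also rejects a cn containing a space such as "Bruce Huang".

```python
import re

CONSTRAINT_VIOLATION = 19   # LDAP resultCode reported by both overlays

# Constructed in-memory backend standing in for slapd's bdb/hdb database
DIRECTORY = {
    "uid=bruce,ou=people,dc=hp,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bruce"], "sn": ["Huang"],
        "cn": ["Bruce"], "mail": ["bruce.huang@hp.com"], "employeeNumber": ["111111"]},
}

# The slapd.conf directives from the talk, expressed as data
CONSTRAINTS = {"employeeNumber": r"^[0-9]{6}$", "cn": r"^[a-zA-Z]*$"}
UNIQUE_BASE = "dc=hp,dc=com"
UNIQUE_ATTRS = {"uid", "mail"}


def constraint_overlay(op, next_hook):
    """Like slapo-constraint: reject add/modify values that break a regex."""
    for attr, values in op["attrs"].items():
        if attr in CONSTRAINTS and not all(re.match(CONSTRAINTS[attr], v) for v in values):
            return (CONSTRAINT_VIOLATION,
                    f"{op['kind']} breaks regular expression constraint on {attr}")
    return next_hook(op)   # SLAP_CB_CONTINUE: hand the request down the chain


def unique_overlay(op, next_hook):
    """Like slapo-unique: uid/mail values must be unique below unique_base."""
    for dn, entry in DIRECTORY.items():
        if dn == op["dn"] or not dn.endswith(UNIQUE_BASE):
            continue   # the entry being modified may keep its own values
        for attr in UNIQUE_ATTRS.intersection(op["attrs"]):
            if set(op["attrs"][attr]) & set(entry.get(attr, [])):
                return (CONSTRAINT_VIOLATION, "some attributes not unique")
    return next_hook(op)


def backend(op):
    """The real backend only sees requests that every overlay let through."""
    DIRECTORY.setdefault(op["dn"], {}).update(op["attrs"])
    return (0, "Success")


def slapd_request(kind, dn, attrs):
    """Frontend: route the request through the overlay stack to the backend.
    kind is "add" or "modify"; attrs maps attribute -> list of new values."""
    op = {"kind": kind, "dn": dn, "attrs": attrs}
    return constraint_overlay(op, lambda o: unique_overlay(o, backend))
```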

Translucency

• Enables a translucent proxy

• A remote LDAP server and a local database are required

• Entries from the remote server may be overridden (at attribute level) by entries in the local database

• Configuration options:
  – translucent_strict
  – translucent_no_glue

Referential Integrity

• Maintains the cohesiveness of a schema with reference attributes

• Triggered by the operations modrdn and delete

• Configuration options:
  – refint_attributes <attribute…>
  – refint_nothing <string>
  – refer to the Linux man page (slapo-refint)

Referential Integrity (con't)

• Example: Remove Jason and have Tommy as his replacement
  – Delete "uid=zjason,ou=people,dc=hp,dc=com"
  – The manager attribute in "uid=hbruce,ou=people,dc=hp,dc=com" and "uid=ytommy,ou=people,dc=hp,dc=com" is set to "uid=ytommy,ou=people,dc=hp,dc=com" automatically.

    moduleload refint.la
    overlay refint
    refint_attributes manager
    refint_nothing uid=ytommy, ou=people,dc=hp,dc=com
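The refint behaviour behind this example, as an added model that is not code from the talk or from OpenLDAP: on delete, every manager value pointing at the removed DN is dropped and, where that would leave the attribute empty, the refint_nothing placeholder is stored; on modrdn, references are repointed to the new name. The entries are constructed around the DNs used on the slide.

```python
# Constructed in-memory directory; DNs are the ones used in the talk's example
DIRECTORY = {
    "uid=zjason,ou=people,dc=hp,dc=com": {"uid": ["zjason"], "cn": ["Jason"]},
    "uid=hbruce,ou=people,dc=hp,dc=com": {"uid": ["hbruce"],
                                          "manager": ["uid=zjason,ou=people,dc=hp,dc=com"]},
    "uid=ytommy,ou=people,dc=hp,dc=com": {"uid": ["ytommy"],
                                          "manager": ["uid=zjason,ou=people,dc=hp,dc=com"]},
}
REFINT_ATTRIBUTES = ["manager"]                       # refint_attributes manager
REFINT_NOTHING = "uid=ytommy,ou=people,dc=hp,dc=com"  # refint_nothing ...


def _rewrite_refs(old_dn, new_dn):
    """Fix every refint_attributes value that points at old_dn. new_dn=None
    means the target was deleted; when that would empty the attribute, the
    refint_nothing placeholder is stored instead. Returns the DNs touched."""
    touched = []
    for edn, entry in DIRECTORY.items():
        for attr in REFINT_ATTRIBUTES:
            vals = entry.get(attr, [])
            if old_dn not in vals:
                continue
            if new_dn is None:
                vals = [v for v in vals if v != old_dn]
            else:
                vals = [new_dn if v == old_dn else v for v in vals]
            entry[attr] = vals or [REFINT_NOTHING]
            touched.append(edn)
    return touched


def refint_delete(dn):
    """Delete dn, then clean up the dangling references (slapo-refint on delete)."""
    del DIRECTORY[dn]
    return _rewrite_refs(dn, None)


def refint_modrdn(old_dn, new_dn):
    """Rename old_dn to new_dn and repoint references (slapo-refint on modrdn)."""
    DIRECTORY[new_dn] = DIRECTORY.pop(old_dn)
    return _rewrite_refs(old_dn, new_dn)
```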
