The Directory A distributed database Distributed maintenance

Upload: clara-carson

Post on 11-Jan-2016


Page 1: The Directory A distributed database Distributed maintenance

The Directory

A distributed database

Distributed maintenance

Page 2:

Purpose of a Directory

A directory is a way to store data in an organized way for easy access.

The primary operation on a directory is LOOKUP.

This means that a directory is optimized for reading rather than for creation or update. Note the distinction from a general-purpose database, which is built for frequent updates and transactions.

Page 3:

Why a directory?

Tracking users' software configuration preferences in a directory can give them the mobility they need to work from any location. Rather than being stored in a local registry or preferences file, accessible only from a single computer, this information can essentially travel around the network with the user.

Tracking access privileges in a directory enables network administrators to keep users out of parts of the network that are off limits to them. Storing access control rights in the directory enables multiple applications to have easy access to the same security settings.

Centralizing user account and password information can minimize password management and disparate sign-ons across applications.

Managing Web site configuration information in a centralized directory makes site administration simpler. One configuration change in the directory can easily be applied to all the servers at the site.

LDAP has the potential to do for directories what HTTP and HTML did for documents

Ref: http://developer.netscape.com/viewsource/rose_ldap.html

Page 4:

Four ways to describe a directory

Informational Model: what does the directory hold? How are the entries related?

Functional Model: how does it operate? What services are available to serve a user?

Organizational Model: who owns it and how do they manage it?

Security Model: what authorization and authentication?


Page 6:

Information Stored in the Directory

Directory Information Base (DIB): composed of entries.

An entry holds information about one object: a person, a printer, a company, a state or province, an application entity ... or anything else.

An entry is composed of attributes. Each attribute consists of a type and one or more values.

Page 7:

Object Classes

Object class = identified family of objects with some common set of characteristics. Example: person is an object class.

o required attributes: commonName, surname

o optional attributes: description, telephoneNumber, userPassword, seeAlso

Subclass: organizationalPerson is a subclass of person. It must have all the required attributes of person, may have the optional attributes of person, and may have additional attributes of its own.

• ex. title, organizationalUnitName, etc.

Page 8:

Structure of the DIB

Tree-like: entries form the vertices of the tree; arcs define the relation between entries.

Distinguished name (DN): uniquely and unambiguously identifies each entry. It is constructed from the identities of the entry's ancestors in the tree plus a specially designated set of attribute values from the entry itself.

Page 9:

Entry components (figure): an entry is a set of attributes; each attribute has a type and one or more values; one attribute value is designated the distinguished value.

Page 10:

An example entry

surname: Cassel, Riley
commonName: L. N. Cassel, Lillian N. Cassel, Boots
telephoneNumber: +1 610 555 1234
objectclass: person

One attribute/value pair is the Relative Distinguished Name (RDN) for the entry. surname=Cassel, for example, would identify this entry.

objectclass is the type of the entry as a whole. It tells the directory what kinds of information can or should be included in the entry.

Page 11:

A portion of the standard Directory Information Tree (figure): Root at the top; beneath it Country, Organization and Locality; beneath those, residential person, group, organizational unit, organization and locality entries.

Page 12:

Sample section of a DIT

Root
  C=US
    L=PA
      Org=VU
        OU=Computing Sciences
          grp=Faculty
            CN=Lillian N. Cassel, PN=+1 610 555 1234, L=162A Mendel Hall   (an entry with 3 attributes)
          grp=equipment
            CN=m163ps, Desc=PostScript Printer, L=163 Mendel
        L=Mendel Hall
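The DN construction described on the slides above, as an added Python example that is not part of the original deck: it builds the DN of the Cassel entry from its root-to-leaf path, escapes attribute values per RFC 4514, splits a DN string back into its RDNs, and shows why unescaped values are a problem (a comma inside a value is read as an extra RDN, which silently moves the entry to a different place in the tree). Writing the slide's Org as the standard O attribute and the split_dn helper are this example's own choices.

```python
"""Building and splitting X.500/LDAP distinguished names from a DIT path.

Added example (not from the slides). The DN string form and the escaping
rules follow RFC 4514; the sample path is the Cassel entry from the DIT
on the slide above, with Org written as the standard O attribute.
"""
from typing import List, Tuple

# Characters that must be backslash-escaped anywhere inside an RDN value.
SPECIALS = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot be read as extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and i in (0, last):      # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:              # leading '#'
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(path: List[Tuple[str, str]]) -> str:
    """path runs root -> leaf; the string form lists the leaf RDN first."""
    rdns = [f"{atype}={escape_rdn_value(value)}" for atype, value in path]
    return ','.join(reversed(rdns))


def naive_dn(path: List[Tuple[str, str]]) -> str:
    """The unsafe way: values pasted in unescaped (shown for contrast only)."""
    return ','.join(f"{atype}={value}" for atype, value in reversed(path))


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) pairs, root first, honouring escapes."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                cur.append(chr(int(pair, 16)))   # \HH hex escape
                i += 3
            else:
                cur.append(dn[i + 1])             # \X escape of a special
                i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    pairs = []
    for rdn in rdns:
        atype, _, value = rdn.partition('=')
        pairs.append((atype.strip(), value))
    return list(reversed(pairs))


# Root-to-leaf path of the Cassel entry from the sample DIT.
SAMPLE_PATH = [("C", "US"), ("L", "PA"), ("O", "VU"),
               ("OU", "Computing Sciences"), ("CN", "Lillian N. Cassel")]


if __name__ == "__main__":
    print(build_dn(SAMPLE_PATH))
    # A value containing a comma: escaped it stays one RDN, unescaped it
    # silently becomes two and moves the entry elsewhere in the tree.
    tricky = SAMPLE_PATH[:-1] + [("CN", "Cassel, Lillian")]
    print(build_dn(tricky))
    print(len(split_dn(build_dn(tricky))), "vs", len(split_dn(naive_dn(tricky))))
```

The same escaping discipline applies whenever user-supplied text is pasted into a DN or search filter; the unescaped variant is the root of LDAP injection.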

Page 13:

The Directory Schema

Rules governing:

o the attribute types allowed for each class of object

o the form of the values for each attribute type

o the class of object that can be a child entry of a given class of object
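Added Python example (not from the slides) of the schema rules above applied to the person / organizationalPerson classes of Page 7 and the Cassel entry of Page 10: it merges required and optional attributes through the subclass chain, reports missing required attributes, attributes the classes do not allow, and attributes without values, and checks a simplified stand-in for the rule that says which class may be a child of which. The trimmed country/organization/organizationalUnit classes and the structure-rule table are assumptions made for this example.

```python
"""Entries, object classes and schema checks (added example, not from the slides).

The object classes follow the slides' person / organizationalPerson example
and the entry is the Cassel entry from the slides. The table of which class
may sit beneath which is a deliberately simplified stand-in for X.501 DIT
structure rules, and the country/organization/organizationalUnit classes
are trimmed to the attributes this example needs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]   # attribute type -> one or more values


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: Set[str]               # required attribute types (lower case)
    may: Set[str]                # optional attribute types (lower case)
    superior: Optional[str]      # superclass; its MUST/MAY are inherited


SCHEMA: Dict[str, ObjectClass] = {oc.name: oc for oc in [
    ObjectClass("top", {"objectclass"}, set(), None),
    ObjectClass("country", {"c"}, {"description"}, "top"),
    ObjectClass("organization", {"o"}, {"description", "l"}, "top"),
    ObjectClass("organizationalunit", {"ou"}, {"description", "l"}, "top"),
    ObjectClass("person", {"cn", "sn"},
                {"description", "telephonenumber", "userpassword", "seealso"}, "top"),
    ObjectClass("organizationalperson", set(), {"title", "ou"}, "person"),
]}

# Simplified structure rules: parent class (None = root) -> allowed child classes.
STRUCTURE_RULES: Dict[Optional[str], Set[str]] = {
    None: {"country"},
    "country": {"organization"},
    "organization": {"organizationalunit"},
    "organizationalunit": {"person", "organizationalperson"},
}


def effective_attrs(oc_name: str) -> Tuple[Set[str], Set[str]]:
    """MUST and MAY sets of a class including everything inherited from its superiors."""
    must: Set[str] = set()
    may: Set[str] = set()
    name: Optional[str] = oc_name.lower()
    while name is not None:
        cls = SCHEMA.get(name)
        if cls is None:
            raise ValueError(f"unknown object class {oc_name!r}")
        must |= cls.must
        may |= cls.may
        name = cls.superior
    return must, may


def validate_entry(entry: Entry, parent_class: Optional[str]) -> List[str]:
    """Return the list of schema violations (empty list = entry is valid)."""
    problems: List[str] = []
    attrs = {atype.lower(): values for atype, values in entry.items()}
    present = set(attrs)
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in classes:
        try:
            oc_must, oc_may = effective_attrs(oc)
        except ValueError as err:
            problems.append(str(err))
            continue
        must |= oc_must
        may |= oc_may
    for atype in sorted(must - present):
        problems.append(f"missing required attribute {atype!r}")
    for atype in sorted(present - must - may):
        problems.append(f"attribute {atype!r} not allowed by object classes {classes}")
    for atype, values in attrs.items():
        if not values:
            problems.append(f"attribute {atype!r} must have at least one value")
    allowed = STRUCTURE_RULES.get(parent_class.lower() if parent_class else None, set())
    if not any(oc.lower() in allowed for oc in classes):
        problems.append(f"object classes {classes} may not be children of {parent_class!r}")
    return problems


# The Cassel entry from the slides, placed beneath the Computing Sciences OU.
CASSEL: Entry = {
    "objectClass": ["organizationalPerson"],
    "cn": ["L. N. Cassel", "Lillian N. Cassel", "Boots"],
    "sn": ["Cassel", "Riley"],
    "telephoneNumber": ["+1 610 555 1234"],
    "ou": ["Computing Sciences"],
}

if __name__ == "__main__":
    print(validate_entry(CASSEL, "organizationalUnit"))
    print(validate_entry({k: v for k, v in CASSEL.items() if k != "sn"}, "organizationalUnit"))
    print(validate_entry(CASSEL, "organization"))
```

Attribute type and class names are compared case-insensitively, as LDAP does; a real server also checks each value against the attribute's syntax, which this example leaves out.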

Page 14:

The Directory Service

Operations to interrogate and modify the content of the Directory. The service controls access to DIT entries and ensures that any changes continue to obey the rules of the schema.


Page 16:

Functional Model players

Directory User Agent (DUA): participates in the Directory protocol on behalf of a user.

Directory Service Agent (DSA): responds to requests for information from the directory; requests come from DUAs or from other DSAs.

Page 17:

Functional Model

Describes the Directory in terms of operations performed by a DUA and one or more DSAs serving the request of the DUA.

The DUA gains access by binding to an access point represented by a particular DSA. That DSA has direct access to a portion of the Directory (the data) and has knowledge about the rest of the Directory, so it can obtain information it does not hold itself.

Page 18:

DSA - DUA interaction (figure: one DUA connected to a DSA, which in turn is connected to several other DSAs)

The user sees the directory as one collection accessible through one interface. Directory servers interact with each other to provide the response.

Page 19:

X.500 and LDAP

X.500 is the ITU specification of a global directory intended to run over a full ISO protocol stack.

LDAP is a lightweight alternative to the X.500 access protocol (DAP) that runs directly over TCP/IP.

LDAP was originally intended as a frontend to the X.500 Directory, but now runs standalone as well.


Page 21:

Security Model

Authorization is given for: a subtree, an entry, an attribute type.

Authorization is granted to: an individual, a group, the owner of the entry.

Page 22:

Access

Give authority to:

o the owner, to update phone number, address, etc.

o project managers, to update project information

o the department, to update goal statements

o etc.
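The access rules above (Page 21's subtree / entry / attribute-type targets and individual / group / owner subjects, and Page 22's "owner updates own phone number, project managers update project information" policy), as an added Python example that is not from the slides. The evaluation order (most specific matching rule decides, no match means deny, rights taken literally so "write" does not imply "read") is this example's own design rather than OpenLDAP's or any product's semantics; the DNs, the Project Managers group, the colleague entry and the projectInfo attribute name are constructed for it.

```python
"""Directory access control by subtree, entry and attribute type
(added example, not from the slides).

Rules carry a target (a subtree or a single entry, optionally narrowed to
attribute types) and a subject (the entry's owner, a named individual, a
group entry's members, any authenticated user, or anyone). Of the rules that
match, the most specific one decides; when none matches, access is denied.
Rights are literal: "write" does not imply "read". The DNs, the group and
the projectInfo attribute name are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Directory = Dict[str, Dict[str, List[str]]]   # dn -> {attribute type -> values}


@dataclass(frozen=True)
class Rule:
    target_dn: str                    # the entry, or the root of the subtree
    scope: str                        # "entry" or "subtree"
    attrs: Optional[FrozenSet[str]]   # attribute types (lower case); None = whole entry
    subject: str                      # "owner", "users", "anyone", "user:<dn>", "group:<dn>"
    rights: FrozenSet[str]            # subset of {"read", "write"}


def _target_matches(rule: Rule, entry_dn: str, attr: Optional[str]) -> bool:
    if rule.scope == "entry":
        in_scope = entry_dn == rule.target_dn
    else:
        in_scope = entry_dn == rule.target_dn or entry_dn.endswith("," + rule.target_dn)
    if not in_scope:
        return False
    if rule.attrs is None:
        return True
    return attr is not None and attr.lower() in rule.attrs


def _subject_matches(directory: Directory, rule: Rule,
                     bound_dn: Optional[str], entry_dn: str) -> bool:
    kind, _, arg = rule.subject.partition(":")
    if kind == "anyone":
        return True
    if bound_dn is None:                 # anonymous: nothing below applies
        return False
    if kind == "users":
        return True
    if kind == "owner":
        return bound_dn == entry_dn
    if kind == "user":
        return bound_dn == arg
    if kind == "group":
        return bound_dn in directory.get(arg, {}).get("member", [])
    raise ValueError(f"unknown subject kind {kind!r}")


def check(directory: Directory, rules: List[Rule], bound_dn: Optional[str],
          entry_dn: str, attr: Optional[str], right: str) -> bool:
    """May the requester bound as bound_dn exercise `right` on entry_dn / attr?"""
    matches = [r for r in rules
               if _target_matches(r, entry_dn, attr)
               and _subject_matches(directory, r, bound_dn, entry_dn)]
    if not matches:
        return False
    # Most specific first: attribute-level beats entry-level, a single entry
    # beats a subtree, a deeper subtree beats a shallower one; the sort is
    # stable, so listing order breaks any remaining ties.
    matches.sort(key=lambda r: (r.attrs is None, r.scope == "subtree", -len(r.target_dn)))
    return right in matches[0].rights


OU = "OU=Computing Sciences,O=VU,L=PA,C=US"
CASSEL = f"CN=Lillian N. Cassel,{OU}"
RILEY = f"CN=Pat Riley,{OU}"                       # constructed colleague
MANAGERS = f"CN=Project Managers,{OU}"             # constructed group entry

DIRECTORY: Directory = {
    CASSEL: {"telephoneNumber": ["+1 610 555 1234"], "userPassword": ["{SSHA}<hash>"],
             "projectInfo": ["Directory course"]},
    RILEY: {"telephoneNumber": ["+1 610 555 5678"], "userPassword": ["{SSHA}<hash>"]},
    MANAGERS: {"member": [RILEY]},
}

RULES = [
    Rule(OU, "subtree", None, "users", frozenset({"read"})),
    Rule(OU, "subtree", frozenset({"telephonenumber", "postaladdress"}), "owner",
         frozenset({"read", "write"})),
    # Passwords: the owner may set a new one; nobody may read the stored value
    # back (it is verified by the bind operation, not by reading it).
    Rule(OU, "subtree", frozenset({"userpassword"}), "owner", frozenset({"write"})),
    Rule(OU, "subtree", frozenset({"userpassword"}), "users", frozenset()),
    Rule(OU, "subtree", frozenset({"projectinfo"}), f"group:{MANAGERS}",
         frozenset({"read", "write"})),
]

if __name__ == "__main__":
    print(check(DIRECTORY, RULES, CASSEL, CASSEL, "telephoneNumber", "write"))   # owner
    print(check(DIRECTORY, RULES, RILEY, CASSEL, "telephoneNumber", "write"))    # colleague
    print(check(DIRECTORY, RULES, RILEY, CASSEL, "userPassword", "read"))        # password
```

The point of the userPassword pair of rules is the one the slides make on Page 23: authorization is per attribute type, so a subtree-wide read grant must be overridden for the attributes (passwords, and in practice anything used as an authenticator) that nobody should be able to read back.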

Page 23:

Security issues

Authentication: who are you, and how do I know that?

Confidentiality: who is entitled to see this unit of information?

Integrity: is the data uncorrupted?

Authorization: you are entitled to access some resources, but not others.

Page 24:

Directory Security Examples

Scenario | Contains sensitive data? | Connection hijacking or IP spoofing threats? | Anonymous requesters? | Read/Write? | Identified requesters? | Read/Write? | Required directory-specific security mechanisms or functions
1 | N | N | Y | RO | N | N/A | None
2 | N | N | N | N/A | Y | RO | Secure authentication
3 | N | Y | N/A | N/A | N/A | N/A | Mutual authentication, connection integrity protection
4 | N | N | Y | RO | Y | RW | Secure authentication
5 | Y | Y | N/A | N/A | N/A | N/A | Mutual authentication, connection integrity and confidentiality protection

Ref: Jeff Hodges; [email protected]; http://www.oblix.com/

Page 25:

Data Integrity: Replication

There are world-wide directories. Performance issues:

o data distributed over the whole world

o multiple copies of sections of the DIT

o a local copy may not be completely up to date

The DUA always knows when it receives information from a copy.

Local directories may be copies of remote directories or stand-alone directories; the performance issues are different in each case.

Page 26:

Cache and Shadow copies

Cache copies: not covered in the specification. Unofficial copies, with no guarantee of accuracy.

Shadow copies: obtained in accordance with procedures in the Directory specification. Official, controlled copies. Not necessarily up to date at all times, but there is a limit to the time before they will be updated.
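An added Python simulation (not from the slides) of the DSA-DUA interaction on Page 18 together with the replication and copy rules on Pages 25 and 26: a DUA binds to one DSA; that DSA answers from the naming contexts it masters, chains anything else through its knowledge of which DSA masters which context, and serves a shadow copy flagged as a copy unless the DUA asks for the master (modelled on the X.500 dontUseCopy service control). The two DSAs, their contexts, the entries and the stale phone number in the shadow are constructed for the example, and the hop limit is a simple loop guard, not X.500's trace information.

```python
"""DUA/DSA chaining with master and shadow copies (added example, not from the
slides). Each DSA masters some naming contexts and may hold shadow copies of
others; for a name outside what it holds it chains to the DSA its knowledge
names. Shadow data is returned with from_copy=True unless dont_use_copy is
set (after the X.500 service control). All DSAs, contexts and entries here
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
MAX_HOPS = 4   # guard against knowledge loops between DSAs


@dataclass
class Result:
    dn: str
    entry: Optional[Entry]
    from_copy: bool
    served_by: str
    error: Optional[str] = None


def _within(dn: str, context: str) -> bool:
    """Is dn the context root or somewhere beneath it?"""
    return dn == context or dn.endswith("," + context)


class DSA:
    def __init__(self, name: str, master: Dict[str, Dict[str, Entry]],
                 shadow: Optional[Dict[str, Dict[str, Entry]]] = None):
        self.name = name
        self.master = master            # context -> {dn: entry}, authoritative
        self.shadow = shadow or {}      # context -> {dn: entry}, controlled copy
        self.knowledge: Dict[str, "DSA"] = {}   # context -> DSA that masters it

    def read(self, dn: str, dont_use_copy: bool = False, hops: int = 0) -> Result:
        if hops > MAX_HOPS:
            return Result(dn, None, False, self.name, "hop limit exceeded")
        rank = {"master": 0, "shadow": 1, "known": 2}
        matches = [(ctx, kind)
                   for kind, table in (("master", self.master), ("shadow", self.shadow),
                                       ("known", self.knowledge))
                   for ctx in table if _within(dn, ctx)]
        if not matches:
            return Result(dn, None, False, self.name, "no such entry")
        # The longest context is the most specific: a subordinate context
        # delegated to another DSA wins over the parent context held here.
        ctx, kind = min(matches, key=lambda m: (-len(m[0]), rank[m[1]]))
        if kind == "master":
            entry = self.master[ctx].get(dn)
            return Result(dn, entry, False, self.name, None if entry else "no such entry")
        if kind == "shadow" and not dont_use_copy and dn in self.shadow[ctx]:
            return Result(dn, self.shadow[ctx][dn], True, self.name)
        target = self.knowledge.get(ctx)       # shadow contexts also point at their master
        if target is None:
            return Result(dn, None, False, self.name, "no such entry")
        return target.read(dn, dont_use_copy, hops + 1)


class DUA:
    """Binds to one access point; locating the data is the DSAs' job."""
    def __init__(self, access_point: DSA):
        self.dsa = access_point

    def lookup(self, dn: str, dont_use_copy: bool = False) -> Result:
        return self.dsa.read(dn, dont_use_copy)


US_CTX = "C=US"
VU_CTX = "O=VU,L=PA,C=US"
CASSEL_DN = f"CN=Lillian N. Cassel,OU=Computing Sciences,{VU_CTX}"

VU_ENTRIES: Dict[str, Entry] = {
    VU_CTX: {"o": ["VU"]},
    f"OU=Computing Sciences,{VU_CTX}": {"ou": ["Computing Sciences"]},
    CASSEL_DN: {"cn": ["Lillian N. Cassel"], "telephoneNumber": ["+1 610 555 1234"]},
}
# The US DSA's shadow of the VU context still carries an older phone number.
VU_SHADOW = {dn: dict(e) for dn, e in VU_ENTRIES.items()}
VU_SHADOW[CASSEL_DN] = {"cn": ["Lillian N. Cassel"], "telephoneNumber": ["+1 610 555 0000"]}

dsa_us = DSA("dsa-us", {US_CTX: {US_CTX: {"c": ["US"]}, f"L=PA,{US_CTX}": {"l": ["PA"]}}},
             shadow={VU_CTX: VU_SHADOW})
dsa_vu = DSA("dsa-vu", {VU_CTX: VU_ENTRIES})
dsa_us.knowledge[VU_CTX] = dsa_vu      # subordinate context delegated to the VU DSA
dsa_vu.knowledge[US_CTX] = dsa_us      # superior context held elsewhere


def phone(result: Result) -> Optional[str]:
    return result.entry["telephoneNumber"][0] if result.entry else None


if __name__ == "__main__":
    dua = DUA(dsa_us)
    r = dua.lookup(CASSEL_DN)
    print(r.served_by, r.from_copy, phone(r))
    r = dua.lookup(CASSEL_DN, dont_use_copy=True)
    print(r.served_by, r.from_copy, phone(r))
```

The from_copy flag is what lets the DUA act on the slide's "always knows when it receives information from a copy": a client that is about to make a security decision (for example, reading an access right or a public key) should ask for the master, at the cost of the extra chaining hop.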

Page 27:

LDAP in use

Page 28:

Address access to LDAP

Page 29:

LDAP related RFCs

Page 30:

Find more

http://www.openldap.org/

Page 31:

More information on LDAP

http://www.kingsmountain.com/ldapRoadmap.shtml

Pointers to recent articles

Pointers to downloadable copies of the software

Updates on status

etc.

Page 32:

Directory summary

Distributed information: performance issues, security issues.

A consistent structure of information makes distributed access easier.

Local use has many applications in coordinated access and security within an organization.