Introduction to the Hot New LDAP Features in Novell eDirectory™ 8.7

Gary L. Anderson, Senior Development Manager, Novell, Inc.
Alan Clark, Senior Manager, eDirectory Access, Novell, Inc.

www.novell.com


Deployed Versions: Novell eDirectory™ and Novell Directory Services® (NDS®)

Product Version                     Build Version           Platforms
NetWare 5.1 SP4 (NDS 7)             DS.nlm v7.57            NetWare 5.1
NetWare 5.1 SP4 (NDS 8)             DS.nlm v8.79            NetWare 5.1
eDirectory 8                        DS.nlm & DS.dlm v8.79   NetWare 5.0, Win NT/2K
eDirectory 8.5.x                    DS v85.23               NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)          DS.nlm v10110.20        NetWare 6
eDirectory 8.6.1                    DS v10210.43            NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2)    DS.nlm v10310.17        NetWare 6
eDirectory 8.6.2                    DS v103xx.xx            NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                      DS v10410.xx            NW 5.1, NW 6, Win, Solaris, Linux, AIX

Differences between eDirectory and NDS

NDS (NetWare 5): a NOS directory focused on managing NetWare® servers

eDirectory (NetWare 6): a cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network—eDirectory is the foundation for eBusiness

Abstract

• This session provides an overview of the hot new LDAP features available in eDirectory 8.7
  – Rights-based object access
  – Dynamic groups
  – Object-based schema
  – Search simplification
  – Event monitoring
  – Configurable transport security
  – Multiple LDAP authentication methods
  – Device provisioning with embedded LDAP clients

• Specific implementation details and code samples are presented in DL204 and DL307

Welcome to Outdoor Adventures

[Figure: the Outdoor Adventures tree. OutdoorAdv contains USA, which contains the localities Atlanta and Denver. Each locality holds the containers students (student1), sales (salesman1), instructors (instructor1), sections (section1), courses (course1) and partners (coursesite1, airport1, hotel1), plus admin asst1 and a group named registered.]

This tree shows the logical layout of Outdoor Adventures, the sample company used in this presentation and in Tech Lab

Using LDAP to Set Directory Rights


Terminology

• ACM—The Access Control Model used in a directory to specify who has rights to what

• ACI—The X.500 standard name for Access Control Information (the rights to access objects)

• ACL—List maintained as an attribute of an object showing the rights that other objects have to the object


The eDirectory Access Control Model

• Access Control Lists (ACLs) reside on resources, and grant permissions to individual objects, containers (and subtrees), and groups

[Figure: the Atlanta subtree (students, sales, instructors, sections; instructor1, salesman1, section1, admin asst1, student1, registered) annotated with the question “How do students get rights to course information?” and three options: individually grant rights to each registered student; grant rights to all students, registered or not; grant rights to a dynamic group]

Access Rights

• Directory allows rights per object and user
  – Easy management of rights
  – Inheritance of rights based on tree structure
  – User abilities depend on ACLs for the object, the user, and the groups and subtrees the user belongs to

• Rights are held in the ndsAcl attribute of each object

Effective Privileges

• It’s hard to understand exactly which rights an object has to a resource because
  – ACLs are held on resources, parents of resources, and groups
  – ACLs may be blocked by inheritance rights filters

• eDirectory allows an object’s “Effective Privileges” to be interrogated

Check out DL204 for details on coding in C and Java

Programmatic ACL Modification

How do I allow a student to access information on a course section?

The answer is obvious, right? Use ConsoleOne® or iManager and assign student1 as a trustee of section1

But how do I do this with LDAP?

[Figure: the Atlanta subtree (students, sales, instructors, sections) with student1 (registered) and section1]

Modifying ACLs with LDAP

• ACLs are attributes, so no special APIs are required to access or update them

• The LDIF file to allow student1 rights to section1 could be:

  dn: cn=section1, ou=sections, l=Atlanta
  changetype: modify
  add: ndsACL
  ndsAcl: 1#entry#cn=student1, ou=students, l=Atlanta#[Entry Rights]
  ndsAcl: 3#entry#cn=student1, ou=students, l=Atlanta#[All Attributes Rights]

• Refer to section 5.7 of http://ietf.org/internet-drafts/draft-sermersheim-nds-ldap-schema-02.txt

ACL Privileges

• The privileges field is a number that is generated by performing a bitwise OR on the values that represent the desired access rights

• The table below shows the values

  Value      [Attributes]      [Entry Rights]
  1          Compare           Browse
  2          Read              Add
  4          Write, Add, Del   Del
  8          Add/Del Self      Rename
  16         (na)              Supervisory
  32         Supervisory       (na)
  536870912  Dynamic           Dynamic
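As an added example (not from the slides and not Novell's code), the following Python builds the privileges number by OR-ing the table's values, decodes an ndsACL value such as the ones in the LDIF above, and emits the same kind of LDIF modify. It assumes the value layout privileges#scope#subjectName#protectedAttrName with scope entry or subtree, as in the referenced draft, and that subject DNs contain no '#'.

```python
"""Build, decode and emit eDirectory ndsACL values (added example, not Novell code)."""

# Privilege bit values from the ACL Privileges table. Which table applies depends on
# whether the protected name is [Entry Rights] or an attribute name such as
# [All Attributes Rights] or telephoneNumber. Bit 4 for attributes covers Write/Add/Del.
ENTRY_RIGHTS = {"Browse": 1, "Add": 2, "Delete": 4, "Rename": 8,
                "Supervisory": 16, "Dynamic": 536870912}
ATTRIBUTE_RIGHTS = {"Compare": 1, "Read": 2, "Write": 4, "AddDelSelf": 8,
                    "Supervisory": 32, "Dynamic": 536870912}


def rights_table(protected_name):
    """Pick the bit table that applies to a protected name."""
    return ENTRY_RIGHTS if protected_name == "[Entry Rights]" else ATTRIBUTE_RIGHTS


def privileges(names, protected_name):
    """Bitwise-OR the named rights into the privileges number (rejects names that
    do not exist for this protected name, e.g. entry right 32 or attribute right 16)."""
    table = rights_table(protected_name)
    value = 0
    for name in names:
        if name not in table:
            raise ValueError(f"{name!r} is not a valid right for {protected_name}")
        value |= table[name]
    return value


def right_names(value, protected_name):
    """Decode a privileges number back into right names; bits marked (na) in the
    table for this protected name are reported as unknown rather than dropped."""
    table = rights_table(protected_name)
    names = [name for name, bit in table.items() if value & bit]
    known = sum(table.values())
    if value & ~known:
        names.append(f"unknown:0x{value & ~known:x}")
    return names


def parse_ndsacl(value):
    """Split privileges#scope#subjectName#protectedAttrName into its fields.
    The four-field layout with scope 'entry' or 'subtree' is assumed from the draft."""
    parts = value.split("#")          # assumes no '#' inside the subject DN
    if len(parts) != 4:
        raise ValueError("ndsACL value must have four '#'-separated fields")
    privs, scope, subject, protected = parts
    return {"privileges": int(privs), "scope": scope, "subject": subject.strip(),
            "protected": protected, "rights": right_names(int(privs), protected)}


def build_ndsacl(names, scope, subject_dn, protected_name):
    """Compose one ndsACL value from right names."""
    return f"{privileges(names, protected_name)}#{scope}#{subject_dn}#{protected_name}"


def grant_ldif(object_dn, subject_dn, grants):
    """LDIF modify adding one ndsACL value per (right names, protected name) pair,
    in the form shown on the Modifying ACLs slide (entry scope)."""
    lines = [f"dn: {object_dn}", "changetype: modify", "add: ndsACL"]
    for names, protected in grants:
        lines.append("ndsACL: " + build_ndsacl(names, "entry", subject_dn, protected))
    return "\n".join(lines) + "\n"
```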

The New ACL in Town

• [This]
  – A new ACL subjectName; it can be inheritable or non-inheritable
  – Reduces the need to use per-object ACLs to grant rights to an object’s own attributes
  – Management now available through iManager

Question: How can you give everyone rights to modify their own phone number?

To solve this problem, you can

A: Go through object by object and grant individual access, or…

B: Apply read, compare, and write rights to [This] for the telephoneNumber attribute high up in the tree and let it inherit

Filter-Based Groups


Creating Communities

• Communities in a directory exist when objects are formed into groups

• The original eDirectory group provided a static list of members and referential integrity between the member list of the group and the Member Of attribute on an object

Dynamic Groups

• eDirectory 8.6 and 8.7 allow you to determine group membership dynamically by using a search filter

• Search filter is in URL form (RFC 2255): ldap:///<base-DN>??<scope>?<filter>
  Example: ldap:///ou=sales,o=acme??sub?(title=manager)

• Additional capabilities
  – excludedMember—Objects specifically excluded from the group
  – uniqueMember—Objects specifically included in the group

• Web management interface in eDirectory 8.7; available only via LDAP in eDirectory 8.6

What Is the Cost of Using Dynamic Groups?

• Dynamic groups don’t show up in the groupMembership attribute of a user object

• To find out if your object is a member of the dynamic group, you have to run the group query filter against your object to see if it matches

• ACLs are applied to dynamic group filters

Why Use Dynamic Groups?

• Policy is stored in the directory
  – An application can be hard-coded to just read a dynamic group instead of searching with a search filter
  – This allows the “effective” filter to be modified at the directory without changing the application

• ACLs may be used with dynamic groups
  – Put an ACL on a course section object granting access rights to the dynamic group
  – Now all students registered for the section (determined dynamically) will have access

• Dynamic groups are scalable

Dynamic Groups—Compatibility

• Static groups may be converted to dynamic groups
  – Add dynamicGroupAux to the objectClass attribute
  – Set a search query in memberQueryURL

• For either static or dynamic groups, obtain a membership list by simply reading the “member” attribute

• By default, the implicit search is limited to the local server

Object-Based Schema (Auxiliary Classes)

What Good Is Object-Based Schema?

[Figure: the Staff container holding George, Sue, Bill, Fred, Peggy, Scott, Ivan, Jean and Paul]

Q: Peggy and Scott are managers—how can they have attributes specific to managers?

Q: Bill, Jean and Paul take turns handling the after-hours pager—how can the one holding the pager be uniquely identified?

To solve these problems, you can:

A: Add all attributes to base class definitions, or…

B: Use auxiliary classes to meet both of these requirements without adding attributes to other objects

Auxiliary Class Definition

• Auxiliary (or aux) classes are dynamic classes that can be added to the object class attribute of individual objects
  – The object inherits all the attributes of the aux class while retaining all of its own attributes
  – When the aux class is removed from the object, all of the aux class attributes are removed
  – Only the objects that need the attributes have them
  – Doesn’t change the object class definition

Using Auxiliary Classes

• Two steps
  – Modify the object class of an existing object to include the aux class name
  – Write values to attributes as you would any other attributes for that class

• Easy to remove
  – Delete the aux class name from the objectClass attribute

• Auxiliary classes are available from eDirectory 8 and beyond

Auxiliary Classes vs Structural Classes

Auxiliary Classes
• Added to individual instances of an object
• eDirectory 8 and above
• Removable from any object
• Single object may have many aux classes
• Requires write rights to the object’s object class attribute
• Cannot define containment
• All instances of use have to be removed prior to schema removal

Inherited (Structural) Classes
• Inherited to all objects through the class definition (superclass)
• All versions of eDirectory and NDS
• Non-removable from base classes
• Multiple inheritance
• Object class rights not required
• Ability to define containment
• May contain mandatory and optional attributes, including naming attributes

Replication of Auxiliary Classes

[Figure: the object Fred, carrying the aspenStudent auxiliary class (attributes aspenCourseDN, aspenRegisteredSection, aspenPaymentRef), replicated among eDirectory 8.7, eDirectory 8.6, and 8.5 (v85.23) or 8.0 (v8.78) servers. The figure also shows NDS 7.x (7.55c, 7.55d) and NDS 6.x (6.13, 6.14) servers and a “Modify or Replication Error: -666 Incompatible DS Version”.]

Auxiliary Class Safety Precautions

• Upgrade your tree to all eDirectory 8 servers

• If you can’t go to all eDirectory 8, then make sure you have the latest released patches for NDS 7 and NDS 6

• Never, never, never add auxiliary classes to objects on NDS 7 or NDS 6 servers

• Break the old habit of deleting unknown objects if you are using auxiliary classes

Auxiliary Class Benefits

• You can now apply attributes at will to objects in the tree, without requiring the schema definitions to be applied to all objects in the class

• Cleanup of auxiliary classes is a snap
  – Simply remove the aux class name from the objectClass attribute, and all attributes disappear automatically

Using Matching Rules to Reduce Searches

Extensible Match

• Extensible Match defined in LDAP v3
  – Support multiple matching rules for the same types of data
  – Can implement new rules, e.g., “sounds like”
  – Include DN elements in the search criteria

• The DN specification allows matching on specific elements of the DN of an object

  cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa   (the ou=sales element is highlighted)

Task: Find All Admin Assistants in All the Sales Groups of this Company

[Figure: a tree with Root over the organizations USA, England and Germany, which hold Sales, Manufacturing, Finance and Engineering departments (England’s Sales is split into East and West). Admin assistant containers hold Terry (ou=sales,o=usa), Sam and Alice (ou=sales,o=germany), Hilda (ou=finance,o=germany) and Bill (ou=west,ou=sales,o=england).]

Possibility One

1. Search for all admin assistant containers in the tree

   C:>ldapsearch … (organizationalRole=adminAssistant)
   organizationalRole=adminAssistant,ou=sales,o=usa
   organizationalRole=adminAssistant,ou=sales,o=germany
   organizationalRole=adminAssistant,ou=finance,o=germany
   organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   4 matches

2. In the client, evaluate each DN to see if it is subordinate to a sales container

   organizationalRole=adminAssistant,ou=sales,o=usa
   organizationalRole=adminAssistant,ou=sales,o=germany
   organizationalRole=adminAssistant,ou=finance,o=germany
   organizationalRole=adminAssistant,ou=west,ou=sales,o=england

Possibility One (cont.)

3. Using each admin assistant container as a base, do a subtree search for users in that container

   C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   1 matches

   C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   2 matches

   C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=west,ou=sales,o=england” (objectClass=user)
   cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   1 matches

Possibility Two

1. Search for all sales containers in the tree

   C:>ldapsearch … (ou=sales)
   ou=sales,o=usa
   ou=sales,o=germany
   ou=sales,o=england
   3 matches

2. Using each sales container as a base, do a subtree search for users in the admin assistant container

   C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
   cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
   1 matches

   C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
   cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
   2 matches

   C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=england” (objectClass=user)
   0 matches

What’s wrong? This search assumes everything is at the same level!

In eDirectory 8.7...

1. Use extensibleMatch

   C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
   cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
   cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Bill, organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   4 matches

Filter grammar for the extensible term (RFC 2254):

   extensible = attr [":dn"] [":" matchingrule] ":=" value
              / [":dn"] ":" matchingrule ":=" value

eDirectory Support for extensibleMatch

• eDirectory 8.7, available soon, supports extensibleMatch for matching on DN values

• eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and will ignore them
  – Versions of eDirectory prior to 8.7 would return a protocol error if an extensibleMatch term was specified in a search filter

• Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object using the standard matchingRules and matchingRuleUse schema attributes
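Added example code (not from the slides and not Novell's own tooling) serving both the dynamic-group slides (parsing a memberQueryURL and the "run the group's filter against your own object" membership test) and the extensibleMatch slides (the :dn: DN-component match, next to a plain equality term that cannot see the DN). Assumed: the constructed Outdoor Adventures and admin-assistant entries, an aspenRegisteredSection value holding the section DN, excludedMember taking precedence over uniqueMember, and the second term of the sales filter written with :dn: because adminAssistant occurs only in the DNs of the constructed data.

```python
"""Dynamic-group membership and DN extensibleMatch, evaluated client-side (added example)."""
from urllib.parse import unquote


def parse_member_query_url(url):
    """Split ldap:///<base-DN>?<attrs>?<scope>?<filter> (the RFC 2255 form on the slide)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?") + [""] * 4
    base, _attrs, scope, filt = (unquote(p) for p in parts[:4])
    return {"base": base, "scope": scope.lower() or "base",
            "filter": filt or "(objectClass=*)"}

def rdns(dn):
    """DN as a list of lower-cased (type, value) RDNs; naive split, no escaped commas."""
    out = []
    for part in dn.split(","):
        t, _, v = part.strip().partition("=")
        if t:
            out.append((t.lower(), v.strip().lower()))
    return out

def in_scope(entry_dn, base_dn, scope):
    """Does entry_dn fall inside base_dn for scope base / one / sub?"""
    e, b = rdns(entry_dn), rdns(base_dn)
    if b and e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_filter(s):
    """Tiny RFC 2254 parser: &, |, !, attr=value, attr=* and attr:dn:=value. Malformed input raises."""
    node, pos = _parse(s.strip(), 0)
    if pos != len(s.strip()):
        raise ValueError("trailing characters in filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    dn_flag = attr.lower().endswith(":dn:")          # extensibleMatch with dnAttributes
    return ("dn" if dn_flag else "eq", (attr[:-4] if dn_flag else attr).strip().lower(), value), j + 1

def matches(node, entry_dn, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry_dn, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry_dn, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry_dn, entry)
    _, attr, value = node
    value = value.lower()
    if op == "dn" and any(t == attr and v == value for t, v in rdns(entry_dn)):
        return True                                  # matched an RDN of the entry's own DN
    values = [str(v).lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values

def is_member(group, entry_dn, entry):
    """The membership test from the cost slide: run the group's filter against your object.
    Explicit lists are checked first; excludedMember beating uniqueMember is an assumption."""
    me = rdns(entry_dn)
    if any(rdns(x) == me for x in group.get("excludedMember", [])):
        return False
    if any(rdns(x) == me for x in group.get("uniqueMember", [])):
        return True
    q = parse_member_query_url(group["memberQueryURL"])
    return in_scope(entry_dn, q["base"], q["scope"]) and matches(parse_filter(q["filter"]), entry_dn, entry)

# Constructed Outdoor Adventures data (not from the slides): students and a dynamic group.
SECTION1 = "cn=section1,ou=sections,l=Atlanta"
STUDENTS = {
    "cn=student1,ou=students,l=Atlanta": {"aspenRegisteredSection": [SECTION1]},
    "cn=student2,ou=students,l=Atlanta": {},
    "cn=student3,ou=students,l=Denver": {"aspenRegisteredSection": [SECTION1]},
}
REGISTERED = {  # Atlanta students registered for section1, plus instructor1 added explicitly
    "memberQueryURL": f"ldap:///ou=students,l=Atlanta??sub?(aspenRegisteredSection={SECTION1})",
    "excludedMember": [],
    "uniqueMember": ["cn=instructor1,ou=instructors,l=Atlanta"],
}

# Constructed admin-assistant entries with the DNs shown on the search slides (no attributes).
ADMINS = {f"cn={name},organizationalRole=adminAssistant,{parent}": {} for name, parent in [
    ("Terry", "ou=sales,o=usa"), ("Sam", "ou=sales,o=germany"), ("Alice", "ou=sales,o=germany"),
    ("Hilda", "ou=finance,o=germany"), ("Bill", "ou=west,ou=sales,o=england")]}
# Both terms use :dn: because adminAssistant occurs only in the DNs of this constructed data.
SALES_ADMINS_FILTER = "(&(ou:dn:=Sales)(organizationalRole:dn:=adminAssistant))"
```

Running the plain equality filter (ou=sales) over ADMINS returns nothing, which is the Possibility Two problem in miniature: only the :dn: form looks at the entry's position in the tree.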

Directory Events in LDAP

How Do I Track Directory Changes?

[Figure: the Students container holding George, Sue, Bill, Fred, Peggy, Scott, Ivan, Jean and Paul]

Q: Students can change some of their own information—how can I track their changes in my instructor application using LDAP?

• I can poll the directory looking for changes
  – Requires me to keep state information in my app

• I can use directory events
  – Persistent Search
  – LDAP eDirectory events extension

LDAP Persistent Search

• Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server
  – Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter
  – The connection to the server remains open until the search is abandoned
  – Persistent search is supported by multiple directories

Applications of Persistent Search

• What does Persistent Search enable?
  – Applications driven by business process events
  – Creating and updating a local cache easily
  – Auditing
  – Data logging
  – Data reporting
  – And more…

• Persistent Search is an LDAP-standard way of getting directory events

eDirectory Events Extension

• Novell extension allowing an LDAP client to be notified of the occurrence of various events on a Novell eDirectory server
  – Utilizes the LDAP v3 extended operation extension mechanism
  – It also uses an intermediate response Protocol Data Unit (PDU) as described in the IETF draft draft-rharrison-ldap-intermediate-resp-00.txt
  – Available on all platforms supported by Novell eDirectory 8.7
  – This is Novell-specific and not standard LDAP

Selectively Monitor eDirectory Events

• Novell eDirectory defines several directory-related events, including
  – Operations on individual entries and their attributes
  – Partition and replica operations

• These events can be used for
  – Debugging
  – Auditing
  – Management

• Access to each event is controlled by rights checking
  – If the user does not have the required privileges, the request will fail
  – An EventExtendedResponse will be returned by the server with a responseCode value of insufficientPrivileges

Event Handling Priority

• The eDirectory event system extension supports the equivalent of the eDirectory journal priority
  – Event notifications are sent to a client in the order in which the events occurred on the server, after the underlying operations have completed
  – Order is guaranteed, and events are received after DS has processed the information
  – You cannot preempt an event or register for in-line processing

Applications of eDirectory Events

• What can I do with eDirectory Events?
  – eDirectory monitoring
  – Auditing
  – Automation of infrastructure changes
  – Automated business logic

• All of these things can be done with eDirectory—they don’t exist in the same form on other directory products

Configurable Transport Security

eDirectory 8.7 Debuts Full TLS 1.0

  SAS Library                                   Novell TLS Library
  SSL v3.0 support                              TLS 1.0 support (RFC 2246)
  Cryptography using NICI                       Cryptography using NICI
  Limited interoperability with other clients   Full TLS 1.0 compliance, good interoperability
  Limited support for EXTERNAL authentication   Fully configurable support for EXTERNAL authentication
  No support for StartTLS                       Supports LDAP StartTLS

Connecting with TLS

• eDirectory LDAP server can now be configured to use the following TLS handshakes
  – Require Client Certificate
  – Request Client Certificate
  – Server Certificate Only

• This configuration is done through iManager

[Figure: two speech bubbles, “Give me your Cert!” and “Please may I have your Cert?”, illustrating the require and request handshakes]

Selectable Channel Encryption

I’m connected to the directory on the clear-text port, and I want to access my credit card information—what do I do?

I can drop my connection, re-authenticate to the SSL port, and get the data

OR

I can send the StartTLS extended request along with the query to read my credit card

Ending TLS on a Connection

• Client or server sends a TLS end notification

• All operations are abandoned

• Connection reverts to anonymous
  – Specified in RFC 2829

• TLS is turned off by both client and server

TLS Information

• Functionality is defined in RFC 2222, 2829, and 2830

• Novell TLS Library* is based on the OpenSSL project (current version 0.9.c) with the cryptographic library replaced by NICI

* This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

New LDAP Authentication Methods

Is LDAP Simple Bind Secure Enough?

[Figure: an employee binding as Jane.Smith with password jsmith, and a hacker also binding as Jane.Smith with password jsmith]

Are you confident that the user is who he claims to be?

SASL Exposed

• SASL (Simple Authentication and Security Layer) is an authentication negotiation framework
  – Server lists registered authentication mechanisms in the supportedSASLMechanisms attribute of the root DSE
  – Client chooses the authentication method
  – Server implements authentication policy
  – Official SASL mechanisms are registered with IANA*
  – eDirectory 8.7 supports
    • EXTERNAL
    • DIGEST-MD5
    • NMAS_LOGIN

*Internet Assigned Numbers Authority

SASL EXTERNAL

• TLS handshake establishes client identity by means of certificate-based client authentication

• LDAP SASL EXTERNAL uses that identity for the user connection

SASL DIGEST-MD5

• Allows password to be securely sent over a clear text connection

• Requires that the server maintain a clear text copy of the password in the NMAS encrypted store that can be hashed using data provided in the bind and then compared to the hashed password contained in the bind

[Figure: SASL bind packet with hashed password]
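As an added illustration of the DIGEST-MD5 point above (example code, not Novell's NMAS implementation), the following Python computes the RFC 2831 response on the client and verifies it on the server by recomputing it from the stored password, which is why only the password itself, never a one-way hash of it, lets the server check the bind. The credential store, realm, user name and digest-uri are constructed values standing in for the NMAS encrypted store.

```python
"""SASL DIGEST-MD5 challenge/response, client and server sides (added example, not Novell code)."""
import hashlib
import secrets


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client response per RFC 2831: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))).
    A1 begins with the *binary* MD5 of username:realm:password; that is the only place
    the password enters the computation (no authzid in this example)."""
    a1 = _md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _md5hex(f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}".encode())


def server_verify(store, username, realm, nonce, cnonce, nc, qop, digest_uri, response):
    """Server side: look up the clear-text password the slide says the server must keep,
    recompute the expected response for this server nonce, and compare in constant time."""
    password = store.get((username, realm))
    if password is None:
        return False
    expected = digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    return secrets.compare_digest(expected, response)


def simulate_bind(store, username, realm, password, digest_uri, nonce=None, cnonce=None):
    """One round: server challenge (nonce) -> client response (cnonce, response) -> server check.
    Returns the fields that would cross the clear-text connection and the server's verdict."""
    nonce = nonce or secrets.token_hex(16)      # server-chosen, fresh per bind
    cnonce = cnonce or secrets.token_hex(16)    # client-chosen
    nc, qop = "00000001", "auth"
    response = digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    on_wire = {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce,
               "nc": nc, "qop": qop, "digest-uri": digest_uri, "response": response}
    ok = server_verify(store, username, realm, nonce, cnonce, nc, qop, digest_uri, response)
    return on_wire, ok


# Constructed credential store standing in for the NMAS encrypted store (password is clear text).
STORE = {("jane.smith", "outdooradv.example"): "correct horse battery"}
URI = "ldap/ldap.outdooradv.example"
```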

SASL NMAS_LOGIN

• Allows the full functionality of Novell Modular Authentication Services to be applied to LDAP binds

• Login policy maintained by the server

• Provides for multiple levels of authentication and identification
  – Password
  – Fingerprint
  – Smart card
  – Certificate
  – Biometric

Device Provisioning with Embedded LDAP Clients

Novell Leadership in Device Provisioning

• Through our embedded technology effort, Novell has been in the embedded eDirectory business for eight years
  – iPrint and eNDPS (embedded Novell Distributed Print Services™ (NDPS®) technology)

• Introducing the Embedded Device Provisioning Agent (eDPrA)

• Novell offers the market self-provisioning hardware managed by eDirectory

What Is Embedded Device Provisioning?

• Directory-enabled device provisioning
  – Allows for non-computer connected devices to work with eDirectory
  – Improves security on hardware that has been limited by SNMP standards (simple login and passwords)
  – Allows for management of millions of devices at one time
  – Provides hands-free configuration and setup

How a Directory Helps Provisioning

• Increases deployment speeds of embedded hardware

• Improves management of the overall system

• Enhanced security from multiple authentication methods

• More scalable than SNMP

Page 61

Provisioning of Devices within the Enterprise

[Diagram: Novell eDirectory at the centre, fed by HR, billing, work order, order entry, Internet data and DirXML data; holding provisioning, trouble alert, billing and data sync policies plus security; driven from a management console; directory-based provisioning flowing out to wireless devices, networked hardware, caching or other hardware, routers and CPE.]

Page 62

Bringing It All Together

Page 63

Outdoor Adventures: Bringing It All Together

Let’s look at how these new features can benefit a hypothetical company, Outdoor Adventures

Auxiliary classes are used to identify students and instructors

ACLs are used to give students and instructors rights to view information they need on the web

The [This] ACL is used to allow students to modify their own object attributes

Access to specific course information is allowed by assigning ACLs to dynamic groups that identify students
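As an added illustration, not code from the deck or from Novell: the Python below resolves the membership of a dynamic group from a memberQueryURL-style LDAP URL (RFC 2255) by evaluating its search filter (an RFC 2254 subset: and, or, not, equality and presence) against a constructed in-memory snapshot of the Outdoor Adventures tree. The entries, the oaStudent/oaInstructor auxiliary classes and the oaCourse attribute are invented for the example. On a real eDirectory server the server evaluates the URL itself; the point here is to show which entries such a rule selects, and why the base and scope matter when ACLs are granted through the group.

```python
"""Resolve a dynamic group's members from its memberQueryURL (added example).

The directory snapshot, the oaStudent/oaInstructor classes and the
oaCourse attribute are constructed for illustration only.
"""
import re
from urllib.parse import unquote

# Constructed snapshot: DN -> {lower-cased attribute: [values]}.
DIRECTORY = {
    "cn=alice,ou=people,o=oa": {"objectclass": ["inetOrgPerson", "oaStudent"], "oacourse": ["kayak101"]},
    "cn=bob,ou=people,o=oa": {"objectclass": ["inetOrgPerson", "oaStudent"], "oacourse": ["climb200"]},
    "cn=carol,ou=people,o=oa": {"objectclass": ["inetOrgPerson", "oaInstructor"], "oacourse": ["kayak101"]},
    "cn=dave,ou=staff,o=oa": {"objectclass": ["inetOrgPerson", "oaStudent"], "oacourse": ["kayak101"]},
}


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter (RFC 2255) into (base, scope, filter)."""
    m = re.match(r"ldap://[^/]*/(.*)", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    parts = m.group(1).split("?")
    parts += [""] * (4 - len(parts))          # missing fields take their defaults
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, (scope or "base").lower(), flt or "(objectClass=*)"


def in_scope(dn, base, scope):
    """base: only the base entry; one: immediate children; sub: base and all below.
    DN comparison is a plain string match (no escaped commas handled)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return scope == "sub" and dn == base
    rest = dn[: -len(base) - 1]
    return "," not in rest if scope == "one" else True


def parse_filter(s):
    """Recursive-descent parser for (&...), (|...), (!...), (attr=value), (attr=*)."""
    def parse(i):
        if s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if s[i] in "&|!":
            op, i = s[i], i + 1
            kids = []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if s[i] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("malformed filter near offset %d" % i)
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, sep, value = s[i:j].partition("=")
        if not sep or attr[-1:] in ("~", "<", ">", ":"):
            raise ValueError("unsupported filter item %r" % s[i:j])
        return ("=", attr.strip().lower(), value), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def match(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op in "&|":
        results = [match(k, entry) for k in node[1]]
        return all(results) if op == "&" else any(results)
    if op == "!":
        return not match(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                          # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def resolve_dynamic_group(member_query_url, directory=DIRECTORY):
    """Return the sorted DNs the dynamic group would contain."""
    base, scope, flt = parse_ldap_url(member_query_url)
    tree = parse_filter(flt)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and match(tree, attrs))


if __name__ == "__main__":
    url = "ldap:///ou=people,o=oa??sub?(&(objectClass=oaStudent)(oaCourse=kayak101))"
    for member in resolve_dynamic_group(url):
        print(member)
```

The base and scope narrow the candidate set before the filter runs: dave is a kayak101 student but sits under ou=staff, so he is not selected by the URL above even though he matches the filter. That is exactly the behaviour to verify when course ACLs are granted through the group rather than to individual objects.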

Page 64

Outdoor Adventures: Bringing It All Together

Instructors use Persistent Search to dynamically update their web display of class members

Searches in the tree are simplified with DN matching rules

Credit card information is transmitted over TLS connections

Advanced authentication (thumbprint) is required for instructors to access student and course information

The Outdoor Adventures network is run using switches and routers configured from the directory
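Before relying on NMAS_LOGIN binds (the SASL mechanism from the earlier slide), TLS and Persistent Search as the Outdoor Adventures scenario does, an administrator would confirm that the server actually advertises them. The Python below is an added example, not part of the presentation or of Novell's tooling: it parses a root DSE in LDIF form and reports those capabilities. The LDIF is a constructed sample; the OIDs are the standard ones for the startTLS extended operation (RFC 2830) and the Persistent Search control (draft-smith-pesearch), and NMAS_LOGIN is the mechanism name the deck uses.

```python
"""Report the LDAP capabilities a server advertises in its root DSE (added example).

SAMPLE_ROOT_DSE is a constructed LDIF snippet modelled on the output of
  ldapsearch -x -H ldap://host -s base -b "" "(objectClass=*)" +
"""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"           # startTLS extended op, RFC 2830
PERSISTENT_SEARCH_OID = "2.16.840.1.113730.3.4.3"  # Persistent Search control

SAMPLE_ROOT_DSE = """\
dn:
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NMAS_LOGIN
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.2
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lower-cased attribute: [values]}.
    Folded continuation lines (leading space, RFC 2849) are joined;
    base64 (::) values are not decoded, which is fine for a root DSE."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def assess_root_dse(ldif_text):
    """Map each capability the scenario depends on to True/False."""
    dse = parse_ldif_entry(ldif_text)
    mechs = {m.upper() for m in dse.get("supportedsaslmechanisms", [])}
    extensions = dse.get("supportedextension", [])
    return {
        "ldapv3": "3" in dse.get("supportedldapversion", []),
        "start_tls": START_TLS_OID in extensions,
        "nmas_login": "NMAS_LOGIN" in mechs,
        "persistent_search": PERSISTENT_SEARCH_OID in dse.get("supportedcontrol", []),
        # PLAIN carries the password in clear unless the session is already
        # under TLS, so flag a server that offers it without startTLS.
        "plain_without_tls_risk": "PLAIN" in mechs and START_TLS_OID not in extensions,
    }


def missing_for_deployment(report, required=("ldapv3", "start_tls", "nmas_login", "persistent_search")):
    """List the required capabilities the server does not advertise."""
    return [name for name in required if not report.get(name)]


if __name__ == "__main__":
    report = assess_root_dse(SAMPLE_ROOT_DSE)
    for name, present in report.items():
        print("%-24s %s" % (name, "yes" if present else "no"))
    print("missing:", missing_for_deployment(report) or "none")
```

Run the same assessment against the LDIF returned by a real base-scope search of the empty DN; a server that lists PLAIN or accepts simple binds but does not advertise startTLS should have LDAP over TLS (port 636) enforced before credit-card data or thumbprint-backed sessions are put through it.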

Page 65

Outdoor Adventures: Bringing It All Together

Want to learn more about these concepts and see them in operation?

• The “How To” information is given in sessions DL204, DL307, and TUT242

• The Outdoor Adventures web site showcasing all of these concepts can be experienced in the tech lab

Page 66

Novell eDirectory 8.7—It’s Not Just a NOS Directory Anymore

How do I get this great full-service LDAP directory product for re-distribution with my applications?

You can have your customers go out and buy individual licenses as needed,

OR

Developers can sign up for the Novell eDirectory Re-distribution Kit by visiting developer.novell.com/edirectory/ and receiving 250,000 eDirectory licenses for free (now that’s a DEAL)

Page 67

Vision…one Net

A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Mission

To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Page 70

Developer References

• Novell Developer LDAP SDKs, documentation, and samples

http://developer.novell.com/ndk

• Novell eDirectory Evaluation Version and Redistribution kit

http://www.novell.com/products/edirectory/

• Novell Modular Authentication Services (NMAS™) http://www.novell.com/products/nmas

• Novell Developer AppNotes http://developer.novell.com/research

Page 71

Developer References

• LDAP Zone: The latest information and resources for LDAP

http://www.ldapzone.com

• Directory Interoperability Forum

http://www.opengroup.org/dif

• Works with LDAP certification

http://www.wwldap.org

Page 72

Developer References

• LDAP IETF standards

Filters and extensibleMatch
• http://www.ietf.org/rfc/rfc2254.txt
• http://www.ietf.org/rfc/rfc2251.txt

The TLS protocol
• http://www.ietf.org/rfc/rfc2246.txt

Extension for TLS (startTLS)
• http://www.ietf.org/rfc/rfc2830.txt

SASL (Simple Authentication and Security Layer)
• http://www.ietf.org/rfc/rfc2222.txt

Page 73

References

• eDirectory ACLs http://www.ietf.org/internet-drafts/draft-sermersheim-nds-ldap-schema-02.txt Section 5.7

• Dynamic Groups http://www.ietf.org/internet-drafts/draft-haripriya-dynamicgroup-00.txt

App note at http://www.developer.novell.com

• Persistent Search http://www.ietf.org/internet-drafts/draft-smith-pesearch-00.txt

App note coming soon at http://www.developer.novell.com