
Directory Services


Presentation Transcript


  1. Directory Services (outline)
     - What is a Directory Service?
     - Directory Services model
     - Directory Services naming model
     - X.500 and LDAP
     - Implementations of Directory Services

  2. What is a Directory Service?
     A directory service is the collection of software, hardware, processes, policies, and administrative procedures involved in making the information in your directory available to the users of your directory. Your directory service includes at least the following components:
     - Information contained in the directory
     - S/W servers holding this information
     - S/W clients acting on behalf of users or other entities accessing this information
     - H/W on which these clients and servers run
     - Policies governing access
     - S/W and procedures for maintenance and monitoring

  3. Directory Service

  4. Directory Service
     - Early directory services were designed for a specific application (e.g. the X.400 email application).
     - Later (1988), X.500 was introduced as a standard directory service to serve different applications. It has been revised several times; the current edition is the 5th (2005).
     - Implemented as a distributed database.
     - All network entities are represented as objects with attributes.
     - A schema defines the directory “blueprint”.
     - X.509, a subset of the X.500 specification (public key certification), became a common stand-alone standard for authentication.

  5. Directory as a Database
     A directory is a specialized database:
     - Directories typically have a higher read-to-write ratio than databases.
     - Directories are typically more easily extended.
     - Directories are usually more widely distributed.
     - Directories are often replicated on a larger scale.
     - Directories usually have very different performance characteristics.
     - Support for standards is important in directories, less so in databases.

  6. Directory entry with attributes

  7. Directory Naming Model
     - All objects are arranged into a hierarchical tree structure, the Directory Information Tree (DIT).

  8. Directory Naming Model
     - All objects are arranged into a hierarchical tree structure (DIT).
     - Each object has an RDN (relative distinguished name): a simple object name that is unique within its tree level (e.g. Printer1, dglazer).
     - Each object is identified by its distinguished name (DN), which is unique in the whole directory (e.g. cn=ChocCookie,ou=recipes,dc=foobar,dc=com; Printer1.is.umbc.edu; dglazer.umbc.edu).
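To make the naming rules on this slide concrete, here is an added Python example (my own code, not from the slides) that splits a DN string into its RDNs, normalizes names for comparison, and checks that a set of entries forms a well-formed DIT under a naming context: every entry lies under the suffix, its parent is present, and no RDN is reused among siblings. The suffix dc=foobar,dc=com and the entry names reuse the slide's example; treating attribute values case-insensitively is an assumption matching the usual caseIgnoreMatch rule for cn, ou and dc.

```python
"""DN/RDN parsing and DIT placement checks for the LDAP naming model.
Added example, not from the slides.  Handles the RFC 4514 string form for the
common cases: backslash-escaped separators, case-insensitive types and values."""


def split_dn(dn):
    """Split a DN into its RDN strings, leftmost (most specific) first,
    treating a backslash-escaped comma as part of the value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pair verbatim
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn):
    """'cn=ChocCookie' -> ('cn', 'ChocCookie'); the type is normalised to lowercase."""
    attr, eq, value = rdn.partition("=")
    if not eq or not attr.strip() or not value.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def normalize_dn(dn):
    """Canonical form used for equality: types and values lowercased (assumes
    caseIgnoreMatch, as for cn/ou/dc), no whitespace around separators."""
    return ",".join(f"{a}={v.lower()}" for a, v in map(parse_rdn, split_dn(dn)))


def parent_dn(dn):
    """Immediate superior in the DIT ('' for a single-RDN name)."""
    return ",".join(split_dn(normalize_dn(dn))[1:])


def validate_dit(suffix, dns):
    """Check that `dns` forms a connected subtree under `suffix` with unique names:
    each DN lies under the suffix, its parent is present, and no two DNs collide
    (an RDN must be unique among its siblings).  Returns a list of problems."""
    suffix = normalize_dn(suffix)
    present, problems = {suffix}, []
    normalized = [normalize_dn(d) for d in dns]
    for dn, ndn in zip(dns, normalized):
        if ndn != suffix and not ndn.endswith("," + suffix):
            problems.append(f"{dn}: outside naming context {suffix}")
        if ndn in present:
            problems.append(f"{dn}: duplicate name (RDN not unique at its level)")
        present.add(ndn)
    for dn, ndn in zip(dns, normalized):      # second pass: order of input is irrelevant
        if ndn != suffix and parent_dn(ndn) not in present:
            problems.append(f"{dn}: parent {parent_dn(ndn)} missing")
    return problems


if __name__ == "__main__":
    # Constructed sample: the slide's cookie entry plus a deliberately duplicated OU.
    print(validate_dit("dc=foobar,dc=com", [
        "cn=ChocCookie,ou=recipes,dc=foobar,dc=com",
        "ou=recipes,dc=foobar,dc=com",
        "OU=Recipes, dc=foobar, dc=com",
    ]))
```

Normalizing before comparison is what makes the uniqueness check meaningful: `ou=recipes` and `OU=Recipes` name the same entry, so a server must reject the second add, and the two-pass validation accepts entries in any order as long as the parent is somewhere in the set.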

  9. Distributed DIT

  10. Distributed DIT

  11. Distributed DIT

  12. Directory Management Domains

  13. Client/Server architecture

  14. X.500 components and protocols

  15. LDAP vs X.500
     - LDAP was originally developed as an alternative to the X.500 DAP protocol.
     - It was designed to use TCP/IP instead of the OSI protocol stack (a “lighter” protocol).
     - LDAP evolved into a complete directory service.
     - LDAP’s architecture and naming structure are based on the X.500 standard.
     - Although today’s version of DAP also runs over TCP/IP, LDAP remains the popular option for connecting to a directory.

  16. LDAP functional model
     LDAP operations are divided into 3 areas: authentication, interrogation, and update. Some examples include:
     - Authentication: open, bind and unbind
     - Interrogation: search, compare
     - Update: add, modify, delete

  17. LDAP security model
     - Authentication: assurance that the opposite party (machine or person) really is who he/she/it claims to be.
     - Integrity: assurance that the information that arrives is really the same as what was sent.
     - Confidentiality: protection of information, by means of data encryption, from disclosure to those not intended to receive it.
     - Authorization: assurance that a party is really allowed to do what he/she/it is requesting to do. This is usually checked after user authentication. In LDAP Version 3, this is currently not part of the protocol specification and is therefore implementation- (or vendor-) specific.

  18. LDAP security model
     - No authentication
     - Basic authentication
     - Simple Authentication and Security Layer (SASL): SASL is a framework for adding additional authentication mechanisms to connection-oriented protocols.
     - SSL and its successor, TLS, are the mechanisms commonly used in SASL for LDAP.
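The following added example (my own toy code, not from the slides or any LDAP product) exercises the functional model of slide 16 and the security model of slides 17 and 18 on an in-memory directory: bind/unbind, search/compare and add/modify/delete, each returning the name of an RFC 4511 result code. The policy choices are assumptions made for illustration: a bind that carries a password is refused unless the connection is TLS-protected (so the password is never sent in the clear), update operations require an authenticated identity, and stored passwords are salted PBKDF2 hashes. DNs are assumed to contain no escaped commas; the entry names reuse the slide 8 example.

```python
"""Toy in-memory LDAP-style server: functional model (authentication,
interrogation, update) plus a bind confidentiality policy.  Added example, not
from the slides.  Assumes plain DNs (no escaped commas); result-code names are
the RFC 4511 ones; the access policy is this toy's own choice."""
import hashlib, hmac, os, re


def norm(dn):
    """Lowercase a plain DN and strip spaces around the comma separators."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def naming_attr(dn):
    """Leftmost RDN as (type, value), e.g. ('cn', 'ChocCookie')."""
    attr, _, value = dn.split(",")[0].strip().partition("=")
    return attr.strip().lower(), value.strip()


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def verify_password(pw, stored):
    salt = bytes.fromhex(stored.partition("$")[0])
    return hmac.compare_digest(hash_password(pw, salt), stored)


class Connection:
    def __init__(self, tls):
        self.tls = tls          # session protected by SSL/TLS (or StartTLS)?
        self.bound_as = None    # DN of the authenticated identity; None = anonymous


class Server:
    def __init__(self, suffix, admin_dn, admin_password):
        self.entries = {norm(suffix): {"objectclass": ["top"]}}
        a, v = naming_attr(admin_dn)
        self.entries[norm(admin_dn)] = {"objectclass": ["person"], a: [v],
                                        "userpassword": [hash_password(admin_password)]}

    # --- authentication -------------------------------------------------------
    def bind(self, conn, dn=None, password=None):
        if dn is None:                       # anonymous bind: no identity, no secret
            conn.bound_as = None
            return "success"
        if not conn.tls:                     # a simple bind sends the password in the clear
            return "confidentialityRequired"
        stored = self.entries.get(norm(dn), {}).get("userpassword", [None])[0]
        if not password or stored is None or not verify_password(password, stored):
            return "invalidCredentials"      # an empty password is not treated as anonymous
        conn.bound_as = norm(dn)
        return "success"

    def unbind(self, conn):
        conn.bound_as = None

    # --- interrogation (this toy allows it anonymously) -----------------------
    def search(self, conn, base, scope, flt):
        """scope: 'base' | 'one' | 'sub'; flt: '(attr=value)' equality or '(attr=*)' presence."""
        base = norm(base)
        if base not in self.entries:
            return "noSuchObject", []
        attr, value = (s.lower() for s in re.fullmatch(r"\((\w+)=([^)]*)\)", flt).groups())

        def in_scope(dn):
            if scope == "base":
                return dn == base
            if scope == "one":
                return dn.partition(",")[2] == base
            return dn == base or dn.endswith("," + base)

        def matches(entry):
            vals = [x.lower() for x in entry.get(attr, [])]
            return bool(vals) if value == "*" else value in vals

        return "success", sorted(dn for dn, e in self.entries.items() if in_scope(dn) and matches(e))

    def compare(self, conn, dn, attr, value):
        entry = self.entries.get(norm(dn))
        if entry is None:
            return "noSuchObject"
        vals = [x.lower() for x in entry.get(attr.lower(), [])]
        return "compareTrue" if value.lower() in vals else "compareFalse"

    # --- update (authenticated bind required) ---------------------------------
    def add(self, conn, dn, attrs):
        if conn.bound_as is None:
            return "insufficientAccessRights"
        ndn = norm(dn)
        if ndn in self.entries:
            return "entryAlreadyExists"       # RDN already used at this level
        if ndn.partition(",")[2] not in self.entries:
            return "noSuchObject"             # parent must exist in the DIT
        entry = {k.lower(): list(v) for k, v in attrs.items()}
        a, v = naming_attr(dn)
        entry.setdefault(a, [v])              # entry must carry its naming attribute
        self.entries[ndn] = entry
        return "success"

    def modify(self, conn, dn, attr, values):
        if conn.bound_as is None:
            return "insufficientAccessRights"
        entry = self.entries.get(norm(dn))
        if entry is None:
            return "noSuchObject"
        entry[attr.lower()] = list(values)    # a 'replace' modification
        return "success"

    def delete(self, conn, dn):
        if conn.bound_as is None:
            return "insufficientAccessRights"
        ndn = norm(dn)
        if ndn not in self.entries:
            return "noSuchObject"
        if any(d.partition(",")[2] == ndn for d in self.entries):
            return "notAllowedOnNonLeaf"      # subordinates must be removed first
        del self.entries[ndn]
        return "success"
```

Usage: create `Server("dc=foobar,dc=com", "cn=admin,dc=foobar,dc=com", "<password>")`, then bind a `Connection(tls=True)` as the admin before calling `add`/`modify`/`delete`; the same bind over `Connection(tls=False)` is refused with `confidentialityRequired`, which is the point of the confidentiality bullet on slide 17. Authorization is not part of the LDAP v3 protocol, so the "writes need an authenticated identity" rule lives in the server code, exactly where the slide says it ends up: in the implementation.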

  19. Directory Services Implementations
     - Microsoft Active Directory
     - Novell eDirectory
     - Sun Microsystems OpenDS
     - OpenLDAP
     - Apple Open Directory
     - Oracle Internet Directory
     - Apache Directory Server
     For an example implementation, see the OpenLDAP article:
     - SLAPD: stand-alone LDAP server
     - SLURPD: replication service
