530 likes | 1.38k Views
What is a Directory Service? Directory Services model Directory Services naming model X.500 and LDAP Implementations of Directory Services. Directory Services. A directory service is the collection of software, hardware,
E N D
What is a Directory Service? Directory Services model Directory Services naming model X.500 and LDAP Implementations of Directory Services Directory Services
A directory service is the collection of software, hardware, processes, policies, and administrative procedures involved in making the information in your directory available to the users of your directory. Your directory service includes at least the following components: Information contained in the directory S/W servers holding this information S/W clients acting on behalf of users or other entities accessing this information H/W on which these clients and servers run Policies governing access S/W and procedures for maintainance and monitoring What is a Directory Service?
Early directory services were designed for a specific application (e.g. X.400 email application) Later, (1988) X.500 was introduced as a standard directory service to service different applications. It was revised several times, currently 5th edition (2005). Implemented as a distributed database All network entities are implemented as objects with attributes Schema defines the directory “blueprint” X.509 subset of X.500 specification (public key certification) became a common stand-alone standard for authentication Directory Service
Directory is a specialized database Directories typically have a higher read-to-write ratio than databases. Directories are typically more easily extended Directories are usually more widely distributed Directories are often replicated on a higher scale Directories usually have very different performance characteristics Support for standards is important in directories, less so in databases. Directory as a Database
All objects are arranged into a hierarchical tree structure (DIT) Directory Naming Model
All objects are arranged into a hierarchical tree structure (DIT) Each object has RDN – simple object name that is unique within a tree level (e.g. Printer1, dglazer) Each object is identified by it’s distinguished name (DN) that’s unique in the directory (e.g. cn=ChocCookie,ou=recipes,dc=foobar,dc=com; Printer1.is.umbc.edu; dglazer.umbc.edu) Directory Naming Model
LDAP was originally developed as an alternative to X.500 DAP protocol It was designed to use TCP/IP instead of OSI protocol stack (“lighter protocol”). LDAP evolved into a complete directory service LDAP’s architecture and naming structure are based on X.500 standard Although today’s version of DAP also runs over TCP/IP, LDAP remains the popular option for connection to a Directory. LDAP vs X.500
LDAP operations are divided into 3 areas: Authentication, Interrogation, Update Some examples include: Authentication: Open, bind and unbind Interrogation: Search, compare Update: Add, Modify, Delete LDAP functional model
Authentication Assurance that the opposite party (machine or person) really is who he/she/it claims to be. Integrity Assurance that the information that arrives is really the same as what was sent. Confidentiality Protection of information disclosure by means of data encryption to those who are not intended to receive it. Authorization Assurance that a party is really allowed to do what he/she/it is requesting to do. This is usually checked after user authentication. In LDAP Version 3, this is currently not part of the protocol specification and is therefore implementation- (or vendor-) specific. LDAP security model
No authentication Basic authentication Simple Authentication and Security Layer (SASL)SASL is a framework for adding additional authentication mechanisms to connection-oriented protocols. ISSL and its successor, TLS, are the mechanisms commonly used in SASL for LDAP LDAP security model
Microsoft Active Directory Novell eDirectory Sun Microsystems OpenDS OpenLDAP Apple Open Directory Oracle Internet Directory Apache Directory Server Look at the example of OpenLDAP implementation article: SLAPD – stand-alone LDAP server SLURD – replication service Directory Services Implementations