Building Secure, Flexible and Scalable Environments using LDAP - SANS 2002 - Orlando
Sacha Faust, PricewaterhouseCoopers
sacha@severus.org
sacha.faust.bourque@ca.pwcglobal.com

LDAP overview
• History
• Historical Usage
• Technical specs

History
• Created by the University of Michigan
• Evolution
  • 1993: LDAP v1: RFC 1487: X.500 Lightweight Directory Access Protocol
  • 1995: LDAP v2: RFC 1777: Lightweight Directory Access Protocol
  • 1997: LDAP v3: RFC 2251: Lightweight Directory Access Protocol (v3)

Historical Usage
• People-centric information
• Phone books
• Personnel data
• Large white-page applications

Technical specs
• TCP/IP
• Lightweight
• Hierarchical structure
• Easy API
LDAP for a single sign-on environment?
• Why is single sign-on needed?
• Why is LDAP a viable solution for single sign-on?
• Requirements for an efficient and secure single sign-on solution
• Technical challenges for implementing true single sign-on
• What can LDAP do to solve the problems?

Why is single sign-on needed?
• Large networks
• Multiple operating systems
• Various network devices
• Centralizing infrastructure

Why is LDAP a viable solution for single sign-on?
• Lightweight
• TCP/IP
• Open standard
• Already used to store people-centric information

Requirements for an efficient and secure single sign-on solution
• Open standard
• Scalability
• Access controls
• Easy to integrate with current infrastructure
• Easy and reliable API
• Easy to manage

Technical challenges for implementing true single sign-on
• Cross-platform support
• Cross-platform user settings
• Data synchronization
• Proprietary authentication mechanisms
• Security
• Schema and organizational structure

What can LDAP do to solve the problems?
• Open standard
• Support for SSL
• Most vendors offer ACLs
• Customizable schema
• Powerful search capabilities

Why is this solution better? Advantages
• Security
  • Central control of all users
  • Central point of revocation
• Flexibility
• Scalability
• Financially
  • Most of the components are available for free use
  • Low management cost
  • Doesn't require a lot of administration

Security
• Central control of all users
• Central point of revocation

Advanced topics
• LDAP security
• Steps to secure your LDAP server
• Special considerations for single sign-on
Steps to secure your LDAP server
• 1. Identifying requirements
• 2. Securing the directory
• 3. LDAP server host security
• 4. Network security

1. Identifying requirements
• Network access
• Types of users and groups
• Defining data access requirements
• LDAP schema

Network access
• Network architecture
• Identifying member servers and their requirements
• Identifying clients and their requirements

Types of users and groups
• Administration users
• Read users
• Write users
• Member servers
• Groups
  • Static
  • Dynamic

Defining data access requirements
• What each member server can do and see
• What types of information users can see
• What attributes users can change on their own entries
• Data risk level
  • Is the data public?
  • Is the data restricted per organizational unit?
  • Is the data used by the infrastructure?

Data risk level
• Is the data public?
• Is the data restricted per organizational unit?
• Is the data used by the infrastructure?

2. Securing the directory
• Implementing ACLs
• Strong password management

3. LDAP server host security
• File system
  • File system ACLs
  • Identifying critical data
  • Integrity
• Non-privileged user
• Registry (Win32 only)
• Limiting services

File system
• File system ACLs
• Identifying critical data
• Integrity

4. Network security
• Encrypting data
  • SLDAP (LDAP over SSL)
• Authentication
  • Basic?
  • Certificate?
  • Anonymous?
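An OpenLDAP slapd.conf access-control fragment, added here as an illustration and not part of the original slides, showing how the user types and data-access requirements from the steps above (administration users, read users, member servers, self-service attributes, infrastructure data, anonymous access) map onto directory ACLs. The suffix dc=example,dc=com, the group and member-server DNs and the attribute names are assumptions.

```conf
# Added example (not from the slides). Assumed: suffix dc=example,dc=com,
# an admin group cn=admins,ou=groups, a PAM member server cn=pam-client under
# ou=servers, and infrastructure entries under ou=hosts. slapd.conf syntax.

# Weak: how a directory with no access directives behaves. Any bind,
# anonymous included, reads every attribute, userPassword included.
#   access to * by * read

# Hardened: slapd applies the FIRST "access to" clause whose target matches
# and, within it, the FIRST "by" clause whose subject matches, so order matters.

# Passwords: users change only their own, the admin group may reset them,
# everyone else may only present the value in a bind (auth), never read it.
# Removing a DN from cn=admins revokes its rights everywhere: one revocation point.
access to attrs=userPassword
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Self-service attributes a user may maintain on their own entry;
# other authenticated users may read them, anonymous binds cannot.
access to attrs=telephoneNumber,mail,description
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by self write
    by users read
    by * none

# Infrastructure data is visible only to the member server that needs it and
# to the admin group. The member server authenticates people by binding as
# them, so it never needs to read password hashes.
access to dn.subtree="ou=hosts,dc=example,dc=com"
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by dn.exact="cn=pam-client,ou=servers,dc=example,dc=com" read
    by * none

# Everything else: admins write, authenticated users read, anonymous nothing.
# A genuinely public phone-book subtree would need its own clause, placed
# above this one, with "by anonymous read".
access to *
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

The "Anonymous?" question from the network-security step is answered here by allowing anonymous binds only the `auth` right on userPassword, which is the minimum a simple bind needs.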
Special considerations for single sign-on
• Security of the object class attributes
• NT authentication using iPlanet Directory Server
• PAM authentication via LDAP
• Security of the authentication module

Quick links
• Further readings
• Tools
• Implementations

Further readings
• LDAP Overview by Bruce Greenblatt
• Why LDAP & Security Are Critical to Your Success
• Solaris 8 LDAP Setup and Configuration Guide
• IBM Understanding LDAP
• Securing Netscape Directory Server paper (work in progress)

Tools
• LDAP Browser/Editor
• LDAPMiner
• NetscapeGetACL
• LDAPRootDSE

Implementations
• OpenLDAP
• iPlanet
• Novell eDirectory
• Tivoli (IBM)