
OpenLDAP Directory Administration LDAP Interoperability



  1. OpenLDAP Directory Administration: LDAP Interoperability

  2. Table of Contents
    • Introduction
    • Interoperability or Integration
    • Directory Gateways
    • Cross-Platform Authentication Services
    • Distributed, Multi-vendor Directories
    • Metadirectories
    • Push/Pull Agents for Directory Synchronization


  4. Introduction
    • Why this chapter on interoperability when LDAP is supposed to be a standard protocol?
    • Selling point of LDAP is its potential for consolidating vendor-specific, application-specific directories
    • LDAP “minimizes” interoperability problems
    • Core features of LDAP are standardized, but things such as schemas are not: many common objects can be extended by vendors
    • Protocol can be extended as well
    • For each service that can be consolidated into an LDAP directory, there must be a corresponding client-side application to access the old information in the new directory
    • This chapter: discuss technologies used to solve these problems


  6. Interoperability or Integration?
    • Directory integration means enabling client applications to access data in an LDAP directory
    • Interoperability addresses communication between LDAP servers themselves
    • Blurry distinction when one LDAP server becomes the client of another LDAP server
    • First question should always be: what level of integration or interoperability does your application require?
    • Some common approaches are listed on the next page

  7. Interoperability or Integration? (cont.)


  9. Directory Gateways
    • Gateways have existed for a very long time, e.g. between different email formats, network filesystems, etc.
    • Examples:
      • PADL's ypldapd daemon: in one way, this is actually an LDAP client from the LDAP server's point of view
      • NIS/LDAP gateway shipped with Microsoft “Windows Services for Unix (SFU)”
        • Provides tools for importing data from a NIS domain into Active Directory
    • Main advantage of using a gateway
      • You usually don't have to modify any clients
      • This results in lower cost of administration
    • Disadvantages
      • Additional overhead, clients don't take advantage of LDAP


  11. Cross-Platform Authentication Services
    • Not: interoperability between directory services
    • But: interoperability between a specific directory service and non-native clients
    • e.g.
      • NIS/Active Directory Gateway included in Microsoft's “Services for UNIX”
      • PADL's PAM and NSS LDAP modules
      • Active Directory + Kerberos 5


  13. Distributed, Multi-vendor Directories
    • LDAP servers from various vendors can be linked into a single, logical, distributed directory
    • Why a multi-vendor directory?
      • A single-vendor directory may force you to make decisions that you are uncomfortable with
      • e.g. say a product (calendar server) has only been tested with a particular LDAP server; possible solutions:
        • Abandon calendar server
        • Replace existing directory
        • Install an LDAP server that supports the calendar application and include it as a subtree of your existing directory framework
      • Last option is the only option that makes sense
    • How is this any different from the myriad of application-specific directories in the past?
      • Here: single access protocol for clients & admin tools

  14. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory
    • Working OpenLDAP, naming context dc=plainjoe,dc=org
    • Active Directory, DNS domain ad.plainjoe.org, naming context dc=ad,dc=plainjoe,dc=org
    [Figure: Windows Active Directory (dc=ad,dc=plainjoe,dc=org) holds a reference to ldap://ldap.plainjoe.org/dc=plainjoe,dc=org; OpenLDAP (dc=plainjoe,dc=org) holds a referral to ldap://ldap.plainjoe.org/dc=ad,dc=plainjoe,dc=org]

  15. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory (cont.)
    • We need to add two knowledge references to this system:
      • Point from Active Directory Service to OpenLDAP server
      • Refer client searches from the OpenLDAP server to the Active Directory domain
    • ADSI Edit MMC snap-in required
      • \support\tools on Windows CD

  16. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory (cont.)
    Create referral from AD to OpenLDAP:
    • Must be created inside the cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org container
    • Create a new crossRef object
    • Add a node named OpenLDAP with an nCName attribute with value dc=plainjoe,dc=org, and a dnsRoot attribute with the value ldap.plainjoe.org
    • The corresponding LDIF:

        # crossRef object inside the cn=Partitions,cn=Configuration container named above
        dn: cn=OpenLDAP,cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org
        objectClass: crossRef
        cn: OpenLDAP
        nCName: dc=plainjoe,dc=org
        dnsRoot: ldap.plainjoe.org

    • This instructs the Active Directory server to return a referral of the form ldap://ldap.plainjoe.org/dc=plainjoe,dc=org to clients in response to an LDAP search

  17. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory (cont.)
    Add the corresponding knowledge reference in OpenLDAP:
    • LDIF of the object to add to OpenLDAP:

        dn: dc=ad,dc=plainjoe,dc=org
        objectclass: referral
        objectclass: dcObject
        ref: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org
        dc: ad

    • ldapadd syntax:

        $ ldapadd -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
        >   -H ldap://ldap.plainjoe.org/ -f ad-referral.ldif

    • -w puts the bind password on the command line, where it is visible in the process list and shell history; -W prompts for it instead

  18. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory (cont.)
    Testing Lookups:
    • This search did not follow the referral, so no results are displayed:

        $ ldapsearch -H ldap://ad.plainjoe.org/ -x \
        >   -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
        Referral (10)
        Additional information: 00002028: RefErr: DSID-031005EE,data 0,1 access points
            ref 1: 'ldap.plainjoe.org'
        Referral: ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org

  19. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory (cont.)
    Testing Lookups (cont.):
    • This search follows the referral (-C switch):

        $ ldapsearch -h ad.plainjoe.org -x -C \
        >   -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
        dn: cn=Gerald Carter,ou=people,dc=plainjoe,dc=org
        objectClass: posixAccount
        objectClass: account
        objectClass: sambaAccount
        cn: Gerald Carter
        uidNumber: 780
        uid: jerry
        gidNumber: 100
        homeDirectory: /home/queso/jerry
        loginShell: /bin/bash
        rid: 2560
        acctFlags: [UX ]
        pwdLastSet: 1018451245

  20. Distributed, Multi-vendor Directories (cont.)
    Example: Connecting OpenLDAP to Active Directory (cont.)
    Testing Lookups (cont.):
    • The other way round: search OpenLDAP for data stored in Active Directory
    • By default, Active Directory does not support anonymous searches (apart from its rootDSE), hence we only get a referral (test with & without the -C option):

        $ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
        >   -b "dc=ad,dc=plainjoe,dc=org" -LLL -C "(sAMAccountName=kristi)"
        # refldap://ad.plainjoe.org/CN=Configuration,DC=ad,DC=plainjoe,DC=org

        $ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
        >   -b "dc=ad,dc=plainjoe,dc=org" -LLL "(sAMAccountName=kristi)"
        Referral (10)
        Matched DN: dc=ad,dc=plainjoe,dc=org
        Referral: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub

    • See more info: Single sign-on, Kerberos: Cross-platform authentication services
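As an added illustration of how the two knowledge references above decide what a client gets back (example code, not from the slides or from OpenLDAP itself): referral_for models the subordinate-reference lookup both servers perform, and safe_to_chase is the client-side check a defender wants before letting a tool such as ldapsearch -C follow whatever host a referral names. The KNOWLEDGE_REFS table and host names are constructed from the slides' setup; nothing is looked up live.

```python
from urllib.parse import urlsplit

# Constructed knowledge table mirroring the objects added above.  Per server: (naming context,
# host that serves it); a host equal to the server itself means the context is held locally.
KNOWLEDGE_REFS = {
    "ad.plainjoe.org": [                                   # Active Directory
        ("dc=ad,dc=plainjoe,dc=org", "ad.plainjoe.org"),   # its own domain partition
        ("dc=plainjoe,dc=org", "ldap.plainjoe.org"),       # crossRef object: nCName / dnsRoot
    ],
    "ldap.plainjoe.org": [                                 # OpenLDAP
        ("dc=plainjoe,dc=org", "ldap.plainjoe.org"),       # suffix from slapd.conf
        ("dc=ad,dc=plainjoe,dc=org", "ad.plainjoe.org"),   # referral object with its ref: attribute
    ],
}

def dn_components(dn):
    """Split a DN into normalised RDNs (lower-cased, whitespace around each RDN stripped)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_subordinate(dn, context):
    """True when dn equals `context` or lies below it in the tree."""
    d, c = dn_components(dn), dn_components(context)
    return len(d) >= len(c) and d[-len(c):] == c

def referral_for(server, base_dn):
    """Referral URL that `server` returns for a search based at base_dn, or None when it holds that
    part of the tree itself or knows nothing about it.  The most specific (longest) matching naming
    context wins, which is why AD serves dc=ad,... itself instead of referring it to OpenLDAP."""
    best = None
    for context, host in KNOWLEDGE_REFS.get(server, []):
        if is_subordinate(base_dn, context):
            if best is None or len(dn_components(context)) > len(dn_components(best[0])):
                best = (context, host)
    if best is None or best[1] == server:
        return None
    return f"ldap://{best[1]}/{base_dn}"   # real servers may append a scope, e.g. "??sub"

def safe_to_chase(url, trusted_hosts, require_tls=False):
    """Defender-side check before following a referral: a client that chases automatically
    (ldapsearch -C) opens a connection to whatever host the responding server named."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or (require_tls and parts.scheme != "ldaps"):
        return False
    return (parts.hostname or "").lower() in {h.lower() for h in trusted_hosts}
```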


  22. Metadirectories
    • Term describes any solution that joins distinct, isolated data sources into a single logical volume
    • Popular products on the market:
      • MaXware MetaCenter (http://www.maxware.com/)
      • Siemens DirXmetahub (http://www.siemens.ie/fixedoperators/CarrierNetworks/Meta/dirxmetahub.htm)
      • Sun Microsystems SunONE MetaDirectory (http://wwws.sun.com/software/products/meta_directory/home_meta_dir.html)
      • Novell's eDirectory and DirXML combination (http://www.novell.com/products/edirectory/)
      • Microsoft Metadirectory Services (http://www.microsoft.com/windows2000/technologies/directory/MMS)
    • A metadirectory is any directory service that presents an alternative view of a data source

  23. Metadirectories (cont.)
    OpenLDAP's Proxy Backend
    • Translates a server's schema into a different view, suitable for a particular application
    • No replication or synchronization of data
    • E.g. a client expects a directory to provide an email address using the mail attribute; assume an Active Directory where the Kerberos principal name is username@domain (userPrincipalName). It makes no sense to duplicate this information
    • Requirements:
      • Active Directory domain must be configured for the DNS domain ad.plainjoe.org
      • DNS name ad.plainjoe.org must resolve to the IP address of an Active Directory domain controller for that domain
      • An account named ldap-proxy must be created in AD for use by the proxy server when binding to a Windows DC

  24. Metadirectories (cont.)
    OpenLDAP's Proxy Backend (cont.)
    • Supports updating the target via the proxy, supports ACLs
    • This option is not enabled by default
    • Recompile and create a new database in slapd.conf:

        $ ./configure --enable-ldap --enable-rewrite

        database        ldap
        suffix          ou=windows,dc=plainjoe,dc=org
        uri             ldap://ad.plainjoe.org
        suffixmassage   ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
        binddn          cn=ldap-proxy,cn=users,dc=ad,dc=plainjoe,dc=org
        bindpw          proxy-secret
        map attribute   uid sAMAccountName
        map attribute   cn name
        map attribute   mail userPrincipalName
        map objectclass account user
        map attribute   *

    • bindpw holds the ldap-proxy password in clear text, so slapd.conf must be readable only by the user slapd runs as

  25. Metadirectories (cont.)
    OpenLDAP's Proxy Backend (cont.)
    • See the result: query Active Directory, items provided by the proxy are in italic

        $ ldapsearch -H ldap://ad.plainjoe.org -x \
        >   -D ldap-proxy@ad.plainjoe.org -w proxy-secret \
        >   -b "cn=users,dc=ad,dc=plainjoe,dc=org" -LLL \
        >   "(sAMAccountName=kristi)"
        dn: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
        accountExpires: 9223372036854775807
        badPasswordTime: 0
        badPwdCount: 0
        codePage: 0
        cn: Kristi Carter
        countryCode: 0
        displayName: Kristi Carter
        givenName: Joe
        instanceType: 4
        lastLogoff: 0
        lastLogon: 0
        logonCount: 0
        distinguishedName: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
        objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=plainjoe,DC=org
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: user

  26. Metadirectories (cont.)
    OpenLDAP's Proxy Backend (cont.)
    • (cont.)

        objectGUID:: NDHKI8oYFkqN8da3Gl9a5Q==
        objectSid:: AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA==
        primaryGroupID: 513
        pwdLastSet: 126784120014273696
        name: Kristi Carter
        sAMAccountName: kristi
        sAMAccountType: 805306368
        sn: Carter
        userAccountControl: 66048
        userPrincipalName: kristi@ad.plainjoe.org
        uSNChanged: 2963
        uSNCreated: 2957
        whenChanged: 20021006210839.0Z
        whenChanged: 20021006210637.0Z

  27. Metadirectories (cont.)
    OpenLDAP's Proxy Backend (cont.)
    • Now, we issue a similar query to the proxy server, except we look up a uid rather than an Active Directory sAMAccountName:

        $ ldapsearch -H ldap://ldap.plainjoe.org -x \
        >   -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
        dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: account
        cn: Kristi Carter
        uid: kristi
        mail: kristi@ed.plainjoe.org

    • From the two results, we see that the Active Directory attributes were mapped to the proxy's view as follows:

        objectClass: user                           mapped to   objectClass: account
        name: Kristi Carter                         mapped to   cn: Kristi Carter
        sAMAccountName: kristi                      mapped to   uid: kristi
        userPrincipalName: kristi@ed.plainjoe.org   mapped to   mail: kristi@ed.plainjoe.org

  28. Metadirectories (cont.)
    OpenLDAP's Proxy Backend (cont.)
    • If you remove the directive that filters out all the attributes that aren't explicitly mapped (map attribute *), the response is slightly different:
    • slapd still filters out some attributes because queries are still controlled by the local schema in slapd.conf: unknown attributes are filtered out

        $ ldapsearch -H ldap://ldap.plainjoe.org -x \
        >   -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
        dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
        cn: Kristi Carter
        DisplayName: Kristi Carter
        mail: kristi@ad.plainjoe.org
        givenName: Kristi
        distinguishedName: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: account
        cn: Kristi Carter
        uid: kristi
        sn: Carter
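Added example (not from the slides and not OpenLDAP's own code) that models the back-ldap directives shown above: parse_proxy_conf reads the suffixmassage and map lines, rewrite_filter turns a local filter such as (uid=kristi) into the remote one, and to_local_entry renders the Active Directory entry from the earlier slides the way the proxy presents it, with and without "map attribute *". The AD entry is a constructed subset of the one shown above; that object classes always pass through (renamed) is an assumption drawn from the slide output, not a statement about slapd internals.

```python
import re
# slapd.conf directives from the slides that shape the proxy's view, embedded so this runs offline.
PROXY_CONF = """
suffixmassage ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *
"""
# Constructed subset of the Active Directory entry shown above (what the remote server returns).
AD_DN = "CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org"
AD_ENTRY = {"objectClass": ["top", "person", "organizationalPerson", "user"],
            "cn": ["Kristi Carter"], "name": ["Kristi Carter"], "displayName": ["Kristi Carter"],
            "sn": ["Carter"], "sAMAccountName": ["kristi"], "userPrincipalName": ["kristi@ad.plainjoe.org"]}

def parse_proxy_conf(text):
    """Collect suffixmassage and map directives; 'map attribute *' means hide unmapped attributes."""
    cfg = {"attr": {}, "oc": {}, "massage": None, "drop_unmapped": False}
    for line in text.splitlines():
        t = line.split()
        if len(t) == 3 and t[0] == "suffixmassage":
            cfg["massage"] = (t[1], t[2])                # (local suffix, remote suffix)
        elif t[:3] == ["map", "attribute", "*"]:
            cfg["drop_unmapped"] = True
        elif len(t) == 4 and t[0] == "map":
            cfg["attr" if t[1] == "attribute" else "oc"][t[2]] = t[3]   # local name -> remote name
    return cfg

def rewrite_filter(flt, cfg):
    """Rewrite local attribute names in a filter to remote ones, e.g. (uid=kristi) -> (sAMAccountName=kristi)."""
    fwd = {loc.lower(): rem for loc, rem in cfg["attr"].items()}
    return re.sub(r"\(([^=()<>~]+)(?=[=<>~])", lambda m: "(" + fwd.get(m.group(1).lower(), m.group(1)), flt)

def to_local_entry(dn, attrs, cfg):
    """Present a remote entry as the proxy does: massage the DN, rename mapped attributes and
    object classes, and with "map attribute *" drop everything that was not mapped explicitly."""
    rev_attr = {rem.lower(): loc for loc, rem in cfg["attr"].items()}
    rev_oc = {rem.lower(): loc for loc, rem in cfg["oc"].items()}
    local_sfx, remote_sfx = cfg["massage"]
    if dn.lower().endswith(remote_sfx.lower()):
        dn = dn[:len(dn) - len(remote_sfx)] + local_sfx
    out = {}
    for name, values in attrs.items():
        if name.lower() == "objectclass":            # object classes pass through, renamed via the oc map
            out.setdefault("objectClass", []).extend(rev_oc.get(v.lower(), v) for v in values)
        elif name.lower() in rev_attr:
            out.setdefault(rev_attr[name.lower()], []).extend(values)
        elif not cfg["drop_unmapped"]:
            out.setdefault(name, []).extend(values)
    return dn, {k: list(dict.fromkeys(v)) for k, v in out.items()}
```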


  30. Push/Pull Agents for Directory Synchronization
    • Common tools for synchronizing information between directories
    • A single agent pulls information from one directory service and massages the data to make it acceptable for upload to another directory server
    • Several directory vendors provide synchronization agents (drivers, connectors, ...)
    • Data is often transferred in an XML-based format
    [Figure: Directory A and Directory B, each with its own driver; the connector between the drivers transmits data in a common format, while each directory holds its data in a directory-specific format]

  31. Push/Pull Agents for Directory Synchronization (cont.)
    • A partial list of commercial connector/driver offerings:
      • SunOne's XMLDAP (http://wwws.sun.com/software/products/directory_srvr/)
      • Novell's DirXML (http://www.novell.com/products/edirectory/dirxml/)
    • Commercial vs. in-house
      • Inherent knowledge of when data changes in the directory
      • Homegrown tools can be very useful

  32. Push/Pull Agents for Directory Synchronization (cont.)
    The Directory Services Markup Language
    • XML (Extensible Markup Language) fever has infected LDAP
    • DSML (Directory Services Markup Language) = XML schema for representing LDAP information using document fragments
    • DSML v1.0 is really just an attempt at replacing LDIF
    • DSML v2.0 (May 2002): new and interesting functionality
    • DSML v2.0 is designed to provide methods for representing LDAP queries, updates, and responses in XML
    • This allows e.g. embedded devices to access LDAP data without an LDAP client library, only XML parsing & SOAP
    • No concrete examples yet
    • More info: http://www.oasis-open.org/committees/dsml/
