OpenLDAP Directory Administration: LDAP Interoperability
Table of Contents

• Introduction
• Interoperability or Integration
• Directory Gateways
• Cross-Platform Authentication Services
• Distributed, Multi-vendor Directories
• Metadirectories
• Push/Pull Agents for Directory Synchronization
Introduction

• Why a chapter on interoperability, when LDAP is supposed to be a standard protocol?
• The selling point of LDAP is its potential for consolidating vendor-specific and application-specific directories
• LDAP "minimizes" interoperability problems
• The core features of LDAP are standardized, but things such as schemas are not: many common objects can be extended by vendors
• The protocol can be extended as well
• For each service that is consolidated into an LDAP directory, there must be a corresponding client-side application to access the old information in the new directory
• This chapter discusses the technologies used to solve these problems
Interoperability or Integration?

• Directory integration means enabling client applications to access data in an LDAP directory
• Interoperability addresses communication between LDAP servers themselves
• The distinction blurs when one LDAP server becomes the client of another LDAP server
• The first question should always be: what level of integration or interoperability does your application require?
• Some common approaches are listed on the following slides
Directory Gateways

• Gateways have existed for a very long time, e.g. between different email formats, network filesystems, etc.
• Examples:
  • PADL's ypldapd daemon: from the LDAP server's point of view, this is actually an LDAP client
  • The NIS/LDAP gateway shipped with Microsoft "Windows Services for Unix (SFU)"
    • Provides tools for importing data from a NIS domain into Active Directory
• Main advantage of using a gateway:
  • You usually don't have to modify any clients
  • This results in a lower cost of administration
• Disadvantages:
  • Additional overhead; clients don't take advantage of LDAP
Cross-Platform Authentication Services

• Not interoperability between directory services
• But interoperability between a specific directory service and non-native clients
• E.g.:
  • The NIS/Active Directory gateway included in Microsoft's "Services for UNIX"
  • PADL's PAM and NSS LDAP modules
  • Active Directory + Kerberos 5
Distributed, Multi-vendor Directories

• LDAP servers from various vendors can be linked into a single, logical, distributed directory
• Why a multi-vendor directory?
  • A single-vendor directory may force you to take decisions that you are uncomfortable with
  • E.g. say a product (a calendar server) has only been tested with a particular LDAP server; possible solutions:
    • Abandon the calendar server
    • Replace the existing directory
    • Install the LDAP server that supports the calendar application and include it as a subtree of your existing directory framework
  • The last option is the only one that makes sense
• How is this any different from the myriad of application-specific directories in the past?
  • Here there is a single access protocol for clients and admin tools
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory

• A working OpenLDAP server, naming context dc=plainjoe,dc=org
• An Active Directory domain, DNS domain ad.plainjoe.org, naming context dc=ad,dc=plainjoe,dc=org

[Diagram on the original slide: Windows Active Directory (dc=ad,dc=plainjoe,dc=org) holds a reference to ldap://ldap.plainjoe.org/dc=plainjoe,dc=org; OpenLDAP (dc=plainjoe,dc=org) holds a referral to ldap://ldap.plainjoe.org/dc=ad,dc=plainjoe,dc=org]
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

• We need to add two knowledge references to this system:
  • One pointing from the Active Directory service to the OpenLDAP server
  • One referring client searches from the OpenLDAP server to the Active Directory domain
• The ADSI Edit MMC snap-in is required
  • Found in \support\tools on the Windows CD
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Create the referral from AD to OpenLDAP:

• It must be created inside the cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org container
• Create a new crossRef object
• Add a node named OpenLDAP with an nCName attribute whose value is dc=plainjoe,dc=org, and a dnsRoot attribute whose value is ldap.plainjoe.org
• The corresponding LDIF (the container is cn=Configuration, as stated above; the objectClass line is needed for ldapadd to accept the entry):

    dn: cn=OpenLDAP,cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org
    objectClass: crossRef
    cn: OpenLDAP
    nCName: dc=plainjoe,dc=org
    dnsRoot: ldap.plainjoe.org

• This instructs the Active Directory server to return a referral of the form ldap://ldap.plainjoe.org/dc=plainjoe,dc=org to clients in response to an LDAP search
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Add the corresponding knowledge reference to OpenLDAP:

• LDIF of the object to add to OpenLDAP:

    dn: dc=ad,dc=plainjoe,dc=org
    objectclass: referral
    objectclass: dcObject
    ref: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org
    dc: ad

• ldapadd syntax:

    $ ldapadd -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
    > -H ldap://ldap.plainjoe.org/ -f ad-referral.ldif
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing lookups:

• This search did not follow the referral, so no results are displayed:

    $ ldapsearch -H ldap://ad.plainjoe.org/ -x \
    > -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
    Referral (10)
    Additional information: 00002028: RefErr: DSID-031005EE,data 0,1 access points
            ref 1: 'ldap.plainjoe.org'
    Referral: ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing lookups (cont.):

• This search follows the referral (-C switch):

    $ ldapsearch -H ldap://ad.plainjoe.org/ -x -C \
    > -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
    dn: cn=Gerald Carter,ou=people,dc=plainjoe,dc=org
    objectClass: posixAccount
    objectClass: account
    objectClass: sambaAccount
    cn: Gerald Carter
    uidNumber: 780
    uid: jerry
    gidNumber: 100
    homeDirectory: /home/queso/jerry
    loginShell: /bin/bash
    rid: 2560
    acctFlags: [UX         ]
    pwdLastSet: 1018451245
Distributed, Multi-vendor Directories (cont.)

Example: Connecting OpenLDAP to Active Directory (cont.)

Testing lookups (cont.):

• The other way round: search OpenLDAP for data stored in Active Directory
• By default, Active Directory does not support anonymous searches (apart from its rootDSE), hence we only get a referral (test with and without the -C option):

    $ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
    > -b "dc=ad,dc=plainjoe,dc=org" -LLL -C "(sAMAccountName=kristi)"
    # refldap://ad.plainjoe.org/CN=Configuration,DC=ad,DC=plainjoe,DC=org

    $ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
    > -b "dc=ad,dc=plainjoe,dc=org" -LLL "(sAMAccountName=kristi)"
    Referral (10)
    Matched DN: dc=ad,dc=plainjoe,dc=org
    Referral: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub

• For more information see "Single sign-on, Kerberos: Cross-platform authentication services"
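The referrals returned above are LDAP URLs of the form ldap://host/dn?attributes?scope?filter (RFC 4516). A client that chases them (as ldapsearch -C does) opens a connection to whichever host the referral names, so a practitioner wants to see both how such a URL decomposes and where a chase policy belongs. The following is an added example, not code from the slides or from OpenLDAP; the two referral strings are copied from the slide output, and the trusted-host set is an assumed configuration value.

```python
"""Parse LDAP referral URLs (RFC 4516) and apply a simple chase policy."""
from dataclasses import dataclass, field
from typing import Iterable, List
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap[s]://host[:port]/dn?attrs?scope?filter?exts into its parts."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[scheme]
    base_dn = unquote(parts.path.lstrip("/"))
    # Everything after the first '?' is a '?'-separated list of up to four
    # optional fields; missing fields take the RFC 4516 defaults below.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = (unquote(f) for f in fields[:4])
    return LdapUrl(
        scheme=scheme, host=host, port=port, base_dn=base_dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",
        filter=filt or "(objectClass=*)",
        extensions=[e for e in exts.split(",") if e],
    )


def should_chase(url: LdapUrl, trusted_hosts: Iterable[str], require_tls: bool = False) -> bool:
    """Follow a referral only to a server the deployment already trusts.

    Chasing connects to the host named in the referral, so a client that
    rebinds with credentials should restrict the hosts it is willing to
    talk to (and, optionally, insist on ldaps). Hostnames compare
    case-insensitively.
    """
    if url.host.lower() not in {h.lower() for h in trusted_hosts}:
        return False
    if require_tls and url.scheme != "ldaps":
        return False
    return True


# Referral URLs as printed by ldapsearch on the slides (constructed sample input).
REFERRALS = [
    "ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org",
    "ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub",
]
# Assumed deployment policy: the two servers that make up the example directory.
TRUSTED = {"ldap.plainjoe.org", "ad.plainjoe.org"}


def triage(urls: Iterable[str], trusted: Iterable[str]):
    """Return (url, chase?) pairs for a batch of referrals."""
    return [(u, should_chase(parse_ldap_url(u), trusted)) for u in urls]


if __name__ == "__main__":
    for u in REFERRALS:
        r = parse_ldap_url(u)
        print(f"{r.host}:{r.port} base={r.base_dn} scope={r.scope} "
              f"filter={r.filter} chase={should_chase(r, TRUSTED)}")
```

Note that the second referral carries an explicit scope (??sub) while the first does not; a client that ignores the scope field and reissues its original search parameters can silently query a different part of the tree than the server intended.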
Metadirectories

• The term describes any solution that joins distinct, isolated data sources into a single logical volume
• Popular products on the market:
  • MaXware MetaCenter (http://www.maxware.com/)
  • Siemens DirXmetahub (http://www.siemens.ie/fixedoperators/CarrierNetworks/Meta/dirxmetahub.htm)
  • Sun Microsystems SunONE MetaDirectory (http://wwws.sun.com/software/products/meta_directory/home_meta_dir.html)
  • Novell's eDirectory and DirXML combination (http://www.novell.com/products/edirectory/)
  • Microsoft Metadirectory Services (http://www.microsoft.com/windows2000/technologies/directory/MMS)
• A metadirectory is any directory service that presents an alternative view of a data source
Metadirectories (cont.)

OpenLDAP's Proxy Backend

• Translates a server's schema into a different view, suitable for a particular application
• No replication or synchronization of data
• E.g. a client expects a directory to provide an email address using the mail attribute; assume an Active Directory where the Kerberos principal name is username@domain (userPrincipalName). It makes no sense to duplicate this information
• Requirements:
  • The Active Directory domain must be configured for the DNS domain ad.plainjoe.org
  • The DNS name ad.plainjoe.org must resolve to the IP address of an Active Directory domain controller for that domain
  • An account named ldap-proxy must be created in AD for use by the proxy server when binding to a Windows DC
Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

• Supports updating the target via the proxy, and supports ACLs
• This option is not enabled by default
• Recompile and create a new database in slapd.conf:

    $ ./configure --enable-ldap --enable-rewrite

    database      ldap
    suffix        ou=windows,dc=plainjoe,dc=org
    uri           ldap://ad.plainjoe.org
    suffixmassage ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
    binddn        cn=ldap-proxy,cn=users,dc=ad,dc=plainjoe,dc=org
    bindpw        proxy-secret
    map attribute uid sAMAccountName
    map attribute cn name
    map attribute mail userPrincipalName
    map objectclass account user
    map attribute *
Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

• See the result: first query Active Directory directly (on the original slide, the items the proxy later exposes are set in italic):

    $ ldapsearch -H ldap://ad.plainjoe.org -x \
    > -D ldap-proxy@ad.plainjoe.org -w proxy-secret \
    > -b "cn=users,dc=ad,dc=plainjoe,dc=org" -LLL \
    > "(sAMAccountName=kristi)"
    dn: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
    accountExpires: 9223372036854775807
    badPasswordTime: 0
    badPwdCount: 0
    codePage: 0
    cn: Kristi Carter
    countryCode: 0
    displayName: Kristi Carter
    givenName: Joe
    instanceType: 4
    lastLogoff: 0
    lastLogon: 0
    logonCount: 0
    distinguishedName: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=plainjoe,DC=org
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectGUID:: NDHKI8oYFkqN8da3Gl9a5Q==
    objectSid:: AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA==
    primaryGroupID: 513
    pwdLastSet: 126784120014273696
    name: Kristi Carter
    sAMAccountName: kristi
    sAMAccountType: 805306368
    sn: Carter
    userAccountControl: 66048
    userPrincipalName: kristi@ad.plainjoe.org
    uSNChanged: 2963
    uSNCreated: 2957
    whenChanged: 20021006210839.0Z
    whenChanged: 20021006210637.0Z
Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

• Now we issue a similar query to the proxy server, except we look up a uid rather than an Active Directory sAMAccountName:

    $ ldapsearch -H ldap://ldap.plainjoe.org -x \
    > -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
    dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: account
    cn: Kristi Carter
    uid: kristi
    mail: kristi@ad.plainjoe.org

• From the two results, we see that the Active Directory values were mapped to the local ones as follows:

    Active Directory                          mapped to   proxy view
    objectClass: user                         ->          objectClass: account
    name: Kristi Carter                       ->          cn: Kristi Carter
    sAMAccountName: kristi                    ->          uid: kristi
    userPrincipalName: kristi@ad.plainjoe.org ->          mail: kristi@ad.plainjoe.org
Metadirectories (cont.)

OpenLDAP's Proxy Backend (cont.)

• If you remove the directive that filters out all attributes that aren't explicitly mapped (map attribute *), the response is slightly different:
• slapd still filters out some attributes, because queries are still controlled by the local schema in slapd.conf: unknown attributes are filtered out

    $ ldapsearch -H ldap://ldap.plainjoe.org -x \
    > -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
    dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
    cn: Kristi Carter
    displayName: Kristi Carter
    mail: kristi@ad.plainjoe.org
    givenName: Kristi
    distinguishedName: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: account
    cn: Kristi Carter
    uid: kristi
    sn: Carter
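To make the proxy's behaviour concrete, here is an added model of the three things the slapd.conf above does to an entry on its way through the proxy: suffixmassage rewrites the DN, map attribute / map objectclass rename values, and map attribute * hides everything that was not explicitly mapped. This is example code written for this page, not OpenLDAP's back-ldap implementation; the directives are copied from the slide, the Active Directory entry is a constructed subset of the slide's ldapsearch output, and LOCAL_SCHEMA is an assumed stand-in for "attributes the local slapd schema knows", which decides what survives once map attribute * is removed.

```python
"""Model of back-ldap style DN massage and attribute/objectClass mapping."""
from typing import Dict, List, Tuple

# Directives copied from the slapd.conf on the slide (constructed input).
PROXY_CONF = """
suffixmassage ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *
"""

# Assumption: attribute types the local slapd schema defines. Without
# 'map attribute *' these pass through unchanged; anything else is dropped.
LOCAL_SCHEMA = {"cn", "sn", "givenname", "displayname", "mail", "uid",
                "distinguishedname", "objectclass", "description"}

# Constructed subset of the Active Directory entry shown on the slide.
AD_ENTRY = ("CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org", {
    "cn": ["Kristi Carter"],
    "displayName": ["Kristi Carter"],
    "givenName": ["Kristi"],
    "name": ["Kristi Carter"],
    "sAMAccountName": ["kristi"],
    "sn": ["Carter"],
    "userPrincipalName": ["kristi@ad.plainjoe.org"],
    "objectSid": ["AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA=="],
    "userAccountControl": ["66048"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
})


class ProxyMap:
    def __init__(self, conf: str):
        self.local_suffix = self.remote_suffix = ""
        self.attr_map: Dict[str, str] = {}  # remote attribute (lowercase) -> local name
        self.oc_map: Dict[str, str] = {}    # remote objectClass (lowercase) -> local name
        self.drop_unmapped = False          # set by 'map attribute *'
        for raw in conf.splitlines():
            words = raw.split()
            if not words or words[0].startswith("#"):
                continue
            if words[0] == "suffixmassage":
                self.local_suffix, self.remote_suffix = words[1], words[2]
            elif words[:2] == ["map", "attribute"]:
                if words[2:] == ["*"]:
                    self.drop_unmapped = True
                else:
                    self.attr_map[words[3].lower()] = words[2]
            elif words[:2] == ["map", "objectclass"]:
                self.oc_map[words[3].lower()] = words[2]

    def massage_dn(self, remote_dn: str) -> str:
        """Replace the remote suffix with the local one (DNs compare case-insensitively)."""
        suffix = self.remote_suffix.lower()
        if suffix and remote_dn.lower().endswith(suffix):
            return remote_dn[:len(remote_dn) - len(suffix)] + self.local_suffix
        return remote_dn

    def map_entry(self, remote_dn: str, attrs: Dict[str, List[str]]) -> Tuple[str, Dict[str, List[str]]]:
        """Return the (dn, attributes) a client sees through the proxy."""
        local: Dict[str, List[str]] = {}

        def add(name: str, values: List[str]) -> None:
            bucket = local.setdefault(name, [])
            bucket.extend(v for v in values if v not in bucket)

        for name, values in attrs.items():
            key = name.lower()
            if key == "objectclass":
                add("objectClass", [self.oc_map.get(v.lower(), v) for v in values])
            elif key in self.attr_map:
                add(self.attr_map[key], values)
            elif not self.drop_unmapped and key in LOCAL_SCHEMA:
                add(name, values)
            # Otherwise the attribute is invisible through the proxy.
        return self.massage_dn(remote_dn), local


def to_ldif(dn: str, attrs: Dict[str, List[str]]) -> str:
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ldif(*ProxyMap(PROXY_CONF).map_entry(*AD_ENTRY)))
```

Running the same entry through ProxyMap with the map attribute * line deleted reproduces the second slide: sn, givenName and displayName reappear because the local schema knows them, while objectSid and userAccountControl stay hidden either way. The explicit allow-list behaviour of map attribute * is the setting to prefer when the proxy fronts a directory that carries attributes the consuming application has no business seeing.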
Push/Pull Agents for Directory Synchronization

• Common tools for synchronizing information between directories
• A single agent pulls information from one directory service and massages the data to make it acceptable for upload to another directory server
• Several directory vendors provide synchronization agents (drivers, connectors, ...)
• Data is often transferred in an XML-based format

[Diagram on the original slide: Directory A and Directory B each hold data in their own directory-specific format; a driver on each side talks to a connector, which transmits the data between them in a common format]
Push/Pull Agents for Directory Synchronization (cont.)

• A partial list of commercial connector/driver offerings:
  • SunOne's XMLDAP (http://wwws.sun.com/software/products/directory_srvr/)
  • Novell's DirXML (http://www.novell.com/products/edirectory/dirxml/)
• Commercial vs. in-house:
  • Commercial agents have inherent knowledge of when data changes in the directory
  • Homegrown tools can nevertheless be very useful
Push/Pull Agents for Directory Synchronization (cont.)

The Directory Services Markup Language

• XML (Extensible Markup Language) fever has infected LDAP
• DSML (Directory Services Markup Language) = an XML schema for representing LDAP information using document fragments
• DSML v1.0 is really just an attempt at replacing LDIF
• DSML v2.0 (May 2002) adds new and interesting functionality
• DSML v2.0 is designed to provide methods for representing LDAP queries, updates, and responses in XML
• This allows, e.g., embedded devices to access LDAP data without an LDAP client library, needing only XML parsing and SOAP
• No concrete examples yet
• More info: http://www.oasis-open.org/committees/dsml/
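Since the slide gives no concrete DSML example, here is an added one (written for this page, not taken from the slides, the OASIS committee, or any DSML product) that expresses the earlier (uid=jerry) search as a DSML v2.0 searchRequest and parses a searchResponse back into entries. The element names, attributes and the urn:oasis:names:tc:DSML:2:0:core namespace follow my reading of the DSMLv2 core specification and should be checked against it before being relied on; the response document is constructed from the jerry entry shown earlier on the slides, and no LDAP or SOAP connection is made.

```python
"""Build a DSMLv2 searchRequest and parse a DSMLv2 searchResponse."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Sequence, Tuple

# Assumption: the DSMLv2 core namespace as given in the OASIS specification.
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("dsml", DSML_NS)


def q(tag: str) -> str:
    """Qualify a local element name with the DSML namespace for ElementTree."""
    return f"{{{DSML_NS}}}{tag}"


def build_search_request(base_dn: str, attr: str, value: str,
                         attributes: Sequence[str] = (), scope: str = "wholeSubtree") -> bytes:
    """DSML equivalent of: ldapsearch -b base_dn '(attr=value)' attributes..."""
    batch = ET.Element(q("batchRequest"))
    req = ET.SubElement(batch, q("searchRequest"), dn=base_dn, scope=scope,
                        derefAliases="neverDerefAliases")
    filt = ET.SubElement(req, q("filter"))
    eq = ET.SubElement(filt, q("equalityMatch"), name=attr)
    ET.SubElement(eq, q("value")).text = value  # ET escapes XML metacharacters
    if attributes:
        wanted = ET.SubElement(req, q("attributes"))
        for a in attributes:
            ET.SubElement(wanted, q("attribute"), name=a)
    return ET.tostring(batch, encoding="utf-8", xml_declaration=True)


def describe_search_request(xml_bytes: bytes) -> Dict[str, object]:
    """Read back the LDAP-level parameters encoded in a searchRequest."""
    req = ET.fromstring(xml_bytes).find(q("searchRequest"))
    eq = req.find(f"{q('filter')}/{q('equalityMatch')}")
    return {
        "dn": req.get("dn"),
        "scope": req.get("scope"),
        "filter": f"({eq.get('name')}={eq.find(q('value')).text})",
        "attributes": [a.get("name") for a in req.findall(f"{q('attributes')}/{q('attribute')}")],
    }


Entry = Tuple[str, Dict[str, List[str]]]


def parse_search_response(xml_bytes: bytes) -> Tuple[Optional[int], List[Entry]]:
    """Return (LDAP result code, [(dn, {attr: [values]}), ...]) from a batchResponse."""
    root = ET.fromstring(xml_bytes)
    entries: List[Entry] = []
    result_code: Optional[int] = None
    for resp in root.iter(q("searchResponse")):
        for entry in resp.findall(q("searchResultEntry")):
            attrs: Dict[str, List[str]] = {}
            for attr in entry.findall(q("attr")):
                attrs[attr.get("name")] = [v.text or "" for v in attr.findall(q("value"))]
            entries.append((entry.get("dn"), attrs))
        done = resp.find(q("searchResultDone"))
        if done is not None:
            code = done.find(q("resultCode"))
            result_code = int(code.get("code", "0")) if code is not None else 0
    return result_code, entries


# Constructed response carrying the jerry entry from the earlier ldapsearch output.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<batchResponse xmlns="{DSML_NS}">
  <searchResponse>
    <searchResultEntry dn="cn=Gerald Carter,ou=people,dc=plainjoe,dc=org">
      <attr name="objectClass"><value>posixAccount</value><value>account</value></attr>
      <attr name="uid"><value>jerry</value></attr>
      <attr name="uidNumber"><value>780</value></attr>
      <attr name="homeDirectory"><value>/home/queso/jerry</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
</batchResponse>
"""

if __name__ == "__main__":
    print(build_search_request("ou=people,dc=plainjoe,dc=org", "uid", "jerry", ["cn", "uid"]).decode())
    print(parse_search_response(SAMPLE_RESPONSE.encode()))
```

Because the filter value is placed as element text rather than spliced into a string, a value such as jerry)(uid=* cannot change the shape of the request; a DSML gateway that builds filters by string concatenation would need its own escaping. On the parsing side, check the resultCode before trusting the entry list, since a searchResponse may legitimately carry zero entries with a non-zero code.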