Learn about the technical implementation of enterprise features and challenges faced in directory services for large enterprises through an HP example from 2003. Explore the benefits, challenges, and the progress made in using OpenLDAP for mission-critical directory services at HP.
OpenLDAP Enterprise Features
Bruce Huang (bruce.huang@hp.com)
Tommy Yan (tommy.yan@hp.com)
HP Open Source and Linux Organization
Agenda
• 2 non-native English speakers
• Directory services in large enterprises: challenges and progress
• Technical implementation of some enterprise features
Directories in a large enterprise: an HP example back to 2003
(Sites on the slide's world map: Boeblingen, Boise, Sunnyvale, Grenoble, Atlanta, Houston, Singapore)
• Mission-critical repository used by 1500+ applications in HP
• Approximately 50 million+ operations/day
• Resolves every @hp.com mail address
• Authorizes every HP inline login
• Hardware: approximately 30 servers worldwide
• Software: Sun ONE Directory Server 5.x
Directories in a large enterprise: an HP example back to 2003 (cont.)
Directory tree:
• Directory root: o=hp.com
• People (employees/contingents: HR data, email, NT, certs, etc.): ou=People
• Groups (news/mail/security group owners, members, description, etc.): ou=Groups
• Servers (used to store server certificates): ou=Servers
• Locations (HP real estate, address, lat/long, time zone, etc.): ou=Locations
• Organizations (HP organizations, name, address, contact, etc.): ou=Organizations
• Business Partners: ou=Partners
• …
What are the challenges in this model?
• Cost: per-entry pricing model. (An entry is defined as a single Distinguished Name (DN) and its contained attributes; 1 employee takes 1 entry, 1 server takes 1 entry, for example.)
• Lock-in: vendors don't want to modify the existing product to meet our technical requirements, but want us to buy more products.
Why OpenLDAP was considered the solution
• Cost: Symas per-server/enterprise license model
• Freedom: having the source code
• Support: IT has the resources and capability to support it (OSMS, Symas)
• Standard, not proprietary: why not enhance the applications?
OpenLDAP's challenges and progress
• General enterprise-grade robustness:
  • Solid Berkeley DB support
  • Audit capability
  • Reconfiguring must be available on-the-fly as much as possible
  • Reliable replication strategy
• Password policy: a security policy for passwords (e.g., must not be a dictionary word, must be over 6 characters, and so on). Overlay by Neil Dunbar (HP) and Howard Chu (Symas).
OpenLDAP's challenges and progress (cont.)
• Data constraint: for instance, a telephone number could be forced to follow ITU standard representation rules. Overlay by Neil Dunbar (HP).
• Translucency: store department-specific attributes for its employees in a local directory, for extension and speed. Overlay by Symas, sponsored by HP.
• Group policy: much of HP's authorization data resides in the notion of groups: groups of employees, groups of assets, groups of business partners, and so forth. However, the LDAP/X.500 model does not really impose any notion of what groups mean. Overlay by Symas.
What is the current status
• HP completed migrating the Enterprise Directory to OpenLDAP on Linux in 2006.
• HP is completely unchained from the per-entry licensing model.
• The directory enterprise requirements above are met.
• Source code is contributed upstream to the OpenLDAP community.
OpenLDAP working model
• The slapd frontend receives an LDAP request
• The slapd frontend passes the request to the backend
• The backend calls frontend functions to send the results to the client
OpenLDAP Overlays
• Overlays: modules working between frontend and backend
  • introduced in OpenLDAP 2.2
  • change the behavior of backends without changing backend code
  • process incoming requests before the backend
  • process outgoing results before the frontend
• Processing steps
  • The frontend passes requests to the first overlay
  • Each overlay forwards requests to the next overlay until they reach the real backend
  • The backend's results pass back through the overlay chain until they are sent to the client
Create your own overlay
    // hello.c: minimal overlay skeleton (handler bodies elided on the slide)
    #include "portable.h"
    #include "slap.h"

    static slap_overinst hello_ovl;

    /* The handlers are assigned in init_module() before they are defined,
       so C needs their prototypes first. */
    static int hello_add(Operation *op, SlapReply *rs);
    static int hello_modify(Operation *op, SlapReply *rs);
    static int hello_close(BackendDB *be, ConfigReply *cr);  /* 2.4 signature; 2.3 takes only the BackendDB */

    int init_module(int argc, char *argv[])
    {
        hello_ovl.on_bi.bi_type = "hello";            /* selected by "overlay hello" in slapd.conf */
        hello_ovl.on_bi.bi_op_add = hello_add;        /* runs before the backend handles an add */
        hello_ovl.on_bi.bi_op_modify = hello_modify;  /* runs before the backend handles a modify */
        hello_ovl.on_bi.bi_db_close = hello_close;    /* runs when the database is closed */
        return overlay_register(&hello_ovl);
    }

    static int hello_add(Operation *op, SlapReply *rs) {…}
    static int hello_modify(Operation *op, SlapReply *rs) {…}
    …
Password Policy
• Provides password control mechanisms, like password aging, password reuse, mandatory password resets and so on.
• Define multiple password policies by using the 'pwdPolicy' object class.
• Apply specific password policies to entries.
• Configuration directives:
  • moduleload ppolicy.la
  • overlay ppolicy
  • ppolicy_default <defaultDN>
• More explanation in the Linux man page (slapo-ppolicy)
Password Policy (cont.)
Example: create two different password policies and apply them to entries.
• Load and configure the overlay in slapd.conf:
    …
    moduleload ppolicy.la
    overlay ppolicy
    ppolicy_default cn=default,ou=policy,dc=hp,dc=com
    …
Password Policy (cont.)
• Add two policy entries
• policy.ldif:
    dn: cn=default,ou=policy,dc=hp,dc=com
    objectClass: pwdPolicy
    objectClass: device
    cn: default
    pwdAttribute: userPassword
    pwdCheckQuality: 2
    pwdMinLength: 5
    pwdMaxAge: 2592000

    dn: cn=strong,ou=policy,dc=hp,dc=com
    objectClass: pwdPolicy
    objectClass: device
    cn: strong
    pwdAttribute: userPassword
    pwdCheckQuality: 2
    pwdMinLength: 8
    pwdMaxAge: 1296000
Password Policy (cont.)
• Set the pwdPolicySubentry attribute in a DN
• bruce.ldif:
    dn: uid=bruce,dc=osms,dc=hp,dc=com
    objectClass: inetOrgPerson
    uid: bruce
    mail: bruce.huang@hp.com
    sn: huang
    employeeNumber: 111111
    cn: Bruce Huang
    pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com
Password Policy (cont.)
• Verify that the overlay works by running 'ldappasswd' to change the password of 'uid=bruce,dc=osms,dc=hp,dc=com' to a password shorter than 8 characters:
    Result: Constraint violation (19)
    Additional info: Password fails quality checking policy
• Note: the bind DN used to change the password must not be the rootdn.
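To show what the ppolicy overlay does with the two policy entries above, here is an added Python model (example code, not part of the slides and not OpenLDAP's own implementation). It reads the policy and user entries from constructed LDIF, resolves which policy governs a user (its pwdPolicySubentry, else the ppolicy_default DN), and returns the result code for a password change plus a pwdMaxAge expiry check. The rootdn value, the second user and all helper names are assumptions made for the example.

```python
"""Model of the checks slapo-ppolicy performs on a password change.

Added example, not OpenLDAP code. Only pwdMinLength, pwdMaxAge and the
rootdn exemption are modelled; helper names are made up.
"""
import re
from datetime import datetime, timedelta

SUCCESS = 0
CONSTRAINT_VIOLATION = 19          # result code shown on the slides

PPOLICY_DEFAULT = "cn=default,ou=policy,dc=hp,dc=com"   # the ppolicy_default directive
ROOTDN = "cn=Manager,dc=hp,dc=com"                      # constructed rootdn for this example

# Constructed LDIF mirroring policy.ldif and bruce.ldif from the slides,
# plus a second user with no pwdPolicySubentry, who therefore gets the default.
SAMPLE_LDIF = """\
dn: cn=default,ou=policy,dc=hp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 5
pwdMaxAge: 2592000

dn: cn=strong,ou=policy,dc=hp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: strong
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 1296000

dn: uid=bruce,dc=osms,dc=hp,dc=com
objectClass: inetOrgPerson
uid: bruce
cn: Bruce Huang
pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com

dn: uid=tommy,dc=osms,dc=hp,dc=com
objectClass: inetOrgPerson
uid: tommy
cn: Tommy Yan
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines.
    Returns {dn: {attr_lowercase: [values]}}. Base64 (::) values and line
    continuations are not handled; the sample above does not use them."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


DIRECTORY = parse_ldif(SAMPLE_LDIF)


def policy_for(entry_dn):
    """The entry's own pwdPolicySubentry wins; otherwise the default policy applies."""
    return DIRECTORY[entry_dn].get("pwdpolicysubentry", [PPOLICY_DEFAULT])[0]


def check_new_password(entry_dn, new_password, bind_dn):
    """Return (result_code, diagnostic) for changing entry_dn's password while bound as bind_dn."""
    if bind_dn == ROOTDN:
        # Policies are not enforced on the rootdn, which is why the slide says
        # the verification must not bind as rootdn.
        return SUCCESS, ""
    policy = DIRECTORY[policy_for(entry_dn)]
    min_len = int(policy.get("pwdminlength", ["0"])[0])
    if len(new_password) < min_len:
        return CONSTRAINT_VIOLATION, "Password fails quality checking policy"
    return SUCCESS, ""


def password_expired(entry_dn, changed_at, now):
    """pwdMaxAge is the password lifetime in seconds from pwdChangedTime; 0 means never."""
    policy = DIRECTORY[policy_for(entry_dn)]
    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    return max_age != 0 and now >= changed_at + timedelta(seconds=max_age)


if __name__ == "__main__":
    bruce = "uid=bruce,dc=osms,dc=hp,dc=com"
    print(check_new_password(bruce, "seven77", bruce))      # 7 chars under the strong policy
    print(password_expired(bruce, datetime(2024, 1, 1), datetime(2024, 1, 17)))
```

Bruce, bound to the strong policy, is refused a 7-character password and his password expires after 15 days (1296000 s); Tommy, who has no pwdPolicySubentry, falls under the default policy with a 5-character minimum and a 30-day lifetime.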
Constraint
• Contributed by HP
• Constrains the values of attributes by character set or regular expression
• Triggered by LDAP add and modify operations
• Configuration directives:
  • constraint_attribute <attribute> <constraint> <constraint_value>
  • Possible values of <constraint>: charset, regex
Constraint (cont.)
• Example: constrain employeeNumber to 6 digits and cn to letters only
• Load and configure the overlay in slapd.conf:
    …
    moduleload constraint.la
    overlay constraint
    constraint_attribute employeeNumber regex ^[0-9]{6}$
    constraint_attribute cn regex ^[a-zA-Z]*$
    …
Constraint (cont.)
• Verify it by running 'ldapmodify' to change the employeeNumber attribute of 'uid=bruce,ou=people,dc=hp,dc=com' to a number with 5 digits:
• modify.ldif:
    dn: uid=bruce,ou=people,dc=hp,dc=com
    changetype: modify
    replace: employeeNumber
    employeeNumber: 12345
• Result:
    ldap_modify: Constraint violation (19)
    additional info: modify breaks regular expression constraint on employeeNumber
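The following added Python model (example code, not from the slides or from OpenLDAP) applies the slide's constraint_attribute rules to an add or modify request and produces the same result code and diagnostic the overlay reports. It goes one step beyond the slide by also handling the charset keyword, which is interpreted here as "every character must come from the given set"; that interpretation, the telephoneNumber rule and all helper names are assumptions.

```python
"""Model of slapo-constraint: reject an add or modify whose attribute values
break a configured constraint. Added example, not OpenLDAP code."""
import re

SUCCESS = 0
CONSTRAINT_VIOLATION = 19

# Constructed slapd.conf fragment: the two rules from the slide plus one
# charset rule (assumed syntax) to exercise the second constraint kind.
SLAPD_CONF = """\
moduleload constraint.la
overlay constraint
constraint_attribute employeeNumber regex ^[0-9]{6}$
constraint_attribute cn regex ^[a-zA-Z]*$
constraint_attribute telephoneNumber charset +0123456789
"""


def load_constraints(conf):
    """Collect constraint_attribute directives as {attr_lowercase: [(kind, spec)]}."""
    rules = {}
    for line in conf.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "constraint_attribute":
            _, attr, kind, spec = parts
            rules.setdefault(attr.lower(), []).append((kind, spec))
    return rules


RULES = load_constraints(SLAPD_CONF)


def value_ok(kind, spec, value):
    """True when a single value satisfies a single constraint."""
    if kind == "regex":
        # The overlay matches with POSIX regexec(), an unanchored search like
        # re.search(); that is why the slide's patterns anchor themselves with ^ and $.
        return re.search(spec, value) is not None
    if kind == "charset":
        # Assumed meaning of charset: every character must appear in spec.
        return all(ch in spec for ch in value)
    raise ValueError("unknown constraint kind: " + kind)


def check_request(op, attrs):
    """attrs maps attribute -> new values (an add's attributes, or the replacement
    values of a modify). Returns (0, "") or (19, diagnostic) as the overlay would."""
    for attr, values in attrs.items():
        for kind, spec in RULES.get(attr.lower(), []):
            for value in values:
                if not value_ok(kind, spec, value):
                    what = "regular expression" if kind == "regex" else "character set"
                    return CONSTRAINT_VIOLATION, f"{op} breaks {what} constraint on {attr}"
    return SUCCESS, ""


if __name__ == "__main__":
    # The slide's modify.ldif: replace employeeNumber with a 5-digit value.
    print(check_request("modify", {"employeeNumber": ["12345"]}))
    print(check_request("add", {"cn": ["Bruce Huang"]}))
```

One caveat the model makes visible: the slide's cn rule `^[a-zA-Z]*$` admits only unbroken runs of ASCII letters, so the cn value "Bruce Huang" from bruce.ldif (a space between the names) would be rejected by it; a production pattern has to allow the characters real names contain.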
More information on overlays
• OpenLDAP admin guide: http://www.openldap.org/doc/admin24/
• Linux man pages
• OpenLDAP source code
Resources, Thanks and Questions
• http://www.openldap.org/conf/odd-sandiego-2004/Neil.pdf (special thanks to Neil Dunbar and Kartik Subbarao from the HP directories team)
• www.hp.com/go/osms
• www.symas.com/
Appendix: Attribute Uniqueness
• Enforces the uniqueness of one or more attributes in a subtree
• Triggered by the operations add, modify and modrdn
• Configuration options:
  • unique_base <basedn>
  • unique_ignore <attribute…>
  • unique_attributes <attribute…>
  • …
Attribute Uniqueness (cont.)
• Example: enforce the uniqueness of uid and mail for all DNs
    moduleload unique.la
    overlay unique
    unique_base dc=hp,dc=com
    unique_ignore objectClass dc ou o cn
    unique_attributes uid mail
• Adding an entry whose uid or mail already exists:
    dn: uid=bruce,ou=people,dc=hp,dc=com
    objectClass: inetOrgPerson
    uid: bruce
    sn: Huang
    cn: Bruce
    mail: bruce.huang@hp.com
• Error message:
    Constraint violation (19)
    additional info: some attributes not unique
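An added Python model of the unique overlay's add check (example code, not from the slides or from OpenLDAP) using the directives above: an add is refused when a checked attribute value already exists on another entry under unique_base. With unique_attributes given, only those attributes are compared; the unique_ignore branch is kept for the case where unique_attributes is absent. The directory contents and helper names are constructed for the example.

```python
"""Model of slapo-unique: refuse an add whose uid or mail already exists in
the subtree under unique_base. Added example, not OpenLDAP code."""

SUCCESS = 0
CONSTRAINT_VIOLATION = 19

# The directives from the slide.
UNIQUE_CONF = """\
moduleload unique.la
overlay unique
unique_base dc=hp,dc=com
unique_ignore objectClass dc ou o cn
unique_attributes uid mail
"""


def load_unique_config(conf):
    """Read unique_base, unique_ignore and unique_attributes; names are lower-cased."""
    cfg = {"base": "", "ignore": set(), "attributes": set()}
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "unique_base":
            cfg["base"] = parts[1].lower()
        elif parts[0] == "unique_ignore":
            cfg["ignore"].update(p.lower() for p in parts[1:])
        elif parts[0] == "unique_attributes":
            cfg["attributes"].update(p.lower() for p in parts[1:])
    return cfg


CFG = load_unique_config(UNIQUE_CONF)

# Constructed directory content: attribute names lower-cased, values as listed.
DIRECTORY = {
    "uid=bruce,ou=people,dc=hp,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["bruce"], "sn": ["Huang"],
        "cn": ["Bruce"], "mail": ["bruce.huang@hp.com"],
    },
    "uid=tommy,ou=people,dc=hp,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["tommy"], "sn": ["Yan"],
        "cn": ["Tommy"], "mail": ["tommy.yan@hp.com"],
    },
}


def in_subtree(dn, base):
    dn = dn.lower()
    return dn == base or dn.endswith("," + base)


def attributes_to_check(attrs):
    """unique_attributes restricts the check; otherwise everything not ignored is checked."""
    names = {a.lower() for a in attrs}
    if CFG["attributes"]:
        return names & CFG["attributes"]
    return names - CFG["ignore"]


def check_add(directory, dn, attrs):
    """Return (0, "") or (19, "some attributes not unique") for adding dn with attrs."""
    if not in_subtree(dn, CFG["base"]):
        return SUCCESS, ""               # the overlay only watches its base
    lowered = {a.lower(): [v.lower() for v in vals] for a, vals in attrs.items()}
    for attr in attributes_to_check(attrs):
        wanted = set(lowered[attr])      # uid and mail compare case-insensitively
        for other_dn, other in directory.items():
            if other_dn.lower() == dn.lower() or not in_subtree(other_dn, CFG["base"]):
                continue
            if wanted & {v.lower() for v in other.get(attr, [])}:
                return CONSTRAINT_VIOLATION, "some attributes not unique"
    return SUCCESS, ""


if __name__ == "__main__":
    dup = {"objectClass": ["inetOrgPerson"], "uid": ["bruce2"], "sn": ["Huang"],
           "cn": ["Bruce"], "mail": ["bruce.huang@hp.com"]}
    print(check_add(DIRECTORY, "uid=bruce2,ou=people,dc=hp,dc=com", dup))
```

A second entry reusing bruce.huang@hp.com is refused even though its uid differs, while a duplicate cn passes because cn is neither in unique_attributes nor outside unique_ignore; an entry outside dc=hp,dc=com is never examined.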
Translucency
• Enables a translucent proxy
• A remote LDAP server and a local database are required
• Entries from the remote server may be overridden (at attribute level) by entries in the local database
• Configuration options:
  • translucent_strict
  • translucent_no_glue
Referential Integrity
• Maintains the cohesiveness of a schema with reference attributes
• Triggered by the operations modrdn and delete
• Configuration options:
  • refint_attributes <attribute…>
  • refint_nothing <string>
  • Refer to the Linux man page (slapo-refint)
Referential Integrity (cont.)
• Example: remove Jason and have Tommy as his replacement
  • Delete "uid=zjason,ou=people,dc=hp,dc=com"
  • The manager attribute in "uid=hbruce,ou=people,dc=hp,dc=com" and "uid=ytommy,ou=people,dc=hp,dc=com" is set to "uid=ytommy,ou=people,dc=hp,dc=com" automatically.
    moduleload refint.la
    overlay refint
    refint_attributes manager
    refint_nothing uid=ytommy,ou=people,dc=hp,dc=com
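The delete described above, carried through in an added Python model of the refint overlay (example code, not from the slides or from OpenLDAP). It also covers the other trigger the previous slide names, modrdn, where references are rewritten to the new DN. Per the slapo-refint man page, a delete removes the dangling value and refint_nothing is substituted only when the attribute would otherwise become empty; since manager is single-valued on the slide, that is exactly the substitution shown. The directory contents and helper names are constructed.

```python
"""Model of slapo-refint: keep reference attributes consistent across delete
and modrdn. Added example, not OpenLDAP code."""

# The directives from the slide.
REFINT_CONF = """\
moduleload refint.la
overlay refint
refint_attributes manager
refint_nothing uid=ytommy,ou=people,dc=hp,dc=com
"""


def load_refint_config(conf):
    """Read refint_attributes (lower-cased names) and the refint_nothing placeholder."""
    cfg = {"attributes": set(), "nothing": None}
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        if parts[0] == "refint_attributes":
            cfg["attributes"].update(a.lower() for a in parts[1].split())
        elif parts[0] == "refint_nothing":
            cfg["nothing"] = parts[1].strip()
    return cfg


CFG = load_refint_config(REFINT_CONF)

JASON = "uid=zjason,ou=people,dc=hp,dc=com"
BRUCE = "uid=hbruce,ou=people,dc=hp,dc=com"
TOMMY = "uid=ytommy,ou=people,dc=hp,dc=com"


def sample_directory():
    """Constructed entries: Jason manages both Bruce and Tommy."""
    return {
        JASON: {"uid": ["zjason"]},
        BRUCE: {"uid": ["hbruce"], "manager": [JASON]},
        TOMMY: {"uid": ["ytommy"], "manager": [JASON]},
    }


def _rewrite_references(directory, old_dn, new_dn):
    """Replace old_dn in every refint attribute of every entry.
    new_dn None means the referenced entry is gone: drop the value and, if the
    attribute would become empty, put refint_nothing in its place."""
    for entry in directory.values():
        for attr in CFG["attributes"]:
            values = entry.get(attr)
            if values is None:
                continue
            kept = [v for v in values if v.lower() != old_dn.lower()]
            if len(kept) != len(values):            # this entry referenced old_dn
                if new_dn is not None:
                    kept.append(new_dn)
                elif not kept and CFG["nothing"]:
                    kept.append(CFG["nothing"])
            entry[attr] = kept


def delete_entry(directory, dn):
    """LDAP delete: remove the entry, then fix everything that pointed at it."""
    del directory[dn]
    _rewrite_references(directory, dn, None)
    return directory


def rename_entry(directory, old_dn, new_dn):
    """LDAP modrdn: move the entry, then repoint references to the new DN."""
    directory[new_dn] = directory.pop(old_dn)
    _rewrite_references(directory, old_dn, new_dn)
    return directory


if __name__ == "__main__":
    d = delete_entry(sample_directory(), JASON)
    print(d[BRUCE]["manager"], d[TOMMY]["manager"])
```

After the delete both remaining entries carry manager: uid=ytommy,ou=people,dc=hp,dc=com, including Tommy's own entry, which is the outcome the slide states; a rename instead of a delete leaves the manager references pointing at the renamed DN.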