The Directory


 A distributed database
Distributed maintenance
Purpose of a Directory
A directory is a way to store data in an
 organized way for easy access
Primary operation on a directory is
 LOOKUP
This means that a directory is optimized for
 reading rather than for creation or update
  Note the distinction from a database
Why a directory?
 Tracking users' software configuration preferences in a directory can give
  them the mobility they need to work from any location. Rather than being
  stored in a local registry or preferences file, accessible only from a single
  computer, this information can essentially travel around the network with the
  user.
 Tracking access privileges in a directory enables network administrators to
  keep users out of parts of the network that are off limits to them. Storing
  access control rights in the directory enables multiple applications to have easy
  access to the same security settings.
 Centralizing user account and password information can minimize password
  management and disparate sign-ons across applications.
 Managing Web site configuration information in a centralized directory
  makes site administration simpler. One configuration change in the directory
  can easily be applied to all the servers at the site.
 LDAP has the potential to do for directories what HTTP and HTML
  did for documents

                            Ref: http://developer.netscape.com/viewsource/rose_ldap.html
Four ways to describe a directory
 Informational Model
   what does the directory hold?
   How are the entries related?
 Functional Model
   How does it operate?
   What services are available to serve a user?
 Organizational Model
   Who owns it and how do they manage it?
 Security Model
   What authorization and authentication?
Information Stored in the Directory Information Base (DIB)
 composed of entries
    information about one object
     person
     printer
     company
     state or province
     an application entity
    … or anything else
 Entry composed of attributes
    consists of a type and one or more values
Object Classes
 Object class = identified family of objects
    Some common set of characteristics
    ex. person is an object class
      o common attributes
           commonName, surname
      o optional attributes
           description, telephoneNumber, userPassword, seeAlso
    Subclass
      o organizationalPerson
             subclass of person
             must have all the required attributes
             may have the optional attributes
             may have additional attributes
                • ex. title, organizationalUnitName, etc.
Structure of the DIB
 Tree like
 Entries form the vertices of the tree
 Arcs define the relation between entries
 Distinguished name (DN)
    Uniquely and unambiguously identifies each entry
    Constructed from the identities of ancestors in the tree
    specially designated set of attribute values from the entry
Entry components
[Diagram: an entry is made up of attributes; each attribute has a type and one or more values, and one attribute value is designated the distinguished value.]
An example entry

  Attribute   Surname           Cassel, Riley
  Attribute   commonName        L. N. Cassel, Lillian N. Cassel, Boots
  Attribute   telephoneNumber   +1 610 555 1234
  Attribute   objectclass       person

  One attribute/value pair is the Relative Distinguished Name for the entry.
  Surname Cassel, for example, would identify this entry.
  Objectclass is the type of the entry as a whole. It tells the directory what
  kinds of information can or should be included in the entry.
[Diagram: a portion of the standard Directory Information Tree. Root at the top; Country, Organization and Locality beneath it; below those, resPerson, grp, ou, org and locality entries, with org also appearing beneath locality.]
Sample section of a DIT

  Root
    C=US
      L=PA
        Org=VU
          OU=Computing Sciences
            L=Mendel Hall
              grp=Faculty
                CN=Lillian N. Cassel   PN=+1 610 555 1234   L=162A Mendel Hall   (an entry with 3 attributes)
              grp=equipment
                CN=m163ps              Desc=PostScript Printer   L=163 Mendel
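The following is an added example, not part of the original slides: it builds the distinguished names of the two leaf entries in the sample DIT above by walking up through their ancestors, using the LDAP string form of RFC 4514 (leaf RDN first, comma separated, special characters backslash-escaped). The attribute labels (C, L, Org, OU, grp, CN) are taken from the slide; the Entry class and build_sample_dit are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
SPECIAL = set(',+"\\<>;')   # characters RFC 4514 requires to be backslash-escaped

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for the string form of an RDN (RFC 4514 rules)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")   # a leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")   # a leading '#' would otherwise mean a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)

@dataclass
class Entry:
    rdn_type: str                       # attribute type chosen as the RDN
    rdn_value: str                      # its distinguished value
    parent: Optional["Entry"] = None    # None means the parent is the root

    def rdn(self) -> str:
        return f"{self.rdn_type}={escape_rdn_value(self.rdn_value)}"

    def dn(self) -> str:
        """The DN is this entry's RDN followed by the RDNs of its ancestors, leaf first."""
        parts, node = [], self
        while node is not None:
            parts.append(node.rdn())
            node = node.parent
        return ",".join(parts)

def build_sample_dit() -> dict:
    """Constructed copy of the sample DIT from the slide; returns its two leaf entries."""
    us = Entry("C", "US")
    pa = Entry("L", "PA", us)
    vu = Entry("Org", "VU", pa)
    cs = Entry("OU", "Computing Sciences", vu)
    mendel = Entry("L", "Mendel Hall", cs)
    faculty = Entry("grp", "Faculty", mendel)
    equipment = Entry("grp", "equipment", mendel)
    cassel = Entry("CN", "Lillian N. Cassel", faculty)
    printer = Entry("CN", "m163ps", equipment)
    return {"cassel": cassel, "printer": printer}
```

The escaping matters for directory security: a value such as "Cassel, Lillian" must not be allowed to split into an extra RDN when it is written into a DN.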
The Directory Schema
 Rules governing:
   the attribute types allowed for each class of object
   the form of values for each attribute type
   which class of object can be a child entry of a given class of object
The Directory Service
 Operations to interrogate and modify the content of the Directory
 Control access to DIT entries
 Ensure that any changes continue to obey the rules of the schema
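The following is an added example, not from the original slides: a minimal schema check of the kind the Directory Service must perform before accepting a change. The object classes and their required/optional attributes follow the person and organizationalPerson example given earlier in the deck; the SCHEMA table layout, check_entry and apply_modification are constructed for illustration.

```python
# Constructed schema: MUST/MAY attributes per class, with single inheritance.
SCHEMA = {
    "person": {
        "superior": None,
        "must": {"commonName", "surname"},
        "may": {"description", "telephoneNumber", "userPassword", "seeAlso"},
    },
    "organizationalPerson": {
        "superior": "person",          # inherits all required and optional attributes
        "must": set(),
        "may": {"title", "organizationalUnitName"},
    },
}

def effective_rules(object_class: str) -> tuple:
    """Collect MUST and MAY attributes up the subclass chain."""
    must, may = set(), set()
    oc = object_class
    while oc is not None:
        spec = SCHEMA[oc]
        must |= spec["must"]
        may |= spec["may"]
        oc = spec["superior"]
    return must, may

def check_entry(entry: dict) -> list:
    """Return the schema violations for an entry; an empty list means it conforms."""
    oc = entry.get("objectclass")
    if oc not in SCHEMA:
        return [f"unknown object class: {oc!r}"]
    must, may = effective_rules(oc)
    present = {k for k, v in entry.items() if k != "objectclass" and v}
    errors = [f"missing required attribute {a}" for a in sorted(must - present)]
    errors += [f"attribute {a} not allowed by {oc}" for a in sorted(present - must - may)]
    return errors

def apply_modification(entry: dict, changes: dict) -> dict:
    """Apply changes (a value of None deletes the attribute) only if the result obeys the schema."""
    candidate = {k: v for k, v in {**entry, **changes}.items() if v is not None}
    errors = check_entry(candidate)
    if errors:
        raise ValueError("modification rejected: " + "; ".join(errors))
    return candidate
```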
Functional Model players
Directory User Agent (DUA)
  participates in the Directory protocol on behalf
   of a user
Directory Service Agent (DSA)
  responds to requests for information from the
   directory
  requests come from DUAs or other DSAs
Functional Model
 Describes the Directory in terms of operations
  performed by a DUA and one or more DSAs
  serving the request of the DUA.
 DUA gains access
    binds to an access point represented by a particular
     DSA
    DSA has direct access to a portion of the Directory (the
     data)
    DSA has knowledge about the rest of the Directory
      o can get information it does not have
DSA - DUA interaction
[Diagram: one DUA bound to a DSA, which exchanges requests with several other DSAs.]
The user sees the directory as one collection accessible through one interface. Directory servers interact with each other to provide the response.
X.500 and LDAP
X.500 is the ITU specification of a global
 directory intended to run over a full ISO
 protocol stack
LDAP is a lightweight version of X.500 that
 runs directly over TCP/IP
LDAP was originally intended as a frontend
 to the X.500 Directory, but now runs
 standalone as well.
Security Model
Authorization given to
  subtree
  entry
  attribute type
Authorization allowed by
  individual
  groups
  owner
Access
Give authority to
  Owner – to update phone number, address, etc.
  Project managers – to update project
   information
  Department to update goal statements
  etc.
Security issues
 Authentication
    Who are you and how do I know that?
 Confidentiality
    Who is entitled to this unit of information?
 Integrity
    Is the data uncorrupted?
 Authorization
    You are entitled to authorize some resources, but not
     others.
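The following is an added example, not from the original slides: an access decision routine that scopes rights the way the Security Model slide lists them (subtree, entry, attribute type) and grants them to an individual, a group, or the entry's owner, with the sample policy mirroring the Access slide (owner updates phone and address, project managers update project information). The DN strings, group membership, rule format and attribute names are constructed for illustration, and DNs are compared as exact strings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    subject: str        # "anyone", "owner", "group:<dn>" or "user:<dn>"
    scope_dn: str       # a single entry, or the root of a subtree when subtree=True
    subtree: bool
    attrs: frozenset    # empty means the rule covers every attribute of the entry
    rights: frozenset   # subset of {"read", "write"}

def in_scope(rule: Rule, target_dn: str) -> bool:
    """Entry-scoped rules match one DN; subtree rules match the root and everything below it."""
    if target_dn == rule.scope_dn:
        return True
    return rule.subtree and target_dn.endswith("," + rule.scope_dn)

def subject_matches(rule: Rule, requester_dn: str, groups: set, target_dn: str) -> bool:
    """'owner' means the entry describes the requester; groups are given as group DNs."""
    if rule.subject == "anyone":
        return True
    if rule.subject == "owner":
        return requester_dn == target_dn
    kind, _, name = rule.subject.partition(":")
    return (kind == "user" and name == requester_dn) or (kind == "group" and name in groups)

def allowed(rules, requester_dn: str, groups: set, target_dn: str, attr: str, right: str) -> bool:
    """Default deny: allow only if some rule grants the right for this subject, scope and attribute."""
    for r in rules:
        if right not in r.rights or not in_scope(r, target_dn):
            continue
        if r.attrs and attr not in r.attrs:
            continue
        if subject_matches(r, requester_dn, groups, target_dn):
            return True
    return False

# Constructed policy: owners update their own phone/address, project managers
# update project descriptions, everyone may read anything under o=VU.
PEOPLE = "ou=People,o=VU"
PROJECTS = "ou=Projects,o=VU"
RULES = [
    Rule("owner", PEOPLE, True, frozenset({"telephoneNumber", "postalAddress"}), frozenset({"write"})),
    Rule("group:cn=ProjectManagers," + PEOPLE, PROJECTS, True, frozenset({"description"}), frozenset({"write"})),
    Rule("anyone", "o=VU", True, frozenset(), frozenset({"read"})),
]
```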
Directory Security Examples

Connection scenarios, their characteristics, and the directory-specific security mechanisms or functions each requires:

| # | Contains sensitive data? | Hijacking or IP spoofing threats? | Anonymous requesters? | Read/Write? | Identified requesters? | Read/Write? | Required directory-specific security mechanisms or functions |
| 1 | N | N | Y   | RO  | N   |     | None |
| 2 | N | N | N   | N/A | Y   | RO  | Secure authentication |
| 3 | N | Y | N/A | N/A | N/A | N/A | Mutual authentication, connection integrity protection |
| 4 | N | N | Y   | RO  | Y   | RW  | Secure authentication |
| 5 | Y | Y | N/A | N/A | N/A | N/A | Mutual authentication, connection integrity and confidentiality protection |

Ref: Jeff Hodges; jhodges@oblix.com; http://www.oblix.com/
Data Integrity: Replication
 There are world-wide directories
    Performance issues
      o Data distributed over the whole world
      o Multiple copies of sections of the DIT
      o Local copy may not be completely up to date
    DUA always knows when it receives information from
     a copy
 Local directories may be copies of remote
  directories or stand-alone directories
    performance issues are different
Cache and Shadow copies
 Cache copies
   not covered in the specification
   Unofficial copies, no guarantee of accuracy
 Shadow copies
   Obtained in accordance with procedures in Directory
    specification
   Official, controlled copy.
   Not necessarily up to date at all times
   Limit to the time before it will be updated.
LDAP in use
Address access to LDAP
LDAP related RFCs
http://www.openldap.org/
Find more
More information on LDAP
 http://www.kingsmountain.com/ldapRoadmap.shtml
    Pointers to recent articles
    Pointers to downloadable copies of the software
    Updates on status
    etc.
Directory summary
Distributed information
  performance issues
  security issues
Consistent structure of information makes
 distributed access easier
Local use has many applications in
 coordinated access and security within an
 organization

posted: 8/16/2012