LDAP Directory Integration for ISP's and Enterprises
Authors:
Nickolay Rashev, Bianor Ltd.
Kostadin Jordanov, Bianor Ltd.
November 2002
Contents
Abstract
What is a directory?
Directory clients and servers
Directory security and management
Directory versus database
The directory as infrastructure
The LDAP directory standard
LDAP directory products
Value for the enterprise: short-term, long-term benefits, and ROI
  Short-term benefits
  Long-term benefits
  Security Management
  Network Management
  Systems Management
  E-commerce and business process applications
  Competitive Advantage
  Directory ROI
Directory service integration for ISP's and Hosting companies – a case study
  Key features and advantages of WireFlame Web Hosting
  For Hosting Providers
  For Technical Staff
  For End-users
Conclusion
Contacts
Abstract
The directory project analysis includes both the short-term and long-term benefits of
a directory infrastructure. The short-term benefits are related to administrative
overhead and the quality of directory information. Managing multiple directories that
contain similar information escalates administrative costs and reduces the quality of
information in the directory.
For ISPs and hosting companies, an integrated web hosting system saves valuable
management resources by automating the time-consuming aspects of web hosting.
Such a system provides a simple, integrated, and easy-to-use web interface that
allows both the clients' and the provider's technical staff to maintain all clients
and accounts. Using a directory-centric hosting system ensures that a manageable,
secure, and scalable solution is in place to support business growth.
The benefits of an enterprise directory deployment far outweigh the costs of
maintaining multiple directories. Companies can get a return of approximately five
times their directory investment, depending on how many directories they integrate.
That return will manifest itself in administrative and support cost savings related to
directory management.
It’s more difficult to measure the long-term benefits, but they’re equally important.
Over the long term, the directory will become an essential part of the enterprise
computing infrastructure, providing the foundation for a variety of applications and
services. E-commerce, extranet, and other distributed applications will not scale
without a solid directory foundation. Policy-based management systems will use the
directory to reduce the costs of managing desktop computers, network devices, and
other systems. They’ll also increase the efficiency of the network, allowing managers
to personalize the network to fit the needs of individuals, groups, and applications.
This combination of short-term and long-term benefits clearly justifies a directory
investment on the part of organizations that are trying to simplify their internal
network environments while simultaneously trying to extend their networks to
support extranet and e-commerce applications.
What is a directory?
A directory is a listing of information about objects arranged in some order and that
gives details about each object. Common examples are a city telephone directory
and a library card catalog. For a telephone directory, the objects listed are people;
the names are arranged alphabetically, and the details given about each person are
address and telephone number.
In computer terms, a directory is a specialized database, also called a data
repository, that stores typed and ordered information about objects. Today, almost
every application that involves communication comes with some kind of directory.
Human Resources and Enterprise Resource Planning (ERP) applications such as
PeopleSoft and SAP are becoming critical in large organizations.
Without realizing it, we all use directory services, whether on the Internet or at work
when we need to get some information. When you type in a URL on a web browser,
such as http://www.bianor.com, this must be translated into an IP address via the
Domain Name System (DNS). Thus, DNS is a directory that you use.
One example that has generated a lot of interest is the Directory Enabled Networks
(DEN) initiative. It shows LDAP being viewed as a way to ease the management of the
many different components of distributed systems. It may also make it possible to
centralize the management of these distributed systems without reducing security or
increasing complexity.
Today, the developers of directory-enabled applications face a problem. They cannot
assume that a directory service will exist in every environment, and where one does
exist it might be specific to a certain operating environment or e-mail system,
making the application non-portable. Nor can they assume that an existing directory
service can be extended to store the type of information their application needs.
Because of these concerns, application developers often end up developing their own
application-specific directory. To avoid this obvious waste of time and energy
(reinventing the wheel for every application), directory standards were created by
international bodies such as ISO and CCITT (now ITU-T).
Directory clients and servers
Directories are usually accessed using the client/server model of communication. An
application that wants to read or write information in a directory does not access the
directory directly. Instead, it calls a function or application programming interface
(API) that causes a message to be sent to another process. This second process
accesses the information in the directory on behalf of the requesting application.
The request is performed by the directory client, and the process that maintains and
looks up information in the directory is called the directory server. In general,
servers provide a specific service to clients. Sometimes, a server might become the
client of other servers in order to gather the information necessary to process a
request.
Directory security and management
The security of information stored in a directory is a major consideration. Some
directories are meant to be accessed publicly on the Internet, but even then not
every user should be able to perform every operation. A company’s directory serving
its intranet can be kept behind a firewall to keep the general public from reaching
it, but finer-grained access control is needed within the intranet itself.
For example, anybody should be able to look up an employee’s e-mail address, but
only the employee or a system administrator should be able to change it. Members
of the personnel department might have permission to look up an employee’s home
telephone number, but their co-workers might not. Perhaps information needs to be
encrypted before being transmitted over the network. A security policy defines who
has what type of access to what information. The security policy is defined by the
organization that maintains the directory.
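The policy just described (anybody may look up an e-mail address, only the employee or an administrator may change it, the home telephone number is visible to the personnel department but not to co-workers), written out as an added example that is not from the paper or from Bianor's WireFlame: the rules in the order-sensitive, first-match form that an LDAP server such as OpenLDAP evaluates them, with a small Python evaluator so the consequences can be checked offline. The group names, the base DN and the sample users are assumptions; the slapd.conf fragment in the comment is the equivalent server configuration.

```python
"""Attribute-level directory access policy evaluated the way an LDAP server does it:
first matching 'access to' clause wins, then the first matching 'by' clause inside it,
and anything unmatched is denied.  Names and DNs below are constructed examples."""

# Equivalent OpenLDAP slapd.conf fragment (assumed group and base DNs):
#   access to attrs=mail
#       by self write
#       by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
#       by * read
#   access to attrs=homePhone
#       by self write
#       by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
#       by group.exact="cn=personnel,ou=groups,dc=example,dc=com" read
#       by * none
#   access to *
#       by users read
#       by * none

# Access levels in increasing order; granting one grants all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Each rule: which attributes it governs (None = all) and an ordered list of
# (who, level) clauses.  Clause order and rule order both matter.
POLICY = [
    {"attrs": {"mail"},
     "by": [("self", "write"), ("group:admins", "write"), ("*", "read")]},
    {"attrs": {"homePhone"},
     "by": [("self", "write"), ("group:admins", "write"),
            ("group:personnel", "read"), ("*", "none")]},
    {"attrs": None,
     "by": [("users", "read"), ("*", "none")]},
]

ANONYMOUS = None   # an unauthenticated requester
JDOE = "uid=jdoe,ou=people,dc=example,dc=com"
SELF = {"dn": JDOE, "groups": set()}
COWORKER = {"dn": "uid=asmith,ou=people,dc=example,dc=com", "groups": set()}
HR = {"dn": "uid=hr1,ou=people,dc=example,dc=com", "groups": {"personnel"}}
ADMIN = {"dn": "uid=diradmin,ou=people,dc=example,dc=com", "groups": {"admins"}}


def _who_matches(who, requester, target_dn):
    """Does a 'by' clause apply to this requester acting on this entry?"""
    if who == "*":
        return True
    if requester is ANONYMOUS:
        return who == "anonymous"
    if who == "users":                      # any authenticated identity
        return True
    if who == "self":                       # the entry accessed is the requester's own
        return requester["dn"].lower() == target_dn.lower()
    if who.startswith("group:"):
        return who[len("group:"):] in requester["groups"]
    return False


def allowed(policy, requester, target_dn, attr, op):
    """True if `requester` may perform `op` ('read', 'write', ...) on `attr`
    of the entry `target_dn` under `policy`."""
    for rule in policy:
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue                         # rule does not govern this attribute
        for who, level in rule["by"]:
            if _who_matches(who, requester, target_dn):
                return LEVELS.index(level) >= LEVELS.index(op)
        return False                         # target matched, no 'by' clause did: deny, stop
    return False                             # no rule at all: default deny


def ordering_pitfall():
    """Same clauses with the general rule moved first.  Evaluation stops at the
    first rule that governs the attribute, so the homePhone restriction is never
    reached (co-workers can read it) and anonymous lookup of mail breaks too."""
    swapped = [POLICY[-1]] + POLICY[:-1]
    return (allowed(swapped, COWORKER, JDOE, "homePhone", "read"),
            allowed(swapped, ANONYMOUS, JDOE, "mail", "read"))


if __name__ == "__main__":
    for who, name in ((ANONYMOUS, "anonymous"), (COWORKER, "co-worker"),
                      (HR, "personnel"), (SELF, "self")):
        print(f"{name:10} mail/read={allowed(POLICY, who, JDOE, 'mail', 'read')!s:5} "
              f"mail/write={allowed(POLICY, who, JDOE, 'mail', 'write')!s:5} "
              f"homePhone/read={allowed(POLICY, who, JDOE, 'homePhone', 'read')}")
    print("general rule first -> (co-worker reads homePhone, anonymous reads mail):",
          ordering_pitfall())
```

Rule order is the part to check when auditing a real deployment: because evaluation stops at the first "access to" clause that governs the attribute, placing the general "by users read" rule ahead of the specific ones silently shadows the homePhone restriction (ordering_pitfall() returns (True, False): the restricted attribute leaks and the public address book stops working), which is one of the most common ways directory ACLs end up exposing data.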
Herein we focus on the three aspects of directory security: authentication, integrity
and confidentiality. There are several methods that can be used for this purpose; the
most important ones are discussed here. These are:
No authentication
This is the simplest way, one that obviously does not need to be explained in much
detail. This method should only be used when data security is not an issue and when
no special access control permissions are involved. This could be the case, for
example, when your directory is an address book browsable by anybody.
Basic authentication
Beside the option of using no authentication at all, the simplest security
mechanism in LDAP is the simple bind, often called basic authentication. The client
identifies itself to the server by means of a distinguished name and a password
that are sent in the clear over the network: there is no encryption at all, so
anyone who can capture the traffic (on port 389 without TLS) reads the password
directly. Two consequences follow. A simple bind carrying a real password must only
be sent over an SSL/TLS-protected connection. And a simple bind with a name but an
empty password is, by the LDAP specification, an unauthenticated bind that results
in anonymous access rather than proving the named identity; an application that
passes a user-supplied password straight to the bind operation and treats success
as a login will accept a blank password unless it checks for that case first.
Simple Authentication and Security Layer (SASL)
SASL is a framework for adding authentication mechanisms to connection-oriented
protocols; LDAP uses it through the sasl choice of the bind operation, with
mechanisms such as DIGEST-MD5, GSSAPI (Kerberos) and EXTERNAL, which relies on a
client certificate already presented during the TLS handshake. The negotiation of
which mechanism to use is done in the clear, so an attacker on the network can try
to force a weaker one; once the client and the server have agreed on a mechanism,
the exchange that follows is protected against tampering with the authentication
identities only to the extent that mechanism provides. SASL is therefore normally
combined with SSL/TLS rather than used instead of it.
SSL and its successor, TLS, are the transport protection commonly used with LDAP,
either on a dedicated port (ldaps://) or switched on within an existing port-389
session by the StartTLS extended operation. The Secure Socket Layer (SSL) protocol
was devised to provide both authentication and data security. It encapsulates the
TCP/IP socket so that basically every TCP/IP application can use it to secure its
communication.
SSL/TLS supports server authentication (client authenticates server), client
authentication (server authenticates client), or mutual authentication. In addition, it
provides for privacy by encrypting data sent over the network.
SSL/TLS uses a public key method to secure the communication and to authenticate
the counterparts of the session. This is achieved with a public/private key pair.
The simplified interchange between a client and a server negotiating an SSL/TLS
connection is illustrated here:
SSL/TLS is used to authenticate a server to a client using its certificate and its
private key and to negotiate a secret key later on used for data encryption.
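What the simple bind described under "Basic authentication" actually puts on the wire, and the StartTLS request a client has to send (and complete, verifying the server's certificate) before it, as an added example that is not from the paper or from WireFlame. The BER encoding follows RFC 4511; the DN and password are constructed sample data, and bind_decision() is an illustrative client-side guard, not an API of any LDAP library.

```python
"""LDAPv3 simple bind and StartTLS request, byte for byte (RFC 4511 BER encoding),
with a client-side guard that refuses to leak a password.  The DN and password
are constructed sample data; bind_decision() is illustrative, not a library API."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
SIMPLE_AUTH = 0x80         # AuthenticationChoice: simple [0] OCTET STRING
REQUEST_NAME = 0x80        # ExtendedRequest: requestName [0] LDAPOID
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

SAMPLE_DN = "cn=jdoe,dc=example,dc=com"   # constructed
SAMPLE_PASSWORD = "s3cret"                # constructed


def _ber_len(n):
    """BER definite length: one byte below 128, else 0x80|count then big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n):
    """Minimal two's-complement INTEGER; enough for message IDs and the version."""
    return _tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _parse_tlv(buf, pos=0):
    """Decode one TLV at `pos`; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (_ber_int(3)
            + _tlv(OCTET_STRING, dn.encode("utf-8"))
            + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _ber_int(message_id) + _tlv(BIND_REQUEST, bind))


def starttls_request(message_id):
    """ExtendedRequest carrying the StartTLS OID (RFC 4511 section 4.14); sent on
    port 389 before any bind, after which the TLS handshake runs on the same socket."""
    return _tlv(SEQUENCE, _ber_int(message_id)
                + _tlv(EXTENDED_REQUEST, _tlv(REQUEST_NAME, STARTTLS_OID)))


def sniff_simple_bind(pdu):
    """What a passive observer of a cleartext session recovers from a simple bind:
    (dn, password) verbatim.  None for any other message, including SASL binds."""
    tag, msg, _ = _parse_tlv(pdu)
    if tag != SEQUENCE:
        return None
    _, _, pos = _parse_tlv(msg)                 # messageID
    op_tag, bind, _ = _parse_tlv(msg, pos)
    if op_tag != BIND_REQUEST:
        return None
    _, _, pos = _parse_tlv(bind)                # version
    _, dn, pos = _parse_tlv(bind, pos)          # name (LDAPDN)
    auth_tag, cred, _ = _parse_tlv(bind, pos)
    if auth_tag != SIMPLE_AUTH:
        return None
    return dn.decode("utf-8"), cred.decode("utf-8")


def classify_simple_bind(dn, password):
    """RFC 4513 section 5.1: empty name and password = anonymous bind; a name with
    an empty password = 'unauthenticated' bind, which yields anonymous access and
    proves nothing about the name.  Code that forwards a web-form password straight
    into bind() and treats success as login is fooled by a blank password."""
    if not dn and not password:
        return "anonymous"
    if not password:
        return "unauthenticated"
    return "simple"


def bind_decision(dn, password, tls_established):
    """Illustrative client-side guard (assumption, not a library API): only emit a
    simple bind as a login attempt when it carries a real password and the session
    is already TLS-protected with a verified server certificate."""
    kind = classify_simple_bind(dn, password)
    if kind != "simple":
        return "refuse", f"{kind} bind must not be treated as a login"
    if not tls_established:
        return "refuse", "send starttls_request() and finish the handshake first"
    return "send", simple_bind_request(2, dn, password)


if __name__ == "__main__":
    pdu = simple_bind_request(1, SAMPLE_DN, SAMPLE_PASSWORD)
    print("bind on the wire:", pdu.hex())
    print("observer recovers:", sniff_simple_bind(pdu))
    print("StartTLS request:", starttls_request(1).hex())
    print("guard, cleartext session:", bind_decision(SAMPLE_DN, SAMPLE_PASSWORD, False))
    print("guard, blank password:", bind_decision(SAMPLE_DN, "", True))
```

Running the module prints the bind PDU as hex; the DN and the password are visible in it as plain ASCII, which is exactly what a capture of an unprotected port-389 session yields. The TLS side is deliberately left to the caller: the guard only insists that the handshake has happened, and a client that completes it without checking the server's certificate against a trusted CA gains nothing against an active attacker.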
Directory versus database
A directory is often described as a database, but it is a specialized database that has
characteristics that set it apart from, for example, general-purpose relational
databases. One special characteristic of directories is that in general they are
accessed (read or searched) much more often than they are updated (written).
Hundreds of people might look up an individual’s phone number, or thousands of
print clients might look up the characteristics of a particular printer. But the phone
number or printer characteristics rarely change.
Directories must be able to support high volumes of read requests, so they are
typically optimized for read access. Write access might be limited to system
administrators or to the owner of each piece of information. A general-purpose
database, on the other hand, needs to support applications such as airline
reservations and banking with high update volumes.
The directory as infrastructure
A directory that is accessible by all applications is a vital part of the infrastructure
supporting a distributed system. A directory service provides a single logical view of
the users, resources, and other objects that make up a distributed system. This
allows users and applications to access network resources transparently. That is, the
system is perceived as an integrated whole, not a collection of independent parts.
Objects can be accessed by name or function without knowing low-level identifiers
such as host addresses, file server names, and e-mail addresses.
LDAP is the protocol to be used to access this common directory infrastructure. Like
HTTP (hypertext transfer protocol) and FTP (file transfer protocol), LDAP is becoming
an indispensable part of the Internet’s protocol suite.
When applications access a standard common directory that is designed in a proper
way, rather than using application-specific directories, redundant and costly
administration can be eliminated, and security risks are more controllable. The
calendar, mail, and operator notification applications can all access the same
directory to retrieve an email address. New uses for directory information will be
realized, and a synergy will develop as more applications take advantage of the
common directory.
The LDAP directory standard
LDAP defines the communication protocol between the directory client and server,
but does not itself define a programming interface for the client; a widely
implemented C API (RFC 1823) filled that gap. A standardized protocol together with
a common API available on different platforms is a major reason for the wide
acceptance of LDAP.
LDAP has evolved to meet the need of providing access to a common directory
infrastructure. LDAP is an open industry standard that is supported by many system
vendors on a variety of platforms. It is being incorporated into software products and
is quickly becoming the directory access protocol of choice. LDAP allows products
from different vendors on different platforms to interoperate and provide a global
directory infrastructure, much like HTTP enabled the deployment of the World Wide
Web.
A common directory infrastructure encourages new uses. The Directory Enabled
Networks (DEN) Initiative is a proposal to allow information about network
configuration, protocol information, router characteristics, and so on to be stored in
an LDAP directory. The availability of this information in a common format from
many equipment vendors will allow the intelligent management and provisioning of
network resources. These examples show the diverse uses of directory-enabled
applications supported by a common directory infrastructure accessed with LDAP.
LDAP directory products
Novell, eDirectory
Sun, Sun ONE Directory Server
Netscape, Netscape Directory Server
Oracle, Oracle Internet Directory
Microsoft, Active Directory
IBM, IBM Directory Server
OpenLDAP Project, OpenLDAP
Apple, Open Directory
Value for the enterprise: short-term, long-term benefits, and
ROI
Short-term benefits
The short-term benefits of directory deployments are related primarily to
administrative overhead and information quality. The fact that most enterprises have
multiple directories is no surprise, but many companies haven’t really examined how
much it costs to maintain those directories or the overall impact of inaccurate
information. The need to manage multiple directories—most of which contain the
same user and resource information—creates significant costs related to the
duplication of effort and the inaccuracy of directory information. Simply put,
companies want a single, authoritative source of accurate information. While they
can’t reduce the number of directories they have to just one, IT managers can
reduce the duplication of effort and increase the accuracy of directory information
through integration and unification efforts, which in turn save money.
Each directory a company has to maintain comes with its own setup, administration,
training, support, and maintenance operations. IT departments must hire and train
people to run those directories, and end users must access them. In other words,
each directory has its associated costs, and reducing the number of directories that
an organization has to manage can reduce costs.
A few simple calculations illustrate these savings. Take a company that supports
seven directories, with 35,000 individual record changes a year and an average of
15 minutes per change. Each change has to be made in all seven directories, so the
work is 35,000 × 7 × 15 minutes, about 61,250 hours a year, which at the staff cost
assumed in this example comes to annual directory administration costs of $360,000.
Consolidating to a single directory cuts the work to one seventh, about 8,750 hours,
and the cost of directory changes to roughly $52,000.
In comparison with most enterprise environments, this example is relatively simple.
It’s safe to say that all large enterprises have more than five directories. If we
consider between 15 and 30 directories, which isn’t out of line with the reality most
companies face, we get dramatically higher savings. Therefore, our example clearly
illustrates that even in a simple environment, the cost savings that a directory
integration project yield are significant. Enterprise customers can use similar
techniques to calculate the costs of maintaining the status quo, and estimating the
cost savings that they can realize from implementing an integrated enterprise
directory in their own environment. By comparing those two numbers and illustrating
the return on the directory investment, a directory proposal can usually gain
widespread support within an organization due to the significant cost savings even a
conservative estimate promises.
Long-term benefits
Using an enterprise directory integration project to reduce administration costs
allows an organization to lay the foundation for long-term benefits that are harder to
quantify, but are of equal importance. As noted above, directories are becoming as
important as fundamental protocols like TCP/IP. They provide the foundation for a
new generation of applications that support e-commerce, extranet communications,
intranet collaboration, and other functions that transform business processes.
Directories also become the coordinating element in managing distributed systems
based on policies, which managers will apply and administer via the directory.
Specifically, directories will enable managers to create clear relationships between
basic user administration and policies for security, network, and systems
management, as well as business processes, allowing them to manage the whole
network environment.
Clearly, directories are evolving and cannot fully deliver on all of these promises in
an enterprise-wide fashion today. Directory products, standards, and tools must
mature to meet these goals. Developers must leverage directories more effectively in
their applications, and customers must make progress in their directory
deployments. But organizations can currently realize some of these benefits. The
longer an organization waits to start building its directory infrastructure, the longer it
will take to realize these benefits as they emerge over the next three to five years.
Security Management
Directories allow security managers to associate credentials from different
authentication mechanisms with each user’s unique directory entry. A directory can
hold a user’s X.509 digital certificates alongside the user’s Kerberos principal
(and, where the directory also backs the Kerberos KDC, the keys derived from the
password), giving managers a single place to manage and integrate credentials and
security policy. In addition, directories are the ideal foundation for single
sign-on services.
Likewise, Virtual Private Networks (VPNs), firewalls, and other security services can
use the directory to authenticate users, store and apply access controls, and expose
their services to other applications. As organizations centralize important security
functions in the directory, they can save money and effort by minimizing
administration overhead and decreasing risk.
Network Management
As the DEN initiative clearly demonstrates, directories will be the foundation for
management tools that allocate bandwidth based on quality and class of service
parameters (QoS/CoS). IT organizations will be able to provision and personalize
network access using profiles and policies for groups and individual users. IT
organizations can use these QoS/CoS services to meter services for charge back to
internal customers, and to cost-justify network hardware upgrades. As organizations
leverage policy-based management, they can save money by minimizing the effort it
takes to manage the network while using corporate resources more efficiently.
Systems Management
Increasingly, systems management tools will store policies for application and
operating system configuration preferences in the directory. Directories will enable
location independence, allowing users and applications to access resources, and get
the appropriate class of service, wherever they are. These developments make it
clear that it will be directories, not the network computer, that will rein in the costs
of desktop systems management.
E-commerce and business process applications
Directory services will be the foundation for e-commerce and extranet applications
that put business processes "in" the network. Directories will allow people to
collaborate and share information, for example, both internally and externally.
Applications will use the directories as the repository for roles and capabilities,
allowing applications (and the people that use them) to find the resources they need.
Directories will also allow applications to access naming, addressing, and routing
information for the people and applications involved with any process. An enterprise
directory will also enable trust relationships between partners, suppliers, and
customers. Many enterprises will maintain extranet directories, hosting entries that
describe their partners and customers through trading profiles and policies, including
each partner’s digital certificates and other important attributes, such as capabilities,
access rights, and appropriate contacts. Until global directory replication standards
emerge, many directory managers will want to delegate the authority to manage
these entries to their partners, ensuring a higher level of data integrity.
Many enterprises using extranets for business-to-business e-commerce will also have
to issue certificates for their trading partners, especially in cases where a strong
vertical electronic marketplace doesn’t exist. Thus, directories will support the
centralized management of e-commerce applications and tight integration with
corporate security, network, and systems management policies and systems.
Without a solid directory foundation, commerce applications will not scale to the
hundreds of thousands, if not millions, of users most enterprises want to serve.
Competitive Advantage
All of these long-term benefits translate to competitive advantage. Directories will
make new applications easier to build, because they can leverage the directory and
security infrastructure instead duplicating it. Thus, organizations can re-engineer
their business processes with less pain and overhead. Lower administration costs
free resources and enable investments in other developments that can improve the
company’s business process and bottom line. Finally, the coordination of security,
network, and systems management through policy will improve security, save
money, and strengthen a company’s competitive capabilities.
Directory ROI
Organizations must consider both the short-term and long-term benefits of a
directory strategy to assess accurately the return on investment. Simply put, the
long-term directory payback comes by combining the short-term benefits of reduced
administration costs with the long-term strategic benefits of a directory
infrastructure.
In the initial term of a directory integration project, costs will increase as an
organization invests in the directory infrastructure, cleans up and integrates
corporate data, and takes on the hard work of directory integration and unification.
But over the long term, costs will decrease as the integration pays off. The
organization will have to manage fewer directories, and an increasing number of
applications will leverage the directory infrastructure. Without such an integration
effort, costs will rise exponentially as an organization maintains an increasing
number of directories and fails to effectively leverage the overall strategic advantage
of an enterprise-wide directory infrastructure.
Directory service integration for ISP's and Hosting companies –
a case study
A directory-integrated web hosting system aims to facilitate the every-day
operations of hosting providers, ISPs, and their clients. It saves valuable
management resources by automating the time-consuming aspects of web hosting, and
provides a simple, easy-to-use web interface through which the client’s and the
provider’s technical staff can maintain the hosting system from any computer with
an Internet connection.
Hosting providers use an enormous number of diverse web services and products
from different vendors. If these services are not unified in one integrated
solution, their management, control, and monitoring become a hard and time-
consuming task.
Bianor’s WireFlame Integrated Web Hosting System gives ISPs the features they need,
with enough performance to support tens of thousands of web sites, domains, and
users.
WireFlame is an integrated web hosting system with two major components – a
Server System, that provides different network services, such as email, custom web
sites, file transfer, etc., and an Administration Interface, which is a unique
management application for the sales people, technical staff, and end-users enabling
them to centrally manage all their profiles and subordinates.
Key features and advantages of WireFlame Web Hosting
Robust system - built for growth above 100,000 mail accounts, tens of
thousands of web sites, domains, and users
Highly available and reliable - runs on a cluster of load-balanced PC servers
Scalable - new machines can be easily added to the cluster
Flexible and open to new functionalities - allows easy integration of new
modules and third-party products
Manageable - centralized directory for all services and products
No additional license costs - integrates the best open-source proven products
like Apache, qmail, etc.
Based entirely on Linux - no additional license costs for middleware
Multi-lingual support - English, Japanese, and other
Remote management of accounts via secure web access
High level of network security and monitoring
Easy to support
Low TCO (Total Cost of Ownership)
For Hosting Providers
WireFlame gives the hosting provider's sales force a selection of predefined service
packages that they can readily offer to their clients. Hosting packages allow
flexible customization of every feature and aspect of a hosting plan, making it
quick to build an offer suited to each individual client's needs. A package works
like a wizard: it lowers creation and modification effort by starting from
predefined profiles, while still letting the operator add or remove services and
change quotas through a simple point-and-click interface.
For Technical Staff
WireFlame integrated directory-based policy management controls which system
users have access to different resources. Access rights are grouped by role name,
and access to resources is restricted only to users who have been assigned a given
role. For example, a user who is defined as a system administrator of a certain
client's company can access only the company's properties and manage company's
internal user profiles, details, and quotas in the range of resources generally
provided to the company by the hosting provider.
For End-users
WireFlame Web Hosting System provides end-users with custom managed profiles,
web sites, email, file exchange, FTP, WebDAV, DNS, SMTP, POP3, IMAP, web mail,
mailing lists, CGI's, access management and usage statistics, network security,
backup, real-time monitoring, and a number of other integrated products and
services - sized for thousands of companies and hundreds of thousands users,
centrally managed through a web interface for every single user.
WireFlame Server System provides the following basic functionalities and services to
the Internet users, integrated through a central directory:
Web server - User password-protected directories, SSL, Apache mod plug-ins
DNS
Sub domains
File transfers – FTP, WebDAV, Web-based file exchange
Multimedia capabilities
Application environments – Java, XML, ASP, Perl, Python, PHP, C/C++,
Standard CGI packages
Email - SMTP, POP3, IMAP, WebMail
Mail listings
Anti-virus and spam control
Database – MySQL, PostgreSQL, Oracle 9i, IBM DB2, and other
E-shops and catalogs
Interface to payment providers
Administration Interface
WireFlame is an open architecture system to which different software packages can
be integrated according to hosting provider and customer’s needs. Herein, we
present the basic functionality and packages of the system.
Conclusion
IT managers can demonstrate the value of, and the return on, an enterprise
directory project by quantifying the short-term benefits in terms of dollars, and
defining the long-term benefits in terms of strategic initiatives. With a well-executed
implementation plan, enterprise customers can expect a return of approximately five
times their ongoing investment, depending on the size of the network, the number of
users in the directory, and the number of directories being integrated with the
enterprise directory. Organizations can realize that return in cost savings in the
millions of dollars, primarily in the areas of administration and support. But those
savings will come only through the hard work, careful planning, and commitments
that directory projects require.
Contacts
For more information please contact:
BIANOR
5 Stratsin Str.
1407 Sofia
Bulgaria
Email: info@bianor.com
Web: www.bianor.com