
Understanding directory services PDF

627 Pages·2002·2.617 MB·English


00 0672323052 FM 11/7/01 3:27 PM Page i

Understanding Directory Services
Beth Sheresh
Doug Sheresh
Systems Research Corporation

800 East 96th St., Indianapolis, Indiana 46240 USA

Copyright © 2002 by Systems Research Corporation

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-672-32305-2
Library of Congress Catalog Card Number: 2001094219
Printed in the United States of America
First Printing: December, 2001
04 03 02 01   4 3 2 1

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis.

Associate Publisher: Jeff Koch
Acquisitions Editor: William E. Brown
Development Editor: Mark Renfrow
Managing Editor: Matt Purcell
Project Editor: George E. Nedeff
Copy Editor: Linda Seifert
Indexer: Sandy Henselmeier
Proofreader: Wendy Ott
Technical Editor: Marcus Williamson
Team Coordinator: Lynne Williams
Interior Designer: Anne Jones
Cover Designer: Aren Howell
Page Layout: Rebecca Harmon

Contents

Introduction  1
    Who Should Read This Book  1
    How This Book Is Organized  1
    Conventions  2

1  Introduction to Directory Services  3
  What Is a Directory Service?  5
    A Ubiquitous Management Technology  6
    Defining Directory Services  7
    How Does a Directory Service Work?  10
    Qualities of a Directory Service  11
  What a Directory Service Provides  12
    Streamlined Network Administration  14
    Integrated Security Infrastructure  18
    Reliable High Performance  20
    Robust Application Development Platform  22
  Common Types of Directory Services  24
    Network Operating System Directories  25
    General-Purpose Directory Services  28
    Metadirectories  29
    Application Directories  30
    Specific-Use Directories  31
  Directory Service Implementations  33
    Automated Provisioning  34
    Public Key Infrastructure  34
    Internet Service Providers  35
    Web Site Management  36
    Government Services  36
  State of Directory Services  38

2  Evolution of Directory Services  39
  Information Characteristics  41
    Scope of Information  41
    Directory Focus  42
    Directory Content  43
    Data Sensitivity  43
    Information Ownership  44
    Management Capability  45
    Regulations and Policies  46
  Organizing Directory Information  47
    Namespace Organization: From Flat to Hierarchical  48
    Naming Directory Objects: From Physical to Logical  50
  Storing Directory Information  59
    Storage: From Centralized to Distributed  60
    Centralized Directory Information  60
    Centralized and Replicated Directory Information  62
    Distributed Directory Information  62
  Securing Directory Information  66
    Hierarchical Security Model  68
    Granularity  69
    Multiple Security Technologies and Providers  69
  Directory Administration  71
    Hierarchical Administration Model  71
    Delegation of Administration  72
    Granular Administration of Access  73

3  Storing Directory Information  75
  The Directory Database  76
    Storing the Directory Database on Disk  77
    Distributing the Directory Database  77
  Partitioning the Directory  78
    Managing Partitions  79
    Partitioning Examples  81
    Invalid Partitioning  86
    Name Resolution Across Partitions  88
  Directory Replication  92
    Managing Replication  93
    Replica Types  94
    Replication Strategies  97
    Replication Operations  101
    Data Consistency  105

4  X.500: A Model for Directory Services  111
  Introduction to X.500  112
    X.500 Terminology  113
    Defining a Distributed Directory Service  114
    X.500 Client/Server Agents  115
    X.500 Protocols  116
    Application Programming Interfaces in X.500  118
  X.500 Models  118
    The Directory Functional Model  119
    The User Information Model  120
    The Directory Administrative and Operational Information Model  121
    The DSA Information Model  122
    The Directory Distribution Model  125
    The Directory Administrative Authority Model  126
    The Security Model  129
  X.500 Directory Objects  131
    Container Objects  132
    Leaf Objects  133
    Aliases  134
  Directory Information Tree  135
    The Global Tree  136
    Structuring the DIT  137
    DIT Roles in X.500 Models  137
    DIT Permissions Flow  137
  X.500 Naming  138
  X.500 Directory Schema  140
    Object Class Definitions  141
    Attribute Definitions  143
    Attribute Syntax Definitions  144
    Extending the Schema  144
  Directory Information Base  145
    Naming Context  145
    Replication in X.500  146
  X.500 Operations  148
    Binding and Authentication Operations  148
    Object Name Resolution  149
    Directory Access Operations  153
  Security in X.500  154
    Authentication  155
    Access Control  157
    Digital Signatures  161
    X.509 Certificates  162

5  LDAP: Lightweight Directory Access Protocol  163
  Introduction to LDAP  164
    Features of LDAP  165
    The Evolution of LDAP  167
  LDAP Models  170
    Data Model  171
    Protocol Model  171
  The LDAP Directory Objects and Schema  172
    LDAP Directory Objects  173
    LDAP Attributes  176
  The Directory Information Tree  177
  LDAP Naming  178
    LDAP Names  178
    LDAP URLs  181
    DNS Domain Names in LDAP  184
  The Directory Information Base  186
  LDAP Operations  186
    Name Resolution  187
    LDAP Searches  188
    Extended Operations  190
    LDAP Data Interchange Format  191
  LDAP Security  192
    Access Control  192
    Authentication  193
    Simple Authentication and Security Layer  194
  LDAP Programming  195
  Proposed LDAP Extensions  197
    Replication  197
    Broader Schema  198

6  DNS: The Domain Name System  199
  Introduction to DNS  200
    DNS Terminology  202
    DNS as a Specific-Use Directory  203
    DNS Client/Server Agents  204
  Models/Views in DNS  206
  DNS Objects: Resource Records  207
  The DNS Tree  208
    The Root Domain  209
    Top-Level Domains  209
    Second-Level Domains  211
    Subdomains  213
    DNS Hosts  214
  DNS Naming  215
  Defining the DNS Schema  216
    DNS Resource Records  217
    The Start of Authority Record  217
    Specifying Name Server Records  218
    Supplying Host Address Records  219
    Aliases: The Canonical Name Records  219
    Using Service Resource Records  220
  The Distributed DNS Database  221
    Partitioning the DNS Database  221
    Replication of DNS Data  226
  DNS Operations  230
    DNS Name Resolution  231
    Operational Roles of Name Servers  231
    DNS Name Queries  233
    Iterative Name Resolution  234
    Recursive Name Resolution  235
    Reverse Lookups  237
    Name Resolution with Forwarders  237
  Proposed DNS Extensions  240
    DNS Security  241
    DNS in Directory Services  241
    Dynamic DNS (DDNS)  242

7  X.500 Directory Services  245
  Introduction to X.500 Directory Services  246
  Computer Associates’ eTrust Directory  248
    Introduction to eTrust  248
    The eTrust Directory Information Base  251
    eTrust Operations  251
    eTrust Security  252
    eTrust Administration  253
  Siemens DirX  254
    Introduction to DirX  254
    The DirX Directory Information Base  259
    DirX Operations  260
    DirX Security  261
    DirX Administration  262
  Nexor Directory  264
    Introduction to Nexor  264
    The Nexor Directory Information Base  266
    Nexor Operations  267
    Nexor Security  267
    Nexor Administration  268

8  LDAP-Only Directory Services  269
  Introduction to LDAP-Only Directory Services  270
    SLAPD (Standalone LDAP Daemon)  271
    SLURPD (Standalone LDAP Update/Replication Daemon)  273
    LDAP 2000 Certification  273
  OpenLDAP  274
    Introduction to OpenLDAP  275
    OpenLDAP Directory Objects and Schema  278
    The OpenLDAP Directory Information Tree  278
    OpenLDAP Naming  279
    The OpenLDAP Directory Information Base  279
    OpenLDAP Operations  280
    OpenLDAP Security  280
    OpenLDAP Administration  281
  IBM SecureWay  281
    SecureWay Directory Objects and Schema  284
    The SecureWay Directory Information Tree  284
    SecureWay Naming  284
    The SecureWay Directory Information Base  284
    SecureWay Operations  285
    SecureWay Security  285
    SecureWay Administration  286
  Sun|Netscape iPlanet  287
    Introduction to iPlanet  287
    iPlanet Directory Objects and Schema  291
    The iPlanet Directory Information Tree  291
    iPlanet Naming  293
    The iPlanet Directory Information Base  293
    iPlanet Operations  296
    iPlanet Security  296
    iPlanet Administration  297

9  eDirectory  299
  Introduction to eDirectory  300
    NDS Design Overview  303
    Client/Server Agents  306
    eDirectory APIs  309
    Support for Industry Initiatives  310
  eDirectory Objects and Schema  311
    Directory Objects  311
    eDirectory Schema  313
  The eDirectory Tree  317
  Naming in eDirectory  318
    eDirectory Names  319
    Directory Context  321
    Periods in eDirectory Names  322
  eDirectory Directory Information Base  323
    Storage Method  323
    Partitioning the DIB  325
    Replication of the DIB  326
    Synchronization Method  330
  eDirectory Operations  334
    Server Location  334
    Name Resolution  334
    DNS Federation  335
    Bindery Compatibility  335
  Security in eDirectory  337
    Authentication Methods  337
    Access Control  338
  eDirectory Administration  342
    Administration Tools  343
    Login Script Processing  346
    Groups in eDirectory  347
    Integrated Novell Management Technologies  347
  The Future of eDirectory  349
    DirXML  349
    Interesting NDS Deployments  350

10  Active Directory  351
  Introduction to Active Directory  352
    Active Directory Design Overview  354
    Client/Server Agents  357
    Active Directory APIs  358
  Active Directory Models  360
  Active Directory Objects and Schema  361
    Active Directory Objects  361
    Active Directory Schema  363
  The Active Directory DIT  365
    The Forest  366
    The Domain Tree  367
    The Directory Tree  370
  Naming in Active Directory  372
    NetBIOS Naming  373
    DNS Naming  373
    LDAP Naming  374
    The Globally Unique IDentifier  375
  The Active Directory DIB  375
    Storage Method  375
    Partitioning the DIB  377
    Replication of the DIB  379
    Synchronization  381
  Active Directory Operations  383
    DSA Operational Roles  383
    Client Logon  385
    Name Resolution  386
    Native Versus Non-Native Mode  387
    Extensibility  388
  Security in Active Directory  388
    New Security Capabilities  389
    Interdomain Trusts  390
    Security Standards and Protocols  392
    Authentication  393
    Access Control  394
    Group Policy  396
  Active Directory Administration  397
    Delegation of Administrative Authority  397
    Administrative Tools  398
    Groups in Active Directory  400
  The Future of Active Directory  402

11  Metadirectory Services  405
  Introduction to Metadirectory Services  406
    Information and Implementation Factors  407
  What Is a Metadirectory?  408
    What Does a Metadirectory Do?  408
    How Does a Metadirectory Work?  410
  Metadirectory Design  410
    Integrating Multiple Namespaces  411
    Scope of Interoperability  413
    Methods of Integration  414
    Directory Synchronization Tools  420
  Metadirectory Components  422
    Information Management  422
    Data Synchronization  425
    Storing the Data  425
    Event Management  426
    Interdirectory Security  426
  Siemens DirXmetahub  427
    Namespace Integration  428
    Scope of Interoperability  428
    Metadirectory Components  428
    Information Management  432
  Sun|Netscape iPlanet Metadirectory  439
    Namespace Integration  440
    Scope of Interoperability  441
    Metadirectory Components  441
    Information Management  444
  Microsoft Metadirectory Services  446
    Namespace Integration  447
    Scope of Interoperability  448
    Metadirectory Components  448
    Information Management  451
