Date posted: 04-Jan-2016
Directory Services
DIT Design
Jim Rommel
Perot Systems Corporation

Jim Rommel
Sr. Directory Specialist, Perot Systems Incorporated
• 4 years experience with X.500/LDAP Directory Services at Texas Instruments and Perot Systems
• Prior experience with Object Repository Technology
• X.500/LDAP experience includes:
  – Schema and DIT design
  – Directory infrastructure integration
  – Directory synchronization
  – LDAP development
  – Client DUA development
  – X.500/LDAP vendor evaluations
  – Installation and maintenance of several X.500/LDAP products
DIT Design: What is a DIT?
• Directory Information Tree: the logical hierarchical structure and categorization of directory information
• Different naming attributes within the tree:
  – c : country
  – o : organization
  – ou : organizational unit
  – l : locality
  – cn : common name
• DIT structure rules determine which naming attributes must precede others in the hierarchy
• Each entry in a directory must have a unique Distinguished Name (DN)
DIT Design: People By Department
c=US
  o=Acme
    ou=Sales  ou=Accounting  ou=R&D  ou=Engineering  ou=Mfg.
      cn=Mike Smith
DIT Design: Types of People
c=US
  o=Acme
    ou=Employees  ou=Customers  ou=Contractors  ou=Others
      cn=Mike Smith
DIT Design: By Location
c=US
  o=Acme
    l=Headquarters  l=Los Angeles  l=Chicago  l=Dallas  l=New York
      cn=Mike Smith
DIT Design: Deep Tree
c=US
  o=Acme
    l=North America
      l=Los Angeles  l=Dallas  l=New York
    l=Europe
      l=Munich  l=London  l=Paris
    l=Asia
      l=Singapore  l=Japan
        ou=People
          cn=Mike Smith

DIT Design: Deep Tree By Department
c=US
  o=Acme
    l=North America  l=Asia
      l=DFW  l=NYC  l=LA
        ou=Engineering  ou=Sales  ou=R&D  ou=MFG
          ou=People
            cn=Joe Boss  cn=Clara Jordan  cn=Mike Smith  cn=Mike Smith  cn=Soopy Sales
(the same cn=Mike Smith appears under two different subtrees without a name collision)
DIT Design: Flat Tree
c=US
  o=Acme
    ou=People
      cn=Mike Smith
DIT Design: Flat Tree
c=US
  o=Acme
    ou=People
      cn=Mike Smith #1  cn=Mike Smith #2
DIT Design: Perot Systems DIT
c=US
  o=Acme
    ou=People
      cn=SmithET  cn=AikmanTA  cn=SandersDJ  cn=GonzalesJ  cn=ModanoMW
    ou=Groups
      cn=Directory User  cn=Mail Admin  cn=Medical Admin  cn=Medical User
    ou=Locations
      site=TX-SD  site=TX-RI  site=SW-BK  site=NY-AA
    ou=Apps
      ou=Medical  ou=Web Sites  ou=Resumes
    ou=Systems
    ou=Schema
DIT Design: Deep -vs- Flat Trees
Deep Trees:
• Can result in long Distinguished Names (DN)
• May reflect your actual corporate structure
• Can result in administrative problems if your organization is constantly changing
• Better chance of having unique names within a subtree
• Works well if you want to distribute the data across multiple DSAs and do multi-mastering

DIT Design: Deep -vs- Flat Trees
Flat Trees:
• No need to categorize people
• Short Distinguished Names, easy to remember and type
• DIT is very stable: not affected by organizational changes, and easy to administer
• Higher chance of name collisions
• Not well suited for browsing
• Can result in longer load times or startup times, depending on the directory product you use
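The two trade-offs on the slides above (flat trees collide on common names; deep trees stay unique but a reorganization renames every entry beneath the moved subtree) can be made concrete with a small in-memory model. This is an added example, not code from the presentation: the `Dit` class and the staff list are constructed for illustration, a DN is represented as a tuple of (attribute, value) RDN pairs with the leaf first, and the only rule enforced is the one from the slides, that every DN must be unique.

```python
"""Flat vs. deep DIT trade-offs, modelled in a few lines of Python.

Constructed example: a DN is a tuple of (attribute, value) RDN pairs, leaf
first, so (("cn","Mike Smith"),("ou","People"),("o","Acme"),("c","US")) is
cn=Mike Smith,ou=People,o=Acme,c=US. The Dit class is hypothetical; it only
enforces the rule from the slides that every DN must be unique.
"""
from dataclasses import dataclass, field

DN = tuple  # tuple of (attribute, value) pairs, leaf RDN first
BASE = (("o", "Acme"), ("c", "US"))

# Constructed staff list: two different people who share a common name.
PEOPLE = [("Mike Smith", "Sales"), ("Mike Smith", "Engineering"), ("Clara Jordan", "R&D")]


class DuplicateDN(Exception):
    """Raised when an add or move would produce a second entry with the same DN."""


def render(dn: DN) -> str:
    """String form of a DN; the values used here need no escaping."""
    return ",".join(f"{attr}={value}" for attr, value in dn)


@dataclass
class Dit:
    entries: dict = field(default_factory=dict)  # DN -> attribute dict

    def add(self, dn: DN, **attrs) -> None:
        if dn in self.entries:
            raise DuplicateDN(render(dn))
        self.entries[dn] = dict(attrs)

    def move_subtree(self, old_parent: DN, new_parent: DN) -> int:
        """Re-parent every entry at or below old_parent (a modrdn with a new
        superior). Returns how many DNs changed; raises DuplicateDN if a
        renamed entry would collide with an existing one."""
        renamed = {}
        for dn, attrs in self.entries.items():
            if dn[-len(old_parent):] == old_parent:
                dn = dn[: -len(old_parent)] + new_parent
            if dn in renamed:
                raise DuplicateDN(render(dn))
            renamed[dn] = attrs
        changed = sum(1 for dn in self.entries if dn[-len(old_parent):] == old_parent)
        self.entries = renamed
        return changed


def flat_tree_collisions() -> list:
    """Flat tree: everyone directly under ou=People, named by cn.
    Returns the DNs that could not be added because they already existed."""
    dit, collisions = Dit(), []
    for name, dept in PEOPLE:
        try:
            dit.add((("cn", name), ("ou", "People")) + BASE, department=dept)
        except DuplicateDN as dup:
            collisions.append(str(dup))
    return collisions


def deep_tree_reorg() -> tuple:
    """Deep tree by department: the two Mike Smiths no longer collide, but
    folding ou=Engineering into ou=R&D renames every DN beneath it.
    Returns (number of DNs changed, sorted DNs after the move)."""
    dit = Dit()
    for name, dept in PEOPLE:
        dit.add((("cn", name), ("ou", dept)) + BASE, department=dept)
    changed = dit.move_subtree(
        (("ou", "Engineering"),) + BASE,
        (("ou", "Engineering"), ("ou", "R&D")) + BASE,
    )
    return changed, sorted(render(dn) for dn in dit.entries)


if __name__ == "__main__":
    print("flat-tree collisions:", flat_tree_collisions())
    changed, dns = deep_tree_reorg()
    print(f"deep-tree reorg changed {changed} DN(s):")
    print("\n".join(dns))
```

Running the module shows the one collision in the flat layout and the one renamed DN after the department move; with more staff under ou=Engineering every one of them would be renamed, which is the administrative cost the "constantly changing organization" bullet refers to, and any application that stored the old DN (group membership, ACLs, certificate subjects) would then hold a dangling reference.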
DIT Design: Selecting a Distinguished Name
cn=Mike Smith, ou=People, o=Perot Systems, c=US
c=US
  o=Perot Systems
    ou=People
      cn = Mike Smith
- DN changes if a female marries
- DN changes if I change my nickname
- Name may not be unique
DIT Design: Selecting a Distinguished Name
cn=0175387, ou=People, o=Perot Systems, c=US
c=US
  o=Perot Systems
    ou=People
      cn = 0175387
      givenName = Michael
      nickname = Mike
      surname = Smith
+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
- Browser shows useless information
- Microsoft and Netscape mail clients expected a real name in the commonName (cn) field
DIT Design: Selecting a Distinguished Name
uid=0175387, ou=People, o=Perot Systems, c=US
c=US
  o=Perot Systems
    ou=People
      uid = 0175387
      cn = Mike Smith
      givenName = Michael
      nickname = Mike
      surname = Smith
+ DN guaranteed to be unique
+ DN never changes
+ More robust searching using name components
+ commonName (cn) field contains a real name, to work well with other LDAP applications
- Browser shows useless information
DIT Design: Selecting a Distinguished Name
uid=smithMJ, ou=People, o=Perot Systems, c=US
c=US
  o=Perot Systems
    ou=People
      uid = smithMJ
      cn = Mike Smith
      givenName = Michael
      nickname = Mike
      surname = Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ commonName (cn) field contains a real name
+ Browser shows more useful information (although not as ideal as a full name)
+ Directly maps to a user’s logon ID (can be used for single sign-on)
- DN has the potential to change if the name or UID changes
- Entrust product requires the commonName (cn) to be part of the DN
DIT Design: Selecting a Distinguished Name
cn=Mike Smith + uid=smithMJ, ou=People, o=Perot Systems, c=US
c=US
  o=Perot Systems
    ou=People
      cn = Mike Smith + uid = smithMJ
      givenName = Michael
      nickname = Mike
      surname = Smith
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user’s logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Very hokey way of achieving uniqueness
- Complicated DN syntax
- More complicated directory logon procedures
- This syntax may not be accepted as standard in the future
DIT Design: Selecting a Distinguished Name
cn=smithMJ, ou=People, o=Perot Systems, c=US
c=US
  o=Perot Systems
    ou=People
      cn = smithMJ
      cn = Mike Smith
      givenName = Michael
      nickname = Mike
      surname = Smith
      uid = smithMJ
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user’s logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Data is duplicated in several areas (uid and cn)
- Value displayed for commonName may vary
DIT Design: Selecting a Distinguished Name
c=US
  o=Perot Systems
    ou=People
      cn = smithMJ  (ALIAS POINTER)
    ou=Certificates
      uid = smithMJ
      cn = Mike Smith
      givenName = Michael
      nickname = Mike
      surname = Smith
cn=smithMJ, ou=People, o=Perot Systems, c=US
uid=smithMJ, ou=Certificates, o=Perot Systems, c=US
+ DN guaranteed to be unique
+ More robust searching using name components
+ Directly maps to a user’s logon ID (can be used for single sign-on)
+ commonName (cn) field contains a real name
+ commonName (cn) is part of the DN
- DN has the potential to change
- Problems with X.500 aliases:
  – no built-in referential integrity
  – will LDAPv3 support them?
DIT Design: An IETF DIT Naming Proposal
http://www.imc.org/draft-ietf-ids-dirnaming
“The X.500 approach to naming has become an obstacle to the wide deployment of directory-enabled applications on the Internet.”
• The dc naming attribute stands for domain component
• The idea is to map the upper levels of the tree to registered DNS names (in this case acme.com)
• Lower levels of the tree also use the dc naming attribute
• Each user is identified with the uid naming attribute containing the email address
dc=com
  dc=acme
    dc=Corporate  dc=Customers
      dc=DalSite
        uid = [email protected]
        cn = Mike Smith
        givenName = Michael
        surname = Smith

        uid = [email protected]
        cn = Jane Doe
        givenName = Jane
        surname = Doe
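The "Selecting a Distinguished Name" slides compare several naming schemes (cn=Mike Smith, an employee number, uid=smithMJ, the multi-valued RDN cn=Mike Smith+uid=smithMJ) by whether the DN is unique and whether it survives a name change, and the IETF proposal above maps a registered DNS name onto dc components. The following is an added example, not code from the presentation or from the IETF draft: it builds each of those DNs with the escaping rules of the LDAP DN string representation (RFC 4514), supports multi-valued RDNs, performs the dc mapping, and checks which schemes keep the DN stable across a surname change. The person record and the e-mail address are constructed placeholders, and `person_dn`, `dn_from_dns` and `dn_survives_surname_change` are names chosen here, not a library API.

```python
"""Building DNs for the naming schemes on the preceding slides.

Constructed example: escape_value follows the RFC 4514 string-representation
rules; rdn/dn assemble RDNs (a multi-valued RDN is joined with '+');
dn_from_dns performs the dc mapping of the IETF proposal. The person record
and the e-mail address below are made up for the example.
"""
import re

# Characters that must be backslash-escaped anywhere inside an attribute
# value in the string form of a DN (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;')
_DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def escape_value(value: str) -> str:
    """Escape an attribute value for embedding in a DN string. Without this,
    a value such as 'Smith, Mike' would be parsed as two separate RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)          # leading '#'/space and trailing space too
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def rdn(*avas) -> str:
    """One RDN from (attribute, value) pairs; two or more pairs give a
    multi-valued RDN such as cn=Mike Smith+uid=smithMJ."""
    return "+".join(f"{attr}={escape_value(value)}" for attr, value in avas)


def dn(*rdns) -> str:
    """Join RDN strings, leaf first, into a DN string."""
    return ",".join(rdns)


def dn_from_dns(domain: str) -> str:
    """Map a registered DNS name to dc components: acme.com -> dc=acme,dc=com."""
    labels = domain.strip(".").split(".")
    for label in labels:
        if not _DNS_LABEL.fullmatch(label):
            raise ValueError(f"not a valid DNS label: {label!r}")
    return dn(*(rdn(("dc", label)) for label in labels))


X500_SUFFIX = dn(rdn(("ou", "People")), rdn(("o", "Perot Systems")), rdn(("c", "US")))

# Constructed record; the e-mail domain is a placeholder, not a real address.
MIKE = {"employee_id": "0175387", "uid": "smithMJ", "givenName": "Michael",
        "nickname": "Mike", "surname": "Smith", "mail": "mike.smith@acme.example"}


def person_dn(scheme: str, person: dict, suffix: str = X500_SUFFIX) -> str:
    """DN for one person under each naming scheme discussed on the slides."""
    full_name = f"{person['nickname']} {person['surname']}"
    if scheme == "cn":          # cn=Mike Smith
        leaf = rdn(("cn", full_name))
    elif scheme == "number":    # cn=0175387 (employee number)
        leaf = rdn(("cn", person["employee_id"]))
    elif scheme == "uid":       # uid=smithMJ
        leaf = rdn(("uid", person["uid"]))
    elif scheme == "cn+uid":    # cn=Mike Smith+uid=smithMJ (multi-valued RDN)
        leaf = rdn(("cn", full_name), ("uid", person["uid"]))
    elif scheme == "mail":      # uid=<e-mail address>, intended for the dc tree
        leaf = rdn(("uid", person["mail"]))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return dn(leaf, suffix)


def dn_survives_surname_change(scheme: str, person: dict, new_surname: str) -> bool:
    """True if the DN is unaffected by a surname change. The uid is assumed to
    be kept as issued; a uid re-derived from the new surname would move too."""
    after = dict(person, surname=new_surname)
    return person_dn(scheme, person) == person_dn(scheme, after)


if __name__ == "__main__":
    dc_suffix = dn(rdn(("dc", "DalSite")), rdn(("dc", "Corporate")), dn_from_dns("acme.com"))
    for scheme in ("cn", "number", "uid", "cn+uid"):
        stable = dn_survives_surname_change(scheme, MIKE, "Jones")
        print(f"{scheme:7} {person_dn(scheme, MIKE):55} stable={stable}")
    print(f"{'mail':7} {person_dn('mail', MIKE, dc_suffix)}")
```

Only the schemes whose RDN carries no name component (employee number, issued uid) keep their DN when the surname changes, which is the "DN never changes" bullet; the escaping in `escape_value` is what keeps a display name containing a comma or plus sign from being misread as extra RDN components when such a value is used as the RDN.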
DIT Design: Conclusion
• Robust DIT naming and design standards are not in place yet
• There is currently no single “right way” to design your DIT that applies to everyone
• Take into consideration your organization
  – the organizational structure
  – the organization’s tendency to change
  – the organization’s current size and potential to grow
• Take into consideration how you want to use the directory
  – what information will be stored in the directory
  – who will own what data and how it will be mastered
  – what other systems in the infrastructure will be using/storing the data
  – how and what applications will be accessing the data

Questions???
Jim Rommel
Perot Systems Corporation
email: [email protected]
phone: 972-461-3689
fax: 972-461-3030