The Directory
A distributed database
Distributed maintenance
Purpose of a Directory
A directory is a way to store data in an organized way for easy access.
The primary operation on a directory is LOOKUP.
This means that a directory is optimized for reading rather than for creation or update. Note the distinction from a database.
Why a directory? Tracking users' software configuration preferences in a directory can give them the mobility they need to work from any location. Rather than being stored in a local registry or preferences file, accessible only from a single computer, this information can essentially travel around the network with the user.
Tracking access privileges in a directory enables network administrators to keep users out of parts of the network that are off limits to them. Storing access control rights in the directory enables multiple applications to have easy access to the same security settings.
Centralizing user account and password information can minimize password management and disparate sign-ons across applications.
Managing Web site configuration information in a centralized directory makes site administration simpler. One configuration change in the directory can easily be applied to all the servers at the site.
LDAP has the potential to do for directories what HTTP and HTML did for documents
Ref: http://developer.netscape.com/viewsource/rose_ldap.html
Four ways to describe a directory
Informational Model: what does the directory hold? How are the entries related?
Functional Model: how does it operate? What services are available to serve a user?
Organizational Model: who owns it and how do they manage it?
Security Model: what authorization and authentication?
Information Stored in the Directory
Directory Information Base (DIB) composed of entries
Each entry holds information about one object: a person, a printer, a company, a state or province, an application entity ... or anything else
Entry composed of attributes
Each attribute consists of a type and one or more values
Object Classes
Object class = identified family of objects with some common set of characteristics; ex. person is an object class
o common attributes: commonName, surname
o optional attributes: description, telephoneNumber, userPassword, seeAlso
Subclass: organizationalPerson
A subclass of person must have all the required attributes, may have the optional attributes, and may have additional attributes
• ex. title, organizationalUnitName, etc.
Structure of the DIB
Tree-like: entries form the vertices of the tree; arcs define the relation between entries
Distinguished name (DN): uniquely and unambiguously identifies each entry; constructed from the identities of the ancestors in the tree plus a specially designated set of attribute values from the entry
Entry components (figure: an entry is a set of attributes; each attribute has a type and one or more values, one of which can be the distinguished attribute value)
Example entry:
Surname: Cassel, Riley
commonName: L. N. Cassel, Lillian N. Cassel, Boots
telephoneNumber: +1 610 555 1234
One attribute/value pair is the Relative Distinguished Name for the entry. Surname=Cassel, for example, would identify this entry.
Attribute objectclass: person
Objectclass is the type of the entry as a whole. It tells the directory what kinds of information can or should be included in the entry.
An example entry
A portion of the standard Directory Information Tree (figure: Root, with Country, Organization and Locality entries beneath it, and resPerson, grp, ou, org and locality entries below those)
Sample section of a DIT
Root
  C=US
    L=PA
      Org=VU
        OU=Computing Sciences
          grp=Faculty
            CN=Lillian N. Cassel, PN=+1 610 555 1234, L=162A Mendel Hall (an entry with 3 attributes)
          grp=equipment
            CN=m163ps, Desc=PostScript Printer, L=163 Mendel
Also shown in the figure: L=Mendel Hall
The Directory Schema
Rules governing:
o attribute types allowed for each class of object
o the form of values for each attribute type
o the class of object that can be a child entry of a given class of object
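As an added example (not part of the original slides), here is a small Python model of the DIB described above: object classes with required and optional attributes and subclass inheritance, entries as attribute type/value pairs, DNs assembled from the chain of ancestor RDNs in the sample DIT, and the schema checks the slides list. The class and function names and the title value are this example's own assumptions.

```python
# Added example, not the slides' code: a minimal model of the DIB, DN/RDN and schema rules.
class ObjectClass:
    def __init__(self, name, required, optional, parent=None):
        self.name = name
        # A subclass must carry every required attribute of its parent and may carry
        # the parent's optional attributes plus its own additions.
        self.required = set(required) | (parent.required if parent else set())
        self.optional = set(optional) | (parent.optional if parent else set())

PERSON = ObjectClass("person", ["commonName", "surname"],
                     ["description", "telephoneNumber", "userPassword", "seeAlso"])
ORG_PERSON = ObjectClass("organizationalPerson", [], ["title", "organizationalUnitName"], PERSON)
SCHEMA = {c.name: c for c in (PERSON, ORG_PERSON)}

class Entry:
    def __init__(self, rdn, attrs, parent=None):
        self.rdn, self.attrs, self.parent = rdn, attrs, parent  # rdn=(type, value); attrs: type -> values

    def dn(self):
        """DN: own RDN first, then each ancestor's RDN up to (but excluding) the root."""
        parts, node = [], self
        while node is not None:
            parts.append(f"{node.rdn[0]}={node.rdn[1]}")
            node = node.parent
        return ",".join(parts)

def schema_violations(entry):
    """Schema checks from the slides: the RDN comes from the entry's own attributes,
    required attributes are present, and only attributes the object class allows appear."""
    problems = []
    rtype, rvalue = entry.rdn
    if rvalue not in entry.attrs.get(rtype, []):
        problems.append("RDN value is not an attribute value of the entry")
    cls = SCHEMA.get(entry.attrs.get("objectclass", [""])[0])
    if cls is None:
        return problems + ["objectclass unknown to the schema"]
    present = set(entry.attrs)
    problems += [f"missing required attribute {a}" for a in sorted(cls.required - present)]
    allowed = cls.required | cls.optional | {"objectclass"}
    problems += [f"attribute {a} not allowed for {cls.name}" for a in sorted(present - allowed)]
    return problems

# The sample DIT from the slides, root to leaf (the root itself has no RDN).
us = Entry(("C", "US"), {"C": ["US"]})
pa = Entry(("L", "PA"), {"L": ["PA"]}, us)
vu = Entry(("Org", "VU"), {"Org": ["VU"]}, pa)
cs = Entry(("OU", "Computing Sciences"), {"OU": ["Computing Sciences"]}, vu)
faculty = Entry(("grp", "Faculty"), {"grp": ["Faculty"]}, cs)
cassel = Entry(("surname", "Cassel"), {"objectclass": ["organizationalPerson"],
    "surname": ["Cassel", "Riley"], "commonName": ["L. N. Cassel", "Lillian N. Cassel", "Boots"],
    "telephoneNumber": ["+1 610 555 1234"], "title": ["Professor"]}, faculty)  # title: constructed
# Constructed entry that claims plain person but carries a subclass-only attribute:
bad = Entry(("surname", "Doe"), {"objectclass": ["person"], "surname": ["Doe"], "title": ["Staff"]}, faculty)
```

Running the checks shows that the faculty entry is schema-clean and yields the DN built from its ancestors, while the second entry is rejected for a missing required attribute and an attribute its class does not allow.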
The Directory Service
Operations to interrogate and modify the content of the Directory
Control access to DIT entries
Ensure that any changes continue to obey the rules of the schema
Functional Model players
Directory User Agent (DUA): participates in the Directory protocol on behalf of a user
Directory Service Agent (DSA): responds to requests for information from the directory; requests come from DUAs or other DSAs
Functional Model
Describes the Directory in terms of operations performed by a DUA and one or more DSAs serving the request of the DUA.
The DUA gains access by binding to an access point represented by a particular DSA.
A DSA has direct access to a portion of the Directory (the data).
A DSA has knowledge about the rest of the Directory
o so it can get information it does not have
DSA - DUA interaction (figure: one DUA bound to a DSA, which in turn communicates with several other DSAs)
The user sees the directory as one collection accessible through one interface. Directory servers interact with each other to provide the response.
X.500 and LDAP
X.500 is the ITU specification of a global directory intended to run over a full ISO protocol stack
LDAP is a lightweight version of X.500 that runs directly over TCP/IP
LDAP was originally intended as a frontend to the X.500 Directory, but now runs standalone as well.
Security Model
Authorization given to: subtree, entry, attribute type
Authorization allowed by: individual, groups, owner
Access
Give authority to:
o Owner – to update phone number, address, etc.
o Project managers – to update project information
o Department – to update goal statements
o etc.
Security issues
Authentication: Who are you and how do I know that?
Confidentiality: Who is entitled to this unit of information?
Integrity: Is the data uncorrupted?
Authorization: You are entitled to access some resources, but not others.
Directory Security Examples

| Scenario | Contains Sensitive Data? | Connection Hijacking or IP Spoofing Threats? | Anonymous Requesters? | Read/Write? | Identified Requesters? | Read/Write? | Required Directory-Specific Security Mechanisms or Functions |
|---|---|---|---|---|---|---|---|
| 1 | N | N | Y | RO | N | | None |
| 2 | N | N | N | N/A | Y | RO | Secure Authentication |
| 3 | N | Y | N/A | N/A | N/A | N/A | Mutual authentication, Connection Integrity-Protection |
| 4 | N | N | Y | RO | Y | RW | Secure Authentication |
| 5 | Y | Y | N/A | N/A | N/A | N/A | Mutual authentication, Connection Integrity- and Confidentiality-Protection |
Ref: Jeff Hodges; [email protected]; http://www.oblix.com/
Data Integrity: Replication
There are world-wide directories
Performance issues
o Data distributed over the whole world
o Multiple copies of sections of the DIT
o Local copy may not be completely up to date
DUA always knows when it receives information from a copy
Local directories may be copies of remote directories or stand-alone directories; the performance issues are different
Cache and Shadow copies
Cache copies: not covered in the specification; unofficial copies, no guarantee of accuracy
Shadow copies: obtained in accordance with procedures in the Directory specification; official, controlled copy; not necessarily up to date at all times, but there is a limit to the time before it will be updated.
LDAP in use
Address access to LDAP
LDAP related RFCs
Find more: http://www.openldap.org/
More information on LDAP
http://www.kingsmountain.com/ldapRoadmap.shtml
Pointers to recent articles
Pointers to downloadable copies of the software
Updates on status
etc.
Directory summary
Distributed information: performance issues, security issues
Consistent structure of information makes distributed access easier
Local use has many applications in coordinated access and security within an organization