• Provide any organized set of records • Directory is a map between names and values • Looks like a dictionary • A name may be associated with multiple pieces of data
System Agent • Client sends an operation request to the server • Server sends responses in return Common behavior: • Client doesn't need to wait response to send a new request • Server may send the responses in any order
entries • An entry consists of a set of attributes • Attributes must have names • Entries have a unique identifier (DN = Distinguished Name) Relative Distinguished Name (RDN) RDN is constructed from some attributes in the entry, followed by the parent entry's DN: uid=lviana,ou=People,dc=locaweb,dc=com,dc=br
objectClass: organizationalPerson objectClass: top cn: José Cuervo sn: Cuervo givenName: José mail: [email protected] uid: jose.cuervo UserPassword: 9bGZ1eW0vVHAxVEdsREV1T3dFbnBaL0pWWnM1UGVTa0p Tip: DN's can be changed, but each entry have a unique identifier (UUID)
directory today? ✔ What immediate problem is solved by deploying a directory? ✔ What are your application needs on the directory? ✔ What information will be on the directory now? ✔ What information will be on the directory in the near future? Tip: Perform a site survey before defining the schema!
organization responsible for making sure the data is up-to-date. Common data ownership strategies: • Read-only global with Read-write restricted to some groups • Individuals have their own read-write subsets • Roles that give groups of people read or write access • Access restricted just to directory managers
one object class • Used to group related information • Typically represents a real object • Standard object classes are sufficient for most environments • Can be extended and used with the standard ones
• A unique name • An object identifier that names the object (OID) • A set of mandatory attributes • A set of allowed attributes (optional attributes) objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard Person Object Class' SUP top MUST (objectclass $ sn $ cn $ userPassword) MAY (description $ seeAlso $ telephoneNumber) XORIGIN 'RFC 2252' )
Keep everything as simple as possible • Reuse existing elements whenever possible • Avoid using too many mandatory attributes • Do not modify existing definitions of attributes
attribute must be assigned a unique name and object identifier (OID) 1.Obtain an OID from Internet Assigned Numbers Authority (IANA) 2.Create an OID registry to track OID assignments 3.Create branches in the OID tree accommodating elements Tip: Create at least 2 branches on the directory schema, using OID.1 for attributes and OID.2 for object classes. Define custom rules or controls adding new branches.
schema rules ✔ Use syntax validation in attribute values ✔ Select and apply a consistent data format ✔ Use encryption when needed Attention when using replicated schemas! Do not: ✗ Modify the schema on a read-only replica ✗ Use too many useless ACI's ✗ Create same name attributes that use different syntaxes
deployment! ➔ Simplified directory data ➔ Flexibility in creating replication policies ➔ Directory data according to the access controls ➔ Support for the client applications ➔ Simplified navigation for the directory
Internet domain name • Globally unique and static • Short and easy to remember • Branch the directory according to your organization • Use common objects to define the initial tree • Identify branch points • Define organizational entries needed • Define RDN's for your entries • Naming group entries • Static groups – Few members defined • Dynamic groups – Search filter / Subtree
stable, supports multi-master replication and have extensive documentation. ✔ Multi-master native replication ✔ Active Directory user and group synchronization ✔ Secure authentication and transport (SSLv3, TLSv1, and SASL) ✔ Online, zero downtime, LDAP based schema update and ACI's ✔ Compatible with Linux, Solaris and HP-UX ✗ Lack of administration tools (Java Desktop Client) ✗ Too complex for simple environments
multi- platform and have a flexible back end administration. ✔ Standards compliant and very extensible (Java) ✔ Front end is completely separable from its back end ✔ Complete administration tool (complete front-end) ✔ Administration via a special system back end (LDAP based) ✔ Ability to handle large amounts of concurrency ✗ Too simple multi master architecture ✗ Lack of documentation
LDAP server available on most Unix / Linux distributions. ✔ Multi-platform server (C / C++) ✔ Complete libraries ✔ Available natively on most Linux distributions ✔ Multiple back ends and multi-master support ✔ Modular structure ✗ No administration interface ✗ Non native multi-master replication (syncrepl)
source • Identity management functions included • XML based configuration file (Fully configurable) • Open source project written in Java • Support for SSL / TLS and LDAP v3 extensions • Database support using native JDBC, and Microsoft Active Directory compatible!
= "uid=jovem,ou=people,dc=anydomain,dc=com" password = "mypass" conn = ldap.open("127.0.0.1") conn.protocol_version = ldap.VERSION3 conn.simple_bind(username, password) except ldap.LDAPError, e: print e # You can handle the error however you like :)
lviana
sansantech
narirou
atsushii
ymd65536
kakehashi
ryuichi1208
sygyzmundovych
mtakeya4062
yussugi
moriya0130
guvalif
sudoakiy
tammyeverts
holman
skipperchong
addyosmani
kneath
malarkey
bryan
paulrobertlloyd
morganepeng
bcantrill
brettharned
![Large Scale LDAP Deployment Luiz Viana, [email protected] Locaweb Systems Administrator](https://files.speakerdeck.com/presentations/4f1722bf8c93d7001f00d03e/slide_0.jpg){kind=link}
![Erlang Example #Erlang simple authentication handler {_,S} = eldap:open(["127.0.0.1"], []).](https://files.speakerdeck.com/presentations/4f1722bf8c93d7001f00d03e/slide_31.jpg){kind=link}
![And finally... Questions? :) Presentation available on: http://include.io/talks @luizxx, [email protected]](https://files.speakerdeck.com/presentations/4f1722bf8c93d7001f00d03e/slide_33.jpg){kind=link}
