Got LDAP? Deploying the Lightweight Directory Access Protocol. Leif Hedstrom <leif@netscape.com>, Netscape Communications Corp.
Agenda • Brief introduction to LDAP • Why use LDAP? • Planning your deployment • Architecture features • Designing your Directory Information Tree • Managing your LDAP system 12th Usenix LISA, 1998
Agenda (cont.) • Selecting software • Conclusions • Resources and further reading
Background and history of LDAP • Has its roots in X.500 (hence the “DAP” in the name) • Developed initially at the University of Michigan, and is now an IETF standard • Accepted standard for directory services, embraced by all the “big” players • LDAP is a protocol, not a database • Client-server based, ASN.1 (BER) encoding on the wire
LDAP Basics: Attributes • Every entry consists of one or more attribute/value pairs • Every attribute has a syntax, e.g. bin (binary), tel (telephone number), ces (case-exact string), cis (case-ignore string) • Attributes can be single- or multi-valued, e.g.
    cn=Leif Hedstrom
    cn=The Swede
    mailHost=tintin.netscape.com
What is an Objectclass? • Every entry must have at least one objectclass attribute value • Defines the database schema, specifying which attributes an entry can, and must, include • Many standard classes available • Extensible • Structural, with inheritance
Example: Objectclass person (Netscape slapd.at.conf / slapd.oc.conf syntax)
    attribute cn commonName 2.5.4.3 CIS
    attribute sn surName    2.5.4.4 CIS
    …
    objectclass person
        oid      2.5.6.6
        superior top
        requires sn, cn
        allows   description, seeAlso, telephoneNumber, userPassword
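The schema check a server performs on every add or modify, written out as an added example (not code from the talk or from Netscape Directory Server): the "person" class is transcribed from the slide, "top" is reduced to the single attribute it requires, and an entry is validated against the requires/allows sets collected along the superior chain. Attribute and class names are compared case-insensitively, as LDAP does.

```python
# Added example: validate entries against objectclass definitions of the kind
# shown on the slide (superior / requires / allows), including inheritance
# from the superior class. Names are stored lowercase; LDAP ignores case.
SCHEMA = {
    # "top" reduced to what the example needs: every entry carries objectclass
    "top": {"superior": None, "requires": {"objectclass"}, "allows": set()},
    # transcribed from the slide
    "person": {
        "superior": "top",
        "requires": {"sn", "cn"},
        "allows": {"description", "seealso", "telephonenumber", "userpassword"},
    },
}


def class_chain(name):
    """Yield an objectclass and each of its superiors, up to top."""
    name = name.lower()
    while name is not None:
        if name not in SCHEMA:
            raise ValueError("unknown objectclass: %s" % name)
        yield name
        name = SCHEMA[name]["superior"]


def check_entry(entry):
    """entry: {attribute: [values]}. Returns a list of violations; an empty
    list means the entry fits its objectclasses. A real server refuses the
    operation with objectClassViolation on any of these."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectclass"]
    problems, required, allowed = [], set(), set()
    for oc in classes:
        try:
            for c in class_chain(oc):
                required |= SCHEMA[c]["requires"]
                allowed |= SCHEMA[c]["allows"]
        except ValueError as err:
            problems.append(str(err))
    for a in sorted(required - set(attrs)):
        problems.append("missing required attribute: %s" % a)
    for a in sorted(set(attrs) - required - allowed):
        problems.append("attribute not allowed by objectclasses: %s" % a)
    return problems


# Constructed sample entries for the example.
GOOD_ENTRY = {
    "objectClass": ["top", "person"],
    "cn": ["Leif Hedstrom", "The Swede"],
    "sn": ["Hedstrom"],
    "telephoneNumber": ["+1 650 555 0100"],
}
BAD_ENTRY = {
    "objectClass": ["person"],
    "cn": ["Leif Hedstrom"],
    "mailHost": ["tintin.netscape.com"],  # needs a mail objectclass, not person
}

if __name__ == "__main__":
    for name, e in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, check_entry(e) or "ok")
```

The second entry fails for two reasons the slide's definition makes visible: sn is required, and mailHost is neither required nor allowed by person, so it needs an additional (auxiliary) objectclass that defines it.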
Distinguished Name, DN • The unique identifier for every entry • Example: uid=leif, ou=People, dc=Netscape, dc=com • Forms the hierarchy in your data; each “node” is both an entry and a potential branch point • The relative DN (RDN), e.g. uid=leif, is the leftmost component; it must be unique among the entries directly under the same parent (the same RDN may appear again under a different parent)
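DN handling as an added example (not from the talk): split a DN of the form on the slide into its RDNs, find an entry's parent, and report RDNs that collide with a sibling under the same parent. Backslash-escaped and quoted commas (RFC 2253 syntax) are not treated as separators, and comparison is case-insensitive, as it is for the cis attributes Netscape uses for uid and cn. Multi-valued RDNs (a=1+b=2) are not handled.

```python
# Added example: DN parsing and per-parent RDN uniqueness.

def split_dn(dn):
    """Split a DN string into RDN strings, leaf first. A comma that is
    backslash-escaped or inside double quotes is part of the value; the
    escape sequences themselves are preserved in the returned RDNs."""
    rdns, buf, i, quoted = [], [], 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep "\," "\+" etc. intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize_rdn(rdn):
    """Canonical form for comparisons: attribute type and value lowercased,
    runs of whitespace in the value collapsed (cis-style matching)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), " ".join(value.split()).lower())


def parent_dn(dn):
    """DN of the entry one level up; '' if dn is a root suffix."""
    return ", ".join(split_dn(dn)[1:])


def rdn_conflicts(dns):
    """Return the DNs whose RDN duplicates that of an earlier sibling,
    i.e. same normalized RDN under the same normalized parent."""
    seen, conflicts = set(), []
    for dn in dns:
        rdns = split_dn(dn)
        key = (tuple(normalize_rdn(r) for r in rdns[1:]), normalize_rdn(rdns[0]))
        if key in seen:
            conflicts.append(dn)
        seen.add(key)
    return conflicts


# Constructed DNs for the example.
SAMPLE_DNS = [
    "uid=leif, ou=People, dc=Netscape, dc=com",
    "uid=LEIF, ou=people, dc=netscape, dc=com",        # same RDN, same parent
    "uid=leif, ou=Contractors, dc=Netscape, dc=com",   # same RDN, other parent
    "cn=Smith\\, John, ou=People, dc=Netscape, dc=com",  # escaped comma in value
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(split_dn(dn), "parent:", parent_dn(dn))
    print("conflicts:", rdn_conflicts(SAMPLE_DNS))
```

The third DN is legal: uid=leif is unique under ou=People and separately unique under ou=Contractors. Whether that is desirable is a DIT design question (a flat tree avoids it entirely), and it is exactly why the monitoring slide later asks for anomaly checks such as duplicate uids across the whole directory.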
Why use LDAP? • Understand the reasons for your LDAP deployment • What problems are you solving? • What is the target audience? • Key applications and clients • Don’t deploy LDAP without a good reason • Make sure you have well-defined and measurable goals
Example goals (@Netscape) • Scalability and performance • Reliable and robust • Security • Easy to maintain, extend and upgrade • Provide our users with the services they need • Make system administration easier and more efficient (less manual work)
Preparing for your deployment • Have a brilliant plan, but be flexible • Analyze existing systems, procedures and resources • Get other people involved, e.g. • HR • Legal • Network/Telco people • IS HelpDesk
Common problems • Changing existing procedures is difficult • Might require assigning new or different tasks to some people • Make sure you have support from management • Mmmm, politics...
Doing a pilot deployment • Decide on a few applications to LDAP’ify, e.g. a phonebook • Find volunteers to use your applications • Run the deployment as if it were full scale • Analyze the results, get feedback from users • Modify and refine your deployment plan accordingly
DIT design • Flat structure? Probably a good idea: entries then do not have to move when people change department or location • But adapt to corporate and organizational needs, and be flexible
DIT design • Decisions, decisions, decisions... • Naming attributes (cn, uid … ?) • Replication points • Delegation and ACL issues • Be prepared for changes • Organizational changes • Geographical changes • Changes in ownership and delegation
Data replication • Replication for redundancy, performance and scalability • Single-master vs. multi-master • Cascaded replication (single master) • Scalable replication • Efficient replication, e.g. to Europe, by replicating from a local hub rather than from the master • Reduces load on the master server
Cascaded replication (@Netscape) [diagram not reproduced]
Delegation and data ownership • Move responsibility for maintenance close to the data source (or the owner) • Systems and applications • Users • Groups of users (e.g. managers) • Reduces load on central resources • Depends heavily on the server’s ACL mechanisms and on groups
LDAP integration • Integration with existing applications • Mail servers • Web servers (e.g. for authentication) • Integration with existing databases • Replace legacy systems with LDAP • Synchronize when appropriate • Integrated solutions (e.g. ypldapd, an NIS server backed by LDAP) • Meta directories
Example: @Netscape [diagram not reproduced]
Efficient maintenance • LDAP server plugins/extensions • Data consistency checks • Trigger updates and automatic processes • Proactive data maintenance! • Automatic synchronization with other data • HR PeopleSoft -> LDAP • LDAP -> NIS, Win/NT, DNS etc. • PBX, badge system, certificate server etc.
Efficient maintenance (cont.) • Management tools used by users • Changing their password (Web UI) • Phonebook (a NS Gateway design) • Specific gateway used by the IS HelpDesk • Specific gateway used by our admins and other groups of users • Custom tools developed for common tasks
Maintenance tools for Sysadmins • SDKs available for most popular languages • Perl/PerLDAP • C • Java • Some typical scripts • Adding/deleting users • Group management • Changing passwords
PerLDAP: Searching for an entry

    #!/usr/bin/perl5
    use Mozilla::LDAP::Conn;

    # setup global parameters, using Getopt: the search base $base,
    # scope $sc, filter $srch, and %ld with the connection parameters
    # (host, port, bind DN, password)
    # …
    $c = new Mozilla::LDAP::Conn(\%ld);
    die "Can't connect to the LDAP server" unless $c;

    # search() returns the first matching entry, nextEntry() the rest
    $entry = $c->search($base, $sc, $srch);
    while ($entry) {
        $entry->printLDIF();
        $entry = $c->nextEntry();
    }
    $c->close();
PerLDAP: Updating an entry

    #!/usr/bin/perl5
    use Mozilla::LDAP::Conn;

    # setup global parameters, using Getopt ($base, $sc, $srch, %ld as
    # before, plus $host, the new mail host)
    # …
    $c = new Mozilla::LDAP::Conn(\%ld);
    die "Can't connect to the LDAP server" unless $c;

    $entry = $c->search($base, $sc, $srch);
    while ($entry) {
        # replace all current mailhost values with $host, then write
        # the modified entry back to the server
        $entry->setValues("mailhost", $host);
        $c->update($entry)
            or warn "Update failed: " . $c->getErrorString() . "\n";
        $entry = $c->nextEntry();
    }
    $c->close();
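In scripts like the two above, $srch and $base are assembled from command-line or web-form input. A value dropped straight into a filter can change the filter's meaning (a bare "*" turns an exact match into "everybody"; a ")" lets the caller append further assertions), and the update script would then modify every entry the widened filter returns. The escaping rules are an added example, not part of the talk's scripts; they follow RFC 2254 (filters, later RFC 4515) and RFC 2253 (DNs, later RFC 4514), and the sample inputs are constructed.

```python
# Added example: escape untrusted values before building LDAP filters and DNs.

FILTER_SPECIAL = "\\*()\x00"


def escape_filter_value(value):
    """Escape a value for use inside a filter assertion such as (uid=VALUE).
    RFC 2254/4515: backslash, '*', '(', ')' and NUL are written as \\XX hex
    pairs; everything else, including non-ASCII, passes through unchanged."""
    return "".join("\\%02x" % ord(ch) if ch in FILTER_SPECIAL else ch
                   for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use in an RDN such as uid=VALUE.
    RFC 2253/4514: ',', '+', '"', '\\', '<', '>', ';' are backslash-escaped
    anywhere; a leading '#' or space and a trailing space are escaped too."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def naive_uid_filter(uid):
    """What the scripts effectively do when $srch is built by interpolation."""
    return "(&(objectclass=person)(uid=%s))" % uid


def uid_filter(uid):
    """Same filter with the value escaped, so it only ever matches one uid."""
    return "(&(objectclass=person)(uid=%s))" % escape_filter_value(uid)


def person_dn(uid):
    """Build the DN used as $base for a single-entry search or update."""
    return "uid=%s, ou=People, dc=Netscape, dc=com" % escape_dn_value(uid)


# Constructed inputs: a normal one and two that try to widen the search.
SAMPLE_INPUTS = ["leif", "*", "leif)(cn=*"]

if __name__ == "__main__":
    for uid in SAMPLE_INPUTS:
        print("input:  ", uid)
        print("naive:  ", naive_uid_filter(uid))
        print("escaped:", uid_filter(uid))
        print("dn:     ", person_dn(uid))
```

With the escaped filter, "*" becomes "\2a" and matches only a uid whose literal value is an asterisk; with the naive one it matches every person entry under $base, and the update script would rewrite mailhost for all of them. DN escaping is a different rule set, which is why the two helpers are kept separate.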
Monitoring • Monitor via scripts, or perhaps SNMP • Perhaps using the server’s cn=monitor entry • Try to detect data anomalies or inconsistencies (but be proactive) • Make sure replication is working: compare replica contents against the master, not just that the replica answers • Performance monitoring • Are the servers responsive? High load? • Detect bad clients, or LDAP-intensive clients
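The two checks the “Efficient maintenance” and “Monitoring” slides ask for (data consistency and verified replication) as one added example, not from the talk: parse LDIF exports of a master and a replica (as produced by ldapsearch or the server’s db2ldif), report entries missing or stale on the replica, and flag anomalies in the master data (duplicate uids across parents, person entries with no mailHost). The LDIF below is constructed for the example; the parser handles folded lines and base64 (“::”) values but not change records.

```python
# Added example: LDIF-based replication and data-consistency check.
import base64


def parse_ldif(text):
    """Parse LDIF content records into {dn: {attr: [values]}}.
    Continuation lines (leading space) are unfolded, 'attr:: value' is
    base64-decoded, '#' comment lines are skipped, attribute names are
    lowercased. Change records (changetype:) are out of scope here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def compare_replicas(master, replica):
    """Differences seen from the master: DNs missing on the replica, DNs
    only on the replica, and (dn, attr) pairs whose value sets differ."""
    missing = sorted(set(master) - set(replica))
    extra = sorted(set(replica) - set(master))
    changed = []
    for dn in sorted(set(master) & set(replica)):
        for attr in sorted(set(master[dn]) | set(replica[dn])):
            if set(master[dn].get(attr, [])) != set(replica[dn].get(attr, [])):
                changed.append((dn, attr))
    return {"missing": missing, "extra": extra, "changed": changed}


def find_anomalies(entries):
    """Data anomalies worth alerting on: the same uid value on more than one
    entry anywhere in the tree, and person entries without a mailHost."""
    by_uid = {}
    for dn, attrs in entries.items():
        for uid in attrs.get("uid", []):
            by_uid.setdefault(uid.lower(), []).append(dn)
    duplicate_uid = sorted(u for u, dns in by_uid.items() if len(dns) > 1)
    no_mailhost = sorted(
        dn for dn, a in entries.items()
        if "person" in [c.lower() for c in a.get("objectclass", [])]
        and "mailhost" not in a)
    return {"duplicate_uid": duplicate_uid, "no_mailhost": no_mailhost}


# Constructed LDIF exports. The replica lacks uid=bob and has a stale
# mailHost for uid=leif; the master carries uid=leif under two parents.
MASTER_LDIF = """\
dn: uid=leif, ou=People, dc=Netscape, dc=com
objectClass: top
objectClass: person
uid: leif
cn: Leif Hedstrom
cn: The Swede
sn: Hedstrom
mailHost: tintin.netscape.com
description: Directory serv
 er admin

dn: uid=anna, ou=People, dc=Netscape, dc=com
objectClass: top
objectClass: person
uid: anna
cn:: QW5uYSBMaW5kcXZpc3Q=
sn: Lindqvist
mailHost: milou.netscape.com

dn: uid=bob, ou=People, dc=Netscape, dc=com
objectClass: top
objectClass: person
uid: bob
cn: Bob Example
sn: Example

dn: uid=leif, ou=Contractors, dc=Netscape, dc=com
objectClass: top
objectClass: person
uid: leif
cn: Leif Contractor
sn: Contractor
mailHost: tintin.netscape.com
"""

REPLICA_LDIF = MASTER_LDIF.replace(
    "mailHost: tintin.netscape.com\ndescription", "mailHost: old.netscape.com\ndescription"
).split("dn: uid=bob")[0] + MASTER_LDIF.split("\n\n")[3]

if __name__ == "__main__":
    master, replica = parse_ldif(MASTER_LDIF), parse_ldif(REPLICA_LDIF)
    print(compare_replicas(master, replica))
    print(find_anomalies(master))
```

Run on real exports, the comparison must be done on a quiescent snapshot or with a tolerance window, since entries changed between the two exports show up as false positives; the anomaly checks are independent of replication and can run on the master alone.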
Selecting software • Does it support your architecture? • Replication? Multi-master? • ACL mechanisms? • Performance needs? • Cost • Initial costs • Maintenance costs • OS and hardware costs
Selecting software (cont.) • Standards • LDAP v2 or v3? • Extensions and controls? • Other considerations • Open Source is popular... • Support • Platforms
Some software products • Netscape Directory Server (v4.0) • Very fast, powerful ACLs • Cross platform • Standards compliant • Flexible design (plugin API) • OpenLDAP/Umich LDAP • Free! • Source code, but still behind the curve
Software products (cont.) • Microsoft Active Directory • Integration with NT (for better and for worse) • Multi-master replication • Excellent admin GUI • Only for NT • Sun’s Directory Server • Integrates with NIS
Conclusions • Spend time planning, analyzing and testing your design • Select a DIT that is as simple as possible, while still supporting your organization • Proactive and automatic maintenance is good; it helps keep the data consistent • Select the software appropriate for your architecture and needs
Literature • RFCs, drafts and other protocol papers • LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol • Tim Howes and Mark Smith • Macmillan Technology Series • ISBN 1-57870-000-0 • ~$45
Literature (cont.) • Understanding and Deploying LDAP Directory Services • Tim Howes, Mark Smith and Gordon Good • Macmillan • ISBN 1-57870-070-1 • ~$50 • Should be out early 1999
Resources • http://www.openldap.org/ • http://www.mozilla.org/directory/ • http://www.ogre.com/ldap/ • Mail questions to me at leif@netscape.com or leif@ogre.com