The Directory


Presentation Transcript


  1. The Directory
  • A distributed database
  • Distributed maintenance

  2. Purpose of a Directory
  • A directory is a way to store data in an organized way for easy access
  • The primary operation on a directory is LOOKUP
  • This means a directory is optimized for reading rather than for creation or update
  • Note the distinction from a database: a general-purpose database is tuned for frequent updates and transactions, a directory for many reads of rarely changing data

  3. Why a directory?
  • Tracking users' software configuration preferences in a directory can give them the mobility they need to work from any location. Rather than being stored in a local registry or preferences file, accessible only from a single computer, this information can essentially travel around the network with the user.
  • Tracking access privileges in a directory enables network administrators to keep users out of parts of the network that are off limits to them. Storing access control rights in the directory enables multiple applications to have easy access to the same security settings.
  • Centralizing user account and password information can minimize password management and disparate sign-ons across applications.
  • Managing Web site configuration information in a centralized directory makes site administration simpler. One configuration change in the directory can easily be applied to all the servers at the site.
  • LDAP has the potential to do for directories what HTTP and HTML did for documents.
  Ref: http://developer.netscape.com/viewsource/rose_ldap.html

  4. Four ways to describe a directory
  • Informational Model
    • What does the directory hold?
    • How are the entries related?
  • Functional Model
    • How does it operate?
    • What services are available to serve a user?
  • Organizational Model
    • Who owns it and how do they manage it?
  • Security Model
    • What authentication and authorization?

  6. Information Stored in the Directory Information Base (DIB)
  • The DIB is composed of entries
  • An entry holds information about one object: a person, a printer, a company, a state or province, an application entity ... or anything else
  • An entry is composed of attributes
    • Each attribute consists of a type and one or more values

  7. Object Classes
  • Object class = identified family of objects with some common set of characteristics
    • ex. person is an object class
    • required attributes: commonName, surname
    • optional attributes: description, telephoneNumber, userPassword, seeAlso
  • Subclass
    • organizationalPerson is a subclass of person
    • must have all the required attributes of person
    • may have the optional attributes of person
    • may have additional attributes of its own, ex. title, organizationalUnitName, etc.

  8. Structure of the DIB
  • Tree-like: the Directory Information Tree (DIT)
  • Entries form the vertices of the tree
  • Arcs define the relation between entries (each entry has exactly one superior)
  • Distinguished Name (DN)
    • Uniquely and unambiguously identifies each entry
    • Constructed from the identities of the entry's ancestors in the tree: the entry's own Relative Distinguished Name (RDN) followed by the RDN of each ancestor up to the root
    • An RDN is a specially designated set of attribute values taken from the entry itself
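
The DN construction the slide describes, as an added Python example that is not part of the original deck: a DN is built from the chain of RDNs between an entry and the root, and can be parsed back into that chain. The escaping follows the RFC 4514 string form; the point worth seeing is that without it a surname value containing a comma would name a different place in the tree. The sample values (Example Org, Administrators) are constructed for the example, and hex escapes and multi-valued RDNs are left out.

```python
# Added example, not from the slides: building a Distinguished Name from the
# chain of Relative Distinguished Names between an entry and the root, and
# parsing it back. Escaping follows the RFC 4514 string form, so a value that
# contains ',' or '=' cannot change which entry the DN names. Hex escapes
# (\2C) and multi-valued RDNs (a+b) are left out for brevity. The sample
# values (Example Org, Administrators) are constructed for the example.

SPECIAL = set(',+"\\<>;=')   # always escaped inside a value


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514, 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdn_chain):
    """rdn_chain is [(type, value), ...] from the entry up to the root, the
    order a DN string is written in (most specific RDN first)."""
    return ','.join(f"{t}={escape_rdn_value(v)}" for t, v in rdn_chain)


def naive_dn(rdn_chain):
    """The same join without escaping: right for plain values, wrong otherwise."""
    return ','.join(f"{t}={v}" for t, v in rdn_chain)


def parse_dn(dn: str):
    """Split a DN string back into (type, value) pairs, honouring backslash
    escapes so an escaped ',' or '=' stays inside its value."""
    rdns, attr_type, buf, in_value, i = [], None, [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == '=':
            attr_type, buf, in_value = ''.join(buf).strip(), [], True
        elif in_value and ch == ',':
            rdns.append((attr_type, ''.join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr_type, ''.join(buf)))
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the superior entry: drop the most specific RDN."""
    return build_dn(parse_dn(dn)[1:])


# Constructed sample: a surname value that carries DN metacharacters.
CASSEL = [("sn", "Cassel"), ("o", "Example Org"), ("c", "US")]
HOSTILE = [("sn", "Cassel,ou=Administrators"), ("o", "Example Org"), ("c", "US")]

if __name__ == "__main__":
    print(build_dn(HOSTILE))            # sn=Cassel\,ou\=Administrators,o=Example Org,c=US
    print(parse_dn(build_dn(HOSTILE)))  # three RDNs, surname intact
    print(parse_dn(naive_dn(HOSTILE)))  # four RDNs: names a different place in the tree
```

The check to carry away: any code that builds a DN from user-supplied attribute values must escape them first, otherwise the "unique and unambiguous" property of the DN is only as good as the input.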

  9. Entry components

  10. An example entry (figure)
  • objectClass: person
  • One attribute/value pair is the Relative Distinguished Name for the entry; surname = Cassel, for example, would identify this entry
  • objectClass is the type of the entry as a whole; it tells the directory what kinds of information can or should be included in the entry

  11. Sample section of a DIT (figure, not reproduced: an entry with 3 attributes)

  12. The Directory Schema
  • Rules governing the attribute types allowed for each class of object
  • The form of the values for each attribute type
  • Which class of object can be a child entry of a given class of object

  13. The Directory Service
  • Operations to interrogate and modify the content of the Directory
  • Control access to DIT entries
  • Ensure that any changes continue to obey the rules of the schema
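
Slides 7, 12 and 13 together describe a service that answers lookups cheaply and refuses writes that break the schema. The following is an added Python example, not code from the deck: a tiny in-memory DIB with an object-class schema in which organizationalPerson inherits the required and optional attributes of person, and an add/modify path that is rejected whenever the resulting entry would violate the schema. The top, country and organization classes, the attribute names and the sample tree are assumptions of the example, as is letting a single objectClass value stand for its whole superior chain (real LDAP lists every class in the chain).

```python
# Added example, not from the slides: a small in-memory Directory Information
# Base whose service enforces the schema on add and modify, while lookup stays
# a cheap read. person and organizationalPerson follow the deck's outline
# (person requires commonName and surname; organizationalPerson inherits both
# and adds title, organizationalUnitName, ...). The top, country and
# organization classes, the attribute names and the sample tree are
# assumptions of this example, as is collapsing the superior chain into one
# objectClass value (real LDAP lists every class in the chain).

SCHEMA = {  # objectClass -> (superior class, MUST attributes, MAY attributes)
    "top": ("", {"objectClass"}, set()),
    "country": ("top", {"c"}, {"description"}),
    "organization": ("top", {"o"}, {"description", "telephoneNumber"}),
    "person": ("top", {"cn", "sn"},
               {"description", "telephoneNumber", "userPassword", "seeAlso"}),
    "organizationalPerson": ("person", set(), {"title", "ou", "postalAddress"}),
}


def effective_schema(object_class):
    """MUST/MAY sets including everything inherited from superior classes."""
    must, may, oc = set(), set(), object_class
    while oc:
        if oc not in SCHEMA:
            raise ValueError(f"unknown objectClass {oc!r}")
        superior, m, o = SCHEMA[oc]
        must, may, oc = must | m, may | o, superior
    return must, may


def check_entry(attrs):
    """Schema violations for an entry given as {type: [values]}; [] if valid."""
    classes = attrs.get("objectClass") or []
    if not classes:
        return ["entry has no objectClass"]
    must, may = set(), set()
    for oc in classes:
        m, o = effective_schema(oc)
        must, may = must | m, may | o
    problems = [f"missing required attribute {t}" for t in sorted(must) if not attrs.get(t)]
    problems += [f"attribute {t} not allowed by {classes}"
                 for t in attrs if t not in must and t not in may]
    return problems


class Directory:
    """Entries keyed by DN; every write is checked, lookup is a dictionary hit."""

    def __init__(self):
        self.entries = {}

    def add(self, rdn, parent, attrs):
        problems = check_entry(attrs)
        if problems:
            raise ValueError("; ".join(problems))
        if parent and parent not in self.entries:
            raise ValueError(f"superior entry {parent!r} does not exist")
        rdn_type, rdn_value = rdn.split("=", 1)
        if rdn_value not in attrs.get(rdn_type, []):   # the RDN is taken from the entry
            raise ValueError("RDN value must be one of the entry's attribute values")
        dn = f"{rdn},{parent}" if parent else rdn
        self.entries[dn] = {t: list(v) for t, v in attrs.items()}
        return dn

    def lookup(self, dn, attribute=None):
        entry = self.entries.get(dn)
        if entry is None:
            return None
        return entry if attribute is None else entry.get(attribute)

    def modify(self, dn, attribute, values):
        """Replace an attribute's values ([] deletes it); refused, leaving the
        entry untouched, if the result would break the schema."""
        candidate = {t: list(v) for t, v in self.entries[dn].items()}
        if values:
            candidate[attribute] = list(values)
        else:
            candidate.pop(attribute, None)
        problems = check_entry(candidate)
        if problems:
            raise ValueError("; ".join(problems))
        self.entries[dn] = candidate


def attempt(op, *args):
    """Run a directory operation; None on success, else the rejection text."""
    try:
        op(*args)
        return None
    except ValueError as exc:
        return str(exc)


def build_sample_directory():
    """Constructed sample tree: c=US > o=Example Org > sn=Cassel."""
    d = Directory()
    d.add("c=US", "", {"objectClass": ["country"], "c": ["US"]})
    d.add("o=Example Org", "c=US", {"objectClass": ["organization"], "o": ["Example Org"]})
    d.add("sn=Cassel", "o=Example Org,c=US",
          {"objectClass": ["organizationalPerson"], "cn": ["Cassel"], "sn": ["Cassel"],
           "telephoneNumber": ["+1 555 0100"], "title": ["Faculty"]})
    return d
```

Note that the schema check runs against the candidate entry before the write is applied, so a rejected modify leaves the stored entry exactly as it was; that ordering is what makes "changes continue to obey the schema" a property of the data rather than a hope.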

  14. Four ways to describe a directory (repeated as a section divider; the Functional Model follows)

  15. Functional Model players
  • Directory User Agent (DUA)
    • participates in the Directory protocol on behalf of a user
  • Directory System Agent (DSA)
    • responds to requests for information from the directory
    • requests come from DUAs or from other DSAs

  16. Functional Model
  • Describes the Directory in terms of operations performed by a DUA and one or more DSAs serving the request of the DUA
  • The DUA gains access by binding to an access point represented by a particular DSA
  • That DSA has direct access to a portion of the Directory (the data it holds)
  • That DSA has knowledge about the rest of the Directory, so it can obtain information it does not hold itself, either by chaining the request to another DSA or by referring the DUA there

  17. DSA - DUA interaction (figure: one DUA bound to one DSA, which is connected to several other DSAs)
  • The user sees the directory as one collection accessible through one interface
  • Directory servers interact with each other to provide the response

  18. X.500 and LDAP
  • X.500 is the ITU-T specification of a global directory, intended to run over a full OSI protocol stack
  • LDAP (Lightweight Directory Access Protocol) is a simplified access protocol for X.500-style directories: it runs directly over TCP/IP and drops much of the machinery of the X.500 Directory Access Protocol (DAP)
  • LDAP was originally intended as a front end to the X.500 Directory (a gateway translating LDAP requests into DAP), but LDAP servers now run standalone as well

  19. Four ways to describe a directory (repeated as a section divider; the Security Model follows)

  20. Security Model
  • Authorization can be granted at the granularity of
    • a subtree
    • an entry
    • an attribute type
  • Authorization can be given to
    • an individual
    • groups
    • the owner of the entry

  21. Access
  • Give authority to
    • the owner, to update phone number, address, etc.
    • project managers, to update project information
    • the department, to update goal statements
    • etc.
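
The two slides above give the shape of a directory authorization policy: scope (subtree, entry, attribute type) crossed with subject (individual, group, owner). As an added Python example, not part of the deck, here is a default-deny evaluator for rules of that shape, with a sample policy that mirrors the slide (owners maintain their own phone number and address, project managers update project information, and nobody reads userPassword back). The rule format, the meaning of "owner" (the entry that describes the requester), the group membership map and the sample DNs are all assumptions of the example, not the X.500 Basic Access Control syntax or any product's ACL language.

```python
# Added example, not from the slides: a default-deny access control evaluator
# with the granularity the deck lists. A rule is attached to an entry and
# applies to that entry alone or to its whole subtree, to every attribute or
# to named attribute types, for a subject that is an individual, a group or
# the entry's owner. Deny rules win over allow rules. The rule format, the
# notion of "owner" (the entry that describes the requester), the group
# membership map and the sample DNs are all assumptions of this example, not
# the X.500 Basic Access Control syntax or any product's ACL language.
# DN comparisons are exact strings here; real code must normalise DNs first.

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    scope_dn: str          # entry the rule is attached to
    subtree: bool          # True: scope_dn and everything beneath it
    attributes: frozenset  # empty: the whole entry; otherwise only these types
    subject: str           # "owner", "anyone", "user:<dn>" or "group:<dn>"
    perms: frozenset       # subset of {"read", "write"}
    effect: str = "allow"  # or "deny"


def in_scope(target_dn, rule):
    return target_dn == rule.scope_dn or (
        rule.subtree and target_dn.endswith("," + rule.scope_dn))


def subject_matches(rule, requester_dn, target_dn, groups):
    if rule.subject == "anyone":
        return True
    if rule.subject == "owner":
        return requester_dn == target_dn    # the entry is about the requester
    kind, _, dn = rule.subject.partition(":")
    if kind == "user":
        return requester_dn == dn
    if kind == "group":
        return requester_dn in groups.get(dn, set())
    return False


def authorized(rules, requester_dn, target_dn, attribute, perm, groups):
    """True only if a matching allow rule grants perm on attribute of
    target_dn and no matching deny rule forbids it (default deny)."""
    allowed = False
    for r in rules:
        if not in_scope(target_dn, r) or perm not in r.perms:
            continue
        if r.attributes and attribute not in r.attributes:
            continue
        if not subject_matches(r, requester_dn, target_dn, groups):
            continue
        if r.effect == "deny":
            return False
        allowed = True
    return allowed


# Constructed sample policy, mirroring the deck's examples.
ORG = "o=Example Org,c=US"
PEOPLE = "ou=People," + ORG
PROJECTS = "ou=Projects," + ORG
ALICE = "cn=Alice," + PEOPLE
BOB = "cn=Bob," + PEOPLE
PM_GROUP = "cn=Project Managers," + ORG
GROUPS = {PM_GROUP: {ALICE}}

RULES = [
    # everyone may read the organisation's subtree ...
    Rule(ORG, True, frozenset(), "anyone", frozenset({"read"})),
    # ... except passwords, which nobody may read back, the owner included
    Rule(ORG, True, frozenset({"userPassword"}), "anyone", frozenset({"read"}), "deny"),
    # owners maintain their own phone number and address
    Rule(PEOPLE, True, frozenset({"telephoneNumber", "postalAddress"}), "owner",
         frozenset({"write"})),
    # project managers update project information
    Rule(PROJECTS, True, frozenset({"description"}), "group:" + PM_GROUP, frozenset({"write"})),
]


def can(requester, target, attribute, perm):
    return authorized(RULES, requester, target, attribute, perm, GROUPS)
```

Two design choices worth keeping in any real implementation: the default is deny, so an attribute type nobody thought to mention is unreadable rather than world-readable, and an explicit deny beats any allow, which is what lets a broad "anyone may read the subtree" rule coexist with a password attribute that must never be disclosed.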

  22. Security issues
  • Authentication: who are you, and how do I know that?
  • Confidentiality: who is entitled to see this unit of information?
  • Integrity: is the data uncorrupted?
  • Authorization: you are entitled to access some resources, but not others

  23. Directory Security Examples Ref: Jeff Hodges; jhodges@oblix.com; http://www.oblix.com/

  24. Data Integrity: Replication
  • There are world-wide directories
    • performance issues: data distributed over the whole world
  • Multiple copies of sections of the DIT
    • a local copy may not be completely up to date
    • the DUA always knows when it receives information from a copy rather than from the master
  • Local directories may be copies of remote directories or stand-alone directories
    • the performance issues are different

  25. Cache and Shadow copies
  • Cache copies
    • not covered in the specification
    • unofficial copies, no guarantee of accuracy
  • Shadow copies
    • obtained in accordance with the procedures in the Directory specification
    • official, controlled copies
    • not necessarily up to date at all times
    • but there is a limit on the time before they will be updated
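
The DUA/DSA interaction of slides 16 and 17 and the replication story of slides 24 and 25 fit in one small simulation, added here as a Python example that is not part of the deck: two DSAs each master one naming context and know about the other; a lookup for an entry the bound DSA does not hold is chained to the DSA that does; and the local DSA keeps a shadow copy of the remote context that is refreshed at most once per interval, so it can lag the master but never by more than that bound. Every result says which DSA's data answered and whether it came from a copy, which is how the DUA "always knows" it is reading shadow data, and a DUA that needs the authoritative value can ask to bypass the shadow. Time is a simulated clock, and the contexts, entries and refresh policy are constructed for the example.

```python
# Added example, not from the slides, serving both the DUA/DSA interaction
# (slides 16-17) and replication (slides 24-25): two DSAs each mastering one
# naming context, chaining of a lookup to the DSA that holds the entry, and a
# shadow copy of the remote context with a bounded refresh interval. Every
# Result says which DSA's data answered and whether it was a copy, so the DUA
# always knows when it reads shadow data and how stale it may be. Time is a
# simulated clock; the contexts, entries and refresh policy are constructed.

from dataclasses import dataclass


@dataclass
class Result:
    value: object               # attribute values, or None if not found
    served_by: str              # DSA whose data answered
    from_copy: bool             # True when a shadow, not the master, answered
    max_staleness: float = 0.0  # seconds a shadow may lag its master


def under(dn, context_dn):
    return dn == context_dn or dn.endswith("," + context_dn)


class Shadow:
    """Controlled copy of a naming context, pulled from its supplier DSA at
    most every `interval` seconds: it may lag, but never by more than that."""

    def __init__(self, supplier, interval, now):
        self.supplier, self.interval = supplier, interval
        self.refresh(now)

    def refresh(self, now):
        self.entries = {dn: dict(a) for dn, a in self.supplier.entries.items()}
        self.last_refresh = now

    def refresh_if_due(self, now):
        if now - self.last_refresh >= self.interval:
            self.refresh(now)


class DSA:
    def __init__(self, name, context_dn, entries):
        self.name, self.context_dn = name, context_dn  # context this DSA masters
        self.entries = {dn: dict(a) for dn, a in entries.items()}
        self.knows = {}    # context_dn -> DSA: knowledge of the rest of the DIT
        self.shadows = {}  # context_dn -> Shadow held locally

    def update(self, dn, attrs):
        """Master write; shadows see it at their next refresh."""
        self.entries[dn] = dict(attrs)

    def read(self, dn, attribute, now, authoritative=False, hops=0):
        """Answer from own data, from a local shadow, or by chaining to the DSA
        that masters the context. authoritative=True skips shadows."""
        if under(dn, self.context_dn):
            entry = self.entries.get(dn)
            return Result(None if entry is None else entry.get(attribute), self.name, False)
        if not authoritative:
            for ctx, shadow in self.shadows.items():
                if under(dn, ctx):
                    shadow.refresh_if_due(now)
                    entry = shadow.entries.get(dn)
                    return Result(None if entry is None else entry.get(attribute),
                                  self.name, True, shadow.interval)
        for ctx, dsa in self.knows.items():
            if under(dn, ctx):
                if hops >= 3:  # stop a loop in the knowledge from chaining forever
                    raise RuntimeError("chaining limit exceeded")
                return dsa.read(dn, attribute, now, authoritative, hops + 1)
        return Result(None, self.name, False)


def build_network(now=0.0):
    """Constructed sample: a local and a remote DSA, each knowing the other,
    plus an hourly-refreshed shadow of the remote context at the local DSA."""
    local = DSA("local", "o=Local,c=US", {"cn=Bob,o=Local,c=US": {"telephoneNumber": ["1001"]}})
    remote = DSA("remote", "o=Remote,c=US", {"cn=Alice,o=Remote,c=US": {"telephoneNumber": ["2001"]}})
    local.knows[remote.context_dn] = remote
    remote.knows[local.context_dn] = local
    local.shadows[remote.context_dn] = Shadow(remote, 3600.0, now)
    return local, remote


def scenario():
    """A DUA bound to `local` reads Alice's number around a change at the master."""
    local, remote = build_network(now=0.0)
    dn = "cn=Alice,o=Remote,c=US"
    before = local.read(dn, "telephoneNumber", now=0.0)
    remote.update(dn, {"telephoneNumber": ["2002"]})                          # master changes
    stale = local.read(dn, "telephoneNumber", now=10.0)                       # shadow: still 2001
    fresh = local.read(dn, "telephoneNumber", now=10.0, authoritative=True)   # chained to master
    refreshed = local.read(dn, "telephoneNumber", now=3600.0)                 # shadow refreshed
    return before, stale, fresh, refreshed
```

The security-relevant detail is the `from_copy` flag together with the `authoritative` switch: a consumer that is about to make an access decision on replicated data (a group membership, a disabled-account flag) should either accept the stated staleness bound or insist on the master, and it can only make that choice if the result tells it which one it got.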

  26. LDAP in use

  27. Address access to LDAP

  28. LDAP related RFCs

  29. Find more • http://www.openldap.org/

  30. More information on LDAP
  • http://www.kingsmountain.com/ldapRoadmap.shtml
    • pointers to recent articles
    • pointers to downloadable copies of the software
    • updates on status
    • etc.

  31. Directory summary
  • Distributed information
    • performance issues
    • security issues
  • Consistent structure of information makes distributed access easier
  • Local use has many applications in coordinated access and security within an organization
