Download presentation: Introduction to the Hot New LDAP Features in Novell eDirectory 8.7


  • Number of slides: 73

Introduction to the Hot New LDAP Features in Novell eDirectory™ 8.7
www.novell.com
Gary L. Anderson, Senior Development Manager, Novell, Inc., [email protected]
Alan Clark, Senior Manager, eDirectory Access, Novell, Inc., [email protected]

Deployed Versions: Novell eDirectory™ and Novell Directory Services® (NDS®)

Product Version                  | Build Version         | Platforms
NetWare 5.1 SP4 (NDS 7)          | DS.nlm v7.57          | NetWare 5.1
NetWare 5.1 SP4 (NDS 8)          | DS.nlm v8.79          | NetWare 5.1
eDirectory 8                     | DS.nlm & DS.dlm v8.79 | NetWare 5.0, Win NT/2K
eDirectory 8.5.x                 | DS v85.23             | NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)       | DS.nlm v10110.20      | NetWare 6
eDirectory 8.6.1                 | DS v10210.43          | NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2) | DS.nlm v10310.17      | NetWare 6
eDirectory 8.6.2                 | DS v103xx.xx          | NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                   | DS v10410.xx          | NW 5.1, NW 6, Win, Solaris, Linux, AIX

Differences Between eDirectory and Novell NDS®
• NDS (NetWare 5): a NOS directory focused on managing NetWare servers
• eDirectory (NetWare 6): a cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network; eDirectory is the foundation for eBusiness

Abstract
• This session provides an overview of the hot new LDAP features available in eDirectory 8.7
  • Rights-based object access
  • Dynamic groups
  • Object-based schema
  • Search simplification
  • Event monitoring
  • Configurable transport security
  • Multiple LDAP authentication methods
  • Device provisioning with embedded LDAP clients
• Specific implementation details and code samples are presented in DL204 and DL307

Welcome to Outdoor Adventures
[Figure: tree diagram] This tree shows the logical layout of Outdoor Adventures, the sample company used in this presentation and in the Tech Lab

Using LDAP to Set Directory Rights

Terminology
• ACM: the Access Control Model used in a directory to specify who has rights to what
• ACI: the X.500 standard name for Access Control Information (the rights to access objects)
• ACL: a list maintained as an attribute of an object showing the rights that other objects have to that object

The eDirectory Access Control Model
• Access Control Lists (ACLs) reside on resources, and grant permissions to individual objects, containers (and subtrees), and groups
How do students get rights to course information?
  • Grant rights to all students, registered or not
  • Individually grant rights to each registered student
  • Grant rights to a dynamic group

Access Rights
• The directory allows rights per object and per user
  • Easy management of rights
  • Inheritance of rights based on tree structure
  • A user's abilities depend on the ACLs for the object, the user, and the groups and subtrees the user belongs to
• Rights are held in the ndsAcl attribute of each object

Effective Privileges
• It is hard to understand exactly which rights an object has to a resource because
  • ACLs are held on resources, on parents of resources, and on groups
  • ACLs may be blocked by inherited rights filters
• eDirectory allows an object's "Effective Privileges" to be interrogated
  • Check out DL204 for details on coding this in C and Java

Programmatic ACL Modification
How do I allow a student to access information on a course section? The answer is obvious, right? Use ConsoleOne® or iManager and assign student1 as a trustee of section1.
But how do I do this with LDAP?

Modifying ACLs with LDAP
• ACLs are attributes, so no special APIs are required to access or update them
• The LDIF file to allow student1 rights to section1 could be

  dn: cn=section1,ou=sections,l=Atlanta
  changetype: modify
  add: ndsAcl
  ndsAcl: 1#entry#cn=student1,ou=students,l=Atlanta#[Entry Rights]
  ndsAcl: 3#entry#cn=student1,ou=students,l=Atlanta#[All Attributes Rights]

• Refer to section 5.7 of
  • http://ietf.org/internet-drafts/draft-sermersheim-nds-ldap-schema-02.txt

ACL Privileges
• The privileges field is a number generated by performing a bitwise OR on the values that represent the desired access rights
• The table below shows the values (the hex column is reproduced as it appears on the slide)

Value     | Hex         | [Attributes]    | [Entry Rights]
1         | 00 00 01 00 | Compare         | Browse
2         | 00 00 02 00 | Read            | Add
4         | 00 00 04 00 | Write, Add, Del | Del
8         | 00 00 08 00 | Add/Del Self    | Rename
16        | 00 00 10 00 | (na)            | Supervisory
32        | 00 00 20 00 | Supervisory     | (na)
536870912 | 20 00 00 00 | Dynamic         | Dynamic

The New ACL in Town
• [This]
  • A new ACL subjectName; it can be inheritable or non-inheritable
  • Reduces the need to use per-object ACLs to grant rights to an object's own attributes
  • Management now available through iManager
Question: How can you give everyone rights to modify their own phone number? To solve this problem, you can
  A: Go through object by object and grant individual access, or…
  B: Apply read, compare, and write rights to [This] for the telephoneNumber attribute high up in the tree and let it inherit
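As an added example (not code from the presentation or from Novell), the following Python builds and parses ndsAcl values using the privilege table and the privileges#scope#subjectName#protectedAttrName syntax above, and emits the LDIF modify record for the student1/section1 case and for the [This] telephoneNumber case. The DNs are the presentation's sample data; the right names are labels for the table rows, and the "entry"/"subtree" scope values are taken from the referenced schema draft.

```python
"""Build and parse eDirectory ndsAcl values (added example, not Novell's code)."""

# Bit values from the slide's privilege table; the meaning of a bit depends on
# whether the ACL protects the entry itself or one (or all) of its attributes.
ATTRIBUTE_RIGHTS = {
    "compare": 1, "read": 2, "write": 4, "add_del_self": 8,
    "supervisory": 32, "dynamic": 536870912,
}
ENTRY_RIGHTS = {
    "browse": 1, "add": 2, "delete": 4, "rename": 8,
    "supervisory": 16, "dynamic": 536870912,
}
ENTRY = "[Entry Rights]"
ALL_ATTRS = "[All Attributes Rights]"


def privileges(rights, protected_attr):
    """OR together the bit values for the named rights, using the right table."""
    table = ENTRY_RIGHTS if protected_attr == ENTRY else ATTRIBUTE_RIGHTS
    value = 0
    for name in rights:
        if name not in table:
            raise ValueError(f"{name!r} is not a valid right for {protected_attr}")
        value |= table[name]
    return value


def nds_acl(rights, scope, subject, protected_attr):
    """Format one ndsAcl value: privileges#scope#subjectName#protectedAttrName."""
    if scope not in ("entry", "subtree"):
        raise ValueError("scope must be 'entry' (non-inheritable) or 'subtree'")
    return f"{privileges(rights, protected_attr)}#{scope}#{subject}#{protected_attr}"


def parse_nds_acl(value):
    """Split an ndsAcl value back into its fields and the named rights it grants."""
    priv, scope, subject, protected_attr = value.split("#", 3)
    priv = int(priv)
    table = ENTRY_RIGHTS if protected_attr == ENTRY else ATTRIBUTE_RIGHTS
    names = sorted(n for n, bit in table.items() if priv & bit)
    return {"privileges": priv, "scope": scope, "subject": subject,
            "protected_attr": protected_attr, "rights": names}


def modify_ldif(dn, acl_values):
    """LDIF 'modify' record that adds the given values to dn's ndsAcl attribute."""
    lines = [f"dn: {dn}", "changetype: modify", "add: ndsAcl"]
    lines += [f"ndsAcl: {v}" for v in acl_values]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    student = "cn=student1,ou=students,l=Atlanta"
    # The slide's example: browse on the entry, compare + read on all attributes.
    acls = [
        nds_acl(["browse"], "entry", student, ENTRY),
        nds_acl(["compare", "read"], "entry", student, ALL_ATTRS),
    ]
    print(modify_ldif("cn=section1,ou=sections,l=Atlanta", acls))
    # The [This] trick: every object may edit its own telephoneNumber, inherited
    # from high in the tree (l=Atlanta is the presentation's sample container).
    own_phone = nds_acl(["compare", "read", "write"], "subtree", "[This]", "telephoneNumber")
    print(modify_ldif("l=Atlanta", [own_phone]))
```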

Filter-Based Groups

Creating Communities
• Communities in a directory exist when objects are formed into groups
• The original eDirectory group provided a static list of members, with referential integrity between the group's member list and the "member of" attribute on each object

Dynamic Groups
• eDirectory 8.6 and 8.7 allow you to determine group membership dynamically by using a search filter
• The search filter is in URL form (RFC 2255)
  • ldap:///<base>?<attributes>?<scope>?<filter>
  • Example: ldap:///ou=sales,o=acme??sub?(title=manager)
• Additional capabilities
  • excludedMember: objects specifically excluded from the group
  • uniqueMember: objects specifically included in the group
• Web management interface in eDirectory 8.7
  • Available only via LDAP in eDirectory 8.6

What Is the Cost of Using Dynamic Groups?
• Dynamic groups don't show up in the groupMembership attribute of a user object
• To find out if your object is a member of a dynamic group, you have to run the group's query filter against your object to see if it matches
• ACLs are applied to dynamic group filters

Why Use Dynamic Groups?
• Policy is stored in the directory
  • An application can be hard-coded to just read a dynamic group instead of searching with a search filter
  • This allows the "effective" filter to be modified in the directory without changing the application
• ACLs may be used with dynamic groups
  • Put an ACL on a course section object granting access rights to the dynamic group
  • Now all students registered for the section (determined dynamically) will have access
• Dynamic groups are scalable

Dynamic Groups: Compatibility
• Static groups may be converted to dynamic groups
  • Add dynamicGroupAux to the objectClass attribute
  • Set a search query in memberQueryURL
• For either static or dynamic groups, obtain a membership list by simply reading the "member" attribute
• By default, the implicit search is limited to the local server

Object-Based Schema (Auxiliary Classes)

What Good Is Object-Based Schema?
Q: Peggy and Scott are managers; how can they have attributes specific to managers?
Q: Bill, Jean and Paul take turns handling the after-hours pager; how can the one holding the pager be uniquely identified?
To solve these problems, you can
  A: Add all attributes to base class definitions, or…
  B: Use auxiliary classes to meet both of these requirements without adding attributes to other objects

Auxiliary Class Definition
• Auxiliary (or aux) classes are dynamic classes that can be added to the object class attribute of individual objects
  • The object inherits all the attributes of the aux class while retaining all of its own attributes
  • When the aux class is removed from the object, all of the aux class attributes are removed
  • Only the objects that need the attributes have them
  • Doesn't change the basic object class definition

Using Auxiliary Classes
• Two steps
  • Modify the object class of an existing object to include the aux class name
  • Write values to attributes as you would any other attributes for that class
• Easy to remove
  • Delete the aux class name from the objectClass attribute
• Auxiliary classes are available from eDirectory 8 and beyond

Auxiliary Classes vs. Structural Classes

Auxiliary Classes                                                   | Inherited Classes
Added to individual instances of an object                          | Inherited to all objects through the class definition
eDirectory 8 and above                                              | All versions of eDirectory and NDS
Removable from any object                                           | Non-removable from base classes
A single object may have many aux classes                           | Multiple inheritance
Requires write rights to the object's object class attribute        | Object class rights not required
Cannot define containment                                           | Ability to define containment
All instances of use have to be removed prior to schema removal     | May contain mandatory and optional attributes, including naming attributes

Replication of Auxiliary Classes
[Diagram] Replication between an eDirectory 8.7 server and servers running eDirectory 8.6, eDirectory 8.5 (v85.23) or 8.0 (v8.78), NDS 7.x (7.55c, 7.55d) and NDS 6.x (6.14, 6.13): a modify involving an auxiliary class either replicates or fails with a -666 "Incompatible DS Version" error, depending on the peer's version

Auxiliary Class Safety Precautions
• Upgrade your tree to all eDirectory 8 servers
• If you can't go to all eDirectory 8, then make sure you have the latest released patches for NDS 7 and NDS 6
• Never, never add auxiliary classes to objects on NDS 7 or NDS 6 servers
• Break the old habit of deleting unknown objects if you are using auxiliary classes

Auxiliary Class Benefits
• You can now apply attributes at will to objects in the tree, without requiring the schema definitions to be applied to all objects in the class
• Cleanup of auxiliary classes is a snap
  • Simply remove the aux class name from the objectClass attribute, and all of its attributes disappear automatically

Using Matching Rules to Reduce Searches

Extensible Match
• Extensible Match is defined in LDAP v3
  • Supports multiple matching rules for the same data types
  • New rules can be implemented, e.g., "sounds like"
  • DN elements can be included in the search criteria
• The DN specification allows matching on specific elements of the DN of an object, for example the ou=sales element of cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa

Task: Find All Admin Assistants in All the Sales Groups of this Company
[Figure: sample tree] Root, with organizations USA, Germany and England; containers Sales, Manufacturing, Finance, Engineering, East and West; "Admin assistant" containers under the sales and finance organizations; users Terry, Sam, Alice, Hilda and Bill

Possibility One
1. Search for all admin assistant containers in the tree
   C:>ldapsearch … (organizationalRole=adminAssistant)
   organizationalRole=adminAssistant,ou=sales,o=usa
   organizationalRole=adminAssistant,ou=sales,o=germany
   organizationalRole=adminAssistant,ou=finance,o=germany
   organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   4 matches
2. In the client, evaluate each DN to see if it is subordinate to a sales container
   organizationalRole=adminAssistant,ou=sales,o=usa
   organizationalRole=adminAssistant,ou=sales,o=germany
   organizationalRole=adminAssistant,ou=finance,o=germany
   organizationalRole=adminAssistant,ou=west,ou=sales,o=england

Possibility One (cont.)
3. Using each admin assistant container as a base, do a subtree search for users in that container
   C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   1 matches
   C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   2 matches
   C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=west,ou=sales,o=england" (objectClass=user)
   cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   1 matches

Possibility Two
1. Search for all sales containers in the tree
   C:>ldapsearch … (ou=sales)
   ou=sales,o=usa
   ou=sales,o=germany
   ou=sales,o=england
   3 matches
2. Using each sales container as a base, do a subtree search for users in the admin assistant container
   C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   1 matches
   C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   2 matches
   C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=england" (objectClass=user)
   0 matches
   (Callout: This search assumes everything is at the same level!)
What's wrong?

In eDirectory 8.7...
1. Use extensibleMatch
   C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
   cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
   cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
   cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
   4 matches
Filter grammar: extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" matchingrule ":=" value

eDirectory Support for extensibleMatch
• eDirectory 8.7, available soon, supports extensibleMatch for matching on DN values
• eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and will ignore them
  • Versions of eDirectory prior to 8.7 would return a protocol error if an extensibleMatch term was specified in a search filter
• Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object using the standard matchingRules and matchingRuleUse schema attributes
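Serving both the dynamic-group slides above and this extensibleMatch walkthrough, here is an added Python evaluator (not code from the presentation or from Novell) that parses an RFC 2255 memberQueryURL and the filter subset used on these slides, resolves dynamic-group membership including uniqueMember and excludedMember, and runs the (ou:dn:=Sales) filter over a constructed copy of the sales tree. It assumes each user entry also carries organizationalRole=adminAssistant as an attribute, which is a constructed detail; the ":dn:" flag makes DN components count as well.

```python
"""Added example (not from the presentation or Novell): an in-memory evaluator for
RFC 2255 memberQueryURL values and the slide's filter subset (equality, presence,
&, | and the ':dn:' extensible match on DN components)."""

def dn_components(dn):
    """Split a DN into lower-cased (attr, value) pairs, leaf first."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def parse_filter(text):
    """Parse an RFC 2254 filter string into a nested tuple tree."""
    pos = 0
    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(parse())
            node = (op, kids)
        else:
            end = text.index(")", pos)
            item, pos = text[pos:end], end
            if ":=" in item:                      # extensible: attr[:dn][:rule]:=value
                spec, _, value = item.partition(":=")
                attr, *flags = spec.split(":")
                node = ("ext", attr.lower(), "dn" in flags, value.lower())
            else:                                 # equality, or presence when value is *
                attr, _, value = item.partition("=")
                node = ("eq", attr.lower(), value.lower())
        pos += 1                                  # consume ')'
        return node
    return parse()

def matches(node, dn, attrs):
    """Evaluate a parsed filter against one entry (its DN plus attribute dict)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, dn, attrs) for k in node[1])
    if node[0] == "eq":
        values = [v.lower() for v in attrs.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    _, attr, use_dn, value = node                 # "ext": with :dn:, DN parts count too
    if use_dn and (attr, value) in dn_components(dn):
        return True
    return value in [v.lower() for v in attrs.get(attr, [])]

def in_scope(dn, base, scope):
    """Apply an LDAP search scope ('base', 'one' or 'sub') relative to base."""
    d, b = dn_components(dn), (dn_components(base) if base else [])
    if b and d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_ldap_url(url):
    """Split an ldap:/// URL (the local-server form on the slides) into base, scope and filter."""
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return {"base": base, "scope": scope or "base", "filter": flt or "(objectClass=*)"}

def dynamic_members(group, directory):
    """URL matches, plus uniqueMember, minus excludedMember (as on the slides)."""
    url = parse_ldap_url(group["memberqueryurl"][0])
    node = parse_filter(url["filter"])
    found = {dn for dn, a in directory.items()
             if in_scope(dn, url["base"], url["scope"]) and matches(node, dn, a)}
    return sorted((found | set(group.get("uniquemember", []))) - set(group.get("excludedmember", [])))

def user(**extra):  # constructed user entry under an adminAssistant role container
    return {"objectclass": ["user"], "organizationalrole": ["adminAssistant"], **{k: [v] for k, v in extra.items()}}

AA = "organizationalRole=adminAssistant"
DIRECTORY = {  # constructed from the presentation's sample tree
    f"cn=Terry,{AA},ou=sales,o=usa": user(),
    f"cn=Sam,{AA},ou=sales,o=germany": user(title="manager"),
    f"cn=Alice,{AA},ou=sales,o=germany": user(title="manager"),
    f"cn=Hilda,{AA},ou=finance,o=germany": user(),
    f"cn=Bill,{AA},ou=west,ou=sales,o=england": user(),
}
GERMAN_SALES_MANAGERS = {  # constructed dynamicGroup object
    "memberqueryurl": ["ldap:///ou=sales,o=germany??sub?(title=manager)"],
    "uniquemember": [f"cn=Hilda,{AA},ou=finance,o=germany"],
    "excludedmember": [f"cn=Alice,{AA},ou=sales,o=germany"],
}

def admin_assistants_in_sales():
    """The single extensibleMatch search from the slide, replacing two client-side passes."""
    node = parse_filter("(&(ou:dn:=Sales)(organizationalRole=adminAssistant))")
    return sorted(dn for dn, attrs in DIRECTORY.items() if matches(node, dn, attrs))
```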

Directory Events in LDAP

How Do I Track Directory Changes?
Q: Students can change some of their own information; how can I track their changes in my instructor application using LDAP?
• I can poll the directory looking for changes
  • Requires me to keep state information in my app
• I can use directory events
  • Persistent Search
  • LDAP eDirectory events extension

LDAP Persistent Search
• Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server
  • Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter
  • The connection to the server remains open until the search is abandoned
  • Persistent search is supported by multiple directories

Applications of Persistent Search
• What does Persistent Search enable?
  • Applications driven by business process events
  • Creating and updating a local cache easily
  • Auditing
  • Data logging
  • Data reporting
  • And more…
• Persistent Search is an LDAP-standard way of getting directory events

eDirectory Events Extension
• Novell extension allowing an LDAP client to be notified of the occurrence of various events on a Novell eDirectory server
  • Utilizes the LDAP v3 extended operation extension mechanism
  • It also uses an intermediate response Protocol Data Unit (PDU) as described in the IETF draft draft-rharrison-ldap-intermediate-resp-00.txt
  • Available on all platforms supported by Novell eDirectory 8.7
  • This is Novell-specific and not standard LDAP

Selectively Monitor eDirectory Events
• Novell eDirectory defines several directory-related events, including
  • Operations on individual entries and their attributes
  • Partition and replica operations
• These events can be used for
  • Debugging
  • Auditing
  • Management
• Access to each event is controlled by rights checking
  • If the user does not have the required privileges, the request will fail
  • An EventExtendedResponse will be returned by the server with a responseCode value of insufficientPrivileges

Event Handling Priority
• The eDirectory event system extension supports the equivalent of the eDirectory journal priority
  • Event notifications are sent to a client in the order in which the events occurred on the server, after the underlying operations have completed
  • Order is guaranteed, and events are received after DS has processed the information
  • You cannot preempt an event or register for in-line processing

Applications of eDirectory Events
• What can I do with eDirectory Events?
  • eDirectory monitoring
  • Auditing
  • Automation of infrastructure changes
  • Automated business logic
• All of these things can be done with eDirectory; they don't exist in the same form on other directory products

Configurable Transport Security

eDirectory 8.7 Debuts Full TLS 1.0

SAS Library                                 | Novell TLS Library
SSL v3.0 support                            | TLS 1.0 support (RFC 2246)
Cryptography using NICI                     | Cryptography using NICI
Limited interoperability with other clients | Full TLS 1.0 compliance, good interoperability
Limited support for EXTERNAL authentication | Fully configurable support for EXTERNAL authentication
No support for StartTLS                     | Supports LDAP StartTLS

Connecting with TLS
• The eDirectory LDAP server can now be configured to use the following TLS handshakes
  • Server Certificate Only
  • Request Client Certificate
  • Require Client Certificate
• This configuration is done through iManager

Selectable Channel Encryption
I'm connected to the directory on the clear-text port, and I want to access my credit card information. What do I do?
• I can drop my connection, re-authenticate to the SSL port, and get the data, OR
• I can send the StartTLS extended request along with the query to read my credit card

Ending TLS on a Connection
• Client or server sends a TLS end notification
• All operations are abandoned
• TLS is turned off by both client and server
• Connection reverts to anonymous
  • Specified in RFC 2829

TLS Information
• Functionality is defined in RFC 2222, 2829, and 2830
• Novell TLS Library* is based on the OpenSSL project (current version 0.9.c) with the cryptographic library replaced by NICI
* This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

New LDAP Authentication Methods

Is LDAP Simple Bind Secure Enough?
Are you confident that the user is who he claims to be?
  Employee: JaneSmith, Password: jsmith
  Hacker (aka JaneSmith), Password: jsmith

SASL Exposed
• SASL (Simple Authentication and Security Layer) is an authentication negotiation framework
  • The server lists its registered authentication mechanisms in the supportedSASLMechanisms attribute of the root DSE
  • The client chooses the authentication method
  • The server implements the authentication policy
  • Official SASL mechanisms are registered with IANA*
  • eDirectory 8.7 supports
    • EXTERNAL
    • DIGEST-MD5
    • NMAS_LOGIN
*Internet Assigned Numbers Authority

SASL EXTERNAL
• The TLS handshake establishes the client identity by means of certificate-based client authentication
• LDAP SASL EXTERNAL uses that identity for the user connection

SASL DIGEST-MD5
SASL bind packet with hashed password
• Allows the password to be securely sent over a clear-text connection
• Requires that the server maintain a clear-text copy of the password in the NMAS encrypted store, which can be hashed using data provided in the bind and then compared to the hashed password contained in the bind
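As an added example (not code from the presentation or from Novell), the following Python carries out the RFC 2831 DIGEST-MD5 response computation that such a bind contains, on both the client and the server side, which makes concrete why the server must start from the stored password rather than from an unrelated one-way hash. The user name and password are the slide's JaneSmith/jsmith; the realm, digest-uri and nonces are constructed.

```python
"""RFC 2831 DIGEST-MD5 client proof and server check (added example, not Novell's code)."""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _kd(*parts: str) -> str:
    """HEX(H(a:b:c...)) over text fields, which is how RFC 2831 spells KD(k, s)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, cnonce, nc, digest_uri,
                    qop="auth", rspauth=False):
    """Compute the client's 'response', or with rspauth=True the server's 'rspauth'.

    A1 is H(username:realm:password) as 16 raw bytes, joined to nonce and cnonce;
    A2 is 'AUTHENTICATE:' + digest-uri for the client proof and ':' + digest-uri
    for the server's mutual-authentication proof (qop=auth only, no integrity layer).
    """
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8")) + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = (":" if rspauth else "AUTHENTICATE:") + digest_uri
    return _kd(_h(a1).hex(), nonce, nc, cnonce, qop, hashlib.md5(a2.encode("utf-8")).hexdigest())


def server_verify(stored_password, username, realm, nonce, cnonce, nc, digest_uri, response):
    """Server side: recompute the proof from the stored password, compare in constant time.

    Only the password itself (or H(username:realm:password), which RFC 2831 lets a
    server cache instead) can seed this computation; that is what the slide's
    clear-text copy in the NMAS encrypted store provides.
    """
    expected = digest_response(username, realm, stored_password, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def demo_bind(password_offered, stored_password="jsmith"):
    """Constructed exchange with fixed nonces so the result is reproducible."""
    user, realm = "JaneSmith", "outdooradventures.example"        # realm is constructed
    uri = "ldap/ldap.outdooradventures.example"                   # digest-uri, constructed
    nonce, cnonce, nc = "server-nonce-0001", "client-nonce-0001", "00000001"
    response = digest_response(user, realm, password_offered, nonce, cnonce, nc, uri)
    accepted = server_verify(stored_password, user, realm, nonce, cnonce, nc, uri, response)
    rspauth = digest_response(user, realm, stored_password, nonce, cnonce, nc, uri, rspauth=True)
    return {"response": response, "accepted": accepted, "rspauth": rspauth}


if __name__ == "__main__":
    print(demo_bind("jsmith"))          # accepted: True
    print(demo_bind("not-jsmith"))      # accepted: False
```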

SASL NMAS_LOGIN
Fingerprint, Password, Biometric, Smart card, Certificate
• Allows the full functionality of Novell Modular Authentication Services to be applied to LDAP binds
• Login policy maintained by the server
• Provides for multiple levels of authentication and identification

Device Provisioning with Embedded LDAP Clients

Novell Leadership in Device Provisioning
• Through our embedded technology effort, Novell has been in the embedded eDirectory business for eight years
  • iPrint and eNDPS (embedded Novell Distributed Print Services™ (NDPS®) technology)
• Introducing
  • The Embedded Device Provisioning Agent (eDPrA)
• Novell offers the market self-provisioning hardware managed by eDirectory

What Is Embedded Device Provisioning?
• Directory-enabled device provisioning
  • Allows non-computer connected devices to work with eDirectory
  • Improves security on hardware that has been limited by SNMP standards (simple login and passwords)
  • Allows for management of millions of devices at one time
  • Provides hands-free configuration and setup

How a Directory Helps Provisioning
• Increases deployment speed of embedded hardware
• Improves management of the overall system
• Enhanced security from multiple authentication methods
• More scalable than SNMP

Directory-based Provisioning of Devices within the Enterprise
[Diagram] Novell eDirectory at the centre, holding provisioning policies, trouble alert policies, billing policies, data sync policies and security; fed with data via DirXML™ from the management console, order entry, HR, billing and work order systems; provisioning wireless devices, caching or other hardware, routers, CPE and networked hardware across the Internet

Bringing It All Together

Outdoor Adventures: Bringing It All Together
Let's look at how these new features can benefit a hypothetical company, Outdoor Adventures
  • Auxiliary classes are used to identify students and instructors
  • ACLs are used to give students and instructors rights to view the information they need on the web
  • The [This] ACL is used to allow students to modify their own object attributes
  • Access to specific course information is allowed by assigning ACLs to dynamic groups that identify students

Outdoor Adventures: Bringing It All Together
  • Instructors use Persistent Search to dynamically update their web display of class members
  • Searches in the tree are simplified with DN matching rules
  • Credit card information is transmitted over TLS connections
  • Advanced authentication (thumbprint) is required for instructors to access student and course information
  • The Outdoor Adventures network is run using switches and routers configured from the directory

Outdoor Adventures: Bringing It All Together
Want to learn more about these concepts and see them in operation?
• The "How To" information is given in sessions DL204, DL307, and TUT242
• The Outdoor Adventures web site showcasing all of these concepts can be experienced in the tech lab
• Security concepts for various types of authentication are presented in BUS217

Novell eDirectory 8.7: It's Not Just a NOS Directory Anymore
How do I get this great full-service LDAP directory product for re-distribution with my applications?
• You can have your customers go out and buy individual licenses as needed, OR
• Developers can sign up for the Novell eDirectory Re-distribution Kit by visiting developer.novell.com/edirectory/ and receive 250,000 eDirectory licenses for free (now that's a DEAL)

Vision: one Net
A world where networks of all types, corporate and public, intranets, extranets, and the Internet, work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Developer References
• Novell Developer LDAP SDKs, documentation, and samples
  • http://developer.novell/ndk
• Novell eDirectory Evaluation Version and Redistribution Kit
  • http://www.novell.com/products/edirectory/
• Novell Modular Authentication (NMAS™)
  • http://www.novell.com/products/nmas
• Novell Developer AppNotes
  • http://developer.novell.com/research

Developer References
• LDAP Zone: the latest information and resources for LDAP
  • http://www.ldapzone.com
• Directory Interoperability Forum
  • http://www.opengroup.org/dif
• Works with LDAP certification
  • http://www.wwldap.org

Developer References
• LDAP IETF standards
  • Filters and extensibleMatch
    • http://www.ietf.org/rfc2254.txt
    • http://www.ietf.org/rfc2251.txt
  • The TLS protocol
    • http://www.ietf.org/rfc2246.txt
  • Extension for TLS (StartTLS)
    • http://www.ietf.org/rfc2830.txt
  • SASL (Simple Authentication and Security Layer)
    • http://www.ietf.org/rfc2222.txt

References
• eDirectory ACLs
  • http://www.ietf.org/internet-drafts/draft-sermersheim-ndsldap-schema-02.txt, Section 5.7
• Dynamic Groups
  • http://www.ietf.org/internet-drafts/draft-haripriyadynamicgroup-00.txt
  • App note on http://www.developer.novell.com
• Persistent Search
  • http://www.ietf.org/internet-drafts/draft-smith-pesearch-00.txt
  • Soon to be an App note on http://www.developer.novell.com