- Number of slides: 28
OpenLDAP Enterprise Features
Bruce Huang (bruce.huang@hp.com)
Tommy Yan (tommy.yan@hp.com)
HP Open Source and Linux Organization
Agenda
• 2 non-native English speakers
• Directory services in large enterprises: challenges and progress
• Technical implementation of some enterprise features
Directories in a large enterprise - an HP example back to 2003
Sites: Boeblingen, Sunnyvale, Houston, Boise, Grenoble, Atlanta, Singapore
- Mission-critical repository used by 1500+ applications in HP
- Approximately 50 million+ operations/day
- Resolves every @hp.com mail address
- Authorizes every HP inline login
- Hardware: approximately 30 servers worldwide
- Software: Sun ONE Directory Server 5.x
Directories in a large enterprise - an HP example back to 2003 (cont.)
o=hp.com (Directory Root)
  ou=People (Employees/Contingents: HR data, email, NT, certs, etc.)
  ou=Groups (News/Mail/Security groups: owners, members, description, etc.)
  ou=Servers (used to store server certificates)
  ou=Locations (HP real estate: address, lat/long, time zone, etc.)
  ou=Organizations (HP organizations: name, address, contact, etc.)
  ou=Partners (Business Partners)
  …
What are the challenges in this model?
– Cost: per-entry pricing model. (An entry is defined as a single Distinguished Name (DN) and its contained attributes; one employee takes one entry, one server takes one entry, for example.)
– Lock-in: vendors don't want to modify the existing product to meet our technical requirements, but want us to buy more products.
Why OpenLDAP was considered the solution
• Cost: Symas per-server/enterprise license model
• Freedom: having the source code
• Support: IT has the resources and capability to support it (OSMS, Symas)
• Standard, not proprietary: why not enhance the applications?
OpenLDAP's challenges and progress
– General enterprise-grade robustness:
  • Solid Berkeley DB support
  • Audit capability
  • Reconfiguration must be available on the fly as much as possible
  • Reliable replication strategy
– Password Policy: a security policy for passwords (e.g., must not be a dictionary word, must be over 6 characters, and so on). Overlay by Neil Dunbar (HP) and Howard Chu (Symas).
OpenLDAP's challenges and progress (cont.)
– Data constraint: for instance, a telephone number could be forced to follow ITU standard representation rules. Overlay by Neil Dunbar (HP).
– Translucency: store department-specific attributes for its employees in a local directory, for extension and speed. Overlay by Symas, sponsored by HP.
– Group Policy: much of HP's authorization data resides in the notion of groups: groups of employees, groups of assets, groups of business partners, and so forth. However, the LDAP/X.500 model does not really impose any notion of what groups mean. Overlay by Symas.
What is the current status
• HP completed migrating the Enterprise Directory to OpenLDAP on Linux in 2006.
• HP is completely unchained from the per-entry licensing model.
• The directory enterprise requirements above are met.
• Source code contributed upstream to the OpenLDAP community.
OpenLDAP working model
• The slapd frontend receives an LDAP request
• The slapd frontend passes the request to the backend
• The backend calls frontend functions to send the results to the client
OpenLDAP Overlays
• Overlays: modules working between the frontend and the backend
  – introduced in OpenLDAP 2.2
  – change the behavior of backends without changing backend code
  – process incoming requests before the backend
  – process outgoing results before the frontend
• Processing steps
  – The frontend passes requests to the first overlay
  – Each overlay forwards requests to the next overlay until they reach the real backend
  – The backend directs results back through the overlays, from the first overlay to the last one, until they are sent to the client
Create your own overlay
// hello.c: skeleton of a minimal slapd overlay module
#include "portable.h"
#include "slap.h"

static slap_overinst hello_ovl;

/* The handlers are referenced in init_module before they are defined */
static int hello_add(Operation *op, SlapReply *rs);
static int hello_modify(Operation *op, SlapReply *rs);
static int hello_close(BackendDB *be, ConfigReply *cr);  /* OpenLDAP 2.4 bi_db_close signature */

int init_module(int argc, char *argv[]) {
    hello_ovl.on_bi.bi_type = "hello";            /* selected by "overlay hello" in slapd.conf */
    hello_ovl.on_bi.bi_op_add = hello_add;        /* runs before the backend sees an add */
    hello_ovl.on_bi.bi_op_modify = hello_modify;  /* runs before the backend sees a modify */
    hello_ovl.on_bi.bi_db_close = hello_close;    /* runs when the database is closed */
    return overlay_register(&hello_ovl);
}

/* A handler returns SLAP_CB_CONTINUE to pass the request on to the next overlay or the backend */
static int hello_add(Operation *op, SlapReply *rs) {…}
static int hello_modify(Operation *op, SlapReply *rs) {…}
…
Two Examples of Using Overlays
- Password Policy
- Constraint
Password Policy
• Provides password control mechanisms, like password aging, password reuse, mandatory password resets and so on
• Defines multiple password policies by using the 'pwdPolicy' object class
• Applies specific password policies to entries
• Configuration directives:
  – moduleload ppolicy.la
  – overlay ppolicy
  – ppolicy_default <defaultDN>
  More explanations in the Linux man page (slapo-ppolicy)
Password Policy (cont.)
Example: create two different password policies and apply them to entries.
• Load and configure the overlay in slapd.conf:
  …
  moduleload ppolicy.la
  overlay ppolicy
  ppolicy_default cn=default,ou=policy,dc=hp,dc=com
  …
Password Policy (cont.)
• Add two policy entries
  – policy.ldif:
  dn: cn=default,ou=policy,dc=hp,dc=com
  objectClass: pwdPolicy
  objectClass: device
  cn: default
  pwdAttribute: userPassword
  pwdCheckQuality: 2
  pwdMinLength: 5
  pwdMaxAge: 2592000

  dn: cn=strong,ou=policy,dc=hp,dc=com
  objectClass: pwdPolicy
  objectClass: device
  cn: strong
  pwdAttribute: userPassword
  pwdCheckQuality: 2
  pwdMinLength: 8
  pwdMaxAge: 1296000
Password Policy (cont.)
• Set the pwdPolicySubentry attribute in a DN
  – bruce.ldif:
  dn: uid=bruce,dc=osms,dc=hp,dc=com
  objectClass: inetOrgPerson
  uid: bruce
  mail: bruce.huang@hp.com
  sn: huang
  employeeNumber: 111111
  cn: Bruce Huang
  pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com
Password Policy (cont.)
• Verify that the overlay works by running 'ldappasswd' to change the password of 'uid=bruce,dc=osms,dc=hp,dc=com' to a word shorter than 8 characters:
  Result: Constraint violation (19)
  Additional info: Password fails quality checking policy
• Note: the bind DN used to change the password must not be the rootdn.
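An added Python model (not code from the slides or from OpenLDAP) of how the two policies above are selected and applied: the entry's own pwdPolicySubentry wins over ppolicy_default, pwdMinLength is enforced on a change, and pwdMaxAge is measured from the last change. Only the pwdMinLength and pwdMaxAge rules of slapo-ppolicy are modelled; the policy table and the entry are constructed from policy.ldif and bruce.ldif.

```python
# Constructed policy table mirroring the two pwdPolicy entries in policy.ldif.
# pwdMinLength is in characters; pwdMaxAge is in seconds (2592000 s = 30 days, 1296000 s = 15 days).
POLICIES = {
    "cn=default,ou=policy,dc=hp,dc=com": {"pwdCheckQuality": 2, "pwdMinLength": 5, "pwdMaxAge": 2592000},
    "cn=strong,ou=policy,dc=hp,dc=com":  {"pwdCheckQuality": 2, "pwdMinLength": 8, "pwdMaxAge": 1296000},
}
PPOLICY_DEFAULT = "cn=default,ou=policy,dc=hp,dc=com"   # value of the ppolicy_default directive

# Constructed entry from bruce.ldif: its pwdPolicySubentry points at the "strong" policy.
BRUCE = {"uid": "bruce", "pwdPolicySubentry": "cn=strong,ou=policy,dc=hp,dc=com"}


def policy_for(entry):
    """An entry's own pwdPolicySubentry wins; entries without one fall back to ppolicy_default."""
    return POLICIES[entry.get("pwdPolicySubentry", PPOLICY_DEFAULT)]


def check_password(entry, new_password):
    """Mimic slapd's reply to a password change: (0, 'Success') or (19, reason).

    Only the pwdMinLength rule is modelled here; pwdCheckQuality 2 means the quality
    check is enforced, so a too-short password is rejected with constraintViolation (19).
    """
    policy = policy_for(entry)
    if policy["pwdCheckQuality"] > 0 and len(new_password) < policy["pwdMinLength"]:
        return 19, "Password fails quality checking policy"
    return 0, "Success"


def password_expired(entry, changed_epoch, now_epoch):
    """True once more than pwdMaxAge seconds have passed since the last change.

    slapd records the change time in the operational attribute pwdChangedTime (not shown
    on the slides); here both times are plain epoch seconds.
    """
    return now_epoch - changed_epoch > policy_for(entry)["pwdMaxAge"]
```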
Constraint
• Contributed by HP
• Constrains the values of attributes by character set or regular expression
• Triggered by LDAP add and modify operations
• Configuration directive:
  – constraint_attribute <attribute> <constraint> <value>
• Possible values of <constraint>: charset, regex
Constraint (cont.)
• Example: constrain employeeNumber to 6 digits and cn to letters only
  – Load and configure the overlay in slapd.conf:
  …
  moduleload constraint.la
  overlay constraint
  constraint_attribute employeeNumber regex ^[0-9]{6}$
  constraint_attribute cn regex ^[a-zA-Z]*$
  …
Constraint (cont.)
• Verify it by running 'ldapmodify' to change the employeeNumber attribute of 'uid=bruce,ou=people,dc=hp,dc=com' to a number with 5 digits:
  – modify.ldif:
  dn: uid=bruce,ou=people,dc=hp,dc=com
  changetype: modify
  replace: employeeNumber
  employeeNumber: 12345

  ldap_modify: Constraint violation (19)
  additional info: modify breaks regular expression constraint on employeeNumber
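An added Python model (not code from the slides or from OpenLDAP) of what slapo-constraint does with the configuration above: it parses the constraint_attribute directives, pulls the new values out of an LDIF request, and answers with constraintViolation (19) when a value breaks its regex or charset rule. The slapd.conf fragment and modify.ldif are constructed from the slides; the regex error text matches the slide, the charset wording is a constructed approximation.

```python
import re

# Constructed slapd.conf fragment: the constraint overlay lines shown on the slides.
SLAPD_CONF = """\
moduleload constraint.la
overlay constraint
constraint_attribute employeeNumber regex ^[0-9]{6}$
constraint_attribute cn regex ^[a-zA-Z]*$
"""

# Constructed modify request (modify.ldif on the slides): a 5-digit employeeNumber.
MODIFY_LDIF = """\
dn: uid=bruce,ou=people,dc=hp,dc=com
changetype: modify
replace: employeeNumber
employeeNumber: 12345
"""


def parse_constraints(conf):
    """Return [(attribute, type, value)] for every constraint_attribute directive."""
    rules = []
    for line in conf.splitlines():
        parts = line.split(None, 3)           # directive, attribute, type, value (value may hold spaces)
        if len(parts) == 4 and parts[0] == "constraint_attribute":
            if parts[2] not in ("charset", "regex"):
                raise ValueError("unknown constraint type: " + parts[2])
            rules.append((parts[1], parts[2], parts[3]))
    return rules


def ldif_values(ldif):
    """Collect attribute -> [values] from the 'attr: value' lines of one LDIF record,
    skipping the dn, changetype and add/replace/delete control lines."""
    values = {}
    for line in ldif.splitlines():
        attr, _, value = line.partition(": ")
        if value and attr.lower() not in ("dn", "changetype", "add", "replace", "delete"):
            values.setdefault(attr.lower(), []).append(value)
    return values


def check_request(rules, op, values):
    """Mimic the overlay's reply for an add or modify: (0, 'Success') or (19, reason)."""
    for attr, ctype, spec in rules:
        for v in values.get(attr.lower(), []):
            ok = re.search(spec, v) if ctype == "regex" else all(c in spec for c in v)
            if not ok:
                kind = "regular expression" if ctype == "regex" else "character set"
                return 19, "%s breaks %s constraint on %s" % (op, kind, attr)
    return 0, "Success"
```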
More information on overlays
• OpenLDAP admin guide:
  – http://www.openldap.org/doc/admin24/
• Linux man pages
• OpenLDAP source code
Resources, Thanks and Questions
• http://www.openldap.org/conf/oddsandiego-2004/Neil.pdf (special thanks to Neil Dunbar and Kartik Subbarao from the HP directories team)
• www.hp.com/go/osms
• www.symas.com/
Appendix: Attribute Uniqueness
• Enforces the uniqueness of one or more attributes in a subtree
• Triggered by the add, modify and modrdn operations
• Configuration options:
  – unique_base <basedn>
  – unique_ignore <attribute…>
  – unique_attributes <attribute…>
  …
Attribute Uniqueness (cont.)
• Example: enforce the uniqueness of uid and mail for all DNs
  moduleload unique.la
  overlay unique
  unique_base dc=hp,dc=com
  unique_ignore objectClass dc ou o cn
  unique_attributes uid mail

  dn: uid=bruce,ou=people,dc=hp,dc=com
  objectClass: inetOrgPerson
  uid: bruce
  sn: Huang
  cn: Bruce
  mail: bruce.huang@hp.com

  Error message: Constraint violation (19)
  additional info: some attributes not unique
Translucency
• Enables a translucent proxy
• A remote LDAP server and a local database are required
• Entries from the remote server may be overridden (at the attribute level) by entries in the local database
• Configuration options:
  – translucent_strict
  – translucent_no_glue
Referential Integrity
• Maintains the cohesiveness of a schema with reference attributes
• Triggered by the modrdn and delete operations
• Configuration options:
  – refint_attributes <attribute…>
  – refint_nothing <string>
  – refer to the Linux man page (slapo-refint)
Referential Integrity (cont.)
• Example: remove Jason and have Tommy as his replacement
  moduleload refint.la
  overlay refint
  refint_attributes manager
  refint_nothing uid=ytommy,ou=people,dc=hp,dc=com
  – Delete "uid=zjason,ou=people,dc=hp,dc=com"
  – The manager attribute in "uid=hbruce,ou=people,dc=hp,dc=com" and "uid=ytommy,ou=people,dc=hp,dc=com" is set to "uid=ytommy,ou=people,dc=hp,dc=com" automatically.