Directory Services
CS5493/7493
Directory Services
• Directory services represent a technological breakthrough by integrating into a single management tool:
– Authentication
– Access control
– Accounting
Directory Services
• A directory service organizes data into objects.
• The directory holds the objects.
• The directory service provides the tools for accessing and modifying the objects.
Directory Service Objects
• These objects consist of a name and a group of attributes associated with the name.
• The object name is formally known as the object’s “Distinguished Name” (DN).
• An object can be a service, hardware, or user.
Directory Service Examples
• A phonebook – entries in the phonebook are indexed by name. Each name has a phone number and an address associated with it.
• DNS – maps human readable names of network resources to their respective (binary) numeric network address.
Software Engineered D.S.
• A software engineered directory service stores, organizes, and provides access to electronic information in a directory.
• DNS was the first Internet directory service.
X.500
• A standard model for general-purpose directory services was developed in the late 1980s.
• The X.500 standard emerged from this effort in 1988.
• A series of supplementary editions and refinements to X.500 followed.
X.500 Refinements
• Shadowing (copying) directory information
• Access controls
• Additional administrative capabilities
• Contexts – define actions for an object according to the context of the object’s use.
• Additional security features
X.500 Concept
• There is a single directory information tree (DIT)
• The DIT is a hierarchical organization of objects distributed across one or more servers.
• X.500 provides the protocol for querying and updating objects in the DIT.
X.500 Legacy
• The general framework of X.500 has been adopted in more popular (widely adopted) directory services like:
– LDAP, the Lightweight Directory Access Protocol. OpenLDAP is available for Linux.
– Microsoft Active Directory
LDAP
• Defines a simple protocol that will manage directory objects:
– Search and retrieve
– Add
– Modify
– Delete
– Rename
• LDAP uses a client-server model.
LDAP Model
• LDAP uses a client-server model.
• The LDAP protocol uses TCP/IP.
LDAP Protocol
• The LDAP client establishes a connection to an LDAP server.
• The LDAP protocol usually uses port 389.
• The client must authenticate itself to the server by supplying a distinguished name and password.
• The LDAP server can restrict access to directory objects by managing permissions (access control).
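The last few slides (a single DIT, an entry as a distinguished name plus attributes, a bind with DN and password, access control, and the five LDAP operations) can be put together in one toy in-memory directory. This is an added teaching example, not code from the course or from any LDAP implementation; the simplified DN syntax (comma-separated RDNs without RFC 4514 escaping), the ACL keyed by bound DN, the PBKDF2 password storage, and the `dc=example,dc=com` sample entries are all assumptions made for the example.

```python
"""Toy in-memory directory on the X.500/LDAP model: one DIT, entries made of a
DN plus attributes, bind with DN and password, access control, and the
operations search/add/modify/delete/rename. Added teaching example, not course
or product code. Assumed: simplified DN syntax, ACL keyed by bound DN, PBKDF2."""
import hashlib
import hmac
import os

OPERATIONS = {"search", "add", "modify", "delete", "rename"}


class DirectoryError(Exception):
    """Failed bind, denied operation, or a change that would break the tree."""


def parse_dn(dn: str) -> tuple:
    """'cn=alice,ou=people,dc=example' -> ('dc=example', 'ou=people', 'cn=alice');
    root-first tuples make 'is X under Y' a prefix test and the parent key[:-1]."""
    rdns = [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]
    if not rdns:
        raise DirectoryError("empty DN")
    return tuple(reversed(rdns))


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2 string kept in the entry's userPassword attribute (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


class Directory:
    def __init__(self, suffix: str):
        self.entries = {parse_dn(suffix): {"objectclass": ["domain"]}}  # the DIT
        self.acl = {}  # bound DN (parsed) -> set of operations it may perform

    def bind(self, dn: str, password: str) -> tuple:
        """Simple bind; the returned token is needed by every other operation.
        Unknown DN and wrong password give the same error, so the server does
        not reveal which DNs exist."""
        key = parse_dn(dn)
        stored = self.entries.get(key, {}).get("userpassword", [""])[0]
        if not stored or not hmac.compare_digest(
                hash_password(password, bytes.fromhex(stored.split("$")[1])), stored):
            raise DirectoryError("invalid credentials")
        return key

    def _authorize(self, who: tuple, op: str) -> None:
        if op not in self.acl.get(who, {"search"}):  # any bound user: read-only by default
            raise DirectoryError(f"{op} denied for {','.join(reversed(who))}")

    def _subtree(self, base: tuple) -> list:
        return [k for k in self.entries if k[:len(base)] == base]

    def search(self, who: tuple, base: str, attr: str, value: str) -> list:
        """Subtree search with one equality filter, e.g. (mail=alice@example.com)."""
        self._authorize(who, "search")
        attr, value = attr.lower(), value.lower()
        return sorted(",".join(reversed(k)) for k in self._subtree(parse_dn(base))
                      if value in [v.lower() for v in self.entries[k].get(attr, [])])

    def add(self, who: tuple, dn: str, attrs: dict) -> None:
        self._authorize(who, "add")
        key = parse_dn(dn)
        if key in self.entries or key[:-1] not in self.entries:
            raise DirectoryError("entry exists or parent missing")  # the DIT stays a tree
        self.entries[key] = {a.lower(): list(v) for a, v in attrs.items()}

    def modify(self, who: tuple, dn: str, attr: str, values: list) -> None:
        self._authorize(who, "modify")
        key = parse_dn(dn)
        if key not in self.entries:
            raise DirectoryError("no such object")
        self.entries[key][attr.lower()] = list(values)

    def delete(self, who: tuple, dn: str) -> None:
        self._authorize(who, "delete")
        key = parse_dn(dn)
        if len(self._subtree(key)) != 1:  # missing, or has children: only leaves go
            raise DirectoryError("no such object or entry has children")
        del self.entries[key]

    def rename(self, who: tuple, dn: str, new_rdn: str) -> None:
        """Modify RDN: re-key the entry and everything beneath it."""
        self._authorize(who, "rename")
        old = parse_dn(dn)
        new = old[:-1] + (new_rdn.strip().lower(),)
        moved = self._subtree(old)
        if not moved or new in self.entries:
            raise DirectoryError("no such object or target name in use")
        for k in moved:
            self.entries[new + k[len(old):]] = self.entries.pop(k)


def build_demo() -> Directory:
    """Constructed sample DIT: an admin with every right and one ordinary user."""
    d = Directory("dc=example,dc=com")
    d.entries[parse_dn("ou=people,dc=example,dc=com")] = {"objectclass": ["organizationalunit"]}
    d.entries[parse_dn("cn=admin,dc=example,dc=com")] = {"userpassword": [hash_password("adm1n-pw")]}
    d.acl[parse_dn("cn=admin,dc=example,dc=com")] = set(OPERATIONS)
    d.entries[parse_dn("cn=alice,ou=people,dc=example,dc=com")] = {
        "mail": ["alice@example.com"], "userpassword": [hash_password("alice-pw")]}
    return d


def raises_directory_error(thunk) -> bool:
    try:
        thunk()
        return False
    except DirectoryError:
        return True
```

Two design points carry over to real servers: keeping the tree keyed root-first makes the subtree scope of a search a prefix test and the "parent must exist" rule of add a one-line check, and the bind step returns one generic error for both an unknown DN and a wrong password, so a directory that is supposed to hold the user list does not also act as a user-enumeration oracle.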
MS Active Directory
• A collection of services for managing resources in a computer network (LAN, MAN, CAN, or WAN).
The AD Collection of Services
• AD Lightweight Directory Service
• AD Federation Service
• AD Certificate Service
• AD Rights Management Service
• AD Domain Service
AD Lightweight Directory Service
• A lightweight version of AD based on LDAP.
AD Federation Service
• A single sign-on service allowing a user to access services in different network environments using AD-FS.
• The different network environments can be different companies running AD-FS.
AD Certificate Service
• Issues public key certificates used for purposes such as authenticating with smart cards or encrypting data transmitted over a network.
• This service can renew or revoke certificates.
AD Rights Management Service
• Goes beyond access control.
• AD-RMS manages (controls) what users can do with data once they have accessed the data.
– Can prevent files from being copied (this includes disabling cut and paste).
– Can prevent saving or forwarding e-mail messages.
AD Domain Services
• The traditional features of AD from previous versions.
Active Directory Summary
• A hierarchical framework of data objects.
• AD objects are categorized as:
– Resources: computers, printers, etc.
– Services like e-mail
– Users and groups of users
– Any real component and its attributes
Active Directory Summary
• A logical structure = grouping objects together based on criteria other than physical location.
• A physical structure = grouping objects together based on a physical topology (all the users, equipment, and services located in a particular office building).
Active Directory Summary
• Acts as the central point for managing object security
• Individual user policies can be defined
• Group policies can be defined
• Auditing features:
– Monitoring object usage
– Creating reports on object usage
– Notifying personnel of object usage
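The three auditing features just listed, as an added example that is not from the slides or from any directory product: it monitors constructed audit records of who did what to which directory object, builds a per-object usage report, and decides which events are worth notifying a person about. The pipe-separated record format, the `cn=domain admins` sensitive object, the admin allow-list and the two alert rules are assumptions for the example; real products emit their own event formats.

```python
"""Monitor object usage, report on it, and notify: the three auditing features on
the slide, run over constructed audit records. Added teaching example, not course
or product code. Assumed: the record format, the sensitive-object and admin lists,
and the alert rules below."""
from collections import Counter, defaultdict
from dataclasses import dataclass

WRITE_OPS = {"add", "modify", "delete", "rename"}
SENSITIVE_OBJECTS = {"cn=domain admins,ou=groups,dc=example,dc=com"}  # assumed
ADMIN_SUBJECTS = {"cn=admin,dc=example,dc=com"}  # assumed allow-list for such writes
DENIAL_THRESHOLD = 3  # denied operations by one subject before someone is notified


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str  # ISO 8601, UTC
    subject: str    # DN that was bound when the operation ran
    operation: str  # search | add | modify | delete | rename
    target: str     # DN of the directory object touched
    outcome: str    # success | denied


# Constructed sample records: timestamp|subject|operation|target|outcome
SAMPLE_LOG = """\
2024-05-01T08:00:01Z|cn=alice,ou=people,dc=example,dc=com|search|ou=people,dc=example,dc=com|success
2024-05-01T08:00:05Z|cn=alice,ou=people,dc=example,dc=com|modify|cn=alice,ou=people,dc=example,dc=com|success
2024-05-01T08:01:10Z|cn=bob,ou=people,dc=example,dc=com|modify|cn=domain admins,ou=groups,dc=example,dc=com|denied
2024-05-01T08:01:12Z|cn=bob,ou=people,dc=example,dc=com|modify|cn=domain admins,ou=groups,dc=example,dc=com|denied
2024-05-01T08:01:15Z|cn=bob,ou=people,dc=example,dc=com|delete|cn=domain admins,ou=groups,dc=example,dc=com|denied
2024-05-01T08:05:00Z|cn=admin,dc=example,dc=com|modify|cn=domain admins,ou=groups,dc=example,dc=com|success
2024-05-01T08:06:00Z|cn=carol,ou=people,dc=example,dc=com|modify|cn=domain admins,ou=groups,dc=example,dc=com|success
2024-05-01T09:00:00Z|cn=alice,ou=people,dc=example,dc=com|search|cn=domain admins,ou=groups,dc=example,dc=com|success
"""


def parse_log(text: str) -> list:
    """Monitoring input: one record per line. Malformed lines are rejected loudly
    rather than skipped, so a broken log pipeline cannot silently hide activity."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, subject, op, target, outcome = fields
        # DNs are case-insensitive, so normalise them before counting or matching.
        records.append(AuditRecord(ts, subject.lower(), op.lower(), target.lower(), outcome.lower()))
    return records


def usage_report(records: list) -> dict:
    """Per-object tally of (operation, outcome), denied attempts included."""
    report = defaultdict(Counter)
    for r in records:
        report[r.target][(r.operation, r.outcome)] += 1
    return dict(report)


def notifications(records: list) -> list:
    """Events worth telling a person about: a successful write to a sensitive object
    by a subject outside the admin allow-list, and repeated denials from one subject."""
    alerts, denials = [], Counter()
    for r in records:
        if r.outcome == "denied":
            denials[r.subject] += 1
        elif (r.operation in WRITE_OPS and r.target in SENSITIVE_OBJECTS
              and r.subject not in ADMIN_SUBJECTS):
            alerts.append(("sensitive_write", r.subject, r.target))
    for subject, count in denials.items():
        if count >= DENIAL_THRESHOLD:
            alerts.append(("repeated_denials", subject, count))
    return alerts


def format_report(report: dict) -> str:
    """Human-readable version of usage_report()."""
    lines = []
    for target in sorted(report):
        for (op, outcome), n in sorted(report[target].items()):
            lines.append(f"{target}: {op} {outcome} x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(format_report(usage_report(recs)))
    for alert in notifications(recs):
        print("NOTIFY:", *alert)
```

On the sample records this reports six operations against the Domain Admins group (two of them successful modifications) and raises two notifications: carol's successful write to a sensitive group from outside the allow-list, and bob's three consecutive denials. The report counts denied attempts as well as successes; a report built only from successful operations would hide the probing that precedes a later success.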
Active Directory Summary
• Objects are organized into containers called Organizational Units (OU).
• Organizational Units belong to a domain.
• A domain is an administrative boundary. All the objects in a domain operate with the same security policy.