TRANSCRIPT
eDirectory Update with 8.7.1
Gary J Porter, MindWorks, Inc., [email protected]
© April 21, 2023 Novell Inc, Confidential & Proprietary. 2
Contents
• Things you should know from 8.7
• Extensible Match
• Dynamic Groups
• New Event Triggers
• Persistent Search
• TLS
• New Authentication Methods
• SOAP Access
• Universal Password
• & much more…
Extensible Match
Extensible Match is defined in LDAP v3
• Support multiple matching rules for the same types of data
  – Can implement new rules, e.g., “sounds like”
• Include DN elements in the search criteria
  – The DN specification allows matching on specific elements of the DN of an object, e.g. the ou=sales element of
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
Task: Find All Admin Assistants in All the Sales Groups of this Company
[Figure: tree diagram. Root contains o=USA, o=England and o=Germany; beneath them are Sales, Manufacturing, Finance and Engineering containers, with England’s Sales split into East and West. Admin assistant role containers under several of these hold the users Terry, Alice, Sam, Hilda and Bill.]
Possibility One
1. Search for all admin assistant containers in the tree
C:>ldapsearch … (organizationalRole=adminAssistant)
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches
2. In the client, evaluate each DN to see if it is subordinate to a sales container
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england
Possibility One (cont.)
3. Using each admin assistant container as a base, do a subtree search for users in that container
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=west,ou=sales,o=england” (objectClass=user)
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
1 matches
Possibility Two
1. Search for all sales containers in the tree
C:>ldapsearch … (ou=sales)
ou=sales,o=usa
ou=sales,o=germany
ou=sales,o=england
3 matches
2. Using each sales container as a base, do a subtree search for users in the admin assistant container
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=england” (objectClass=user)
0 matches
What’s wrong? This search assumes everything is at the same level!
In eDirectory 8.7...
1. Use extensibleMatch
C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
cn=Bill, organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches
Filter grammar for an extensible term:
extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" matchingrule ":=" value
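How the ":dn" flag in a term such as ou:dn:=Sales is evaluated, as an added example written for this transcript (it is not code from the deck or from eDirectory): the value is compared against every RDN of the entry's DN, so depth no longer matters. The sample DNs are constructed from the deck's tree; Hilda's placement under finance is assumed.

```python
# Added example (not from the deck): client-side evaluation of an LDAP
# extensibleMatch term of the form attr:dn:=value, the construct the
# deck's filter (ou:dn:=Sales) relies on. With ":dn", the value is also
# compared against every RDN of the entry's DN, so ou:dn:=Sales matches an
# entry with an ou=sales component at any depth of its DN.
import re

# Constructed sample DNs, modelled on the deck's admin-assistant entries.
SAMPLE_DNS = [
    "cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa",
    "cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany",
    "cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany",
    "cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england",
]

def split_dn(dn):
    """Split a DN into (attribute, value) pairs on unescaped ',' and '+',
    so multi-valued RDNs contribute each of their attribute values."""
    avas = []
    for part in re.split(r"(?<!\\)[,+]", dn):
        attr, _, value = part.partition("=")
        avas.append((attr.strip().lower(), value.strip().lower()))
    return avas

def parse_extensible(term):
    """Parse 'attr:dn:=value' or 'attr:=value' into (attr, dn_flag, value).
    The optional ':matchingrule' part of the grammar is not handled here."""
    m = re.fullmatch(r"([A-Za-z][\w-]*)(:dn)?:=(.+)", term)
    if not m:
        raise ValueError("unsupported extensible term: " + term)
    return m.group(1).lower(), m.group(2) is not None, m.group(3).lower()

def dn_matches(term, dn, entry_attrs=None):
    """True if the term matches the entry's own attributes (case-ignoring,
    keys given in lower case) or, with the ':dn' flag, any RDN of its DN."""
    attr, dn_flag, value = parse_extensible(term)
    own = [v.lower() for v in (entry_attrs or {}).get(attr, [])]
    if value in own:
        return True
    return dn_flag and any(a == attr and v == value for a, v in split_dn(dn))

def filter_dns(term, dns=SAMPLE_DNS):
    """Return the sample DNs that satisfy the extensible term."""
    return [dn for dn in dns if dn_matches(term, dn)]
```

Without ":dn" the same term only inspects the entry's own ou attribute, which is why the plain (ou=sales) searches in Possibility Two find containers rather than the people beneath them.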
eDirectory Support for extensibleMatch
eDirectory 8.7 and 8.7.1 support extensibleMatch for matching on DN values
• eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and ignores them
• Versions of eDirectory prior to 8.7 returned a protocol error if an extensibleMatch term was specified in a search filter
Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object, using the standard matchingRules and matchingRuleUse schema attributes
Dynamic Groups
Creating communities while reducing administrative overhead
Dynamic Groups
eDirectory 8.6.1 and 8.7 allow you to determine group membership dynamically
• Membership determined by use of a search filter
  – Search filter is in URL form (RFC 2255)
• Additional capabilities
  – Objects specifically excluded
  – Objects specifically included in the group
• Web management interface in eDirectory 8.7
  – Available only via LDAP in eDirectory 8.6.1
Dynamic Groups—Schema
ObjectClasses
• dynamicGroup—Structural class for dynamic group
• dynamicGroupAux—Auxiliary class
Attributes
• memberQueryURL—The search query in URL form
• excludedMember—Objects specifically excluded
• uniqueMember—Objects specifically included in the group
  – Reading the “uniqueMember” (or “member”) attribute returns the specifically included objects as well as the objects which satisfy the query
Dynamic Groups—Compatibility
Static groups may be converted to dynamic groups
• Add dynamicGroupAux to the objectClass attribute
• Set a search query in memberQueryURL
For either static or dynamic groups, obtain a membership list by simply reading the “member” attribute
By default, the implicit search is limited to the local server
Dynamic Groups
[Figure: Student → Dynamic Course Group → Course]
The student registers for a course. The student can now see the list of other students in the course automatically, because he becomes part of the dynamic group for the course.
memberQueryURL for the course group:
ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?(&(objectclass=aspenStudent)(aspenRegisteredSections=cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv))
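The memberQueryURL is an RFC 2255 LDAP URL. This added example (written for this transcript, not code from the deck or from eDirectory) parses it into base, attributes, scope and filter, and checks whether a candidate entry falls inside the base and scope, which is what makes the sub scope necessary for students nested below ou=students. The candidate entry DNs used in the checks are constructed.

```python
# Added example (not from the deck): parsing a dynamic group's memberQueryURL,
# which eDirectory stores as an LDAP URL (RFC 2255), and checking whether a
# candidate entry lies within the URL's base and scope.
from urllib.parse import unquote

# The deck's own example URL (spaces after commas kept as on the slide).
COURSE_QUERY = ("ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?"
                "(&(objectclass=aspenStudent)(aspenRegisteredSections=cn=EA-sec1,"
                " ou=sections, l=Denver, l=USA, o=OutdoorAdv))")

def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no whitespace around commas.
    Assumes no escaped commas inside attribute values."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldap_url(url):
    """Return dict(host, base, attrs, scope, filter, extensions) per RFC 2255.
    Missing fields take the RFC defaults: all user attributes, scope 'base',
    filter (objectClass=*)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    hostport, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?", 4) + [""] * 4          # pad to five fields
    base, attrs, scope, filt, exts = (unquote(f) for f in fields[:5])
    scope = (scope or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope: " + scope)
    return {
        "host": hostport,                            # empty: this server
        "base": normalize_dn(base),
        "attrs": [a.strip() for a in attrs.split(",") if a.strip()],
        "scope": scope,
        "filter": filt or "(objectClass=*)",
        "extensions": exts,
    }

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is within scope of base_dn ('base', 'one' or 'sub')."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if entry == base:
        return scope in ("base", "sub")
    if not entry.endswith("," + base):
        return False
    depth = entry[: -len(base) - 1].count(",") + 1   # RDNs below the base
    return scope == "sub" or (scope == "one" and depth == 1)
```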
eDirectory Events
Automate and monitor
Applications of eDirectory Events
What can I do with eDirectory Events?
• eDirectory monitoring
• Auditing
• Automation of infrastructure changes
• Automated business logic
All of these things can be done with eDirectory—they don’t exist in the same form on other directory products
Selectively Monitor eDirectory Events
eDirectory defines several directory-related events, including
• Operations on individual entries and their attributes
• Partition and replica operations
These events can be used for
• Debugging
• Auditing
• Management
Access to each event is controlled by rights checking
• If the user does not have the required privileges the request will fail or,
• No event will be sent
LDAP Persistent Search
Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server
• Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter
• The connection to the server remains open until the search is abandoned
• Persistent search is supported by multiple directories
eDirectory Events Extension
Novell extension allowing an LDAP client to be notified of the occurrence of various events on an eDirectory server
• Utilizes the LDAPv3 extended operation extension mechanism
• It also uses an intermediate response PDU* as described in the IETF draft
  – draft-rharrison-ldap-intermediate-resp-00.txt
• Available on all platforms supported by Novell eDirectory 8.7
• This is Novell-specific and not standard LDAP
*Protocol Data Unit
Using eDirectory Events
[Figure: a student registers for a course; a persistent search updates the instructor’s class list automatically]
Transport Layer Security
Securing eDirectory access
Transport Layer Security (TLS)
TLS 1.0 provides privacy and data integrity between the LDAP client and the LDAP server
TLS ensures that
• The connection is private
• The connection is reliable
• Identities can be authenticated using asymmetric or public key cryptography
• Negotiation of a shared secret is secure (no middle man)
• The negotiation is reliable (attackers detected)
TLS = SSL
Selectable Channel Encryption
I’m connected to the directory on the clear-text port, and I want to access my credit card information. What do I do?
• I can drop my connection, re-authenticate to the SSL port, and get the data
OR
• I can send the StartTLS extended request along with the query to read my credit card
Connecting with TLS
• eDirectory LDAP server can now be configured to use the following TLS handshakes
  – Require client certificate
  – Request client certificate
  – Server certificate only
• This configuration is done through iManager
Ending TLS on a Connection
Client or server sends a TLS end notification
• Connection reverts to anonymous
Who are you, anyway?
Configurable Transport Security
Instructor connects with clear text
Start TLS - Instructor changes to a secure connection to see the student information
New LDAP Authentication Methods
Multiple Authentication Mechanisms (SASL)
[Figure: students authenticate to eDirectory with SASL EXTERNAL, DIGEST-MD5 or NMAS_LOGIN; a student registers a thumbprint; eDirectory replication carries the change; students can modify their own profiles]
SASL EXTERNAL
TLS handshake establishes client identity by means of certificate-based client authentication
• LDAP SASL EXTERNAL uses that identity for the user connection
SASL DIGEST-MD5
Allows password to be securely sent over a clear-text connection
Requires that the server maintain a clear-text copy of the password in the NMAS encrypted store that can be hashed using data provided in the bind and then compared to the hashed password contained in the bind
Simple bind packet with hashed password
SASL NMAS_LOGIN
Full functionality of Novell Modular Authentication Services (NMAS™) applied to LDAP binds
• Login policy maintained by the server
• Provides for multiple levels of authentication and identification
[Figure: login methods such as fingerprint, smart card, certificate and biometric]
Web Services & Novell eDirectory 8.7
SOAP Access to eDirectory
DSML Connector
[Figure: DSML connector architecture. A Web server and J2EE container host a DSML/SOAP servlet; its DSML reader and writer use the Java LDAP API to reach eDirectory over LDAP. Clients submit DSML over SOAP, and the service is described through UDDI, WSDL and a DSML URL.]
Clientless install (Windows only)
This provides the ability to install eDirectory on a Windows NT or 2000 server without the Novell Client.
Novell iMonitor 2.1
This new version of iMonitor provides:
• SSL support on all platforms
• Object statistics reports
• Enhanced obituary processing reports
• Server advertising reports
• Enhanced tracing functions
• Event monitoring and statistics
Novell iManager 2.0
This utility provides a single Web-based management console for the administration of Novell products on NetWare 6.5 & NNLS
• iManager standardizes all Novell Web-based administration utilities into a single management framework
• Provides an architecture for easy development of Web-based administration and management modules through open standard application interfaces
• Uses Roles to delegate eDirectory administration, management, and services tasks
Novell iManager 2.0
Novell iManager consists of two pieces:
• eDirectory Management Framework (eMFrame)
• eDirectory Management Toolbox (eMBox)
eMBox is the server-side piece that works with iManager to access functionality in various eDirectory utilities. Other utilities:
• DSRepair
• DSMerge
• Backup and Restore
• LDAP
• WAN Manager
• Novell Import Convert Export utility
Universal Password
In the past, administrators have had to manage multiple passwords (simple password, NDS RSA passwords) because of password limitations. Administrators have also had to deal with keeping the passwords synchronized. Universal Password addressed these problems by creating a single password that can be used by all protocols to authenticate users.
UTF8 Encoded
In addition, all Novell utilities are now UTF8 encoded. When a password is reset by a user or an administrator, the Secure Password Manager (SPM), an NMAS component, takes the Unicode password, converts it to a Universal Password (UTF8-encoded) and resets the NDS password.
Backup and Restore
eDirectory 8.7 introduced a new focus for backup and restore, called "hot continuous backup".
With the new Backup eMTool, you back up the eDirectory database for each server individually, and you can do it while eDirectory is running
Novell eGuide 2.11
eGuide provides a Web-based GUI for searching, viewing, and editing information stored in Novell eDirectory and other directory data sources
Because eGuide is highly customizable for any type of environment, administrators can configure it to their own specifications