
879

Index

: (colon), in DNs, 93–96
( ) (parentheses), grouping search terms, 78
& (ampersand), AND operator within search filters, 78
* (asterisk), wildcard within search filters, 73–74
= (equal sign)
    equality operator within search filters, 74
    in multivalued RDNs, 66
! (exclamation point), negation within search filters, 78
<= (left angle, equal sign), less than or equal to operator within search filters, 75
+ (plus sign), in search operations, 73
# (pound sign), comment indicator, 783
>= (right angle, equal sign), greater than or equal to operator within search filters, 75
| (vertical bar), OR operator within search filters, 78
~= (tilde, equal sign), approximation operator within search filters, 74–75

2222 (SASL...) RFC, 139
2251 (LDAPv3) RFC, 47
2252 (LDAPv3 Attribute Syntax Definitions) RFC, 47, 61–62, 274
2253 (LDAPv3 UTF-8 String Representation of Distinguished Names) RFC, 47
2254 (String Representation of LDAP Search Filters) RFC, 47
2255 (LDAP URL Format) RFC, 48
2256 (Summary of the X.500(96) User Schema for Use with LDAPv3) RFC, 48
2587 (Internet X.509 Public Key Infrastructure LDAPv2 Schema) RFC, 290
2820 (Access Control Requirements for LDAP) RFC, 142
2829 (Authentication Methods for LDAP) RFC, 48, 90, 125
2830 (Extension for Transport Layer Security) RFC, 48, 92–93
2830 ([LDAPv3] Extension for Transport Layer Security) RFC, 142
2831 (Using Digest Authentication as a SASL Mechanism) RFC, 140
2891 (LDAP...Sorting of Search Results) RFC, 131
3377 (LDAPv3: Technical Specification) RFC, 48

abandon operation, 56, 87–88
abstract object classes, 268
Access, Searching, and Indexing of Directories (ASID) IETF working group, 49
access control
    application needs definition, 219
    applications for, 654–657
    data design, 239
    definition, 90
    delegation, case study, 867–871
    in the hands of users, 841
    information, backup and restore, 542
    models, 91
    namespace design, 311
    Netscape Directory Server, 167–173
    replication, 396
    security design, 432–434
access control instructions (ACIs), 167, 169–173
access control lists (ACLs). See ACLs (access control lists).
access control policy, 433–434
Access Control Requirements for LDAP (RFC 2820), 142
ACIs (access control instructions), 167, 169–173
ACLs (access control lists)
    description, 432–433
    examples, 434–438
    placement, 439–440
    replication, 396
actionPerformed() method, 752
Active Directory, 345, 394
Active Directory Services Interface (ADSI) API, 118
add changetype LDIF statement, 96–97
add modifytype LDIF statement, 97
adding
    ACIs (access control instructions), 169–171
    auxiliary information to directory entries. See auxiliary classes.
    directory entries
        add operation, 56, 82
        ldapmodify utility, 111–112
        LDIF, 96–97
    schemas to directory servers, 289–290

Howes.book Page 879 Friday, April 4, 2003 11:38 AM

address book applications, 356
administrators. See system administrators.
ADSI (Active Directory Services Interface) API, 118
aggregating servers, 368
AIM Enterprise Gateway, 177
alias dereferencing, 72
aliases, 68–69
allowed (optional) attributes, 268, 274–277
Alvestrand, Harald, 292
American Standards Institute (ANSI), 292
ampersand (&), AND operator within search filters, 78
analyzing
    data elements, 251
    environment
        application software, 215
        coexistence with other systems, 228
        computer systems, 213–214
        criticality of service, 228
        hardware constraints, 227
        network constraints, 227–228
        networks, 214–215
        organizational structure and geography, 213
        overview, 210, 211–212
        prioritizing constraints, 228–229
        security constraints, 228
        software constraints, 227
    log files, 410, 580–581, 590–591
AND operators within search filters, 78
Andreesen, Marc, 798
anonymous bind (authentication), 102–103, 427–428
anonymous users, 427–428
ANSI (American Standards Institute), 292
AOL Instant Messenger (AIM), 177, 179, 738
AOL Time Warner, 821
APIs
    ADSI (Active Directory Services Interface), 118, 662
    C language, 116–117, 658
    Java, 117, 658, 662
    JNDI (Java Naming and Directory Interface), 118, 662, 693
    online resources, 115–116, 117–118
    Perl, 117, 659
    Python, 117, 659
    SDKs, sources for, 115–116
application-maintained data, 560–562
application needs
    access control, 219
    auditing, 219
    authentication, 219
    data, 216–217
    level of service, 218
    overview, 211
    performance, 217–218
    prioritizing, 219–220
    privacy, 219
    security, 219
    versus user needs and expectations, 223
application-specific directories, 6, 761–762
applications
    as data source, 254
    developing. See developing applications.
    namespace design considerations, 312, 320–321
    needs definition, 215
arcs, for OIDs, 77, 292
ASID (Access, Searching, and Indexing of Directories) IETF working group, 49
ASN.1 schema format, 280–283
asterisk (*), wildcard within search filters, 73–74
attribute types. See attributes.
attribute values, 60–62, 95–96. See also data, element values.
attributes
    case sensitivity, 262
    definition, 33
    description, 60–62
    designing schemas
        allowed (optional), 268, 274–277
        hierarchies, 264–265
        matching rules, 265, 267
        naming, 262, 291
        operational, 263
        subtypes, 264–265
        supertypes, 264–265
        syntax, 265, 266
        type example, 263–264
        usage indicators, 262, 276
        values, 262
    mandatory, 268
    usage indicators, 262, 276
attributeTypes attribute type, 274–277
auditing, 219, 417
authentication. See also security.
    application needs definition, 219
    certificate-based client, distributed directories, 350
    credentials, verifying, 650–652
    data maintenance, 567
    definition, 10, 88
    designing, 427–431
    distributed directories, 348–351
    LDAPv3 methods, 90
    process of. See binding.
    simple, 88
    tools for, 417, 418
authentication and control operations, 56, 86–88
authentication applications, 356
authentication database, 35
Authentication Methods for LDAP (RFC 2829), 48, 90, 125
authorization, proxied, 136–137, 167–173
auxiliary classes, 268, 279, 295–297
availability, 17–18, 248, 331, 358, 398, 504,

backdoor access, 413
backup and restore. See also disaster recovery.
    access control information, 542
    case studies, 815, 846, 874
    causes of, 538
    change history, 542

    cost, 514–515
    databases, 164–165
    directories versus file systems, 538
    directory server configuration files, 542
    incremental backups, 539
    LDIF backup and restore, 540–542
    Netscape Directory Server, 540, 543
    online directory servers, 539
    with replication, 543–545
    restoring databases, 165–167
    safeguarding backups, 545, 548
    schema configuration files, 542
    single-master replication, 546–547
    snapshot restores, 540
    verifying backups, 548–549
bak2db command, 165–167
bak2db script, 540
base-64 encoding, 95–96
Basic Encoding Rules (BER), 59
batch updates, as data source, 256–257
BER (Basic Encoding Rules), 59
bind operation, 56, 86–87
binding, 89, 102–103
British Standards Institute (BSI), 292
browsing versus searching, 25
BSI. See British Standards Institute.
Bulk Import Finished extended operation, 138–139
Bulk Import Start extended operation, 138–139
bulk loading databases, 161

C language API, 116–117, 658
C language SDK, 115–116, 658
The C LDAP Application Program Interface, 142
cascaded replication configuration, 403
case studies. See enterprise with an extranet; examples; large multinational enterprise; Netscape Communications Corporation.
centrally maintained data, 563–565
certificate authority, 444
certificate-based client authentication, 350
certificates
    authentication, 430–431
    issuance, 444
    life cycle management, 31, 652
    location problem, 31
    revocation list, 445
chaining, 343–344
change control policy, 638
change history, 542
change sequence numbers (CSNs), 379
changelog, 379
chasing referrals, 342, 381, 670
choosing an overall approach, 212, 229–230
choosing directory services software. See evaluating directory services software.
Clark, Jim, 798
class of service (CoS) feature, 179
clearSessionValues() method, 708
client replication updates versus replica updates, 387
client use of LDAP, 54–56
clock synchronization, 385–386
coexistence
    common data sources, 761–763
    copying to/from data sources
        migration, 763–764
        N-way join, 768–770, 783–793
        one-way synchronization, 764–766, 783–793
        two-way synchronization, 766–768
        virtual synchronization, 770–773
    data source security, 776
    data translation, 772–774
    data transport, 775–776
    designing for, 228
    implementation considerations, 780–783
    importance of, 761–763
    monitoring, 782–783
    new applications, 663–665
    overview, 759–761
    performance considerations, 781
    requirements definition, 777–780
    security and privacy considerations, 774–776
    tools for, 781–782
    troubleshooting, 782
    tuning, 782
    unique join attributes, 775
coexistence tables, 779
cold-site recovery, 552–554
colon (:), in DNs, 93–96
combining data from multiple sources. See joins.
command-line utilities
    ldapmodify, 110–115, 569
    ldapsearch
        binding, 102–103
        definition, 101
        encrypting server communications, 105–106
        filters, 102, 104–105
        options, 106–110
        retrieving a single entry, 102
        retrieving specified attributes, 103–104
        sample searches, 101–102
        search base, 102
        searching with SSL (Secure Sockets Layer), 105–106
    online sources for, 127
compare operation, 56, 81–82. See also search operation.
ComposeFrame class, 750–751
computer systems, needs definition, 213–214
configuration
    backing up and restoring, 543
    changing using LDAP, 173
    Directory Server Configuration, Command, and File Reference, 173
    managing, 27–28
configuration files
    backup and restore, 542
    dse.ldif, 173
    notify.conf, 605
    schema, backup and restore, 542

configuring
    cascaded replication, 403
    distributed directories, 345–348
    Netscape Directory Server, 173–176
    schemas, 285–286, 301
    user preferences, 28
conflict resolution, 384–388
connecting servers, 345–348
connection hijacking, 412
connection timeouts, 622
consistency, 238, 375–377
constraints, data element values, 245–246. See also value constraint plug-in.
consumers, 246–247, 375
continuous mode for the ldapmodify command, 112
control operations. See authentication and control operations.
controls
    definition, 59, 124
    Entry Change Notification Response, 128–130
    ManageDSAIT, 128
    Password Expired, 137–138
    Password Expiring, 137–138
    Persistent Search Request, 128–130
    Proxied Authorization, 136–137
    Server-Side Sorting Request, 130–131
    Server-Side Sorting Response, 130–131
    VLV (Virtual List View) Request, 132–136
    VLV (Virtual List View) Response, 132–136
convergence, 375–377
copying directories. See replication.
copying to/from data sources
    migration, 763–764
    N-way join, 768–770, 783–793
    one-way synchronization, 764–766, 783–793
    two-way synchronization, 766–768
    virtual synchronization, 770–773
corporate databases, 762
correcting bad data, 573
CoS (class of service) feature, 179
cost
    backup and restore, 514–515
    case study, 844–845
    data maintenance, 513–514, 559
    design phase, 502–503
    disaster recovery, 516–517
    evaluating directory services software, 457, 470
    hardware
        apportioning to software costs, 510
        deployment phase, 504–507
        upgrade and replacement, 511–512
    maintenance contracts, 518–519
    monitoring, 512–513
    piloting directory services, 503–504
    political considerations, 500
    reductions through applications, 644–647
    software
        apportioning to hardware cost, 510
        deployment phase, 507–509
        upgrades, 509–511
    training and support, 517–519, 567–568
Crack password cracking package, 447
createLDAPContext() methods, 703–705
creating directory entries. See adding, directory entries.
credentials, forging and stealing, 412
criticality of service, 228
CSNs (change sequence numbers), 379
custom probing tools, 588–592

dampening replication, 388
DAS (Directory Assistance Service) protocol, 41
data
    definition, 236
    distribution, 14–16
    element values. See also attribute values.
        characteristics of, 243–247
        definition, 236
        format, 244
        number of, 245
        ownership, 245–246
        pointers to, 236
        restrictions, 245–246
        size, 244–245
    elements. See also attributes.
        analyzing, 251
        characteristics of, 243–247
        consumers, 246–247
        definition, 236
        dynamic versus static, 248
        example, 249–251
        format, 244
        inventory (example), 803
        needs definition, 240–243
        number of values, 245
        ownership, 245–246
        relationships with other elements, 249
        restrictions, 245–246
        shared versus application-specific, 248
        value sizes, 244–245
    integrity, 91–93
    maintenance. See also maintenance phase.
        application-maintained data, 560–562
        authentication and security, 567
        centrally maintained data, 563–565
        checking data quality, 572–574
        correcting bad data, 573
        cost, 513–514, 559
        data validation, 569–570
        definition, 557
        developer awareness, 562
        exception handling, 559, 571
        importance of, 558
        new data sources, 570–571
        performance effects, 568–569
        responsibility for, 559
        source of truth method, 572
        spot checks, 573
        training and support costs, 567–568

        update-capable clients, 566–567
        user-maintained data, 565–570
        user surveys, 573
    organization, namespace design, 310
    owners, 802
    partitioning, 310–311
    policy statement, creating, 239–240
    quality, monitoring, 591
    reference, 309–310
    related problems, 237–238
    replication. See replication.
    sensitivity, privacy needs definition, 421
    translation, 772–774
    transport, 775–776
    users, 803
    values. See data, element values.
data design
    access control, 239
    application needs definition, 216–217
    case studies, 801–804, 829–830, 860
    consistency, 238
    data elements
        analyzing, 251
        characteristics of, 243–247
        consumers, 246–247
        definition, 236
        dynamic versus static, 248
        example, 249–251
        format, 244
        needs definition, 240–243
        number of values, 245
        ownership, 245–246
        relationships with other elements, 249
        restrictions, 245–246
        shared versus application-specific, 248
        value sizes, 244–245
    data-related problems, 237–238
    data source inventory, 242–243
    versus designing schemas, 286
    directory content, 239
    exception handling, 239
    legal considerations, 239
    multiple storage locations, 239
    overview, 236–237
    policy statement, creating, 239–240
    political considerations, 257
    redundancy, 238
    sources of data
        administrators, 254
        applications, 254
        batch updates, 256–257
        databases, 253
        end users, 254
        files, 253–254
        NOSs (network operating systems), 253–254
        other directory services, 253
        overview, 251–253
        replication, 255
        synchronization, 255–256
data sources
    administrators, 254
    applications, 254
    batch updates, 256–257
    copying to/from
        migration, 763–764
        N-way join, 768–770, 783–793
        one-way synchronization, 764–766, 783–793
        two-way synchronization, 766–768
        virtual synchronization, 770–773
    databases, 253
    definition, 236
    end users, 254
    files, 253–254
    inventory, 242–243
    list of, 761–763
    NOSs (network operating systems), 253–254
    other directory services, 253
    overview, 251–253
    replication, 255
    security, 776
    synchronization, 255–256
databases. See also directory partitioning.
    corporate, 762
    as data source, 253
    versus directories, 29–30, 32–33
    embedding in applications, 30
    external, 762
    homegrown, 762
    links, 347
    Netscape Directory Server
        backing up, 164–165
        bulk loading, 161
        default, 160
        dumping in DSML, 163–164
        dumping to an LDIF file, 161–162
        restoring, 165–167
db2bak command, 164–165
db2bak script, 539–540
db2dsml command, 163
db2ldif command, 161
DDoS (distributed denial of service) attacks, 416
delegating OID arcs, 292
delete changetype LDIF statement, 97
delete modifytype LDIF statement, 97–98
delete operation, 56, 82
deleted entries, restoring, 390
deleted entry conflicts, 390
deleting
    attributes and values, 97–98
    directory entries, 56, 82, 97
denial of service (DoS) attacks, 415–416
deployability, and security, 449–450
deployment phase. See also production rollout.
    case studies
        enterprise with an extranet, 871–874, 877
        large multinational enterprise, 842–845, 850–852
        Netscape Communications Corporation, 812–815, 819–821

    constraints on directory design
        design openness, 224
        overview, 211
        political considerations, 225–226
        prioritizing, 226
        resources, 224
        system administrators, 225
        system designers, 224–225
    definition, 202
    description, 204–205
dereferencing aliases, 72
design center, 12
design openness, 224
design phase. See also needs definition.
    case studies
        data, 801–804, 829–830, 860
        data element inventory, 803
        data owners, 802
        data users, 803
        namespace, 805–808, 833–835, 863–865
        needs definition, 799–801, 828–829, 859–860
        privacy, 810–812, 839–841, 867–871
        replication, 809–810, 836–839, 867
        schemas, 804–805, 831–833, 861–863
        security, 810–812, 839–841, 867–871
        topology, 808–809, 836, 865–866
    cost, 502–503
    description, 202–204
designers. See system designers.
designing
    data. See data design.
    namespaces. See namespace design.
    replication. See replication design.
    schemas. See schema design.
    security. See security design.
    topology. See topology design.
developing applications
    access control decisions, 654–657
    coexistence, 663–665
    common mistakes, 669–671
    common uses for, 649–658
    cost reductions, 644–647
    customizing your directory, 646–647
    directory-agnostic SDKs, 662–663
    directory-enabling, 648–649
    directory interactions, 665–666
    DSML tools and SDKs, 662
    examples
        directory-enabled finger service (lfingerd.pl), 737–746
        LDAP address lookup in e-mail client (ICEMail), 746–756
        resetting passwords (setpwd), 671–687
        Web site with user profile storage (SimpleSite), 687–722
    facilitating PKI deployment, 652–654
    LDAP command line tools, 659
    LDAP SDKs, 658–659
    LDAP tag libraries, 660–661
    leveraging existing code, 668–669
    locating and sharing information, 649–650
    location independence, 657–658
    performance, 666–668
    piloting, 668
    prototyping, 668
    reasons for, 644–649
    roaming, 657–658
    scalability, 666–668
    tools for, 658–663
    verifying authentication credentials, 650–652
device and application probing, 578
DIGEST-MD5 SASL authentication, 140–141
directories
    accessibility, and privacy, 423–424
    accessing data. See functional model.
    application-specific, 6
    characteristics of
        data distribution, 14–16
        information extensibility, 14
        interoperability, 21–22
        joins, 22–24
        performance, 19–21
        read-to-write ratio, 13–14, 37, 248
        replication, 16–19
        standards, 21–22
        transactions, 22–24
    complementing other services, 35–36
    content design. See data design.
    data problems, troubleshooting, 628–630
    data types, defining. See information model; schemas.
    versus databases, 29–30, 32–33. See also directories, characteristics of.
    definition, 5–6
    design center, 12
    versus DNS servers, 34–35
    dynamic nature of, 6–8
    evaluating the need for, 37
    everyday, 5
    versus file systems, 33
    flexibility, 8–10
    versus FTP servers, 34
    general purpose, 6
    information types, rules, and behavior. See schemas.
    information units, defining. See information model; schemas.
    integrating other data sources. See coexistence.
    NOS (network operating system)-based, 6
    offline, 5
    online, 5–6
    personalization, 11–12
    purpose-specific, 6
    querying, 56
    security, 10–11
    standards-based, 6, 37
    updating, 56
    uses for
        authentication database, 35

        certificate location problem, 31
        configuration management, 27–28
        finding things, 25–26
        lightweight database applications, 29–30
        location independence, 29
        managing things, 26–29
        network-accessible storage device, 36
        organizing and accessing Web server information, 36–37
        PKI life cycle management, 31, 652
        searching versus browsing, 25
        security applications, 31
        synchronization, 27
        user configuration and preference management, 28
    versus Web servers, 33–34
directory-agnostic SDKs, 662–663
Directory Assistance Service (DAS) protocol, 41
directory design, constraints on
    choosing an overall approach, 229
    deployment
        design openness, 224
        overview, 211
        political considerations, 225–226
        prioritizing, 226
        resources, 224
        system administrators, 225
        system designers, 224–225
    hardware, 227
    network, 227–228
    prioritizing, 228–229
    security, 228
    software, 227
directory-enabling existing applications
    considering alternatives, 736–737
    effects on directory service, 735
    examples
        directory-enabled finger service (lfingerd.pl), 737–746
        LDAP address lookup in e-mail client (ICEMail), 746–756
    hiding directory integration, 731–732
    making capabilities visible, 732
    problematic architecture, 733–734
    protocol gateways, 732–733
    reasons for, 726–730
    transition phase, 735–736
directory entries
    adding auxiliary information. See auxiliary classes.
    aliases, 68–69
    change notification, 128–130
    creating, 56, 82
    definition, 60–62
    deleting with delete operation, 56, 82
    deleting with LDIF, 97
    modifying content, 56, 84–86
    modifying DN (renaming), 56, 83–84, 85
    naming, 66
    representing with DSML, 143–145
    representing with LDIF, 93–96
Directory Interface to X.500 Implemented Efficiently (DIXIE) protocol, 41
directory life cycle. See deployment phase; design phase; maintenance phase.
directory outages, 621–623
directory partitioning
    description, 332–335
    examples, 361–369
    multiple-partition example, 364–369
    pros and cons, 351–354
    single-partition example, 361–364
directory partitions, discovery, 336
directory requirements, privacy needs, 420–423
directory schemas. See schemas.
directory server access logs, monitoring, 606–607
directory server configuration files, backup and restore, 542
directory services
    choosing software for. See evaluating directory services software.
    components, 4–5
    as data source, 253
    definition, 4–5
    embedding in applications, 30
    versus protocols, 50
    putting into production. See production rollout.
    testing. See piloting, directory services.
Directory Services Markup Language (DSML), 143–145, 163–164
disabling
    Netscape Directory Server updates, 174
    schema checking, 287, 813–814
    write access to directory data, 173–176
disaster recovery. See also backup and restore.
    case studies, 815, 846, 874
    cold-site recovery, 552–554
    cost, 516–517
    developing a plan, 550–552
    directory-specific issues, 553–554
    hot-site recovery, 552–554
    risk assessment, 550–551
    types of disasters, 549–550
    vendor services, 549
discovery of LDAP features and schema, 47, 125–127
displayEntry subroutine, 743–744
displayOneEntry() method, 711–712
distinguished names (DNs). See DNs (distinguished names).
distributed data. See data, distribution.
distributed denial of service (DDoS) attacks, 416
distributed directories
    authentication, 348–351
    certificate-based client authentication, 350
    configuring, 345–348
    definition, 332–333
    directory server software, 345–348
    security implications, 351
DIXIE (Directory Interface to X.500 Implemented Efficiently) protocol, 41

DNs (distinguished names). See also RDNs (relative distinguished names).
    base-64 encoding, 95–96
    definition, 55
    escaping special characters, 67–68
    identifying replicated entries, 386
    in namespace design, 308–309
    naming entries, 66
    non-ASCII, 95–96
    restricted characters, 67–68
DNS servers versus directories, 34–35
DNS update capabilities, 35
documentation. See Internet drafts; publications; RFCs; standards.
documenting schemas, 299–300
doEditProfile() method, 699, 712–714
doFind() method, 701, 708–711
doGet() method, 699–700
doLogin() method, 701–702
doLogout() method, 699, 707
domains. See directory partitioning.
doNewProfile() method, 699, 712–714
doPost() method, 700–701
DoS (denial of service) attacks, 415–416
doSaveProfile() method, 701, 716–720
DSML (Directory Services Markup Language), 143–145, 163–164
DSML tools and SDKs, 662
dumping databases, 161–164
duplicating directories. See replication.
dynamic groups, 179
dynamic nature of directories, 6–8
dynamic roles, 179
dynamic versus static data elements, 248

e-mail, LDAP address lookup, 746–756
email2LDAPDN() method, 705–706
emitProfileForm() method, 714–716
enabling
    applications for directory services. See directory-enabling applications.
    schema checking, 287, 813–814
encryption
    government restrictions, 429
    server communications, 105–106
    SSL (Secure Sockets Layer), 91–93, 105–107, 113–114, 412, 414, 417, 418
    TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
    tools for, 417
enterprise numbers. See OIDs (object identifiers).
enterprise service providers (ESPs), 459–460
enterprise with an extranet (case study). See also examples; large multinational enterprise; Netscape Communications Corporation.
    access control, delegation, 867–871
    backup and restore, 874
    deployment, 871–874, 877
    design phase
        data, 860
        namespace, 863–865
        needs definition, 859–860
        privacy, 867–871
        replication, 867
        schemas, 861–863
        security, 867–871
        topology, 865–866
    disaster recovery, 874
    leveraging directory services, 876–877
    maintenance phase, 874–876
    monitoring, 876
    motivation, 859
    organizational overview, 856–859
    piloting, 872–873
    product choice, 871–872
    production rollout, 873–874
    summary of results, 877
    troubleshooting, 876
entries. See directory entries.
Entry Change Notification Response control, 128–130
entry naming conflicts, 389
environmental analysis. See analyzing, environment.
equal sign (=)
    equality operator within search filters, 74
    in multivalued RDNs, 66
error handling for the ldapmodify command, 112
escapedValue() method, 706–707
escaping special characters
    within DNs, 67–68
    within search filters, 78–80
ESPs (enterprise service providers), 459–460
establishAddresses() method, 751–752
evaluating directory services software
    criteria
        core features, 463
        cost, 457, 470
        example, 472–474
        extensibility, 470–471
        flexibility, 470–471
        interoperability, 469
        management features, 463–464
        overview, 462–463
        performance, 465–466
        product completeness, 471
        product future, 471
        product support, 471–472
        reliability, 464–465
        scalability, 465–466
        security, 466–467
        standards compliance, 467–469
        vendor services, 472
    ESPs (enterprise service providers), 459–460
    extranet applications, 459
    gathering product information, 475–476
    Internet-facing hosted applications, 459–460
    intranet applications, 458–459

Index 887

lightweight database applications, 460, 462negotiating price, 476–477NOS applications, 458overview, 456–457piloting candidates, 476product categories, 457–462vendor input, 475–476virtual networks, 459

event correlation, monitoring, 578examples. See also enterprise with an extranet; large

multinational enterprise; Netscape Communications Corporation.

ACLs (access control lists), 434–438data element design, 249–251designing schemas, 269directory-enabled finger service, 746–756directory partitioning, 361–369evaluating directory services software, 472–474extending Netscape Directory Server, 180-197finger service, directory-enabled, 737–746flat namespace structure, 325–326hierarchical namespace, 326–327ICEMail, directory-enabled, 746-756LDAP address lookup in e-mail client, 746–756ldapsync tool, 783–793lfingerd.pl gateway, 737–746Netscape Directory Server value constraint plug-in,

180–197one-way synchronization tool, 783–793partitioning directories, 361–369setpwd, a password resetting utility, 671–687SimpleSite, a Web Site with User Profile Storage,

687–722exception handling, 239, 559, 571exclamation point (!), negation within search filters, 78export. See import/export.extended operations

Bulk Import Finished, 138–139Bulk Import Start, 138–139definition, 58, 124

extending object classes. See subclassing.extensibility

definition, 58–59evaluating directory services software, 470–471information, 14LDAP innovation, 47

eXtensible Markup Language (XML), 143–145, 163–164extensible matching, 75–78extensibleObject object class, 272extension discovery, 125–127Extension for Transport Layer Security (RFC 2830), 48,

92–93extensions (Netscape Directory Server value constraint

plug-in example), 180–197external databases, 762EXTERNAL SASL authentication, 139–140extranets

case study. See enterprise with an extranet.evaluating directory services software, 459

failure types, monitoring, 589false alarms, monitoring, 593feedback from piloting, 492–494, 496–497file systems versus directories, 33files as data source, 253–254find.htm file, 695finger service, directory-enabled, 737–746firewalls, 417–418flat namespace structure, example, 325–326flat versus hierarchical namespace schemes, 315–317flexibility

of directories, 8–10evaluating directory services software, 470–471

focus groups, 494following referrals. See chasing referrals.forging credentials, 412format

data elements, 244schemas, 273–283

fractional replicas, 392–394FTP servers versus directories, 34functional model

authentication and control operationsbind operation, 86-87unbind operation, 87abandon operation, 87-88

interrogation operationscompare operation, 81–82search filters, 74–81search operation, 70–73

purpose of, 69update operations

add operation, 82delete operation, 82modify operation, 84-86modify DN (rename) operation, 83–85

GC (global catalog), Microsoft Active Directory, 352, 394general purpose directories, 6getIDWithRedirect() method, 708get_rebind_credentials() function, 683getResponseControls() method, 138getSecondsToExpiration() method, 138global catalog (GC), Microsoft Active Directory, 352, 394glue entries, 394goals and milestones, 212, 230–232groups, 179

hackers, 411hard failures, 579–580hardware constraints, 227hardware cost

apportioning to software costs, 510deployment phase, 504–507upgrade and replacement, 511–512

Hickman, Kipp, 418hiding search filters, 80–81hierarchical namespace, example, 326–327hierarchies, attributes, 264–265


hijacking connections, 412
homegrown databases, 762
horizontal scalability, 17
host-based SNMP agents, 587
hot backups, 164
hot-site recovery, 552–554
Howes, Tim, 117
HTTP digest authentication, 428
hung connections, 622

IANA (Internet Assigned Numbers Authority), 292
ICEMail client, directory enabling, 746–756
IDS (Integrated Directory Services) IETF working group, 49
IDSs (intrusion detection systems), 418
IETF (Internet Engineering Task Force), 42, 49
immediate superior knowledge references, 336–337
implementation, coexistence considerations, 780–783
import/export
  bulk import, 138–139
  data interchange format. See LDIF.
  DSML, 163–164
incremental backups, 539
incremental replication updates, 377–379
indirect monitoring, 580, 591–592, 848
information model, 60–63
information privacy and integrity, 440–446
inheritance, object class, 271–272
init() method, 698–699
installing Netscape Directory Server, 148–155
instant messaging, 177, 179, 738
Integrated Directory Services (IDS) IETF working group, 49
interactive authentication and login applications, 356
internationalization, 47, 118–119
Internet Assigned Numbers Authority (IANA), 292
Internet drafts. See also publications; RFCs; standards.
  definition, 42
  LDAP Client Update Protocol, 142
  [LDAP] over UDP/IP, 142
  LDAP...Browsing of Search Results, 132
  LDAPv3: All Operational Attributes, 73
  Named Subordinate References in [LDAP] Directories, 128
  Password Policy for LDAP Directories, 136
  Proxied Authorization Control, 136
  A Taxonomy of Methods for...Finding Servers, 142
Internet Engineering Task Force (IETF), 42, 49
Internet-facing hosted applications, 459–460
Internet resources. See online resources.
Internet Security Scanner (ISS), 419
Internet X.509 Public Key Infrastructure LDAPv2 Schema (RFC 2587), 290
interoperability, 21–22, 469
interrogation operations
  compare operation, 81–82
  definition, 56
  search filters, 74–81
  search operation, 70–73
interviews, 494
intranet applications, 458–459
intrusion detection systems (IDSs), 418
IP Security Protocol (IPsec), 419
ISO 639 (Code for the Representation of Names of Languages), 119
ISO 3166 (Codes for the Representation of Names of Countries), 119
ISS (Internet Security Scanner), 419

Java API, 117, 658, 662
The Java LDAP Application Program Interface, 142, 658
Java Naming and Directory Interface (JNDI) API, 118, 662, 693
JNDI (Java Naming and Directory Interface) API, 118, 662, 693
join attributes, 775
joins, 22–24, 768–770, 783–793

Kerberos, 418–419
key pairs, 444
keys, 444
knowledge references, 336–337

language codes, 118–119
large multinational enterprise (case study). See also enterprise with an extranet; examples; Netscape Communications Corporation.
  backup and restore, 846
  cost analysis, 844–845
  deployment, 842–845, 850–852
  design phase
    data, 829–830
    namespace, 833–835
    needs definition, 828–829
    privacy, 839–841
    replication, 836–839
    schemas, 831–833
    security, 839–841
    topology, 836
  disaster recovery, 846
  leveraging directory services, 849–852
  maintenance phase, 846–849
  monitoring, 848–849
  motivating factors, 826–828
  organizational overview, 824–826
  piloting, 843–844
  product choice, 842
  production rollout, 845
  summary of results, 852–853
  troubleshooting, 849
latency, 217–218
latency by attribute type, replication, 395
LBER (Lightweight BER), 59
LCUP (LDAP Client Update Protocol), 142
LDAP
  advantages, 50–51
  command line tools, 659
  definition, 49


  directory hierarchy versus UNIX file system hierarchy, 63–66
  future directions, 141–145
  history and origins, 38–50
  models. See functional model; information model; naming model; security model.
  as monitoring tool, 580
  overview, 54–58
  typical protocol exchange, 56–57
  on the wire, 59
LDAP: Programming...with Lightweight Directory Access Protocol, 117
LDAP Client Update Protocol (LCUP), 142
LDAP controls. See controls.
LDAP Data Interchange Format (LDIF). See LDIF (LDAP Data Interchange Format).
[LDAP] over UDP/IP, 142
LDAP SDKs, 658–659
LDAP tag libraries, 660–661
LDAP URL Format (RFC 2255), 48
LDAP (v3) Attribute Syntax Definitions (RFC 2252), 61–62
ldap_analyzer.pl script, 607–615
LDAPBIS (LDAPv3 Revision) IETF working group, 49
LDAP...Browsing of Search Results, 132
ldapcompare command, 659
LDAPConnection.authentication() methods, 140
ldap_create_persistentsearch_control() function, 130
ldap_create_proxyauth_control() function, 137
ldap_create_sort_control() function, 131
ldap_create_sort_keylist() function, 131
ldap_create_virtuallist_control() function, 135
ldapdelete command, 659
LDAPEntryChangeControl class, 130
LDAPEXT IETF working group, 49
ldapLookup() method, 752–755
ldapmodify command-line utility, 110–115, 659
ldap_parse_entrychange_control() function, 130
ldap_parse_result() function, 137
ldap_parse_sort_control() function, 131
ldap_parse_virtuallist_control() function, 135
LDAPPersistSearchControl class, 130
ldap_probe.pl script, 600–602
LDAPProxiedAuthControl class, 137
ldap_sasl_bind() function, 140
ldap_sasl_bind_s() function, 140
ldapsearch command, 659
ldapsearch command-line utility
  binding, 102–103
  definition, 101
  encrypting server communications, 105–106
  filters, 102, 104–105
  options, 106–110
  retrieving a single entry, 102
  retrieving specified attributes, 103–104
  sample searches, 101–102
  search base, 102
  searching with SSL (Secure Sockets Layer), 105–106
LDAPSortControl class, 131
LDAP...Sorting of Search Results (RFC 2891), 131
LDAPSortKey class, 131
ldapssl_clientauth_init() function, 140
LDAPSSLSocketFactory class, 140
LDAPv3: All Operational Attributes, 73
LDAPv3: Technical Specification (RFC 3377), 48
LDAPv3 (RFC 2251), 47
LDAPv3 Attribute Syntax Definitions (RFC 2252), 47, 61–62, 274
[LDAPv3] Extension for Transport Layer Security (RFC 2830), 142
LDAPv3 extensions, 125–127. See also controls; extended operations; SASL authentication.
LDAPv3 Revision (LDAPBIS) IETF working group, 49
LDAPv3 schema format, 273–279
LDAPv3 UTF-8 String Representation of Distinguished Names (RFC 2253), 47
LDAPVirtualListControl class, 135–136
LDAPVirtualListResponse class, 136
LDIF backup, 540–542
LDIF (LDAP Data Interchange Format)
  adding entries, 96–97
  backup and restore, 540–542
  definition, 93
  deleting attribute values, 97–98
  deleting attributes, 98
  deleting entries, 97
  dumping databases to, 161–162
  file types, 93
  folding long lines, 94–95
  modifying attribute values, 97–99
  modifying entries, 97–99
  moving entries, 99–100
  renaming entries, 99–100
  representing directory entries, 93–96
  update statements, 96–100
ldif2db command, 161
left angle, equal sign (<=), greater than or equal to, within search filters, 75
legal considerations, 239, 426–427
level of service, 218
leveraging directory services, case studies, 818–821, 849–852, 876–877
lfingerd.pl gateway example, 737–746
LFMs (log file monitors), 420
life cycle
  directory. See deployment phase; design phase; maintenance phase.
  PKI life cycle management, 31, 652
Lightweight BER (LBER), 59
lightweight database applications, 29–30, 460, 462
Lightweight Directory Access Protocol. See LDAP.
locality, effects of replication, 17
location independence, 29, 657–658
log file monitors (LFMs), 420
login.htm file, 694


logs
  analyzing, 410, 580–581, 590–591
  changelog, 379
  directory server access, 606–607
  LFMs (log file monitors), 420
  operating system, 607
  transaction, 539

main() function, 675–680
maintenance phase. See also data, maintenance.
  case studies, 815–818, 846–849, 874–876
  cost of contracts, 518–519
  definition, 202
  description, 206–207
  schemas, 300
man-in-the-middle attacks, 414
ManageDSAIT control, 128
management features, evaluating directory services software, 463–464
Management Information Base (MIB), 584–587
mandatory attributes, 268
manuals. See Internet drafts; publications; RFCs; standards.
mapping
  networks, 214–215
  organizational structure and geography, 213
marketing and publicity plan, 528–529
masquerading, 415
matching rules, 61, 265, 267
message-oriented protocols, 54
messaging applications, 356–357
MIB (Management Information Base), 584–587
Microsoft Active Directory, 345, 394
migration, 763–764
milestones and goals, 212, 230–232
mix-in (auxiliary) object classes, 268, 295
moddn changetype LDIF statement, 99–100
modify changetype LDIF statement, 97–99
modify DN (rename) operation, 56, 83–84, 85
modify operation, 56, 84–86. See also ldapmodify command-line utility.
modifying
  attribute values with LDIF, 97–99
  directory entries, 56, 84–86
  DNs (distinguished names), 56, 83–84, 85
  entries with LDIF, 97–99
  entry names, 56, 83–84, 85
modifytype LDIF statement, 97
monitoring. See also troubleshooting.
  case studies, 817–818, 848–849, 876
  coexistence, 782–783
  conceptual models, 578–579
  cost, 512–513
  data quality, 591
  device and application probing, 578
  directory server access logs, 606–607
  event correlation, 578
  failure types, 589
  false alarms, 593
  hard failures, 579–580
  indirect, 580, 591–592
  introduction, 578–582
  LDAP traffic, 59
  log file analysis, 580–581, 590–591
  messages, 584
  methods, 580–581
  MIB (Management Information Base), 584
  minimizing failure effects, 596–597
  notification, 578, 592–596
  operating system logs, 607
  operating system performance data, 580
  performance analysis, 578, 605–616
  principles, 581–582
  problem correction, 598
  problem histories, 581
  problem reports, 598–599
  problem spotting, 616
  raw usage data, 606–607
  reported problems, 638
  root causes, 597–598
  sample utility, 599–605
  synchronization processes, 591
  taking action, 596–599
  tools for
    custom probing tools, 588–592
    host-based SNMP agents, 587
    LDAP (Lightweight Directory Access Protocol), 580
    MIB (Management Information Base), 585–587
    NMSs (network management systems), 583–587
    SNMP (Simple Network Management Protocol), 580, 583–587
  traps, 584
  trend spotting, 616
  unobtrusiveness, 581
moving entries, 99–100
Mozilla project, 115–116, 658, 737, 817
multimaster replication, 383–391, 544
multiple storage locations, 239
multivalued RDNs, namespace design, 308, 320
mutual authentication, 417

N-way join, 768–770, 783–793
N+1 directory problem, 27
name resolution
  chaining, 343–344
  client-side processing, 339–343, 344–345
  definition, 337
  LDAP referrals, 339–341
  purported names, 338–339
  search result continuation references, 339–343
  server-side processing, 343–345
Named Subordinate References in [LDAP] Directories, 128
namespace design
  access control, 311
  application support, 312
  case studies, 805–808, 833–835, 863–865
  data organization, 310
  data reference, 309–310


  flat structure, example, 325–326
  hierarchical, example, 326–327
  motivating factors, 324
  multivalued RDNs, 308, 320
  needs definition
    application considerations, 320–321
    flat versus hierarchical schemes, 315–317
    future needs, 324
    naming attributes, 318–320, 322–323
    naming RDNs, 322–323
    privacy considerations, 323–324
    suffixes, 313–315
  overview, 305–306
  partitioning data, 310–311
  purposes of a namespace, 309–313
  RDNs, 308, 320
  replication, 311
  reuse policy, 322
  structure of a namespace, 306–309
  topology design, 359–360
naming
  directory entries, 66
  RDNs, 322–323
  schema attributes, 262, 291
naming attributes, 318–320, 322–323
naming context. See directory partitioning.
naming model, 63–69
needs definition, case studies, 799–801, 828–829, 859–860
Net::LDAP Perl-LDAP modules, 659
Netscape 7.0, 177
Netscape Certificate Management System, 177
Netscape Communications Corporation (case study). See also enterprise with an extranet; examples; large multinational enterprise.
  backup and restore, 815
  deployment phase, 812–815, 819–821
  design phase
    data, 801–804
    data element inventory, 803
    data owners, 802
    data users, 803
    namespace, 805–808
    needs definition, 799–801
    privacy, 810–812
    replication, 809–810
    schemas, 804–805
    security, 810–812
    topology, 808–809
  disaster recovery, 815
  leveraging directory services, 818–821
  maintenance phase, 815–818
  monitoring, 817–818
  motivating factors, 799
  organizational overview, 798–799
  piloting, 813
  product choice, 813
  production rollout, 814–815
  schema checking, enabling, 813–814
  summary of results, 821–822
Netscape Communicator, 177
Netscape Delegated Administrator, 177–178
Netscape Directory Server
  access control, 167–173
  databases
    backing up, 164–165, 538–543
    bulk loading, 161
    default, 160
    dumping to a DSML file, 163–164
    dumping to an LDIF file, 161–162
    restoring, 165–167
  default port, 151
  disabling updates, 174
  distribution and chaining, 346–348
  extending (value constraint plug-in example), 180–197
  features, 178–180
  history, 176–177
  installing, 148–155
  LDAP-enabled companion products, 177–178
  loading sample data, 152–155
  product focus, 177–178
  Proxied Authorization, 167–173
  proxy right, 167–173
  reconfiguring with LDAP, 173–176
  searching, 155–160
  system requirements, 148
Netscape Directory Server Administrator's Guide, 91, 105
Netscape LDAP C SDK, 658
Netscape LDAP Java SDK, 658
network intrusion detection systems (NIDSs), 419
network management systems (NMSs), 583–587
network operating system (NOS)-based directories, 6
network operating systems (NOSs), 253–254, 761
networks
  constraints on system design, 227–228
  managing, 583–587
  mapping, 214–215
  monitoring, 419, 583–587
  needs definition, 214–215
  security and privacy needs definition, 424–425
  security tools, 419
  sniffing, 412
  topology design, 358–359
  virtual, 459
NIDSs (network intrusion detection systems), 419
NMSs (network management systems), 583–587
non-ASCII attribute values, 95–96
non-ASCII DNs, 95–96
NOS applications, 458
NOS (network operating system)-based directories, 6
NOSs (network operating systems), 253–254, 761
notification of problems, 578, 592–596, 633–635
notify.conf configuration file, 605
notify.pl script, 602–604
Novell eDirectory, 345


OASIS (Organization for the Advancement of Structured Information Standards), 143
object classes, designing schemas
  abstract, 268
  allowed (optional) attributes, 268, 274–277
  ASN.1 format, 282–283
  auxiliary (mix-in), 268, 279, 295–297
  example, 269
  extensibleObject, 272
  inheritance, 271–272
  kind of object, 268
  LDAPv3 format, 277–279
  mandatory attributes, 268
  mix-in (auxiliary), 268, 295
  multiple, 269–270
  names, 268
  overview, 267–269
  structural, 268, 278
  subclassing, 271–272, 293–295
  superclasses, 271–272
  superior classes, 271–272
object identifiers (OIDs), 76–77, 124
objectClasses attribute, 274–277
offline directories, 5
OIDs (object identifiers), 76–77, 124, 292
one-way authentication, 417
one-way synchronization, 764–766, 783–793
online comments, user feedback, 494
online directories, 5–6
online backup and restore, 539
online resources
  ADSI API, 118
  APIs, 115–116, 117–118
  C language SDK, 115–116
  Crack password cracking package, 447
  IETF (Internet Engineering Task Force), 42
  IETF working groups, 49
  Java API, 117
  JNDI API, 118
  LDAPBIS IETF Working Group, 141
  LDAPv3: All Operational Attributes Internet Draft, 73
  Mozilla project, 115–116
  obtaining OIDs, 292
  OpenLDAP Project, 115–116
  password cracking, 447
  Perl API, 117
  Python API, 117
  SDKs, 115–116
  security tools, 419, 420
  Snort network intrusion detection system, 419
  Sun Microsystems, 115
  Swatch log file monitor package, 420
  Tripwire system integrity verifier package, 420
OpenLDAP Project, 115–116
operating system logs, 607
operating system performance data, 580
operational attributes, 62, 263
operations, canceling, 56
OR operators within search filters, 78
organization data. See naming model.
Organization for the Advancement of Structured Information Standards (OASIS), 143
organizational structure and geography, needs definition, 213
originating writes, 387
OSI-DS IETF working group, 49
ownership of data, 245–246

parentheses (( )), grouping terms within search filters, 78
partition root, 333
partitioning. See data, partitioning; directory partitioning.
Password Expired control, 137–138
Password Expiring control, 137–138
Password Policy for LDAP Directories, 136
passwords
  cracking, 447
  encrypting, 428–430
  expiration, 137–138
  hashing, 89
  policies, 446–448
  resetting, sample utility, 671–687
  rules for choosing, 447
  simple, 428
  zero-length, 670
performance
  application needs definition, 217–218
  applications for, 666–668
  coexistence considerations, 781
  data maintenance effects, 568–569
  directory characteristic, 19–21
  effects of replication, 17
  evaluating directory services software, 465–466
  monitoring, 578, 605–616
  problems, troubleshooting, 623–627
  replication design, 400–402
  testing, 466
  vendor-supplied figures, 401
Perl API, 117
PerLDAP Perl module, 659, 737, 787, 817
Persistent Search Request control, 128–130
personalizing directories, 11–12
physical access, 413
physical security, privacy needs definition, 424–425
piloting
  case studies, 813, 843–844, 872–873
  directory services. See also production rollout.
    applying the results, 496–497
    collecting feedback, 492–494, 496–497
    cost, 503–504
    documentation, 485–487
    goals, 484
    prepilot testing, 482–483
    prospective software purchases, 476
    rollout, 491–492
    scaling up, 495–496
    scope, 484–485
    setting up the environment, 489–491


    timeline, 484–485
    training materials, 485–487
    user categories, 486–487
    users, selecting, 487–489
  new applications, 668
PKI
  certificate life cycle management, 31, 652
  facilitating deployment, 652–654
  overview, 444–445
  privacy and security, 443–446
  revocation, 445
plus sign (+), in search operations, 73
pointers to data element values, 236
political considerations
  cost, 500
  data design, 257
  deployment constraints, 225–226
  topology design, 361
pound sign (#), comment indicator, 605, 783
prefix notation for search filters, 78
presence filters, 75
print_ldap_error() function, 683
prioritizing
  application needs definition, 219–220
  constraints, 228–229
  deployment constraints, 226
  user needs and expectations, 223
privacy
  application needs definition, 219
  case studies, 810–812, 839–841, 867–871
  coexistence considerations, 774–776
  information, 440–446
  namespace design, 323–324
  needs definition
    administration, 422–423
    applicable laws, 426–427
    corporate policies, 426–427
    data sensitivity, 421
    directory accessibility, 423–424
    directory requirements, 420–423
    environment analysis, 423–425
    network environment, 424–425
    physical security, 424–425
    read/write access, 420
    replication, 421–422
    synchronization, 421–422
    user community, 423
    user expectations, 425–426
  TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
  user information, 448–449
  user needs and expectations, 222
problem reports, 598–599, 638–639
problems. See monitoring; troubleshooting.
product choice, case studies, 813, 842, 871–872
product completeness, software criteria, 471
product evaluation. See evaluating directory services software.
product future, software criteria, 471
product support, software criteria, 471–472
production rollout. See also piloting, directory services.
  case studies, 814–815, 845, 873–874
  incremental approach, 530
  maintaining focus, 530
  potential problems, 532
  prerequisite tasks, 525–526
  publicity and marketing plan, 528–529
  required resources, 525
  rollout plan, 527
  success criteria, 527–528
  thinking ahead, 530–533
  timing, 529–530
protocol operations, 56–58
prototyping new applications, 668
Proxied Authorization, 136–137, 167–173
Proxied Authorization Control, 136
proxy right, 136, 167–173
publications. See also Internet drafts; RFCs.
  Directory Server Configuration, Command, and File Reference, 173
  LDAP: Programming...with Lightweight Directory Access Protocol, 117
  Netscape Directory Server 6 Administrator's Guide, 91, 105
  Netscape Directory Server 6 Installation Guide, 148
publicity and marketing plan, 528–529
purported names, 338–339
purpose-specific directories, 6
Python-LDAP module, 117, 659

querying directories, 56
Quipu, 40

randompwd() function, 684–685
randomword() function, 685–686
RDNs (relative distinguished names). See also DNs (distinguished names).
  definition, 66
  multivalued, 66–67, 308
  in namespace design, 308, 320
read-to-write ratio, 13–14, 37, 248
read/write access, privacy needs definition, 420
redundancy, data design, 238
reference material. See Internet drafts; publications; RFCs; standards.
referrals
  chasing, 342, 381, 670
  definition, 339–341
  direct manipulation, 128
  LDAP innovation, 47
  rebind function, 670, 679, 683
referring to data. See naming model.
refused connections, 622
rejects file, 112
relative distinguished names (RDNs). See RDNs (relative distinguished names).


reliability
  versus availability, 18
  effects of replication, 17
  evaluating directory services software, 464–465
  replication design, 398–400
rename (modify DN) operation, 56, 83–84, 85
renaming
  directory entries (changing DNs), 56, 83–84, 85
  LDIF, 99–100
  modify DN (rename) operation, 56, 83–84, 85
replace modifytype LDIF statement, 97–98
replica update vectors (RUVs), 387–388
replicas
  maximum number of, 402–404
  refreshes, 377–379
  replication updates versus client updates, 387
replication
  access control, 396
  ACLs (access control lists), 396
  agreements, 375
  as backup and restore tool, 543–545
  case studies, 809–810, 836–839, 867
  changelog, 379
  client updates versus replica updates, 387
  clock synchronization, 385–386
  conflict resolution, 384–388
  consistency, 375–377
  consumers, 375
  convergence, 375–377
  CSNs (change sequence numbers), 379
  dampening, 388
  of data sources, 255
  definition, 16
  deleted entries, restoring, 390
  deleted entry conflicts, 390
  directory characteristic, 16–19
  entry naming conflicts, 389
  fractional replicas, 392–394
  GC (global catalog), 352, 394
  glue entries, 394
  granularity, 386
  horizontal scalability, 17
  incremental updates, 377–379
  initial population, 379–380
  latency by attribute type, 395
  multimaster strategy, 383–391
  namespace design, 311
  originating writes, 387
  privacy needs definition, 421–422
  protocols, 391
  purpose of, 272
  reasons for, 16–17
  replica refreshes, 377–379
  RUVs (replica update vectors), 387–388
  scheduling, 395
  schemas, 395–396
  sequence numbers, 385–386
  server-to-server, 179
  single-master strategy, 381–383
  single-value constraint conflicts, 391
  sparse replicas, 392–394
  subsets of directory information, 392–394
  suppliers, 375
  synthetic time, 385
  tombstone entries, 390
  total updates, 377–379
  unique identifiers, 386
  unit of replication, 375
  update conflict resolution policy, 383–384
  update resolution policies, 389–391
  wall-clock time, 385
replication design
  capacity planning, 401
  cascaded configuration, 403
  choosing a solution, 404
  maximum number of replicas, 402–404
  overhead considerations, 404
  overview, 396–398
  performance, 400–402
  reliability, 398–400
  synchronization traffic reduction, 403
  vendor-supplied performance figures, 401
reportError() method, 721–722
repositories of data. See data sources.
Requests for Comments. See RFCs.
resetpwd() function, 680–681
resources, deployment constraints, 224
restore. See backup and restore; disaster recovery.
restricted characters
  DNs (distinguished names), 67–68
  search filters, 78–79, 80
restrictions. See constraints.
reuse policy, namespace design, 322
RFCs. See also Internet drafts; publications; standards.
  2222 (SASL...), 139
  2251 (LDAP (v3)), 47
  2252 (LDAP (v3) Attribute Syntax Definitions), 47, 61–62, 274
  2253 (LDAP (v3) UTF-8 String Representation of Distinguished Names), 47
  2254 (String Representation of LDAP Search Filters), 47
  2255 (LDAP URL Format), 48
  2256 (Summary of the X.500(96) User Schema for Use with LDAPv3), 48
  2587 (Internet X.509 Public Key Infrastructure LDAPv2 Schema), 290
  2820 (Access Control Requirements for LDAP), 142
  2829 (Authentication Methods for LDAP), 48, 90, 125
  2830 ([LDAPv3] Extension for Transport Layer Security), 48, 92–93, 142
  2831 (Using Digest Authentication as a SASL Mechanism), 140
  2891 (LDAP...Sorting of Search Results), 131
  3377 (LDAP (v3): Technical Specification), 48
right angle, equal sign (>=), greater than or equal to operator within search filters, 75
risk assessment, disaster recovery, 550–551


roaming, 657–658
roles, 179
rollback, definition, 23
rollout. See production rollout.
root DSE, 47, 125–127, 336
Ruby/LDAP module, 659
RUVs (replica update vectors), 387–388

SASL... (RFC 2222), 139
SASL authentication
  definition, 124–125
  description, 431
  DIGEST-MD5, 140–141
  EXTERNAL, 139–140
SASL bind operation, 86–87
SASL (Simple Authentication and Security Layer), 59, 419
SATAN (Security Administrator Tool for Analyzing Networks), 419
scalability. See also replication.
  evaluating directory services software, 465–466
  horizontal, 17
scheduling replication, 395
schema design
  ASN.1 format, 280–283
  attributes, 274–277
    allowed (optional), 268, 274–277
    hierarchies, 264–265
    matching rules, 265, 267
    naming, 262, 291
    operational, 263
    subtypes, 264–265
    supertypes, 264–265
    syntax, 265, 266
    type example, 263–264
    usage indicators, 262, 276
    values, 262
  changing existing schemas, 301
  configuration, 285–286, 301
  versus designing data, 286
  documenting schemas, 299–300
  elements
    defining, 291–299
    modifying, 293
    summary of, 272–273
  evolution, 300
  formats, 273–283
  LDAPv3 format, 273–279
  maintenance, 300
  new object types, 297–298
  object classes
    abstract, 268
    allowed (optional) attributes, 268, 274–277
    ASN.1, 282–283
    auxiliary (mix-in), 268, 279, 295–297
    example, 269
    extensibleObject, 272
    inheritance, 271–272
    kind of object, 268
    LDAPv3, 277–279
    mandatory attributes, 268
    mix-in (auxiliary), 268, 279, 295–297
    multiple objects, 269–270
    names, 268
    overview, 267–269
    structural, 268, 278
    subclassing, 271–272, 293–295
    superclasses, 271–272
    superior classes, 271–272
  OIDs, obtaining and assigning, 292
  overview, 285–287
  predefined, sources of, 287–290
  purpose of schemas, 260–261
  review boards, 300
  schema checking, description, 283–284
  schema checking, disabling, 287
  subschema entries, 274
  tips for, 298–299
  upgrading directory service software, 301
  using existing schemas, 285
schemas
  adding to directory servers, 289–290
  ASN.1 format, 280–283
  case studies, 804–805, 831–833, 861–863
  changing, 301
  checking, description, 283–284
  checking, disabling, 287
  checking, enabling, 813–814
  configuration, 285–286, 301
  configuration files, backup and restore, 542
  definition, 14, 62–63, 259–260
  versus designing data, 286
  directory-enabled applications, 287–288
  from directory vendors, 289
  discovery, 47
  documenting schemas, 299–300
  evolution, 300
  formats, 273–283
  LDAPv3 format, 273–279
  maintenance, 300
  new object types, 297–298
  OIDs, obtaining and assigning, 292
  predefined, sources of, 287–290
  purpose of, 260–261
  replication, 395–396
  reusing existing, 285
  review boards, 300
  standard, 288–289
  subschema entries, 274
script kiddies, 411
SDKs, 115–116
search base, 70, 102
search filters
  ( ) (parentheses), grouping search terms, 78
  & (ampersand), AND operator, 78
  * (asterisk), wildcard, 74
  = (equal sign), equality operator, 74
  ! (exclamation point), negation operator, 78


  <= (left angle, equal sign), greater than or equal to operator, 75
  >= (right angle, equal sign), greater than or equal to operator, 75
  | (vertical bar), OR operator, 78
  ~= (tilde, equal sign), approximation operator, 74–75
  combining terms, 78
  escaping special characters, 78–79, 80
  extensible matching, 75–78
  hiding from users, 80–81
  ldapsearch utility, 102, 104–105
  list of, 79
  OIDs (object identifiers), 76–77
  AND operator, 78
  OR operator, 78
  prefix notation, 78
  presence, 75
  restricted characters, 78–79, 80
  specifying, 72
  substrings, 74
search operation. See also compare operation.
  abusive searches, 669
  alias dereferencing, 72
  all entries below an entry, 80
  all entries within a subtree, 80
  definition, 56
  filters, 72
  Netscape Directory Server, examples, 155–160
  parameters, 70–73
  requests, canceling, 56, 87–88
  retrieving a single entry, 102
  retrieving all operational attributes, 73
  retrieving attributes only, 72–73
  retrieving specified attributes, 103–104
  sample searches, 101–102
  single entries, 80
  size limit, 72
  with SSL (Secure Sockets Layer), 105–106
  starting point, specifying, 70
  time limit, 72
  types of searches, 80
search results
  continuation references, 339–343
  sorting, 130–131
  viewing, 132–136
search scope, 70–71, 102
searching versus browsing, 25
Secure Shell (SSH), 419
Secure Sockets Layer (SSL), 91–93, 105–107, 113–114, 180, 412, 414, 417, 418
security. See also authentication; passwords.
  application needs definition, 219
  backdoor access, 413
  case studies, 810–812, 839–841, 867–871
  certificate authority, 444
  certificate issuance, 444
  certificate revocation list, 445
  certificates, 444
  coexistence considerations, 774–776
  connection hijacking, 412
  constraints on system design, 228
  credential forging, 412
  credential stealing, 412
  data maintenance, 567
  DDoS (distributed denial of service) attacks, 416
  delegation risks, 869
  directory characteristic, 10–11
  distributed directory implications, 351
  DoS (denial of service) attacks, 415–416
  encryption
    government restrictions, 429
    server communications, 105–106
    SSL (Secure Sockets Layer), 91–93, 105–107, 113–114, 412, 414, 417, 418
    TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
    tools for, 417
  evaluating directory services software, 466–467
  guidelines, 408–409
  hackers, 411
  key pairs, 444
  keys, 444
  LDAP as server administration protocol, 175
  LDAP innovations, 47
  log analysis, 410
  man-in-the-middle attacks, 414
  masquerading, 415
  network sniffing, 412
  physical, privacy needs definition, 424–425
  physical access, 413
  PKI revocation, 445
  problems, troubleshooting, 630–632
  purpose of, 409–411
  script kiddies, 411
  software bugs, 413–414
  threats, 411–416
  trawling, 410
  Trojan horses, 413–414
  unauthorized access, 412–414
  unauthorized tampering, 414–415
Security Administrator Tool for Analyzing Networks (SATAN), 419
security applications, 31
security design
  access control, 432–434
  access control policy, 433–434
  ACLs (access control lists)
    description, 432–433
    examples, 434–438
    placement, 439–440
  administrative controls, 446–448
  anonymous authentication, 427–428
  authentication, 427–431
  certificate authentication, 430–431
  deployability, 449–450
  HTTP digest authentication, 428


  information privacy and integrity, 440–446
  password policies, 446–448
  passwords, encrypting, 428–430
  passwords, simple, 428
  PKI, 443–446
  SASL authentication, 431
  user privacy, 448–449
security model
  access control, 90–91
  authentication, 88, 90
  binding, 89
  TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
security needs definition
  administration, 422–423
  applicable laws, 426–427
  corporate policies, 426–427
  data sensitivity, 421
  directory accessibility, 423–424
  directory requirements, 420–423
  environment analysis, 423–425
  network environment, 424–425
  physical security, 424–425
  read/write access, 420
  replication, 421–422
  synchronization, 421–422
  user community, 423
  user expectations, 425–426
security tools
  auditing, 417
  authentication, 417, 418
  Crack password cracking package, 447
  encryption, 417
  firewalls, 417–418
  IDSs (intrusion detection systems), 418
  IPsec (IP Security Protocol), 419
  ISS (Internet Security Scanner), 419
  Kerberos, 418–419
  LFMs (log file monitors), 420
  mutual authentication, 417
  NIDSs (network intrusion detection systems), 419
  one-way authentication, 417
  online resources, 419, 420
  SASL (Simple Authentication and Security Layer), 419
  SATAN (Security Administrator Tool for Analyzing Networks), 419
  signing, 417
  SIVs (system integrity verifiers), 419–420
  Snort network intrusion detection system, 419
  SSH (Secure Shell), 419
  SSL (Secure Sockets Layer), 91–93, 105–107, 113–114, 412, 414, 417, 418
  Swatch log file monitor package, 420
  TLS (Transport Layer Security), 91–92, 412, 414, 417, 418
  Tripwire system integrity verifier package, 420
  two-way authentication, 417
sequence numbers, replication, 385–386
Server-Side Sorting Request control, 130–131
Server-Side Sorting Response control, 130–131
server software, 100
sessions, terminating, 56
setpwd utility example, 671–687
setpwd.c prelude, 672–674
setting goals and milestones, 230–232
signing, 417
simple authentication, 88
Simple Authentication and Security Layer (SASL), 59, 419
Simple Network Management Protocol (SNMP), 580, 583–587
SimpleSite example, a Web Site with User Profile Storage, 687–722
SimpleSiteServelet.java, 695–698
single-master replication, 381–383, 546–547
single-value constraint conflicts, 391
SIVs (system integrity verifiers), 419–420
size, data element values, 244–245
slapd (standalone LDAP daemon), 45–46
Smith, Mark, 117
snapshot restores, 540
sniffers, monitoring LDAP traffic, 59
SNMP (Simple Network Management Protocol), 580, 583–587
Snort network intrusion detection system, 419
software
  bugs, security risks, 413–414
  constraints on system design, 227
  cost
    apportioning to hardware cost, 510
    deployment phase, 507–509
    upgrades, 509–511
  directory service, choosing. See evaluating directory services software.
sorting search results, 130–131
source of truth method, 572
sources of data. See data sources.
sparse replicas, 392–394
spot checks for bad data, 573
SSH (Secure Shell), 419
SSL (Secure Sockets Layer), 105–106, 180, 418
standalone directory service, 45–46
standalone LDAP daemon (slapd), 45–46
standard directories, 38–41
standards. See also Internet drafts; RFCs.
  directory characteristic, 21–22
  DNS update capabilities, 35
  ISO 639 (Code for the Representation of Names of Languages), 119
  ISO 3166 (Codes for the Representation of Names of Countries), 119
  in the works, 141–142
standards-based directories, 6, 37
standards compliance, software evaluation criteria, 467–469
standards documents. See Internet drafts; RFCs; standards.

Howes.book Page 897 Friday, April 4, 2003 11:38 AM


standards groups
    ASID (Access, Searching, and Indexing of Directories) IETF working group, 49
    IDS (Integrated Directory Services) IETF working group, 49
    IETF (Internet Engineering Task Force), 42, 49
    LDAPBIS (LDAPv3 Revision) IETF working group, 49
    LDAPEXT (LDAP Extensions) IETF working group, 49
    OASIS (Organization for the Advancement of Structured Information Standards), 143
    OSI-DS IETF working group, 49

stealing credentials, 412
String Representation of LDAP Search Filters (RFC 2254), 47
structural object classes, 268, 278
subarcs, OID, 77
subclassing object classes, 271–272, 293–295
subordinate knowledge references, 336–337
subschema entries, 274
substring search filters, 74
subtypes, 264–265
suffixes, namespace design, 313–315
Summary of the X.500(96) User Schema for Use with LDAPv3 (RFC 2256), 48
Sun Microsystems, 115
superclasses, 271–272
superior classes, 271–272
supertypes, 264–265
suppliers, replication, 375
support costs, 517–519, 567–568
Swatch log file monitor package, 420
synchronization
    of data sources, 255–256
    monitoring, 591
    privacy needs definition, 421–422
    role of directories, 27
    traffic, reducing, 403
syntax associated with attribute types, 61–62, 265–266
synthetic time, 385
system administration
    privacy needs definition, 422–423
    security controls, 446–448
system administrators
    as data source, 254
    as deployment constraints, 225
system designers, as deployment constraints, 224–225
system integrity verifiers (SIVs), 419–420

A Taxonomy of Methods for...Finding Servers, 142
testing directory services. See piloting, directory services.
throughput, 217–218

tilde, equal sign (~=) approximation operator within search filters, 74–75

TLS (Transport Layer Security), 91–93, 412, 414, 417, 418

tombstone entries, 390

tools for
    auditing, 417
    authentication, 417, 418
    coexistence, 781–782
    custom probing, 588–592
    developing applications, 658–663
    encryption, 417
    monitoring, 580, 583–592
    security, 417–420

topology case studies, 808–809, 836, 865–866
topology design
    connecting servers, 345–348
    distributed directories. See also name resolution.
        authentication, 348–351
        certificate-based client authentication, 350
        configuring, 345–348
        definition, 332–333
        directory server software, 345–348
        security implications, 351
    factors affecting
        address book applications, 356
        authentication applications, 356
        directory-enabled applications, 354–357
        directory namespace design, 359–360
        directory server software capabilities, 357–358
        interactive authentication and login applications, 356
        messaging applications, 356–357
        physical network topology, 358–359
        political considerations, 361
    knowledge references, 336–337
    name resolution
        chaining, 343–344
        client-side processing, 339–343, 344–345
        definition, 337
        LDAP referrals, 339–341
        purported names, 338–339
        search result continuation references, 339–343
        server-side processing, 343–345
    overview, 332–335
    partition discovery, 336
    partition relationships. See knowledge references; name resolution.
    partitioning directories
        description, 332–335
        examples, 361–369
        multiple-partition example, 364–369
        pros and cons, 351–354
        single-partition example, 361–364

total replication updates, 377–379
training costs, 517–518, 567–568
transaction logs, 539
transactions, 22–24
Transport Layer Security (TLS), 91–93, 412, 414, 417, 418
traps (monitoring messages), 584
trawling, 410
trends, spotting, 616



Tripwire system integrity verifier package, 420
Trojan horses, 413–414
troubleshooting. See also monitoring.
    assessing the problem, 633–635
    case studies, 849, 876
    change control policy, 638
    coexistence, 782
    connection timeouts, 622
    containing damage, 635
    directory data problems, 628–630
    directory outages, 621–623
    discovering problems, 620–621
    hung connections, 622
    long-term fixes, 636–637
    monitoring the problem, 638
    notifying affected persons, 633–635
    performance problems, 623–627
    preventing recurrences, 637–638
    problem reports, 638–639
    refused connections, 622
    security problems, 630–632
    short-term fixes, 635–636
    step-by-step process, 632–639

tuning coexistence, 782
two-way authentication, 417
two-way synchronization, 766–768

UCS Transformation Format 8 (UTF-8), 118–119
unauthorized access, 412–414
unauthorized tampering, 414–415
unbind operation, 56, 87
undo updates. See rollback.
unique identifiers, replication, 386
unique names. See DNs (distinguished names); unique identifiers.
unit of replication, 375
UNIX file system hierarchy versus LDAP directory hierarchy, 63–66
unknownRequest() method, 721–722
update-capable clients, data maintenance, 566–567
update conflict resolution policy, 383–384
update operations
    add, 56, 82
    delete, 56, 82
    modify, 56, 84–86
    modify DN (rename), 56, 83–84, 85
update resolution policies, 389–391
update statements, LDIF, 96–100
updating directories, 56
URLs of LDAP resources. See online resources.
usage() function, 674–675
user attributes, 62

user-maintained data, 565–570
user surveys, 573
userid2dn() function, 681–682
users
    configuration and preference management, 28
    as data source, 254
    feedback from piloting, 492–494, 496–497
    needs and expectations
        accuracy and completeness, 221–222
        versus application needs, 223
        asking your users, 220–221
        determining your audience, 222–223
        overview, 211
        prioritizing, 223
        privacy, 222
    privacy needs definition, 423, 425–426
Using Digest Authentication as a SASL Mechanism (RFC 2831), 140
UTF-8 (UCS Transformation Format 8), 118–119
utilities. See command-line utilities; setpwd utility; tools.

value constraint plug-in example, 180–197
values (of attributes). See attribute values.
vendors
    disaster recovery services, 549
    evaluating directory services software, 472, 475–476
    performance figures, 401
verifying backups, 548–549
vertical bar (|), OR operator within search filters, 78
Virtual List View (VLV) Request control, 132–136
Virtual List View (VLV) Response control, 132–136
virtual directories, 770–773
virtual networks, 459
virtual synchronization, 770–773
VLV (Virtual List View) Request control, 132–136
VLV (Virtual List View) Response control, 132–136

wall-clock time, replication, 385
Web resources. See online resources.
Web server information, organizing and accessing, 36–37
Web servers versus directories, 33–34
Web site with user profile storage, SimpleSite sample application, 687–722
writeHREFButton() method, 720–721
writePageFooter() method, 720–721
writePageHeader() method, 720–721
X.500 directory server software, 345–346
X.500 specification, 38–41
XML (eXtensible Markup Language), 143–145, 163–164
