Directories - PowerPoint PPT Presentation

1 / 43

About This Presentation

Title:

Directories

Description:

history: mostly used for White pages services. today: becoming essential for middleware services ... move from White pages to Directory Enabled Networks ... – PowerPoint PPT presentation

Number of Views:38

Avg rating:3.0/5.0

Slides: 44

Provided by: miroslavm

Category:

more less

Transcript and Presenter's Notes

Title: Directories

1
Directories

Miroslav Milinovic
SRCE / CARNet
Zagreb, Croatia

8th CEENet Workshop on Network Technology,
Budapest, Hungary, August 2002.
2
Content

What is directory service?
Actual standards (services)
Basic concepts
Examples of services
X.500
history, naming model, information model
LDAP
history, commons and differences to X.500
Common Indexing Protocol
Directory Services Markup Language

3
What is directory service?

holds information about
people - individuals (White Pages)
other things (Yellow Pages)
analogy with the telephone directory
service for locating information about
individuals, companies, resources, ...

4
What is directory?

specialised database used for storing and
retrieving information about individuals,
organisations, services, resources, ...
designed for storing and retrieving information
fast reading, writing is slower
static view on the data
simple updates without transactions
network protocol for access (Whois, X.500, LDAP,
...)
history mostly used for White pages services
today becoming essential for middleware services

5
What types of data can be stored?

Text data
names, addresses, descriptions, numbers, etc.
Graphics
photos, diagrams, etc.
Pointers
URLs, pointers to other data, etc.
Public key certificates
Other binary data
Anything else you can think of ...

6
Directory services

can be
global or local
distributed or centralized
may include replication of the data on several
servers
typically accessed through
WWW pages (interfaces)
e-mail clients
special clients (using native protocol)

7
Standards (services)

LDAP
X.500
Whois / Whois
Netfind
CCSO (ph)
RWhois
services based on WWW
...

8
Basic concepts

data model
distributed or centralized?
query language
access control and security
maintenance

9
Data model

NO general standard
almost all services use
attribute-value pair model
database consists of records
special field to identify the type of record
whois uses template field X.500 uses object
class field
list of record types, attributes and their
possible values depends on actual service
Directories need the way to describe
schema - way to describe the sequence of fields
in the database
namespace - the names of the fields
attribute values - the contents of the fields

10
Distributed or centralized?

distributed
many servers tied together
administrative structure (hierarchical)
X.500, LDAP, WHOIS, RWhois
centralized
NETFIND
services based on WWW
can have mirror (peer) sites
independent services - local (CCSO)

11
Query language

servers enable query on values of attributes
exact matches, substring matches
depends on
service
implementation (client or server capabilities)
WWW interfaces
make searching easier
doesnt provide full functionality

12
Access control and security

ability to control
who sees what data
who updates what data
privacy
protocols enable filtering of attributes
main issue to be easy but safe

13
Good directory service

3 main features
easy and efficient access, searching and updating
of information
access control (who sees/updates what)
privacy (right to be unlisted)

14
Stages in building the directory

Designing the directory, including its use on
campus, policies concerning access and update to
its contents, determining sources of information,
identifying applications that will make use of
the data, etc.
Developing the directory, including a deep
technical architecture that captures the design
criteria within a robust and scalable
implementation, building interfaces between
legacy systems and the directory
Operating the directory, including providing
users and systems with tools to update
information, expanding the application base that
uses the directory, and upgrading the
infrastructure as needed.

http//middleware.internet2.edu/core/directories.s
html
15
Actual situation

directories are used for numerous services
move from White pages to Directory Enabled
Networks
currently, LDAP based directories are considered
as the best practice
activities in
IETF, TERENA, Internet 2 Middleware, ...
privacy .vs. currency and quality of information
challenge directory of directories (indexing)
global Internet Directory service
Do we need it?
Can it be done efficiently?
Who will put the information and keep it current?

16
Netfind

part of the history (out of use today)
White Pages service
global centralised
database (SeeedDataBase) administration
list of peer (mirror) servers made available
based on finger
also uses DNS and SMTP
available data depends on finger implementation
on actual host
query parameters
name of a user
rough description of where the user works
accessed through telnet or www interface

17
Whois

RFC 1835
developed from whois protocol (RFC 954)
designed to solve X.500 problems
distributed
one successful implementation
Digger from Bunyip (free to download)
data model
database records are uniquely identified with a
handle
type of record (list of attributes and allowed
values) is defined with a template
templates are standard but can be defined by
server administrator
servers are tied together in hierarchical
structure (indexing mesh)

18
Whois servers mesh
index servers
base level servers
19
Whois

searching
select a server to start search
server either gives information or refers to
server that holds information
server knows about its parents and children
it is possible to search by value of any attribute

20
RWhois

Referral Whois
RFC 2167
designed to provide functions required by NICs
software (was) available on the Internet

21
X.500

ITU / ISO standard for directories
first solid version in 1988.
Part of OSI (Open Systems Interconnection)
problems
(too much) theoretical
complex
little acceptance
advantages
conforming to OSI
good concept
modern design

22
History of the X.500 standard

1984 start of efforts for defining a standard for
distributed data in the net
1988 first version of the X.500 standard
X.509 includes authentication based on asymmetric
encryption
undefined access control and replication
proprietary replication mechanism in first
implementation Quipu from the ISODE Consortium
1993 second version
includes the missing bits
1997 third version
includes enhanced definitions for authentication
(X.509v3)
2000 fourth version

23
Parts of the X.500 Standard

X.500 - Overview of concepts, models and services
X.501 - Models
X.509 - Authentication framework
X.511 - Abstract service definition
X.518 - Procedures for distributed operation
X.519 - Protocol specifications
X.520 - Selected attribute types
X.521 - Selected object classes
X.525 - Replication (since 1993 version)

24
X.500

data model
based on hierarchical namespace
Directory Information Tree (DIT)
geographically organized
entry is defined with its dn (Distinguished Name)
was designed to give applications data in a known
format for
Message handling
File transfer
Name mapping for X.400 addresses
searching
you must select a location in DIT to base your
search
a one-level search or a subtree search
subtree search can be slow

25
X.500 - DIT
World
. . .
cHR
cUSA
RDN cHR
. . .
oIRB
oSRCE
RDN oSRCE
. . .
RDN cnMiro
cnMiro
DN cnMiro, oSRCE, cHR
26
Distinguished Name (DN)

An entry has a distinguished name
in its hierarchy level Relative Distinguished
Name (RDN)
all RDNs from root onwards build the
Distinguished Name (DN)
No two entries in one hierarchy level can have
the same RDN
No two entries in the whole Directory can have
the same DN
Alias Entry having a DN and pointing to another
DN via aliasObjectName Attribute
seeAlso Attribute Entry has data and a seeAlso
pointer

27
X.500 Information Model

An Entry contains a number of Attributes
An Attribute consists of
Attribute Type
Attribute Value
An Attribute Type has an associated Attribute
Syntax
The Attribute Value has to conform to that syntax
To compare Attribute there are Matching Rules

28
Special Attributes

One or more Attribute Types form the RDN
The Naming Attributes or
The Distinguished Attributes
An Entry must have one or more Objectclass
Attributes
It characterizes the Entry
It defines a set of usable Attributes
may contain
must contain
Objectclasses can inherit Attributes from other
Objectclasses
A set of Objectclasses, Attributes and Syntaxes
for a special purpose is called schema

29
Example
DN cnMiro, oSRCE, cHR Objectclasstop Objectc
lassperson ObjectclassorganizationalPerson cnMi
ro cnMiroslav Milinovic mailmiro_at_srce.hr mailMi
roslav.Milinovic_at_srce.hr telephoneNumber385161655
55
30
Open structure

You can define your own schemas e.g. your own
Attribute Types
Attribute Syntaxes
Object Classes
self defined schemas
can be used localy
to make them global you have to follow
standardisation procedure (look at
http//www.alvestrand.no/objectid/top.html)
it is better to define your own schema (with
additional attributes) then to missuse the
existing one

31
Directory Information Base (DIB)
DIB
...
Entry
Entry
Entry
Entry
Entry
attribute
attribute
attribute
...
attr. type
attr. value(s)
Distinguished attr. value
attr. value
attr. value
...
32
LDAP

LDAP - Lightweight Directory Access Protocol
developed to provide basic X.500 features and
make X.500 easier to use
LDAP v1 - RFC 1487, RFC 1488, RFC 1558
LDAP v2 - RFC 1777, RFC 1778, RFC 1798, RFC 1823
LDAP v3 - RFC 2251-2256
Originally (v1,v2) a client access protocol for
X.500
LDAP v3 is a full blown client server system
many client applications have an LDAP interface
mail agents, browsers, PGP clients
other directory implemetations have LDAP
interface
X.500 (since 1993), Novell DS, MS AD

33
LDAP Features

The LDAP standard defines
a network protocol for accessing information in
the directory
an information model defining the form and
character of the information
a namespace defining how information is
referenced and organized
an emerging distributed operation model defining
how data may be distributed and referenced (v3)
Both the protocol itself and the information
model are extensible
A C API and a Java API

34
LDAP Information Model

uses X.500 DIT model (some differences exist)
Entry
Attribute Type
Attribute Syntax
Attribute Value
Matching Rule
Object Classes

35
LDAP Naming Model

Just like X.500
RDN and DN
DIT
Alias and seeAlso
Differences
String representation of DNs
There is not just one international DIT
DC naming based on DNS as alternative to X.520
X.520 cnMiro, oUniversity Computing Centre,
cHR
DC uidMiro, dcSRCE, dcHR
registering problems are handled by DNS

36
LDAP Data Interchange Format (LDIF)

Format for exchanging data
Example

dn cnMiro, oSRCE, cHR objectclasstop objectcl
assperson objectclassorganizationalPerson cnMir
o cnMiroslav Milinovic mailmiro_at_srce.hr mailMir
oslav.Milinovic_at_srce.hr telephoneNumber3851616555
5 dn cnnext entry, ...
37
LDAP connectivity
LDAP
DAP
Client
LDAPD
X.500 server
LDAP
LDAP
SLAPD
Web Gateway
HTTP
Web client
38
LDAP URL (RFC 2255)

Format
ldap///?
???
Examples
ldap//myhost.org9999/cHR,oUniversity?
cn,telephonenumber?subtree?(cnMister X)
ldap//public.srce.hr389/uidmiro,dcpublic-zg,dc
hr

39
LDAP Security Model

Client authentication at start of the LDAP
connection
simple, with clear password
send a DN and a password that is stored in the
userPassword attribute of that entry (with no
encryption)
SSL (Secure Socket Layer) LDAPS
whole session is encrypted
strong authentication with X.509 Certificates
SASL (Simple Authentication and Security Layer)
TLS (Transport Layer Security) new version of
SSL

40
Common Indexing Protocol

The Common Indexing Protocol (CIP) allows
servers to form a referral mesh for query
handling
uses extension of indexing model used in whois
directory service
CIP index server has links (referrals) to
different directory servers
RFCs 2651-2655
Implementations
TISDAG Project http//tisdag.sunet.se/
DESIRE II http//www.desire.org
Isaak Project http//scout.cs.wisc.edu/research/i
ndex.html
Imesh Toolkit Project http//www.imesh.org/toolki
t/