NDS Technical Overview - PowerPoint PPT Presentation

1 / 21

About This Presentation

Title:

NDS Technical Overview

Description:

The marketing/product name is 'eDirectory' ... The same code runs on NetWare, Solaris, Linux, Windows NT/2K servers ... 'simple password' (Unix crypt, MD5, SHA) ... – PowerPoint PPT presentation

Number of Views:68

Avg rating:3.0/5.0

Slides: 22

Provided by: debbiec7

Category:

more less

Transcript and Presenter's Notes

Title: NDS Technical Overview

1
NDS Technical Overview

July 2, 2002

2
What is NDS?

NDS Novell Directory Services.
The marketing/product name is eDirectory
It is a full-featured, open standards-based
directory service
Cross platform
The same code runs on NetWare, Solaris, Linux,
Windows NT/2K servers
1st directory to become SunTone certified

Directory servicesDatabase optimized for read
Relational databaseDatabase optimized for write
3
Whats in the NDS Database?

Users
login name (cn), last name (surname) are
mandatory
NDS password (RSA private key),
simple password (Unix crypt, MD5, SHA),
directory info like full name, telephone number,
dept, location
Access control lists
Workstations, printers, servers, clusters,
Application objects, user and workstation
policies, server policies (Zen)
Biometrics, mailing lists doors?

4
How are these things stored?

Every entry in the database is an object of a
particular kind, or object class
Object classes are collections of
attributes/properties and syntax rules. (Ex User
object class includes string attributes like
Department and Last Name, binary like Photo)
Attributes can be mandatory, optional,
operational
Objects can inherit properties from other object
classes (ACLs)
Some objects can contain others (containers
such as O, OU), others cant (leaf nodes such
as User, Group)

5
Schema!

The NDS schema is completely LDAP v3 compliant
all base objects/attributes have IANA-registered
OID numbers, implements inetOrgPerson
Schema is stored separately from data
The schema is extensible two ways
Add/remove/modify attributes of existing object
class, or define new object class (could create
an MP3 object with attributes like Artist, Title,
Kazaa)
auxiliary classes just add attributes to some
instantiations of an object class (ie, only
Corporate Time users would get the calendar
node attribute)

SchemaRules that define the structure of the
database
6
Lets See Whats In There

ConsoleOne demo
Check out objects, attributes
Snap-ins required for various products that
extend the schema
Take a look at the schema in Schema Manager

7
ConsoleOne

ConsoleOne is the current admin tool for managing
eDirectory objects schema
Java-based, so its really, really fast ?
v1.31 and up perform OK
Available for NetWare, Solaris, Linux, Windows,
Tru64
The future is web-based management tools are in
the works.
? This is a lie.

8
Partitioning

Some directories require you to treat the entire
database as a single unit Active Directory,
iPlanet 5.1 affects scalability administrator
must manage external referrals
NDS allows you to partition the database into
smaller segments, at container boundaries
So, we can store the NDS data for the .USERS
container on our servers, CHASS can store its NDS
data on its own servers still one database
NDS LDAP services automatically handle referrals
among partitions

9
Replication

A copy of the data in a partition is called a
replica multiple copies for fault tolerance,
performance
NDS has true multimaster replication data can
be written to any copy of the database normal
configuration is one master, 2 read/write
Being master affects certain partitioning
operations, otherwise masterread/write
Other types
Read only cant do authentication or modification
Filtered store only certain attributes/objects
can be r/w or r/o were not currently using this
type
Subordinate reference (subref)- pointer to a
child partition whose replicas are stored on a
different server enables tree-walking

10
Partitioning Replication
nds07rs
11
Synchronization

Process of propagating changes to objects
attributes among replicas- loosely consistent
Changes are timestamped each second is divided
into 65,536 pieces
Changes are written to a change cache, and
syncd either immediately or at next scheduled
interval this is set per attribute (sync
immediate or slow sync)
Only the changes are syncd attribute level
syncs error-checking is done
Transitive vector Server A tells Server B
about changes, Server B tells Server C

12
Referential Integrity

Referential Integrity NDS verifies ensures that
objects referred to by other objects actually
exist (uses backlinks, external references)
this is an option in iPlanet 5.1 with a plug-in,
can only be used on one master, disabled by
default Active Directory calculates
backlinks/forward links at time of access(!)
When an user is deleted, it is also automatically
deleted from the ACLs of all objects in the
directory
Because of the way the NetWare file systems are
designed, those users are also removed from ACL
lists that control file/directory access

13
iMonitor

Web-based administration tool for eDirectory
Complete diagnostics, health checks, repairs,
status information
Can view all synchronization traffic, background
process activity with DSTRACE
Lets take a quick look

14
Access Control in NDS

Object rights Browse, Create, Delete, Rename,
Supervisor
With Create rights to a container, a user can
create any type of NDS object
Supervisor rights to an object also gives
Supervisor rights to all attributes of that
object. Otherwise, the rights apply ONLY to the
object, not to its attributes.
Attribute rights Compare, Read, Write, Add Self,
Supervisor
Rights are stored with each object in its ACL
attribute

15
Rights Calculation

You can get object or attribute rights 3 ways
explicit assignment, inheritance, security
equivalence
Rights are inheritable for example, you can
assign rights to a container, and all users in
that container get the rights
Inherited rights filters (IRFs) can block
inheritance
Security equivalence is used when a group is
granted rights the members of the group are
security equivalent to the group object
Access rights are dynamically calculated at the
time access is attempted!

16
Role Based Services

Something relatively new
Requires a product or custom code to set up
Use to limit a user's access to only the tasks
permitted by the user's role in an organization
For example, instead of being able to create any
kind of object in a container, a user in a
particular role (like Application Builder, if
there were such a thing), might only be able to
create objects from the AppApplication object
class

17
Access Control in NetWare

The directory and the file system are related,
but not the same!
Each server keeps its own access control list
file system rights are NOT stored in NDS
File system rights are assigned to NDS objects,
such as users, groups, workstations, containers
(can grant everyone in the CALS container read
access to a particular file) distributed
management!
NetWare supports file-level rights, as well as
inheritance of rights from folders rights are
dynamically calculated at time of access!
File rights are File Scan, Read, Create, Write,
Modify, Erase, Access Control

18
Internet Standards

TCP/IP encapsulation with NW4, full support
since NW 5.0 (1997). No IPX dependencies.
IPv4 or IPv6 if you like
LDAP v3, LDIF both schema and data accessible
modifiable ICE utility to simplify
import/convert/export of LDIF files
XML/XSL all new development _at_ Novell is being
done with XML you can access NetWares NSS file
system with XML via a built-in virtual file
system
SOAP, UDDI with eDir 8.7, shipping shortly
SNMP MIBs allow detailed monitoring

19
Programmatic Access Methods