NDS Technical Overview - PowerPoint PPT Presentation

About This Presentation
Title: NDS Technical Overview
Slides: 22
Provided by: debbiec7

Transcript and Presenter's Notes

Title: NDS Technical Overview


1
NDS Technical Overview
  • July 2, 2002

2
What is NDS?
  • NDS: Novell Directory Services.
  • The marketing/product name is eDirectory
  • It is a full-featured, open standards-based
    directory service
  • Cross platform
  • The same code runs on NetWare, Solaris, Linux,
    Windows NT/2K servers
  • 1st directory to become SunTone certified

Directory services: database optimized for read
Relational database: database optimized for write
3
What's in the NDS Database?
  • Users
    • login name (cn) and last name (surname) are
      mandatory
    • NDS password (RSA private key),
    • simple password (Unix crypt, MD5, SHA),
    • directory info like full name, telephone number,
      dept, location
  • Access control lists
  • Workstations, printers, servers, clusters
  • Application objects, user and workstation
    policies, server policies (Zen)
  • Biometrics, mailing lists, doors?

4
How are these things stored?
  • Every entry in the database is an object of a
    particular kind, or object class
  • Object classes are collections of
    attributes/properties and syntax rules. (e.g., the
    User object class includes string attributes like
    Department and Last Name, and binary ones like Photo)
  • Attributes can be mandatory, optional,
    operational
  • Objects can inherit properties from other object
    classes (ACLs)
  • Some objects can contain others (containers
    such as O, OU), others can't (leaf nodes such
    as User, Group)

5
Schema!
  • The NDS schema is completely LDAP v3 compliant:
    all base objects/attributes have IANA-registered
    OID numbers, and it implements inetOrgPerson
  • Schema is stored separately from data
  • The schema is extensible two ways:
    • Add/remove/modify attributes of an existing object
      class, or define a new object class (could create
      an MP3 object with attributes like Artist, Title,
      Kazaa)
    • Auxiliary classes just add attributes to some
      instantiations of an object class (i.e., only
      Corporate Time users would get the calendar
      node attribute)
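As an added illustration of the two extension paths on this slide (not from the presentation or from Novell), an LDIF schema change that defines the MP3 object class and an auxiliary class; the OIDs under 1.3.6.1.4.1.99999 and the attribute names mp3Artist, mp3Title and calendarNode are placeholders, and it is assumed the server accepts standard LDAP schema modifications against cn=schema.

```ldif
# Constructed example: extend the schema with one structural class and one
# auxiliary class. Replace the 1.3.6.1.4.1.99999 arc with your own IANA OID.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'mp3Artist'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'mp3Title'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'calendarNode'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
-
add: objectClasses
# A new structural class: every mp3Track entry must carry cn and mp3Title.
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'mp3Track' SUP top STRUCTURAL
  MUST ( cn $ mp3Title ) MAY ( mp3Artist ) )
# An auxiliary class: added only to the User entries that need calendarNode,
# so other users are not touched.
objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'calendarUser' SUP top AUXILIARY
  MAY ( calendarNode ) )
-
```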

Schema: rules that define the structure of the
database
6
Let's See What's In There
  • ConsoleOne demo
  • Check out objects, attributes
  • Snap-ins required for various products that
    extend the schema
  • Take a look at the schema in Schema Manager

7
ConsoleOne
  • ConsoleOne is the current admin tool for managing
    eDirectory objects and schema
  • Java-based, so it's really, really fast ?
  • v1.31 and up perform OK
  • Available for NetWare, Solaris, Linux, Windows,
    Tru64
  • The future is web-based; management tools are in
    the works.
  • ? This is a lie.

8
Partitioning
  • Some directories require you to treat the entire
    database as a single unit (Active Directory,
    iPlanet 5.1); this affects scalability, and the
    administrator must manage external referrals
  • NDS allows you to partition the database into
    smaller segments, at container boundaries
  • So, we can store the NDS data for the .USERS
    container on our servers, and CHASS can store its
    NDS data on its own servers; still one database
  • NDS LDAP services automatically handle referrals
    among partitions

9
Replication
  • A copy of the data in a partition is called a
    replica; multiple copies for fault tolerance and
    performance
  • NDS has true multimaster replication: data can
    be written to any copy of the database. Normal
    configuration is one master, 2 read/write
  • Being master affects certain partitioning
    operations; otherwise master = read/write
  • Other types:
    • Read only: can't do authentication or modification
    • Filtered: stores only certain attributes/objects;
      can be r/w or r/o; we're not currently using this
      type
    • Subordinate reference (subref): pointer to a
      child partition whose replicas are stored on a
      different server; enables tree-walking

10
Partitioning and Replication
  • (diagram slide)
11
Synchronization
  • Process of propagating changes to objects'
    attributes among replicas; loosely consistent
  • Changes are timestamped; each second is divided
    into 65,536 pieces
  • Changes are written to a change cache, and
    synced either immediately or at the next scheduled
    interval; this is set per attribute (sync
    immediate or slow sync)
  • Only the changes are synced (attribute-level
    syncs); error-checking is done
  • Transitive vector: Server A tells Server B
    about changes, Server B tells Server C

12
Referential Integrity
  • Referential Integrity: NDS verifies and ensures that
    objects referred to by other objects actually
    exist (uses backlinks, external references).
    This is an option in iPlanet 5.1 with a plug-in,
    can only be used on one master, and is disabled by
    default. Active Directory calculates
    backlinks/forward links at time of access(!)
  • When a user is deleted, it is also automatically
    deleted from the ACLs of all objects in the
    directory
  • Because of the way the NetWare file systems are
    designed, those users are also removed from the ACLs
    that control file/directory access

13
iMonitor
  • Web-based administration tool for eDirectory
  • Complete diagnostics, health checks, repairs,
    status information
  • Can view all synchronization traffic, background
    process activity with DSTRACE
  • Let's take a quick look

14
Access Control in NDS
  • Object rights: Browse, Create, Delete, Rename,
    Supervisor
  • With Create rights to a container, a user can
    create any type of NDS object
  • Supervisor rights to an object also gives
    Supervisor rights to all attributes of that
    object. Otherwise, the rights apply ONLY to the
    object, not to its attributes.
  • Attribute rights: Compare, Read, Write, Add Self,
    Supervisor
  • Rights are stored with each object in its ACL
    attribute

15
Rights Calculation
  • You can get object or attribute rights 3 ways:
    explicit assignment, inheritance, security
    equivalence
  • Rights are inheritable; for example, you can
    assign rights to a container, and all users in
    that container get the rights
  • Inherited rights filters (IRFs) can block
    inheritance
  • Security equivalence is used when a group is
    granted rights: the members of the group are
    security equivalent to the group object
  • Access rights are dynamically calculated at the
    time access is attempted!
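As an added model of slides 14 and 15 (written for this page, not Novell's code), the Python below calculates effective rights the way the slides describe: explicit assignment, inheritance down the container chain, an IRF blocking what is inherited, security equivalence through a group, and Supervisor on the object covering all of its attributes. The tree, DNs, group and attribute names are constructed; the "[Entry Rights]", "[All Attributes Rights]" and "[Inheritance Mask]" labels and the rule that an explicit assignment replaces what the same trustee inherited are assumptions of this model.

```python
from dataclasses import dataclass, field

OBJECT_RIGHTS = set("BCDRS")     # Browse, Create, Delete, Rename, Supervisor
ATTRIBUTE_RIGHTS = set("CRWAS")  # Compare, Read, Write, Add Self, Supervisor
IRF = "[Inheritance Mask]"       # pseudo-trustee used here for an inherited rights filter

@dataclass
class Entry:
    # ACL entries are (trustee, protected, rights); protected is "[Entry Rights]",
    # "[All Attributes Rights]" or one attribute name, rights a string of letters.
    acl: list = field(default_factory=list)
    equivalent_to: list = field(default_factory=list)  # groups this object is equivalent to

def chain(dn):
    """Containers from the root down to dn itself: o=x; ou=y,o=x; cn=z,ou=y,o=x."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]

def effective_rights(tree, user_dn, target_dn, attr=None):
    """Rights user_dn holds on target_dn, as object rights or on one attribute."""
    # Security equivalence: the user, its groups, and the containers it sits in.
    trustees = {user_dn, *tree[user_dn].equivalent_to, *chain(user_dn)[:-1]}
    wanted = {"[Entry Rights]"} if attr is None else {attr, "[All Attributes Rights]"}
    granted = {}  # trustee -> rights collected while walking down to the target
    for dn in chain(target_dn):
        entries = [(t, r) for t, p, r in tree[dn].acl if p in wanted]
        # 1. An IRF on this object filters everything inherited from above.
        masks = [set(r) for t, r in entries if t == IRF]
        if masks:
            granted = {t: r & set.union(*masks) for t, r in granted.items()}
        # 2. An explicit assignment here replaces what that trustee inherited.
        for t, r in entries:
            if t in trustees:
                granted[t] = set(r)
    rights = set().union(*granted.values()) if granted else set()
    # Supervisor on the object covers every attribute; Supervisor implies all rights.
    if attr is not None and "S" in effective_rights(tree, user_dn, target_dn):
        return set(ATTRIBUTE_RIGHTS)
    if "S" in rights:
        return set(OBJECT_RIGHTS if attr is None else ATTRIBUTE_RIGHTS)
    return rights

TREE = {  # constructed sample tree; DNs, group and attribute names are made up
    "o=acme": Entry(acl=[("cn=admins,ou=groups,o=acme", "[Entry Rights]", "S")]),
    "ou=users,o=acme": Entry(acl=[("ou=users,o=acme", "[Entry Rights]", "B"),
                                  ("ou=users,o=acme", "Telephone Number", "CR")]),
    "ou=hr,o=acme": Entry(acl=[(IRF, "[Entry Rights]", "B"),            # IRF blocks inherited S
                               (IRF, "[All Attributes Rights]", "")]),  # and all attribute rights
    "cn=payroll,ou=hr,o=acme": Entry(acl=[("cn=bob,ou=users,o=acme", "Salary", "R")]),
    "cn=alice,ou=users,o=acme": Entry(equivalent_to=["cn=admins,ou=groups,o=acme"]),
    "cn=bob,ou=users,o=acme": Entry(),
}
```

With this tree, alice holds Supervisor everywhere below o=acme through the admins group except under ou=hr, where the IRF stops it, while bob only gets the Browse and Telephone Number rights inherited from his container plus the explicit Read on Salary.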

16
Role Based Services
  • Something relatively new
  • Requires a product or custom code to set up
  • Used to limit a user's access to only the tasks
    permitted by the user's role in an organization
  • For example, instead of being able to create any
    kind of object in a container, a user in a
    particular role (like Application Builder, if
    there were such a thing) might only be able to
    create objects from the App:Application object
    class

17
Access Control in NetWare
  • The directory and the file system are related,
    but not the same!
  • Each server keeps its own access control lists;
    file system rights are NOT stored in NDS
  • File system rights are assigned to NDS objects,
    such as users, groups, workstations, containers
    (can grant everyone in the CALS container read
    access to a particular file): distributed
    management!
  • NetWare supports file-level rights, as well as
    inheritance of rights from folders; rights are
    dynamically calculated at time of access!
  • File rights are: File Scan, Read, Create, Write,
    Modify, Erase, Access Control

18
Internet Standards
  • TCP/IP encapsulation with NW4, full support
    since NW 5.0 (1997). No IPX dependencies.
  • IPv4 or IPv6 if you like
  • LDAP v3, LDIF: both schema and data are accessible
    and modifiable; the ICE utility simplifies
    import/convert/export of LDIF files
  • XML/XSL: all new development at Novell is being
    done with XML; you can access NetWare's NSS file
    system with XML via a built-in virtual file
    system
  • SOAP, UDDI: with eDir 8.7, shipping shortly
  • SNMP MIBs allow detailed monitoring

19
Programmatic Access Methods
  • http://developer.novell.com
  • Docs, sample code
  • Novell provides APIs for C/C++, Perl, Java,
    ActiveX (Visual Basic)
  • Python, PHP: anything that can do LDAP can do
    NDS
  • ODBC, JDBC: use SQL queries against NDS
  • LDAP/SSL: unauthenticated binds on port 389,
    secure via SSL on 636

20
Cryptographic Libraries
  • You need crypto for certain functions
  • You can use OpenSSL or NICI (Novell International
    Cryptographic Infrastructure)
  • NICI is available for Windows, Solaris, Linux,
    AIX, NetWare
  • NICI libraries include SSL as well as other
    encryption methods
  • download.novell.com

21
Developer-Speak
  • John Andy ?