LDAP Interoperability and Integration with Active Directory - PowerPoint PPT Presentation

Slides: 36
Provided by: PentonM

Transcript and Presenter's Notes

1
LDAP Interoperability and Integration with Active
Directory
2
Original Abstract
  • This session would cover Active Directory LDAP
    integration, interoperability and security. First
    it would present a brief history of LDAP showing
    its evolution. Then it would present an overview
    of LDAP and discuss LDAP's role in AD. Next, it
    could show how to query an LDAP server from AD and
    how you can manage AD with LDAP. Finally, it would
    discuss directory integration using Microsoft
    Identity Integration Server (MIIS) and how to
    ensure a tighter, more secure interoperability.

3
Agenda
  • A Brief History of LDAP
  • LDAP and Active Directory
  • Integrating Other Directories with Active
    Directory

4
A Brief History of LDAP
5
ca. 1988
  • Before the World Wide Web
  • Before TCP/IP on every desktop
  • Before Windows
  • Back when 7.44 MHz, 128Kb of RAM and a 10MB hard
    drive was slammin'
  • There was X.500

6
X.500
  • ITU/ISO
  • X.500 series of documents
  • Schema
  • Data model
  • Protocols
  • OSI stack

7
OSI Protocol Stack
The problem? No PC could reasonably implement the
OSI stack
8
The Solution? An LDAP Gateway
9
But if No One Uses DAP over OSI
10
So What IS LDAP Anyway?
  • It's a protocol for accessing and modifying an
    X.500-like directory tree
  • It specifies a hierarchical organization of
    objects, attributes, and values
  • It defines operations like search and update
  • It provides for vendor-specific extensions
    through controls

11
The New and Improved LDAP Standard
  • RFC 4511 The Protocol
  • RFC 4512 Directory Information Models
  • RFC 4513 Authentication Methods and Security
    Mechanisms
  • RFC 4514 String Representation of Distinguished
    Names
  • RFC 4515 String Representation of Search Filters
  • RFC 4516 Uniform Resource Locator
  • RFC 4517 Syntaxes and Matching Rules
  • RFC 4518 Internationalized String Preparation
  • RFC 4519 Schema for User Applications

12
LDAP and Active Directory
13
Managing Active Directory Using LDAP
  • LDAP is the gateway to managing Active Directory
  • Almost everything in and about AD can be managed
    using LDAP
  • Most any LDAP utility will work
  • But compliant does not equal interoperable!

14
Authentication
  • LDAP simple bind
  • Works, but is not secure
  • SASL
  • Really hard to make work

15
Multiple Writable Replicas
  • AD provides a multi-master model where updates on
    the same object can occur on different DCs
  • Some applications don't work well with this model

16
Global Catalog
  • If an application needs access to all objects in
    the forest, you can point it to a global catalog
  • The GC contains only a partial read-only replica
    of all objects in the forest

17
Partitioning and Referrals
  • An AD forest always has at least two partitions
    under the root domain
  • CN=Configuration,DC=<root domain>
  • CN=Schema,CN=Configuration,DC=<root domain>
  • A subtree search on the root domain will always
    cause two subordinate referrals

18
LDAP Controls
  • Vendor-defined extensions to the LDAP protocol
    that modify a LDAP operation like search
  • LDAP controls can be optional or mandatory for
    any given operation
  • Some utilities require controls that AD doesn't
    support
  • GQ requires Netscape's Manage DSA IT control
    (2.16.840.1.113730.3.4.2)

19
OpenLDAP Controls Supported by AD
  • 1.2.840.113556.1.4.319 Paged results
  • 1.2.840.113556.1.4.473 Sort request (RFC 2891)
  • 2.16.840.1.113730.3.4.9 Virtual List View request
  • 2.16.840.1.113730.3.4.10 Virtual List View
    response
  • 1.2.840.113556.1.4.1339 No referrals (NC scope)
  • 1.2.840.113556.1.4.1340 Search options
  • 1.2.840.113556.1.4.1413 Easy update restrictions

20
OpenLDAP Controls Not Supported by AD
  • 1.3.6.1.4.1.4203.1.10.1 Subentries (RFC 3672)
  • 1.2.826.0.1.3344810.2.3 Filter returned values
  • 1.3.6.1.1.13.1 Pre read
  • 1.3.6.1.1.13.2 Post read
  • 1.3.6.1.1.12 Assertion
  • 2.16.840.1.113730.3.4.2 Manage DSAIT
  • 2.16.840.1.113730.3.4.18 Proxy authorization
  • 1.3.6.1.4.1.4203.666.5.2 No-op
  • 1.3.6.1.4.1.4203.1.9.1 LDAP sync

21
Administrative Limits
  • LDAP admin limits allow the administrator to
    configure certain capacity limits for AD
  • CN=Default Query Policy,CN=Query-Policies,
    CN=Directory Service,CN=Windows NT,CN=Services,
    CN=Configuration,DC=<root domain>
  • MaxPageSize
  • MaxResultSetSize

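The paged results control listed under slide 19 (1.2.840.113556.1.4.319) is the mechanism a client uses to get past the MaxPageSize admin limit on slide 21: it asks for one page at a time and carries the server's cookie back in the next request. The following is an added example, not code from the slides or from NetPro. It encodes and decodes the control value by hand (RFC 2696 defines it as a BER SEQUENCE of an INTEGER size and an OCTET STRING cookie) and drives the paging loop against a constructed stand-in for a DC; the `make_fake_ad` function, the `demo` helper and the 1000-entry default page limit used for the stand-in are assumptions made for the example.

```python
# Added example (not part of the original slides): build and parse the
# LDAP Paged Results control value (OID 1.2.840.113556.1.4.319, RFC 2696)
# and page through a search that would otherwise be cut off by MaxPageSize.
#
#   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _ber_len(n):
    """Encode a BER definite length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v):
    """Encode a non-negative INTEGER; prepend 0x00 if the high bit would read as a sign."""
    if v < 0:
        raise ValueError("page size must be non-negative")
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_control_value(size, cookie=b""):
    """Control value sent by the client; an empty cookie starts a new paged search."""
    inner = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf, pos, expected_tag):
    """Read one tag-length-value at pos, returning (value bytes, position after it)."""
    if buf[pos] != expected_tag:
        raise ValueError("unexpected tag 0x%02x at offset %d" % (buf[pos], pos))
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def decode_paged_control_value(value):
    """Parse the server's response control into (estimated size, cookie).
    An empty cookie means there are no more pages."""
    seq, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(seq, 0, 0x02)
    cookie, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def fetch_all_pages(search_page, page_size=1000):
    """Paging loop. search_page(control_value) stands in for an LDAP search that
    carries the control and returns (entries, response control value)."""
    cookie, entries = b"", []
    while True:
        page, resp = search_page(encode_paged_control_value(page_size, cookie))
        entries.extend(page)
        _, cookie = decode_paged_control_value(resp)
        if not cookie:
            return entries


def make_fake_ad(total, max_page_size=1000):
    """Constructed stand-in (assumption) for a DC enforcing MaxPageSize = 1000."""
    def search_page(control_value):
        search_page.calls += 1
        size, cookie = decode_paged_control_value(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        stop = min(start + min(size, max_page_size), total)
        page = ["CN=user%d,DC=example,DC=com" % i for i in range(start, stop)]
        next_cookie = stop.to_bytes(4, "big") if stop < total else b""
        return page, encode_paged_control_value(total, next_cookie)
    search_page.calls = 0
    return search_page


def demo(total=2500, page_size=1000):
    """Page through a constructed directory; returns (entries retrieved, round trips)."""
    fake = make_fake_ad(total)
    entries = fetch_all_pages(fake, page_size)
    return len(entries), fake.calls


if __name__ == "__main__":
    print("retrieved %d entries in %d round trips" % demo())
```

With a real server the `search_page` callback would issue the search with the control attached and return the entries plus the control value from the SearchResultDone message; the loop logic itself does not change. A client that simply asks for the whole result set without this control gets at most MaxPageSize entries and a sizeLimitExceeded result.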
22
Multi-valued Attributes
  • AD has some limits on the number of values in a
    multi-valued attribute
  • No more than 800 values per object (except for
    linked attributes)
  • No more than 1000 values returned in one
    operation
  • AD uses the <options> attribute description (RFC
    2251 §4.1.5) to return sections of multi-values,
    e.g. member;range=0-999

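The range option on slide 22 is easy to misread: a tool that asks for `member` and receives `member;range=0-999` has only the first slice, and must keep asking for `member;range=1000-*` until the server answers with `*` as the upper bound. The block below is an added example, not code from the slides or from NetPro. It parses the range descriptions, computes the next request, and runs the loop against a constructed group object; `make_fake_group`, `demo` and the 1000-value limit used by the stand-in are assumptions for the example, and the member DNs are constructed.

```python
# Added example (not part of the original slides): range retrieval of a
# large multi-valued attribute such as member, as AD returns it in slices.
import re

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_description(desc):
    """Split 'member;range=0-999' into ('member', 0, 999); hi is None for '*'."""
    m = RANGE_RE.match(desc)
    if not m:
        raise ValueError("not a range attribute description: %r" % desc)
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def next_range_request(desc):
    """From the description the server returned, build the next request
    (e.g. 'member;range=1000-*'), or None when the server sent the last slice."""
    attr, lo, hi = parse_range_description(desc)
    if hi is None:
        return None
    return "%s;range=%d-*" % (attr, hi + 1)


def fetch_all_values(read_entry, attr):
    """read_entry(requested_attr) stands in for a base-scope LDAP search of one
    object and returns {attribute description: [values]}. Collects every value."""
    request = "%s;range=0-*" % attr
    values = []
    while request is not None:
        entry = read_entry(request)
        if attr in entry:  # server did not need ranging: plain attribute returned
            return values + list(entry[attr])
        returned = [d for d in entry if d.lower().startswith(attr.lower() + ";range=")]
        if len(returned) != 1:
            raise ValueError("expected exactly one ranged description, got %r" % returned)
        values.extend(entry[returned[0]])
        request = next_range_request(returned[0])
    return values


def make_fake_group(members, max_val_range=1000):
    """Constructed stand-in (assumption) for a DC enforcing a 1000-value limit."""
    def read_entry(requested):
        read_entry.calls += 1
        attr, lo, hi = parse_range_description(requested)
        if attr.lower() != "member":
            return {}
        stop = len(members) if hi is None else min(hi + 1, len(members))
        stop = min(stop, lo + max_val_range)
        upper = "*" if stop >= len(members) else str(stop - 1)
        return {"member;range=%d-%s" % (lo, upper): members[lo:stop]}
    read_entry.calls = 0
    return read_entry


def demo(total=2500, max_val_range=1000):
    """Read a constructed group with `total` members; returns (values read, round trips)."""
    fake = make_fake_group(["CN=user%d,DC=example,DC=com" % i for i in range(total)], max_val_range)
    values = fetch_all_values(fake, "member")
    return len(values), fake.calls


if __name__ == "__main__":
    print("read %d member values in %d round trips" % demo())
```

A tool that stops after the first response silently under-reports group membership, which matters when the group is being used for an access review or for provisioning decisions.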
23
Schema
  • Everyone's schema is different
  • AD's schema is more different than most
  • AD user vs. iNetOrgPerson and RFC 2307
  • DC naming vs. O,C naming

24
DC Location
  • AD clients locate DCs using SRV lookups in DNS
  • Most LDAP tools use a host name and port to
    identify a directory server

25
TCP Ports
  • Most LDAP servers are configurable as to which
    ports they listen on
  • AD can only listen on port 389

26
Binary Blob Attributes
  • AD stores some interesting attributes in binary
  • nTSecurityDescriptor
  • objectSid
  • msDS-NCReplCursor
  • msDS-ReplAttributeMetaData
  • replPropertyMetaData
  • etc
  • LDAP tools can read them but will not be able to
    interpret them

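Slide 26 says generic LDAP tools can read the binary attributes but not interpret them. For objectSid the layout is documented and small enough to decode without any library: a revision byte, a sub-authority count, a 48-bit big-endian identifier authority and then 32-bit little-endian sub-authorities. The following is an added example, not code from the slides or from NetPro; the sample SID bytes are constructed, and `sid_filter` shows the RFC 4515 `\XX` escaping needed to put such a binary value into a search filter.

```python
# Added example (not part of the original slides): decode and encode the
# binary objectSid attribute, and escape it for use in an LDAP search filter.
import struct


def sid_bytes_to_string(raw):
    """Convert a binary objectSid value to its S-1-5-21-... text form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])         # 32-bit little-endian each
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(text):
    """Reverse conversion, e.g. to compare against or search for a stored objectSid."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID string %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("unsupported SID %r" % text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_filter_escape_binary(raw):
    """RFC 4515 escaping for a binary assertion value: every byte becomes \\XX."""
    return "".join("\\%02x" % b for b in raw)


def sid_filter(text):
    """Build an (objectSid=...) search filter from a SID in text form."""
    return "(objectSid=%s)" % ldap_filter_escape_binary(sid_string_to_bytes(text))


# Constructed sample (assumption): S-1-5-21-1-2-3-1104 as AD would store it.
SAMPLE_SID = bytes.fromhex(
    "0105"                # revision 1, five sub-authorities
    "000000000005"        # identifier authority 5 (NT Authority)
    "15000000"            # 21
    "01000000" "02000000" "03000000"  # constructed domain identifier 1-2-3
    "50040000"            # RID 1104
)

if __name__ == "__main__":
    text = sid_bytes_to_string(SAMPLE_SID)
    print(text)
    print(sid_filter(text))
```

The same byte-level care applies to the other attributes on the slide: nTSecurityDescriptor is a self-relative security descriptor and the replication metadata attributes are structures, so a tool that displays them as a hex dump is not wrong, just uninformative.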
27
That All Being Said
  • Most LDAP utilities work just fine with AD

28
Using OpenLDAP Tools With AD
29
Directory Integration
  • Lower identity-related costs
  • Higher security
  • Improved identity-related service levels
  • Better user experience

30
Integrating Other Directories with AD
  • Simple directory synchronization
  • Virtual Directories
  • Metadirectory
  • Microsoft Identity Integration Server (MIIS)

31
MIIS Terms
[Diagram: MV, CS, CD, MA]
  • Connected Data Source (CD)
    • Any source and/or destination containing
      identity data
  • Management Agent (MA)
    • Facilitates the communication between MIIS and
      the CD
  • Connector Space (CS)
    • Staging area (SQL) for inbound or outbound
      synchronized attributes
  • Metaverse (MV)
    • Central (SQL) store of identity information
    • Matching CS entries to a single MV entry is
      called join

32
MIIS Concepts Example
  • Scenario
    • HR system in Oracle
    • Hiring Approval system on SQL Server
    • Sun One Directory Server
    • Notes

[Diagram labels: Sun One, SQL]
33
MIIS Concepts
  • MV entries are linked to CS entries through
    • Projection
    • Provisioning a connector
    • Joining
  • CS entries represent objects in Connected Data
    Sources
  • Synchronization is between MV and CS
  • Staging is from CD to CS
  • Export is from CS to CD
  • Let's zoom in on what MIIS does

34
Advantages of MIIS
  • Automated account provisioning/deprovisioning
  • No agents, no changes needed to connected
    directories
  • Password sync and management
  • State-based synchronization
  • SQL Server back end provides performance
  • Out-of-the-box connectivity
  • Highly customizable through .NET programming
    interfaces

35
Summary
  • LDAP
  • Managing AD with LDAP
  • Identity management with MIIS

Questions?
36
  • Thank You!

Gil Kirkpatrick, CTO, NetPro, gilk@netpro.com
www.netpro.com