Distinguished Name


Directory Services
CS5493/7493
Directory Services
• Directory services represent a
technological breakthrough by integrating
into a single management tool:
– Authentication
– Access control
– Accounting
Directory Services
• A directory service organizes data into
objects.
• The directory holds the objects.
• The directory service provides the tools for
accessing and modifying the objects.
Directory Service Objects
• These objects consist of a name and a
group of attributes associated with the
name.
• The object name is formally known as the
object’s “Distinguished Name”.
• An object can be a service, hardware, or
user.
Directory Service Examples
• A phonebook – entries in the phonebook
are indexed by name. The name has a
phone number and address associated
with the name.
• DNS – maps human-readable names of
network resources to their respective
(binary) numeric network addresses.
Software Engineered D.S.
• A software engineered directory service
stores, organizes, and provides access to
electronic information in a directory.
• DNS was the first Internet directory
service.
X.500
• A standard model for general-purpose
directory services was developed in the
late 1980s.
• The X.500 standard emerged from this
effort in 1988.
• A series of supplementary editions and
refinements to X.500 followed.
X.500 Refinements
• Shadowing (copying) directory information
• Access controls
• Additional administrative capabilities
• Contexts – define actions for an object
according to the context of the object’s
use.
• Additional security features
X.500 Concept
• There is a single directory information tree
(DIT)
• The DIT is a hierarchical organization of
objects distributed across one or more
servers.
• X.500 provides the protocol for querying and
updating objects in the DIT.
X.500 Legacy
• The general framework of X.500 has been
adopted in more popular (widely adopted)
directory services such as:
– LDAP, the Lightweight Directory Access Protocol.
OpenLDAP is available for Linux.
– Microsoft Active Directory
LDAP
• Defines a simple protocol that will manage
directory objects:
– Search and retrieve
– Add
– Modify
– Delete
– Rename
LDAP Model
• LDAP uses a client-server model.
• The LDAP protocol runs over TCP/IP.
LDAP Protocol
• The LDAP client establishes a connection
to an LDAP server.
• The LDAP protocol usually uses port 389.
• The client must authenticate itself to the
server by supplying a distinguished name
and password.
• The LDAP server can restrict access to
directory objects by managing permissions
(access control).
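The distinguished name a client presents when it binds (and the DNs it searches for) are strings in the RFC 4514 form, and a value that contains an unescaped comma or other special character changes which object the name refers to. The following is an added example, not code from the slides: it builds and parses DNs with the required escaping, assuming single-valued RDNs and ASCII hex escapes.

```python
# Added example (not from the slides): build and parse LDAP Distinguished Names in
# RFC 4514 string form, e.g. "cn=Jane Doe,ou=Staff,dc=example,dc=com". Values with
# , + " \ < > ; a leading '#' or leading/trailing spaces must be escaped, or
# attacker-chosen input can change which object a bind or search refers to.
from typing import List, Tuple

_SPECIAL = set(',+"\\<>;')            # escaped anywhere inside a value
_HEX = set("0123456789abcdefABCDEF")  # assumes single-valued RDNs (no '+') and ASCII hex escapes

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                    # leading '#' would mean a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):  # edge spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN string, escaping each value."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs, honouring '\\c' and '\\XX'."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                                # escape: take the next char literally
            if i + 1 >= len(dn): raise ValueError("dangling backslash in DN")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(chr(int(pair, 16))); i += 3
            else:
                buf.append(dn[i + 1]); i += 2
            continue
        if ch == ",":                                 # an unescaped comma ends the RDN
            attr, _, val = "".join(buf).partition("=")
            rdns.append((attr.strip(), val)); buf = []
        else:
            buf.append(ch)
        i += 1
    attr, _, val = "".join(buf).partition("=")
    rdns.append((attr.strip(), val))
    return rdns
```

Round-tripping a value through build_dn and parse_dn must give the value back unchanged; a DN assembled by plain string concatenation from user input will not have that property.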
MS Active Directory
• A collection of services for managing
resources in a computer network (LAN,
MAN, CAN, or WAN).
The AD Collection of Services
• AD Lightweight Directory Service
• AD Federation Service
• AD Certificate Service
• AD Rights Management Service
• AD Domain Service
AD Lightweight Directory Service
• A lightweight version of AD based on
LDAP.
AD Federation Service
• A single sign-on service allowing a user to
access services in different network
environments using AD-FS.
• The different network environments can be
different companies running AD-FS.
AD Certificate Service
• Issues public key certificates used for such
things as authenticating with smart cards
or encrypting data transmitted over a
network.
• This service can renew or revoke
certificates.
AD Rights Management Service
• Goes beyond access control.
• AD-RMS manages (controls) what users
can do with data once they have accessed
the data.
– Can prevent files from being copied (this
includes disabling cut and paste).
– Prevent saving or forwarding e-mail
messages.
AD Domain Services
• The traditional features of AD from
previous versions.
Active Directory Summary
• A hierarchical framework of data objects.
• AD objects are categorized as:
– Resources: computers, printers, etc.
– Services like e-mail
– Users and groups of users
– Any real component and its attributes
Active Directory Summary
• A logical structure = grouping objects
together based on criteria other than
physical location.
• A physical structure = grouping objects
together based on a physical topology (all
the users, equipment, and services
located in a particular office building).
Active Directory Summary
• Acts as the central point for managing
object security.
• Individual user policies can be defined.
• Group policies can be defined.
• Auditing features:
– Monitoring object usage
– Creating reports on object usage
– Notifying personnel of object usage
Active Directory Summary
• Objects are organized into containers
called Organizational Units (OU).
• Organizational Units belong to a domain.
• A domain is an administrative boundary.
All the objects in a domain operate with
the same security policy.