Directory Services


CEG 2400 Fall 2012
Directory Services: eDir, LDAP, Active Directory
Directory Services
• What is it? A way to store, manage, and access information about many different network objects
– Directory Services play an important role in integrating different NOSs (Network Operating Systems) into one system that can be centrally administered and accessed
– The directory database contains entries that store information about network objects in containers organized into a hierarchical tree structure, and provides that information to network services and clients
Directory Services
• The X.500 directory model (the original standard) defined directory services, how they are displayed, and how they are accessed by users
– The X.500 model describes a directory service as a collection of systems that work in a client-server relationship to represent information about network objects
– X.500 directory architecture: the client queries and receives responses from one or more servers in the server's directory service, with the Directory Access Protocol (DAP) controlling communication between client and server
Directory Services
• X.500: Directory Information Base (DIB)
– The directory database is made up of entries that contain information about objects, such as users, printers, computers, and data volumes; these objects are collectively known as the DIB
– Within the DIB, each entry is made up of a collection of information fields called attributes
– These attributes contain values
Directory Services
• X.500: Directory Information Tree (DIT)
– The Directory Information Base (DIB) is arranged into a tree-like structure called the DIT
– To keep the directory organized, a set of rules known as the Directory Schema is enforced
– The Directory Schema defines a set of attributes and valid object classes
– An object class defines a type of network object, such as a user or a printer, and includes all attributes that make up that type of object
Directory Services
• X.500: Directory User and System Agents
– X.500 takes a client-server approach
– The directory client, called the Directory User Agent (DUA), allows access to, and data retrieval from, the directory database
– Processing a DUA request for information from the directory service consists of these steps: the workstation-based DUA sends a request to the server-based Directory System Agent (DSA); the DSA retrieves the DIB data and sends it back to the DUA
Directory Services
• X.500: Directory Service Protocols
1. The Directory Service Protocol (DSP) controls the interaction between two or more DSAs (directory system agents) so that users can access information in the directory without knowing its exact location
2. The Directory Access Protocol (DAP) controls communication between a DUA (directory user agent) and a DSA (directory system agent)
3. The Directory Information Shadowing Protocol (DISP) is a special DSP that is responsible for keeping multiple copies of the DIB synchronized, as is necessary in the shadowing process
Directory Services
• The LDAP directory standard
– Lightweight Directory Access Protocol (LDAP) was developed as a simpler version of X.500
– Although LDAP started as a simplified component of the X.500 directory, it developed into a protocol used to access information stored in a directory
– LDAP supports TCP/IP
– Now at version 3
Directory Services
• Directory Services (3 major players)
– Novell Directory Services (NDS) / eDirectory
– LDAP
– Active Directory (Microsoft)
Some Directory Services
• Some LDAP/X.500 based implementations are:
– Active Directory
– eDirectory
– Red Hat Directory Server
– Open Directory (Apple's Mac OS X Server)
– Oracle Internet Directory
– CA Directory
– OpenDS
– OpenLDAP
Directory Services Tree Design
• Using standards minimizes confusion as more servers, more users, and new directory tree objects appear
– One of the most important areas for network standards is naming conventions
– Balance tree depth and tree width so that distinguished names do not become too unwieldy (a tree that is too wide or too deep)
– Use a design approach that matches the directory tree to the organization
Directory Services Tree Design
• Design approaches involve reflecting the actual organizational structure, basing the tree on geographic locations, or using a combination of the two approaches
– Two possible organizational structures: functional areas and workgroups
– The functional approach is based on the classic functional business areas such as operations, sales, marketing, finance, etc.
– The workgroup approach is based on workgroups, or groups of members drawn from functional areas
Directory Services Tree Design
• Design approaches (cont.)
– Some organizations create their primary organizational structure based on geographic location; within each location the directory tree can reflect a functional or workgroup structure
– There may be situations where combining the functional area, workgroup, and geographical approaches is warranted (so there are many different ways to lay out a tree)
[Figures: example trees organized by location and business function]
[Figure: example tree organized by location, organizational structure, and business function]
Directory Services Tree Design
• As you can see, there are many different ways to design a tree
– One of the most important areas for network standards is naming conventions
– Plan for the future
– Once implemented, the tree is hard to change in major ways
– Directory Services are becoming a must-have for most large environments
Directory Services Terms
• Identity Management (IdM)
– Sometimes called Access and Identity Management (AIM)
– Refers to an information system, or to a set of technologies, that can be used for enterprise or cross-network identity management
– Describes the management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries
Summary
• Directory Services play an important role in administering and managing networks
• Most directory services are based on the X.500 standard, which defines protocols for the Directory Information Base, Directory Information Tree, Directory User Agent, and Directory System Agent
• Directory Tree Design
• Identity Management
Questions