Directory Services DIT Design
Jim Rommel, Perot Systems Corporation

Jim Rommel, Sr. Directory Specialist, Perot Systems Incorporated
- 4 years experience with X.500/LDAP Directory Services at Texas Instruments and Perot Systems
- Prior experience with Object Repository Technology
- X.500/LDAP experience includes:
  - Schema and DIT design
  - Directory infrastructure integration
  - Directory synchronization
  - LDAP development
  - Client DUA development
  - X.500/LDAP vendor evaluations
  - Installation and maintenance of several X.500/LDAP products

DIT Design: What is a DIT?
- Directory Information Tree
- The logical hierarchical structure and categorization of directory information
- Naming attributes used within the tree:
    c  : country
    o  : organization
    ou : organizational unit
    l  : locality
    cn : common name
- DIT structure rules determine which naming attributes must precede others in the hierarchy
- Each entry in a directory must have a unique Distinguished Name (DN)
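As an added illustration of the two rules on this slide (structure rules decide which naming attribute may sit under which, and every entry needs a unique DN), here is a small Python DN parser with a structure-rule check and a duplicate finder. This is example code written for this transcript, not code from the presentation; the STRUCTURE_RULES table is an assumption modelled on the Acme tree used in the following slides, and SAMPLE_DNS is constructed test data.

```python
"""Parse LDAP distinguished names and check them against a small set of
DIT structure rules.  Added example, not code from the presentation.
STRUCTURE_RULES is an assumption modelled on the slides' Acme tree."""
from typing import Dict, List, Optional, Set, Tuple

# For each naming attribute, the naming attributes allowed in the entry
# immediately above it.  None stands for "the root of the DIT".
STRUCTURE_RULES: Dict[str, Set[Optional[str]]] = {
    "c":   {None},
    "o":   {"c"},
    "l":   {"o", "l"},
    "ou":  {"o", "ou", "l"},
    "cn":  {"o", "ou"},
    "uid": {"ou"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leaf first.

    Honours the RFC 4514 backslash escape, so a comma inside a value
    (cn=Smith\\, Mike) does not split the DN.  Multi-valued RDNs
    (cn=Mike Smith+uid=smithMJ) are deliberately rejected here.
    """
    rdns: List[Tuple[str, str]] = []
    attr, buf, escaped, in_value = "", "", False, False
    for ch in dn:
        if escaped:                       # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:  # end of the attribute type
            attr, buf, in_value = buf.strip().lower(), "", True
        elif ch == "+" and in_value:
            raise ValueError("multi-valued RDN not supported: %r" % dn)
        elif ch == "," and in_value:      # end of this RDN
            rdns.append((attr, buf.strip()))
            buf, in_value = "", False
        else:
            buf += ch
    if escaped or not in_value or not attr:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((attr, buf.strip()))
    return rdns


def is_well_formed(dn: str) -> bool:
    """True if dn parses (single-valued RDNs, balanced escapes)."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def check_structure(dn: str) -> List[str]:
    """Return the structure-rule violations for dn (an empty list means OK)."""
    problems: List[str] = []
    superior: Optional[str] = None
    for attr, value in reversed(parse_dn(dn)):      # walk root -> leaf
        allowed = STRUCTURE_RULES.get(attr)
        if allowed is None:
            problems.append("unknown naming attribute %r" % attr)
        elif superior not in allowed:
            problems.append("%s=%s may not sit under %s" % (attr, value, superior or "the root"))
        if not value:
            problems.append("empty value for %s" % attr)
        superior = attr
    return problems


def normalize_dn(dn: str) -> str:
    """Canonical form for uniqueness checks.  The naming attributes on the
    slides (c, o, ou, l, cn, uid) all use case-insensitive matching, so
    'CN=mike smith' and 'cn=Mike Smith' name the same entry."""
    return ",".join("%s=%s" % (attr, value.casefold()) for attr, value in parse_dn(dn))


def find_duplicates(dns: List[str]) -> Dict[str, List[str]]:
    """Group DNs that collapse to the same normalized name."""
    seen: Dict[str, List[str]] = {}
    for dn in dns:
        seen.setdefault(normalize_dn(dn), []).append(dn)
    return {key: group for key, group in seen.items() if len(group) > 1}


# Constructed sample DNs in the slides' Acme tree.
SAMPLE_DNS = [
    "cn=Mike Smith,ou=Engineering,o=Acme,c=US",
    "CN=mike smith, ou=Engineering, o=Acme, c=US",   # same entry, different case/spacing
    r"cn=Smith\, Mike,ou=Sales,o=Acme,c=US",         # escaped comma inside the value
    "cn=Jane Doe,o=Acme,c=US",
    "cn=Stray Entry,c=US",                           # cn directly under c: not allowed
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "->", check_structure(dn) or "ok")
    print("duplicates:", find_duplicates(SAMPLE_DNS))
```

The normalization step is the part worth keeping in mind: a uniqueness or access-control check that compares DN strings byte for byte will treat "CN=mike smith" and "cn=Mike Smith" as two different people, while the directory treats them as one.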

DIT Design: People by Department

    c=US
      o=Acme
        ou=Sales
        ou=Accounting
        ou=R&D
        ou=Engineering
          cn=Mike Smith
        ou=Mfg.

DIT Design: Types of People

    c=US
      o=Acme
        ou=Employees
          cn=Mike Smith
        ou=Customers
        ou=Contractors
        ou=Others

DIT Design: By Location

    c=US
      o=Acme
        l=Headquarters
        l=Los Angeles
        l=Chicago
        l=Dallas
        l=New York
          cn=Mike Smith

DIT Design: Deep Tree (regions and sites)

    c=US
      o=Acme
        l=North America
          l=Los Angeles
          l=Dallas
          l=New York
            ou=People
              cn=Mike Smith
        l=Europe
          l=Munich
          l=London
          l=Paris
        l=Asia
          l=Singapore
          l=Japan

DIT Design: Deep Tree (sites and departments)

    c=US
      o=Acme
        l=North America
          l=DFW
            ou=Engineering
              ou=R&D
                cn=Mike Smith
              ou=MFG
            ou=Sales
              cn=Soopy Sales
          l=NYC
          l=LA
        l=Asia
          ou=Engineering
            ou=People
              cn=Joe Boss
              cn=Clara Jordan

DIT Design: Flat Tree

    c=US
      o=Acme
        ou=People
          cn=Mike Smith

DIT Design: Flat Tree (name collision)

    c=US
      o=Acme
        ou=People
          cn=Mike Smith #1
          cn=Mike Smith #2

DIT Design: Perot Systems DIT

    c=US
      o=Acme
        ou=People
          cn=SmithET
          cn=AikmanTA
          cn=SandersDJ
          cn=GonzalesJ
          cn=ModanoMW
        ou=Groups
          cn=Directory User
          cn=Mail Admin
          cn=Medical Admin
          cn=Medical User
        ou=Locations
          site=TX-SD
          site=TX-RI
          site=SW-BK
          site=NY-AA
        ou=Apps
          ou=Medical
          ou=Web Sites
          ou=Resumes
        ou=Systems
        ou=Schema

DIT Design: Deep -vs- Flat Trees

Deep Trees:
- Can result in long Distinguished Names (DNs)
- May reflect your actual corporate structure
- Can result in administrative problems if your organization is constantly changing
- Better chance of having unique names within a subtree
- Work well if you want to distribute the data across multiple DSAs and do multi-mastering

DIT Design: Deep -vs- Flat Trees

Flat Trees:
- No need to categorize people
- Short Distinguished Names, easy to remember and type
- DIT is very stable: not affected by organizational changes, and easy to administer
- Higher chance of name collisions
- Not well suited for browsing
- Can result in longer load times or startup times, depending on the directory product you use

DIT Design: Selecting a Distinguished Name: cn = full name

    DN: cn=Mike Smith, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          cn = Mike Smith

    - DN changes when a surname changes (e.g. on marriage)
    - DN changes if I change my nickname
    - Name may not be unique

DIT Design: Selecting a Distinguished Name: cn = opaque unique identifier

    DN: cn=<unique identifier>, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          cn = <unique identifier>
            givenName = Michael
            nickname = Mike
            surname = Smith

    + DN guaranteed to be unique
    + DN never changes
    + More robust searching using name components
    - Browser shows useless information
    - Microsoft and Netscape mail clients expect a real name in the commonName (cn) field

DIT Design: Selecting a Distinguished Name: uid = opaque unique identifier

    DN: uid=<unique identifier>, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          uid = <unique identifier>
            cn = Mike Smith
            givenName = Michael
            nickname = Mike
            surname = Smith

    + DN guaranteed to be unique
    + DN never changes
    + More robust searching using name components
    + commonName (cn) field contains a real name, so it works well with other LDAP applications
    - Browser shows useless information

DIT Design: Selecting a Distinguished Name: uid = logon ID

    DN: uid=smithMJ, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          uid = smithMJ
            cn = Mike Smith
            givenName = Michael
            nickname = Mike
            surname = Smith

    + DN guaranteed to be unique
    + More robust searching using name components
    + commonName (cn) field contains a real name
    + Browser shows more useful information (although not as ideal as a full name)
    + Directly maps to a user's logon ID (can be used for single sign-on)
    - DN has the potential to change if the name or UID changes
    - The Entrust product requires the commonName (cn) to be part of the DN

DIT Design: Selecting a Distinguished Name: multi-valued RDN (cn + uid)

    DN: cn=Mike Smith + uid=smithMJ, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          cn = Mike Smith + uid = smithMJ
            givenName = Michael
            nickname = Mike
            surname = Smith

    + DN guaranteed to be unique
    + More robust searching using name components
    + Directly maps to a user's logon ID (can be used for single sign-on)
    + commonName (cn) field contains a real name
    + commonName (cn) is part of the DN
    - DN has the potential to change
    - Very hokey way of achieving uniqueness
    - Complicated DN syntax
    - More complicated directory logon procedures
    - This syntax may not be accepted as standard in the future

DIT Design: Selecting a Distinguished Name: cn = logon ID (cn multi-valued)

    DN: cn=smithMJ, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          cn = smithMJ
            cn = Mike Smith
            givenName = Michael
            nickname = Mike
            surname = Smith
            uid = smithMJ

    + DN guaranteed to be unique
    + More robust searching using name components
    + Directly maps to a user's logon ID (can be used for single sign-on)
    + commonName (cn) field contains a real name
    + commonName (cn) is part of the DN
    - DN has the potential to change
    - Data is duplicated in several places (uid and cn)
    - Value displayed for commonName may vary

DIT Design: Selecting a Distinguished Name: alias between two subtrees

    DN:            uid=smithMJ, ou=Certificates, o=Perot Systems, c=US
    ALIAS POINTER: cn=smithMJ, ou=People, o=Perot Systems, c=US

    c=US
      o=Perot Systems
        ou=People
          cn = smithMJ
        ou=Certificates
          uid = smithMJ
            cn = Mike Smith
            givenName = Michael
            nickname = Mike
            surname = Smith
            cn = smithMJ

    + DN guaranteed to be unique
    + More robust searching using name components
    + Directly maps to a user's logon ID (can be used for single sign-on)
    + commonName (cn) field contains a real name
    + commonName (cn) is part of the DN
    - DN has the potential to change
    - Problems with X.500 aliases:
      - no built-in referential integrity
      - will LDAPv3 support them?
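The recurring trade-off in the DN-selection slides above is DN stability: a DN built from a person's name changes when the name changes, and every group membership or access-control entry that stores that DN then points at nothing (or, worse, at whatever entry later reuses the old name). The following Python is an added example written for this transcript, not code from the presentation; it builds the DNs for three of the schemes compared on the slides (cn, uid, and the cn+uid multi-valued RDN), simulates a surname change, and reports which stored member DNs would go stale. PEOPLE, GROUPS and the group names are constructed sample data.

```python
"""What a name change does to DNs and to the group memberships that
reference them, under the naming schemes compared on the slides.
Added example, not code from the presentation; PEOPLE and GROUPS are
constructed sample data."""
from typing import Dict, List

PEOPLE_BASE = "ou=People,o=Perot Systems,c=US"
GROUP_BASE = "ou=Groups,o=Perot Systems,c=US"

# Constructed sample entries.
PEOPLE: List[Dict[str, str]] = [
    {"uid": "smithMJ", "cn": "Mike Smith", "givenName": "Michael", "sn": "Smith"},
    {"uid": "jonesAL", "cn": "Ann Jones",  "givenName": "Ann",     "sn": "Jones"},
]
# Membership expressed by uid here; the directory itself stores member DNs.
GROUPS: Dict[str, List[str]] = {
    "Mail Admin": ["smithMJ", "jonesAL"],
    "Directory User": ["jonesAL"],
}


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 gives special meaning in an RDN value."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):                  # leading '#' or space
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):   # trailing space
        out = out[:-1] + "\\ "
    return out


def person_dn(person: Dict[str, str], scheme: str) -> str:
    """DN of a person entry under one of the slides' naming schemes."""
    cn, uid = escape_rdn_value(person["cn"]), escape_rdn_value(person["uid"])
    rdn = {
        "cn":     "cn=" + cn,                   # cn=Mike Smith,...
        "uid":    "uid=" + uid,                 # uid=smithMJ,...
        "cn+uid": "cn=%s+uid=%s" % (cn, uid),   # multi-valued RDN
    }[scheme]
    return rdn + "," + PEOPLE_BASE


def group_dn(name: str) -> str:
    return "cn=" + escape_rdn_value(name) + "," + GROUP_BASE


def modrdn_ldif(old_dn: str, new_dn: str) -> str:
    """LDIF change record that renames an entry in place (same parent)."""
    new_rdn = new_dn.split("," + PEOPLE_BASE)[0]
    return "dn: %s\nchangetype: modrdn\nnewrdn: %s\ndeleteoldrdn: 1\n" % (old_dn, new_rdn)


def rename_impact(scheme: str, uid: str, new_cn: str) -> Dict[str, object]:
    """Change one person's cn and report which stored member DNs go stale."""
    # What the directory would hold in each group's member attribute.
    stored = {g: [person_dn(p, scheme) for p in PEOPLE if p["uid"] in members]
              for g, members in GROUPS.items()}
    person = next(p for p in PEOPLE if p["uid"] == uid)
    old_dn = person_dn(person, scheme)
    new_dn = person_dn(dict(person, cn=new_cn), scheme)
    changed = old_dn != new_dn
    stale = sorted(g for g, dns in stored.items() if old_dn in dns) if changed else []
    return {
        "old_dn": old_dn,
        "new_dn": new_dn,
        "dn_changed": changed,
        "groups_to_fix": [group_dn(g) for g in stale],
        "ldif": modrdn_ldif(old_dn, new_dn) if changed else "",
    }


if __name__ == "__main__":
    for scheme in ("cn", "uid", "cn+uid"):
        result = rename_impact(scheme, "jonesAL", "Ann Brown")
        state = "changed" if result["dn_changed"] else "stable"
        print("%-6s DN %s; groups to fix: %s" % (scheme, state, result["groups_to_fix"]))
```

Under the cn and cn+uid schemes the rename produces a modrdn and a list of groups whose member values must be rewritten in the same change; under the uid scheme nothing but the cn attribute changes. Unless the directory product maintains referential integrity for you (the last slide notes X.500 aliases have none built in), the cleanup of member and ACL references is the administrator's job, and a missed reference is a dangling grant waiting for a new entry with the old name.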

DIT Design: An IETF DIT Naming Proposal

"The X.500 approach to naming has become an obstacle to the wide deployment of directory-enabled applications on the Internet."

DIT Design: An IETF DIT Naming Proposal

    dc=com
      dc=acme
        dc=Corporate
          dc=DalSite
            uid = <address>
              cn = Mike Smith
              givenName = Michael
              surname = Smith
            uid = <address>
              cn = Jane Doe
              givenName = Jane
              surname = Doe
        dc=Customers

- The dc naming attribute stands for domain component
- The idea is to map the upper levels of the tree to registered DNS names (in this case acme.com)
- Lower levels of the tree also use the dc naming attribute
- Each user is identified with the uid naming attribute, containing the user's address
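The mapping described on this slide is mechanical: each DNS label becomes one dc RDN, least significant label first. The Python below is an added example written for this transcript, not code from the presentation; it implements the mapping in both directions, validates that labels are plain DNS letter-digit-hyphen labels (so no RDN escaping is ever needed), and checks whether an entry's DN lies under the tree anchored at a given registered domain. The sample domains and DNs in the tests are constructed.

```python
"""Map registered DNS names to dc-style DNs and back, the scheme the slides
describe for anchoring the top of the DIT.  Added example, not code from
the presentation."""
import re
from typing import List

# DNS letter-digit-hyphen labels, 1..63 characters; nothing here needs
# RFC 4514 escaping when placed in an RDN value.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_domain(domain: str) -> bool:
    """True if every label of domain is a letter-digit-hyphen label."""
    labels = domain.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def domain_to_dn(domain: str) -> str:
    """acme.com -> dc=acme,dc=com.  Label case is kept as given: dc values
    match case-insensitively, so dc=Corporate and dc=corporate are the same."""
    if not is_valid_domain(domain):
        raise ValueError("not a valid DNS name: %r" % domain)
    labels = domain.rstrip(".").split(".")
    return ",".join("dc=" + label for label in labels)


def dn_to_domain(dn: str) -> str:
    """Inverse of domain_to_dn.  Rejects DNs that are not purely dc= RDNs,
    such as ou=People,dc=acme,dc=com, which name an entry below the
    domain root rather than a domain."""
    labels: List[str] = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        value = value.strip()
        if sep != "=" or attr.strip().lower() != "dc" or not _LABEL.match(value):
            raise ValueError("not a pure dc DN: %r" % dn)
        labels.append(value)
    return ".".join(labels)


def is_under_domain(dn: str, registered_domain: str) -> bool:
    """True if dn is the root of, or lies inside, the subtree anchored at
    registered_domain.  Comparison is case-insensitive, as dc matching is."""
    suffix = domain_to_dn(registered_domain).lower()
    normalized = ",".join(rdn.strip() for rdn in dn.split(",")).lower()
    return normalized == suffix or normalized.endswith("," + suffix)


if __name__ == "__main__":
    root = domain_to_dn("acme.com")
    site = domain_to_dn("DalSite.Corporate.acme.com")
    print(root, "|", site, "|", dn_to_domain(site))
    print(is_under_domain("uid=someone," + site, "acme.com"))
```

Because the top of the tree is derived from a name the organization has actually registered, two organizations cannot legitimately end up with the same root DN, which is exactly the uniqueness the c=/o= scheme on the earlier slides could not guarantee. The is_under_domain check is the one to run against a directory's naming contexts before trusting them: a suffix that does not correspond to a domain you control is a configuration error, not a naming convention.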

DIT Design: Conclusion

- Robust DIT naming and design standards are not in place yet
- There is currently no single "right way" to design your DIT that applies to everyone
- Take into consideration your organization:
  - the organizational structure
  - the organization's tendency to change
  - the organization's current size and potential to grow
- Take into consideration how you want to use the directory:
  - what information will be stored in the directory
  - who will own what data and how it will be mastered
  - what other systems in the infrastructure will be using or storing the data
  - how, and by which applications, the data will be accessed

Questions?
Jim Rommel, Perot Systems Corporation
phone:
fax: