eDirectory Update with 8.7.1 (Gary J Porter, MindWorks, Inc.)


© September 15, 2015 Novell Inc, Confidential & Proprietary.
Contents
Things you should know from 8.7:
Extensible Match
Dynamic Groups
New Event Triggers
Persistent Search
TLS
New Authentication Methods
SOAP Access
Universal Password
& much more…

Extensible Match
Extensible Match is defined in LDAP v3 (the extensibleMatch filter of RFC 2251; string form in RFC 2254)
Supports multiple matching rules for the same type of data
–New rules can be implemented, e.g., "sounds like"
DN elements can be included in the search criteria
–The ":dn" specification allows matching on specific elements of the DN of an object, for example the ou=sales component of
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa

Task: Find All Admin Assistants in All the Sales Groups of this Company
[Tree diagram: Root with England, USA and Germany; departments Sales, Manufacturing, Finance and Engineering; England's Sales split into East and West; admin assistant containers holding Terry, Alice, Sam, Hilda and Bill]

Possibility One
1. Search for all admin assistant containers in the tree
C:>ldapsearch … (organizationalRole=adminAssistant)
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches
2. In the client, evaluate each DN to see if it is subordinate to a sales container
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany (not under a sales container; dropped)
organizationalRole=adminAssistant,ou=west,ou=sales,o=england

Possibility One (cont.)
3. Using each admin assistant container as a base, do a subtree search for users in that container
C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=west,ou=sales,o=england" (objectClass=user)
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
1 matches
This works, but it costs one search per container plus DN parsing in the client, and the number of round trips grows with the number of admin assistant containers.

Possibility Two
1. Search for all sales containers in the tree
C:>ldapsearch … (ou=sales)
ou=sales,o=usa
ou=sales,o=germany
ou=sales,o=england
3 matches
2. Using each sales container as a base, do a subtree search for users in the admin assistant container
C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=usa" (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=germany" (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b "organizationalRole=adminAssistant,ou=sales,o=england" (objectClass=user)
0 matches
What's wrong? This search assumes everything is at the same level: England's admin assistants live under ou=west,ou=sales,o=england, so the base organizationalRole=adminAssistant,ou=sales,o=england does not exist and Bill is missed.

In eDirectory, Use extensibleMatch
C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches
One search, no client-side DN parsing, and the depth at which the sales containers sit no longer matters.
Filter syntax (RFC 2254):
extensible = attr [":dn"] [":" matchingrule] ":=" value
           / [":dn"] ":" matchingrule ":=" value
The ":dn" flag asks the server to apply the match to the attributes that make up the entry's DN as well as to the entry's own attributes, so (ou:dn:=Sales) matches any entry with an ou=sales component anywhere in its name.

eDirectory Support for extensibleMatch
eDirectory 8.7 and 8.7.1 support extensibleMatch for matching on DN values
eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and ignores them (per RFC 2251 an undefined term evaluates to Undefined, so an AND containing one returns nothing and an OR falls back to its remaining terms; check the result count rather than assuming the rule was applied)
Versions of eDirectory prior to 8.7 return a protocol error if an extensibleMatch term is specified in a search filter
Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object, using the standard matchingRules and matchingRuleUse schema attributes
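To make the difference between the two "possibilities" and the ":dn" modifier concrete, here is a small client-side model of the matching rules, added here as an example (it is not code from the slides or from eDirectory). The directory contents are constructed to mirror the tree on the slides, with Hilda assumed to be the admin assistant under ou=finance,o=germany; the function names possibility_two, slide_filter_literal and admin_assistants_under_sales are this example's own. One point it makes that the slide glosses over: in (&(ou:dn:=Sales)(organizationalRole=adminAssistant)) only the first term carries ":dn", so strictly the second term matches entries that themselves carry an organizationalRole attribute (the containers), not the user entries beneath them; to get the four users listed you need ":dn" on the second term as well, plus a term such as (objectClass=user) to drop the containers.

```python
"""Client-side model of the extensibleMatch ":dn" modifier (RFC 2254 filter
syntax).  Added example, not part of the original slides.  The directory
contents are constructed to mirror the tree on the slides; Hilda is assumed
to be the admin assistant under ou=finance,o=germany."""
from typing import Dict, List, Sequence, Tuple

Entry = Tuple[str, Dict[str, str]]

# Constructed sample tree: (dn, attributes).  Containers carry an ou or an
# organizationalRole attribute; user entries carry only cn and objectClass.
ENTRIES: List[Entry] = [
    ("ou=sales,o=usa", {"ou": "sales"}),
    ("ou=sales,o=germany", {"ou": "sales"}),
    ("ou=finance,o=germany", {"ou": "finance"}),
    ("ou=sales,o=england", {"ou": "sales"}),
    ("ou=west,ou=sales,o=england", {"ou": "west"}),
    ("organizationalRole=adminAssistant,ou=sales,o=usa", {"organizationalRole": "adminAssistant"}),
    ("organizationalRole=adminAssistant,ou=sales,o=germany", {"organizationalRole": "adminAssistant"}),
    ("organizationalRole=adminAssistant,ou=finance,o=germany", {"organizationalRole": "adminAssistant"}),
    ("organizationalRole=adminAssistant,ou=west,ou=sales,o=england", {"organizationalRole": "adminAssistant"}),
    ("cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa", {"cn": "Terry", "objectClass": "user"}),
    ("cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany", {"cn": "Sam", "objectClass": "user"}),
    ("cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany", {"cn": "Alice", "objectClass": "user"}),
    ("cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany", {"cn": "Hilda", "objectClass": "user"}),
    ("cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england", {"cn": "Bill", "objectClass": "user"}),
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, honouring backslash-escaped commas.
    Multi-valued RDNs (a=x+b=y) are not handled; the slides do not use them."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip()))
    return out


def term_matches(dn: str, attrs: Dict[str, str], attr: str, value: str, dn_flag: bool) -> bool:
    """One equality term.  Without :dn only the entry's own attributes are
    consulted; with :dn every RDN of the entry's name is consulted as well."""
    want_attr, want_value = attr.lower(), value.lower()
    if any(k.lower() == want_attr and v.lower() == want_value for k, v in attrs.items()):
        return True
    return dn_flag and any(t == want_attr and v.lower() == want_value for t, v in parse_dn(dn))


def search_and(entries: Sequence[Entry], terms: Sequence[Tuple[str, str, bool]]) -> List[str]:
    """AND filter over (attr, value, dn_flag) terms; returns the matching DNs."""
    return sorted(dn for dn, attrs in entries
                  if all(term_matches(dn, attrs, a, v, f) for a, v, f in terms))


def possibility_two(entries: Sequence[Entry]) -> List[str]:
    """The slides' flawed approach: assume the admin assistant container sits
    directly under each ou=sales container.  Bill (under ou=west) is missed."""
    found = []
    for base, _ in entries:
        if parse_dn(base)[0] != ("ou", "sales"):
            continue
        container = ("organizationalRole=adminAssistant," + base).lower()
        found += [dn for dn, attrs in entries
                  if dn.lower().endswith("," + container) and attrs.get("objectClass") == "user"]
    return sorted(found)


def slide_filter_literal(entries: Sequence[Entry]) -> List[str]:
    """(&(ou:dn:=Sales)(organizationalRole=adminAssistant)) exactly as written:
    the second term has no :dn, so only entries that themselves carry
    organizationalRole=adminAssistant (the containers) can match."""
    return search_and(entries, [("ou", "Sales", True), ("organizationalRole", "adminAssistant", False)])


def admin_assistants_under_sales(entries: Sequence[Entry]) -> List[str]:
    """(&(ou:dn:=Sales)(organizationalRole:dn:=adminAssistant)(objectClass=user)):
    the filter that actually yields the four user entries listed on the slide."""
    return search_and(entries, [("ou", "Sales", True),
                                ("organizationalRole", "adminAssistant", True),
                                ("objectClass", "user", False)])


if __name__ == "__main__":
    print("possibility two :", possibility_two(ENTRIES))
    print("slide filter    :", slide_filter_literal(ENTRIES))
    print("with :dn on both:", admin_assistants_under_sales(ENTRIES))
```

Run it and compare the three lists: the second possibility silently loses Bill, the slide's filter as written returns three container entries, and only the version with ":dn" on both terms returns Terry, Sam, Alice and Bill.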

Dynamic Groups: Creating communities while reducing administrative overhead

Dynamic Groups
eDirectory 8.6.1 and 8.7 allow you to determine group membership dynamically
Membership is determined by a search filter
–The search filter is stored in LDAP URL form (RFC 2255)
Additional capabilities
–Objects can be specifically excluded from the group
–Objects can be specifically included in the group
Web management interface in eDirectory 8.7
Available only via LDAP in eDirectory 8.6.1

Dynamic Groups: Schema
Object classes
dynamicGroup: structural class for a dynamic group
dynamicGroupAux: auxiliary class (adds dynamic-group behaviour to an existing group object)
Attributes
memberQueryURL: the search query in URL form
excludedMember: objects specifically excluded
uniqueMember: objects specifically included in the group
–Reading the uniqueMember (or member) attribute returns the specifically included objects as well as the objects that satisfy the query, less any entries listed in excludedMember

Dynamic Groups: Compatibility
Static groups may be converted to dynamic groups:
–Add dynamicGroupAux to the objectClass attribute
–Set a search query in memberQueryURL
For either static or dynamic groups, obtain a membership list by simply reading the member attribute
By default, the implicit search is limited to the local server: entries that are not held in a replica on the server answering the query are not returned as members

Dynamic Groups: Example
The student registers for a course
The student can now see the list of other students in the course automatically, because registering makes the student satisfy the course's dynamic group query
memberQueryURL of the course group:
ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?(&(objectclass=aspenStudent) (aspenRegisteredSections=cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv))
(base DN ou=students,l=Denver,l=USA,o=OutdoorAdv; empty attribute list; scope sub; filter: aspenStudent objects registered for section EA-sec1)
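The following added example (not eDirectory or Novell code) evaluates the slide's memberQueryURL the way a server would when the member attribute of a dynamic group is read: it parses the LDAP URL into base, scope and filter, runs the filter over a constructed set of entries within scope, then adds uniqueMember and removes excludedMember. The entries, the uniqueMember and excludedMember values and the helper names are this example's assumptions; the URL is the one on the slide, taken verbatim.

```python
"""Dynamic group membership evaluated from a memberQueryURL (LDAP URL, RFC 2255)
plus uniqueMember / excludedMember.  Added example, not eDirectory code; the
entries below are constructed and the attribute names follow the slide."""
from typing import Dict, List, Sequence, Tuple
from urllib.parse import unquote

Attrs = Dict[str, List[str]]
Entry = Tuple[str, Attrs]

# The URL from the slide, verbatim (spaces after commas survive unquote).
COURSE_URL = ("ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?"
              "(&(objectclass=aspenStudent) (aspenRegisteredSections=cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv))")

SECTION = "cn=EA-sec1,ou=sections,l=Denver,l=USA,o=OutdoorAdv"

# Constructed directory contents.
ENTRIES: List[Entry] = [
    ("cn=ann,ou=students,l=Denver,l=USA,o=OutdoorAdv",
     {"objectClass": ["aspenStudent"], "aspenRegisteredSections": [SECTION]}),
    ("cn=bob,ou=students,l=Denver,l=USA,o=OutdoorAdv",          # registered, but dropped the course
     {"objectClass": ["aspenStudent"], "aspenRegisteredSections": [SECTION]}),
    ("cn=cam,ou=students,l=Denver,l=USA,o=OutdoorAdv",          # registered for another section
     {"objectClass": ["aspenStudent"],
      "aspenRegisteredSections": ["cn=EA-sec2,ou=sections,l=Denver,l=USA,o=OutdoorAdv"]}),
    ("cn=dee,ou=students,l=Boulder,l=USA,o=OutdoorAdv",         # outside the search base
     {"objectClass": ["aspenStudent"], "aspenRegisteredSections": [SECTION]}),
    ("cn=eve,ou=staff,l=Denver,l=USA,o=OutdoorAdv",             # teaching assistant, added by hand
     {"objectClass": ["aspenInstructor"]}),
]

COURSE_GROUP = {
    "memberQueryURL": COURSE_URL,
    "uniqueMember": ["cn=eve,ou=staff,l=Denver,l=USA,o=OutdoorAdv"],
    "excludedMember": ["cn=bob,ou=students,l=Denver,l=USA,o=OutdoorAdv"],
}


def norm(s: str) -> str:
    """Case-fold and drop spaces after commas so DN-valued strings compare reliably."""
    return s.strip().lower().replace(", ", ",")


def parse_ldap_url(url: str) -> Tuple[str, str, str]:
    """Return (base, scope, filter) from ldap://host/dn?attrs?scope?filter?exts."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    parts = unquote(rest).split("?")
    base = parts[0]
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    flt = parts[3] if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return base, scope, flt


def parse_filter(s: str, i: int = 0):
    """Minimal RFC 2254 parser: &, |, ! and attr=value (no substrings or extensible)."""
    while s[i].isspace():
        i += 1
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while True:
            while s[i].isspace():
                i += 1
            if s[i] == ")":
                return (op, kids), i + 1
            kid, i = parse_filter(s, i)
            kids.append(kid)
    if s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        while s[i].isspace():
            i += 1
        return ("!", [kid]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def evaluate(node, attrs: Attrs) -> bool:
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, attrs) for k in node[1])
    if kind == "|":
        return any(evaluate(k, attrs) for k in node[1])
    if kind == "!":
        return not evaluate(node[1][0], attrs)
    _, attr, value = node
    values = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if value.strip() == "*":
        return bool(values)
    return any(norm(v) == norm(value) for v in values)


def in_scope(dn: str, base: str, scope: str) -> bool:
    dn_n, base_n = norm(dn), norm(base)
    if scope == "base":
        return dn_n == base_n
    if not dn_n.endswith("," + base_n):
        return dn_n == base_n and scope == "sub"
    rest = dn_n[: -len(base_n) - 1]
    return scope == "sub" or "," not in rest   # "one": exactly one RDN below the base


def dynamic_members(group: Dict[str, object], entries: Sequence[Entry]) -> List[str]:
    """What reading 'member' on a dynamic group returns: query hits within scope,
    plus uniqueMember, minus excludedMember.  A real server only searches its
    own replicas; here the whole sample list stands in for them."""
    base, scope, flt = parse_ldap_url(str(group["memberQueryURL"]))
    node, _ = parse_filter(flt)
    members = {dn for dn, attrs in entries if in_scope(dn, base, scope) and evaluate(node, attrs)}
    members |= set(group.get("uniqueMember", []))
    members -= set(group.get("excludedMember", []))
    return sorted(members)


if __name__ == "__main__":
    for dn in dynamic_members(COURSE_GROUP, ENTRIES):
        print(dn)
```

Note that the exclusion wins over the query and the explicit inclusion wins over the scope: bob still satisfies the filter but is not a member, and eve is a member although she sits outside ou=students.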

eDirectory Events: Automate and monitor

Applications of eDirectory Events
What can I do with eDirectory Events?
eDirectory monitoring
Auditing
Automation of infrastructure changes
Automated business logic
All of these things can be done with eDirectory; they do not exist in the same form on other directory products

Selectively Monitor eDirectory Events
eDirectory defines several directory-related events, including
–Operations on individual entries and their attributes
–Partition and replica operations
These events can be used for
–Debugging
–Auditing
–Management
Access to each event is controlled by rights checking: if the user does not have the required privileges, the request fails or no event is sent

LDAP Persistent Search
Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server
Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter
The connection to the server remains open until the search is abandoned
Persistent search is supported by multiple directories (it is specified in the IETF draft draft-ietf-ldapext-psearch, which never became an RFC, so check each server's implementation)
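Persistent search is a request control attached to an ordinary SearchRequest: OID 2.16.840.1.113730.3.4.3 with a BER-encoded value of (changeTypes, changesOnly, returnECs); when returnECs is set, each entry the server sends back carries an EntryChangeNotification response control (2.16.840.1.113730.3.4.7) saying which change type produced it. The following added example (not Novell code) builds and decodes that control value and wraps it in an LDAP Control sequence, so the bytes a client attaches to its search can be inspected; the OIDs and ASN.1 layout are from the draft, the function names are this example's own.

```python
"""Building and decoding the LDAP Persistent Search control
(draft-ietf-ldapext-psearch) with hand-rolled BER.  Added example, not
eDirectory code; OIDs and ASN.1 layout are from the draft, everything else
is this example's own."""
from typing import Tuple

PSEARCH_OID = "2.16.840.1.113730.3.4.3"   # PersistentSearch request control
ECN_OID = "2.16.840.1.113730.3.4.7"       # EntryChangeNotification response control

# changeTypes bit mask from the draft
CHANGE_ADD, CHANGE_DELETE, CHANGE_MODIFY, CHANGE_MODDN = 1, 2, 4, 8
CHANGE_ALL = CHANGE_ADD | CHANGE_DELETE | CHANGE_MODIFY | CHANGE_MODDN


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n: int) -> bytes:
    """INTEGER with minimal two's-complement content (non-negative values only)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + ber_len(len(body)) + body


def ber_bool(b: bool) -> bytes:
    return b"\x01\x01" + (b"\xff" if b else b"\x00")


def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_psearch(change_types: int = CHANGE_ALL, changes_only: bool = True,
                   return_ecs: bool = True) -> bytes:
    """PersistentSearch ::= SEQUENCE { changeTypes INTEGER,
                                        changesOnly BOOLEAN, returnECs BOOLEAN }"""
    body = ber_int(change_types) + ber_bool(changes_only) + ber_bool(return_ecs)
    return ber_tlv(0x30, body)


def encode_control(oid: str, criticality: bool, value: bytes) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
                             controlValue OCTET STRING OPTIONAL } (RFC 2251 4.1.12).
    criticality is omitted when FALSE, as DER requires for DEFAULT values."""
    body = ber_tlv(0x04, oid.encode("ascii"))
    if criticality:
        body += ber_bool(True)
    body += ber_tlv(0x04, value)
    return ber_tlv(0x30, body)


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one short-form TLV; returns (tag, content, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in this control")
    start = pos + 2
    return tag, data[start:start + length], start + length


def decode_psearch(value: bytes) -> Tuple[int, bool, bool]:
    """Inverse of encode_psearch; tags and total length are checked so a
    malformed control is rejected instead of silently misread."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PersistentSearch value must be a SEQUENCE")
    t1, ct, p = _read_tlv(seq, 0)
    t2, co, p = _read_tlv(seq, p)
    t3, rc, p = _read_tlv(seq, p)
    if (t1, t2, t3) != (0x02, 0x01, 0x01) or p != len(seq):
        raise ValueError("unexpected PersistentSearch layout")
    return int.from_bytes(ct, "big", signed=True), co != b"\x00", rc != b"\x00"


if __name__ == "__main__":
    value = encode_psearch(CHANGE_ADD | CHANGE_MODIFY, changes_only=True, return_ecs=True)
    print("control value:", value.hex())
    print("full control :", encode_control(PSEARCH_OID, True, value).hex())
    print("decoded      :", decode_psearch(value))
```

Mark the control critical when the application depends on the notifications: a server that does not implement persistent search must then reject the search (unavailableCriticalExtension) instead of quietly running it once and closing, which is the failure mode you see when talking to a directory that lacks the draft.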

eDirectory Events Extension
A Novell extension allowing an LDAP client to be notified of the occurrence of various events on an eDirectory server
Utilizes the LDAPv3 extended operation mechanism
It also uses an intermediate response PDU (Protocol Data Unit) as described in the IETF draft
–draft-rharrison-ldap-intermediate-resp-00.txt (later published as RFC 3771)
Available on all platforms supported by Novell eDirectory 8.7
This is Novell-specific and not standard LDAP

Using eDirectory Events
[Figure: a student registers for a course; a persistent search updates the instructor's class list automatically]

Transport Layer Security: Securing eDirectory access

Transport Layer Security (TLS)
TLS 1.0 provides privacy and data integrity between the LDAP client and the LDAP server
TLS ensures that
–The connection is private
–The connection is reliable
–Identities can be authenticated using asymmetric (public key) cryptography
–Negotiation of the shared secret is secure: an attacker in the middle cannot learn it, provided the client validates the server's certificate (and the server validates the client's, where client certificates are used)
–The negotiation is reliable: tampering with the handshake is detected
TLS 1.0 is the IETF standardization of SSL 3.0; these slides use the two names interchangeably

Selectable Channel Encryption
I am connected to the directory on the clear-text port and I want to access my credit card information. What do I do?
Either: drop the connection, reconnect and re-authenticate on the SSL port, and read the data
Or: send the StartTLS extended request on the existing connection, complete the TLS handshake once the server responds, and then issue the query that reads the credit card data (RFC 2830 requires the client to wait for the StartTLS response before sending any further request, so the read cannot be bundled with the StartTLS request itself)

Connecting with TLS
The eDirectory LDAP server can now be configured to use the following TLS handshakes (configured through iManager):
–Require client certificate
–Request client certificate
–Server certificate only

Ending TLS on a Connection
Client or server sends a TLS closure notification
The connection reverts to anonymous: any identity established during the TLS session is discarded, and the client must bind again before doing anything that needs privileges
"Who are you, anyway?"

Configurable Transport Security
[Figure: the instructor connects in clear text, then sends StartTLS to change to a secure connection before viewing the student information]

New LDAP Authentication Methods

Multiple Authentication Mechanisms (SASL)
[Figure: students authenticate with SASL EXTERNAL, DIGEST-MD5 or NMAS_LOGIN; a student registers a thumbprint; eDirectory replication carries the change; students can modify their own profiles]

SASL EXTERNAL
The TLS handshake establishes the client's identity by means of certificate-based client authentication
An LDAP SASL EXTERNAL bind then uses that identity for the user connection (no password crosses the wire; the bind can only succeed on a connection where the server requested or required a client certificate and verified it)

SASL DIGEST-MD5
Lets a client prove it knows the password over a clear-text connection without sending the password: the bind carries an MD5 digest computed over the password, the server's nonce and a client nonce (RFC 2831)
Requires that the server hold a clear-text copy of the password (kept in the NMAS encrypted store) so that it can compute the same digest from the nonces and other fields in the bind and compare it with the response contained in the bind
Caveat: an eavesdropper who captures the nonces and the response can test password guesses offline, so the mechanism is only as strong as the password, and anyone who can read the password store gets the password itself
[Figure: SASL bind packet carrying the digest rather than the password]
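Because the slides' description of DIGEST-MD5 is easy to misread, the following added example (not NMAS or eDirectory code) works through RFC 2831 on both ends of an LDAP bind with constructed names, nonces and password: the client computes the response from the password and both nonces, the server recomputes it from its stored copy of the password and replies with rspauth, and an eavesdropper holding only the captured fields tests guesses offline. Names such as client_bind, server_verify and offline_guess are this example's own; H(username:realm:password) is the smallest secret a server can keep for this mechanism, which is why a clear-text or equivalent store is unavoidable.

```python
"""SASL DIGEST-MD5 (RFC 2831) response computation for both sides of an LDAP
bind.  Added example, not eDirectory or NMAS code: it shows why the server
must hold the clear-text password (or at least H(username:realm:password))
and why a captured exchange can be brute-forced offline.  All nonces, names
and the password are constructed values."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def H(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def HEX(data: bytes) -> str:
    return data.hex()


def KD(k: str, s: str) -> str:
    """KD(k, s) = H(k ":" s), the RFC's keyed-digest step."""
    return HEX(H(f"{k}:{s}".encode("utf-8")))


def password_verifier(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password).  This is the minimum the server must keep;
    eDirectory keeps the password itself in the NMAS secret store (slide)."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(verifier: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, authzid: Optional[str] = None,
                    server_side: bool = False) -> str:
    """response-value (client) or rspauth (server_side=True), RFC 2831 2.1.2.1 / 2.1.3."""
    a1 = verifier + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    return KD(HEX(H(a1)), f"{nonce}:{nc}:{cnonce}:{qop}:{HEX(H(a2.encode('utf-8')))}")


def client_bind(username: str, realm: str, password: str, challenge_nonce: str,
                cnonce: str, digest_uri: str) -> Dict[str, str]:
    """Fields the client places in its SASL bind after the server's challenge."""
    fields = {"username": username, "realm": realm, "nonce": challenge_nonce,
              "cnonce": cnonce, "nc": "00000001", "qop": "auth", "digest-uri": digest_uri}
    fields["response"] = digest_response(password_verifier(username, realm, password),
                                         challenge_nonce, cnonce, fields["nc"],
                                         fields["qop"], digest_uri)
    return fields


def server_verify(store: Dict[str, str], issued_nonce: str, bind: Dict[str, str]) -> Optional[str]:
    """Recompute the digest from the stored clear-text password and the bind's
    fields.  Returns rspauth (proving the server knows the password too) on
    success, None on failure."""
    if bind["nonce"] != issued_nonce:          # replayed or forged challenge
        return None
    password = store.get(bind["username"])
    if password is None:
        return None
    verifier = password_verifier(bind["username"], bind["realm"], password)
    expected = digest_response(verifier, bind["nonce"], bind["cnonce"], bind["nc"],
                               bind["qop"], bind["digest-uri"])
    if not hmac.compare_digest(expected, bind["response"]):
        return None
    return digest_response(verifier, bind["nonce"], bind["cnonce"], bind["nc"],
                           bind["qop"], bind["digest-uri"], server_side=True)


def offline_guess(captured: Dict[str, str], wordlist: Iterable[str]) -> Optional[str]:
    """An eavesdropper's view: nonce, cnonce and response are on the wire, so
    every candidate password can be tested without talking to the server."""
    for candidate in wordlist:
        v = password_verifier(captured["username"], captured["realm"], candidate)
        if digest_response(v, captured["nonce"], captured["cnonce"], captured["nc"],
                           captured["qop"], captured["digest-uri"]) == captured["response"]:
            return candidate
    return None


# Constructed scenario.
PASSWORD_STORE = {"terry": "W1nter-2003!"}     # what NMAS would hold, once decrypted
SERVER_NONCE = "c3rv3rN0nc3Qm2hh"               # constructed server challenge nonce
CLIENT_NONCE = "cl13ntN0nc3VqTrRk"              # constructed cnonce
DIGEST_URI = "ldap/edir.example"

if __name__ == "__main__":
    bind = client_bind("terry", "edir.example", PASSWORD_STORE["terry"],
                       SERVER_NONCE, CLIENT_NONCE, DIGEST_URI)
    print("response:", bind["response"])
    print("rspauth :", server_verify(PASSWORD_STORE, SERVER_NONCE, bind))
    print("guessed :", offline_guess(bind, ["password", "W1nter-2003!"]))
```

The nonce check in server_verify is the part implementations most often skip: without it a captured bind can be replayed for as long as the password stays the same.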

SASL NMAS_LOGIN
Full functionality of Novell Modular Authentication Services (NMAS) applied to LDAP binds
Login policy is maintained by the server
Provides for multiple levels of authentication and identification:
–Fingerprint
–Smart card
–Certificate
–Biometric

Web Services & Novell eDirectory 8.7: SOAP Access to eDirectory

DSML Connector
[Architecture figure: a Web server hosts a DSML SOAP servlet in a J2EE container; reader and writer components translate DSML carried over SOAP into LDAP operations through the Java LDAP API against eDirectory; the service is described by a DSML WSDL at a DSML URL and published in UDDI]

Clientless install (Windows only)
This provides the ability to install eDirectory on a Windows NT or 2000 server without the Novell Client.

Novell iMonitor 2.1
This new version of iMonitor provides:
–SSL support on all platforms
–Object statistics reports
–Enhanced obituary processing reports
–Server advertising reports
–Enhanced tracing functions
–Event monitoring and statistics

Novell iManager 2.0
This utility provides a single Web-based management console for the administration of Novell products on NetWare 6.5 and NNLS
iManager standardizes all Novell Web-based administration utilities into a single management framework
Provides an architecture for easy development of Web-based administration and management modules through open-standard application interfaces
Uses roles to delegate eDirectory administration, management and services tasks

Novell iManager 2.0
Novell iManager consists of two pieces:
–eDirectory Management Framework (eMFrame)
–eDirectory Management Toolbox (eMBox)
eMBox is the server-side piece that works with iManager to access functionality in various eDirectory utilities.
Other utilities reached this way:
–DSRepair
–DSMerge
–Backup and Restore
–LDAP
–WAN Manager
–Novell Import Convert Export utility

Universal Password
In the past, administrators have had to manage multiple passwords (simple password, NDS RSA passwords) because of the limitations of each password type
Administrators have also had to keep those passwords synchronized
Universal Password addresses these problems by creating a single password that can be used by all protocols to authenticate users

UTF8 Encoded
In addition, all Novell utilities are now UTF8 encoded
When a password is reset by a user or an administrator, the Secure Password Manager (SPM), an NMAS component, takes the Unicode password, converts it to a Universal Password (UTF8-encoded) and resets the NDS password.

Backup and Restore
eDirectory 8.7 introduced a new focus for backup and restore, called "hot continuous backup"
With the new Backup eMTool, you back up the eDirectory database for each server individually, and you can do it while eDirectory is running

Novell eGuide 2.11
eGuide provides a Web-based GUI for searching, viewing and editing information stored in Novell eDirectory and other directory data sources
Because eGuide is highly customizable for any type of environment, administrators can configure it to their own specifications
