Directory Development Fundamentals Ed Shropshire NDS Partner Programs Novell, Inc.


Vision: one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.

Deployed Versions: Novell eDirectory and Novell Directory Services (NDS)

Product Version                  | Build Version         | Platforms
NetWare 5.1 SP4 (NDS 7)          | DS.nlm v7.57          | NetWare 5.1
NetWare 5.1 SP4 (NDS 8)          | DS.nlm v8.79          | NetWare 5.1
eDirectory 8                     | DS.nlm & DS.dlm v8.79 | NetWare 5.0, Win NT/2K
eDirectory 8.5.x                 | DS v85.23             | NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)       | DS.nlm v              | NetWare 6
eDirectory 8.6.1                 | DS v                  | NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2) | DS.nlm v              | NetWare 6
eDirectory 8.6.2                 | DS v103xx.xx          | NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                   | DS v10410.xx          | NW 5.1, NW 6, Win, Solaris, Linux, AIX

Differences Between eDirectory and NDS
- NDS (NetWare 5): a NOS directory focused on managing NetWare servers
- eDirectory (NetWare 6): a cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network—eDirectory is the foundation for eBusiness

Novell one Net and eBusiness Vision
Novell provides Net services software that gives organizations the ability to simplify the complexities of the Net, securely extend and integrate networks and applications between companies, and accelerate eBusiness transformations.
(Diagram labels: Novell eDirectory, NW, NET Services …)

What's New with Novell eDirectory
- Novell eDirectory and 8.7
- Product of the Year—Network Magazine
- The Name—Novell eDirectory
- SunTone Certification
- Partner Redistribution Program
- Free eDirectory for Developers
- LDAPZone
- AIX
- LDAP 2000 Server Brand
- LDAP Java SDK
- LDAP Java Beans

Novell eDirectory Partner Redistribution Kit Program
Get started
- Download unlimited eDirectory licenses for development purposes—visit developer.novell.com/eDirectory/download.htm
Get profitable
- Offer commercial solutions that include FREE 250,000-user versions of eDirectory
- Save each application customer up to a half-million US dollars in up-front licensing costs
- Visit developer.novell.com/eDirectory

Novell eDirectory Partner Redistribution Kit Program
OEMs/ISVs can (AT NO COST):
- Distribute 250,000-user versions of eDirectory with each copy of their shipping products
- Distribute full-featured versions of eDirectory to an unlimited number of application customers
- Distribute the latest Multi-OS version of eDirectory—Windows*, Sun Solaris*, Linux*, NetWare, and IBM AIX* (*future)
- Increase software/hardware/server sales
- Rely on proven embedded technology
- Build competitive advantage with added services and lower up-front deployment costs

LDAPzone.com
Why LDAPzone?
- Comprehensive: resources and information on everything LDAP
- Community: share ideas, sample code, forums, tips and tricks
- Directions: the latest LDAP news, updates and developments

Novell Developer Offerings
Support options
- What can you get if you pay
Benefits
- 24-hour turnaround
- Developer labs
- Priority support
- Dedicated support contacts
- Certification
- Solutions search
- Developer labs
- Developer training

Novell eDirectory Architecture (layer diagram)
- Management: eGuide, iInstall, iMonitor, iManage; eDirectory Management Framework
- Core services: Database, Storage Management Interface (SMI), Replication, Security, Maintenance, Schema
- Utilities: Repair, Merge, Backup
- Access protocols: LDAP, NDAP
- System Abstraction Layer (SAL) over Linux, NetWare, NT, Solaris, AIX, ???
- Related products: DirXML, OnDemand, SSO, iChain

Net Directory Service Solutions (diagram)
- How do I simplify my business process and eliminate redundant and inconsistent data?
- How do I use the Internet to let my partners, customers and employees access secure applications and data?
- How do I accelerate my existing business systems so my customers, employees and IS professionals are not waiting for them?
Diagram components: Browser, Web Server, iChain, App 1, App 2, App 3, App 4, SSO/NMAS, DirXML, HR Application, PBX Application, Application, eDirectory, Novell Account Management, Novell Authentication Services

168 Applications Before Zero-Day Start

One Net Simplifies Business Processes (diagram labels: LDAP, XML, IP, SSL)

Enlightened Workforce (Intelligent Portal)

The Three Views of Novell eDirectory
Let's take a look at it from a different perspective:
- Logical View: Names, Rights, Perspective
- Physical View: Partitions, Replicas
- Schema View: Top, Person, User

What Makes It Different?
- Extensible schema
- Inherited rights
- Multi-master replication
- Filtered replica
- Referential integrity
- Scalable data store
- Multi-protocol support (discovery and access protocols)
- Multi-authentication support
- Developer interfaces
- Platform support

eDirectory Features
- ADSI Provider: translates ADSI calls into LDAP; apps developed to ADSI are fully supported
- LDAP support: LDAP v3 support including SSL; OpenLDAP SDK; improved search speed
- Cross-platform support: already runs on NetWare, NT 4, Linux, Windows 2000 and Solaris; looking at other UNIX and mainframe platforms (e.g., AIX)
- Improved administration tools: monitoring and repair tools in ConsoleOne; ICE (Import/Convert/Export) utility; iMonitor utility
Feature details
- Filtered replica: a new replica type that enables flexible control of what's replicated, down to the attribute level
- DirXML support: provides the foundation for integrating network information for any system, application, device, etc.

What is LDAP?
- A standardized protocol for accessing X.500 directories
- A version of DAP* that contains less code than DAP
- An enabled client with TCP/IP access to X.500 directories
- Lightweight means you don't have to manage all of the connection overhead in your application
- Lightweight doesn't mean limited access functionality
- LDAP is a client-server protocol
*LDAP began life as an attempt to simplify access to X.500 (DAP) directories, thus the name: Lightweight Directory Access Protocol

Technical LDAP Benefits
(Diagram: directory-enabled applications speaking LDAP to Microsoft, Netscape and Novell eDirectory servers; licenses in use shown as 40 M, 174 M and 4.5 M)
- Applications can be directory-neutral
- Directories can be interchanged
- Note: all directories are not equal

Overview
- LDAP is a client/server access protocol
- LDAP also describes a data model (ACI, schema, replication)
- LDAP is controlled by the IETF community
- LDAP certifications
  - Works with LDAP (for applications) and LDAP 2000 (for servers)
  - Novell is a founding member of the Interoperability Forum/Open Group

One Net and LDAP
- Current widespread standard for access to directory information
- Core protocol used by Net services software

Novell eDirectory SDK
Everything to integrate with eDirectory
- Libraries, tools, sample code, and documentation
- Platforms (server and workstation): NetWare, Windows 2000, NT, Windows 95/98, Solaris, Linux

Novell eDirectory SDK stack (diagram; labels in reading order): Novell ODBC driver for eDirectory, Novell controls for ActiveX (NWDir), Beans for Novell services, eMFramework, Novell JDBC driver for eDirectory, JNDI, NJCL, eDir libraries for C, NDAP/NCP, LDAP service provider for JNDI, LDAP libraries for C, Novell controls for ActiveX (NWIDir), Novell eCommerce Beans, LDAP Class Libraries for Java, LDAP, Novell eDirectory. The same diagram is repeated before each SDK component below, highlighting the component being discussed.

Novell ODBC Driver for eDirectory
ODBC driver specifically designed to query and retrieve eDirectory data
- Supports standard SQL statements
- Makes reporting and retrieving data quick and easy
- Abstracts the directory tree into accessible relational database tables
- Hides the complexity of the underlying directory syntax

How ODBC Maps eDirectory Data
Mapping eDirectory data to relational tables
- eDirectory hierarchical directory data is mapped to a flattened relational database table
- eDirectory object classes correspond to the tables
- eDirectory class attributes correspond to columns of the table
- Entries correspond to rows of the table

Surname | Given name | Title
Jones   | Kim        | Manager
Nelson  | Chris      | Engineer
Smith   | Sam        | Tester
Wilson  | Lynn       | Writer

Troubleshooting Novell ODBC Driver
Common problems
- Insufficient resources
  - Select fewer attributes, or specify the attributes rather than using a wildcard to include all attributes
  - Examine the attributes you select to ensure that only a few of them are multi-valued
  - Restrict the number of objects selected by specifying only one container
- eDirectory rights
- SQL statement errors
  - Use the correct table and column names in SQL statements
- Read-only access to eDirectory

Novell eDirectory LDAP Compliance
- Novell LDAP SDKs fully implement the IETF drafts for the C interface (draft-ietf-ldapext-c-api-05.txt) and the Java interface (draft-ietf-ldapext-java-api-13.txt)
- eDirectory supports all LDAP version 3 required functionality: IETF RFCs 2247, 2251, 2252, 2253, 2254, 2255 and 2256
- eDirectory also supports most optional functionality

More About LDAP
- Users are given a "server view" vs. a "tree view"
- LDAP uses UTF-8 encoding of character strings, allowing strings of any language to be used in the API
- LDAP servers listen on two TCP/IP ports
  - 389—provides clear-text connections
  - 636—secure connections using SSL
- An LDAP bind (connection) is an eDirectory login
  - LDAP requires that individual users have passwords
  - No password is interpreted as an anonymous bind
- Specifies no file access mechanisms
- Novell eDirectory event mechanism coming soon
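The bind rules on this slide have a practical consequence for any application that forwards a user-typed password to the directory: a simple bind with an empty password is not a failed login but an anonymous bind, so the server answers "success" without having checked anything. The added example below, which is not code from the page or from Novell's SDKs, encodes an LDAPv3 BindRequest in BER exactly as it goes over port 389 (RFC 2251; port 636 carries the same message inside SSL) and refuses to build one with an empty password unless the caller explicitly asks for an anonymous bind. The DN and password are constructed.

```python
"""Build an LDAPv3 simple BindRequest in BER (RFC 2251) and refuse the empty
password that servers, eDirectory included, treat as an anonymous bind.
Added example, not from the page; the DN and password used are constructed."""


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear for >= 128."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def bind_kind(dn, password):
    """How a server interprets a simple bind.  The slide calls any bind without a
    password an anonymous bind; RFC 4513 distinguishes the two empty cases."""
    if not password:
        return "anonymous" if not dn else "unauthenticated"
    return "simple"


def bind_request(message_id, dn, password, allow_empty_password=False):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    An application that passes a user-typed empty password straight through
    would get a 'successful' anonymous bind instead of an authentication
    failure, so the empty string is rejected unless explicitly allowed."""
    if not password and not allow_empty_password:
        raise ValueError("empty password: bind would be anonymous, not a login")
    bind_op = tlv(0x60,                                  # [APPLICATION 0] BindRequest
                  ber_int(3)                             # version
                  + tlv(0x04, dn.encode("utf-8"))        # name: LDAPDN, UTF-8 per the slide
                  + tlv(0x80, password.encode("utf-8"))) # authentication: simple [0]
    return tlv(0x30, ber_int(message_id) + bind_op)      # LDAPMessage SEQUENCE


if __name__ == "__main__":
    # the 14-byte anonymous bind every LDAP client sends when no credentials are given
    print(bind_request(1, "", "", allow_empty_password=True).hex())
    print(bind_request(2, "cn=admin,o=acme", "correct horse").hex())
    for creds in (("", ""), ("cn=admin,o=acme", ""), ("cn=admin,o=acme", "x")):
        print(creds, "->", bind_kind(*creds))
```

The check belongs at the application boundary: the directory cannot tell a deliberate anonymous bind from a login form submitted with the password field blank, so the web tier has to reject the empty password before it ever reaches `bind_request`.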

Novell Extensions to LDAP
Novell LDAP extensions
- Partitions—split, join, get number of entries, abort operation
- Replicas—add, remove, change type, list on server, return information
- Replica synchronization—to a specified server, to all replicas, at a specified time
- Schema synchronization
- Get effective eDirectory rights for attributes
- Get DN of logged-in caller
- Restart the LDAP server

LDAP Class Libraries for Java
Now available on the Novell Developer Kit (NDK)
- Conforms to the IETF LDAP Java interface
- Socket, threads, queues, connection manager
- Referrals
- Schema management
- Security: SSL and SASL
- Extensions and controls
- Exposes additional classes and methods
(Diagram layers: ASN.1/BER, Protocol, Methods (APIs))

Benefits of LDAP Libraries for Java
- Classes and methods reflect the LDAP protocol
- Small footprint
- Easy to learn and use
- Synchronous and asynchronous interfaces
- Pure Java solution
- Extensions for eDirectory management
- Tuned and tested with eDirectory
- Works with other LDAP-aware directories
- SSL secured through Novell Security Technologies
- Open Source available on the OpenLDAP site

What is JNDI?
Java Naming and Directory Interface (JNDI)
- An addition to JavaSoft's enterprise API set
- Object-oriented look and feel
- Abstracted view: naming-system neutral, enabling many different service providers to be accessed via the same interface; promotes interaction between naming systems
- Provider issues tend to show through
  - Providers may or may not be pure Java
  - Platform support is provider-dependent
  - Providers tend to be vendor-specific

Use Novell LDAP Libraries for C
Use the Novell LDAP Libraries for C vs. other SDKs
- Extensions for eDirectory management
- Tuned and tested for eDirectory
- Works with other LDAP-aware directories
- Available on NetWare, Windows, UNIX
- Supported by Novell Worldwide Developer Support
- Internationalized and localized
- SSL-secured through Novell Security Technologies
(Diagram: the Novell LDAP Libraries for C leverage the Open Source LDAP Libraries for C)

Novell JDBC Driver for eDirectory
- Conforms to the JDBC specification
- Requires the JNDI LDAP service provider for eDirectory
- Supports standard SQL statements
- Abstracts the directory tree into accessible relational database tables
- Hides the complexity of the underlying directory syntax
- Provides "read only" access to eDirectory

Novell Controls for ActiveX
- Application Administration (NWAppA)
- Bindery (NWBind)
- Browser (NWBrowse)
- Catalog Administration (NWCatA)
- Client and Server Socket (NWCliSkt and NWSvrSkt)
- Directory (NWDir)
- Directory Administration (NWDirA)
- Directory Authenticator (NWDirAuth)
- Directory Query (NWDirQ)
- Internet Directory (NWIDir)
- Internet Directory Query (NWIDirQ)
- Internet Directory Entries (NWIDirE)
- NDPS Printer Administration (NWDPPrtA)
- Network Selector (NWSelect)
- Peer Socket (NWPrSkt)
- Print Queue Administration (NWPQA)
- Print Server Administration (NWPSA)
- SecretStore (NWSecStr)
- Server Administration (NWSrvA)
- Session Management (NWSess)
- User Group (NWUsrGrp)
- Volume Administration (NWVolA)

Beans for Novell eDirectory
eCommerce LDAP beans
- Components for integrating web applications with LDAP directories
- Enabling authentication
- Read/write directory access
- Contextless login
- SSL security
NDS bean
- Enables access to and manipulation of eDirectory entries
- Dependent upon the Novell class libraries for Java
- Requires the Novell Client

Scripting Options
Third-party scripting options
- Perl
- Python
- PHP
Visit LDAPZone for a complete list and options

Supercharge Your Web Applications with Novell eDirectory
Realize the benefit of using Novell eDirectory to personalize web server applications
- The objective of this seminar is to provide ideas and examples that will assist you in developing and deploying more powerful and flexible web-based applications

Why Tie Web Applications to Novell eDirectory?
- Enhance and strengthen business relationships by allowing secure access to information and applications
- Provide the ability to simply and securely provide access to personalized and sensitive information
  - This may be the difference between gaining or disappointing a customer or partner

Use Novell eDirectory to
- Store identity profiles
- Control data access
- Maintain customer identity relationships
- Manage user security
- Manage data at the network level
- Abstract service locations
- Increase throughput

HTTP is Stateless
To enable session tracking, utilize:
- Realms—the browser passes user and password with each request
- Hidden form fields—hidden input types that are not displayed when read by the browser
- Cookies—a keyed piece of data created by the server and stored by the client browser
- URL rewriting—the requested URL is modified to include a session ID
- Servlet HttpSession objects—enable name/value pairs to be stored per session

Use Novell eDirectory to Track Sessions
Take advantage of GUIDs*
- Identify who is accessing the site
- GUIDs eliminate the need to store personal data
- GUIDs are globally unique across all trees and servers
- eDirectory automatically creates a GUID for each new entry (an operational attribute); GUIDs do not change throughout the life of the object
- Administrators may want to create an index on GUID to enhance response time
*Globally Unique Identifiers
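When the GUID is handed to the browser as a cookie, as the slides describe, it becomes a bearer token: whoever presents it is personalized as that entry. Keying the cookie with a server-side MAC lets the server confirm it issued the value before looking the GUID up in the directory. This is an added example rather than code from the page or from the deployment it describes; the key and GUID below are constructed, and the cookie layout (hex GUID, a dot, the tag) is this example's own convention.

```python
"""Sign a GUID session cookie with an HMAC so a client cannot present another
entry's GUID and be personalised as that user.  Added example, not the page's
code; the key and GUID used here are constructed."""
import hashlib
import hmac

GUID_HEX_LEN = 32   # eDirectory's GUID attribute is a 16-byte value; carried as hex


def make_cookie(guid_hex: str, key: bytes) -> str:
    """Cookie value: the GUID plus an HMAC-SHA256 tag computed with the server key.
    The cookie still carries no personal data, only the opaque GUID the slide recommends."""
    if len(guid_hex) != GUID_HEX_LEN:
        raise ValueError("expected a 16-byte GUID in hex")
    tag = hmac.new(key, guid_hex.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{guid_hex}.{tag}"


def read_cookie(cookie: str, key: bytes):
    """Return the GUID if the tag verifies, else None.  The server then searches
    the (indexed) GUID attribute for the entry; a forged or altered GUID never
    reaches the directory.  compare_digest keeps the comparison constant-time."""
    guid_hex, sep, tag = cookie.rpartition(".")
    if not sep or len(guid_hex) != GUID_HEX_LEN:
        return None
    expected = hmac.new(key, guid_hex.encode("ascii"), hashlib.sha256).hexdigest()
    return guid_hex if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    key = b"constructed-server-side-key-rotate-me"   # constructed; keep per-site, never in the cookie
    guid = "0123456789abcdef0123456789abcdef"       # constructed GUID, not a real entry
    cookie = make_cookie(guid, key)
    print("issued:", cookie)
    print("verified:", read_cookie(cookie, key))
    forged = "ffffffffffffffff0123456789abcdef." + cookie.split(".")[1]
    print("forged GUID accepted?", read_cookie(forged, key) is not None)
```

The tag only proves origin; rotating the key invalidates every outstanding cookie, which is the expected way to force re-identification across the whole site.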

Use Novell eDirectory to Personalize the User Experience
Case example (CNN)
- Provides worldwide news, sports, financial data and other information
- Customized and personalized advertising and content using the GUID as a cookie
- Customization is transparent to the user

CNN eDirectory Architecture (diagram)
- CNN web farm: Netscape web servers on Solaris acting as LDAP clients; HTTP to browsers, cookie-based personalization and ad injection
- Load directory servers: eDirectory on NetWare 5; Compaq 6400R, 2 GB RAM / 72 GB RAID, Intel Pro/100 Server Adapter
- Internal firewall
- Development servers: eDirectory on NetWare and Solaris; Compaq 1850R, 2 GB RAM / 72 GB RAID, Intel Pro/100 Server Adapter; Sun SPARC U60 running Solaris 2.6
- Staging server: eDirectory on NetWare 5; Compaq 1850R, 2 GB RAM / 72 GB RAID, Intel Pro/100 Server Adapter

Tune Your Application and eDirectory to Achieve High Throughput
- Filter the scope of data searches
- Create well-formed schema extensions
- Tune eDirectory
  - Tune memory/cache
  - Use proper tree design
  - Co-locate servers
- The distributed nature of eDirectory gives better throughput
  - Utilize filtered replicas
  - Index on critical attributes

Directory Services and Databases
Let's look at the strengths and weaknesses of both
- When are they exclusive of each other?
- When do they complement each other?
- The whys and wherefores

Directory Services and Databases (cont.)
Directory service strengths
- Fast on the read
- Distributed
- Object-oriented
- Hierarchical
- Standardized schema
- Replication
- Attributes can be multi-valued
Relational database strengths
- Designed to handle transactions
- Schema tuned for exact application needs
- Can be modeled to handle very complex needs
- Data integrity built in
- Management of data failures

When to Use What?
Each has its own best use
Directories are used most often for
- Authentication
- Authorization
- Personalization
RDBMSs are used most often for
- Transaction processing
- Highly volatile data
- Very complex data requirements
Examples of each usage

Making the Choice…
- Frequency of data modifications
- Primary data requirements
- Security
- Flexibility
- Model the data needs
- Determine transactional requirements

What Is So Important About Schema?
- It sets some structure
- Provides a framework
- Identifies syntax
- Schema = data dictionary

Schema components (rules for) | Directory components
Tree structure rules          | Directory tree
Object classes                | Objects
Attribute types               | Attributes
Attribute syntaxes            | Values

What Is in the Schema?
- Object classes
- Attribute types
- Syntaxes
- Matching rules
- Naming and containment rules
- Tree structure rules

Schema components (rules for) | Directory components
Tree structure rules          | Directory tree
Object classes                | Objects
Attribute types               | Attributes
Attribute syntaxes            | Values

eDirectory Has an Extensible Schema
You can extend the schema; you do not change the schema
- Create new classes
- Add optional attributes
- Use auxiliary classes
- Delete non-base classes that do not have any object instantiated
- Delete attributes that are not used in any classes
Schema extensions do not impact directory performance

Extension Options
You can make extensions programmatically or by using an LDIF file with the ldapmodify utility
- Programmatically
  - Easier to control
  - Not as many files
- LDIF
  - No need to recompile changes
  - Easy to run multiple times

New Schema Recommendations
- Determine the exact purpose of new classes and attributes
- Don't define anything for "future use"
- Remember to include the domain containment
- Understand any flags you use
- Use auxiliary classes whenever possible
  - Don't add new attributes to existing classes if possible
- Reuse/extend existing schema definitions
  - If small, change to an existing definition
- Add your attributes first, then your classes

Syntaxes
- Define what your data looks like
- Not extensible
- eDirectory supports LDAP equivalents of eDirectory syntaxes
Recommendations
- For readability, limit use of octet string

Matching Rules
- Equality—defines how two values are compared, e.g., caseIgnoreMatch
- Ordering—used to determine if a value is greater or less than another value
- SUBSTR—defines the way substring matches work

Attribute Types
An attribute type is a string value containing various fields
What makes up an attribute
- ASN.1 id—the OID acts as a unique identifier
- Human-readable name
- A description
- Matching rules
- Syntax
- Flags, e.g., whether the attribute is single-valued

Attribute Type Example

( NAME 'telephone number' DESC 'Standard Attribute' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringMatch SYNTAX {32} )

( NAME 'preferredDeliveryMethod' SYNTAX SINGLE-VALUE )

Attribute Types
MUST—mandatory attributes
- In LDAP these are referred to as MUST
- When you create an object of this type, you must populate these attributes
- Cannot add MUST attributes once objects are created from the object class
MAY—optional attributes
- In LDAP these are referred to as MAY
- eDirectory does not store these attributes with an object unless they have a value
- You can add more optional attributes to a class after the class is created

LDAP Attribute Options
- NO-USER-MODIFICATION—equivalent to non-removable in eDirectory
- SINGLE-VALUE—the default is multi-valued
- Upper bound—specified after the syntax within { }

Operational Attributes
Standard
- modifyTimeStamp
- createTimeStamp
- modifiersName
- creatorsName
- subschemaSubEntry
eDirectory-specific
- structuralObjectClass (baseClass)
- subordinateCount
- entryFlags

Object Class Types
- Structural (default)—used to create entries
- Abstract—building-block class used for sub-classing
- Auxiliary—used to add attributes to existing entries
If the type is not specified, the default is structural

Object Class Definition
- ASN.1 id—Object ID (OID)
- Human-readable name
- List of superior object classes
- Identifier
- List of required (MUST) attributes
- List of optional (MAY) attributes

Example of Object Class Definition

( NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
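The attribute-type and object-class definitions shown on the two example slides share one textual grammar (RFC 2252's, extended by the X-NDS options described later in the deck). The added parser below, which is not Novell's code, reads that grammar into a dictionary: it handles the OID that the slide examples leave out, the upper bound written as `{32}`, quoted names with spaces, `$`-separated MUST/MAY lists, the STRUCTURAL/ABSTRACT/AUXILIARY kind and any `X-` option. The definitions used in the self-test are the RFC 2256 ones for telephoneNumber (OID 2.5.4.20) and person (OID 2.5.6.6); the aux class with OID 1.3.6.1.4.1.99999.2.1 is a constructed placeholder.

```python
"""Parse LDAPv3 schema definitions of the form shown on the attribute-type and
object-class slides (RFC 2252 syntax plus eDirectory's X-NDS options).
Added example, not Novell's schema tooling."""
import re

_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
FLAGS = {"SINGLE-VALUE", "NO-USER-MODIFICATION", "OBSOLETE", "COLLECTIVE"}
KINDS = {"STRUCTURAL", "ABSTRACT", "AUXILIARY"}
LISTS = {"NAME", "SUP", "MUST", "MAY"}            # one token or ( a $ b )
SINGLES = {"DESC", "EQUALITY", "ORDERING", "SUBSTR", "USAGE"}
KEYWORDS = FLAGS | KINDS | LISTS | SINGLES | {"SYNTAX"}


def tokenize(defn):
    # slide decks tend to carry typographic quotes; normalise them first
    return _TOKEN.findall(defn.replace("\u2018", "'").replace("\u2019", "'"))


def _is_keyword(tok):
    up = tok.upper()
    return up in KEYWORDS or up.startswith("X-")


def _value(toks, i):
    """Read one value at toks[i]: a parenthesised '$'-separated list or a single token."""
    if toks[i] == "(":
        vals, i = [], i + 1
        while toks[i] != ")":
            if toks[i] != "$":
                vals.append(toks[i].strip("'"))
            i += 1
        return vals, i + 1
    return [toks[i].strip("'")], i + 1


def parse_definition(defn):
    """Return a dict with oid, name, kind, flags, must/may, syntax, upper_bound, x (X- options)."""
    toks = tokenize(defn)
    if len(toks) < 2 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be enclosed in parentheses")
    d = {"oid": None, "kind": None, "flags": set(), "x": {},
         "syntax": None, "upper_bound": None}
    i = 1
    if not _is_keyword(toks[i]):              # the slide examples omit the OID
        d["oid"], i = toks[i], i + 1
    while i < len(toks) - 1:
        key, i = toks[i].upper(), i + 1       # 'Structural' on the slide == STRUCTURAL
        if key in KINDS:
            d["kind"] = key
        elif key in FLAGS:
            d["flags"].add(key)
        elif key in LISTS:
            d[key.lower()], i = _value(toks, i)
        elif key == "SYNTAX":
            vals, i = _value(toks, i)
            m = re.fullmatch(r"([\d.]*)(?:\{(\d+)\})?", vals[0])   # oid{bound}
            if m:
                d["syntax"] = m.group(1) or None
                d["upper_bound"] = int(m.group(2)) if m.group(2) else None
            else:
                d["syntax"] = vals[0]
            if i < len(toks) - 1 and toks[i].startswith("{"):   # bound as its own token
                d["upper_bound"], i = int(toks[i].strip("{}")), i + 1
        elif key.startswith("X-"):
            d["x"][key], i = _value(toks, i)
        elif key in SINGLES:
            vals, i = _value(toks, i)
            d[key.lower()] = vals[0]
        else:
            raise ValueError("unexpected token %r" % key)
    return d


if __name__ == "__main__":
    for text in (
        "( 2.5.4.20 NAME 'telephoneNumber' EQUALITY telephoneNumberMatch "
        "SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )",
        "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
        "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
        # constructed aux class under a placeholder OID arc
        "( 1.3.6.1.4.1.99999.2.1 NAME 'myappBadgeHolder' AUXILIARY MAY ( myappBadgeColor ) "
        "X-NDS_NAME 'MYAPP:Badge Holder' X-NDS_NAMING ( 'cn' 'uid' ) )",
    ):
        print(parse_definition(text))
```

The same parser accepts the slide's own `( NAME 'telephone number' ... SYNTAX {32} )` form, returning no OID and no syntax OID but an upper bound of 32, which makes it a convenient first check on hand-written LDIF before it is fed to ldapmodify.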

Defining a New Object Class
SUP = inheritance
- This is the class you inherit from
- Your class automatically gets attributes from the parent, as well as any additional ones that you specify
- Multiple levels of inheritance are possible
- You can add superclasses starting in eDirectory 8.5

Naming
- The naming list specifies which attributes can be used to name the object
- Naming can be specified in LDAP with the X-NDS_NAMING option
- The naming attribute can be multi-valued
- Complete control over how to name and access the object
- Defaults (if not supplied)
  - Inherit from the superclass definition if possible
  - The combination of all string attributes in the MUST and MAY lists

Naming (cont.)
Registered prefixes
- Provide uniqueness
- Distinguish your extensions
- Available from Novell
LDAP mappings
- Provide LDAP accessibility to eDirectory schema
- Automatic from eDirectory on, as long as you use valid LDAP names
- Can be set for non-compatible names

Containment
- Containment identifies the other object types which can contain this class
- Note that this is not the container flag
- If a class is a container, it can be defined to be able to contain itself
- Containment is now modifiable in eDirectory 8.5
  - You can add containment

Containment (cont.)
- Containment can be specified in LDAP with the X-NDS_CONTAINMENT option
- The defaults if not supplied are
  - Inherit from the superclass definition, if possible
  - “C”, “L”, “O”, “OU”, and “domain”
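An added example, not from the deck, that parses objectClasses definitions of the shape shown above and resolves a class's effective MUST/MAY lists, naming and containment through the SUP chain, applying the defaults the deck states. The sample schema text, the function names and the assumption that every attribute is string-syntax are my own.

```python
import re
# Constructed sample modelled on the deck's person definition and its ICE schema output
# (MAY lists trimmed); the OIDs are the standard X.500 ones for these classes.
SAMPLE_SCHEMA = """\
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' STRUCTURAL MUST objectClass X-NDS_NAME 'Top' X-NDS_NONREMOVABLE '1' )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( facsimileTelephoneNumber $ l $ ou $ title ) X-NDS_NAMING ( 'cn' 'ou' 'uid' ) X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain' ) X-NDS_NAME 'Organizational Person' X-NDS_NOT_CONTAINER '1' )
"""
DEFAULT_CONTAINMENT = ["C", "L", "O", "OU", "domain"]   # the deck's stated default
KEYWORDS = {"SUP": "sup", "MUST": "must", "MAY": "may", "X-NDS_NAMING": "naming", "X-NDS_CONTAINMENT": "containment"}

def _names(text):
    """Split '( sn $ cn )', "( 'cn' 'uid' )" or a bare token into a list of names."""
    return [t.strip("'") for t in re.split(r"[\s$]+", text.strip("() ")) if t]

def parse_class(defn):
    """Parse one objectClasses value; options the definition omits stay None for defaulting."""
    oid, rest = defn.strip()[1:-1].split(None, 1)          # drop the outer parentheses
    cls = {"oid": oid, "sup": [], "must": [], "may": [], "naming": None, "containment": None}
    cls["name"] = _names(re.search(r"(?<![\w-])NAME\s+(\([^)]*\)|'[^']*')", rest).group(1))[0]
    for key, field in KEYWORDS.items():
        m = re.search(r"(?<![\w-])" + re.escape(key) + r"\s+(\([^)]*\)|\S+)", rest)
        if m:
            cls[field] = _names(m.group(1))
    return cls

def load_schema(ldif_text):
    """Index every objectClasses: line of an LDIF schema dump by class name."""
    classes = [parse_class(ln.split(":", 1)[1]) for ln in ldif_text.splitlines() if ln.startswith("objectClasses:")]
    return {c["name"]: c for c in classes}

def _inherit(classes, name):
    """Walk SUP upwards: MUST/MAY accumulate; naming and containment come from the nearest class that sets them."""
    cls = classes[name]
    out = {"must": list(cls["must"]), "may": list(cls["may"]), "naming": cls["naming"], "containment": cls["containment"]}
    for sup in cls["sup"]:
        parent = _inherit(classes, sup)
        for f in ("must", "may"):
            out[f] += [a for a in parent[f] if a not in out[f]]
        out["naming"] = out["naming"] or parent["naming"]
        out["containment"] = out["containment"] or parent["containment"]
    return out

def effective(classes, name):
    """Apply the deck's defaults where nothing up the SUP chain sets naming or containment."""
    out = _inherit(classes, name)
    out["naming"] = out["naming"] or out["must"] + out["may"]   # assumes all attributes are string-syntax
    out["containment"] = out["containment"] or list(DEFAULT_CONTAINMENT)
    return out
```

Running effective(load_schema(SAMPLE_SCHEMA), "person") shows the inherited objectClass MUST and the default containment list, while organizationalPerson keeps its explicit X-NDS_NAMING and X-NDS_CONTAINMENT.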

Auxiliary Classes
- Auxiliary (or aux) classes are a collection of attributes
- Aux classes are applied at the object level
- Only the objects that need the attributes have them
- Doesn't change the object class definition

Using Auxiliary Classes
- Two steps
  - Modify the objectClass of an existing object to include the aux class name
  - Write values to the attributes as you would any other attributes for that class
- Easy to remove
  - Delete the aux class name from the objectClass attribute
- Note—auxiliary classes are available from eDirectory 8 and beyond

X-NDS Class Options
- The changes you can make to class definitions using the X-NDS options are
  - Flags: X-NDS_NOT_CONTAINER, X-NDS_NONREMOVABLE
  - Containment: X-NDS_CONTAINMENT
  - Naming: X-NDS_NAMING
  - Mapping: X-NDS_NAME
- All X-NDS options have default values

X-NDS Attribute Options
- Most attribute options are flags
  - X-NDS_PUBLIC_READ
  - X-NDS_SERVER_READ
  - X-NDS_NEVER_SYNC (NDS per-replica flag)
  - X-NDS_NOT_SCHED_SYNC_IMMEDIATE
  - X-NDS_SCHED_SYNC_NEVER
  - X-NDS_NAME_VALUE_ACCESS (NDS write-managed flag)
- One other attribute option
  - X-NDS_LOWER_BOUND

Schema Naming Recommendations
- LDAP schema name valid character set
  - Alphanumeric and dash
  - First character must be alpha
  - Nothing else
- Name format
  - Lowercase prefix, followed by capitalized words
  - Old—“MYAPP:New Attribute Name”
  - New—“myappNewAttributeName”
  - Don't use delimiter characters

Schema Naming Recommendations
- If you follow the naming rules, LDAP mappings for the names are not needed
- If you haven't followed the rules in the past (or don't in future), then mappings are needed to access those schema items via LDAP
- What are mappings, anyway?
  - The eDirectory name “Object Class” is mapped to the LDAP name objectClass
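Added example (not part of the deck) that applies these naming rules: it checks a proposed LDAP schema name, converts an old-style eDirectory name to the recommended form, and emits the attributetypes LDIF with an X-NDS_NAME mapping only when the original name is not LDAP-compatible. OID_PLACEHOLDER and the function names are assumptions; the Directory String syntax OID is the standard one.

```python
import re

# LDAP schema name rules from the deck: alphanumerics and dash only, first character alpha.
LDAP_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Placeholder, not a real value: substitute an OID allocated under your registered sub-arc.
OID_PLACEHOLDER = "<your-allocated-OID>"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"   # standard LDAP Directory String syntax OID


def is_valid_ldap_name(name):
    """True if the name is usable as an LDAP schema name without an X-NDS_NAME mapping."""
    return LDAP_NAME.match(name) is not None


def to_ldap_name(old_name):
    """Turn an old-style eDirectory name ('MYAPP:New Attribute Name') into the recommended
    lowercase-prefix-plus-capitalised-words form ('myappNewAttributeName')."""
    prefix, sep, rest = old_name.partition(":")
    if not sep:                      # no prefix delimiter: treat the whole name as words
        prefix, rest = "", old_name
    words = [w for w in re.split(r"[^A-Za-z0-9]+", rest) if w]
    camel = "".join(w[:1].upper() + w[1:] for w in words)
    return prefix.lower() + camel if prefix else camel[:1].lower() + camel[1:]


def attribute_ldif(old_name, single_value=False):
    """Build the LDIF that defines the attribute under its LDAP name.  When the eDirectory
    name breaks the rules, an X-NDS_NAME mapping back to that name is included; otherwise
    the name is usable directly and no mapping is emitted."""
    ldap_name = old_name if is_valid_ldap_name(old_name) else to_ldap_name(old_name)
    parts = [OID_PLACEHOLDER, f"NAME '{ldap_name}'", f"SYNTAX {DIRECTORY_STRING}"]
    if single_value:
        parts.append("SINGLE-VALUE")
    if ldap_name != old_name:
        parts.append(f"X-NDS_NAME '{old_name}'")
    return "\n".join([
        "dn: cn=schema",
        "changetype: modify",
        "add: attributetypes",
        "attributetypes: ( " + " ".join(parts) + " )",
    ])
```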

Schema Available Definitions
- LDAP ships with a subset of inetOrgPerson mapped to the eDirectory User class
- Schema extensions are available for…
  - Full inetOrgPerson mapped to eDirectory User
  - Full inetOrgPerson
  - residentialPerson
  - newPilotPerson

ASN.1 OIDs and Prefixes
- What is an OID?
  - Novell's base OID: joint-iso-ccitt(2) country(16) us(840) organization(1) Novell(113719)
- LDAP allows access via the OID
- Be sure to have OIDs for your application
- How do you use your allocated sub-arc?
  - The OID is built from your assigned sub-arc value, the sequence number you assign, and the version number you assign
- Find out more about OIDs

ASN.1 OID Registration Sites
- Find out more about OIDs
- Sites to obtain OIDs
  - Novell Developer Support: developer.novell.com/
    - Will allocate and register a schema prefix for you, and optionally allocate an OID sub-arc for you
  - Internet Assigned Numbers Authority (IANA)

Sample Schema Output
#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1
dn: cn=schema
changetype: add
ldapSyntaxes: ( X-NDS_SYNTAX '9' )
ldapSyntaxes: ( X-NDS_SYNTAX '9' )
ldapSyntaxes: ( X-NDS_SYNTAX '6' )
objectClass: top
objectClass: subschema
objectClasses: ( NAME 'top' DESC 'Standard ObjectClass' STRUCTURAL MUST objectClass MAY (cAPublicKey $ CAPrivateKey $ certificateValidityInterval $ authorityRevocation $ lastReferencedTime $ equivalentToMe $ ACL $ backLink $ binderyProperty $ Obituary $ Reference $ revision $ certificateRevocation $ usedBy $ GUID $ otherGUID $ DirXML-Associations $ creatorsName $ modifiersName $ unknownBaseClass $ unknownAuxiliaryClass $ auditFileLink $ masvProposedLabel $ masvDefaultRange $ masvAuthorizedRange ) X-NDS_NAME 'Top' X-NDS_NONREMOVABLE '1' )
objectClasses: ( NAME 'organizationalPerson' DESC 'Standard ObjectClass' SUP person STRUCTURAL MAY (facsimileTelephoneNumber $ l $ Address $ ou $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ st $ street $ title $ mailboxLocation $ mailboxID $ uid $ mail $ employeeNumber $ destinationIndicator $ internationaliSDNNumber $ preferredDeliveryMethod $ registeredAddress $ teletexTerminalIdentifier $ telexNumber $ x121Address $ businessCategory $ roomNumber $ x500UniqueIdentifier ) X-NDS_NAMING ('cn' 'ou' 'uid' ) X-NDS_CONTAINMENT ('organization' 'organizationalUnit' 'domain' ) X-NDS_NAME 'Organizational Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )
attributeTypes: ( NAME 'createTimeStamp' DESC 'Operational Attribute' SINGLE-VALUE NO-USER-MODIFICATION SYNTAX )
attributeTypes: ( NAME ( 'cn' 'commonName' ) DESC 'Standard Attribute' SYNTAX {64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1')

Sample LDIF
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( NAME 'aspenCourseName' DESC 'The name of the course' SYNTAX SINGLE-VALUE )
- If not present, this creates “testAttr1”, then adds a mapping to the just-created or existing “Test Attr 1” attribute

LDIF File Example—inetOrgPerson
# Full definition of the standard inetOrgPerson
# as a separate class
version: 1
# Delete the existing class mapping "inetOrgPerson ==> User" class to allow "inetOrgPerson ==> inetOrgPerson".
dn: cn=schema
changetype: modify
delete: objectclasses
objectclasses: ( NAME 'inetOrgPerson' X-NDS_NAME 'User')

# Add the inetOrgPerson object class - 17
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( NAME 'inetOrgPerson' SUP organizationalPerson MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail $ manager $ mobile $ pager $ ldapPhoto $ preferredLanguage $ roomNumber $ secretary $ uid $ userCertificate $ userSMIMECertificate $ x500UniqueIdentifier $ displayName ) X-NDS_CONTAINMENT ( 'country' 'locality' 'organizationalUnit' 'organization' 'domain' ) X-NDS_NAMING ( 'cn' 'uid' 'givenName' 'mail' 'sn' ) )

Schema Changes in eDirectory 8.5
- Some attributes made public-read, some made multi-valued
- New classes defined—domain and ndsLoginProperties
- Syntax changed on existing attributes
- Several classes changed to be containers
- Some changed to be effective, or added domain containment
- O and OU added ndsLoginProperties
- Device class now effective
- Operational attributes
  - creatorsName
  - modifiersName
  - modifyTimeStamp
  - createTimeStamp

Schema Changes in eDirectory 8.6
- Unlimited LDAP schema name size—up to 63K long (was previously 64 characters)
- Ability to have more than 63K total worth of schema name mappings (depending on the size of the names, this was previously limited to fewer than 2000 mappings)
- Ability to save and retrieve the description field from a schema definition
- New schema definitions for dynamic groups and for persistent search

Schema Changes in eDirectory 8.7

Informational Draft LDAP Schema for eDirectory document

The Novell Import Convert Export Tool
- Features
  - Client/server (remote) architecture
  - LDIF import
  - LDIF export
  - Data migration between LDAP servers
  - Efficient
- Availability
  - Included with the eDirectory 8.5 ConsoleOne® snap-in
  - Included in the Novell Developer Kit (NDK) in C Libraries for LDAP (command line only, developer use)

Architecture

ICE Engine
- Orchestrates the interaction between source and destination handlers
- Provides a logging facility
- Provides an “error LDIF logging” facility
  - Writes all records that fail to an output file in LDIF format
  - Used to help debug import or export sessions
  - Can aid in dealing with “rogue” records

Currently Available Handlers
- Source handlers
  - LDIF: reads in an LDIF data file
  - LDAP: performs searches and retrieves LDAP data
- Destination handlers
  - LDIF: writes to an LDIF data file
  - LDAP: writes to an LDAP server
    - Supports LBURP (up to 10 times faster adds), forward references, hashed passwords, and more

What Handlers Are Coming in the Future?
- Source handlers
  - DELIM: reads in data from a delimited file
  - DirLoad: generates data from a template and data files, for creating test trees and environments
  - ECM: generates an LDAP record from an LDAP search; for example, you can create a group from all users that are from Provo (L: Provo)
  - SCH: reads in data from a SCH file (SCH files are legacy NDS schema data files)

What Handlers Are Coming in the Future? (cont.)
- Destination handlers
  - DELIM: writes to a delimited data file

Novell eDirectory Development Options
- Broad range of SDKs available
- Pick the appropriate SDK based on
  - Information needed from Novell eDirectory
    - Are you looking for data from eDirectory, or to manage the directory itself?
  - Operations you want to perform on eDirectory
  - Your preferred programming language
  - Protocol preference
    - LDAP
    - NDAP
    - HTTP

Novell LDAP Developer’s Guide

To Learn More About LDAP
- Novell LDAP Developer Guide
- Novell NDS Developer Guide
- DeveloperNet® University

The LDAP Community
- IETF LDAP discussions and proposals
- IETF announcement list
  - subj: subscribe
  - body: subscribe
- IETF general discussion list
  - subj: subscribe
  - body: subscribe