LDAP/TIO implementations -2- Overview of TIO-index implementations Henny Bekker The DAG, GIDS and Desire TIO/LDAP index servers.

LDAP/TIO implementations -3- Agenda
Overview of TIO-index implementations
General overview of LDAP/TIO indexes
–What are TIO indexes
–The generic model
Some specific implementations
–The generic Desire TIO index server
–The Ericsson DAG server
–The GIDS server
Open issues
–The scope and communication between LDAP/TIO index servers
  –Exchanging TIOs
–Local access policy
  –Access restrictions
  –Security requirements
–Scenarios

LDAP/TIO implementations -4- Tagged Index Objects
General overview of LDAP/TIO indexes
A TIO consists of:
Meta information, such as
–A MIME header defining the object
–An object type identifier that uniquely identifies the subtree and scope
–One or more URIs that form the base of the referrals generated from the index
–The security options and credentials, such as a PGP or S/MIME key
–The update type, indicating the type of TIO (e.g. full or incremental)
The payload
–The tokenization type headers (e.g. FULL, TOKEN, RFC822), indicating which information is tokenized and which delimiters are used
–The tag list, containing multiple consecutive tags, which may be grouped as ranges using a dash

LDAP/TIO implementations -5- Tagged Index Objects (example)
General overview of LDAP/TIO indexes
    Content-Type: application/index.obj.tagged; dsi=" "; base-uri="weetmuts.surfnet.nl:389/o=SURFnet, c=NL"
    Content-Length: 6219
    version: x-tagged-index-1
    updatetype: total
    thisupdate:
    BEGIN IO-Schema
    sn: FULL
    cn: FULL
    o: TOKEN
    END IO-Schema
    BEGIN Index-Info
    sn: 22/Arends
        6/Bezemer
        4/Bos
        8/Neggers
        ...
        2-3,5-9,11,14-15,18-19/
    o: 1/SURFnet
    END Index-Info

LDAP/TIO implementations -6- Tagged Index Objects (cont.)
General overview of LDAP/TIO indexes
What is it used for:
Providing pointers to the servers which most likely contain the requested information
–The number of false hits depends on the choice of attribute tokenization types: a TOKEN attribute matches on any single word, so a multi-word query can be satisfied by words taken from different entries of the same server
–Whether phrase searches are possible depends on the tokenization of the fields
Features a full or incremental update (the incremental form potentially uses less bandwidth)

LDAP/TIO implementations -7- The generic model
General overview of LDAP/TIO indexes
A TIO interface
–For importing, deleting and in some cases exporting TIOs from the index
–Implementing authentication control (a TIO accepted from an unauthenticated sender would let that sender decide where queries are referred)
A TIO searchable index
–For searching the index for referrals to other information services
–Accessible through the TIO query interface
The LDAP query interface
–Containing an LDAP gateway to the query interface of the TIO index
–Can act as an LDAPv2 chaining server or as an LDAPv3 referral server (LDAPv2 has no referral mechanism, so the index must chain the query to the referred server itself; LDAPv3 can hand the client a referral URI)
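The following is an added example written for this page, not code from the Desire, DAG or GIDS servers. It parses a TIO in the x-tagged-index-1 format of slides 4 and 5 (header, IO-Schema and Index-Info blocks, tag lists such as 2-3,5-9,11) and resolves an LDAP equality query against a set of TIOs the way the generic model of slide 7 does: per-attribute tokenization from the IO-Schema, a hit per server whose index tokens match, and an LDAP URL as the referral. Only updatetype total is handled. The two TIOs are constructed for the example; the dsi and thisupdate values, the ldap:// scheme on base-uri, the value on the multi-tag sn line and the second (German) server are assumptions, not values from the slides.

```python
"""Parse x-tagged-index-1 TIOs and resolve an (attr=value) query to referrals.

Added example, not Desire/DAG/GIDS code.  Handles updatetype 'total' only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed sample modelled on the slide-5 object; dsi, thisupdate, the ldap://
# scheme and the value 'Jansen' on the multi-tag line are assumptions.
TIO_SURFNET = """\
Content-Type: application/index.obj.tagged; dsi="example-dsi-nl"; base-uri="ldap://weetmuts.surfnet.nl:389/o=SURFnet,c=NL"
version: x-tagged-index-1
updatetype: total
thisupdate: 20000301120000Z
BEGIN IO-Schema
sn: FULL
cn: FULL
o: TOKEN
END IO-Schema
BEGIN Index-Info
sn: 22/Arends
sn: 6/Bezemer
sn: 4/Bos
sn: 8/Neggers
sn: 2-3,5-9,11,14-15,18-19/Jansen
o: 1-22/SURFnet
END Index-Info
"""

# Second constructed server (assumed), with cn tokenised per word instead of FULL.
TIO_EXAMPLE = """\
Content-Type: application/index.obj.tagged; dsi="example-dsi-de"; base-uri="ldap://ldap.example.de:389/o=Example,c=DE"
version: x-tagged-index-1
updatetype: total
thisupdate: 20000301120000Z
BEGIN IO-Schema
sn: FULL
cn: TOKEN
o: TOKEN
END IO-Schema
BEGIN Index-Info
sn: 1/Bos
sn: 2/Mueller
cn: 1/Jan
cn: 1/Bos
cn: 2/Anna
cn: 2/Mueller
o: 1-2/Example
END Index-Info
"""


def expand_taglist(taglist: str) -> frozenset[int]:
    """Expand the Index-Info tag list syntax: '2-3,5-9,11' -> {2,3,5,6,7,8,9,11}."""
    tags: set[int] = set()
    for part in taglist.split(","):
        lo, _, hi = part.strip().partition("-")
        tags.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(tags)


@dataclass
class TIO:
    dsi: str
    base_uri: str
    updatetype: str
    schema: dict[str, str]                                # attribute -> tokenisation type
    entries: dict[str, list[tuple[frozenset[int], str]]]  # attribute -> [(tags, token)]


def parse_tio(text: str) -> TIO:
    """Parse the header, IO-Schema and Index-Info blocks; reject anything malformed."""
    headers: dict[str, str] = {}
    schema: dict[str, str] = {}
    entries: dict[str, list[tuple[frozenset[int], str]]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BEGIN "):
            section = line[len("BEGIN "):]
            continue
        if line.startswith("END "):
            if line[len("END "):] != section:
                raise ValueError(f"mismatched {line!r}")
            section = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        key, value = key.strip().lower(), value.strip()
        if section is None:
            headers[key] = value
        elif section == "IO-Schema":
            schema[key] = value.upper()
        elif section == "Index-Info":
            taglist, sep, token = value.partition("/")   # '<taglist>/<token>'
            if not sep:
                raise ValueError(f"malformed index line {line!r}")
            entries.setdefault(key, []).append((expand_taglist(taglist), token))
        else:
            raise ValueError(f"unknown section {section!r}")
    if section is not None:
        raise ValueError(f"unterminated section {section!r}")
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/index.obj.tagged"):
        raise ValueError("not a tagged index object")
    if headers.get("version") != "x-tagged-index-1":
        raise ValueError("unsupported TIO version")
    if headers.get("updatetype") != "total":
        raise ValueError("only total updates are handled in this example")
    params = dict(re.findall(r'([\w-]+)\s*=\s*"([^"]*)"', ctype))
    return TIO(params["dsi"], params["base-uri"], headers["updatetype"], schema, entries)


def tokenise(value: str, toktype: str) -> list[str]:
    """Apply an IO-Schema tokenisation type to a query value:
    FULL = the whole value is one token, TOKEN = every whitespace-separated word is one."""
    value = value.casefold()
    if toktype == "FULL":
        return [value]
    if toktype == "TOKEN":
        return value.split()
    raise ValueError(f"tokenisation type {toktype!r} not handled here")


def search(index: list[TIO], attr: str, value: str) -> dict[str, frozenset[int]]:
    """Resolve (attr=value) against every TIO; returns base-uri -> tags that matched.
    A hit only means the server probably holds the entry: with TOKEN attributes each
    word of the query matches independently, so 'Jan Mueller' is satisfied by tokens
    from two different entries (the false hits of slide 6)."""
    attr = attr.lower()
    hits: dict[str, frozenset[int]] = {}
    for tio in index:
        toktype = tio.schema.get(attr)
        if toktype is None:
            continue                      # attribute not indexed by this server: no pointer
        wanted = set(tokenise(value, toktype))
        tags: set[int] = set()
        for taglist, token in tio.entries.get(attr, []):
            if token.casefold() in wanted:
                tags |= taglist
        if tags:
            hits[tio.base_uri] = frozenset(tags)
    return hits


def referral_url(base_uri: str, attr: str, value: str) -> str:
    """Build the LDAP URL handed back as an LDAPv3 referral.  The assertion value is
    escaped per RFC 4515 before URL-encoding so a query cannot inject filter syntax."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)
    return f"{base_uri}??sub?{quote(f'({attr}={escaped})', safe='()=')}"


if __name__ == "__main__":
    index = [parse_tio(TIO_SURFNET), parse_tio(TIO_EXAMPLE)]
    for attr, value in (("sn", "Bos"), ("cn", "Jan Mueller"), ("o", "SURFnet Nederland")):
        for base_uri, tags in search(index, attr, value).items():
            print(f"({attr}={value}) -> {referral_url(base_uri, attr, value)} tags={sorted(tags)}")
```

The cn query shows why tokenization matters: the German TIO indexes cn per word, so "Jan Mueller" hits tags 1 and 2 even though neither entry has that cn, while the SURFnet TIO (cn: FULL) gives no pointer at all. A TIO index of this kind is an authorization boundary as well as a lookup: whoever is allowed to push a TIO chooses the base-uri that queries get referred to, which is the reason the TIO interface of slide 7 needs authentication control.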

LDAP/TIO implementations -8- The generic Desire TIO index server
Some specific implementations
Sponsored by the European Community and built by SURFnet and DFN in cooperation with Dante.
The server consists of:
–The TIO index server
  –Using the MySQL database engine for storing and searching the TIOs
  –Containing a TIO push/pull interface and a database for storing TIOs
  –An HTTP frontend for direct access to the TIO index server by the NPS
–A Native Protocol Server (NPS) for access using the LDAP protocol
  –For connecting clients using specific communication protocols such as LDAPv2, LDAPv3 or WhoIS++
  –For connecting directory servers using specific communication protocols such as LDAPv2, LDAPv3 or WhoIS++
–An LdapCrawler for gathering LDIF files and converting them to TIOs
  –Currently no encryption of TIOs implemented
  –Currently only support for LDAPv2 (no character-set conversion problem)

LDAP/TIO implementations -9- The generic Desire TIO index server (cont.) Some specific implementations

LDAP/TIO implementations -10- The Desire LDAP/TIO index server (cont.) Some specific implementations

LDAP/TIO implementations -11- The Desire LDAP/TIO index server (cont.)
Some specific implementations
Unfortunately we don't have any performance figures yet
–The package is on the brink of being completed
–Presumably the GIDS index server will be faster: the generic MySQL engine is slow compared to a dedicated TIO database
Current implementation
–Available on Linux and (hopefully) on Digital Unix
–The source code and the Linux executables of
  –The LdapCrawler with an integrated LDIF2TIO converter
  –The TIO index (using MySQL v3.23.6)
  –The LDAP NPS, implemented using OpenLDAP with an API to the TIO index

LDAP/TIO implementations -12- The Ericsson DAG server
Some specific implementations
Offspring of the TISDAG project
–Aimed at providing a uniform telephone directory containing numbers without a centralized database
The server consists of:
–The DAG (Directory Access Gateway) index server
  –Implemented using the TimesTen in-memory database engine for storing and searching the TIOs
–One or more CAP (Client Access Point) modules
  –For connecting clients using specific communication protocols such as LDAPv2, LDAPv3 or WhoIS++
–One or more SAP (Server Access Point) modules
  –For connecting directory servers using specific communication protocols such as LDAPv2, LDAPv3 or WhoIS++

LDAP/TIO implementations -13- The Ericsson DAG server (cont.) Some specific implementations

LDAP/TIO implementations -14- The Ericsson DAG server (cont.)
Some specific implementations
Unfortunately we aren't allowed to present exact figures
–The next version is said to be much faster
Performance figures
–Response times
  –Use LDAPv3 referral requests to measure the response time of the referral server itself, without chaining or following referrals
  –The mean response time related to the number of parallel search queries (measured with a large number of queries)
–Number of queries/second (or minute??)
–The number of parallel requests
  –Related to the response time
–Maximum number of entries in the TIO index
  –Bounded by the memory size and the algorithm used to search the index

LDAP/TIO implementations -15- The GIDS server
Some specific implementations
Offspring of the TISDAG project
–Second implementation of the TISDAG TIO index server
The server consists of:
–An index server
  –Using a dedicated database engine for storing and searching the TIOs
  –Using a dedicated communication protocol (analogous to LDAP) to communicate with the CAP and SAP modules
–One or more CAP (Client Access Point) modules
  –For connecting clients using specific communication protocols such as LDAPv2, LDAPv3 and HTTP
–One or more SAP (Server Access Point) modules
  –For connecting directory servers using specific communication protocols such as LDAPv2 and LDAPv3
–An LdapCrawler for gathering LDIF files and converting them to TIOs
  –With support for LDAPv2 and LDAPv3 and character-set conversion

LDAP/TIO implementations -16- The GIDS server (cont.)
Some specific implementations
Performance figures
–Response times
  –Measured with LDAPv3 requests (an LDAPv3 bind, sending the query, receiving the response, an unbind operation)
  –With one sequence of LDAPv3 requests, a mean time of approximately 23 ms per LDAPv3 request
  –With 10 simultaneous LDAPv3 requests, approximately 150 ms per LDAPv3 request
–Maximum number of queries/second
  –Approximately 65 LDAPv3 queries/second
  –With LDAPv2 the number will be lower because the server has to do the chaining itself
–Maximum number of entries in the TIO index
  –Bounded by the memory size and the algorithm used to search the index
  –Current demo implementation (CH, DE, NL, NO & SE): 120K tokens from 450 different data sets (consuming about 35 MB of memory)

LDAP/TIO implementations -17- The scope and communication between TIO index servers
Open issues
Scope
–Centralized versus distributed LDAP/TIO engines
Location of the TIO/LDAP index server
–Located close (in network terms) to the end users, to minimize the RTT
–Located close to the referred LDAP servers, to minimize the RTT related to LDAPv2 chaining
Exchanging TIOs
–Global TIO collection versus distributed collections at country level
  –Distributed to country level
  –Knowledge base or 'where to find what'??
–Encrypted transport via HTTP
–Push or pull??

LDAP/TIO implementations -18- Local access policy
Open issues
Security requirements
–Personal data is subject to privacy legislation
–For public data other security requirements might be imposed
–No unauthorized access to local directory servers
  –Only accessible by local inhabitants and peer countries
–All applications able to access the index should be known
–Only a limited number of referrals might be returned
–No 'access denied' messages
  –Don't show entries which are not accessible (an 'access denied' for an entry the client may not see already reveals that the entry exists)
Access restrictions
–Restrict access to the TIO/LDAP index server
–Restrict access to the LDAP servers containing the information
  –Chaining versus LDAPv3 referrals
  –HTTP access control versus LDAP access control
  –Access via HTTP proxies versus LDAP proxies

LDAP/TIO implementations -19- Scenarios
Open issues
Create a trusted relation between country-level TIO servers
–Only peers will communicate with each other
  –Besides the local LDAP clients
–A peer will enforce its own local access rules
  –The TIO index server should only be accessible by known clients
–The LDAP query will be chained to the remote peers
  –The TIO objects of the peer country should deliver referrals which point to a known access point, e.g. an LDAP proxy or the FLDSA
  –An LDAP search request from a known LDAP client must be chained to the known access point
–The number of known access points should be limited
–The TIO objects cannot be duplicated between the peers
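The referral-side of the local access policy on slides 18 and 19, as an added example that is not part of the deck or of any of the three servers: the index refuses queries from clients it does not know, rewrites every referral so that it points at a known access point (an LDAP proxy or the FLDSA) rather than at the directory server itself, silently drops referrals to servers for which no access point has been agreed instead of returning 'access denied', and caps the number of referrals returned. The client networks, host names, the access-point table and the referral list are constructed for this example.

```python
"""Apply a country-level index server's local access policy to TIO referrals.

Added example, not code from the deck.  Policy table and hosts are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Policy:
    known_clients: tuple                # IP networks allowed to query the index
    access_points: dict[str, str]       # referred directory host -> known access point host:port
    max_referrals: int                  # upper bound on referrals handed to one query


def is_known_client(policy: Policy, client_ip: str) -> bool:
    """Slide 19: the TIO index server should only be accessible by known clients."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in policy.known_clients)


def rewrite_to_access_point(policy: Policy, url: str) -> str | None:
    """Point the referral at the access point agreed for its directory host.
    Returns None when the host has no known access point: the caller then treats
    the entry as not found, so the client never learns it exists (slide 18)."""
    parts = urlsplit(url)
    if parts.scheme != "ldap" or parts.hostname is None:
        return None
    access_point = policy.access_points.get(parts.hostname)
    if access_point is None:
        return None
    return urlunsplit((parts.scheme, access_point, parts.path, parts.query, parts.fragment))


def filter_referrals(policy: Policy, client_ip: str, referrals: list[str]) -> list[str]:
    """Referrals from the TIO index -> referrals the client is allowed to receive."""
    if not is_known_client(policy, client_ip):
        raise PermissionError("client not known to this index server")
    allowed: list[str] = []
    for url in referrals:
        rewritten = rewrite_to_access_point(policy, url)
        if rewritten is None:
            continue                    # dropped silently: no 'access denied' message
        if rewritten not in allowed:    # several index tags can name the same server
            allowed.append(rewritten)
        if len(allowed) == policy.max_referrals:
            break                       # only a limited number of referrals is returned
    return allowed


# Constructed policy for a Dutch country-level index: one local and one peer network
# may query; NL, DE and CH directories are reached through their proxies/FLDSA; the
# Swedish directory has no agreed access point yet, so referrals to it are dropped.
POLICY = Policy(
    known_clients=(ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")),
    access_points={
        "weetmuts.surfnet.nl": "ldap-proxy.surfnet.nl:389",
        "ldap.example.de": "fldsa.example.de:389",
        "ldap.example.ch": "ldap-proxy.example.ch:389",
    },
    max_referrals=2,
)

# Constructed referrals as a TIO index would produce them for (sn=Bos).
REFERRALS = [
    "ldap://weetmuts.surfnet.nl:389/o=SURFnet,c=NL??sub?(sn=Bos)",
    "ldap://ldap.example.se:389/o=Example,c=SE??sub?(sn=Bos)",    # no access point: dropped
    "ldap://ldap.example.de:389/o=Example,c=DE??sub?(sn=Bos)",
    "ldap://ldap.example.de:389/o=Example,c=DE??sub?(sn=Bos)",    # duplicate tag hit
    "ldap://ldap.example.ch:389/o=Example,c=CH??sub?(sn=Bos)",    # beyond the cap
]

if __name__ == "__main__":
    for url in filter_referrals(POLICY, "192.0.2.10", REFERRALS):
        print(url)
```

Because the dropped referral and the capped one look identical to a miss, a client cannot tell a server it is not allowed to reach from a server that has no matching entry; that is the property the 'no access denied messages' requirement asks for, and it is the reason the filtering has to happen in the index server rather than in the client.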

LDAP/TIO implementations -20- Scenarios (cont.)
Open issues

LDAP/TIO implementations -21- Discussion