EDirectory Update with 8.7.1 Gary J Porter MindWorks, Inc.


1 eDirectory Update with 8.7.1 Gary J Porter MindWorks, Inc. gporter@mindworks-inc.com

2 © September 15, 2015 Novell Inc, Confidential & Proprietary.
Contents
Things you should know from 8.7
Extensible Match
Dynamic Groups
New Event Triggers
Persistent Search
TLS
New Authentication Methods
SOAP Access
Universal Password
& much more…

3 Extensible Match
Extensible Match defined in LDAP v3
Support multiple matching rules for the same types of data
–Can implement new rules, e.g., “sounds like”
Include DN elements in the search criteria
–The DN specification allows matching on specific elements of the DN of an object
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
ou=sal

4 Task: Find All Admin Assistants in All the Sales Groups of this Company
(Tree diagram: Root; England, USA, Germany; Sales, Manufacturing, Finance, Engineering; East, West; Admin assistant containers holding Terry, Alice, Sam, Hilda and Bill)

5 Possibility One
1. Search for all admin assistant containers in the tree
C:>ldapsearch … (organizationalRole=adminAssistant)
organizationalRole=adminAssistant,ou=sales,o=usa
organizationalRole=adminAssistant,ou=sales,o=germany
organizationalRole=adminAssistant,ou=finance,o=germany
organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches
2. In the client, evaluate each DN to see if it is subordinate to a sales container

6 Possibility One (cont.)
3. Using each admin assistant container as a base, do a subtree search for users in that container
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=west,ou=sales,o=england” (objectClass=user)
cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england
1 matches

7 Possibility Two
1. Search for all sales containers in the tree
C:>ldapsearch … (ou=sales)
ou=sales,o=usa
ou=sales,o=germany
ou=sales,o=england
3 matches
2. Using each sales container as a base, do a subtree search for users in the admin assistant container
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=usa” (objectClass=user)
cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
1 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=germany” (objectClass=user)
cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
2 matches
C:>ldapsearch … -b “organizationalRole=adminAssistant,ou=sales,o=england” (objectClass=user)
0 matches
What’s wrong? This search assumes everything is at the same level!

8 In eDirectory 8.7...
1. Use extensibleMatch
C:>ldapsearch … (&(ou:dn:=Sales)(organizationalRole=adminAssistant))
cn=Terry, organizationalRole=adminAssistant,ou=sales,o=usa
cn=Sam, organizationalRole=adminAssistant,ou=sales,o=germany
cn=Alice, organizationalRole=adminAssistant,ou=sales,o=germany
cn=Bill, organizationalRole=adminAssistant,ou=west,ou=sales,o=england
4 matches
extensible = attr [":dn"] [":" matchingrule] ":=" value / [":dn"] ":" matchingrule ":=" value

9 eDirectory Support for extensibleMatch
eDirectory 8.7 and 8.7.1 support extensibleMatch for matching on DN values
eDirectory 8.7 treats other extensibleMatch specifications as undefined terms in the filter and ignores them
Versions of eDirectory prior to 8.7 returned a protocol error if an extensibleMatch term was specified in a search filter
Advertisement of matching rules in eDirectory 8.7 is done through the LDAP subschema subentry object using the standard matchingRules and matchingRuleUse schema attributes
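Added example, not part of the presentation: a client-side Python model of what the ":dn" flag does. The filter (&(ou:dn:=Sales)(organizationalRole=adminAssistant)) is evaluated over constructed entries shaped like the slide's tree, next to the "same level" lookup of Possibility Two and the subordinate check of Possibility One, so the difference in results can be reproduced without a server. The entries, the organizationalRole attribute on each user and the helper names are assumptions of this example.

```python
import re

# Constructed entries modelled on the slide's tree (not captured server output); each user
# carries organizationalRole=adminAssistant so the plain (non-:dn) term matches the user itself.
ENTRIES = [
    {"dn": "cn=Terry,organizationalRole=adminAssistant,ou=sales,o=usa"},
    {"dn": "cn=Sam,organizationalRole=adminAssistant,ou=sales,o=germany"},
    {"dn": "cn=Alice,organizationalRole=adminAssistant,ou=sales,o=germany"},
    {"dn": "cn=Hilda,organizationalRole=adminAssistant,ou=finance,o=germany"},
    {"dn": "cn=Bill,organizationalRole=adminAssistant,ou=west,ou=sales,o=england"},
]
for _e in ENTRIES:
    _e["organizationalRole"] = ["adminAssistant"]

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) pairs; a '\\,' inside a value is not a separator."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def dn_match(dn, attr, value):
    """The ':dn' flag: test the assertion against every RDN of the entry's own DN."""
    return (attr.lower(), value.lower()) in split_dn(dn)

def attr_match(entry, attr, value):
    """An ordinary equality term: test against the entry's attribute values."""
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def extensible_search(entries):
    """(&(ou:dn:=Sales)(organizationalRole=adminAssistant)) as a single pass over the entries."""
    return [e["dn"] for e in entries
            if dn_match(e["dn"], "ou", "Sales")
            and attr_match(e, "organizationalRole", "adminAssistant")]

def same_level_search(entries):
    """Possibility Two: only finds users whose container sits directly under ou=sales."""
    hits = []
    for e in entries:
        parent = split_dn(e["dn"])[1:]          # the container the user lives in
        if parent[:2] == [("organizationalrole", "adminassistant"), ("ou", "sales")]:
            hits.append(e["dn"])
    return hits

def is_subordinate(dn, base):
    """Possibility One, step 2: client-side check that dn lies somewhere under base."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b
```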

10 Dynamic Groups
Creating communities while reducing administrative overhead

11 Dynamic Groups
eDirectory 8.6.1 and 8.7 allow you to determine group membership dynamically
Membership determined by use of a search filter
–Search filter is in URL form (RFC 2255)
Additional capabilities
–Objects specifically excluded
–Objects specifically included in the group
Web management interface in eDirectory 8.7
Available only via LDAP in eDirectory 8.6.1

12 Dynamic Groups—Schema
ObjectClasses
–dynamicGroup—Structural class for dynamic group
–dynamicGroupAux—Auxiliary class
Attributes
–memberQueryURL—The search query in URL form
–excludedMember—Objects specifically excluded
–uniqueMember—Objects specifically included in the group
–Reading the “uniqueMember” (or “member”) attribute returns the specifically included objects as well as the objects which satisfy the query

13 Dynamic Groups—Compatibility
Static groups may be converted to dynamic groups
–Add dynamicGroupAux to the objectClass attribute
–Set a search query in memberQueryURL
For either static or dynamic groups, obtain a membership list by simply reading the “member” attribute
By default, the implicit search is limited to the local server

14 Dynamic Groups
The student registers for a course
The student can now see the list of other students in the course automatically, because he becomes part of the dynamic group for the course
ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?(&(objectclass=aspenStudent) (aspenRegisteredSections=cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv))
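Added example, not part of the presentation: Python that takes the slide's memberQueryURL apart the way RFC 2255 lays it out (base, attributes, scope, filter) and computes the effective membership from the query hits, uniqueMember and excludedMember over constructed student entries, including one registered student outside the search base and one registered for a different section. The entries, the group object and the rule that excludedMember overrides both the query and uniqueMember are assumptions of this example.

```python
import re

SECTION = "cn=EA-sec1, ou=sections, l=Denver, l=USA, o=OutdoorAdv"
GROUP = {  # constructed dynamicGroup object carrying the slide's memberQueryURL
    "memberqueryurl": "ldap:///ou=students,l=Denver, l=USA, o=OutdoorAdv??sub?"
                      "(&(objectclass=aspenStudent) (aspenRegisteredSections=" + SECTION + "))",
    "uniquemember": ["cn=Instructor,ou=staff,l=Denver,l=USA,o=OutdoorAdv"],
    "excludedmember": ["cn=Dana,ou=students,l=Denver,l=USA,o=OutdoorAdv"],
}

def student(cn, loc, section):  # constructed entries; attribute names are lower-cased
    return {"dn": f"cn={cn},ou=students,l={loc},l=USA,o=OutdoorAdv",
            "objectclass": ["aspenStudent"], "aspenregisteredsections": [section]}
ENTRIES = [student("Pat", "Denver", SECTION), student("Dana", "Denver", SECTION),
           student("Lee", "Denver", "cn=EA-sec2,ou=sections,l=Denver,l=USA,o=OutdoorAdv"),
           student("Kim", "Boulder", SECTION)]  # Kim is registered but outside the search base

def norm(value):
    """Loose comparison for DN-valued strings: drop spaces after commas, ignore case."""
    return re.sub(r",\s*", ",", value).strip().lower()

def parse_member_query_url(url):
    """Split an RFC 2255 URL 'ldap://host/base?attrs?scope?filter' into its four parts."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("memberQueryURL must be an ldap:// URL")
    _host, _, rest = url[len("ldap://"):].partition("/")
    base, attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
    return base.strip(), [a for a in attrs.split(",") if a], scope.strip().lower() or "base", flt

def in_scope(dn, base, scope):
    """Apply the URL scope (base / one / sub) relative to the search base."""
    d, b = norm(dn), norm(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return d.endswith("," + b) and "," not in d[: -len(b) - 1]
    return d == b or d.endswith("," + b)

def filter_matches(flt, entry):
    """Evaluate an AND of equality terms, the only filter shape the slide's URL uses."""
    terms = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", flt)
    return all(any(norm(v) == norm(want) for v in entry.get(attr.lower(), []))
               for attr, want in terms)

def effective_members(group, entries):
    """member = (query hits | uniqueMember) - excludedMember; that precedence is an assumption."""
    base, _attrs, scope, flt = parse_member_query_url(group["memberqueryurl"])
    dynamic = {e["dn"] for e in entries if in_scope(e["dn"], base, scope) and filter_matches(flt, e)}
    excluded = {norm(x) for x in group.get("excludedmember", [])}
    return sorted(m for m in dynamic | set(group.get("uniquemember", [])) if norm(m) not in excluded)
```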

15 eDirectory Events
Automate and monitor

16 Applications of eDirectory Events
What can I do with eDirectory Events?
–eDirectory monitoring
–Auditing
–Automation of infrastructure changes
–Automated business logic
All of these things can be done with eDirectory—they don’t exist in the same form on other directory products

17 Selectively Monitor eDirectory Events
eDirectory defines several directory-related events, including
–Operations on individual entries and their attributes
–Partition and replica operations
These events can be used for
–Debugging
–Auditing
–Management
Access to each event is controlled by rights checking
–If the user does not have the required privileges, the request will fail or no event will be sent

18 LDAP Persistent Search
Alters the standard LDAP search operation to perform a continuous search, notifying the application of changes that occur on an LDAP server
Persistent search allows the client to be notified when changes are made to entries that satisfy the specified search filter
The connection to the server remains open until the search is abandoned
Persistent search is supported by multiple directories

19 eDirectory Events Extension
Novell extension allowing an LDAP client to be notified of the occurrence of various events on an eDirectory server
Utilizes the LDAPv3 extended operation extension mechanism
It also uses an intermediate response PDU* as described in the IETF draft
–draft-rharrison-ldap-intermediate-resp-00.txt
Available on all platforms supported by Novell eDirectory 8.7
This is Novell-specific and not standard LDAP
*Protocol Data Unit

20 Using eDirectory Events
Student registers for a course
Persistent Search updates instructor’s class list automatically

21 Transport Layer Security
Securing eDirectory access

22 Transport Layer Security (TLS)
TLS 1.0 provides privacy and data integrity between the LDAP client and the LDAP server
TLS ensures that
–The connection is private
–The connection is reliable
–Identities can be authenticated using asymmetric or public key cryptography
–Negotiation of a shared secret is secure (no middle man)
–The negotiation is reliable (attackers detected)
TLS = SSL

23 Selectable Channel Encryption
I’m connected to the directory on the clear-text port, and I want to access my credit card information. What do I do?
I can drop my connection, re-authenticate to the SSL port, and get the data
OR
I can send the StartTLS extended request along with the query to read my credit card

24 Connecting with TLS
eDirectory LDAP server can now be configured to use the following TLS handshakes
–Require client certificate
–Request client certificate
–Server certificate only
This configuration is done through iManager

25 Ending TLS on a Connection
Client or server sends a TLS end notification
Connection reverts to anonymous
Who are you, anyway?

26 Configurable Transport Security
Instructor connects with clear text
Start TLS - Instructor changes to a secure connection to see the student information

27 New LDAP Authentication Methods

28 Multiple Authentication Mechanisms (SASL)
Students authenticate with SASL
–EXTERNAL
–DIGEST-MD5
–NMAS_LOGIN
Student registers thumbprint
eDirectory Replication
Students can modify their own profiles

29 SASL EXTERNAL
TLS handshake establishes client identity by means of certificate-based client authentication
LDAP SASL EXTERNAL uses that identity for the user connection

30 SASL DIGEST-MD5
Allows password to be securely sent over a clear-text connection
Requires that the server maintain a clear-text copy of the password in the NMAS encrypted store, which can be hashed using data provided in the bind and then compared to the hashed password contained in the bind
Simple bind packet with hashed password
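Added example, not Novell's code: the RFC 2831 DIGEST-MD5 computation in Python, which makes the slide's point concrete. The client proves the password without sending it, and the server can only check that proof by recomputing it from the clear-text password (or at least MD5(username:realm:password)), which is why the password has to be kept in the NMAS store in a recoverable form rather than as a one-way hash. The realm, user, nonce handling and password values are constructed for the example.

```python
import hashlib
import hmac
import os

def _hex_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 response-value for qop=auth without authzid; the client sends this, never the password."""
    # A1 = H(username:realm:password) : nonce : cnonce   (inner hash as raw bytes)
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest() + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    return _hex_md5(f"{_hex_md5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_md5(a2)}".encode())

class DigestServer:
    """Stand-in for the server side (constructed). To recompute the client's response it needs
    the clear-text password, or MD5(username:realm:password); a plain one-way password hash
    would not let it verify anything."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords      # constructed: username -> clear-text password
        self.outstanding = {}           # username -> nonce issued in the challenge

    def challenge(self, username):
        nonce = os.urandom(16).hex()    # fresh server nonce for every bind attempt
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username, cnonce, nc, digest_uri, response):
        nonce = self.outstanding.pop(username, None)   # one-shot: a replayed response fails
        password = self.passwords.get(username)
        if nonce is None or password is None:
            return False
        expected = digest_md5_response(username, self.realm, password, nonce, cnonce, nc, digest_uri)
        return hmac.compare_digest(expected, response)
```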

31 SASL NMAS_LOGIN
Full functionality of Novell Modular Authentication Services (NMAS™) applied to LDAP binds
Login policy maintained by the server
Provides for multiple levels of authentication and identification
–Fingerprint
–Smart card
–Certificate
–Biometric

32 Web Services & Novell eDirectory 8.7
SOAP Access to eDirectory

33 DSML Connector
(Architecture diagram labels: Web Server, SOAP, UDDI, DSML URL, DSML WSDL, J2EE Container, DSML SOAP Servlet, Reader, Writer, Java LDAP API, LDAP, eDirectory)

34 Clientless install (Windows only)
This provides the ability to install eDirectory on a Windows NT or 2000 server without the Novell Client.

35 Novell iMonitor 2.1
This new version of iMonitor provides:
–SSL support on all platforms
–Object statistics reports
–Enhanced obituary processing reports
–Server advertising reports
–Enhanced tracing functions
–Event monitoring and statistics

36 Novell iManager 2.0
This utility provides a single Web-based management console for the administration of Novell products on NetWare 6.5 & NNLS
iManager standardizes all Novell Web-based administration utilities into a single management framework
Provides an architecture for easy development of Web-based administration and management modules through open standard application interfaces
Uses Roles to delegate eDirectory administration, management, and services tasks

37 Novell iManager 2.0
Novell iManager consists of two pieces:
–eDirectory Management Framework (eMFrame)
–eDirectory Management Toolbox (eMBox)
eMBox is the server-side piece that works with iManager to access functionality in various eDirectory utilities.
Other Utilities:
–DSRepair
–DSMerge
–Backup and Restore
–LDAP
–WAN Manager
–Novell Import Convert Export utility

38 Universal Password
In the past, administrators have had to manage multiple passwords (simple password, NDS RSA passwords) because of password limitations
Administrators have also had to deal with keeping the passwords synchronized
Universal Password addressed these problems by creating a single password that can be used by all protocols to authenticate users

39 UTF8 Encoded
In addition, all Novell utilities are now UTF8 encoded
When a password is reset by a user or an administrator, the Secure Password Manager (SPM), an NMAS component, takes the Unicode password, converts it to a Universal Password (UTF8-encoded) and resets the NDS password.

40 Backup and Restore
eDirectory 8.7 introduced a new focus for backup and restore, called "hot continuous backup"
With the new Backup eMTool, you back up the eDirectory database for each server individually, and you can do it while eDirectory is running

41 Novell eGuide 2.11
eGuide provides a Web-based GUI for searching, viewing, and editing information stored in Novell eDirectory and other directory data sources
Because eGuide is highly customizable for any type of environment, administrators can configure it to their own specifications
