OpenLDAP Enterprise Features
Bruce Huang ([email protected]) Tommy Yan ([email protected]) HP Open Source and Linux Organization
Agenda
• Non-Native English speakers
• Directory services in large enterprises - challenges and progress
• Technical implementation of some enterprise features
Directories in a large enterprise - an HP example back to 2003
Sites shown on the map: Sunnyvale, Houston, Boise, Atlanta, Grenoble, Boeblingen, Singapore
- Mission-critical repository used by 1500+ applications in HP
- Approximately 50 million+ operations/day
- Resolve every @hp.com mail address
- Authorize every HP inline login
- Hardware: Approximately 30 servers worldwide
- Software: Sun ONE Directory Server 5.x
- Directory root: o=hp.com
Directories in a large enterprise - an HP example back to 2003 (cont.)
Directory Root (o=hp.com):
- ou=People: People (Employees/Contingents, HR data, email, NT, certs, etc)
- ou=Groups: Groups (News/Mail/Security group owners, members, description, etc)
- ou=Servers: Servers (used to store server certificates)
- ou=Locations: Locations (HP real estate, address, lat/long, time zone, etc)
- ou=Organizations: Organizations (HP organizations, name, address, contact, etc)
- ou=Partners: Business Partners
What are the challenges in this model?
– Cost: Per-entry pricing model. (An entry is defined as a single Distinguished Name (DN) and its contained attributes; 1 employee takes 1 entry, 1 server takes 1 entry, for example.)
– Lock: Vendors don’t want to modify the existing product to meet our technical requirements, but want us to buy more products.
Why OpenLDAP was considered the solution
• Cost: Symas per server/enterprise license model
• Freedom: Having the source code
• Support: IT has the resources and capability to support it (OSMS, Symas)
• Standard, not proprietary: Why not enhance the applications?
OpenLDAP’s challenges and progress
– General enterprise grade robustness:
  • Solid Berkeley DB support
  • Audit capability
  • Reconfiguring must be available on-the-fly as much as possible
  • Reliable replication strategy
– Password Policy: A security policy for passwords (e.g., must not be a dictionary word, must be over 6 characters, and so on). Overlay by Neil Dunbar (HP) and Howard Chu (Symas).
OpenLDAP’s challenges and progress (cont.)
– Data constraint: For instance, a telephone number could be forced to follow ITU standard representation rules. Overlay by Neil Dunbar (HP).
– Translucency: store department-specific attributes for its employees in a local directory, for extension and speed. Overlay by Symas, sponsored by HP.
– Group Policy: Much of HP's authorization data resides in the notion of groups: groups of employees, groups of assets, groups of business partners, and so forth. However, the LDAP/X.500 model does not really impose any notion of what groups mean. Overlay by Symas.
What is the current status
• HP completed migrating the Enterprise Directory to OpenLDAP on Linux in 2006.
• HP is completely unchained from the per-entry licensing model.
• The above directory enterprise requirements are met.
• Source code contributed upstream to the OpenLDAP community.
OpenLDAP working model
Client <-(Request/Response)-> Frontend (slapd) <-(Request/Response)-> Backend (bdb, dbm, hdb)
• The slapd frontend receives an LDAP request
• The slapd frontend passes the request to the backend
• The backend calls some functions of the frontend to send the results to the client
OpenLDAP Overlays
• Overlays: modules working between frontend and backend
 – introduced since OpenLDAP 2.2
 – change the behavior of backends without changing backend code
 – process incoming requests before backends
 – process outgoing results before the frontend
• Processing steps (Frontend → Overlay1 → Overlay2 → ... → Backend):
 − 1. The frontend passes requests to the first overlay.
 − 2. The first overlay forwards requests to the next overlay, and so on until requests reach the real backend.
 − 3. The backend returns results to the last overlay, which passes them back through the chain to the first overlay.
 − 4. The first overlay returns the results to the frontend, which sends them to the client.
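The request/response path above, as an added example that is not part of the slides: a small Python model of a stacked overlay chain. Requests travel down the chain in configuration order and responses travel back up in reverse order; an overlay that answers a request itself stops it before the backend sees it. The two overlays (`RequireCn`, `HideUserPassword`), the toy `Backend` and the entries are constructed for illustration and are not OpenLDAP code.

```python
# Added example (not from the slides): a minimal model of how slapd stacks
# overlays between the frontend and the backend. Requests travel down the chain
# in configuration order and responses travel back up in reverse order; an
# overlay that answers a request itself (here with result code 19) stops the
# request before the backend sees it. The two overlays, the toy backend and the
# entries are constructed for illustration and are not OpenLDAP code.
from typing import Any, Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
Request = Dict[str, Any]
Result = Tuple[int, str, Optional[Entry]]     # (LDAP result code, message, entry)

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_UNWILLING_TO_PERFORM = 53


class Overlay:
    """Pass-through overlay; subclasses override one or both hooks."""
    name = "base"

    def on_request(self, req: Request, trace: List[str]) -> Optional[Result]:
        trace.append(f"{self.name}: request")
        return None                               # None = hand on to the next stage

    def on_response(self, res: Result, trace: List[str]) -> Result:
        trace.append(f"{self.name}: response")
        return res


class RequireCn(Overlay):
    """Constructed request-side overlay: refuses adds that lack a cn."""
    name = "require_cn"

    def on_request(self, req: Request, trace: List[str]) -> Optional[Result]:
        trace.append(f"{self.name}: request")
        entry = req.get("entry") or {}
        if req["op"] == "add" and not entry.get("cn"):
            return (LDAP_CONSTRAINT_VIOLATION, "cn is required", None)
        return None


class HideUserPassword(Overlay):
    """Constructed response-side overlay: strips userPassword from results."""
    name = "hide_userpassword"

    def on_response(self, res: Result, trace: List[str]) -> Result:
        trace.append(f"{self.name}: response")
        code, msg, entry = res
        if entry is not None:
            entry = {k: v for k, v in entry.items() if k != "userPassword"}
        return (code, msg, entry)


class Backend:
    """Toy backend: an in-memory dict keyed by DN."""

    def __init__(self) -> None:
        self.store: Dict[str, Entry] = {}

    def handle(self, req: Request, trace: List[str]) -> Result:
        trace.append("backend: handle")
        if req["op"] == "add":
            self.store[req["dn"]] = dict(req["entry"])
            return (LDAP_SUCCESS, "", None)
        if req["op"] == "search":
            entry = self.store.get(req["dn"])
            return (LDAP_SUCCESS, "", dict(entry) if entry else None)
        return (LDAP_UNWILLING_TO_PERFORM, "unwillingToPerform", None)


def frontend(overlays: List[Overlay], backend: Backend, req: Request) -> Tuple[Result, List[str]]:
    """Run one request through the stack; returns (result, processing trace)."""
    trace: List[str] = ["frontend: receive"]
    res: Optional[Result] = None
    depth = 0                                     # overlays that saw the request
    for ov in overlays:
        res = ov.on_request(req, trace)
        if res is not None:
            break                                 # answered here; backend skipped
        depth += 1
    if res is None:
        res = backend.handle(req, trace)
    for ov in reversed(overlays[:depth]):         # unwind in reverse order
        res = ov.on_response(res, trace)
    trace.append("frontend: send to client")
    return res, trace


def demo() -> List[str]:
    """Add an entry, search it back, and return the trace of the search."""
    backend = Backend()
    stack = [HideUserPassword(), RequireCn()]     # order = order in slapd.conf
    frontend(stack, backend, {"op": "add", "dn": "uid=bruce,ou=people,dc=hp,dc=com",
                              "entry": {"uid": ["bruce"], "cn": ["Bruce"], "userPassword": ["secret"]}})
    _, trace = frontend(stack, backend, {"op": "search", "dn": "uid=bruce,ou=people,dc=hp,dc=com"})
    return trace


if __name__ == "__main__":
    print("\n".join(demo()))
```

The trace printed by `demo()` shows the two hooks firing in mirror-image order around the backend; an add without `cn` never reaches `backend: handle`, which is exactly how the constraint and ppolicy overlays later in the deck reject operations.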
Create your own overlay
// hello.c
#include "portable.h"
#include "slap.h"

static slap_overinst hello_ovl;

/* Request hooks: SLAP_CB_CONTINUE hands the operation on to the next stage */
static int hello_add(Operation *op, SlapReply *rs) { return SLAP_CB_CONTINUE; }
static int hello_modify(Operation *op, SlapReply *rs) { return SLAP_CB_CONTINUE; }
/* Database close hook (OpenLDAP 2.4 signature) */
static int hello_close(BackendDB *be, ConfigReply *cr) { return 0; }

/* Entry point called when the module is loaded with moduleload */
int init_module(int argc, char *argv[])
{
    hello_ovl.on_bi.bi_type = "hello";
    hello_ovl.on_bi.bi_op_add = hello_add;
    hello_ovl.on_bi.bi_op_modify = hello_modify;
    hello_ovl.on_bi.bi_db_close = hello_close;
    return overlay_register(&hello_ovl);
}
…
Two Examples of Using Overlays
- Password Policy
- Constraint
Password Policy
• Provide password control mechanisms, like password aging, password reuse, mandatory password resets and so on.
• Define multiple password policies by using the ‘pwdPolicy’ object class.
• Apply specific password policies to entries.
• Configuration directives:
 – moduleload ppolicy.la
 – overlay ppolicy
 – ppolicy_default
Password Policy (cont.)
Example: Create two different password policies and apply them to entries.
• Load and configure the overlay in slapd.conf:
 …
 moduleload ppolicy.la
 overlay ppolicy
 ppolicy_default cn=default,ou=policy,dc=hp,dc=com
 …
Password Policy (cont.)
• Add two policy entries – policy.ldif:
 dn: cn=default,ou=policy,dc=hp,dc=com
 objectClass: pwdPolicy
 objectClass: device
 cn: default
 pwdAttribute: userPassword
 pwdCheckQuality: 2
 pwdMinLength: 5
 pwdMaxAge: 2592000

 dn: cn=strong,ou=policy,dc=hp,dc=com
 objectClass: pwdPolicy
 objectClass: device
 cn: strong
 pwdAttribute: userPassword
 pwdCheckQuality: 2
 pwdMinLength: 8
 pwdMaxAge: 1296000
Password Policy (cont.)
• Set the pwdPolicySubentry attribute in a DN – bruce.ldif:
 dn: uid=bruce,dc=osms,dc=hp,dc=com
 objectClass: inetOrgPerson
 uid: bruce
 mail: [email protected]
 sn: huang
 employeeNumber: 111111
 cn: Bruce Huang
 pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com
Password Policy (cont.)
• Verify that the overlay works by running ‘ldappasswd’ to change the password of ‘uid=bruce,dc=osms,dc=hp,dc=com’ to a value shorter than 8 characters:
 Result: Constraint violation (19)
 Additional info: Password fails quality checking policy
• Note: the bind DN used to change the password must not be the rootdn.
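What the two policy entries mean in practice, as an added example that is not part of the slides: a small evaluator applies `pwdMinLength`, `pwdCheckQuality` and `pwdMaxAge` the way one expects the ppolicy overlay to, and returns result code 19 with the message shown above for a too-short password. The LDIF parser, the sample users (`BRUCE`, who points at the strong policy as in bruce.ldif, and `ALICE`, who falls back to `ppolicy_default`) and the `pwdChangedTime` values are constructed for this example; this is a model, not the overlay's own code.

```python
# Added example (not from the slides): a small evaluator for the two pwdPolicy
# entries in policy.ldif. It applies pwdMinLength, pwdCheckQuality and
# pwdMaxAge the way a practitioner would expect the ppolicy overlay to behave,
# and returns LDAP result code 19 (constraintViolation) with the message the
# slide shows. The LDIF parser, the sample user entries and the timestamps are
# constructed for this example; this is a model, not the overlay's own code.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
QUALITY_MSG = "Password fails quality checking policy"

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF with one value per line into {dn: {attr: [values]}}."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():                  # a blank line ends an entry
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


# The two policies from the slide's policy.ldif. pwdMaxAge is in seconds:
# 2592000 s = 30 days, 1296000 s = 15 days.
POLICY_LDIF = """\
dn: cn=default,ou=policy,dc=hp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 5
pwdMaxAge: 2592000

dn: cn=strong,ou=policy,dc=hp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: strong
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 1296000
"""

POLICIES = parse_ldif(POLICY_LDIF)
DEFAULT_POLICY_DN = "cn=default,ou=policy,dc=hp,dc=com"    # the ppolicy_default DN


def policy_for(entry: Entry) -> Entry:
    """An entry's own pwdPolicySubentry wins; otherwise ppolicy_default applies."""
    dn = entry.get("pwdPolicySubentry", [DEFAULT_POLICY_DN])[0]
    return POLICIES[dn]


def check_new_password(entry: Entry, new_password: str) -> Tuple[int, str]:
    """Quality check for a password change.

    pwdCheckQuality 0 = no check, 1 = check when possible, 2 = check and reject
    values whose quality cannot be judged (e.g. a client sent a pre-hashed value).
    """
    policy = policy_for(entry)
    quality = int(policy.get("pwdCheckQuality", ["0"])[0])
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if quality == 0:
        return LDAP_SUCCESS, ""
    if new_password.startswith("{"):          # {SSHA}... : cannot judge quality
        return (LDAP_CONSTRAINT_VIOLATION, QUALITY_MSG) if quality == 2 else (LDAP_SUCCESS, "")
    if len(new_password) < min_len:
        return LDAP_CONSTRAINT_VIOLATION, QUALITY_MSG
    return LDAP_SUCCESS, ""


def _generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime such as 20060101000000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(entry: Entry, now: str) -> bool:
    """pwdMaxAge counts seconds since pwdChangedTime; 0 means never expire."""
    policy = policy_for(entry)
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0 or "pwdChangedTime" not in entry:
        return False
    changed = _generalized_time(entry["pwdChangedTime"][0])
    return _generalized_time(now) > changed + timedelta(seconds=max_age)


# Constructed users: bruce points at the strong policy (as in bruce.ldif);
# alice has no pwdPolicySubentry and so gets the default policy.
BRUCE: Entry = {"uid": ["bruce"], "pwdPolicySubentry": ["cn=strong,ou=policy,dc=hp,dc=com"],
                "pwdChangedTime": ["20060101000000Z"]}
ALICE: Entry = {"uid": ["alice"], "pwdChangedTime": ["20060101000000Z"]}

if __name__ == "__main__":
    print(check_new_password(BRUCE, "seven77"))          # (19, 'Password fails quality checking policy')
    print(check_new_password(ALICE, "seven77"))          # (0, '')
    print(password_expired(BRUCE, "20060120000000Z"))    # True: 15 days passed
    print(password_expired(ALICE, "20060120000000Z"))    # False: default allows 30 days
```

Running it reproduces the slide's result: a 7-character password is rejected for Bruce under the strong policy but accepted under the default one, and Bruce's password expires after 15 days while the default allows 30.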
Constraint
• Contributed by HP
• Constrain the values of attributes by character set or regular expression
• Triggered by LDAP add and modify operations
• Configuration directives:
 – constraint_attribute
Constraint (cont.)
• Example: Constrain employeeNumber to 6 digits and cn to letters only
 – Load and configure the overlay in slapd.conf:
 …
 moduleload constraint.la
 overlay constraint
 constraint_attribute employeeNumber regex ^[0-9]{6}$
 constraint_attribute cn regex ^[a-zA-Z]*$
 …
Constraint (cont.)
• Verify it by running ‘ldapmodify’ to change the employeeNumber attribute of ‘uid=bruce,ou=people,dc=hp,dc=com’ to a number with 5 digits:
 – modify.ldif:
 dn: uid=bruce,ou=people,dc=hp,dc=com
 changetype: modify
 replace: employeeNumber
 employeeNumber: 12345
 – Result:
 ldap_modify: Constraint violation (19)
 additional info: modify breaks regular expression constraint on employeeNumber
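The constraint check above, as an added example that is not part of the slides: a short script that reads the `constraint_attribute ... regex ...` directives from the slide's slapd.conf text and applies them to add and modify operations the way the overlay does (a regex search over each value, so the `^` and `$` anchors in the directive decide whether the whole value must match). Testing the directives offline before loading them matters here: the `cn` rule `^[a-zA-Z]*$` rejects any value containing a space, so the `cn: Bruce Huang` from bruce.ldif on an earlier slide would itself fail. The parser (`parse_constraints`), the checker names and the sample operations are constructed for this example and are not the overlay's code.

```python
# Added example (not from the slides): test the slide's constraint_attribute
# directives offline before they go into slapd.conf. A small parser reads the
# regex directives and applies them to add/modify values the way the constraint
# overlay does (regexec over each value, so the ^ and $ anchors in the directive
# decide whether the whole value must match). The parser, the helper names and
# the sample operations are constructed for this example; this is not the
# overlay's own code.
import re
from typing import Dict, List, Tuple

LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19

# The slide's configuration, verbatim.
SLAPD_CONF = """\
moduleload constraint.la
overlay constraint
constraint_attribute employeeNumber regex ^[0-9]{6}$
constraint_attribute cn regex ^[a-zA-Z]*$
"""

# The slide's modify.ldif, verbatim.
MODIFY_LDIF = """\
dn: uid=bruce,ou=people,dc=hp,dc=com
changetype: modify
replace: employeeNumber
employeeNumber: 12345
"""


def parse_constraints(conf: str) -> Dict[str, re.Pattern]:
    """Collect 'constraint_attribute <attr> regex <pattern>' lines, keyed by
    lower-cased attribute name (LDAP attribute names are case-insensitive)."""
    rules: Dict[str, re.Pattern] = {}
    for line in conf.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "constraint_attribute" and parts[2] == "regex":
            rules[parts[1].lower()] = re.compile(parts[3])
        # other constraint kinds the overlay supports (size, count, uri) are not modelled
    return rules


def check_values(rules: Dict[str, re.Pattern], attr: str,
                 values: List[str], op: str) -> Tuple[int, str]:
    """Return (0, '') when every value satisfies the rule for attr, otherwise
    (19, message) worded like the ldapmodify output on the slide."""
    rule = rules.get(attr.lower())
    if rule is None:
        return LDAP_SUCCESS, ""
    for value in values:
        if rule.search(value) is None:
            return (LDAP_CONSTRAINT_VIOLATION,
                    f"{op} breaks regular expression constraint on {attr}")
    return LDAP_SUCCESS, ""


def check_modify_ldif(rules: Dict[str, re.Pattern], ldif: str) -> Tuple[int, str]:
    """Check the replace:/add: changes of a 'changetype: modify' LDIF record."""
    attr = ""
    values: List[str] = []
    for line in ldif.splitlines() + ["-"]:
        if line.strip() in ("-", ""):             # '-' separates the changes
            if attr:
                result = check_values(rules, attr, values, "modify")
                if result[0] != LDAP_SUCCESS:
                    return result
            attr, values = "", []
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("replace", "add"):
            attr = value
        elif attr and key.lower() == attr.lower():
            values.append(value)
    return LDAP_SUCCESS, ""


def check_add(rules: Dict[str, re.Pattern], entry: Dict[str, List[str]]) -> Tuple[int, str]:
    """Check every attribute of a new entry (the overlay also hooks add)."""
    for attr, values in entry.items():
        result = check_values(rules, attr, values, "add")
        if result[0] != LDAP_SUCCESS:
            return result
    return LDAP_SUCCESS, ""


RULES = parse_constraints(SLAPD_CONF)

if __name__ == "__main__":
    print(check_modify_ldif(RULES, MODIFY_LDIF))
    # cn from bruce.ldif on the earlier slide: the space makes ^[a-zA-Z]*$ fail
    print(check_add(RULES, {"uid": ["bruce"], "cn": ["Bruce Huang"], "employeeNumber": ["111111"]}))
```

The first call reproduces the slide's failure for `employeeNumber: 12345`; the second shows why a constraint should be tested against the existing data before deployment, since a rule that is stricter than intended turns every later modify of that entry into a constraint violation.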
More information on overlays
• OpenLDAP admin guide: http://www.openldap.org/doc/admin24/
• Linux man pages
• OpenLDAP source code
Resources, Thanks and Questions
• http://www.openldap.org/conf/odd-sandiego-2004/Neil.pdf
• www.hp.com/go/osms
• www.symas.com/
(Special thanks to Neil Dunbar and Kartik Subbarao from the HP directories team)
Appendix: Attribute Uniqueness
• Enforce the uniqueness of one or more attributes in a subtree
• Triggered by the operations of add, modify and modrdn
• Configuration options:
 – unique_base
Attribute Uniqueness (cont.)
• Example: Enforce the uniqueness of uid and mail for all DNs
 moduleload unique.la
 overlay unique
 unique_base dc=hp,dc=com
 unique_ignore objectClass dc ou o cn
 unique_attributes uid mail
• Test entry and result:
 dn: uid=bruce,ou=people,dc=hp,dc=com
 objectClass: inetOrgPerson
 uid: bruce
 sn: Huang
 cn: Bruce
 mail: [email protected]
 Error Message: Constraint violation (19)
 additional info: some attributes not unique
Translucency
• Enable a translucent proxy
• A remote LDAP server and a local database are required
• Entries from the remote server may be overridden (at attribute level) by entries in the local database
• Configuration options:
 – translucent_strict
 – translucent_no_glue
Referential Integrity
• Maintain the cohesiveness of a schema with reference attributes
• Triggered by the operations of modrdn and delete
• Configuration options:
 – refint_attributes
Referential Integrity (cont.)
• Example: Remove Jason and have Tommy as his replacement
 moduleload refint.la
 overlay refint
 refint_attributes manager
 refint_nothing uid=ytommy,ou=people,dc=hp,dc=com
 – Delete “uid=zjason,ou=people,dc=hp,dc=com”
 – The manager attribute in “uid=hbruce,ou=people,dc=hp,dc=com” and “uid=ytommy,ou=people,dc=hp,dc=com” is set to “uid=ytommy,ou=people,dc=hp,dc=com” automatically.
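The delete scenario above, as an added example that is not part of the slides: a Python model of referential integrity over an in-memory directory. Deleting a DN rewrites every `manager` value that referenced it to the `refint_nothing` DN (or drops the value when no `refint_nothing` is configured), and a modrdn rewrites such references to the new DN, which the slide lists as the other trigger. The entries for zjason, ytommy and hbruce are constructed from the slide's example; the function names are this example's own, not the overlay's.

```python
# Added example (not from the slides): the referential-integrity behaviour the
# slide describes, modelled over an in-memory directory. Deleting a DN rewrites
# every 'manager' value that referenced it to the refint_nothing DN (or drops
# the value when no refint_nothing is configured), and a modrdn rewrites such
# references to the new DN. The entries for zjason, ytommy and hbruce are
# constructed from the slide's example; this is a model, not the overlay's code.
from typing import Dict, List, Optional

Directory = Dict[str, Dict[str, List[str]]]

REFINT_ATTRIBUTES = ["manager"]                          # refint_attributes manager
REFINT_NOTHING = "uid=ytommy,ou=people,dc=hp,dc=com"    # refint_nothing <dn>


def normalize_dn(dn: str) -> str:
    """DN comparison ignores case and whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def make_directory() -> Directory:
    """Constructed starting state: both Bruce and Tommy report to Jason."""
    return {
        "uid=zjason,ou=people,dc=hp,dc=com": {"uid": ["zjason"], "cn": ["Jason"]},
        "uid=ytommy,ou=people,dc=hp,dc=com": {
            "uid": ["ytommy"], "cn": ["Tommy"],
            "manager": ["uid=zjason,ou=people,dc=hp,dc=com"]},
        "uid=hbruce,ou=people,dc=hp,dc=com": {
            "uid": ["hbruce"], "cn": ["Bruce"],
            # written with a stray space, as on the slide: still the same DN
            "manager": ["uid=zjason, ou=people,dc=hp,dc=com"]},
    }


def _rewrite_references(directory: Directory, old_dn: str, new_dn: Optional[str]) -> int:
    """Point every refint attribute value equal to old_dn at new_dn, or remove
    the value when new_dn is None. Returns the number of values changed."""
    changed = 0
    target = normalize_dn(old_dn)
    for entry in directory.values():
        for attr in REFINT_ATTRIBUTES:
            if attr not in entry:
                continue
            kept: List[str] = []
            for value in entry[attr]:
                if normalize_dn(value) == target:
                    changed += 1
                    if new_dn is not None:
                        kept.append(new_dn)
                else:
                    kept.append(value)
            if kept:
                entry[attr] = kept
            else:
                del entry[attr]              # no values left: drop the attribute
    return changed


def delete_entry(directory: Directory, dn: str,
                 refint_nothing: Optional[str] = REFINT_NOTHING) -> int:
    """Delete dn and repair references to it; returns the values rewritten."""
    del directory[dn]
    return _rewrite_references(directory, dn, refint_nothing)


def modrdn_entry(directory: Directory, old_dn: str, new_dn: str) -> int:
    """Rename old_dn to new_dn and follow the rename in referencing entries."""
    directory[new_dn] = directory.pop(old_dn)
    return _rewrite_references(directory, old_dn, new_dn)


if __name__ == "__main__":
    d = make_directory()
    delete_entry(d, "uid=zjason,ou=people,dc=hp,dc=com")
    for dn in ("uid=hbruce,ou=people,dc=hp,dc=com", "uid=ytommy,ou=people,dc=hp,dc=com"):
        print(dn, "->", d[dn]["manager"])    # both now uid=ytommy,ou=people,dc=hp,dc=com
```

Running the delete reproduces the slide: both remaining entries end up with `manager: uid=ytommy,ou=people,dc=hp,dc=com`, Tommy included. The `refint_nothing` DN is what keeps a mandatory attribute populated when its only value is the deleted DN; without it the value is simply removed, which the `refint_nothing=None` path shows.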