OpenLDAP Enterprise Features


Bruce Huang ([email protected]), Tommy Yan ([email protected]), HP Open Source and Linux Organization

Agenda

• 2 non-native English speakers
• Directory services in large enterprises: challenges and progress
• Technical implementation of some enterprise features

Directories in a large enterprise - an HP example back to 2003

(Map of directory server sites: Sunnyvale, Houston, Boise, Atlanta, Grenoble, Boeblingen, Singapore)

- Mission-critical repository used by 1500+ applications in HP
- Approximately 50 million+ operations/day
- Resolve every @hp.com mail address
- Authorize every HP inline login
- Hardware: approximately 30 servers worldwide
- Software: Sun ONE Directory Server 5.x

Directories in a large enterprise - an HP example back to 2003 (cont.)

Directory Root: o=hp.com
- ou=People: People (employees/contingents; HR data, email, NT, certs, etc.)
- ou=Groups: Groups (news/mail/security groups; owners, members, description, etc.)
- ou=Servers: Servers (used to store server certificates)
- ou=Locations: Locations (HP real estate; address, lat/long, time zone, etc.)
- ou=Organizations: Organizations (HP organizations; name, address, contact, etc.)
- ou=Partners: Business Partners
- …

What are the challenges in this model?

– Cost: per-entry pricing model. (An entry is defined as a single Distinguished Name (DN) and its contained attributes; 1 employee takes 1 entry, 1 server takes 1 entry, for example.)
– Lock-in: vendors don't want to modify the existing product to meet our technical requirements, but want us to buy more products.

Why OpenLDAP was considered the solution

• Cost: Symas per-server/enterprise license model
• Freedom: having the source code
• Support: IT has the resources and capability to support it (OSMS, Symas)
• Standard, not proprietary: why not enhance the applications?

OpenLDAP's challenges and progress

– General enterprise-grade robustness:
  • Solid Berkeley DB support
  • Audit capability
  • Reconfiguring must be available on-the-fly as much as possible
  • Reliable replication strategy
– Password Policy: a security policy for passwords (e.g., must not be a dictionary word, must be over 6 characters, and so on). Overlay by Neil Dunbar (HP) and Howard Chu (Symas).

OpenLDAP's challenges and progress (cont.)

– Data constraint: for instance, a telephone number could be forced to follow ITU standard representation rules. Overlay by Neil Dunbar (HP).
– Translucency: store department-specific attributes for its employees in a local directory, for extension and speed. Overlay by Symas, sponsored by HP.
– Group Policy: much of HP's authorization data resides in the notion of groups: groups of employees, groups of assets, groups of business partners, and so forth. However, the LDAP/X.500 model does not really impose any notion of what groups mean. Overlay by Symas.

What is the current status

• HP completed migrating the Enterprise Directory to OpenLDAP on Linux in 2006.
• HP is completely unchained from the per-entry licensing model.
• The directory enterprise requirements above are met.
• Source code contributed upstream to the OpenLDAP community.

OpenLDAP working model

(Diagram: Client sends a Request to, and receives a Response from, the slapd Frontend; the Frontend sends the Request to, and receives the Response from, the Backend: bdb, dbm, hdb)

• slapd frontend receives an LDAP request
• slapd frontend passes the request to the backend
• The backend calls some functions of the frontend to send the results to the client

OpenLDAP Overlays

• Overlays: modules working between frontend and backend
  – introduced since OpenLDAP 2.2
  – change the behavior of backends without changing backend code
  – process incoming requests before backends
  – process outgoing results before frontend

(Diagram: Frontend -> Overlay1 -> Overlay2 -> ... -> Backend, with the results flowing back along the same chain; steps numbered 1 to 4)

• Processing steps
  − The frontend passes requests to the first overlay
  − The first overlay forwards requests to the next overlay until requests reach the real backend
  − The backend passes results back through the overlays, from the first overlay to the last one, until they are sent to the client

Create your own overlay

/* hello.c - minimal slapd overlay skeleton */
#include "portable.h"
#include "slap.h"

static slap_overinst hello_ovl;

/* Each operation hook returns SLAP_CB_CONTINUE so the request is passed on
   unchanged to the next overlay or to the real backend. */
static int hello_add(Operation *op, SlapReply *rs) { return SLAP_CB_CONTINUE; }
static int hello_modify(Operation *op, SlapReply *rs) { return SLAP_CB_CONTINUE; }
/* bi_db_close hook; the ConfigReply argument is the OpenLDAP 2.4 signature */
static int hello_close(BackendDB *be, ConfigReply *cr) { return 0; }

/* Entry point slapd calls when the module is loaded with moduleload */
int init_module(int argc, char *argv[])
{
    hello_ovl.on_bi.bi_type = "hello";
    hello_ovl.on_bi.bi_op_add = hello_add;
    hello_ovl.on_bi.bi_op_modify = hello_modify;
    hello_ovl.on_bi.bi_db_close = hello_close;
    return overlay_register(&hello_ovl);
}

Two Examples of Using Overlays
- Password Policy
- Constraint

Password Policy

• Provides password control mechanisms, like password aging, password reuse, mandatory password resets and so on.
• Define multiple password policies by using the 'pwdPolicy' object class.
• Apply specific password policies to entries.
• Configuration directives:
  – moduleload ppolicy.la
  – overlay ppolicy
  – ppolicy_default
  – more explanations in the Linux man page (slapo-ppolicy)

Password Policy (cont.)

Example: Create two different password policies and apply them to entries.

• Load and configure the overlay in slapd.conf:

moduleload ppolicy.la
overlay ppolicy
ppolicy_default cn=default,ou=policy,dc=hp,dc=com

Password Policy (cont.)

• Add two policy entries – policy.ldif:

dn: cn=default,ou=policy,dc=hp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 5
pwdMaxAge: 2592000

dn: cn=strong,ou=policy,dc=hp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: strong
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 1296000

Password Policy (cont.)

• Set the pwdPolicySubentry attribute in a DN – bruce.ldif:

dn: uid=bruce,dc=osms,dc=hp,dc=com
objectClass: inetOrgPerson
uid: bruce
mail: [email protected]
sn: huang
employeeNumber: 111111
cn: Bruce Huang
pwdPolicySubentry: cn=strong,ou=policy,dc=hp,dc=com

Password Policy (cont.)

• Verify that the overlay works by running 'ldappasswd' to change the password of 'uid=bruce,dc=osms,dc=hp,dc=com' to a password shorter than 8 characters:

Result: Constraint violation (19)
Additional info: Password fails quality checking policy

• Note: the bind DN used to change the password must not be the rootdn.
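The policy selection and length check described on these slides, modelled in Python as an added example (not code from the slides or from OpenLDAP); the rootdn value and the 'tommy' entry are constructed for the example.

```python
# Added example, not part of the slides: a model of how slapo-ppolicy chooses
# the policy for an entry and enforces pwdMinLength on a password change.
ROOTDN = "cn=manager,dc=hp,dc=com"                     # assumed rootdn (not on the slides)
PPOLICY_DEFAULT = "cn=default,ou=policy,dc=hp,dc=com"  # ppolicy_default from slapd.conf

# The two pwdPolicy entries from policy.ldif, reduced to the attributes used here
POLICIES = {
    "cn=default,ou=policy,dc=hp,dc=com": {"pwdCheckQuality": 2, "pwdMinLength": 5, "pwdMaxAge": 2592000},
    "cn=strong,ou=policy,dc=hp,dc=com":  {"pwdCheckQuality": 2, "pwdMinLength": 8, "pwdMaxAge": 1296000},
}

# bruce carries pwdPolicySubentry (bruce.ldif); tommy is a constructed entry
# with no subentry and therefore falls back to ppolicy_default.
ENTRIES = {
    "uid=bruce,dc=osms,dc=hp,dc=com": {"pwdPolicySubentry": "cn=strong,ou=policy,dc=hp,dc=com"},
    "uid=tommy,dc=osms,dc=hp,dc=com": {},
}

def policy_for(dn):
    """pwdPolicySubentry on the entry wins; otherwise ppolicy_default applies."""
    subentry = ENTRIES[dn].get("pwdPolicySubentry", PPOLICY_DEFAULT)
    return POLICIES[subentry]

def change_password(bind_dn, target_dn, new_password):
    """Return (result code, message) as ldappasswd would report it.
    The slides note the bind DN must not be the rootdn: slapd's rootdn bypasses
    the overlay, so the quality check is skipped and the change succeeds."""
    if bind_dn == ROOTDN:
        return (0, "Success")
    policy = policy_for(target_dn)
    # pwdMinLength is only enforced when pwdCheckQuality is non-zero
    if policy["pwdCheckQuality"] and len(new_password) < policy["pwdMinLength"]:
        return (19, "Password fails quality checking policy")
    return (0, "Success")

if __name__ == "__main__":
    bruce = "uid=bruce,dc=osms,dc=hp,dc=com"
    print(change_password(bruce, bruce, "short1"))   # 6 chars < pwdMinLength 8
    print(change_password(ROOTDN, bruce, "short1"))  # rootdn: policy not applied
```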

Constraint

• Contributed by HP
• Constrain the values of attributes by character set or regular expression
• Triggered by LDAP add and modify operations
• Configuration directives:
  – constraint_attribute
• Possible values of the constraint type: charset, regex

Constraint (cont.)

• Example: Constrain employeeNumber to 6 digits and cn to letters only
  – Load and configure the overlay in slapd.conf:

…
moduleload constraint.la
overlay constraint
constraint_attribute employeeNumber regex ^[0-9]{6}$
constraint_attribute cn regex ^[a-zA-Z]*$
…

Constraint (cont.)

• Verify it by running 'ldapmodify' to change the employeeNumber attribute of 'uid=bruce,ou=people,dc=hp,dc=com' to a number with 5 digits:
  – modify.ldif:

dn: uid=bruce,ou=people,dc=hp,dc=com
changetype: modify
replace: employeeNumber
employeeNumber: 12345

ldap_modify: Constraint violation (19)
additional info: modify breaks regular expression constraint on employeeNumber
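The regex constraint from the slapd.conf fragment above, modelled in Python as an added example (not code from the slides or from the overlay itself); it also shows that the cn pattern on the slides rejects a cn containing a space, such as the 'Bruce Huang' in bruce.ldif.

```python
# Added example, not part of the slides: a model of the slapo-constraint
# regex check applied to the two constraint_attribute lines from the slides.
import re

# The relevant slapd.conf fragment from the slides, embedded inline
SLAPD_CONF = """
moduleload constraint.la
overlay constraint
constraint_attribute employeeNumber regex ^[0-9]{6}$
constraint_attribute cn regex ^[a-zA-Z]*$
"""

def parse_constraints(conf):
    """Collect 'constraint_attribute <attr> regex <pattern>' directives.
    Attribute names are compared case-insensitively, as LDAP attribute types are."""
    rules = {}
    for line in conf.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "constraint_attribute" and parts[2] == "regex":
            rules.setdefault(parts[1].lower(), []).append(re.compile(parts[3]))
    return rules

def check_modify(rules, changes):
    """changes: {attr: [new values]} from an LDIF 'replace:' modify.
    The overlay matches with regexec(), an unanchored search, so the ^ and $
    in the slides' patterns are what make a whole-value match mandatory."""
    for attr, values in changes.items():
        for rx in rules.get(attr.lower(), []):
            for value in values:
                if not rx.search(value):
                    return (19, "modify breaks regular expression constraint on " + attr)
    return (0, "Success")

RULES = parse_constraints(SLAPD_CONF)

if __name__ == "__main__":
    print(check_modify(RULES, {"employeeNumber": ["12345"]}))   # modify.ldif: 5 digits
    print(check_modify(RULES, {"employeeNumber": ["123456"]}))  # 6 digits: allowed
    # The cn character class has no space, so a two-word cn is rejected
    print(check_modify(RULES, {"cn": ["Bruce Huang"]}))
    print(check_modify(RULES, {"cn": ["Bruce"]}))
```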

More information on overlay

• OpenLDAP admin guide: http://www.openldap.org/doc/admin24/
• Linux man pages
• OpenLDAP source code

Resource, Thanks and Questions

• http://www.openldap.org/conf/odd sandiego-2004/Neil.pdf
• www.hp.com/go/osms
• www.symas.com/

(Special thanks to Neil Dunbar and Kartik Subbarao from the HP directories team)

Appendix: Attribute Uniqueness

• Enforce the uniqueness of one or more attributes in a subtree
• Triggered by the operations of add, modify and modrdn
• Configuration options:
  – unique_base
  – unique_ignore
  – unique_attributes
  – …

Attribute Uniqueness (cont.)

• Example: Enforce the uniqueness of uid and mail for all DNs

moduleload unique.la
overlay unique
unique_base dc=hp,dc=com
unique_ignore objectClass dc ou o cn
unique_attributes uid mail

dn: uid=bruce,ou=people,dc=hp,dc=com
objectClass: inetOrgPerson
uid: bruce
sn: Huang
cn: Bruce
mail: [email protected]

Error message:
Constraint violation (19)
additional info: some attributes not unique

Translucency

• Enable a translucent proxy
• A remote LDAP server and a local database are required
• Entries from the remote server may be overridden (at attribute level) by entries in the local database
• Configuration options:
  – translucent_strict
  – translucent_no_glue

Referential Integrity

• Maintain the cohesiveness of a schema with reference attributes
• Triggered by the operations of modrdn and delete
• Configuration options:
  – refint_attributes
  – refint_nothing
  – refer to the Linux man page (slapo-refint)

Referential Integrity (cont.)

• Example: Remove Jason and have Tommy as his replacement

moduleload refint.la
overlay refint
refint_attributes manager
refint_nothing uid=ytommy,ou=people,dc=hp,dc=com

– Delete "uid=zjason,ou=people,dc=hp,dc=com"
– The manager attribute in "uid=hbruce,ou=people,dc=hp,dc=com" and "uid=ytommy,ou=people,dc=hp,dc=com" is set to "uid=ytommy,ou=people,dc=hp,dc=com" automatically.
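The delete scenario on this slide, modelled in Python as an added example (not code from the slides or from the overlay); the three-entry directory fragment is constructed, and the refint_nothing substitution follows the slapo-refint man page rule that the placeholder is stored only when the last value of the attribute would otherwise be removed.

```python
# Added example, not part of the slides: a model of what slapo-refint does on
# a delete with the refint_attributes / refint_nothing configuration above.
import copy

REFINT_ATTRIBUTES = ["manager"]                        # refint_attributes manager
REFINT_NOTHING = "uid=ytommy,ou=people,dc=hp,dc=com"   # refint_nothing value

# Constructed directory fragment: zjason is the manager of hbruce and ytommy
DIRECTORY = {
    "uid=zjason,ou=people,dc=hp,dc=com": {"uid": ["zjason"]},
    "uid=hbruce,ou=people,dc=hp,dc=com": {"uid": ["hbruce"], "manager": ["uid=zjason,ou=people,dc=hp,dc=com"]},
    "uid=ytommy,ou=people,dc=hp,dc=com": {"uid": ["ytommy"], "manager": ["uid=zjason, ou=people,dc=hp,dc=com"]},
}

def norm(dn):
    """DN equality ignores case and the whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def delete_entry(directory, dn):
    """Delete dn, then fix up every entry whose refint_attributes referenced it.
    Dangling values are removed; when that would remove the attribute's last
    value, refint_nothing is stored instead, which keeps entries valid where
    the schema makes the attribute mandatory. Returns the DNs that were touched."""
    target = norm(dn)
    del directory[dn]
    touched = []
    for other_dn, attrs in directory.items():
        for attr in REFINT_ATTRIBUTES:
            old = attrs.get(attr)
            if not old or not any(norm(v) == target for v in old):
                continue
            kept = [v for v in old if norm(v) != target]
            attrs[attr] = kept if kept else [REFINT_NOTHING]
            touched.append(other_dn)
    return touched

def demo():
    """Run the slide's scenario on a copy and return the resulting directory."""
    directory = copy.deepcopy(DIRECTORY)
    delete_entry(directory, "uid=zjason,ou=people,dc=hp,dc=com")
    return directory

if __name__ == "__main__":
    for dn, attrs in demo().items():
        print(dn, "-> manager:", attrs.get("manager"))
```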