Directory Services Landscape: Services, Technologies, Protocols - PowerPoint PPT Presentation

SLIDE 1

07/08/2000 1

Directory Services Landscape

Services, Technologies, Protocols, Products, and the Medium

Mohsen Banan <public@mohsen.banan.1.byname.net>

SLIDE 2

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 3

Basic Directory Concepts

  • Prior to the initiation of any communication, some addressing and other infrastructural information is needed for interconnection of information processing systems
  • Directory services provide access to such information
  • “The Directory” is an integrated whole, consisting of a set of systems and the directory information they hold, that provide the addressing and other infrastructural information needed for communication

SLIDE 4

Basic Directory Concepts

  • The Directory (singular) is an integrated whole: one global name space
  • The Directory is not intended to be a general-purpose database system
  • A considerably higher frequency of ‘queries’ than of updates is assumed
  • Transient conditions where both old and new versions of the same information are available are quite acceptable
  • Except for unpropagated updates and access rights, the results of directory queries will not be dependent on the identity or location of the inquirer

SLIDE 5

Directory and Users

[Figure: a Directory User accesses The Directory through a DUA (Directory User Agent)]

SLIDE 6

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 7

X.500 Topics

  • OSI Directory Services standards (The Dreams)
    – Directory Model
    – Information Model
    – Security Model
  • Directory Services Implementations and Applications (Reality)
    – Scope and field of application of OSI Directory Services
    – Expected Evolution of Directory Services
    – IBM, DEC and others
    – Internet White-Pages Pilot Project
  • Conclusions

SLIDE 8

Information Model

  • Directory Information Base (DIB)
    – All information to which the Directory provides access
    – Without regard to distributed or centralized architecture
    – Without regard to hierarchy

SLIDE 9

Information Model: Entries

[Figure: an Entry is a set of Attributes; each Attribute has a Type and one or more Values, one of which is the Distinguished Value]

SLIDE 10

Information Model: Directory Information Tree (DIT)

[Figure: the DIT, a tree of Entries (each made of Attribute Types and Values); an Alias entry points to another entry in the tree]

SLIDE 11

Information Model Schema

  • The Directory Schema comprises a set of:
    – DIT structure definitions
    – Object classes
    – Attribute types
    – Attribute syntaxes

SLIDE 12

Functional Model

[Figure: Distributed Directory Service Model: three DUAs connected to three interconnected DSAs over DAP]

  • Distributed Directory Service Model
    – DAP = Directory Access Protocol
    – DSP = Directory System Protocol
    – DUA = Directory User Agent
    – DSA = Directory System Agent

SLIDE 13

Functional Model

  • Referrals
  • Chaining
  • Multi-casting

SLIDE 14

Functional Model

[Figure: Referrals. A DUA sends a Request to one of the DSAs that make up The Directory; the Response refers the DUA to another DSA, which the DUA then contacts itself]

  • Referrals

SLIDE 15

Functional Model

[Figure: Chaining. A DUA sends a Request to one DSA of The Directory; that DSA forwards the Request to the other DSAs and relays their Response back to the DUA]

  • Chaining

SLIDE 16

Functional Model

[Figure: Multi-Casting. A DUA sends a Request to one DSA of The Directory; that DSA forwards the Request to several DSAs at once and returns the Response it receives]

  • Multi-Casting
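
Referrals and chaining from the three slides above, as an added example that is not part of the original deck: a toy model in which each DSA is authoritative for one naming context and a DUA asks one DSA for an entry held by another. The DSA names, DNs and attribute values are constructed for this example; multi-casting is not modelled.

```python
# Added example, not from the slides: a toy model of the functional model above.
# Each DSA is authoritative for one naming context (a DIT subtree named by its
# DN suffix) and knows the others' contexts. A DUA sends a single DAP read; a
# DSA that does not hold the entry either returns a referral, which the DUA
# follows itself, or chains the request over DSP and relays the answer.

class DSA:
    def __init__(self, name, context, entries, peers):
        self.name, self.context = name, context
        self.entries, self.peers = entries, peers   # {dn: attrs}, list of all DSAs

    def holds(self, dn):
        return dn == self.context or dn.endswith("," + self.context)

    def locate(self, dn):
        # knowledge references: the DSA whose context is the longest suffix of dn
        hits = [d for d in self.peers if d.holds(dn)]
        return max(hits, key=lambda d: len(d.context)) if hits else None

    def read(self, dn, mode, trace):
        trace.append(f"{self.name} receives read({dn})")
        if self.holds(dn):
            return self.entries.get(dn)             # None if no such entry
        target = self.locate(dn)
        if target is None:
            return None                             # nobody is authoritative
        if mode == "referral":
            trace.append(f"{self.name} returns referral -> {target.name}")
            return ("referral", target)             # the DUA has to follow it
        trace.append(f"{self.name} chains (DSP) -> {target.name}")
        return target.read(dn, mode, trace)         # chaining: the DSA forwards

def dua_read(dsa, dn, mode, trace):
    """The DUA's view: one DAP request, following any referral it gets back."""
    result = dsa.read(dn, mode, trace)
    while isinstance(result, tuple) and result[0] == "referral":
        trace.append(f"DUA follows referral to {result[1].name}")
        result = result[1].read(dn, mode, trace)
    return result

PEERS = []                                          # shared knowledge of all DSAs
DSA_US = DSA("DSA-US", "c=US", {"cn=Ann,o=Acme,c=US": {"mail": ["ann@acme.example"]}}, PEERS)
DSA_FR = DSA("DSA-FR", "c=FR", {"cn=Luc,o=Bleu,c=FR": {"mail": ["luc@bleu.example"]}}, PEERS)
PEERS.extend([DSA_US, DSA_FR])

def demo(mode, dn="cn=Luc,o=Bleu,c=FR"):
    """Ask DSA-US for an entry that DSA-FR holds; return (entry, message trace)."""
    trace = []
    return dua_read(DSA_US, dn, mode, trace), trace
```

In "referral" mode the DUA exchanges two DAP requests (and must be able to reach DSA-FR); in "chaining" mode it sees one, and the DSAs talk to each other.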

SLIDE 17

The X.500 Recommendation (ISO-9594)

  • X.500 Overview
  • X.501 Models
  • X.509 Authentication Framework
  • X.511 Abstract Service Definition
  • X.518 Procedures for Distributed Operations
  • X.519 Protocol Specifications
  • X.520 Selected Attribute Types
  • X.521 Selected Object Classes

SLIDE 18

Field of Applications of OSI Directory Services

  • Inter-personal Communication
    – Provide humans or their agents with information on how to communicate with other humans, or groups thereof
  • Inter-system Communication
    – Map application-titles onto presentation addresses
  • Authentication

SLIDE 19

X.500 Conclusions

  • X.500 provides a valuable model and terminology for directory
  • Implementations of OSI Directory Services that address the local and enterprise-wide directory requirements will soon be available from a number of vendors
  • “Global OSI Directory” requires completion of the specification
  • We need to understand our directory requirements and properly apply OSI Directory Services to those requirements
  • Policies and procedures for administration of an enterprise-wide directory must be very carefully planned

SLIDE 20

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 21

Security Model

  • Authentication
  • Public Key Cryptographic Systems (PKCS)
  • Digital Signatures

SLIDE 22

Security Model

[Figure: Data encrypted with the Public key half gives Cipher, which the Private key half turns back into Data, and vice versa]

  • Public Key Cryptographic Systems (PKCS)
    – Data encrypted by one key half can only be decrypted by the matching key half

SLIDE 23

Security Model

  • Digital Signatures

[Figure: the Signer(x) hashes info with h and encrypts (E) h(info) under its Secret key (Xs), sending Xs[h(info)] together with info; the recipient decrypts (D) Xs[h(info)] with the Public key (Xp), recomputes h(info) and compares the two]
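
The signature flow in the figure above, as an added example that is not part of the original deck: textbook RSA applied to a SHA-256 hash, with Xs used to sign and Xp used to verify. The primes are hand-picked toy values and the scheme omits padding, both purely for illustration.

```python
# Added example, not from the slides: the signature flow in the figure above,
# done with textbook RSA over a SHA-256 hash. The signer applies the secret key
# Xs to h(info); the recipient applies the public key Xp to the signature and
# compares the result with its own h(info). The primes are small, hand-picked
# values for illustration only: real systems use 2048-bit or larger moduli and
# a padding scheme (PKCS#1 v1.5 or PSS), never raw RSA on a bare hash.
import hashlib

def make_keypair(p, q, e=65537):
    """Return (Xp, Xs) = ((e, n), (d, n)) from two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def h(info, n):
    """h(info): SHA-256 of the message, reduced modulo the toy n so it fits."""
    return int.from_bytes(hashlib.sha256(info).digest(), "big") % n

def sign(info, xs):
    """Signer: Xs[h(info)] = h(info)^d mod n."""
    d, n = xs
    return pow(h(info, n), d, n)

def verify(info, signature, xp):
    """Recipient: recover h from the signature with Xp and compare with h(info)."""
    e, n = xp
    return pow(signature, e, n) == h(info, n)

# Constructed toy parameters: 104729, 1299709 and 15485863 are the 10,000th,
# 100,000th and 1,000,000th primes.
XP_SIGNER, XS_SIGNER = make_keypair(104729, 1299709)
XP_OTHER, XS_OTHER = make_keypair(1299709, 15485863)   # someone else's key pair

def demo():
    info = b"certificate request: cn=Ann,o=Acme,c=US"    # constructed message
    sig = sign(info, XS_SIGNER)
    return {
        "valid": verify(info, sig, XP_SIGNER),            # True
        "tampered": verify(info + b"!", sig, XP_SIGNER),  # False: h(info) changed
        "wrong_key": verify(info, sig, XP_OTHER),         # False: Xp does not match Xs
    }

if __name__ == "__main__":
    print(demo())
```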

SLIDE 24

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 25

LDAP-related RFCs

  • RFC-1777 Lightweight Directory Access Protocol
  • RFC-1558 A String Representation of LDAP Search Filters
  • RFC-1778 The String Representation of Standard Attribute Syntaxes
  • RFC-1779 A String Representation of Distinguished Names
  • RFC-1798 Connectionless LDAP
  • RFC-1823 The LDAP Application Program Interface
  • RFC-1959 An LDAP URL Format

SLIDE 26

What is LDAP?

  • What is LDAP?

LDAP is a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers.

  • Why do we need LDAP? Why don’t we just use X.500?

LDAP does not require the upper layers of the OSI stack, it is a simpler protocol to implement (especially in clients), and LDAP is under IETF change control and so can more easily evolve to meet Internet requirements.

SLIDE 27

LDAP Info Model

  • What can I store in an LDAP directory?

The LDAP information model is based on the entry, which contains information about some object (e.g., a person). Entries are composed of attributes, which have a type and one or more values. Each attribute has a syntax that determines what kind of values are allowed in the attribute and how those values behave during directory operations. Examples of attribute syntaxes are for IA5 (ASCII) strings, JPEG photographs, u-law encoded sounds, URLs and PGP keys.

SLIDE 28

LDAP & X.500

  • Can I connect a stand-alone LDAP directory server into an X.500 directory?

Yes! See for example the X.500 Enabler.
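
The LDAP information model from the preceding slides (entries, typed multi-valued attributes, and syntaxes that govern both what a value may be and how it compares during an operation), as an added example that is not part of the original deck. The attribute types, syntaxes and entry data are constructed and only approximate the real LDAP schema.

```python
# Added example, not from the slides: a small model of the LDAP information
# model. An entry holds typed, multi-valued attributes; each type is bound to a
# syntax that decides which values are legal and how values compare during a
# directory operation (here, an equality search filter). Types, syntaxes and
# entry data are constructed and only approximate the real LDAP schema.

def case_ignore(v):
    return " ".join(v.lower().split())   # fold case and surplus whitespace

class Syntax:
    def __init__(self, name, valid, normalize=lambda v: v):
        self.name, self.valid, self.normalize = name, valid, normalize

IA5_STRING = Syntax("IA5String", lambda v: v.isascii(), case_ignore)       # ASCII only
DIR_STRING = Syntax("DirectoryString", lambda v: len(v) > 0, case_ignore)  # any text
EXACT_STRING = Syntax("CaseExactString", lambda v: len(v) > 0)             # compared as stored
URL = Syntax("URL", lambda v: v.startswith(("http://", "ldap://")))

SCHEMA = {"cn": DIR_STRING, "mail": IA5_STRING, "labeledURI": URL, "employeeNumber": EXACT_STRING}

class Entry:
    def __init__(self, dn):
        self.dn, self.attrs = dn, {}                 # attribute type -> list of values

    def add(self, attr_type, value):
        syntax = SCHEMA.get(attr_type)
        if syntax is None:
            raise ValueError(f"undefined attribute type: {attr_type}")
        if not syntax.valid(value):
            raise ValueError(f"{value!r} violates {syntax.name} syntax of {attr_type}")
        self.attrs.setdefault(attr_type, []).append(value)

    def matches(self, attr_type, assertion):
        """Equality filter (attr_type=assertion) under the type's matching behaviour."""
        norm = SCHEMA[attr_type].normalize
        return any(norm(v) == norm(assertion) for v in self.attrs.get(attr_type, []))

def demo():
    """Build one entry, then try three values that the schema must reject."""
    e = Entry("cn=Ann Example,o=Acme,c=US")
    for t, v in (("cn", "Ann Example"), ("cn", "Ann"), ("mail", "ann@acme.example"),
                 ("labeledURI", "http://www.acme.example/~ann"), ("employeeNumber", "E-0042")):
        e.add(t, v)
    errors = []
    for t, v in (("mail", "ann@acm\u00e9.example"), ("labeledURI", "ftp://x"), ("bogus", "1")):
        try:
            e.add(t, v)
        except ValueError as exc:
            errors.append(str(exc))
    return e, errors
```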

SLIDE 29

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 30

Domain Name System (DNS)

  • What is DNS?

DNS is a distributed Internet directory service. DNS is used mostly to translate between domain names and IP addresses, and to control Internet email delivery. Most Internet services rely on DNS to work, and if DNS fails, web sites cannot be located and email delivery stalls.

SLIDE 31

Structure of DNS Name

  • Each name consists of a sequence of alphanumeric components separated by periods
  • Examples:
    – www.eg.bucknell.edu
    – www.netbook.cs.purdue.edu
    – charcoal.eg.bucknell.edu
  • Names are hierarchical, with most-significant component on the right
  • Left-most component is computer name

SLIDE 32

DNS naming structure

  • Top level domains (right-most components; also known as TLDs) defined by global authority
  • Organizations apply for names in a top-level domain:
    – bucknell.edu
    – macdonalds.com
  • Organizations determine own internal structure
    – eg.bucknell.edu
    – cs.purdue.edu

SLIDE 33

Top Level Domains

  Domain Name    Assigned To
  com            Commercial organization
  edu            Educational institution
  gov            Government organization
  mil            Military group
  net            Major network support center
  org            Organization other than those above
  arpa           Temporary ARPA domain (still used)
  int            International organization
  country code   A country

SLIDE 34

Name Server Concept

  • Zone
    – A zone is part of the name space (such as ee.usm.maine.edu or bbn.com) delegated to a single server. If a nameserver is listed at the InterNIC (or at a higher-level nameserver) as authoritative for part of the name space, and it has full data on that part of the name space, then it is authoritative for that zone.
  • Domain
    – A domain is also part of the name space, but it may cover several zones (maine.edu is a domain that covers both the usm.maine.edu and the caps.maine.edu zones).

SLIDE 35

Zone Example

[Figure: the .edu domain contains .mit.edu and .maine.edu, and .maine.edu in turn contains .usm.maine.edu; the .edu zone, the .maine.edu zone and the .usm.maine.edu zone are each delegated to their own server]
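
The domain-versus-zone distinction from the two slides above, as an added example that is not part of the original deck: given a constructed set of delegations, it finds the zone whose server is authoritative for a name, and separately tests domain membership, so that caps.maine.edu is inside the maine.edu zone while usm.maine.edu is its own zone. The zone list and names are constructed to mirror the .edu figure.

```python
# Added example, not from the slides: the domain/zone distinction computed from
# a constructed set of zone cuts. A domain is the whole subtree under a name; a
# zone is the part of that subtree a single server is authoritative for, which
# stops wherever a child zone has been delegated to someone else.

def labels(name):
    """Split 'www.usm.maine.edu' into its dot-separated components, TLD last."""
    return [c for c in name.lower().strip(".").split(".") if c]

def in_domain(name, domain):
    """True if name lies anywhere in the subtree of domain (zone cuts ignored)."""
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d

def zone_of(name, zones):
    """The zone whose server is authoritative for name: the longest delegated
    suffix, because every delegation below a zone cuts that part out of it."""
    best = None
    for zone in zones:
        if in_domain(name, zone) and (best is None or len(labels(zone)) > len(labels(best))):
            best = zone
    return best

def host_and_tld(name):
    """Left-most component is the computer name, right-most the top level domain."""
    c = labels(name)
    return c[0], c[-1]

# Constructed delegations: the root delegates edu and com; edu delegates maine.edu
# and mit.edu; maine.edu delegates usm.maine.edu but keeps caps.maine.edu itself.
ZONES = [".", "edu", "com", "maine.edu", "usm.maine.edu", "mit.edu"]

def demo():
    names = ["www.usm.maine.edu", "mail.caps.maine.edu", "www.mit.edu", "bbn.com"]
    return {n: (zone_of(n, ZONES), in_domain(n, "maine.edu")) for n in names}
```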

SLIDE 36

Name Servers

  • The DNS Server
    – Answers DNS queries sent by resolvers
    – Listens at UDP and TCP port 53
      • UDP for routine queries
      • TCP used for zone transfers
  • Configurations
    – Caching-only: relies on other name servers for authoritative answers
    – Primary: contains the writable authoritative copy for the zones that it is primary for
    – Secondary: contains a mirror copy of the data from a primary nameserver. No updates take place here; used to provide redundancy

SLIDE 37

Client-server computing

  • Clients and servers communicate in distributed computing
    – Client initiates contact to request some remote computation
    – Server waits for clients and answers requests as received
  • Clients are usually invoked by users as part of an end-user application
  • Servers are usually run on central, shared computers

SLIDE 38

Primary vs. Secondary Servers

  • Primary
    – Data loaded from a file
    – One primary server per zone
  • Secondary
    – Data transferred from a primary server
    – Data may be stored in a file
    – Checks every refresh period with the primary, looking for changes
    – Might have many secondaries per zone

SLIDE 39

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 40

NDS According to Novell

  • Directory-enabled applications are the future of e-business -- the directory will soon be to the network what the operating system is to the PC.
  • eDirectory supports more open standards and protocols than all other directory services combined.
  • It is well on its way to becoming the de facto standard for directory services.
  • Companies like Alta Vista, BroadVision, Cisco, CNN, Lucent Technologies, Nortel, Oracle, Sun Microsystems, Xircom, and many others support NDS and offer NDS-enabled services.
  • This NDS momentum is driving computing into a new era based on the directory.

SLIDE 41

NDS Security According to Novell

  • With NDS eDirectory you can also be sure your resources are secure.
  • eDirectory’s superior security features include:
    – Novell International Cryptographic Infrastructure
    – passwords encrypted over Secure Sockets Layer
    – RSA private key/public key encryption
    – Secure Authentication Services, smart cards, and X.509v3 certificates
  • You will be able to designate exactly who is allowed access to which information; granting rights to one directory will not provide rights to your entire network or even to all the information in that directory.

SLIDE 42

NDS Comparison According to Novell

  • Why is NDS eDirectory better for e-business than Netscape Directory Server, Oracle Internet Directory or other existing LDAP directories? Besides a technical argument, we can boil our answer down to three reasons:
    – Maturity -- we’ve been around for 8 years.
    – Performance -- Key Labs testing shows that we beat Netscape in head-to-head benchmarking
    – Scalability -- we demonstrated at Brainshare SLC 99 a billion-user tree

Check out www.novell.com/advantage/nds for competitive briefs.

SLIDE 43

NDS vs. X.500 According to Novell

  • X.500 directories are being pulled along as part of PKI deployments; how do you expect NDS to penetrate this market?

NDS eDirectory provides the foundation for e-business. Security and PKI are becoming an increasingly important component in the e-business e-costructure.

SLIDE 44

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 45

What About SQL?

  • Structured Query Language (SQL) is a language that provides an interface to relational database systems. SQL was developed by IBM in the 1970s for use in System R.
  • SQL is a de facto standard, as well as an ISO and ANSI standard. SQL is often pronounced SEQUEL.
  • In common usage SQL also encompasses DML (Data Manipulation Language), for INSERTs, UPDATEs and DELETEs, and DDL (Data Definition Language), used for creating and modifying tables and other database structures.
  • The development of SQL is governed by standards. A major revision to the SQL standard was completed in 1992, called SQL2. SQL3 supports object extensions and will be (partially?) implemented in Oracle8.

SLIDE 46

SQL Features

  • SQL allows users to access data in relational database management systems, such as Oracle, Sybase, Informix, Microsoft SQL Server, Access, and others, by allowing users to describe the data the user wishes to see.
  • SQL also allows users to define the data in a database, and manipulate that data.

SLIDE 47

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 48

Others & Misc

  • Oracle
  • Netscape Directory
  • The Web itself
  • ….

SLIDE 49

Outline

  • Directory Concepts
  • X.500 & OSI Directory
  • X.509 & PKI
  • LDAP
  • Domain Name System (DNS)
  • Novell Directory Services (NDS)
  • SQL & Oracle
  • Misc.
  • Predictions & the Future

SLIDE 50

True Of All

  • Technology is not all that relevant
  • What information & why?
  • Who owns the information
  • Trust -- Show stopper -- Unless dealt with
  • Privacy -- Show stopper -- Unless dealt with
  • Not a big brother problem -- Lots of small brothers