

1. The LDAP Directory Life After Sun
   A story of migration
   Alban MEUNIER, IdM Senior consultant
   ameunier@smartwavesa.com
   www.smartwavesa.com

2. Agenda
   - Introduction
   - Common layer
   - Migrate a standalone instance
   - Migrate a replicated infra
   - Migrate a complex LDAP infra
   - Conclusion

3. Agenda
   - Introduction
   - Common layer
   - Migrate a standalone instance
   - Migrate a replicated infra
   - Migrate a complex LDAP infra
   - Conclusion

4. Introduction
   - Ageing versions of the former directory market leaders
     - Sun Directory 5.2
     - Novell eDirectory 8.7
   - The compatibility matrix of applications has changed
     - From: Solaris and SUSE; Sun and Novell directories
     - To: MS Active Directory; LDAP v3, OpenLDAP; IBM TDS, OpenDJ, Apache DS, Red Hat DS
   - Open source has left the universities
     - Political trend in the public sector
     - Ready for critical applications
     - Several enterprise-grade projects

5. Agenda
   - Introduction
   - Common layer
   - Migrate a standalone instance
   - Migrate a replicated infra
   - Migrate a complex LDAP infra
   - Conclusion

6. Common layer
   - The directory you operate is unique
     - Fast
     - Stable
     - Effortless to operate
     - Fits all the current needs
     - Low or no remaining support cost
     - Well designed, with no need to improve
   - Unique? Probably not...

7. Common layer
   - Limited implementation of best practices
     - Intensive usage of the default admin account
     - Poor password policy
     - Use of insecure (cleartext) LDAP communication
     - Logs not consolidated
     - No regular DRP tests
     - Lazy schema extension (no unique OID numbers)
     - Minimal or no periodic reports
   - External constraints force you to plan a migration
     - Better Microsoft integration (AD, SharePoint)
     - New OS, virtualisation
     - New vendor strategic partnerships
     - Delegated operation (contractor, self-service, application owner)

8. Common layer
   Anticipate and choose your migration path

9. Start with a good preparation
   - Data cleaning
     - Attributes with no value
     - Unify data formats
     - Unused entries
   - Schema check
     - Identify unused extensions
     - Have your IANA PEN ready: http://pen.iana.org/pen/PenApplication.page
   - Indexes
   - Third parties: inventory and DNS aliases
     - Scripts, application configuration
     - DNS, load balancers, LDAP proxies, virtual directory

10. Start with a good preparation
   - Well-known complex features
     - Define minimum performance metrics
     - Multiple intricate nested groups
     - ACLs
       - avoid redundancy and conflicting rules
       - limit personal ACLs and privileged groups/sub-trees
   - Check the best way to track fine-grained changes
     - Change log, audit log, persistent search
     - External tool for delta evaluation
     - Identity management, provisioning
   - Supported controls
     - Server-Side Sort Control, Virtual List View Control, ...
     - Persistent Search Control, Proxy Authorisation Control, Get Effective Rights Control, ...
     - ldapsearch -s base -b "" "(objectclass=*)" supportedControl
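The rootDSE query on this slide returns one supportedControl line per OID, which is tedious to compare by eye against what the applications need. The following is an added example (not code from the presentation) that parses captured ldapsearch output and reports the required controls a candidate directory does not advertise. The required list uses the standard OIDs of the controls the slide names; the sample rootDSE output is constructed for the example.

```python
"""Compare the controls a directory advertises with the controls the
application stack needs. Added example, not from the original slides: it
parses the LDIF that `ldapsearch -s base -b "" "(objectclass=*)" supportedControl`
prints, so it runs offline on captured output (the sample below is constructed)."""

# Controls named on the slide, keyed by their standard OID.
REQUIRED_CONTROLS = {
    "1.2.840.113556.1.4.473": "Server-Side Sort (RFC 2891)",
    "2.16.840.1.113730.3.4.9": "Virtual List View request",
    "2.16.840.1.113730.3.4.3": "Persistent Search",
    "2.16.840.1.113730.3.4.18": "Proxied Authorization v2 (RFC 4370)",
    "1.3.6.1.4.1.42.2.27.9.5.2": "Get Effective Rights",
}

# Constructed sample: what a rootDSE query against a hypothetical candidate
# directory might return. It deliberately lacks Persistent Search and Get
# Effective Rights, and one OID is folded over two lines as ldapsearch does.
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.
 18
supportedControl: 1.3.6.1.1.12
supportedControl: 2.16.840.1.113730.3.4.2
"""

def parse_supported_controls(ldif_text):
    """Return the set of OIDs listed as supportedControl in a rootDSE LDIF dump.

    A line starting with a space continues the previous line (LDIF folding),
    so wrapped OIDs are reassembled before matching.
    """
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    oids = set()
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids

def missing_controls(ldif_text, required=REQUIRED_CONTROLS):
    """Map each required control the server does NOT advertise to its name.

    An empty result means the directory can serve every control the
    applications depend on; each entry otherwise is a workaround, a custom
    extension or a vendor change to plan for, as the slides list.
    """
    advertised = parse_supported_controls(ldif_text)
    return {oid: name for oid, name in required.items() if oid not in advertised}

if __name__ == "__main__":
    for oid, name in sorted(missing_controls(SAMPLE_ROOTDSE).items()):
        print(f"MISSING {name} ({oid})")
```

Run it once per candidate vendor and version on the DEV environment; the missing list is the input to the decision on the later "Install a DEV environment" slide (workaround in the clients, custom extension, or change of vendor).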

11. The password case
   - The password policies
     - Identify each one and get
       - complexity
       - entries concerned
       - inheritance
   - Get the special attributes, like
     - Pointers to the password policy
     - Failed login count
     - Locked status
   - Internal key for password encryption
     - Gettable or not
     - Compatible hash or not
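The "compatible hash or not" question decides whether users keep their password through the migration or must reset it. The following added example (not from the presentation) triages exported userPassword values by their RFC 2307 `{SCHEME}` prefix, verifies the portable schemes offline, and counts the values that only the source vendor could verify. The list of portable schemes and every sample value are assumptions constructed for the example; check the target vendor's documented schemes before relying on it.

```python
"""Triage exported userPassword values before a migration: which hash schemes
the target directory can verify as-is and which accounts need a password
reset. Added example, not from the slides; it follows the RFC 2307 {SCHEME}
prefix convention, and every sample value below is constructed here."""
import base64
import hashlib
import hmac
import os

# Schemes a typical target directory can verify: (digest algorithm, salted?).
# Assumption for the example; confirm against the target vendor's list.
PORTABLE = {
    "SHA": ("sha1", False), "SSHA": ("sha1", True),
    "MD5": ("md5", False), "SMD5": ("md5", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}

def split_scheme(value):
    """Return (SCHEME, payload); a value with no {SCHEME} prefix is cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, _, payload = value[1:].partition("}")
        return scheme.upper(), payload
    return "CLEAR", value

def make_hash(password, scheme="SSHA", salt=None):
    """Encode a password the way a directory stores it: {SCHEME}b64(digest || salt)."""
    algo, salted = PORTABLE[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def verify(value, password):
    """True if `password` matches a stored value in a portable scheme.

    Non-portable schemes return False: they cannot be checked without the
    source vendor's internal key, which is the slide's 'gettable or not' point.
    """
    scheme, payload = split_scheme(value)
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), password.encode("utf-8"))
    if scheme not in PORTABLE:
        return False
    algo, _ = PORTABLE[scheme]
    raw = base64.b64decode(payload)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]          # the salt is whatever follows the digest
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)

def triage(values):
    """Count userPassword values per scheme, split into 'portable' (migrate
    as-is) and 'reset' (vendor-internal encryption, crypt variants, unknown)."""
    report = {"portable": {}, "reset": {}}
    for v in values:
        scheme, _ = split_scheme(v)
        bucket = "portable" if scheme in PORTABLE or scheme == "CLEAR" else "reset"
        report[bucket][scheme] = report[bucket].get(scheme, 0) + 1
    return report

# Constructed sample export: two portable hashes, one cleartext value, and two
# prefixes a new directory cannot verify (placeholder payloads, not real hashes).
SAMPLE_PASSWORDS = [
    make_hash("Secret123", "SSHA", b"saltsalt"),
    make_hash("Secret123", "SHA256"),
    "Welcome1",
    "{CRYPT}placeholder-crypt-payload",
    "{AES}placeholder-vendor-reversible-payload",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PASSWORDS))
    print(verify(SAMPLE_PASSWORDS[0], "Secret123"))  # True
```

The counts in the "reset" bucket size the communication and help-desk effort of the go-live; the cleartext bucket, if not empty, is itself a finding to fix in the new password policy rather than something to carry over.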

12. The operational attributes are often lost or changed
   - Timestamps
     - Creation
     - Modification
     - Last login
   - DN
     - Created by, updated by
     - Parent entry, referral
   - Other
     - Number of subordinates
     - Internal entry ID
     - Tombstone and replication data
     - Virtual attributes

13. Different LDAPv3 implementations
   - Schema
     - inetOrgPerson vs user
     - groupOfNames vs groupOfUniqueNames
     - naming attributes (users with uid vs cn)
   - DIT
     - An entry can be a container or a leaf
   - ACL
     - No standard for the syntax
     - Several types (global, default, custom, dynamic)
   - Plug-ins, overlays, extensions, DSML
   - Virtual attributes

14. Install a DEV environment
   - Check supported controls
     - If all you need is present: fine
     - If not, you will have to
       - find a workaround in the client applications
       - develop a custom extension of the directory, if possible
       - change the version/vendor of the new directory
   - Check the existing vendor schema
     - Check the attribute syntaxes of the vendor schema (DN, timestamp)
     - Check required and optional attributes
     - Adapt if necessary (script the changes for future updates)
     - Extend the schema using your OID
   - Set indexes and virtual attributes (if supported)

15. Tune the DEV environment
   - Activate LDAPS/TLS and HTTPS
   - Adjust anonymous access
   - Rewrite the ACLs and referrals
   - Rewrite the password policies
   - Plug-ins, overlays, extensions, DSML
   - Implement regular monitoring (SNMP, logs, scripts, ...)
   - Think about periodic reports (dedicated tools, custom scripts, or standard tools with http://myvd.sourceforge.net/bridge.html)
   - Update best practices and docs

16. Install a PROD environment
   - Install as DEV, but
     - Rename and/or use non-default admins
     - Use complex and dedicated passwords
     - Use encrypted disk volumes
     - Use a dedicated system user and avoid root
     - Use scripted installation (+++)
     - Bind to a specific network interface
   - Set the certificates
     - CA certificate
     - Instance certificate
     - Replication certificates
     - Activate LDAPS, TLS, HTTPS
     - Client certificate store

17. Backup and restore
   - Backup
     - Old directory
     - New directory with no data
   - TEST a full restore
     - Old directory (on a new machine)
     - New directory
       - Environment
       - Engine
       - Instance
       - Configuration
   - TEST at least one rollback
     - Define the procedure and the time needed for a rollback

18. Go live
   - Communicate about the changes and the potential service disruption
   - Load the data in the new directory (detailed in the next slides)
   - Check list
     - Apply the remaining delta from the old directory, if any
     - Open firewalls, switch DNS aliases
     - Restart some client applications
   - Get confident with the new directory
   - Decommission the old directory

19. Agenda
   - Introduction
   - Common layer
   - Migrate a standalone instance
   - Migrate a replicated infra
   - Migrate a complex LDAP infra
   - Conclusion

20. Standalone: compatible directory
   - Examples of compatible directories
     - Same vendor, release N -> N+x (including Sun -> Oracle)
     - Same origin, such as
       - Sun -> Red Hat DS, CentOS DS, 389
       - OpenDS -> OpenDJ, Oracle Unified Directory
   - Set up the replication
     - Configure a ONE-WAY flow
       - Old to new
       - Two-way flows are rarely supported
   - Initialise the new directory with the data from the old one

21. Standalone: not compatible directory
   - On the old directory
     - activate the changelog / audit log / persistent search tool
     - prepare delta export and import automation (coexistence)
   - Export the data in LDIF
     - Full DB if possible, to avoid virtual attributes and referrals
     - Data without following referrals
   - Adapt the export file to be compliant with the new directory
     - ++++ script +++++
     - Normalise DNs (', ' -> ',', case)
     - Add: objectClass, default values
     - Remove: system attributes, incompatible attributes/objectClasses
     - Change: attribute names, trim spaces, date format, DIT, referrals
     - ...

22. Standalone: not compatible directory
   - Import the LDIF in the new directory
     - When possible, use bulk import tools
   - On the new directory
     - activate the changelog / audit log / persistent search tool
     - prepare delta export and import automation (rollback)
   - ++++ script +++++
     - Normalise DNs (', ' -> ',', case)
     - Add: objectClass, default values
     - Remove: system attributes, incompatible attributes/objectClasses
     - Change: attribute names, trim spaces, date format, DIT, referrals
     - ...
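The "++++ script +++++" on the two preceding slides (and the data cleaning of slide 9: attributes with no value, unified data formats) is the part of a not-compatible migration that is entirely yours to write. The following is an added example, not the presentation's own script, of such an adaptation pass: it parses an LDIF export, normalises DNs, removes operational and empty attributes, renames attributes and object classes, converts a date format, and adds default values. The rule tables (which attributes are operational, `uniqueMember -> member`, `groupOfUniqueNames -> groupOfNames`, the `hireDate` attribute, the `preferredLanguage` default) and the sample export are assumptions constructed for the example; adjust them to the real source and target schemas.

```python
"""Adapt an LDIF export for a not-compatible target directory: normalise DNs,
add defaults, remove system attributes, change names and formats. Added
example, not the slides' own script; the rule tables and the sample export
below are assumptions constructed for it."""
import base64
import re
from datetime import datetime

OPERATIONAL = {"creatorsname", "modifiersname", "createtimestamp",       # Remove
               "modifytimestamp", "nsuniqueid", "entryuuid", "numsubordinates"}
RENAME_ATTR = {"uniquemember": "member"}                        # Change: attribute name
RENAME_CLASS = {"groupofuniquenames": "groupOfNames"}           # Change: objectClass
DN_VALUED = {"member", "owner", "seealso"}                      # DN-syntax values
DATE_ATTRS = {"hiredate"}                                       # dd/mm/yyyy -> GeneralizedTime
DEFAULTS = {"inetorgperson": [("preferredLanguage", "en")]}     # Add: default values

def parse_ldif(text):
    """LDIF -> [(dn, [(attr, value), ...])]: unfolds continuation lines, decodes
    '::' base64 values, skips records with no dn (e.g. a 'version: 1' header)."""
    records, lines = [], []
    def flush():
        attrs = []
        for line in lines:
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            value = base64.b64decode(value[1:].strip()).decode("utf-8") if value.startswith(":") else value.strip()
            attrs.append((name.strip(), value))
        dn = next((v for a, v in attrs if a.lower() == "dn"), None)
        if dn is not None:
            records.append((dn, [(a, v) for a, v in attrs if a.lower() != "dn"]))
        lines.clear()
    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    flush()
    return records

def normalise_dn(dn):
    """', ' -> ',' and lower-case attribute types; RDN values keep their case."""
    rdns = []
    for rdn in re.split(r"(?<!\\),\s*", dn.strip()):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip()}")
    return ",".join(rdns)

def to_generalized_time(value):
    """dd/mm/yyyy -> yyyymmddHHMMSSZ; any other format is passed through."""
    try:
        return datetime.strptime(value, "%d/%m/%Y").strftime("%Y%m%d%H%M%SZ")
    except ValueError:
        return value

def transform(record):
    """Apply the remove / change / add rules to one parsed entry."""
    dn, attrs = record
    classes = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
    out = []
    for attr, value in attrs:
        key = attr.lower()
        if key in OPERATIONAL or value == "":      # system attribute or empty value
            continue
        if key == "objectclass":
            value = RENAME_CLASS.get(value.lower(), value)
        attr, key = RENAME_ATTR.get(key, attr), RENAME_ATTR.get(key, key)
        if key in DN_VALUED:
            value = normalise_dn(value)            # group members point at renamed DNs
        if key in DATE_ATTRS:
            value = to_generalized_time(value)
        out.append((attr, value))
    present = {a.lower() for a, _ in out}
    for cls in classes:
        out += [(a, v) for a, v in DEFAULTS.get(cls, []) if a.lower() not in present]
    return normalise_dn(dn), out

def migrate(ldif_text):
    return [transform(r) for r in parse_ldif(ldif_text)]

# Constructed sample export (not real data): one user, one group.
SAMPLE_EXPORT = """\
dn: uid=jdoe, ou=People, dc=example, dc=com
objectClass: inetOrgPerson
uid: jdoe
cn:: SsO2cmcgRG9l
mail:
hireDate: 15/03/2010
createTimestamp: 20100315080000Z

dn: cn=admins, ou=Groups, dc=example, dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=jdoe, ou=People, dc=example, dc=com
"""

if __name__ == "__main__":
    for dn, attrs in migrate(SAMPLE_EXPORT):
        print(dn, attrs)
```

Because the same pass also runs on the delta exports during coexistence (and in reverse for a rollback), keep the rule tables in one place and version them with the rest of the migration scripts; a rule that changes between the bulk load and the delta loads is a classic source of inconsistent entries.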

23. Agenda
   - Introduction
   - Common layer
   - Migrate a standalone instance
   - Migrate a replicated infra
   - Migrate a complex LDAP infra
   - Conclusion

24. Replicated infra: compatible directory
   - Set up the replication
     - Configure a ONE-WAY flow
       - If the number of existing replicas is already at the supported maximum, unconfigure one replica
       - Old to new
       - Two-way flows are rarely supported
   - Initialise the new directory with the data from one of the old ones
   - Adapt the procedure for referrals, multiple DBs, ...
