879
Index
: (colon), in DNs, 93–96
( ) (parentheses), grouping search terms, 78
& (ampersand), AND operator within search filters, 78
* (asterisk), wildcard within search filters, 73–74
= (equal sign)
  equality operator within search filters, 74
  in multivalued RDNs, 66
! (exclamation point), negation within search filters, 78
<= (left angle, equal sign), less than or equal to operator within search filters, 75
+ (plus sign), in search operations, 73
# (pound sign), comment indicator, 783
>= (right angle, equal sign), greater than or equal to operator within search filters, 75
| (vertical bar), OR operator within search filters, 78
~= (tilde, equal sign), approximation operator within search filters, 74–75
2222 (SASL...) RFC, 139
2251 (LDAPv3) RFC, 47
2252 (LDAPv3 Attribute Syntax Definitions) RFC, 47, 61–62, 274
2253 (LDAPv3 UTF-8 String Representation of Distinguished Names) RFC, 47
2254 (String Representation of LDAP Search Filters) RFC, 47
2255 (LDAP URL Format) RFC, 48
2256 (Summary of the X.500(96) User Schema for Use with LDAPv3) RFC, 48
2587 (Internet X.509 Public Key Infrastructure LDAPv2 Schema) RFC, 290
2820 (Access Control Requirements for LDAP) RFC, 142
2829 (Authentication Methods for LDAP) RFC, 48, 90, 125
2830 (Extension for Transport Layer Security) RFC, 48, 92–93
2830 ([LDAPv3] Extension for Transport Layer Security) RFC, 142
2831 (Using Digest Authentication as a SASL Mechanism) RFC, 140
2891 (LDAP...Sorting of Search Results) RFC, 131
3377 (LDAPv3: Technical Specification) RFC, 48
abandon operation, 56, 87–88
abstract object classes, 268
Access, Searching, and Indexing of Directories (ASID) IETF working group, 49
access control
  application needs definition, 219
  applications for, 654–657
  data design, 239
  definition, 90
  delegation, case study, 867–871
  in the hands of users, 841
  information, backup and restore, 542
  models, 91
  namespace design, 311
  Netscape Directory Server, 167–173
  replication, 396
  security design, 432–434
access control instructions (ACIs), 167, 169–173
access control lists (ACLs). See ACLs (access control lists).
access control policy, 433–434
Access Control Requirements for LDAP (RFC 2820), 142
ACIs (access control instructions), 167, 169–173
ACLs (access control lists)
  description, 432–433
  examples, 434–438
  placement, 439–440
  replication, 396
actionPerformed() method, 752
Active Directory, 345, 394
Active Directory Services Interface (ADSI) API, 118
add changetype LDIF statement, 96–97
add modifytype LDIF statement, 97
adding
  ACIs (access control instructions), 169–171
  auxiliary information to directory entries. See auxiliary classes.
  directory entries
    add operation, 56, 82
    ldapmodify utility, 111–112
    LDIF, 96–97
  schemas to directory servers, 289–290
Howes.book Page 879 Friday, April 4, 2003 11:38 AM
address book applications, 356
administrators. See system administrators.
ADSI (Active Directory Services Interface) API, 118
aggregating servers, 368
AIM Enterprise Gateway, 177
alias dereferencing, 72
aliases, 68–69
allowed (optional) attributes, 268, 274–277
Alvestrand, Harald, 292
American National Standards Institute (ANSI), 292
ampersand (&), AND operator within search filters, 78
analyzing
  data elements, 251
  environment
    application software, 215
    coexistence with other systems, 228
    computer systems, 213–214
    criticality of service, 228
    hardware constraints, 227
    network constraints, 227–228
    networks, 214–215
    organizational structure and geography, 213
    overview, 210, 211–212
    prioritizing constraints, 228–229
    security constraints, 228
    software constraints, 227
  log files, 410, 580–581, 590–591
AND operators within search filters, 78
Andreessen, Marc, 798
anonymous bind (authentication), 102–103, 427–428
anonymous users, 427–428
ANSI (American National Standards Institute), 292
AOL Instant Messenger (AIM), 177, 179, 738
AOL Time Warner, 821
APIs
  ADSI (Active Directory Services Interface), 118, 662
  C language, 116–117, 658
  Java, 117, 658, 662
  JNDI (Java Naming and Directory Interface), 118, 662, 693
  online resources, 115–116, 117–118
  Perl, 117, 659
  Python, 117, 659
  SDKs, sources for, 115–116
application-maintained data, 560–562
application needs
  access control, 219
  auditing, 219
  authentication, 219
  data, 216–217
  level of service, 218
  overview, 211
  performance, 217–218
  prioritizing, 219–220
  privacy, 219
  security, 219
  versus user needs and expectations, 223
application-specific directories, 6, 761–762
applications
  as data source, 254
  developing. See developing applications.
  namespace design considerations, 312, 320–321
  needs definition, 215
arcs, for OIDs, 77, 292
ASID (Access, Searching, and Indexing of Directories) IETF working group, 49
ASN.1 schema format, 280–283
asterisk (*), wildcard within search filters, 73–74
attribute types. See attributes.
attribute values, 60–62, 95–96. See also data, element values.
attributes
  case sensitivity, 262
  definition, 33
  description, 60–62
  designing schemas
    allowed (optional), 268, 274–277
    hierarchies, 264–265
    matching rules, 265, 267
    naming, 262, 291
    operational, 263
    subtypes, 264–265
    supertypes, 264–265
    syntax, 265, 266
    type example, 263–264
    usage indicators, 262, 276
    values, 262
  mandatory, 268
  usage indicators, 262, 276
attributeTypes attribute type, 274–277
auditing, 219, 417
authentication. See also security.
  application needs definition, 219
  certificate-based client, distributed directories, 350
  credentials, verifying, 650–652
  data maintenance, 567
  definition, 10, 88
  designing, 427–431
  distributed directories, 348–351
  LDAPv3 methods, 90
  process of. See binding.
  simple, 88
  tools for, 417, 418
authentication and control operations, 56, 86–88
authentication applications, 356
authentication database, 35
Authentication Methods for LDAP (RFC 2829), 48, 90, 125
authorization, proxied, 136–137, 167–173
auxiliary classes, 268, 279, 295–297
availability, 17–18, 248, 331, 358, 398, 504,
backdoor access, 413
backup and restore. See also disaster recovery.
  access control information, 542
  case studies, 815, 846, 874
  causes of, 538
  change history, 542
backup and restore (continued)
  cost, 514–515
  databases, 164–165
  directories versus file systems, 538
  directory server configuration files, 542
  incremental backups, 539
  LDIF backup and restore, 540–542
  Netscape Directory Server, 540, 543
  online directory servers, 539
  with replication, 543–545
  restoring databases, 165–167
  safeguarding backups, 545, 548
  schema configuration files, 542
  single-master replication, 546–547
  snapshot restores, 540
  verifying backups, 548–549
bak2db command, 165–167
bak2db script, 540
base-64 encoding, 95–96
Basic Encoding Rules (BER), 59
batch updates, as data source, 256–257
BER (Basic Encoding Rules), 59
bind operation, 56, 86–87
binding, 89, 102–103
British Standards Institute (BSI), 292
browsing versus searching, 25
BSI. See British Standards Institute.
Bulk Import Finished extended operation, 138–139
Bulk Import Start extended operation, 138–139
bulk loading databases, 161
C language API, 116–117, 658
C language SDK, 115–116, 658
The C LDAP Application Program Interface, 142
cascaded replication configuration, 403
case studies. See enterprise with an extranet; examples; large multinational enterprise; Netscape Communications Corporation.
centrally maintained data, 563–565
certificate authority, 444
certificate-based client authentication, 350
certificates
  authentication, 430–431
  issuance, 444
  life cycle management, 31, 652
  location problem, 31
  revocation list, 445
chaining, 343–344
change control policy, 638
change history, 542
change sequence numbers (CSNs), 379
changelog, 379
chasing referrals, 342, 381, 670
choosing an overall approach, 212, 229–230
choosing directory services software. See evaluating directory services software.
Clark, Jim, 798
class of service (CoS) feature, 179
clearSessionValues() method, 708
client replication updates versus replica updates, 387
client use of LDAP, 54–56
clock synchronization, 385–386
coexistence
  common data sources, 761–763
  copying to/from data sources
    migration, 763–764
    N-way join, 768–770, 783–793
    one-way synchronization, 764–766, 783–793
    two-way synchronization, 766–768
    virtual synchronization, 770–773
  data source security, 776
  data translation, 772–774
  data transport, 775–776
  designing for, 228
  implementation considerations, 780–783
  importance of, 761–763
  monitoring, 782–783
  new applications, 663–665
  overview, 759–761
  performance considerations, 781
  requirements definition, 777–780
  security and privacy considerations, 774–776
  tools for, 781–782
  troubleshooting, 782
  tuning, 782
  unique join attributes, 775
coexistence tables, 779
cold-site recovery, 552–554
colon (:), in DNs, 93–96
combining data from multiple sources. See joins.
command-line utilities
  ldapmodify, 110–115, 569
  ldapsearch
    binding, 102–103
    definition, 101
    encrypting server communications, 105–106
    filters, 102, 104–105
    options, 106–110
    retrieving a single entry, 102
    retrieving specified attributes, 103–104
    sample searches, 101–102
    search base, 102
    searching with SSL (Secure Sockets Layer), 105–106
  online sources for, 127
compare operation, 56, 81–82. See also search operation.
ComposeFrame class, 750–751
computer systems, needs definition, 213–214
configuration
  backing up and restoring, 543
  changing using LDAP, 173
  Directory Server Configuration, Command, and File Reference, 173
  managing, 27–28
configuration files
  backup and restore, 542
  dse.ldif, 173
  notify.conf, 605
  schema, backup and restore, 542
configuring
  cascaded replication, 403
  distributed directories, 345–348
  Netscape Directory Server, 173–176
  schemas, 285–286, 301
  user preferences, 28
conflict resolution, 384–388
connecting servers, 345–348
connection hijacking, 412
connection timeouts, 622
consistency, 238, 375–377
constraints, data element values, 245–246. See also value constraint plug-in.
consumers, 246–247, 375
continuous mode for the ldapmodify command, 112
control operations. See authentication and control operations.
controls
  definition, 59, 124
  Entry Change Notification Response, 128–130
  ManageDSAIT, 128
  Password Expired, 137–138
  Password Expiring, 137–138
  Persistent Search Request, 128–130
  Proxied Authorization, 136–137
  Server-Side Sorting Request, 130–131
  Server-Side Sorting Response, 130–131
  VLV (Virtual List View) Request, 132–136
  VLV (Virtual List View) Response, 132–136
convergence, 375–377
copying directories. See replication.
copying to/from data sources
  migration, 763–764
  N-way join, 768–770, 783–793
  one-way synchronization, 764–766, 783–793
  two-way synchronization, 766–768
  virtual synchronization, 770–773
corporate databases, 762
correcting bad data, 573
CoS (class of service) feature, 179
cost
  backup and restore, 514–515
  case study, 844–845
  data maintenance, 513–514, 559
  design phase, 502–503
  disaster recovery, 516–517
  evaluating directory services software, 457, 470
  hardware
    apportioning to software costs, 510
    deployment phase, 504–507
    upgrade and replacement, 511–512
  maintenance contracts, 518–519
  monitoring, 512–513
  piloting directory services, 503–504
  political considerations, 500
  reductions through applications, 644–647
  software
    apportioning to hardware cost, 510
    deployment phase, 507–509
    upgrades, 509–511
  training and support, 517–519, 567–568
Crack password cracking package, 447
createLDAPContext() methods, 703–705
creating directory entries. See adding, directory entries.
credentials, forging and stealing, 412
criticality of service, 228
CSNs (change sequence numbers), 379
custom probing tools, 588–592
dampening replication, 388
DAS (Directory Assistance Service) protocol, 41
data
  definition, 236
  distribution, 14–16
  element values. See also attribute values.
    characteristics of, 243–247
    definition, 236
    format, 244
    number of, 245
    ownership, 245–246
    pointers to, 236
    restrictions, 245–246
    size, 244–245
  elements. See also attributes.
    analyzing, 251
    characteristics of, 243–247
    consumers, 246–247
    definition, 236
    dynamic versus static, 248
    example, 249–251
    format, 244
    inventory (example), 803
    needs definition, 240–243
    number of values, 245
    ownership, 245–246
    relationships with other elements, 249
    restrictions, 245–246
    shared versus application-specific, 248
    value sizes, 244–245
  integrity, 91–93
  maintenance. See also maintenance phase.
    application-maintained data, 560–562
    authentication and security, 567
    centrally maintained data, 563–565
    checking data quality, 572–574
    correcting bad data, 573
    cost, 513–514, 559
    data validation, 569–570
    definition, 557
    developer awareness, 562
    exception handling, 559, 571
    importance of, 558
    new data sources, 570–571
    performance effects, 568–569
    responsibility for, 559
    source of truth method, 572
    spot checks, 573
    training and support costs, 567–568
data, maintenance (continued)
    update-capable clients, 566–567
    user-maintained data, 565–570
    user surveys, 573
  organization, namespace design, 310
  owners, 802
  partitioning, 310–311
  policy statement, creating, 239–240
  quality, monitoring, 591
  reference, 309–310
  related problems, 237–238
  replication. See replication.
  sensitivity, privacy needs definition, 421
  translation, 772–774
  transport, 775–776
  users, 803
  values. See data, element values.
data design
  access control, 239
  application needs definition, 216–217
  case studies, 801–804, 829–830, 860
  consistency, 238
  data elements
    analyzing, 251
    characteristics of, 243–247
    consumers, 246–247
    definition, 236
    dynamic versus static, 248
    example, 249–251
    format, 244
    needs definition, 240–243
    number of values, 245
    ownership, 245–246
    relationships with other elements, 249
    restrictions, 245–246
    shared versus application-specific, 248
    value sizes, 244–245
  data-related problems, 237–238
  data source inventory, 242–243
  versus designing schemas, 286
  directory content, 239
  exception handling, 239
  legal considerations, 239
  multiple storage locations, 239
  overview, 236–237
  policy statement, creating, 239–240
  political considerations, 257
  redundancy, 238
  sources of data
    administrators, 254
    applications, 254
    batch updates, 256–257
    databases, 253
    end users, 254
    files, 253–254
    NOSs (network operating systems), 253–254
    other directory services, 253
    overview, 251–253
    replication, 255
    synchronization, 255–256
data sources
  administrators, 254
  applications, 254
  batch updates, 256–257
  copying to/from
    migration, 763–764
    N-way join, 768–770, 783–793
    one-way synchronization, 764–766, 783–793
    two-way synchronization, 766–768
    virtual synchronization, 770–773
  databases, 253
  definition, 236
  end users, 254
  files, 253–254
  inventory, 242–243
  list of, 761–763
  NOSs (network operating systems), 253–254
  other directory services, 253
  overview, 251–253
  replication, 255
  security, 776
  synchronization, 255–256
databases. See also directory partitioning.
  corporate, 762
  as data source, 253
  versus directories, 29–30, 32–33
  embedding in applications, 30
  external, 762
  homegrown, 762
  links, 347
  Netscape Directory Server
    backing up, 164–165
    bulk loading, 161
    default, 160
    dumping in DSML, 163–164
    dumping to an LDIF file, 161–162
    restoring, 165–167
db2bak command, 164–165
db2bak script, 539–540
db2dsml command, 163
db2ldif command, 161
DDoS (distributed denial of service) attacks, 416
delegating OID arcs, 292
delete changetype LDIF statement, 97
delete modifytype LDIF statement, 97–98
delete operation, 56, 82
deleted entries, restoring, 390
deleted entry conflicts, 390
deleting
  attributes and values, 97–98
  directory entries, 56, 82, 97
denial of service (DoS) attacks, 415–416
deployability, and security, 449–450
deployment phase. See also production rollout.
  case studies
    enterprise with an extranet, 871–874, 877
    large multinational enterprise, 842–845, 850–852
    Netscape Communications Corporation, 812–815, 819–821
deployment phase (continued)
  constraints on directory design
    design openness, 224
    overview, 211
    political considerations, 225–226
    prioritizing, 226
    resources, 224
    system administrators, 225
    system designers, 224–225
  definition, 202
  description, 204–205
dereferencing aliases, 72
design center, 12
design openness, 224
design phase. See also needs definition.
  case studies
    data, 801–804, 829–830, 860
    data element inventory, 803
    data owners, 802
    data users, 803
    namespace, 805–808, 833–835, 863–865
    needs definition, 799–801, 828–829, 859–860
    privacy, 810–812, 839–841, 867–871
    replication, 809–810, 836–839, 867
    schemas, 804–805, 831–833, 861–863
    security, 810–812, 839–841, 867–871
    topology, 808–809, 836, 865–866
  cost, 502–503
  description, 202–204
designers. See system designers.
designing
  data. See data design.
  namespaces. See namespace design.
  replication. See replication design.
  schemas. See schema design.
  security. See security design.
  topology. See topology design.
developing applications
  access control decisions, 654–657
  coexistence, 663–665
  common mistakes, 669–671
  common uses for, 649–658
  cost reductions, 644–647
  customizing your directory, 646–647
  directory-agnostic SDKs, 662–663
  directory-enabling, 648–649
  directory interactions, 665–666
  DSML tools and SDKs, 662
  examples
    directory-enabled finger service (lfingerd.pl), 737–746
    LDAP address lookup in e-mail client (ICEMail), 746–756
    resetting passwords (setpwd), 671–687
    Web site with user profile storage (SimpleSite), 687–722
  facilitating PKI deployment, 652–654
  LDAP command line tools, 659
  LDAP SDKs, 658–659
  LDAP tag libraries, 660–661
  leveraging existing code, 668–669
  locating and sharing information, 649–650
  location independence, 657–658
  performance, 666–668
  piloting, 668
  prototyping, 668
  reasons for, 644–649
  roaming, 657–658
  scalability, 666–668
  tools for, 658–663
  verifying authentication credentials, 650–652
device and application probing, 578
DIGEST-MD5 SASL authentication, 140–141
directories
  accessibility, and privacy, 423–424
  accessing data. See functional model.
  application-specific, 6
  characteristics of
    data distribution, 14–16
    information extensibility, 14
    interoperability, 21–22
    joins, 22–24
    performance, 19–21
    read-to-write ratio, 13–14, 37, 248
    replication, 16–19
    standards, 21–22
    transactions, 22–24
  complementing other services, 35–36
  content design. See data design.
  data problems, troubleshooting, 628–630
  data types, defining. See information model; schemas.
  versus databases, 29–30, 32–33. See also directories, characteristics of.
  definition, 5–6
  design center, 12
  versus DNS servers, 34–35
  dynamic nature of, 6–8
  evaluating the need for, 37
  everyday, 5
  versus file systems, 33
  flexibility, 8–10
  versus FTP servers, 34
  general purpose, 6
  information types, rules, and behavior. See schemas.
  information units, defining. See information model; schemas.
  integrating other data sources. See coexistence.
  NOS (network operating system)-based, 6
  offline, 5
  online, 5–6
  personalization, 11–12
  purpose-specific, 6
  querying, 56
  security, 10–11
  standards-based, 6, 37
  updating, 56
  uses for
    authentication database, 35
directories, uses for (continued)
    certificate location problem, 31
    configuration management, 27–28
    finding things, 25–26
    lightweight database applications, 29–30
    location independence, 29
    managing things, 26–29
    network-accessible storage device, 36
    organizing and accessing Web server information, 36–37
    PKI life cycle management, 31, 652
    searching versus browsing, 25
    security applications, 31
    synchronization, 27
    user configuration and preference management, 28
  versus Web servers, 33–34
directory-agnostic SDKs, 662–663
Directory Assistance Service (DAS) protocol, 41
directory design, constraints on
  choosing an overall approach, 229
  deployment
    design openness, 224
    overview, 211
    political considerations, 225–226
    prioritizing, 226
    resources, 224
    system administrators, 225
    system designers, 224–225
  hardware, 227
  network, 227–228
  prioritizing, 228–229
  security, 228
  software, 227
directory-enabling existing applications
  considering alternatives, 736–737
  effects on directory service, 735
  examples
    directory-enabled finger service (lfingerd.pl), 737–746
    LDAP address lookup in e-mail client (ICEMail), 746–756
  hiding directory integration, 731–732
  making capabilities visible, 732
  problematic architecture, 733–734
  protocol gateways, 732–733
  reasons for, 726–730
  transition phase, 735–736
directory entries
  adding auxiliary information. See auxiliary classes.
  aliases, 68–69
  change notification, 128–130
  creating, 56, 82
  definition, 60–62
  deleting with delete operation, 56, 82
  deleting with LDIF, 97
  modifying content, 56, 84–86
  modifying DN (renaming), 56, 83–84, 85
  naming, 66
  representing with DSML, 143–145
  representing with LDIF, 93–96
Directory Interface to X.500 Implemented Efficiently (DIXIE) protocol, 41
directory life cycle. See deployment phase; design phase; maintenance phase.
directory outages, 621–623
directory partitioning
  description, 332–335
  examples, 361–369
  multiple-partition example, 364–369
  pros and cons, 351–354
  single-partition example, 361–364
directory partitions, discovery, 336
directory requirements, privacy needs, 420–423
directory schemas. See schemas.
directory server access logs, monitoring, 606–607
directory server configuration files, backup and restore, 542
directory services
  choosing software for. See evaluating directory services software.
  components, 4–5
  as data source, 253
  definition, 4–5
  embedding in applications, 30
  versus protocols, 50
  putting into production. See production rollout.
  testing. See piloting, directory services.
Directory Services Markup Language (DSML), 143–145, 163–164
disabling
  Netscape Directory Server updates, 174
  schema checking, 287, 813–814
  write access to directory data, 173–176
disaster recovery. See also backup and restore.
  case studies, 815, 846, 874
  cold-site recovery, 552–554
  cost, 516–517
  developing a plan, 550–552
  directory-specific issues, 553–554
  hot-site recovery, 552–554
  risk assessment, 550–551
  types of disasters, 549–550
  vendor services, 549
discovery of LDAP features and schema, 47, 125–127
displayEntry subroutine, 743–744
displayOneEntry() method, 711–712
distinguished names (DNs). See DNs (distinguished names).
distributed data. See data, distribution.
distributed denial of service (DDoS) attacks, 416
distributed directories
  authentication, 348–351
  certificate-based client authentication, 350
  configuring, 345–348
  definition, 332–333
  directory server software, 345–348
  security implications, 351
DIXIE (Directory Interface to X.500 Implemented Efficiently) protocol, 41
DNs (distinguished names). See also RDNs (relative distinguished names).
  base-64 encoding, 95–96
  definition, 55
  escaping special characters, 67–68
  identifying replicated entries, 386
  in namespace design, 308–309
  naming entries, 66
  non-ASCII, 95–96
  restricted characters, 67–68
DNS servers versus directories, 34–35
DNS update capabilities, 35
documentation. See Internet drafts; publications; RFCs; standards.
documenting schemas, 299–300
doEditProfile() method, 699, 712–714
doFind() method, 701, 708–711
doGet() method, 699–700
doLogin() method, 701–702
doLogout() method, 699, 707
domains. See directory partitioning.
doNewProfile() method, 699, 712–714
doPost() method, 700–701
DoS (denial of service) attacks, 415–416
doSaveProfile() method, 701, 716–720
DSML (Directory Services Markup Language), 143–145, 163–164
DSML tools and SDKs, 662
dumping databases, 161–164
duplicating directories. See replication.
dynamic groups, 179
dynamic nature of directories, 6–8
dynamic roles, 179
dynamic versus static data elements, 248
e-mail, LDAP address lookup, 746–756
email2LDAPDN() method, 705–706
emitProfileForm() method, 714–716
enabling
  applications for directory services. See directory-enabling applications.
  schema checking, 287, 813–814
encryption
  government restrictions, 429
  server communications, 105–106
  SSL (Secure Sockets Layer), 91–93, 105–107, 113–114, 412, 414, 417, 418
  TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
  tools for, 417
enterprise numbers. See OIDs (object identifiers).
enterprise service providers (ESPs), 459–460
enterprise with an extranet (case study). See also examples; large multinational enterprise; Netscape Communications Corporation.
  access control, delegation, 867–871
  backup and restore, 874
  deployment, 871–874, 877
  design phase
    data, 860
    namespace, 863–865
    needs definition, 859–860
    privacy, 867–871
    replication, 867
    schemas, 861–863
    security, 867–871
    topology, 865–866
  disaster recovery, 874
  leveraging directory services, 876–877
  maintenance phase, 874–876
  monitoring, 876
  motivation, 859
  organizational overview, 856–859
  piloting, 872–873
  product choice, 871–872
  production rollout, 873–874
  summary of results, 877
  troubleshooting, 876
entries. See directory entries.
Entry Change Notification Response control, 128–130
entry naming conflicts, 389
environmental analysis. See analyzing, environment.
equal sign (=)
  equality operator within search filters, 74
  in multivalued RDNs, 66
error handling for the ldapmodify command, 112
escapedValue() method, 706–707
escaping special characters
  within DNs, 67–68
  within search filters, 78–80
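The two escaping entries above point at the check a practitioner most often gets wrong: a user-supplied value spliced into a search filter or a DN without escaping lets the caller rewrite the filter. The block below is an added example, not code from the book, and implements the escaping rules the index's RFC entries refer to (RFC 2254 section 4 for filter assertion values, RFC 2253 section 2.4 for RDN attribute values). The hostile uid string, the filter shape `(&(objectClass=person)(uid=...))`, the base DN `ou=People,dc=example,dc=com` and the helper names are all constructed for the example; `assertion_count` is a deliberately simple regex tally used only to make the effect of the missing escape visible.

```python
import re

# RFC 2254 section 4: characters that must be escaped inside a filter
# assertion value, each replaced by a backslash and its two-hex-digit code.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 2253 section 2.4: characters that must be preceded by a backslash
# when they appear anywhere in an RDN attribute value.
DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 2253 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in ("#", " "):   # leading '#' or space
            out.append("\\" + ch)
        elif i == last and ch == " ":       # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_uid_filter(uid: str, safe: bool = True) -> str:
    """Build (&(objectClass=person)(uid=<uid>)).  safe=False reproduces the
    common bug of splicing the caller's input in unescaped."""
    val = escape_filter_value(uid) if safe else uid
    return f"(&(objectClass=person)(uid={val}))"


def build_user_dn(uid: str, base: str = "ou=People,dc=example,dc=com") -> str:
    """Build uid=<uid>,<base> with the RDN value escaped.  The base DN is a
    constructed example value."""
    return f"uid={escape_dn_value(uid)},{base}"


# Matches one attr=value assertion.  A value the application meant as a
# single literal must contribute exactly one assertion; if it contributes
# more, the caller has changed the shape of the filter.
_ASSERTION = re.compile(r"\(([^()=]+)=([^()]*)\)")


def assertion_count(filt: str) -> int:
    return len(_ASSERTION.findall(filt))


if __name__ == "__main__":
    # Constructed attacker input: closes the uid assertion and opens a
    # wildcard OR branch, so the unescaped filter matches every person.
    hostile = "admin)(|(uid=*"
    bad = build_uid_filter(hostile, safe=False)
    good = build_uid_filter(hostile)
    print(bad, assertion_count(bad))    # three assertions, one a wildcard
    print(good, assertion_count(good))  # two assertions, uid is a literal
    print(build_user_dn("Smith, John"))
```

Note that both filters are syntactically valid, so the server will not reject the injected one; the escape is the only thing standing between the input and the wildcard. Escaping is also not a substitute for validating the value against the attribute's syntax (a uid that contains a parenthesis is almost certainly wrong and should be refused), and RFC 4514 later extended the DN rule set beyond what RFC 2253 lists, so newer code should follow it.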
ESPs (enterprise service providers), 459–460
establishAddresses() method, 751–752
evaluating directory services software
  criteria
    core features, 463
    cost, 457, 470
    example, 472–474
    extensibility, 470–471
    flexibility, 470–471
    interoperability, 469
    management features, 463–464
    overview, 462–463
    performance, 465–466
    product completeness, 471
    product future, 471
    product support, 471–472
    reliability, 464–465
    scalability, 465–466
    security, 466–467
    standards compliance, 467–469
    vendor services, 472
  ESPs (enterprise service providers), 459–460
  extranet applications, 459
  gathering product information, 475–476
  Internet-facing hosted applications, 459–460
  intranet applications, 458–459
evaluating directory services software (continued)
  lightweight database applications, 460, 462
  negotiating price, 476–477
  NOS applications, 458
  overview, 456–457
  piloting candidates, 476
  product categories, 457–462
  vendor input, 475–476
  virtual networks, 459
event correlation, monitoring, 578
examples. See also enterprise with an extranet; large multinational enterprise; Netscape Communications Corporation.
  ACLs (access control lists), 434–438
  data element design, 249–251
  designing schemas, 269
  directory-enabled finger service, 737–746
  directory partitioning, 361–369
  evaluating directory services software, 472–474
  extending Netscape Directory Server, 180–197
  finger service, directory-enabled, 737–746
  flat namespace structure, 325–326
  hierarchical namespace, 326–327
  ICEMail, directory-enabled, 746–756
  LDAP address lookup in e-mail client, 746–756
  ldapsync tool, 783–793
  lfingerd.pl gateway, 737–746
  Netscape Directory Server value constraint plug-in, 180–197
  one-way synchronization tool, 783–793
  partitioning directories, 361–369
  setpwd, a password resetting utility, 671–687
  SimpleSite, a Web site with user profile storage, 687–722
exception handling, 239, 559, 571
exclamation point (!), negation within search filters, 78
export. See import/export.
extended operations
  Bulk Import Finished, 138–139
  Bulk Import Start, 138–139
  definition, 58, 124
extending object classes. See subclassing.
extensibility
  definition, 58–59
  evaluating directory services software, 470–471
  information, 14
  LDAP innovation, 47
eXtensible Markup Language (XML), 143–145, 163–164
extensible matching, 75–78
extensibleObject object class, 272
extension discovery, 125–127
Extension for Transport Layer Security (RFC 2830), 48, 92–93
extensions (Netscape Directory Server value constraint plug-in example), 180–197
external databases, 762
EXTERNAL SASL authentication, 139–140
extranets
  case study. See enterprise with an extranet.
  evaluating directory services software, 459
failure types, monitoring, 589
false alarms, monitoring, 593
feedback from piloting, 492–494, 496–497
file systems versus directories, 33
files as data source, 253–254
find.htm file, 695
finger service, directory-enabled, 737–746
firewalls, 417–418
flat namespace structure, example, 325–326
flat versus hierarchical namespace schemes, 315–317
flexibility
  of directories, 8–10
  evaluating directory services software, 470–471
focus groups, 494
following referrals. See chasing referrals.
forging credentials, 412
format
  data elements, 244
  schemas, 273–283
fractional replicas, 392–394
FTP servers versus directories, 34
functional model
  authentication and control operations
    bind operation, 86–87
    unbind operation, 87
    abandon operation, 87–88
  interrogation operations
    compare operation, 81–82
    search filters, 74–81
    search operation, 70–73
  purpose of, 69
  update operations
    add operation, 82
    delete operation, 82
    modify operation, 84–86
    modify DN (rename) operation, 83–85
GC (global catalog), Microsoft Active Directory, 352, 394
general purpose directories, 6
getIDWithRedirect() method, 708
get_rebind_credentials() function, 683
getResponseControls() method, 138
getSecondsToExpiration() method, 138
global catalog (GC), Microsoft Active Directory, 352, 394
glue entries, 394
goals and milestones, 212, 230–232
groups, 179
hackers, 411
hard failures, 579–580
hardware constraints, 227
hardware cost
  apportioning to software costs, 510
  deployment phase, 504–507
  upgrade and replacement, 511–512
Hickman, Kipp, 418
hiding search filters, 80–81
hierarchical namespace, example, 326–327
hierarchies, attributes, 264–265
hijacking connections, 412
homegrown databases, 762
horizontal scalability, 17
host-based SNMP agents, 587
hot backups, 164
hot-site recovery, 552–554
Howes, Tim, 117
HTTP digest authentication, 428
hung connections, 622
IANA (Internet Assigned Numbers Authority), 292
ICEMail client, directory enabling, 746–756
IDS (Integrated Directory Services) IETF working group, 49
IDSs (intrusion detection systems), 418
IETF (Internet Engineering Task Force), 42, 49
immediate superior knowledge references, 336–337
implementation, coexistence considerations, 780–783
import/export
  bulk import, 138–139
  data interchange format. See LDIF.
  DSML, 163–164
incremental backups, 539
incremental replication updates, 377–379
indirect monitoring, 580, 591–592, 848
information model, 60–63
information privacy and integrity, 440–446
inheritance, object class, 271–272
init() method, 698–699
installing Netscape Directory Server, 148–155
instant messaging, 177, 179, 738
Integrated Directory Services (IDS) IETF working group, 49
interactive authentication and login applications, 356
internationalization, 47, 118–119
Internet Assigned Numbers Authority (IANA), 292
Internet drafts. See also publications; RFCs; standards.
  definition, 42
  LDAP Client Update Protocol, 142
  [LDAP] over UDP/IP, 142
  LDAP...Browsing of Search Results, 132
  LDAPv3: All Operational Attributes, 73
  Named Subordinate References in [LDAP] Directories, 128
  Password Policy for LDAP Directories, 136
  Proxied Authorization Control, 136
  A Taxonomy of Methods for...Finding Servers, 142
Internet Engineering Task Force (IETF), 42, 49
Internet-facing hosted applications, 459–460
Internet resources. See online resources.
Internet Security Scanner (ISS), 419
Internet X.509 Public Key Infrastructure LDAPv2 Schema (RFC 2587), 290
interoperability, 21–22, 469
interrogation operations
  compare operation, 81–82
  definition, 56
  search filters, 74–81
  search operation, 70–73
interviews, 494
intranet applications, 458–459
intrusion detection systems (IDSs), 418
IP Security Protocol (IPsec), 419
ISO 639 (Code for the Representation of Names of Languages), 119
ISO 3166 (Codes for the Representation of Names of Countries), 119
ISS (Internet Security Scanner), 419
Java API, 117, 658, 662
The Java LDAP Application Program Interface, 142, 658
Java Naming and Directory Interface (JNDI) API, 118, 662, 693
JNDI (Java Naming and Directory Interface) API, 118, 662, 693
join attributes, 775
joins, 22–24, 768–770, 783–793
Kerberos, 418–419
key pairs, 444
keys, 444
knowledge references, 336–337
language codes, 118–119
large multinational enterprise (case study). See also enterprise with an extranet; examples; Netscape Communications Corporation.
  backup and restore, 846
  cost analysis, 844–845
  deployment, 842–845, 850–852
  design phase
    data, 829–830
    namespace, 833–835
    needs definition, 828–829
    privacy, 839–841
    replication, 836–839
    schemas, 831–833
    security, 839–841
    topology, 836
  disaster recovery, 846
  leveraging directory services, 849–852
  maintenance phase, 846–849
  monitoring, 848–849
  motivating factors, 826–828
  organizational overview, 824–826
  piloting, 843–844
  product choice, 842
  production rollout, 845
  summary of results, 852–853
  troubleshooting, 849
latency, 217–218
latency by attribute type, replication, 395
LBER (Lightweight BER), 59
LCUP (LDAP Client Update Protocol), 142
LDAP
  advantages, 50–51
  command line tools, 659
  definition, 49
Howes.book Page 888 Friday, April 4, 2003 11:38 AM
    directory hierarchy versus UNIX file system hierarchy, 63–66
    future directions, 141–145
    history and origins, 38–50
    models. See functional model; information model; naming model; security model.
    as monitoring tool, 580
    overview, 54–58
    typical protocol exchange, 56–57
    on the wire, 59
LDAP: Programming...with Lightweight Directory Access Protocol, 117
LDAP Client Update Protocol (LCUP), 142
LDAP controls. See controls.
LDAP Data Interchange Format (LDIF). See LDIF (LDAP Data Interchange Format).
[LDAP] over UDP/IP, 142
LDAP SDKs, 658–659
LDAP tag libraries, 660–661
LDAP URL Format (RFC 2255), 48
LDAP (v3) Attribute Syntax Definitions (RFC 2252), 61–62
ldap_analyzer.pl script, 607–615
LDAPBIS (LDAPv3 Revision) IETF working group, 49
LDAP...Browsing of Search Results, 132
ldapcompare command, 659
LDAPConnection.authentication() methods, 140
ldap_create_persistentsearch_control() function, 130
ldap_create_proxyauth_control() function, 137
ldap_create_sort_control() function, 131
ldap_create_sort_keylist() function, 131
ldap_create_virtuallist_control() function, 135
ldapdelete command, 659
LDAPEntryChangeControl class, 130
LDAPEXT IETF working group, 49
ldapLookup() method, 752–755
ldapmodify command-line utility, 110–115, 659
ldap_parse_entrychange_control() function, 130
ldap_parse_result() function, 137
ldap_parse_sort_control() function, 131
ldap_parse_virtuallist_control() function, 135
LDAPPersistSearchControl class, 130
ldap_probe.pl script, 600–602
LDAPProxiedAuthControl class, 137
ldap_sasl_bind() function, 140
ldap_sasl_bind_s() function, 140
ldapsearch command, 659
ldapsearch command-line utility
    binding, 102–103
    definition, 101
    encrypting server communications, 105–106
    filters, 102, 104–105
    options, 106–110
    retrieving a single entry, 102
    retrieving specified attributes, 103–104
    sample searches, 101–102
    search base, 102
    searching with SSL (Secure Sockets Layer), 105–106
LDAPSortControl class, 131
LDAP...Sorting of Search Results (RFC 2891), 131
LDAPSortKey class, 131
ldapssl_clientauth_init() function, 140
LDAPSSLSocketFactory class, 140
LDAPv3: All Operational Attributes, 73
LDAPv3: Technical Specification (RFC 3377), 48
LDAPv3 (RFC 2251), 47
LDAPv3 Attribute Syntax Definitions (RFC 2252), 47, 61–62, 274
[LDAPv3] Extension for Transport Layer Security (RFC 2830), 142
LDAPv3 extensions, 125–127. See also controls; extended operations; SASL authentication.
LDAPv3 Revision (LDAPBIS) IETF working group, 49
LDAPv3 schema format, 273–279
LDAPv3 UTF-8 String Representation of Distinguished Names (RFC 2253), 47
LDAPVirtualListControl class, 135–136
LDAPVirtualListResponse class, 136
LDIF backup, 540–542
LDIF (LDAP Data Interchange Format)
    adding entries, 96–97
    backup and restore, 540–542
    definition, 93
    deleting attribute values, 97–98
    deleting attributes, 98
    deleting entries, 97
    dumping databases to, 161–162
    file types, 93
    folding long lines, 94–95
    modifying attribute values, 97–99
    modifying entries, 97–99
    moving entries, 99–100
    renaming entries, 99–100
    representing directory entries, 93–96
    update statements, 96–100
ldif2db command, 161
left angle, equal sign (<=), less than or equal to operator within search filters, 75
legal considerations, 239, 426–427
level of service, 218
leveraging directory services, case studies, 818–821, 849–852, 876–877
lfingerd.pl gateway example, 737–746
LFMs (log file monitors), 420
life cycle
    directory. See deployment phase; design phase; maintenance phase.
    PKI life cycle management, 31, 652
Lightweight BER (LBER), 59
lightweight database applications, 29–30, 460, 462
Lightweight Directory Access Protocol. See LDAP.
locality, effects of replication, 17
location independence, 29, 657–658
log file monitors (LFMs), 420
login.htm file, 694
logs
    analyzing, 410, 580–581, 590–591
    changelog, 379
    directory server access, 606–607
    LFMs (log file monitors), 420
    operating system, 607
    transaction, 539

main() function, 675–680
maintenance phase. See also data, maintenance.
    case studies, 815–818, 846–849, 874–876
    cost of contracts, 518–519
    definition, 202
    description, 206–207
    schemas, 300
man-in-the-middle attacks, 414
ManageDSAIT control, 128
management features, evaluating directory services software, 463–464
Management Information Base (MIB), 584–587
mandatory attributes, 268
manuals. See Internet drafts; publications; RFCs; standards.
mapping
    networks, 214–215
    organizational structure and geography, 213
marketing and publicity plan, 528–529
masquerading, 415
matching rules, 61, 265, 267
message-oriented protocols, 54
messaging applications, 356–357
MIB (Management Information Base), 584–587
Microsoft Active Directory, 345, 394
migration, 763–764
milestones and goals, 212, 230–232
mix-in (auxiliary) object classes, 268, 295
moddn changetype LDIF statement, 99–100
modify changetype LDIF statement, 97–99
modify DN (rename) operation, 56, 83–84, 85
modify operation, 56, 84–86. See also ldapmodify command-line utility.
modifying
    attribute values with LDIF, 97–99
    directory entries, 56, 84–86
    DNs (distinguished names), 56, 83–84, 85
    entries with LDIF, 97–99
    entry names, 56, 83–84, 85
modifytype LDIF statement, 97
monitoring. See also troubleshooting.
    case studies, 817–818, 848–849, 876
    coexistence, 782–783
    conceptual models, 578–579
    cost, 512–513
    data quality, 591
    device and application probing, 578
    directory server access logs, 606–607
    event correlation, 578
    failure types, 589
    false alarms, 593
    hard failures, 579–580
    indirect, 580, 591–592
    introduction, 578–582
    LDAP traffic, 59
    log file analysis, 580–581, 590–591
    messages, 584
    methods, 580–581
    MIB (Management Information Base), 584
    minimizing failure effects, 596–597
    notification, 578, 592–596
    operating system logs, 607
    operating system performance data, 580
    performance analysis, 578, 605–616
    principles, 581–582
    problem correction, 598
    problem histories, 581
    problem reports, 598–599
    problem spotting, 616
    raw usage data, 606–607
    reported problems, 638
    root causes, 597–598
    sample utility, 599–605
    synchronization processes, 591
    taking action, 596–599
    tools for
        custom probing tools, 588–592
        host-based SNMP agents, 587
        LDAP (Lightweight Directory Access Protocol), 580
        MIB (Management Information Base), 585–587
        NMSs (network management systems), 583–587
        SNMP (Simple Network Management Protocol), 580, 583–587
        traps, 584
    trend spotting, 616
    unobtrusiveness, 581
moving entries, 99–100
Mozilla project, 115–116, 658, 737, 817
multimaster replication, 383–391, 544
multiple storage locations, 239
multivalued RDNs, namespace design, 308, 320
mutual authentication, 417

N-way join, 768–770, 783–793
N+1 directory problem, 27
name resolution
    chaining, 343–344
    client-side processing, 339–343, 344–345
    definition, 337
    LDAP referrals, 339–341
    purported names, 338–339
    search result continuation references, 339–343
    server-side processing, 343–345
Named Subordinate References in [LDAP] Directories, 128
namespace design
    access control, 311
    application support, 312
    case studies, 805–808, 833–835, 863–865
    data organization, 310
    data reference, 309–310
    flat structure, example, 325–326
    hierarchical, example, 326–327
    motivating factors, 324
    multivalued RDNs, 308, 320
    needs definition
        application considerations, 320–321
        flat versus hierarchical schemes, 315–317
        future needs, 324
        naming attributes, 318–320, 322–323
        naming RDNs, 322–323
        privacy considerations, 323–324
        suffixes, 313–315
    overview, 305–306
    partitioning data, 310–311
    purposes of a namespace, 309–313
    RDNs, 308, 320
    replication, 311
    reuse policy, 322
    structure of a namespace, 306–309
    topology design, 359–360
naming
    directory entries, 66
    RDNs, 322–323
    schema attributes, 262, 291
naming attributes, 318–320, 322–323
naming context. See directory partitioning.
naming model, 63–69
needs definition, case studies, 799–801, 828–829, 859–860
Net::LDAP Perl-LDAP modules, 659
Netscape 7.0, 177
Netscape Certificate Management System, 177
Netscape Communications Corporation (case study). See also enterprise with an extranet; examples; large multinational enterprise.
    backup and restore, 815
    deployment phase, 812–815, 819–821
    design phase
        data, 801–804
        data element inventory, 803
        data owners, 802
        data users, 803
        namespace, 805–808
        needs definition, 799–801
        privacy, 810–812
        replication, 809–810
        schemas, 804–805
        security, 810–812
        topology, 808–809
    disaster recovery, 815
    leveraging directory services, 818–821
    maintenance phase, 815–818
    monitoring, 817–818
    motivating factors, 799
    organizational overview, 798–799
    piloting, 813
    product choice, 813
    production rollout, 814–815
    schema checking, enabling, 813–814
    summary of results, 821–822
Netscape Communicator, 177
Netscape Delegated Administrator, 177–178
Netscape Directory Server
    access control, 167–173
    databases
        backing up, 164–165, 538–543
        bulk loading, 161
        default, 160
        dumping to a DSML file, 163–164
        dumping to an LDIF file, 161–162
        restoring, 165–167
    default port, 151
    disabling updates, 174
    distribution and chaining, 346–348
    extending (value constraint plug-in example), 180–197
    features, 178–180
    history, 176–177
    installing, 148–155
    LDAP-enabled companion products, 177–178
    loading sample data, 152–155
    product focus, 177–178
    Proxied Authorization, 167–173
    proxy right, 167–173
    reconfiguring with LDAP, 173–176
    searching, 155–160
    system requirements, 148
Netscape Directory Server Administrator's Guide, 91, 105
Netscape LDAP C SDK, 658
Netscape LDAP Java SDK, 658
network intrusion detection systems (NIDSs), 419
network management systems (NMSs), 583–587
network operating system (NOS)-based directories, 6
network operating systems (NOSs), 253–254, 761
networks
    constraints on system design, 227–228
    managing, 583–587
    mapping, 214–215
    monitoring, 419, 583–587
    needs definition, 214–215
    security and privacy needs definition, 424–425
    security tools, 419
    sniffing, 412
    topology design, 358–359
    virtual, 459
NIDSs (network intrusion detection systems), 419
NMSs (network management systems), 583–587
non-ASCII attribute values, 95–96
non-ASCII DNs, 95–96
NOS applications, 458
NOS (network operating system)-based directories, 6
NOSs (network operating systems), 253–254, 761
notification of problems, 578, 592–596, 633–635
notify.conf configuration file, 605
notify.pl script, 602–604
Novell eDirectory, 345
OASIS (Organization for the Advancement of Structured Information Standards), 143
object classes, designing schemas
    abstract, 268
    allowed (optional) attributes, 268, 274–277
    ASN.1 format, 282–283
    auxiliary (mix-in), 268, 279, 295–297
    example, 269
    extensibleObject, 272
    inheritance, 271–272
    kind of object, 268
    LDAPv3 format, 277–279
    mandatory attributes, 268
    mix-in (auxiliary), 268, 295
    multiple, 269–270
    names, 268
    overview, 267–269
    structural, 268, 278
    subclassing, 271–272, 293–295
    superclasses, 271–272
    superior classes, 271–272
object identifiers (OIDs), 76–77, 124
objectClasses attribute, 274–277
offline directories, 5
OIDs (object identifiers), 76–77, 124, 292
one-way authentication, 417
one-way synchronization, 764–766, 783–793
online comments, user feedback, 494
online directories, 5–6
online backup and restore, 539
online resources
    ADSI API, 118
    APIs, 115–116, 117–118
    C language SDK, 115–116
    Crack password cracking package, 447
    IETF (Internet Engineering Task Force), 42
    IETF working groups, 49
    Java API, 117
    JNDI API, 118
    LDAPBIS IETF Working Group, 141
    LDAPv3: All Operational Attributes Internet Draft, 73
    Mozilla project, 115–116
    obtaining OIDs, 292
    OpenLDAP Project, 115–116
    password cracking, 447
    Perl API, 117
    Python API, 117
    SDKs, 115–116
    security tools, 419, 420
    Snort network intrusion detection system, 419
    Sun Microsystems, 115
    Swatch log file monitor package, 420
    Tripwire system integrity verifier package, 420
OpenLDAP Project, 115–116
operating system logs, 607
operating system performance data, 580
operational attributes, 62, 263
operations, canceling, 56
OR operators within search filters, 78
organization data. See naming model.
Organization for the Advancement of Structured Information Standards (OASIS), 143
organizational structure and geography, needs definition, 213
originating writes, 387
OSI-DS IETF working group, 49
ownership of data, 245–246

parentheses (( )), grouping terms within search filters, 78
partition root, 333
partitioning. See data, partitioning; directory partitioning.
Password Expired control, 137–138
Password Expiring control, 137–138
Password Policy for LDAP Directories, 136
passwords
    cracking, 447
    encrypting, 428–430
    expiration, 137–138
    hashing, 89
    policies, 446–448
    resetting, sample utility, 671–687
    rules for choosing, 447
    simple, 428
    zero-length, 670
performance
    application needs definition, 217–218
    applications for, 666–668
    coexistence considerations, 781
    data maintenance effects, 568–569
    directory characteristic, 19–21
    effects of replication, 17
    evaluating directory services software, 465–466
    monitoring, 578, 605–616
    problems, troubleshooting, 623–627
    replication design, 400–402
    testing, 466
    vendor-supplied figures, 401
Perl API, 117
PerLDAP Perl module, 659, 737, 787, 817
Persistent Search Request control, 128–130
personalizing directories, 11–12
physical access, 413
physical security, privacy needs definition, 424–425
piloting
    case studies, 813, 843–844, 872–873
    directory services. See also production rollout.
        applying the results, 496–497
        collecting feedback, 492–494, 496–497
        cost, 503–504
        documentation, 485–487
        goals, 484
        prepilot testing, 482–483
        prospective software purchases, 476
        rollout, 491–492
        scaling up, 495–496
        scope, 484–485
        setting up the environment, 489–491
        timeline, 484–485
        training materials, 485–487
        user categories, 486–487
        users, selecting, 487–489
    new applications, 668
PKI
    certificate life cycle management, 31, 652
    facilitating deployment, 652–654
    overview, 444–445
    privacy and security, 443–446
    revocation, 445
plus sign (+), in search operations, 73
pointers to data element values, 236
political considerations
    cost, 500
    data design, 257
    deployment constraints, 225–226
    topology design, 361
pound sign (#), comment indicator, 605, 783
prefix notation for search filters, 78
presence filters, 75
print_ldap_error() function, 683
prioritizing
    application needs definition, 219–220
    constraints, 228–229
    deployment constraints, 226
    user needs and expectations, 223
privacy
    application needs definition, 219
    case studies, 810–812, 839–841, 867–871
    coexistence considerations, 774–776
    information, 440–446
    namespace design, 323–324
    needs definition
        administration, 422–423
        applicable laws, 426–427
        corporate policies, 426–427
        data sensitivity, 421
        directory accessibility, 423–424
        directory requirements, 420–423
        environment analysis, 423–425
        network environment, 424–425
        physical security, 424–425
        read/write access, 420
        replication, 421–422
        synchronization, 421–422
        user community, 423
        user expectations, 425–426
    TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
    user information, 448–449
    user needs and expectations, 222
problem reports, 598–599, 638–639
problems. See monitoring; troubleshooting.
product choice, case studies, 813, 842, 871–872
product completeness, software criteria, 471
product evaluation. See evaluating directory services software.
product future, software criteria, 471
product support, software criteria, 471–472
production rollout. See also piloting, directory services.
    case studies, 814–815, 845, 873–874
    incremental approach, 530
    maintaining focus, 530
    potential problems, 532
    prerequisite tasks, 525–526
    publicity and marketing plan, 528–529
    required resources, 525
    rollout plan, 527
    success criteria, 527–528
    thinking ahead, 530–533
    timing, 529–530
protocol operations, 56–58
prototyping new applications, 668
Proxied Authorization, 136–137, 167–173
Proxied Authorization Control, 136
proxy right, 136, 167–173
publications. See also Internet drafts; RFCs.
    Directory Server Configuration, Command, and File Reference, 173
    LDAP: Programming...with Lightweight Directory Access Protocol, 117
    Netscape Directory Server 6 Administrator's Guide, 91, 105
    Netscape Directory Server 6 Installation Guide, 148
publicity and marketing plan, 528–529
purported names, 338–339
purpose-specific directories, 6
Python-LDAP module, 117, 659

querying directories, 56
Quipu, 40

randompwd() function, 684–685
randomword() function, 685–686
RDNs (relative distinguished names). See also DNs (distinguished names).
    definition, 66
    multivalued, 66–67, 308
    in namespace design, 308, 320
read-to-write ratio, 13–14, 37, 248
read/write access, privacy needs definition, 420
redundancy, data design, 238
reference material. See Internet drafts; publications; RFCs; standards.
referrals
    chasing, 342, 381, 670
    definition, 339–341
    direct manipulation, 128
    LDAP innovation, 47
    rebind function, 670, 679, 683
referring to data. See naming model.
refused connections, 622
rejects file, 112
relative distinguished names (RDNs). See RDNs (relative distinguished names).
reliability
    versus availability, 18
    effects of replication, 17
    evaluating directory services software, 464–465
    replication design, 398–400
rename (modify DN) operation, 56, 83–84, 85
renaming
    directory entries (changing DNs), 56, 83–84, 85
    LDIF, 99–100
    modify DN (rename) operation, 56, 83–84, 85
replace modifytype LDIF statement, 97–98
replica update vectors (RUVs), 387–388
replicas
    maximum number of, 402–404
    refreshes, 377–379
    replication updates versus client updates, 387
replication
    access control, 396
    ACLs (access control lists), 396
    agreements, 375
    as backup and restore tool, 543–545
    case studies, 809–810, 836–839, 867
    changelog, 379
    client updates versus replica updates, 387
    clock synchronization, 385–386
    conflict resolution, 384–388
    consistency, 375–377
    consumers, 375
    convergence, 375–377
    CSNs (change sequence numbers), 379
    dampening, 388
    of data sources, 255
    definition, 16
    deleted entries, restoring, 390
    deleted entry conflicts, 390
    directory characteristic, 16–19
    entry naming conflicts, 389
    fractional replicas, 392–394
    GC (global catalog), 352, 394
    glue entries, 394
    granularity, 386
    horizontal scalability, 17
    incremental updates, 377–379
    initial population, 379–380
    latency by attribute type, 395
    multimaster strategy, 383–391
    namespace design, 311
    originating writes, 387
    privacy needs definition, 421–422
    protocols, 391
    purpose of, 272
    reasons for, 16–17
    replica refreshes, 377–379
    RUVs (replica update vectors), 387–388
    scheduling, 395
    schemas, 395–396
    sequence numbers, 385–386
    server-to-server, 179
    single-master strategy, 381–383
    single-value constraint conflicts, 391
    sparse replicas, 392–394
    subsets of directory information, 392–394
    suppliers, 375
    synthetic time, 385
    tombstone entries, 390
    total updates, 377–379
    unique identifiers, 386
    unit of replication, 375
    update conflict resolution policy, 383–384
    update resolution policies, 389–391
    wall-clock time, 385
replication design
    capacity planning, 401
    cascaded configuration, 403
    choosing a solution, 404
    maximum number of replicas, 402–404
    overhead considerations, 404
    overview, 396–398
    performance, 400–402
    reliability, 398–400
    synchronization traffic reduction, 403
    vendor-supplied performance figures, 401
reportError() method, 721–722
repositories of data. See data sources.
Requests for Comments. See RFCs.
resetpwd() function, 680–681
resources, deployment constraints, 224
restore. See backup and restore; disaster recovery.
restricted characters
    DNs (distinguished names), 67–68
    search filters, 78–79, 80
restrictions. See constraints.
reuse policy, namespace design, 322
RFCs. See also Internet drafts; publications; standards.
    2222 (SASL...), 139
    2251 (LDAP (v3)), 47
    2252 (LDAP (v3) Attribute Syntax Definitions), 47, 61–62, 274
    2253 (LDAP (v3) UTF-8 String Representation of Distinguished Names), 47
    2254 (String Representation of LDAP Search Filters), 47
    2255 (LDAP URL Format), 48
    2256 (Summary of the X.500(96) User Schema for Use with LDAPv3), 48
    2587 (Internet X.509 Public Key Infrastructure LDAPv2 Schema), 290
    2820 (Access Control Requirements for LDAP), 142
    2829 (Authentication Methods for LDAP), 48, 90, 125
    2830 ([LDAPv3] Extension for Transport Layer Security), 48, 92–93, 142
    2831 (Using Digest Authentication as a SASL Mechanism), 140
    2891 (LDAP...Sorting of Search Results), 131
    3377 (LDAP (v3): Technical Specification), 48
right angle, equal sign (>=), greater than or equal to operator within search filters, 75
risk assessment, disaster recovery, 550–551
roaming, 657–658
roles, 179
rollback, definition, 23
rollout. See production rollout.
root DSE, 47, 125–127, 336
Ruby/LDAP module, 659
RUVs (replica update vectors), 387–388

SASL... (RFC 2222), 139
SASL authentication
    definition, 124–125
    description, 431
    DIGEST-MD5, 140–141
    EXTERNAL, 139–140
SASL bind operation, 86–87
SASL (Simple Authentication and Security Layer), 59, 419
SATAN (Security Administrator Tool for Analyzing Networks), 419
scalability. See also replication.
    evaluating directory services software, 465–466
    horizontal, 17
scheduling replication, 395
schema design
    ASN.1 format, 280–283
    attributes, 274–277
        allowed (optional), 268, 274–277
        hierarchies, 264–265
        matching rules, 265, 267
        naming, 262, 291
        operational, 263
        subtypes, 264–265
        supertypes, 264–265
        syntax, 265, 266
        type example, 263–264
        usage indicators, 262, 276
        values, 262
    changing existing schemas, 301
    configuration, 285–286, 301
    versus designing data, 286
    documenting schemas, 299–300
    elements
        defining, 291–299
        modifying, 293
        summary of, 272–273
    evolution, 300
    formats, 273–283
    LDAPv3 format, 273–279
    maintenance, 300
    new object types, 297–298
    object classes
        abstract, 268
        allowed (optional) attributes, 268, 274–277
        ASN.1, 282–283
        auxiliary (mix-in), 268, 279, 295–297
        example, 269
        extensibleObject, 272
        inheritance, 271–272
        kind of object, 268
        LDAPv3, 277–279
        mandatory attributes, 268
        mix-in (auxiliary), 268, 279, 295–297
        multiple objects, 269–270
        names, 268
        overview, 267–269
        structural, 268, 278
        subclassing, 271–272, 293–295
        superclasses, 271–272
        superior classes, 271–272
    OIDs, obtaining and assigning, 292
    overview, 285–287
    predefined, sources of, 287–290
    purpose of schemas, 260–261
    review boards, 300
    schema checking, description, 283–284
    schema checking, disabling, 287
    subschema entries, 274
    tips for, 298–299
    upgrading directory service software, 301
    using existing schemas, 285
schemas
    adding to directory servers, 289–290
    ASN.1 format, 280–283
    case studies, 804–805, 831–833, 861–863
    changing, 301
    checking, description, 283–284
    checking, disabling, 287
    checking, enabling, 813–814
    configuration, 285–286, 301
    configuration files, backup and restore, 542
    definition, 14, 62–63, 259–260
    versus designing data, 286
    directory-enabled applications, 287–288
    from directory vendors, 289
    discovery, 47
    documenting schemas, 299–300
    evolution, 300
    formats, 273–283
    LDAPv3 format, 273–279
    maintenance, 300
    new object types, 297–298
    OIDs, obtaining and assigning, 292
    predefined, sources of, 287–290
    purpose of, 260–261
    replication, 395–396
    reusing existing, 285
    review boards, 300
    standard, 288–289
    subschema entries, 274
script kiddies, 411
SDKs, 115–116
search base, 70, 102
search filters
    ( ) (parentheses), grouping search terms, 78
    & (ampersand), AND operator, 78
    * (asterisk), wildcard, 74
    = (equal sign), equality operator, 74
    ! (exclamation point), negation operator, 78
    <= (left angle, equal sign), less than or equal to operator, 75
    >= (right angle, equal sign), greater than or equal to operator, 75
    | (vertical bar), OR operator, 78
    ~= (tilde, equal sign), approximation operator, 74–75
    combining terms, 78
    escaping special characters, 78–79, 80
    extensible matching, 75–78
    hiding from users, 80–81
    ldapsearch utility, 102, 104–105
    list of, 79
    OIDs (object identifiers), 76–77
    AND operator, 78
    OR operator, 78
    prefix notation, 78
    presence, 75
    restricted characters, 78–79, 80
    specifying, 72
    substrings, 74
search operation. See also compare operation.
    abusive searches, 669
    alias dereferencing, 72
    all entries below an entry, 80
    all entries within a subtree, 80
    definition, 56
    filters, 72
    Netscape Directory Server, examples, 155–160
    parameters, 70–73
    requests, canceling, 56, 87–88
    retrieving a single entry, 102
    retrieving all operational attributes, 73
    retrieving attributes only, 72–73
    retrieving specified attributes, 103–104
    sample searches, 101–102
    single entries, 80
    size limit, 72
    with SSL (Secure Sockets Layer), 105–106
    starting point, specifying, 70
    time limit, 72
    types of searches, 80
search results
    continuation references, 339–343
    sorting, 130–131
    viewing, 132–136
search scope, 70–71, 102
searching versus browsing, 25
Secure Shell (SSH), 419
Secure Sockets Layer (SSL), 91–93, 105–107, 113–114, 180, 412, 414, 417, 418
security. See also authentication; passwords.
    application needs definition, 219
    backdoor access, 413
    case studies, 810–812, 839–841, 867–871
    certificate authority, 444
    certificate issuance, 444
    certificate revocation list, 445
    certificates, 444
    coexistence considerations, 774–776
    connection hijacking, 412
    constraints on system design, 228
    credential forging, 412
    credential stealing, 412
    data maintenance, 567
    DDoS (distributed denial of service) attacks, 416
    delegation risks, 869
    directory characteristic, 10–11
    distributed directory implications, 351
    DoS (denial of service) attacks, 415–416
    encryption
        government restrictions, 429
        server communications, 105–106
        SSL (Secure Sockets Layer), 91–93, 105–107, 113–114, 412, 414, 417, 418
        TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
        tools for, 417
    evaluating directory services software, 466–467
    guidelines, 408–409
    hackers, 411
    key pairs, 444
    keys, 444
    LDAP as server administration protocol, 175
    LDAP innovations, 47
    log analysis, 410
    man-in-the-middle attacks, 414
    masquerading, 415
    network sniffing, 412
    physical, privacy needs definition, 424–425
    physical access, 413
    PKI revocation, 445
    problems, troubleshooting, 630–632
    purpose of, 409–411
    script kiddies, 411
    software bugs, 413–414
    threats, 411–416
    trawling, 410
    Trojan horses, 413–414
    unauthorized access, 412–414
    unauthorized tampering, 414–415
Security Administrator Tool for Analyzing Networks (SATAN), 419
security applications, 31
security design
    access control, 432–434
    access control policy, 433–434
    ACLs (access control lists)
        description, 432–433
        examples, 434–438
        placement, 439–440
    administrative controls, 446–448
    anonymous authentication, 427–428
    authentication, 427–431
    certificate authentication, 430–431
    deployability, 449–450
    HTTP digest authentication, 428
    information privacy and integrity, 440–446
    password policies, 446–448
    passwords, encrypting, 428–430
    passwords, simple, 428
    PKI, 443–446
    SASL authentication, 431
    user privacy, 448–449
security model
    access control, 90–91
    authentication, 88, 90
    binding, 89
    TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
security needs definition
    administration, 422–423
    applicable laws, 426–427
    corporate policies, 426–427
    data sensitivity, 421
    directory accessibility, 423–424
    directory requirements, 420–423
    environment analysis, 423–425
    network environment, 424–425
    physical security, 424–425
    read/write access, 420
    replication, 421–422
    synchronization, 421–422
    user community, 423
    user expectations, 425–426
security tools
    auditing, 417
    authentication, 417, 418
    Crack password cracking package, 447
    encryption, 417
    firewalls, 417–418
    IDSs (intrusion detection systems), 418
    IPsec (IP Security Protocol), 419
    ISS (Internet Security Scanner), 419
    Kerberos, 418–419
    LFMs (log file monitors), 420
    mutual authentication, 417
    NIDSs (network intrusion detection systems), 419
    one-way authentication, 417
    online resources, 419, 420
    SASL (Simple Authentication and Security Layer), 419
    SATAN (Security Administrator Tool for Analyzing Networks), 419
    signing, 417
    SIVs (system integrity verifiers), 419–420
    Snort network intrusion detection system, 419
    SSH (Secure Shell), 419
    SSL (Secure Sockets Layer), 91–93, 105–107, 113–114, 412, 414, 417, 418
    Swatch log file monitor package, 420
    TLS (Transport Layer Security), 91–92, 412, 414, 417, 418
    Tripwire system integrity verifier package, 420
    two-way authentication, 417
sequence numbers, replication, 385–386
Server-Side Sorting Request control, 130–131
Server-Side Sorting Response control, 130–131
server software, 100
sessions, terminating, 56
setpwd utility example, 671–687
setpwd.c prelude, 672–674
setting goals and milestones, 230–232
signing, 417
simple authentication, 88
Simple Authentication and Security Layer (SASL), 59, 419
Simple Network Management Protocol (SNMP), 580, 583–587
SimpleSite example, a Web Site with User Profile Storage, 687–722
SimpleSiteServelet.java, 695–698
single-master replication, 381–383, 546–547
single-value constraint conflicts, 391
SIVs (system integrity verifiers), 419–420
size, data element values, 244–245
slapd (standalone LDAP daemon), 45–46
Smith, Mark, 117
snapshot restores, 540
sniffers, monitoring LDAP traffic, 59
SNMP (Simple Network Management Protocol), 580, 583–587
Snort network intrusion detection system, 419
software
    bugs, security risks, 413–414
    constraints on system design, 227
    cost
        apportioning to hardware cost, 510
        deployment phase, 507–509
        upgrades, 509–511
    directory service, choosing. See evaluating directory services software.
sorting search results, 130–131
source of truth method, 572
sources of data. See data sources.
sparse replicas, 392–394
spot checks for bad data, 573
SSH (Secure Shell), 419
SSL (Secure Sockets Layer), 105–106, 180, 418
standalone directory service, 45–46
standalone LDAP daemon (slapd), 45–46
standard directories, 38–41
standards. See also Internet drafts; RFCs.
    directory characteristic, 21–22
    DNS update capabilities, 35
    ISO 639 (Code for the Representation of Names of Languages), 119
    ISO 3166 (Codes for the Representation of Names of Countries), 119
    in the works, 141–142
standards-based directories, 6, 37
standards compliance, software evaluation criteria, 467–469
standards documents. See Internet drafts; RFCs; standards.
standards groups
    ASID (Access, Searching, and Indexing of Directories) IETF working group, 49
    IDS (Integrated Directory Services) IETF working group, 49
    IETF (Internet Engineering Task Force), 42, 49
    LDAPBIS (LDAPv3 Revision) IETF working group, 49
    LDAPEXT (LDAP Extensions) IETF working group, 49
    OASIS (Organization for the Advancement of Structured Information Standards), 143
    OSI-DS IETF working group, 49
stealing credentials, 412
String Representation of LDAP Search Filters (RFC 2254), 47
structural object classes, 268, 278
subarcs, OID, 77
subclassing object classes, 271–272, 293–295
subordinate knowledge references, 336–337
subschema entries, 274
substring search filters, 74
subtypes, 264–265
suffixes, namespace design, 313–315
Summary of the X.500(96) User Schema for Use with LDAPv3 (RFC 2256), 48
Sun Microsystems, 115
superclasses, 271–272
superior classes, 271–272
supertypes, 264–265
suppliers, replication, 375
support costs, 517–519, 567–568
Swatch log file monitor package, 420
synchronization
    of data sources, 255–256
    monitoring, 591
    privacy needs definition, 421–422
    role of directories, 27
    traffic, reducing, 403
syntax associated with attribute types, 61–62, 265–266
synthetic time, 385
system administration
    privacy needs definition, 422–423
    security controls, 446–448
system administrators
    as data source, 254
    as deployment constraints, 225
system designers, as deployment constraints, 224–225
system integrity verifiers (SIVs), 419–420

A Taxonomy of Methods for...Finding Servers, 142
testing directory services. See piloting, directory services.
throughput, 217–218
tilde, equal sign (~=), approximation operator within search filters, 74–75
TLS (Transport Layer Security), 91–93, 412, 414, 417, 418
tombstone entries, 390
tools for
    auditing, 417
    authentication, 417, 418
    coexistence, 781–782
    custom probing, 588–592
    developing applications, 658–663
    encryption, 417
    monitoring, 580, 583–592
    security, 417–420
topology case studies, 808–809, 836, 865–866
topology design
    connecting servers, 345–348
    distributed directories. See also name resolution.
        authentication, 348–351
        certificate-based client authentication, 350
        configuring, 345–348
        definition, 332–333
        directory server software, 345–348
        security implications, 351
    factors affecting
        address book applications, 356
        authentication applications, 356
        directory-enabled applications, 354–357
        directory namespace design, 359–360
        directory server software capabilities, 357–358
        interactive authentication and login applications, 356
        messaging applications, 356–357
        physical network topology, 358–359
        political considerations, 361
    knowledge references, 336–337
    name resolution
        chaining, 343–344
        client-side processing, 339–343, 344–345
        definition, 337
        LDAP referrals, 339–341
        purported names, 338–339
        search result continuation references, 339–343
        server-side processing, 343–345
    overview, 332–335
    partition discovery, 336
    partition relationships. See knowledge references; name resolution.
    partitioning directories
        description, 332–335
        examples, 361–369
        multiple-partition example, 364–369
        pros and cons, 351–354
        single-partition example, 361–364
total replication updates, 377–379
training costs, 517–518, 567–568
transaction logs, 539
transactions, 22–24
Transport Layer Security (TLS), 91–93, 412, 414, 417, 418
traps (monitoring messages), 584
trawling, 410
trends, spotting, 616
Howes.book Page 898 Friday, April 4, 2003 11:38 AM
Tripwire system integrity verifier package, 420
Trojan horses, 413–414
troubleshooting. See also monitoring.
  assessing the problem, 633–635
  case studies, 849, 876
  change control policy, 638
  coexistence, 782
  connection timeouts, 622
  containing damage, 635
  directory data problems, 628–630
  directory outages, 621–623
  discovering problems, 620–621
  hung connections, 622
  long-term fixes, 636–637
  monitoring the problem, 638
  notifying affected persons, 633–635
  performance problems, 623–627
  preventing recurrences, 637–638
  problem reports, 638–639
  refused connections, 622
  security problems, 630–632
  short-term fixes, 635–636
  step-by-step process, 632–639
tuning coexistence, 782
two-way authentication, 417
two-way synchronization, 766–768

UCS Transformation Format 8 (UTF-8), 118–119
unauthorized access, 412–414
unauthorized tampering, 414–415
unbind operation, 56, 87
undo updates. See rollback.
unique identifiers, replication, 386
unique names. See DNs (distinguished names); unique identifiers.
unit of replication, 375
UNIX file system hierarchy versus LDAP directory hierarchy, 63–66
unknownRequest() method, 721–722
update-capable clients, data maintenance, 566–567
update conflict resolution policy, 383–384
update operations
  add, 56, 82
  delete, 56, 82
  modify, 56, 84–86
  modify DN (rename), 56, 83–84, 85
update resolution policies, 389–391
update statements, LDIF, 96–100
updating directories, 56
URLs of LDAP resources. See online resources.
usage() function, 674–675
user attributes, 62
user-maintained data, 565–570
user surveys, 573
userid2dn() function, 681–682
users
  configuration and preference management, 28
  as data source, 254
  feedback from piloting, 492–494, 496–497
  needs and expectations
    accuracy and completeness, 221–222
    versus application needs, 223
    asking your users, 220–221
    determining your audience, 222–223
    overview, 211
    prioritizing, 223
    privacy, 222
  privacy needs definition, 423, 425–426
Using Digest Authentication as a SASL Mechanism (RFC 2831), 140
UTF-8 (UCS Transformation Format 8), 118–119
utilities. See command-line utilities; setpwd utility; tools.

value constraint plug-in example, 180–197
values (of attributes). See attribute values.
vendors
  disaster recovery services, 549
  evaluating directory services software, 472, 475–476
  performance figures, 401
verifying backups, 548–549
vertical bar (|), OR operator within search filters, 78
Virtual List View (VLV) Request control, 132–136
Virtual List View (VLV) Response control, 132–136
virtual directories, 770–773
virtual networks, 459
virtual synchronization, 770–773
VLV (Virtual List View) Request control, 132–136
VLV (Virtual List View) Response control, 132–136

wall-clock time, replication, 385
Web resources. See online resources.
Web server information, organizing and accessing, 36–37
Web servers versus directories, 33–34
Web site with user profile storage, SimpleSite sample application, 687–722
writeHREFButton() method, 720–721
writePageFooter() method, 720–721
writePageHeader() method, 720–721

X.500 directory server software, 345–346
X.500 specification, 38–41
XML (eXtensible Markup Language), 143–145, 163–164