What are directory services?

DISTRIBUTED SYSTEMS
Principles and Paradigms
Second Edition
ANDREW S. TANENBAUM
MAARTEN VAN STEEN
Chapter 5
Naming
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5
Names, Identifiers, And Addresses
Properties of a true identifier:
• An identifier refers to at most one entity.
• Each entity is referred to by at most one identifier.
• An identifier always refers to the same entity.
Flat naming
Broadcasting and Multicasting
• Only for local networks
• A message containing an identifier is sent to every machine, and each machine is asked to check whether the identifier matches
• E.g. ARP, to find the mapping between an IP address and an Ethernet address
Flat naming
Forwarding pointers
• Used for mobile entities
• When an object moves, it leaves at its starting point a reference to its destination
• Chains of references can become long
Forwarding Pointers (1)
Figure 5-1. The principle of forwarding pointers
using (client stub, server stub) pairs.
Forwarding Pointers (2)
Figure 5-2. Redirecting a forwarding pointer by
storing a shortcut in a client stub.
Forwarding Pointers (3)
Figure 5-2. Redirecting a forwarding pointer by
storing a shortcut in a client stub.
Home-Based Approaches
Figure 5-3. The principle of Mobile IP.
Distributed Hash Tables
General Mechanism
Figure 5-4. Resolving key 26 from node 1 and key 12 from node 28 in a Chord system.
Hierarchical Approaches (1)
Figure 5-5. Hierarchical organization of a location service into
domains, each having an associated directory node.
Name Space Distribution (1)
Figure 5-13. An example partitioning of the DNS name space,
including Internet-accessible files, into three layers.
Name Space Distribution (2)
Figure 5-14. A comparison between name servers for
implementing nodes from a large-scale name space
partitioned into a global layer, an administrational
layer, and a managerial layer.
Example: The Domain Name System
Figure 5-18. The comparison between recursive and iterative
name resolution with respect to communication costs.
What are directory services?
All directory services use a hierarchical structure that stores
information about objects on the network. What differentiates
the various implementations are the types of objects that they
track.
Shared Resources:
– Servers
– Shared volumes
– Printers
– Applications
Administration of:
– Users
– User/Group access
– Network resources
– Management of domains, applications, services, security policies, and just about everything else in your network.
http://www.ischool.washington.edu/mcdonald/courses/imt546_au04/pres-12.11/ActiveDirectoryFinal.ppt
Basic Network Identity Services
Microsoft's Active Directory
Novell Directory Services (NDS)
X.500
• X.500 is a series of computer networking standards
covering electronic directory services. The X.500
series was developed by ITU-T, formerly known as
CCITT.
• The directory services were developed in order to
support the requirements of X.400 electronic mail
exchange and name lookup.
• ISO was a partner in developing the standards,
incorporating them into the Open Systems
Interconnection suite of protocols. ISO/IEC 9594 is the
corresponding ISO identification.
X.500
The protocols defined by X.500 include:
• DAP (Directory Access Protocol)
• DSP (Directory System Protocol)
• DISP (Directory Information Shadowing Protocol)
• DOP (Directory Operational Bindings Management Protocol)
Because these protocols used the OSI networking stack, a number of
alternatives to DAP were developed to allow Internet clients to access
the X.500 Directory over the TCP/IP networking stack. The best-known
alternative to DAP is the Lightweight Directory Access Protocol (LDAP).
http://en.wikipedia.org/wiki/X.500
The LDAP Name Space
Attribute          | Abbr. | Value
Country            | C     | NL
Locality           | L     | Amsterdam
Organization       | O     | Vrije Universiteit
OrganizationalUnit | OU    | Math. & Comp. Sc.
CommonName         | CN    | Main server
Mail_Servers       | --    | 130.37.24.6, 192.31.231, 192.31.231.66
FTP_Server         | --    | 130.37.21.11
WWW_Server         | --    | 130.37.21.11
A simple example of an LDAP directory entry using LDAP naming conventions.
The LDAP Name Space
Part of the directory
information tree.
The LDAP Name Space
Attribute          | Value (entry 1)    | Value (entry 2)
Country            | NL                 | NL
Locality           | Amsterdam          | Amsterdam
Organization       | Vrije Universiteit | Vrije Universiteit
OrganizationalUnit | Math. & Comp. Sc.  | Math. & Comp. Sc.
CommonName         | Main server        | Main server
Host_Name          | star               | zephyr
Host_Address       | 192.31.231.42      | 192.31.231.66
Two directory entries having Host_Name as RDN.
LDAP API
The LDAP API references an LDAP object by its distinguished
name (DN). A DN is a sequence of relative distinguished
names (RDNs) separated by commas.
An RDN is an attribute with an associated value in the form
attribute=value, normally expressed as a UTF-8 string.
The following table lists typical RDN attribute types.
E.g.
CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
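Splitting a DN into its RDNs is where directory code most often goes wrong: a plain split on commas breaks as soon as a value itself contains a comma. The following added example (not from the slides or from the WinLDAP API) parses and composes DNs such as the one above and the Vrije Universiteit entry from the earlier tables, honouring the backslash escaping defined in RFC 4514.

```python
from typing import List, Tuple

# Characters RFC 4514 requires to be backslash-escaped inside a value.
_SPECIAL = set(',+"\\<>;=')


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] from the most specific RDN outward.
    A plain dn.split(",") would break on an escaped comma such as "Smith\\, Jeff"."""
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_attr, i = True, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: take it literally
            (attr if in_attr else value).append(dn[i + 1])
            i += 2
            continue
        if in_attr and ch == "=":
            in_attr = False
        elif not in_attr and ch == ",":         # unescaped comma ends the RDN
            rdns.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_attr = [], [], True
        else:
            (attr if in_attr else value).append(ch)
        i += 1
    if in_attr:
        raise ValueError("RDN without '=': %r" % "".join(attr))
    rdns.append(("".join(attr).strip(), "".join(value)))
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):                   # leading space or '#' is special
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "                  # trailing space is special
    return out


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Compose a DN from (attribute, value) pairs, most specific RDN first."""
    return ",".join(f"{a}={escape_value(v)}" for a, v in rdns)
```

split_dn("CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM") yields the four RDN pairs in order, and build_dn(split_dn(dn)) round-trips any DN whose values contain commas, plus signs or equals signs.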
LDAP Example
#include <winldap.h>
ULONG CallValue;
// Initialise a session block; a NULL host name selects the default domain controller.
LDAP *ld = ldap_init(NULL, LDAP_PORT);
if (ld == NULL)
{
    return 0;
}
// Open the connection; ldap_connect returns LDAP_SUCCESS on success.
CallValue = ldap_connect(ld, NULL);
if (CallValue != LDAP_SUCCESS)
{
    return 0;
}
// Specify the distinguished name for the entry.
char *entry_dn = "cn=Jeff Smith,CN=Users";
// Attributes include Name, Class, First name, Last name,
// Title, and Telephone number.
LDAPMod Name, OClass, FName, LName, Title, Phone;
// Each LDAPMod carries a NULL-terminated array of string values.
char *cn_values[] = { "Jeff Smith", NULL };
Name.mod_op = LDAP_MOD_ADD;
Name.mod_type = "cn";
Name.mod_values = cn_values;
char *oc_values[] = { "user", NULL };
OClass.mod_op = LDAP_MOD_ADD;
OClass.mod_type = "objectClass";
OClass.mod_values = oc_values;
char *gn_values[] = { "Jeff", NULL };
…
// Build the NULL-terminated array of attributes.
LDAPMod *NewEntry[7];
NewEntry[0] = &Name;
NewEntry[1] = &OClass;
NewEntry[2] = &FName;
NewEntry[3] = &LName;
NewEntry[4] = &Title;
NewEntry[5] = &Phone;
NewEntry[6] = NULL;
// Add the entry (asynchronous; the return value is a message ID).
CallValue = ldap_add(ld, entry_dn, NewEntry);
// Pass CallValue to ldap_result to verify the
// status of the asynchronous operation.
CallValue = ldap_unbind(ld);
Key Features of Active Directory
• Some directory services are integrated with an operating
system, and others are applications such as e-mail directories.
• Operating system directory services, such as AD, provide
user, computer, and shared resource management.
• A namespace that is integrated with the Internet's Domain
Name System (DNS).
• A new directory service central to the Windows 2000 Server
operating system; it runs only on domain controllers.
http://www.ischool.washington.edu/mcdonald/courses/imt546_au04/pres-12.11/ActiveDirectoryFinal.ppt
Active Directory utilizes a distributed
architecture
Active Directory, in addition to providing a place to store
data and services to make that data available, also protects
network objects from unauthorized access and replicates
information about objects across the entire network so that
information about objects is not lost if one domain controller
fails.
Active Directory
Network identity services each perform specific tasks and also
frequently interact. Managing interactions becomes
challenging when multiple internal organizations administer
the various services, which may be duplicated in numerous
locations throughout the network and use different data
stores.
• The global catalog is the mechanism that tracks all of the
objects managed across the network, across all domains
within the organization.
• Elements of the catalog are replicated across all of the
domain controllers within all domains across the organization.
Global Catalog - Service Discovery
• For Active Directory to function properly, DNS servers
must support Service Location (SRV) resource records.
• SRV resource records map the name of a service to the
name of a server offering that service.
• Active Directory clients and domain controllers use SRV
resource records to determine the IP addresses of domain
controllers.
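An added example (not from the slides) of what a client does with those SRV records. It assumes the standard Active Directory owner name _ldap._tcp.dc._msdcs.<domain> and applies the RFC 2782 selection rule: lowest priority first, then a weighted pick within that priority group. The random draw is passed in as a number in [0, 1) so the choice is reproducible; real clients draw it at random.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rdata(lines: List[str]) -> List[SrvRecord]:
    """Parse 'priority weight port target' RDATA strings (the part dig prints after SRV)."""
    out = []
    for line in lines:
        prio, weight, port, target = line.split()
        out.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return out


def dc_srv_name(domain: str) -> str:
    """The SRV owner name an AD client queries to find LDAP-capable domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain.rstrip('.')}."


def select_target(records: List[SrvRecord], pick: float) -> SrvRecord:
    """RFC 2782 selection. `pick` in [0, 1) stands in for the client's random draw."""
    if not records:
        raise LookupError("no SRV records")
    best = min(r.priority for r in records)             # lowest priority wins
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:                                      # all zero weights: any will do
        return group[0]
    threshold = pick * total                            # weighted pick within the group
    running = 0
    for r in group:
        running += r.weight
        if threshold < running:
            return r
    return group[-1]
```

A defender can run the same logic over the zone's actual SRV set to confirm that only legitimate domain controllers can ever be selected, since any extra record with priority 0 would compete with them.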
Domain authority
Active Directory replicates its administration information
across domain controllers throughout the “forest”
utilizing a “multi-master” approach.
Multi-master replication among peer domain controllers is
impractical for some types of changes, so only one
domain controller, called the operations master,
accepts requests for such changes.
Authentication
• Each domain controller has information for the entire
forest to support authentication and access control.
• This lets local domain controllers (the “tree”) perform a
quick local lookup of authority.
• Not just users but every object authenticating to Active
Directory must reference the global catalog server,
including every computer that boots up.
Mapping to Distributed Hash Tables (1)
Figure 5-24. (a) A general description of a resource.
(b) Its representation as an AVTree (Attribute/Value tree).
Mapping to Distributed Hash Tables (2)
Figure 5-25. (a) The resource description of a query.
(b) Its representation as an AVTree.
Semantic Overlay Networks
Figure 5-26. Maintaining a semantic overlay through gossiping.
References
• http://www.ischool.washington.edu/mcdonald/courses/imt546_au04/pres-12.11/ActiveDirectoryFinal.ppt