Directory Development Fundamentals
www.novell.com
Ed Shropshire
NDS Partner Programs, Novell, Inc.
eshropshire@novell.com

Vision: one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Deployed Versions: Novell eDirectory™ and Novell Directory Services® (NDS)
Product Version                    Build Version              Platforms
NetWare 5.1 SP4 (NDS 7)            DS.nlm v7.57               NetWare 5.1
NetWare 5.1 SP4 (NDS 8)            DS.nlm v8.79               NetWare 5.1
eDirectory 8                       DS.nlm & DS.dlm v8.79      NetWare 5.0, Win NT/2K
eDirectory 8.5.x                   DS v85.23                  NetWare 5.x, Win, Solaris
NetWare 6 (eDirectory 8.6)         DS.nlm v10110.20           NetWare 6
eDirectory 8.6.1                   DS v10210.43               NW 5.1, NW 6, Win, Solaris, Linux
NetWare 6 SP1 (eDirectory 8.6.2)   DS.nlm v10310.17           NetWare 6
eDirectory 8.6.2                   DS v103xx.xx               NW 5.1, NW 6, Win, Solaris, Linux
eDirectory 8.7                     DS v10410.xx               NW 5.1, NW 6, Win, Solaris, Linux, AIX

Differences Between eDirectory and NDS®
• NDS (NetWare 5): a NOS directory focused on managing NetWare® servers
• eDirectory (NetWare 6): a cross-platform, scalable, standards-based directory used for managing identities that span all aspects of the network—eDirectory is the foundation for eBusiness

Novell one Net and eBusiness Vision
Novell provides Net services software that gives organizations the ability to simplify the complexities of the Net, securely extend and integrate networks and applications between companies, and accelerate eBusiness transformations
Net Services: Novell eDirectory™

What's New with Novell eDirectory
• Novell eDirectory 8.6.1 and 8.7
• Product of the Year—Network Magazine
• The Name—Novell eDirectory
• SunTone Certification
• Partner Redistribution Program
• Free eDirectory for Developers
• LDAPZone
• AIX
• LDAP 2000 Server Brand
• LDAP Java SDK
• LDAP Java Beans

Novell eDirectory Partner Redistribution Kit Program
• Get started
  – Download unlimited eDirectory licenses for development purposes—visit developer.novell.com/eDirectory/download.htm
• Get profitable
  – Offer commercial solutions that include FREE 250,000-user versions of eDirectory
  – Save each application customer up to a half-million US dollars in up-front licensing costs
  – Visit developer.novell.com/eDirectory

Novell eDirectory Partner Redistribution Kit Program
• OEMs/ISVs can (AT NO COST):
  – Distribute 250,000-user versions of eDirectory with each copy of their shipping products
  – Distribute full-featured versions of eDirectory to an unlimited number of application customers
  – Distribute the latest Multi-OS version of eDirectory—Windows*, Sun Solaris*, Linux*, NetWare®, and IBM AIX* (*future)
  – Increase software/hardware/server sales
  – Rely on proven embedded technology
  – Build competitive advantage with added services and lower up-front deployment costs

LDAPzone.com: Why LDAPzone?
• Comprehensive: resources and information on everything LDAP
• Community: share ideas, sample code, forums, tips and tricks
• Directions: the latest LDAP news, updates and developments
www.ldapzone.com

Novell Developer Offerings
• Support options: what can you get if you pay
• Benefits
  – 24 hour turnaround
  – Developer labs
  – Priority support
  – Dedicated support contacts
  – Certification
  – Solutions search
  – Developer labs
  – Developer training

Novell eDirectory Architecture (diagram)
• Access protocols and services: DirXML™, OnDemandSM, LDAP, iInstall, eGuide, iChain®, NDAP
• Management: iMonitor, iManage, eDirectory Management Framework, SSO
• Core: Schema, Utilities, Maintenance, Security, Repair, Merge, Backup, Replication, Storage Management Interface (SMI), Database, System Abstraction Layer (SAL)
• Platforms: Solaris, NT, NetWare, Linux, AIX, ???
Net Directory Service Solutions (diagram)
• How do I accelerate my SSO to existing business systems (App 1–App 4) so my customers, employees and IS professionals are not waiting for them? (NMAS, DirXML™)
• How do I use the Internet browser to let my partners, customers and employees access secure applications and data? (Web server, iChain, eDirectory, Novell Account Management, Novell Authentication Services)
• How do I simplify my business process and eliminate redundant application and inconsistent data? (PBX, e-mail, HR application, web server)

[Figure: "168 Applications Before Zero-Day Start". A process-flow diagram of the employee hire and termination workflow linking PeopleSoft (a1001), Personic (a1002), InfoSource (a1008, workforce data), Maximo (a1011), BIG (a4001), Oracle, Archibus DB, the KeyCode Sybase DB, the ARISTO DB, Vantive (Help Desk), GroupWise, NDS (i1032), the 16411 Info Source/PBX, the Westinghouse Access Control System and the EPI badge-creation application; data moves between them by e-mail reports, manual entry and periodic synchronization. Only the system names are recoverable from the diagram text.]

[Figure: "One Net Simplifies Business Processes: Employee Assimilation Process". Manager and employee self-service over SSL; PeopleSoft, Personic, Vantive, Oracle/Siebel and EPI connected through DirXML or LDAP interfaces to NDS trees (Infrastructure, Workforce, Authentication, Customer), feeding GroupWise, Westinghouse, PBX, WITS (mail delivery system), e-Guide and the Enlightened Workforce intelligent portal.]

The Three Views
• Let's take a look at Novell eDirectory from a different perspective
  – Schema view
  – Logical view: Top, Names, Person, Rights (the user perspective)
  – Physical view: Partitions, Replicas

What Makes It Different?
• Extensible schema
• Inherited rights
• Multi-master replication
• Filtered replica
• Referential integrity
• Scalable data store
• Multi-protocol support (discovery—access protocols)
• Multi-authentication support
• Developer interfaces
• Platform support

eDirectory Features
• Filtered replica: a new replica type that enables flexible control of what's replicated, down to the attribute level
• LDAP support: LDAP v3 support including SSL; improved search speed
• Improved administration tools: monitoring and repair tools in ConsoleOne®; ICE (Import/Convert/Export) utility; iMonitor utility
• Cross-platform support: already runs on NetWare, NT 4, Linux, Windows 2000 and Solaris; looking at other UNIX and mainframe platforms (e.g. AIX)
• OpenLDAP SDK
• ADSI Provider: translates ADSI calls into LDAP; apps developed to ADSI are fully supported
• DirXML support: provides the foundation for integrating network information for any system, application, device, etc.

What is LDAP?
LDAP began life as an attempt to simplify access to X.500 (DAP) directories, thus the name: Lightweight Directory Access Protocol
• A standardized protocol for accessing X.500 directories
• A version of DAP that contains less code than DAP
• An enabled client with TCP/IP access to X.500 directories
• Lightweight means you don't have to manage all of the connection overhead in your application
• Lightweight doesn't mean limited access functionality
• LDAP is a client-server protocol

Technical LDAP Benefits
• Applications can be directory-neutral
• Directories can be interchanged
• Note: all directories are not equal
(diagram: directory-enabled applications reach Netscape, Microsoft and Novell eDirectory directories through LDAP)
  – Netscape: licenses in use 40 M
  – Microsoft: licenses in use 4.5 M
  – Novell eDirectory: licenses in use 174 M

Overview
• LDAP is a client/server access protocol
• LDAP also describes a data model (ACI, Schema, Replication)
• LDAP is controlled by the IETF community
• LDAP certifications: Works with LDAP (for applications) and LDAP 2000 (for servers)
• Novell is a founding member of the Interoperability Forum/Open Group

Novell eDirectory SDK
• Everything to integrate with eDirectory: libraries, tools, sample code, and documentation
• Platforms (server and workstation)
  – NetWare®
  – Windows 2000
  – NT
  – Windows 95/98
  – Solaris, Linux
http://developer.novell.com/ndk/ndssdk.htm
• SDK components (NDAP/NCP and LDAP access to Novell eDirectory)
  – NJCL
  – NDS libraries for C
  – LDAP service provider for JNDI
  – LDAP Class Libraries for Java
  – Novell eCommerce Beans
  – Novell controls for ActiveX (NWIDir)
  – LDAP libraries for C
  – Novell JDBC driver for eDirectory
  – eMFramework
  – Beans for Novell services
  – Novell controls for ActiveX (NWDir)
  – Novell ODBC driver for eDirectory
  – JNDI

Novell ODBC Driver for eDirectory
• ODBC driver specifically designed to query and retrieve eDirectory data
  – Supports standard SQL statements
  – Makes reporting and retrieving data quick and easy
  – Abstracts the directory tree into accessible relational database tables
  – Hides the complexity of the underlying directory syntax

How ODBC Maps eDirectory Data
• Mapping eDirectory data to relational tables: eDirectory hierarchical directory data is mapped to a flattened relational database table
  – eDirectory object classes correspond to the tables
  – eDirectory class attributes correspond to columns of the table
  – Entries correspond to rows of the table

Surname   Given name   Title
Jones     Kim          Manager
Nelson    Chris        Engineer
Smith     Sam          Tester
Wilson    Lynn         Writer

Troubleshooting Novell ODBC Driver
• Common problems
  – Insufficient resources
    • Select fewer attributes, or specify the attributes rather than using a wildcard to include all attributes
    • Examine the attributes you select to ensure that only a few of them are multi-valued
    • Restrict the number of objects selected by specifying only one container
  – eDirectory rights
  – SQL statement errors
    • Use the correct table and column names in SQL statements
  – Read-only access to eDirectory

Novell eDirectory LDAP Compliance
• Novell LDAP SDKs fully implement
  – IETF draft for C interface: draft-ietf-ldapext-c-api-05.txt
  – IETF draft for Java interface: draft-ietf-ldapext-java-api-13.txt
• eDirectory supports all LDAP version 3 required functionality
  – IETF RFCs 2247, 2251, 2252, 2253, 2254, 2255 and 2256
• eDirectory also supports most optional functionality

More About LDAP
• Users are given a "server view" vs. a "tree view"
• LDAP uses UTF-8 encoding of character strings, allowing strings of any language to be used in the API
• LDAP servers listen on two TCP/IP ports
  – 389: provides clear-text connections
  – 636: secure connections using SSL
• An LDAP bind (connection) is an eDirectory login
  – LDAP requires that individual users have passwords
  – No password is interpreted as an anonymous bind
• Specifies no file access mechanisms
• Novell eDirectory event mechanism coming soon

Novell Extensions to LDAP
• Novell LDAP extensions
  – Partitions—split, join, get number of entries, abort operation
  – Replicas—add, remove, change type, list on server, return information
  – Replica synchronization—to a specified server, to all replicas, at a specified time
  – Schema synchronization
  – Get effective eDirectory rights for attributes
  – Get DN of logged-in caller
  – Restart the LDAP server

LDAP Class Libraries for Java
• Now available on the Novell Developer Kit (NDK)
  – Conforms to the IETF LDAP Java interface
  – Socket, threads, queues, connection manager
  – Referrals
  – Schema management
  – Security: SSL and SASL
  – Extensions and controls
  – Exposes additional classes and methods
• ASN.1/BER protocol methods (APIs)

Benefits of LDAP Libraries for Java
• Classes and methods reflect the LDAP protocol
• Small footprint
• Easy to learn and use
• Synchronous and asynchronous interfaces
• Pure Java solution
• Extensions for eDirectory management
• Tuned and tested with eDirectory
• Works with other LDAP-aware directories
• SSL secured through Novell Security Technologies
• Open Source available on the OpenLDAP site: www.openldap.org

What is JNDI?
• Java Naming and Directory Interface (JNDI)
  – An addition to JavaSoft's enterprise API set
  – Object-oriented look and feel
  – Abstracted view
• Naming-system neutral, enabling many different service providers to be accessed via the same interface
• Promotes interaction between naming systems
• Provider issues tend to show through
  – Providers may or may not be pure Java
• Platform support is provider-dependent
• Providers tend to be vendor-specific

Use Novell LDAP Libraries for C
• Use the Novell LDAP Libraries for C vs. other SDKs
  – Extensions for eDirectory management
  – Tuned and tested for eDirectory
  – Works with other LDAP-aware directories
  – Available on NetWare, Windows, UNIX
  – Supported by Novell Worldwide Developer Support
  – Internationalized and localized
  – SSL-secured through Novell Security Technologies
• LDAP Libraries for C Open Source
  – Novell LDAP Libraries for C leverage www.OpenLDAP.org

Novell JDBC Driver for eDirectory
• Conforms to the JDBC specification
• Requires the JNDI LDAP service provider for eDirectory
• Supports standard SQL statements
• Abstracts the directory tree into accessible relational database tables
• Hides the complexity of the underlying directory syntax
• Provides "read only" access to eDirectory

Novell Controls for ActiveX
• Application Administration (NWAppA)
• Bindery (NWBind)
• Browser (NWBrowse)
• Catalog Administration (NWCatA)
• Client and Server Socket (NWCliSkt and NWSvrSkt)
• Directory (NWDir)
• Directory Administration (NWDirA)
• Directory Authenticator (NWDirAuth)
• Directory Query (NWDirQ)
• Internet Directory (NWIDir)
• Internet Directory Query (NWIDirQ)
• Internet Directory Entries (NWIDirE)
• NDPS Printer Administration (NWDPPrtA)
• Network Selector (NWSelect)
• Peer Socket (NWPrSkt)
• Print Queue Administration (NWPQA)
• Print Server Administration (NWPSA)
• SecretStore (NWSecStr)
• Server Administration (NWSrvA)
• Session Management (NWSess)
• User Group (NWUsrGrp)
• Volume Administration (NWVolA)

Beans for Novell eDirectory
• eCommerce LDAP beans
  – Components for integrating web applications with LDAP directories
  – Enabling authentication
  – Read/write directory access
  – Contextless login
  – SSL security
• NDS bean
  – Enables access to and manipulation of eDirectory entries
  – Dependent upon the Novell class libraries for Java
  – Requires the Novell Client

Scripting Options
• Third-party scripting options
  – Perl
  – Python
  – PHP
• Visit LDAPZone for a complete list and options: www.LDAPZone.com

Supercharge Your Web Applications with Novell eDirectory
• Realize the benefit of using Novell eDirectory to personalize web server applications
• The objective of this seminar is to provide ideas and examples that will assist you in developing and deploying more powerful and flexible web-based applications

Why Tie Web Applications to Novell eDirectory?
• Enhance and strengthen business relationships by allowing secure access to information and applications
• Provide the ability to simply and securely give access to personalized and sensitive information
  – This may be the difference between gaining or disappointing a customer or partner

Use Novell eDirectory to
• Store identity profiles
• Control data access
• Maintain customer identity relationships
• Manage user security
• Manage data at the network level
• Abstract service locations
• Increase throughput

HTTP is Stateless
• To enable session tracking, utilize
  – Realms: the browser passes user and password with each request
  – Hidden form fields: hidden input types that are not displayed when read by the browser
  – Cookies: a keyed piece of data created by the server and stored by the client browser
  – URL rewriting: the requested URL is modified to include a session ID
  – Servlet HttpSession objects: enable name/value pairs to be stored per session

Use Novell eDirectory to Track Sessions
• Take advantage of GUIDs* (an operational attribute)
  – Identify who is accessing the site
  – GUIDs eliminate the need to store personal data
  – GUIDs are globally unique across all trees and servers
  – eDirectory automatically creates a GUID for each new entry; GUIDs do not change throughout the life of the object
  – Administrators may want to create an index on GUID to enhance response time
*Globally Unique Identifiers

Use Novell eDirectory to Personalize the User Experience
• Case example (CNN)
  – Provides worldwide news, sports, financial data and other information
  – Customized and personalized advertising and content using the GUID as a cookie
  – Customization is transparent to the user

CNN eDirectory Architecture (ad-injection) (diagram)
• Netscape web servers on Solaris (CNN web farm) act as the LDAP client; the cookie travels over HTTP to the browser; an internal firewall sits between the web farm and eDirectory on NetWare and Solaris
• Development servers: Compaq 1850R, 2GB RAM/72GB RAID 0, 1 Intel Pro/100 Server Adapter, eDirectory on NetWare 5; Sun Sparc U60, Solaris 2.6
• Staging server: Compaq 1850R, 2GB RAM/72GB RAID 0, 1 Intel Pro/100 Server Adapter, eDirectory on NetWare 5
• Load directory servers: Compaq 6400R, 2GB RAM/72GB RAID 0, 1 Intel Pro/100 Server Adapter

Tune Your Application and eDirectory to Achieve High Throughput
• Filter the scope of data searches
• Create well-formed schema extensions
• Tune eDirectory
  – Tune memory/cache
  – Use proper tree design
  – Co-locate servers
• The distributed nature of eDirectory gives better throughput
  – Utilize filtered replicas
  – Index on critical attributes

Directory Services and Databases
• Let's look at the strengths and weaknesses of both
• When are they exclusive of each other?
• When do they complement each other?
• The whys and wherefores

Directory Services and Databases (cont.)
Directory Service Strengths
• Fast on the read
• Distributed
• Object-oriented
• Hierarchical
• Standardized schema
• Replication
• Attributes can be multi-valued
Relational Database Strengths
• Designed to handle transactions
• Schema tuned for exact application needs
• Can be modeled to handle very complex needs
• Data integrity built in
• Management of data failures

When to Use What?
• Each has its own best use
• Directories are used most often for
  – Authentication
  – Authorization
  – Personalization
• RDBMSs are used most often for
  – Transaction processing
  – Highly volatile data
  – Very complex data requirements
• Examples of each usage

Making the Choice…
• Frequency of data modifications
• Primary data requirements
• Security
• Flexibility
• Model the data needs
• Determine transactional requirements

What Is So Important About Schema?
• It sets some structure
• Provides a framework
• Identifies syntax
• Schema = Data Dictionary
Directory schema components set the rules for the corresponding directory tree components:
  Tree structure rules → Directory tree
  Object classes → Objects
  Attribute types → Attributes
  Attribute syntaxes → Values

What Is in the Schema?
• Object classes
• Attribute types
• Syntaxes
• Matching rules
• Naming and containment rules

eDirectory Has an Extensible Schema
• You can extend the schema; you do not change the schema
  – Create new classes
  – Add optional attributes
  – Use auxiliary classes
  – Delete non-base classes that do not have any object instantiated
  – Delete attributes that are not used in any classes
• Schema extensions do not impact directory performance

Extension Options
• You can make extensions programmatically or by using an LDIF file with the ldapmodify utility
• Programmatically
  – Easier to control
  – Not as many files
• LDIF
  – No need to recompile changes
  – Easy to run multiple

New Schema Recommendations
• Determine the exact purpose of new classes and attributes
• Don't define anything for "future use"
• Remember to include the domain containment
• Understand any flags you use
• Use auxiliary classes whenever possible
• Don't add new attributes to existing classes if possible
• Reuse/extend existing schema definitions
  – If small, change to existing definition
• Add your attributes first, then your classes

Syntaxes
• Define what your data looks like
• Not extensible
• eDirectory supports LDAP equivalents of eDirectory syntaxes
• Recommendation: for readability, limit use of octet string

Matching Rules
• Equality: defines how two values are compared, e.g., caseIgnoreMatch
• Ordering: used to determine if a value is greater or less than another value
• SUBSTR: defines the way substring matches work

Attribute Types
• An attribute type is a string value containing various fields
• What makes up an attribute
  – ASN.1 id: the OID acts as a unique identifier
  – Human-readable name
  – A description
  – Matching rules
  – Syntax
  – Flags, e.g., whether the attribute is single-valued

Attribute Type Example
( 2.5.4.20
  NAME 'telephone number'
  DESC 'Standard Attribute'
  EQUALITY telephoneNumberMatch
  SUBSTR telephoneNumberSubstringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
( 2.5.4.28
  NAME 'preferredDeliveryMethod'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
  SINGLE-VALUE )

Attribute Types
• MUST—Mandatory attributes
  – In LDAP these are referred to as MUST
  – When you create an object of this type, you must populate these attributes
  – Cannot add MUST attributes once objects are created from the object class
• MAY—Optional attributes
  – In LDAP these are referred to as MAY
  – eDirectory does not store these attributes with an object unless they have a value
  – You can add more optional attributes to a class after the class is created

LDAP Attribute Options
• NO-USER-MODIFICATION: equivalent to non-removable in eDirectory
• SINGLE-VALUE: the default is multi-valued
• Upper bound: specified after the syntax within { }

Operational Attributes
• Standard: modifyTimeStamp, createTimeStamp, modifiersName, creatorsName, subschemaSubEntry
• eDirectory-specific: structuralObjectClass, subordinateCount, entryFlags (baseClass)

Object Class Types
• Structural (default): used to create entries
• Abstract: building block class, used for sub-classing
• Auxiliary: used to add attributes to existing entries
• If the type is not specified, the default will be structural

Object Class Definition
• ASN.1 id: Object ID (OID)
• Human-readable name
• List of superior object classes
• Identifier
• List of required (MUST) attributes
• List of optional (MAY) attributes

Example of Object Class Definition
( 2.5.6.6
  NAME 'person'
  SUP top
  STRUCTURAL
  MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

Defining a New Object Class: SUP = Inheritance
• This is the class you inherit from
• Your class automatically gets attributes from the parent, as well as any additional ones that you specify
• Multiple levels of inheritance are possible
• You can add superclasses starting in eDirectory 8.5

Naming
• The naming list specifies which attributes can be used to name the object
• Naming can be specified in LDAP with the X-NDS_NAMING option
• The naming attribute can be multi-valued
• Complete control over how to name and access the object
• Defaults (if not supplied)
  – Inherit from the superclass definition if possible
  – The combination of all string attributes in the MUST and MAY lists

Containment
• Containment identifies the other object types which can contain this class
• Note that this is not the container flag
• If a class is a container, it can be defined to be able to contain itself
• Containment is now modifiable in eDirectory 8.5: you can add containment

Containment (cont.)
• Containment can be specified in LDAP with the X-NDS_CONTAINMENT option
• The defaults if not supplied are
  – Inherit from the superclass definition, if possible
  – "C", "L", "O", "OU", and "domain"

Auxiliary Classes
• Auxiliary (or aux) classes are a collection of attributes
• Aux classes are applied at the object level
• Only the objects that need the attributes have them
• Doesn't change the object class definition

Using Auxiliary Classes
• Two steps
  – Modify the object class of an existing object to include the aux class name
  – Write values to attributes as you would any other attributes for that class
• Easy to remove: delete the aux class name from the objectClass attribute
• Note—auxiliary classes are available from eDirectory 8 and beyond

X-NDS Class Options
• The changes you can make to class definitions using the X-NDS options are
  – Flags: X-NDS_NOT_CONTAINER, X-NDS_NONREMOVABLE
  – Containment: X-NDS_CONTAINMENT
  – Naming: X-NDS_NAMING
  – Mapping: X-NDS_NAME
• All X-NDS options have default values

X-NDS Attribute Options
• Most attribute options are flags
  – X-NDS_PUBLIC_READ
  – X-NDS_SERVER_READ
  – X-NDS_NEVER_SYNC (NDS per-replica flag)
  – X-NDS_NOT_SCHED_SYNC_IMMEDIATE
  – X-NDS_SCHED_SYNC_NEVER
  – X-NDS_NAME_VALUE_ACCESS (NDS write-managed flag)
• One other attribute option: X-NDS_LOWER_BOUND

Schema Naming Recommendations
• LDAP schema name valid character set
  – Alphanumeric and dash
  – First character must be alpha
  – Nothing else
• Name format: lowercase prefix, followed by uppercase words
  – Old—"MYAPP:New Attribute Name"
  – New—"myappNewAttributeName"
• Don't use delimiter characters

Schema Naming Recommendations
• If you follow the naming rules, LDAP mappings for the names are not needed
• If you haven't followed the rules in the past (or future), then mappings are needed for access to schema items via LDAP
• What are mappings, anyway? For example, the eDirectory name "Object Class" is mapped to the LDAP name objectClass

Schema Available Definitions
• LDAP ships with a subset of inetOrgPerson mapped to the eDirectory User class
• Schema extensions are available for…
  – Full inetOrgPerson mapped to eDirectory User
  – Full inetOrgPerson
  – residentialPerson
  – newPilotPerson
www.novell.com/products/nds/schema/index.html

ASN.1 OIDs and Prefixes
• What is an OID? Novell's base OID is 2.16.840.1.113719
  – joint-iso-ccitt(2) country(16) us(840) organization(1) Novell(113719)
• LDAP allows access via the OID
• Be sure to have OIDs for your application
• How do you use your allocated sub-arc?
  – 2.16.840.1.113719.2.<a>.4.<x>.<v>
  – 2.16.840.1.113719.2.<a>.6.<x>.<v>
  – <a> is your assigned sub-arc value
  – <x> is the sequence number you assign
  – <v> is the version number you assign
• Find out more about OIDs: www.alvestrand.no/harald/objectid/

ASN.1 OID Registration Sites
• Find out more about OIDs: www.alvestrand.no/harald/objectid/
• Sites to obtain OIDs
  – Novell Developer Support (developer.novell.com/): will allocate and register a schema prefix for you, and optionally allocate an OID sub-arc for you
  – Internet Assigned Numbers Authority (IANA): www.isi.edu/cgi-bin/iana/enterprise.pl

Sample Schema Output
#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1
dn: cn=schema
changetype: add
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.1 X-NDS_SYNTAX '9' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.2 X-NDS_SYNTAX '9' )
ldapSyntaxes: ( 2.16.840.1.113719.1.1.5.1.6 X-NDS_SYNTAX '6' )
objectClass: top
objectClass: subschema
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' STRUCTURAL MUST objectClass MAY ( cAPublicKey $ CAPrivateKey $ certificateValidityInterval $ authorityRevocation $ lastReferencedTime $ equivalentToMe $ ACL $ backLink $ binderyProperty $ Obituary $ Reference $ revision $ certificateRevocation $ usedBy $ GUID $ otherGUID $ DirXML-Associations $ creatorsName $ modifiersName $ unknownBaseClass $ unknownAuxiliaryClass $ auditFileLink $ masvProposedLabel $ masvDefaultRange $ masvAuthorizedRange ) X-NDS_NAME 'Top' X-NDS_NONREMOVABLE '1' )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'Standard ObjectClass' SUP person STRUCTURAL MAY ( facsimileTelephoneNumber $ l $ eMailAddress $ ou $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ st $ street $ title $ mailboxLocation $ mailboxID $ uid $ mail $ employeeNumber $ destinationIndicator $ internationaliSDNNumber $ preferredDeliveryMethod $ registeredAddress $ teletexTerminalIdentifier $ telexNumber $ x121Address $ businessCategory $ roomNumber $ x500UniqueIdentifier ) X-NDS_NAMING ( 'cn' 'ou' 'uid' ) X-NDS_CONTAINMENT ( 'organization' 'organizationalUnit' 'domain' ) X-NDS_NAME 'Organizational Person' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' )
attributeTypes: ( 2.5.18.1 NAME 'createTimeStamp' DESC 'Operational Attribute' SINGLE-VALUE NO-USER-MODIFICATION SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} X-NDS_NAME 'CN' X-NDS_LOWER_BOUND '1' )

Sample LDIF
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.186.4.0 NAME 'aspenCourseName' DESC 'The name of the course' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
• If not present, this creates "testAttr1", then adds a mapping to the just-created or existing "Test Attr 1" attribute

LDIF File Example—inetOrgPerson
# Full definition of the standard inetOrgPerson
# as a separate class
version: 1

# Delete the existing class mapping "inetOrgPerson ==> User" class to allow "inetOrgPerson ==> inetOrgPerson".
dn: cn=schema
changetype: modify
delete: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' X-NDS_NAME 'User' )

# Add the inetOrgPerson object class - 17
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail $ manager $ mobile $ pager $ ldapPhoto $ preferredLanguage $ roomNumber $ secretary $ uid $ userCertificate $ userSMIMECertificate $ x500UniqueIdentifier $ displayName ) X-NDS_CONTAINMENT ( 'country' 'locality' 'organizationalUnit' 'organization' 'domain' ) X-NDS_NAMING ( 'cn' 'uid' 'givenName' 'mail' 'sn' ) )

Schema Changes in eDirectory 8.5
• Some attributes made public read, some made multi-valued
• New classes defined—domain and ndsLoginProperties
• Syntax changed on existing attributes
• Several classes changed to be containers
• Some changed to be effective or added domain containment
• O and OU added ndsLoginProperties
• Device class now effective
• Operational attributes
  – creatorsName
  – modifiersName
  – modifyTimeStamp
  – createTimeStamp

Schema Changes in eDirectory 8.6
• Unlimited LDAP schema name size—up to 63K long (was previously 64 characters)
• Ability to have more than 63K total worth of schema name mappings (depending on the size of the names, this was previously limited to fewer than 2000 mappings)
• Ability to save and retrieve the description field from a schema definition
• New schema definitions for dynamic groups and for persistent search

Schema Changes in eDirectory 8.7
• Informational Draft
  – LDAP Schema for eDirectory document
  – http://search.ietf.org/internet-drafts/

The Novell Import Convert Export Tool
• Features
  – Client/server (remote) architecture
  – LDIF import
  – LDIF export
  – Data migration between LDAP servers
  – Efficient
• Availability
  – Included with eDirectory 8.5
    • ConsoleOne® snap-in
  – Included in the Novell Developer Kit (NDK) in C Libraries for LDAP
    • Command line only (developer use)

Architecture: ICE Engine
• Orchestrates the interaction between the source and destination handlers
• Provides a logging facility
• Provides an "error LDIF logging" facility
  – Writes all records that fail to an output file in LDIF format
  – Used to help debug import or export sessions
  – Can aid in dealing with "rogue" records

Currently Available Handlers
• Source Handlers
  – LDIF: reads in an LDIF data file
  – LDAP: performs searches and retrieves LDAP data
• Destination Handlers
  – LDIF: writes to an LDIF data file
  – LDAP: writes to an LDAP server
    • Supports—LBURP (up to 10 times faster adds), forward references, hashed passwords, and more

What Handlers Are Coming in the Future?
• Source Handlers
  – DELIM: reads in data from a delimited file
  – DirLoad: generates data from a template and data files
    • For creating test trees and environments
  – ECM: generates an LDAP record from an LDAP search
    • For example, you can create a group from all users that are from Provo (L: Provo)
  – SCH: reads in data from a SCH file (SCH files are legacy NDS schema data files)

What Handlers Are Coming in the Future? (cont.)
• Destination Handlers
  – DELIM: writes to a delimited data file

Novell eDirectory Development Options
• Broad range of SDKs available
  – Pick the appropriate SDK based on
• Information needed from Novell eDirectory
  – Are you looking for data from eDirectory or to manage the directory itself?
• Operations you want to perform on eDirectory
• Your preferred programming language
• Protocol preference
  – LDAP
  – NDAP
  – HTTP

Novell LDAP Developer's Guide

To Learn More About LDAP
• www.LDAPZone.com
• Novell LDAP Developer Guide
• Novell NDS Developer Guide
• DeveloperNet® University
  – http://developer.novell.com/education/
• http://developer.novell.com/nds/
• http://developer.novell.com/nds/ndsldap.htm
• http://developer.novell.com/ndk/doc/ldapover/

The LDAP Community
• IETF LDAP discussions and proposals
  – www.ietf.org
  – www.ietf.org/maillist.html
• IETF announcement list
  – E-mail: ietf-announce-request@ietf.org
  – subj: subscribe
  – body: subscribe
• IETF general discussion list
  – E-mail: ietf-request@ietf.org
  – subj: subscribe
  – body: subscribe
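As an added example (not code from the Novell slides), the following Python module ties together the schema naming rules, the OID sub-arc layout and the two-step auxiliary class usage described above: it checks a proposed schema name against the naming recommendations, builds an OID under 2.16.840.1.113719.2.<a>, and emits the cn=schema LDIF for a new attribute and an aux class plus the object-level LDIF that applies and removes that aux class. The "myapp" prefix, sub-arc 9999, the dn cn=jdoe,o=example and the reading of the .6 arc as the object-class arc are assumptions of this example.

```python
import re

# Novell's base OID and sub-arc layout from the slides. Sub-arc 9999 and the
# "myapp" prefix used by callers are constructed placeholders, not allocated values.
NOVELL_BASE = "2.16.840.1.113719.2"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
# The slide's aspenCourseName attribute sits under .4; treating .6 as the
# object-class arc is an assumption of this example.
ARC = {"attribute": 4, "class": 6}

def novell_oid(subarc, kind, seq, ver=1):
    """2.16.840.1.113719.2.<a>.<4|6>.<x>.<v>, exactly as the slide lays it out."""
    return f"{NOVELL_BASE}.{subarc}.{ARC[kind]}.{seq}.{ver}"

def check_schema_name(name):
    """Slide rules for new names: alphanumerics and dash, alpha first character,
    lowercase prefix followed by uppercase words. Returns the rules broken."""
    problems = []
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name):
        problems.append("only alphanumerics and dash, first character alpha")
    if not re.fullmatch(r"[a-z]+(?:[A-Z][a-z0-9-]*)+", name):
        problems.append("lowercase prefix followed by uppercase words")
    return problems

def attribute_ldif(name, oid, desc, single_value=True):
    """cn=schema modify record adding one attribute, as in 'Sample LDIF'."""
    flags = " SINGLE-VALUE" if single_value else ""
    return ("dn: cn=schema\nchangetype: modify\nadd: attributetypes\n"
            f"attributetypes: ( {oid} NAME '{name}' DESC '{desc}' "
            f"SYNTAX {DIRECTORY_STRING}{flags} )\n")

def aux_class_ldif(name, oid, may):
    """cn=schema modify record adding an auxiliary class carrying `may`."""
    return ("dn: cn=schema\nchangetype: modify\nadd: objectclasses\n"
            f"objectclasses: ( {oid} NAME '{name}' SUP top AUXILIARY "
            f"MAY ( {' $ '.join(may)} ) )\n")

def apply_aux_ldif(dn, aux, values):
    """The slide's two steps on one object: put the aux class name into
    objectClass, then write its attributes like any other attribute."""
    rec = f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {aux}\n-\n"
    for attr, val in values.items():
        rec += f"add: {attr}\n{attr}: {val}\n-\n"
    return rec

def remove_aux_ldif(dn, aux):
    """Removal: delete just the aux class name from objectClass."""
    return f"dn: {dn}\nchangetype: modify\ndelete: objectClass\nobjectClass: {aux}\n-\n"
```

The records are plain LDIF, so they can be fed to ICE's LDIF source handler for import; run check_schema_name on every new name first so no X-NDS_NAME mapping is ever needed.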