everything ldap - Connections 101.net
EVERYTHING LDAP
Gabriella Davis
gabriella@turtlepartnership.com

Agenda
- What is LDAP?
- LDAP structure and behavior
- Domino and LDAP
- LDAP tools
- Notes as an LDAP client
- IBM Lotus Sametime, Quickr, Connections, and LDAP
- LDAP security – risks and mitigation
- LDAP performance tuning
- Wrap-up

What Is LDAP?
- Lightweight Directory Access Protocol
- Standard "language" for reading and writing to directories
- Adopted as a directory protocol by most large providers:
  - IBM Tivoli Directory Server
  - Sun One
  - Novell eDirectory
  - Microsoft Active Directory
- If you want to connect two systems together and use a single directory, you will be using LDAP
- If you want to have a central directory used by many different systems, you will be using LDAP

Why Do We Need LDAP?
- Directories are central to everything we do
- They identify people and things that exist in our world and what they do
- They identify the hierarchy of those people and things
- Without a directory we would have no audience for our applications – everyone would be anonymous
- If everyone is anonymous, then everyone is also identical and we can't create a custom experience

LDAP Structure and Behaviour

LDAP Queries and How They Work
- In most cases, the "client" will be a server acting on behalf of a user of its software

LDAP Behavior
What happens when a client performs an LDAP query?
- The client asks for the directory by hostname, e.g. ldap.theview.com
- Connect to the directory over TCP. LDAP uses port 389 by default, which is unsecured, or port 636 secured
- Search the directory for the directory entries you need, e.g. all people with a last name of "davis"
- Take the values from those directory entries, e.g. "give me the email address of everyone you found"

Terms That Come Up a Lot When Working with LDAP
- LDAP Server: the host server
- Directory Services Agent: the service you connect to
- Bind: how you connect to the directory, using what credentials and over what port
- Schema: the definition of the directory and the objects within it (the directory information tree). Think of this as the design.
- Directory entries: these could be people, servers, printers, etc. Think of these as documents
- Attribute: defined in the schema; a directory entry contains attributes that themselves hold values. Think of these as fields

What Is Bind?
- Assuming we know "where" the server is (its hostname), to connect to the LDAP server we also need to know "how"
- "How" consists of:
  - What port the server is listening on
  - How to use a certificate if one is needed for security
  - What identity is going to be used to access the directory
- You can configure an LDAP server to allow "anonymous" access and not need to supply any name or password
- But it's a directory and has valuable information in it. In the majority of cases, we want it secured.
- The name and password are those of a directory entry in the LDAP directory
- These are called the "bind credentials"

Bind Credentials
- When you bind to an LDAP server using credentials, you gain access to anything in the directory those credentials can see (more on this later under security)
- The LDAP administrator can assign credentials that themselves have access to only a limited part of the directory
- For example, the credentials "salesldap bind" may have access to only the "Sales" part of the directory; any search done with those credentials would only find matching entries within Sales
- Bind credentials should:
  - Be unique across all directories
  - Have a complex, non-expiring password
  - Not be used for anything else

Searching
- Every LDAP query starts with a search; otherwise how do we find the right people?
- Searches are constructed strictly according to the schema
- Although LDAP is a common protocol, each server will have its own schema and so its own search syntax
- The syntax for searching Active Directory is different from that used to search Domino, for instance
- The good news is that most IBM software has pre-defined search strings to suit the most common LDAP servers

Constructing a Search
- The realities of searching are that in large directories you want your search to:
  - Be efficient
  - Be accurate
  - Return as few entries as possible
- If we search only for "last name is davis" we will find both "Gabriella Davis" and "Tim Davis"
- Expanding the search to include first name would help with that
- "Tim Davis" in marketing needs a different kind of search than "Tim Davis" in sales
- We could choose to include department in our search filter, if that information is available
- It would be more efficient to search in only a specific part of the hierarchy, such as looking for "Tim Davis" only within the "sales" part of our directory

Constructing a Search (cont.)
- To focus our search on a specific part of the directory, we use a baseobject or base_dn.
- This is the name of the part of the directory we want to search. Examples:
  - AD: base_dn=OU=sales,OU=europe,dc=theview,dc=com
  - Domino: base_dn=OU=sales,OU=europe,O=theview
- This tells the search to look only in that part of the directory for any results. It makes the search more efficient and prevents false positives.
- "scope" is a search parameter that tells the search how many levels down in the directory from the base_dn it should look:
  - singlelevel means search only ou=sales…
  - wholesubtree means search ou=sales and anything beneath that part of the directory

In Short…
- We connect to a host server and create a search based on the schema to pull the values we want from attributes in matching directory entries

Domino & LDAP

Domino and LDAP
- Domino's directory format for names.nsf is not LDAP by default
- Domino uses its own protocol to read and manage its primary directory
- This is consistent across all Domino servers, so any other Domino server can read any Domino directory
- But no non-Domino server can read a Domino directory without having it "translated"
- The LDAP task, when run on a Domino server, makes the names.nsf available to any LDAP query
- If you use Directory Assistance, this can also apply to other directories your server can see

LDAP Task
- "Load LDAP" on the Domino server
- Loads by default on Domino servers now
- Spawns two separate tasks:
  - LDAP listener, for handling inbound connections
  - LDAP utility, for building and propagating the schema
- Runs the LDAP protocol, which can make names.nsf and other directories available for LDAP searches
- LDAP is specific to each server, so running it on Server A does not grant access to Server B

Schema.nsf
- The LDAP task uses the database schema.nsf on each server to determine how to "translate" Domino object references into LDAP object references
- Schema.nsf is created automatically by the Administration server of your Domino domain the first time LDAP is loaded on that server
- For LDAP to work anywhere in your organization, you must first create schema.nsf by loading LDAP on your administration server
- A replica of schema.nsf is automatically pushed from the administration server the first time you "Load LDAP" on any other server in your domain
- Any server in your domain that runs, or has ever run, the LDAP task will have a replica of schema.nsf in place
- Once schema.nsf is created, you don't have to keep LDAP running on the Administration server if you don't need it

Schema Template
- You should never need to manually create a schema.nsf, but any databases that do exist should be based on the schema template
- Template name is StdDominoLDAPSchema (schema.ntf)
- If you do manually create one for whatever reason, don't call it anything other than schema.nsf

Domino Attributes in the Schema
- Open schema.nsf on your server
- Go to the view "LDAP Attribute Types"
- Review the list of Notes field names and matching LDAP attribute names

LDAP Configuration Document
- LDAP configuration is available only from a global configuration document in the names.nsf
- The global configuration document is the one marked for [All Servers]

Configuring LDAP in Domino
- On a Global Configuration document, there is a new page called "LDAP"
- This is not visible on any other configuration document
- On the LDAP page, you can configure how LDAP behaves on every server in your organization
- There can be only one Global Configuration Document per domain, so the configuration applies to all servers running the LDAP task
- The default LDAP settings will work in most cases, but you should always review them carefully to ensure you are configuring for best security and performance

Exposing Domino Data to Anonymous Users

LDAP Options Affecting Domino Performance
- Allow LDAP users write access: do you want LDAP clients to be able to make changes to your Domino Directories? This doesn't override directory ACL or roles
- Timeout: how many seconds before a search is cancelled? Don't leave it as zero, which means indefinite.
- Maximum number of entries returned: when doing an LDAP search against a large directory, you can restrict the number of results returned
- Minimum characters for wildcard search: do you really want people searching for the letter "S" if they are looking for "Smith", or even "Sm"?
- Allow Alternate Language Information processing

LDAP Options Affecting Domino Performance (cont.)
- Rules to follow when this directory is the primary directory and there are multiple matches on the distinguished name being compared/modified: Don't modify any / Modify first match / Modify all matches?
- Automatically Full Text Index Domino Directory? Improves performance of searches against the Domino Directory, but use only if you are performing high-demand searches against a large directory
- Enforce schema? If the LDAP user has write access to the Domino Directory, can they write or change attributes that aren't defined in the Domino schema?
- DN Required on Bind? Require a fully distinguished name for security

LDAP Options Affecting Domino Performance (cont.)
- Encode results in UTF8 for LDAPv2 clients? This is about the formatting of results for older LDAP client queries
- Maximum number of referrals: an LDAP query against a server can return a referral to yet another LDAP server; how many layers down are you happy for these referrals to go?
- Activity Logging truncation size
- Allow dereferencing of aliases on search requests? Instructs Domino to return search values that correspond to aliases matched by a search

Setting Up the LDAP Task
- LDAP should be configured as an Internet Site Document
- You can configure it directly in the server document under Internet Protocols – LDAP, but this is less secure than using Internet Site documents

Setting Up the LDAP Port
- You configure the overall LDAP port and behavior under Ports – Internet Ports – Directory
- "Enforce server access settings" controls whether Domino will enforce server document security settings

LDAP on Domino — All Together Now

Directory Assistance and LDAP
- Directory Assistance can be used to configure additional directories for your Domino server to use when authenticating access or sending mail
- An additional directory can be Domino or LDAP
- If you choose to add an LDAP directory to Directory Assistance, you need to configure the document

DA – Basics Tab Configuration
- Multiple directories in DA can be prioritized in search order
- Determines which client types this directory can be accessed by
- Don't use this directory for mail addressing or lookups

Directory Assistance LDAP Configuration
- Each step of the LDAP configuration can be tested and verified before saving

DA Naming Contexts Configuration
- Configure as "Trusted for Credentials", as you're going to use this LDAP source for authentication

Testing Directory Assistance Configuration
- From the server console, type "sh xdir"
- This shows all directories configured on that server and whether they are LDAP

LDAP Tools

Ldapsearch
- Search utility that ships with Domino and Notes
- Found in the Domino or Notes program directory
- Used for searching any LDAP server
- ldapsearch [parameters to connect] [searchfilter to find correct entries] [attributes to return]
- No searchfilter will be a request for all entries
- No attributes specified will be an instruction to return all attributes
- Certain parameters, such as hostname, are required

Ldapsearch Parameters
- -h hostname to connect to, e.g. ldap1.theview.com
- -b base_dn. Many servers will require you to specify a base_dn for your query and won't accept a query that doesn't have one
- -D bind name, if you aren't using anonymous access
- -w bind password to go with -D
- -p port to connect to, usually 636 for secured or 389 for unsecured
- -? to see the full list of parameters

Ldapsearch Search Filter
- Search filters limit the results of an LDAP query to just those directory entries you are interested in
- The format for a search filter is <attribute><operator><value>, e.g. sn=Davis (last name is Davis)
- Use operators and brackets to nest search attributes together
- Use * for wildcards in values
- Operators: & AND, | OR, ! NOT, = equal to

Search Filter Examples
- Any entry with first name of Gabriella and last name of Davis:
  (&(givenName=Gabriella)(sn=Davis))
- Any entry with first name of Gabriella and last name of Davis or Davies:
  (&(givenName=Gabriella)(|(sn=Davis)(sn=Davies)))
- Any entry with mail address containing theview.com:
  (mail=*theview.com)

Search Filter Examples (cont.)
- Search for anyone with the last name Davis and return their common name:
  ldapsearch -h ldap1.theview.com -p 389 -D ldaplogin -w passwordforldap "(sn=Davis)" cn
- Search anonymously for anyone with a mail address containing theview.com and return their name:
  ldapsearch -h ldap1.theview.com -p 389 "(mail=*theview.com)" cn
- Search the marketing division on a secure Active Directory server to find the Marketing Director and return all their details:
  ldapsearch -h ldap1.theview.com -p 636 -b "cn=marketing,ou=global,dc=theview,dc=com" -D ldaplogin -w passwordforldap "(Title=Marketing Director)"

Search Filter Demo

Softerra's LDAP Browser
- Free, powerful GUI interface for performing LDAP queries and searches
- Does not allow modifications to LDAP entries; for that you need to purchase their LDAP Administrator
- Very useful for understanding the schema of a directory, especially if you're new to Domino LDAP.
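The filter syntax from the slides above, together with the base_dn and scope rules from the "Constructing a Search" slides, worked through as an added example in Python. This is not code from the presentation or from Domino's ldapsearch: it parses filters built from the listed operators (& | ! and = with * wildcards), evaluates them against a small constructed in-memory directory, restricts results by base_dn and scope, and escapes values that come from outside the filter so a value containing "*" or ")" is matched literally rather than widening the search. The DNs and entries are constructed, and search(), parse_filter(), dn_in_scope() and escape_filter_value() are this example's own names.

```python
"""Added example (not from the presentation): parse search filters built from
the slide's operators (& | ! and '=' with * wildcards), evaluate them against
constructed entries, and restrict results by base_dn and scope."""
import re

# Constructed sample directory as (dn, attributes), with Domino-style DNs.
DIRECTORY = [
    ("cn=Gabriella Davis,ou=sales,ou=europe,o=theview",
     {"givenName": ["Gabriella"], "sn": ["Davis"], "mail": ["gabriella@theview.com"]}),
    ("cn=Tim Davis,ou=sales,ou=europe,o=theview",
     {"givenName": ["Tim"], "sn": ["Davis"], "mail": ["tim@theview.com"]}),
    ("cn=Tim Davis,ou=marketing,ou=europe,o=theview",
     {"givenName": ["Tim"], "sn": ["Davis"], "title": ["Marketing Director"]}),
    ("cn=Ann Davies,ou=uk,ou=sales,ou=europe,o=theview",
     {"givenName": ["Ann"], "sn": ["Davies"], "mail": ["ann@example.net"]}),
]

def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\xx, so a value
    supplied from outside the filter is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse_filter(text):
    """'(&(a=b)(|(c=d)))' -> ('and', [('eq','a','b'), ('or', [('eq','c','d')])])"""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|"):
            pos += 1
            parts = []
            while text[pos:pos + 1] == "(":
                parts.append(parse())
            node = ("and" if op == "&" else "or", parts)
        elif op == "!":
            pos += 1
            node = ("not", parse())
        else:  # simple item attr=value; other comparison operators not handled
            end = text.index("=", pos)
            attr, pos = text[pos:end], end + 1
            start = pos
            while pos < len(text) and text[pos] != ")":
                pos += 3 if text[pos] == "\\" else 1  # a \xx escape is 3 chars
            node = ("eq", attr, text[start:pos])
        if text[pos:pos + 1] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _value_matches(pattern, value):
    # Split on unescaped '*' first, then decode \xx in each literal piece, so an
    # escaped \2a stays a literal asterisk; match case-insensitively (caseIgnoreMatch).
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), s)
    regex = ".*".join(re.escape(unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, attrs) for n in node[1])
    if kind == "or":
        return any(matches(n, attrs) for n in node[1])
    if kind == "not":
        return not matches(node[1], attrs)
    _, attr, pattern = node
    values = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    return any(_value_matches(pattern, v) for v in values)

def dn_in_scope(entry_dn, base_dn, scope):
    """scope: 'base', 'singlelevel' or 'wholesubtree'; assumes DNs without escaped commas."""
    entry = [r.strip().lower() for r in entry_dn.split(",")]
    base = [r.strip().lower() for r in base_dn.split(",")]
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "singlelevel": depth == 1, "wholesubtree": depth >= 0}[scope]

def search(filter_text, base_dn="o=theview", scope="wholesubtree", directory=DIRECTORY):
    """Return the DNs under base_dn/scope whose attributes match the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in directory
            if dn_in_scope(dn, base_dn, scope) and matches(node, attrs)]

if __name__ == "__main__":
    print(search("(&(givenName=Gabriella)(|(sn=Davis)(sn=Davies)))"))
    print(search("(sn=Davis)", "ou=sales,ou=europe,o=theview", "singlelevel"))
    print(search("(sn=%s)" % escape_filter_value("*")))  # [] because '*' is literal
```

The singlelevel search under ou=sales returns the two Davises directly beneath it and not Ann Davies in ou=uk below it, which is the distinction the scope slide draws; widening to wholesubtree brings her in. The escaping function is the check a server-side application should apply to any user-supplied value before concatenating it into a filter string.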
- You can use Softerra to see what Domino looks like to an LDAP client.
- Always test your LDAP assumptions (hostname, port, credentials and attributes) using something like LDAP Browser before assuming they are correct

LDAP Browser Demo

Working with Servers
- List of configured LDAP servers Softerra can access

LDAP Browser: Adding Profiles
- Define the LDAP server's location, connection and bind credentials in the Softerra profile

LDAP Browser and LDAP Administrator

LDIF
- LDAP Data Interchange Format
- Used for importing, exporting and updating LDAP contents
- Standard format
- ldapsearch to export LDAP content to an LDIF file
- ldapadd to update an LDAP directory with entries from an LDIF
- ldapmodify to modify an LDAP directory with change records from an LDIF
- Lots of tools available to work with LDIFs, including native Windows tools and Domino – Migrate Users

LDIF Example Snippet
dn: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gabriella Davis
sn: Davis
givenName: Gabriella
distinguishedName: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
displayName: Gabriella Davis
sAMAccountType: 805306368
userPrincipalName: gabriella@int.turtlepartnership.com
CN=Person,CN=Schema,CN=Configuration,DC=int,DC=turtlepartnership,DC=com

Exporting to LDIF

Notes As An LDAP Client

Notes As an LDAP Client
- Regardless of your Domino server configuration, Notes itself can act as an LDAP client performing queries against other servers
- Configured as an account in the user's local names.nsf

Searching LDAP Directories Within Notes
- LDAP directories will not show in their entirety in Notes
- You have to search for what you need
- You can do either a simple or advanced search

Sametime, Quickr, Connections & LDAP

LDAP and Other IBM Lotus Products
- Many of the extended IBM Lotus products now require an LDAP server to be defined as the directory source
- This allows multiple servers to share a common
directory with a common protocol regardless of their own platform
- Connections, Sametime 8.5x and Quickr J2EE all use WebSphere Application Server (WAS) as a platform, but WAS doesn't have a directory of its own – it must use an external LDAP directory
- Within WAS, you can define multiple LDAP sources to act as a single directory, much like Directory Assistance in Domino
- This is called federating the directories

WAS LDAP Configuration
- Log in to the Integrated Solutions Console (or Sametime System Console) and choose Security – Global Security

Viewing Federated Repositories
- The list of federated repositories shown here comprises what WAS considers to be its directory

Configuring Each LDAP Source

Testing LDAP Configuration in WAS

LDAP Sources
- As we've seen, Domino can act as an LDAP server and could therefore be used in configuring a product like Sametime
- Sametime instant messaging is still based on the Domino platform, but you cannot use that same Domino server as your LDAP server
- Otherwise you are telling the Sametime Community Server to use itself as an external LDAP reference

LDAP Security Risks & Mitigations

LDAP Security Risks
- Exposing a directory to anonymous queries, allowing harvesting of corporate information
- Not providing secure enough bind credentials, so they can potentially be hacked
- Not connecting using SSL, which means your connection isn't encrypted and bind credentials are sent in clear text
- Trusting users from another LDAP source you don't control to authenticate onto your servers
  - Does the password quality for users on the external LDAP source match that for your own users?
  - Once you have trusted an entire directory, your own directory security is lowered to the level of that uncontrolled source

LDAP Security Mitigation
- Ensure you are only exposing the LDAP entries and attributes you need to
- Use an LDAP tool to connect to your own server with the bind credentials you are making available, to see what others see
- If you are adding an LDAP server to Directory Assistance in Domino and are trusting it for authentication purposes, ensure you lock down -Default- access to databases in your environment
- Use catalog.nsf and DDM to find potential problem areas
- Never let anyone connect to your directory using credentials without enabling SSL

LDAP Performance Tuning

LDAP Performance Tuning
- Several things impact LDAP performance on any LDAP server:
  - Size of directory: using a base_dn limits the search scope for queries and is required for efficiency in very large directories
  - Number of search results returned for a query
  - Length of search string: don't force the server to search as each character is entered
  - Nested groups or dereferencing: anything that causes a lookup to generate another lookup, then another, has a big performance impact

LDAP Performance: Searching
- Searching for a user to authenticate when someone logs in requires a directory lookup
- Most LDAP servers are optimized to find entries if you're using a login name or email address
- If you're using a special or non-standard attribute for login, that may affect performance
- Domino LDAP uses predefined views if you are allowing logins by name
- In most cases, you would want to full-text index the directory on your Domino LDAP server for performance
- Many LDAP servers such as Active Directory have strict default limits on LDAP search timeouts and the size of search results returned, for both performance and security reasons
- These can always be modified

LDAP and DDM
- If your Domino server is configured to use another LDAP directory in Directory Assistance, you can monitor that via a DDM probe
- Configured in events4.nsf
- Reported into ddm.nsf on your Domino server

Resources
- Softerra's LDAP Software: www.ldapbrowser.com/info_softerra-ldap-browser.htm
- Steven Tuttle, Ami Ehlenberger, Ramakrishna Gorthi, et al., Understanding LDAP – Design and Implementation (IBM Redbooks, June 2004).
  www.redbooks.ibm.com/abstracts/sg244986.html
- Steven Tuttle, Kedar Godbole, Grant McCarthy, Using LDAP for Directory Integration (IBM Redbooks, February 2004).
  www.redbooks.ibm.com/abstracts/sg246163.html
- Wikipedia on Lightweight Directory Access Protocol (LDAP):
  http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
- Rob Fox, Paul Godby, Moacyr Mallemont, "Configuring Domino to Be an LDAP Directory and to Use an LDAP Directory" (IBM Software Group). IBM presentation on configuring LDAP for Domino:
  www.slideshare.net/edsonlo/configuring-domino-to-be-an-ldap-directory-and-touse-an-ldap-directory

Summary
- LDAP is a standard protocol for directories used by all the major directory providers, so in general, no matter the provider, all LDAP servers are equal
- Many software products that do not have their own directories require connection to an LDAP source of some kind
- Using LDAP allows you to connect multiple systems together, all using the same directory source
- Domino can be an LDAP server, making its own directories available over the LDAP protocol to other clients and programs
- Domino can also connect to other LDAP servers using a Directory Assistance document
- Many IBM products now require or recommend the use of an LDAP directory, including Sametime, Connections, and Quickr
- Integrating LDAP into your solution can have a significant performance and security impact, which must be managed
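The LDIF format shown on the "LDIF Example Snippet" slide, read back into records as an added example in Python. This is not code from the presentation or from any of the ldapsearch/ldapadd/ldapmodify tools it names: it handles the three things an exported LDIF file will actually contain that the slide's snippet only hints at, namely multi-valued attributes (the repeated objectClass lines), folded continuation lines (a leading space) and base64 values (a double colon). The sample input is the slide's record minus its final, truncated line, plus a second record constructed here; parse_ldif() and find() are this example's own names.

```python
"""Added example (not from the presentation): a small reader for LDIF
content records (RFC 2849), handling multi-valued attributes, folded
continuation lines and base64 ('::') values."""
import base64

# The record from the "LDIF Example Snippet" slide (without its final,
# truncated line) plus a constructed second record that exercises folding
# and base64.
SAMPLE_LDIF = """\
dn: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gabriella Davis
sn: Davis
givenName: Gabriella
distinguishedName: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
displayName: Gabriella Davis
sAMAccountType: 805306368
userPrincipalName: gabriella@int.turtlepartnership.com

# constructed: a folded value and a base64-encoded value
dn: CN=Tim Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
objectClass: top
objectClass: person
cn: Tim Davis
sn: Davis
description: a long value that was wrapped
  onto a continuation line
displayName:: VGltIERhdmlz
"""

def _unfold(text):
    """Join continuation lines (leading space) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of records; each is a dict with 'dn' (str) and every
    other attribute mapped to a list of values."""
    records, current = [], None
    for line in _unfold(text):
        if not line.strip():             # blank line separates records
            if current:
                records.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):        # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):      # attr:< file URL, not supported here
            raise ValueError("URL-valued attribute not supported: %r" % line)
        else:
            value = value.strip()
        if name == "dn":
            if current is not None:
                raise ValueError("record missing blank-line separator")
            current = {"dn": value}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records

def find(records, attr, value):
    """DNs of records having attr=value, compared case-insensitively."""
    return [r["dn"] for r in records
            if value.lower() in (v.lower() for v in r.get(attr, []))]

if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(rec["dn"], "->", rec.get("objectClass"))
```

A reader like this is the first step for the "Exporting to LDIF" and Domino "Migrate Users" workflows the slides mention: the exported file is reviewed or transformed as records before ldapadd or ldapmodify loads it into the target directory.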