HP UX Direry Server 140

For more information about macro ACIs, refer to the HP-UX Directory Server administrator guide.

Example Corp. adds the following access controls to support its extranet:

•Example Corp. decides to use certificate-based authentication for all extranet activities. When people log in to the extranet, they need a digital certificate. The directory is used to store the certificates. Because the directory stores the certificates, users can send encrypted email by looking up public keys stored in the directory.

•Example Corp. creates an ACI that forbids anonymous access to the extranet. This protects the extranet from denial of service attacks.

•Example Corp. wants updates to the directory data to come only from an Example Corp. hosted application. This means that partners and suppliers using the extranet can only use the tools provided by Example Corp. Restricting extranet users to Example Corp.'s preferred tools allows Example Corp. administrators to use the audit logs to track the use of the directory and limits the types of problems that can be introduced by extranet users outside of Example Corp. International.

140 Directory design examples

Contents

HP-UXDirectory Server Version Page Table of Contents 1 Introduction to directory services 2 Planning the directory data 3 Designing the directory schema 4 Designing the directory tree 5 Designing the directory topology 6 Designing the replication process 7 Designing synchronization 8 Designing a secure directory 9 Directory design examples 10 Support and other resources Index 1 Introduction to directory services 1.1 About directory services 1.2 Introduction to Directory Server NOTE: Directory Server runs as a daemon; the process is ns-slapd 1.2.2 Server plug-insoverview Directory Server plug-in reference 1.2.3 Overview of the basic directory tree 1.3 Directory Server data storage 1.3.1.1 Performing queries on directory entries 1.4 Directory design overview 1.4.1Design process outline 1.Chapter 2 “Planning the directory data” 2.Chapter 3 “Designing the directory schema” 3.Chapter 4 “Designing the directory tree” 4.Chapter 5 “Designing the directory topology” 1.5 Other general directory resources Page 2 Planning the directory data 2.1 Introduction to directory data 2.2 Defining directory needs 2.3Performing a site survey •Determine data ownership •Determine data access •Document the site survey 2.3.1 Identifying the applications that use the directory •Directory browser applications, such as online telephone books •Email applications, especially email servers •Directory-enabledhuman resources applications •Microsoft Active Directory 2.3.2Identifying data sources •Identify organizations that provide information •Identify the tools and processes that are information sources •Determine how centralizing each piece of data affects the management of data Table 2.3.4 Determining level of service 2.3.5 Considering a data master •Replication among Directory Servers •Synchronization between Directory Server and Active Directory •Independent client applications which access the Directory Server data 2.3.6 Determining data ownership Allow •Create roles that give groups of people read or write access privileges “Grouping directory entries” 2.3.7 Determining data access For each piece of information stored in the directory, decide the following: •Can the data be read anonymously •Can the data be read widely across the enterprise For more information about access controls, see “Designing access control” 2.4 Documenting the site survey 2.5Repeating the site survey Page 3 Designing the directory schema 3.1 Schema design process overview 3.2 Standard schema This schema entry states the object identifier, or OID, for the class ), the name of the object class 3.2.2 Standard attributes cn: Babs Jensen In the schema, each attribute definition contains the following information: •A unique name •An object identifier (OID) for the attribute 3.2.3 Standard object classes Directory Server Schema Reference Object class definitions contain the following information: •An object identifier (OID) that names the object •A set of mandatory attributes 3.3 Mapping the data to the default schema 3.4 Customizing the schema 3.4.1 When to extend the schema 3.4.2 Getting and assigning object identifiers 3.4.3Naming attributes and object classes 3.4.4 Strategies for defining new object classes For example, suppose an administrator wants to create the attributes , and One object class , is created and allows and 3.4.5 Strategies for defining new attributes Directory Server Schema Guide dateOfBirth 3.4.6 Deleting schema elements 3.4.7 Creating custom schema files 3.4.8.1 Naming schema files 3.4.8.2Using 'user defined' as the origin 3.4.8.3Defining attributes before object classes 3.4.8.4Defining schema in a single file 3.5 Maintaining consistent schema 3.5.1 Schema checking For example, if an entry is defined to use the object class, then the common name ) and surname 3.5.2 Selecting consistent data formats 3.6Other schema resources 4 Designing the directory tree 4.1 Introduction to the directory tree 4.2 Designing the directory tree 4.2.1.1 Suffix naming conventions 4.2.1.2 Naming multiple suffixes 4.2.2.1Branching the directory 4.2.2.2 Identifying branch points Figure 4-5Directory tree for example isp o=example, c=US Consider the following when choosing attributes for the branch points: •Be consistent Try to use only the traditional attributes (shown in 4.2.2.3 Replication considerations 4.2.2.4 Access control considerations 4.2.3.1Naming person entries 4.2.3.2Naming group entries 4.2.3.3 Naming organization entries 4.2.3.4Naming other kinds of entries 4.3 Grouping directory entries nsRoleDN 4.3.2Deciding between roles and groups 4.3.3 About class of service facsimileTelephoneNumber Each CoS is comprised of the several entries in the directory: •A service class attribute value stored with the entry 4.4 Virtual directory information tree views Figure 4-10Examples of a flat and an organizationally-basedDIT nsview nsviewfilter Page Figure 4-12A DIT with a virtual DIT view hierarchy •The sub-tree ou=People contains the real Entry A and Entry B entries •The sub-tree ou=Location Views is a view hierarchy The leaf nodes 4.4.2Advantages of using virtual DIT views The deployment decisions become easier with virtual DIT views because: Virtual DIT view hierarchies can be created as a kind of 4.4.3Example of virtual DIT views A subtree search based at would return all entries below which match the filters , or 4.4.4 Views and other directory features 4.4.5 Effects of virtual views on performance 4.4.6 Compatibility with existing applications 4.5Directory tree design examples 4.6 Other directory tree resources Page 5 Designing the directory topology 5.1 Topology overview 5.2 Distributing the directory data 5.2.1 About using multiple databases 5.2.2 About suffixes 5.3 About knowledge references 5.3.1.1 The structure of an LDAP referral 5.3.1.2 About default referrals 5.3.1.3 Smart referrals Page 5.3.1.4 Tips for designing smart referrals 5.3.2 Using chaining Database links provide the following features: •Invisible access to remote data •Dynamic management •Access control 5.3.3.1 Usage differences 5.3.3.2 Evaluating access controls Figure 5-12Sending a client request to a server using chaining In the illustration above, the following steps are performed: 3.Server B sends an acceptance response to Server A Figure 5-13Authenticating a client and retrieving data using different servers In this illustration, the following steps are performed: 5.4Using indexes to improve database performance •International index •Browsing index or virtual list view (VLV) index 5.4.2Evaluating the costs of indexing •Indexes increase the time it takes to modify entries •Index files use disk space •Index files use memory •Index files take time to create Page 6 Designing the replication process 6.1 Introduction to replication 6.1.1.1 Unit of replication 6.1.1.2 Read-writeand read-onlyreplicas 6.1.1.3 Suppliers and consumers 6.1.1.4 Replication and changelogs 6.1.1.5 Replication agreement 6.2Common replication scenarios •“Single-masterreplication” •“Multi-masterreplication” •“Cascading replication” •“Mixed environments” 6.2.1Single-masterreplication Figure 6-1 Single-masterreplication 6.2.2 Multi-masterreplication Page Figure 6-4 Multi-masterreplication configuration B (four suppliers) 6.2.3 Cascading replication Page 6.2.4 Mixed environments 6.3 Defining a replication strategy See “Using replication for local availability” for more information See “Using replication for load balancing” for more information 6.3.1 Conducting a replication survey •The number and size of the entries stored in the directory service 6.3.2 Replicated selected attributes with fractional replication Fractional replication is particularly useful in the following situations: 6.3.3 Replication resource requirements 6.3.4Managing disk space required for multi-masterreplication cn=replica suffixDN nsDS5ReplicaTombstonePurgeInterval 6.3.5 Replication across a wide-areanetwork •Use a T-1or faster Internet connection for the network When creating agreements for replication over a 6.3.6Using replication for high availability 6.3.7 Using replication for local availability Use replication for local availability for the following reasons: •To keep a local master copy of the data •To mitigate unreliable or intermittently available network connections 6.3.8Using replication for load balancing 6.3.8.1 Example of network load balancing 6.3.8.2Example of load balancing for improved performance 6.3.8.3Example replication strategy for a small site 6.3.8.4Example replication strategy for a large site 6.4 Using replication with other Directory Server features Figure 6-10Replicating chained databases 6.4.4 Schema replication WARNING See “Creating custom schema files” for more information 6.4.5 Replication and synchronization 7 Designing synchronization 7.1 Windows synchronization overview 7.2 Planning windows synchronization •The number and size of the entries stored in the directory 7.2.2 Managing disk space for the changelog cn=changelog5 The other two attributes are under the synchronization agreement entry in sync_agreement 7.2.3 Defining the connection type 7.2.5 Determining the subtree to synchronize 7.2.6 Interaction with a replicated environment Figure 7-1 Multi-masterDirectory Server — Windows domain synchronization 7.2.7 Identifying the directory data to synchronize •Contact information for trading partners, clients, and customers •User’s software preferences or software configuration information •Group information and group membership 7.3Schema elements sycnhronized between Active Directory and Directory Server ntDomainUser samAccountName User entries only “User schema that are the same in Directory Server and Windows servers” “User schema mapped between Directory Server and Active Directory” 7.3.2.1 Values for cn attributes 7.3.2.2 Password policies 7.3.2.3 Values for street and streetAddress 7.3.2.4Contraints on the initials attribute 7.3.4 Group schema differences between Directory Server and Active Directory 8 Designing a secure directory 8.1 About security threats 8.2 Analyzing security needs 8.3Overview of security methods 8.4 Selecting appropriate authentication methods command 8.4.2 Simple password 1.The user enters a unique identifier, such as a user ID (for example, fchen) 8.4.3 Certificate-basedauthentication For more information about certificates and SSL, see the Administrator's Guide 8.4.4 Simple password over SSL/TLS 8.4.5 Simple authentication and security layer 8.4.6 Proxy authentication 8.5 Preventing authentication by account deactivation 8.6 Designing a password policy nsslapd-pwpolicy-local ns-newpwpolicy.pl To determine whether the off Page Page 8.6.2.1 Password change after reset 8.6.2.2User-definedpasswords 8.6.2.3Password expiration 8.6.2.4Expiration warning 8.6.2.5Grace login limit 8.6.2.6Password syntax checking 8.6.2.7Password length 8.6.2.8Password minimum age 8.6.2.9Password history 8.6.2.10 Password storage schemes 8.7 Designing access control 8.7.1.1 Targets 8.7.1.2 Permissions 8.7.1.3 Bind rules 8.7.2.1 The precedence rule 8.7.2.2 Allowing or denying access 8.7.2.3 When to deny access 8.7.2.4Where to place access control rules 8.7.2.5 Using filtered access control rules Create an attribute on every user's directory entry called publishHomeContactInfo 8.7.3 Viewing ACIs: Get effective rights ldapsearch title salary homePostalAddress 8.7.4 Using ACIs: Some hints and tricks •Minimize the number of ACIs in the directory 8.8Database encryption 8.9 Securing server to server connections 8.10 Other security resources 9 Directory design examples 9.1 Design example: A local enterprise 9.1.3 Local enterprise directory tree design 9.1.4.1 Database topology 9.1.5.1 Supplier architecture 9.1.5.2 Supplier consumer architecture Figure 9-5Supplier and consumer architecture for Example Corp 9.1.6 Local enterprise security design •They create an ACI that allows employees to modify their own entries manager department This ACI denies anonymous write access to password information 9.2 Design example: A multinational enterprise and its extranet 9.2.1 Multinational enterprise data design 9.2.2Multinational enterprise schema design exampleSupplier examplePartner exampleSupplierID Page 9.2.4.1 Database topology 9.2.4.2 Server topology Page 9.2.5.1 Supplier architecture Page 9.2.6 Multinational enterprise security design Page 10 Support and other resources 10.1 Contacting HP 10.2 Related information •HP-UXDirectory Server administration server guide •HP-UXDirectory Server configuration, command, and file reference 10.2.2 HP-UXdocumentation set •HP-UX11i v3 Operating Environments: http://docs.hp.com/en/oshpux11iv3.html •HP-UX11i v2 Operating Environments: http://docs.hp.com/en/oshpux11iv2.html 10.3 Typographic conventions Page Glossary bind See bind DN bind DN bind rule branch entry CoS definition entry affects CoS template Contains a list of the shared attribute values file type extension (for example, .GIF or .HTML) filter filtered role role LDAP and across multiple platforms LDAP client Software used to request and view LDAP entries from an LDAP Directory Server See also browser determine which server holds the most recent version multiplexor n+1 directory problem resulting in increased hardware and personnel costs presence index Allows searches for entries that contain a specific indexed attribute protocol A set of rules that describes how devices on a network exchange information protocol data unit SASL Simple Authentication and Security Layer schema access the directory may be unable to display the proper results superuser privileges to all files on the machine. Also called root supplier servers supplier server Page Index