The Integration of LDAP into the Messaging Infrastructure at CERN

Ray Jackson

CERN / IT-IS Group

29th Nov 2000 - CERN IT Auditorium, bldg. 31, 3-005

Roadmap

Introduction to LDAP

LDAP vs. Traditional Databases

How we use LDAP today

Future projects using LDAP

Introduction to LDAP

“Lightweight Directory Access Protocol”

Official Internet Standard Protocol for Accessing Directories (IETF)

TCP/IP implementation of X.500 Information Model (Hierarchical, Attribute-Value)

V3 Enhancements: Security, Distribution…

Replaces proprietary protocols with an ‘open’ protocol (like SMTP & IMAP for e-mail)

How is LDAP organised?

‘Root’ (starting place/source of the tree)

Countries (or TLD e.g. com,org,net)

Organizations (CERN)

Organizational units (departments etc.)

Individuals (includes people, files, and shared resources such as printers)

e.g. cn=Ray Jackson,ou=People,o=cern,c=ch

Example of an LDAP tree

Why do we need LDAP?

Everyone is using it already!

Wide industry support (Microsoft, Novell, Netscape, Oracle etc.)

The only successful ‘open’ DAP standard

Simple, highly scalable, robust

No viable ‘open’ alternatives

Powerful features of LDAP

Very fast search/read access (5k+ p.s)

Flexibility (design & implementation)

Highly Scalable (using referrals)

Platform independent

Secure (v.3+ SSL, Kerberos)

Broad industry support (MS Act Dir, Oracle, Novell, Netscape etc.)

LDAP operations

Bind: Identify & authenticate client

Search: Find entries matching criteria

Add: Create a new entry

Delete: Remove an entry

Modify: Add,remove,modify an entry’s attribute

ModifyDN: Move an entry in the tree

Others: Application specific operations…

LDAP vs. Relational Databases

LDAP does NOT have transactions, rollbacks, multi-table queries, views & joins

Greater speed & lower cost

Few overheads, simpler data model

Easier management & implementation

Hierarchical rather than relational

LDAP indexed for very fast searches/reads but slower writes (5000 reads, 50 writes p.s)

LDAP Schema definitions

Objectclasses – A collection of attributes which make up an objectclass

Attributes – A description of the type of data stored (e.g. givenName = cis / multiple)

Standard & User defined. e.g. Object: person vs. cernperson & Attribute: cn vs CCID.

Inheritance from superior objectclass

Multiple or single allowed attributes

Require vs. Allowed attributes

Example of an objectclass

objectclass person

        oid 2.5.6.6

        superior top

        requires

                sn,

                cn

        allows

                description,

                seeAlso,

                telephoneNumber,

                userPassword

LDIF the language of LDAP

LDIF (LDAP Data Interchange Format)

Used to create,remove and modify entries in an LDAP directory

Very simple (text based definitions)

Can store binaries (e.g. JPEG) in base64 encoding

Usually used to initially build an LDAP directory and maintain via the command-line

Example using LDIF

dn: cn=Fred Bloggs, ou=People, o=exampleorg,c=ch

   objectClass: top

   objectClass: person

   objectClass: organizationalPerson

   objectClass: inetOrgPerson

   cn: Fred Bloggs

   sn: Bloggs

   givenName: Frederic

   mail: Fred.Bloggs@exampleorg.ch

   userPassword: {crypt}KDIE3AL9DK

   ou: Accounting

   ou: people

   telephoneNumber: 54321

   roomNumber: 220

Security in LDAP

Access control information (ACI’s usually linked to Group definitions)

LDAPS protocol running on top of SSL

Passwords stored in Unix crypt, SHA or text (user defined)

Certificates (Public key cryptography)

Plug-ins available (e.g. Kerberos)

LDAP at CERN

Address Book and White Pages

Address auto-completion

Listbox Web Interface (SIMBA)

Calendar Pilot Service (50+ users)

Netscape Roaming Pilot Service (40+ users)

Web authentication (Archives, interface)

PAM authentication (System Level)

Message routing in sendmail

CERN Address Books

32,000+ people (15,000+ external)

Mixture of CCDB entries and Listbox users

Mailing List & Services Addressbooks

HEP Global addressbook (o=hep)

Supported by Netscape, Pine, Eudora and Outlook

Web based search engines (Currently test only – possibility of xwho data in future?)

CERN’s Address Book

Netscape Address Book Feature

http://cern.ch/whitepages

SIMBA - Listbox Web Interface

2,200+ mailing lists stored on LDAP

700+ list owners 32,000+ list users

ALL info related to mailing lists now on LDAP (members, configuration etc.)

Huge improvement on Mowgli (better security, more functionality etc.)

Authentication for all 32,000 users using LDAP authentication

LDAP makes searching for listbox data easy and fast!

SIMBA Listbox Web Interface

https://wwwlistbox.cern.ch

Web authentication & LDAP

All major web servers can support LDAP for authentication (Apache, IIS, E’prise)

Based on ‘group’ ACL’s e.g. ou=it-div-is

Simple to setup and configure (Used extensively in secure web archiving)

Does not require physical accounts to be created on an OS. (few lines of LDIF only)

ACL’s can be easily created based on data in LDAP from CCDB and HR (e.g. division, group, status, mailing list membership etc.)

Web authentication - Archives

https://wwwlistbox.cern.ch/earchive/proj-ldap

PAM authentication

“Plugable-authentication Modules”

Available for numerous UNIX platforms (Solaris, Linux, HP etc.) – pam.conf

Can store most /etc data on LDAP (passwd/shadow, group, fstab, mail alias, protocol, rpc, service, host etc.)

No duplication of accounts and group data across machines (synchronisation issues)

Already used in authenticated SMTP service.

Example of PAM data on LDAP

dn: cn=Ray Jackson,ou=People,o=cern,c=ch

objectclass: posixAccount

uid: rjackson

userpassword: {crypt}G51j29jsl09

loginshell: /usr/local/bin/bash

uidnumber: 416

gidnumber: 10

homedirectory: /homedir/r/rjackson

gecos: Ray Jackson

account: mail4

Message routing in sendmail

Not just sendmail (Sun, Netscape etc.)

Very fast lookups for mail routing

Takes the load off the mail servers!

Simple, dynamic and immediate updates

Single source of routing data rather than distribution to 10+ machines

Synchronisation and update delays eliminated

Highly scalable (millions of addresses possible – ISP’s using LDAP already for routing)

Example of routing in LDAP

dn: cn=Ray Jackson,ou=People,o=cern,c=ch

mail: Ray.Jackson@cern.ch

objectclass: inetLocalMailRecipient

mailHost: mail4.cern.ch

mailRoutingAddress: rjackson@mail4.cern.ch

mailLocalAddress: Ray.Jackson@cern.ch

mailLocalAddress: rjackson@mail.cern.ch

mailLocalAddress: Raymond.Jackson@cern.ch

mailLocalAddress: ldap.support@cern.ch

LDAP Referrals and Scalability!

Referrals already used in HEP address book.

All LDAP v3.x clients support referrals. (Netscape, Outlook etc.)

Referral returns to client the address of another LDAP server to contact to fetch data.

Completely transparent to user. (Sees single directory not concerned with multiple servers)

Potentially scalable to millions of objects on dozens of servers.. Searches made in parallel.

Referral illustration

Use of referrals at CERN

Replication (slurpd)

Replication and Indexing

Now standards exist for replicating data between different LDAP servers

Changes on one server propagated to others. (Master to Slaves mechanism)

Fault tolerance - Single point of failure so replication provides redundancy, transparancy & reliability

Used with “DNS round-robin” you can provide a VERY reliable directory service and achieve load balancing.

CERN – work in progress (LDAP1, LDAP2)

Replication illustration

Other applications of LDAP

No limits to what can be achieved thanks to API’s in Java, C, Perl etc.

Store serialised Java objects on LDAP

Hardware - Network routers etc.

Shared Folders

Archive Information (Catalog data)

NT synchronisation with Unix for authentication etc.

Any search/read intensive application can benefit from the power of LDAP

The future is LDAP!

Industry experts believe LDAP is key to any Inter-networked directory infrastructure

LDAP is the ONLY protocol which interconnects different vendor-driven directory services

All major vendors are pushing towards LDAP now (MS, Novell, Oracle, Sun, Netscape, IBM, HP etc.)

Even hardware vendors are using LDAP in their products (Cisco use LDAP for routing)

Ignore LDAP at your peril!!!

Future of LDAP at CERN

Separating the service from the data!

Move all user,listbox,group data OFF the 10+ mail servers and onto LDAP

Eliminate the need for duplication of data and synchronisation problems.

Retain backup ‘server’ side flat-files as a backup if LDAP goes wrong!

Provide simple web access to mail information (inc. web-mail based on LDAP)


	Ray Jackson
	CERN / IT-IS Group

	29th Nov 2000 - CERN IT Auditorium, bldg. 31, 3-005


	Introduction to LDAP
	LDAP vs. Traditional Databases
	How we use LDAP today
	Future projects using LDAP


	“Lightweight Directory Access Protocol”
	Official Internet Standard Protocol for Accessing Directories (IETF)
	TCP/IP implementation of X.500 Information Model (Hierarchical, Attribute-Value)
	V3 Enhancements: Security, Distribution…
	Replaces proprietary protocols with an ‘open’ protocol (like SMTP & IMAP for e-mail)


	‘Root’ (starting place/source of the tree)
	Countries (or TLD e.g. com,org,net)
	Organizations (CERN)
	Organizational units (departments etc.)
	Individuals (includes people, files, and shared resources such as printers)
		e.g. cn=Ray Jackson,ou=People,o=cern,c=ch


	Everyone is using it already!
	Wide industry support (Microsoft, Novell, Netscape, Oracle etc.)
	The only successful ‘open’ DAP standard
	Simple, highly scalable, robust
	No viable ‘open’ alternatives


	Very fast search/read access (5k+ p.s)
	Flexibility (design & implementation)
	Highly Scalable (using referrals)
	Platform independent
	Secure (v.3+ SSL, Kerberos)
	Broad industry support (MS Act Dir, Oracle, Novell, Netscape etc.)


	Bind: Identify & authenticate client
	Search: Find entries matching criteria
	Add: Create a new entry
	Delete: Remove an entry
	Modify: Add,remove,modify an entry’s attribute
	ModifyDN: Move an entry in the tree
	Others: Application specific operations…


	LDAP does NOT have transactions, rollbacks, multi-table queries, views & joins
	Greater speed & lower cost
	Few overheads, simpler data model
	Easier management & implementation
	Hierarchical rather than relational
	LDAP indexed for very fast searches/reads but slower writes (5000 reads, 50 writes p.s)


	Objectclasses – A collection of attributes which make up an objectclass
	Attributes – A description of the type of data stored (e.g. givenName = cis / multiple)
	Standard & User defined. e.g. Object: person vs. cernperson & Attribute: cn vs CCID.
	Inheritance from superior objectclass
	Multiple or single allowed attributes
	Require vs. Allowed attributes


	objectclass person
	oid 2.5.6.6
	superior top
	requires
	sn,
	cn
	allows
	description,
	seeAlso,
	telephoneNumber,
	userPassword


	LDIF (LDAP Data Interchange Format)
	Used to create,remove and modify entries in an LDAP directory
	Very simple (text based definitions)
	Can store binaries (e.g. JPEG) in base64 encoding
	Usually used to initially build an LDAP directory and maintain via the command-line


	dn: cn=Fred Bloggs, ou=People, o=exampleorg,c=ch
	objectClass: top
	objectClass: person
	objectClass: organizationalPerson
	objectClass: inetOrgPerson
	cn: Fred Bloggs
	sn: Bloggs
	givenName: Frederic
	mail: Fred.Bloggs@exampleorg.ch
	userPassword: {crypt}KDIE3AL9DK
	ou: Accounting
	ou: people
	telephoneNumber: 54321
	roomNumber: 220


	Access control information (ACI’s usually linked to Group definitions)
	LDAPS protocol running on top of SSL
	Passwords stored in Unix crypt, SHA or text (user defined)
	Certificates (Public key cryptography)
	Plug-ins available (e.g. Kerberos)


	Address Book and White Pages
	Address auto-completion
	Listbox Web Interface (SIMBA)
	Calendar Pilot Service (50+ users)
	Netscape Roaming Pilot Service (40+ users)
	Web authentication (Archives, interface)
	PAM authentication (System Level)
	Message routing in sendmail


	32,000+ people (15,000+ external)
	Mixture of CCDB entries and Listbox users
	Mailing List & Services Addressbooks
	HEP Global addressbook (o=hep)
	Supported by Netscape, Pine, Eudora and Outlook
	Web based search engines (Currently test only – possibility of xwho data in future?)


	2,200+ mailing lists stored on LDAP
	700+ list owners 32,000+ list users
	ALL info related to mailing lists now on LDAP (members, configuration etc.)
	Huge improvement on Mowgli (better security, more functionality etc.)
	Authentication for all 32,000 users using LDAP authentication
	LDAP makes searching for listbox data easy and fast!


	All major web servers can support LDAP for authentication (Apache, IIS, E’prise)
	Based on ‘group’ ACL’s e.g. ou=it-div-is
	Simple to setup and configure (Used extensively in secure web archiving)
	Does not require physical accounts to be created on an OS. (few lines of LDIF only)
	ACL’s can be easily created based on data in LDAP from CCDB and HR (e.g. division, group, status, mailing list membership etc.)


	“Plugable-authentication Modules”
	Available for numerous UNIX platforms (Solaris, Linux, HP etc.) – pam.conf
	Can store most /etc data on LDAP (passwd/shadow, group, fstab, mail alias, protocol, rpc, service, host etc.)
	No duplication of accounts and group data across machines (synchronisation issues)
	Already used in authenticated SMTP service.


	dn: cn=Ray Jackson,ou=People,o=cern,c=ch
	objectclass: posixAccount
	uid: rjackson
	userpassword: {crypt}G51j29jsl09
	loginshell: /usr/local/bin/bash
	uidnumber: 416
	gidnumber: 10
	homedirectory: /homedir/r/rjackson
	gecos: Ray Jackson
	account: mail4


	Not just sendmail (Sun, Netscape etc.)
	Very fast lookups for mail routing
	Takes the load off the mail servers!
	Simple, dynamic and immediate updates
	Single source of routing data rather than distribution to 10+ machines
	Synchronisation and update delays eliminated
	Highly scalable (millions of addresses possible – ISP’s using LDAP already for routing)


	dn: cn=Ray Jackson,ou=People,o=cern,c=ch
	mail: Ray.Jackson@cern.ch
	objectclass: inetLocalMailRecipient
	mailHost: mail4.cern.ch
	mailRoutingAddress: rjackson@mail4.cern.ch
	mailLocalAddress: Ray.Jackson@cern.ch
	mailLocalAddress: rjackson@mail.cern.ch
	mailLocalAddress: Raymond.Jackson@cern.ch
	mailLocalAddress: ldap.support@cern.ch


	Referrals already used in HEP address book.
	All LDAP v3.x clients support referrals. (Netscape, Outlook etc.)
	Referral returns to client the address of another LDAP server to contact to fetch data.
	Completely transparent to user. (Sees single directory not concerned with multiple servers)
	Potentially scalable to millions of objects on dozens of servers.. Searches made in parallel.


	Replication and Indexing
		Now standards exist for replicating data between different LDAP servers
	Changes on one server propagated to others. (Master to Slaves mechanism)
	Fault tolerance - Single point of failure so replication provides redundancy, transparancy & reliability
	Used with “DNS round-robin” you can provide a VERY reliable directory service and achieve load balancing.
	CERN – work in progress (LDAP1, LDAP2)


	No limits to what can be achieved thanks to API’s in Java, C, Perl etc.
	Store serialised Java objects on LDAP
	Hardware - Network routers etc.
	Shared Folders
	Archive Information (Catalog data)
	NT synchronisation with Unix for authentication etc.
	Any search/read intensive application can benefit from the power of LDAP


	Industry experts believe LDAP is key to any Inter-networked directory infrastructure
	LDAP is the ONLY protocol which interconnects different vendor-driven directory services
	All major vendors are pushing towards LDAP now (MS, Novell, Oracle, Sun, Netscape, IBM, HP etc.)
	Even hardware vendors are using LDAP in their products (Cisco use LDAP for routing)
	Ignore LDAP at your peril!!!


	Separating the service from the data!
	Move all user,listbox,group data OFF the 10+ mail servers and onto LDAP
	Eliminate the need for duplication of data and synchronisation problems.
	Retain backup ‘server’ side flat-files as a backup if LDAP goes wrong!
	Provide simple web access to mail information (inc. web-mail based on LDAP)