Exploring Directory Services
Need for DS
• Multiple servers, multiple services in a single network
  – Multiple servers for reliability, security, optimizing CPU usage
  – Impossible to handle separate administration on each server for all users
• DS brings organization to this clutter
  – All network information stored in the directory
    • Printers, folders, users, groups, servers
  – Eliminates duplicating information on different servers
    • No need to maintain a separate user list on all servers
    • Single directory service with a single set of users
  – Assign rights/privileges using the directory
More on DS
• Five important DS:
• NDS (runs on NetWare 4.x or higher)
  – Popular for the longest time
  – Provides a single directory for managing a multivendor network (eDirectory)
• ADS (Windows 2003 servers)
• Windows NT Domain
  – Not a full DS; provides some features
• X.500 Directory Access Protocol (DAP)
  – International standard directory
  – Provides too many features to be used
  – Deployment and management is difficult
• LDAP
  – Subset of X.500
  – NDS and ADS
Directory Structure
• (Inverted) tree-based organization
• Consists of three major types of objects:
  – Root
    • Represents the beginning of the tree
  – Containers
    • Can hold other containers or objects
    • Three types:
      – Country: uses a valid two-digit country code. C=
      – Organization: must have at least one. O=
      – Organizational Unit: OU=
  – Leaf
    • Represents the actual resource on the network
    • Entities such as printers, folders, users
    • Cannot contain other objects
• All objects on the tree have attributes/properties
DS management
• Replication:
  No directory -> no network.
  – Two approaches:
    • Primary/backup model
      – Backups can be promoted in the absence of the primary
    • Multimaster model
      – All servers are peers to one another
• Partition:
  – Different servers keep different parts of the directory
DS management
• Replicating:
  • Duplicate the DS database for redundancy
  • Improved performance: by reducing time to authenticate
  • Fault tolerance: authenticating when the master server is down
  • Reliability: by maintaining a separate copy
  • Synchronization & communication time overhead (-)
    – DS distributed over WAN
• Handling concurrent changes:
  – NDS: uses time stamps
  – ADS: uses sequence numbers
DS management
• Partitioning:
  – Reduce overhead of syncing the entire DS
  – Dividing the DS database, so that only part of the entire DS is replicated
    • Each LAN hosts its own partition and can still access the entire tree
    • Improved WAN performance
  – Typically not necessary for smaller networks on the same LAN
  – Windows 2003
    • Global catalog: controlling directory server managing the entire tree
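The replication and partitioning slides above describe servers that each hold part of the directory, replicate changes to peers, and settle concurrent writes either by time stamp (NDS) or by sequence number (ADS). The following is an added, constructed simulation of those rules; it is not code from NDS, eDirectory or Active Directory, and the server names, partition roots, clock skew and the simplified "highest sequence number wins" rule are assumptions made for illustration.

```python
"""Added example: a constructed simulation of partitioned, multimaster
replication with the two concurrent-change rules named on the slide
(time stamps vs. sequence numbers). Not code from NDS or Active Directory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    dn: str         # object modified
    attr: str       # attribute written
    value: str
    timestamp: int  # originating server's clock, which may be skewed
    usn: int        # originating server's update sequence number
    origin: str     # server that accepted the write


class Server:
    """A directory server holding a replica of exactly one partition."""

    def __init__(self, name, partition, clock_skew=0):
        self.name = name
        self.partition = partition.replace(" ", "").lower()
        self.clock_skew = clock_skew  # constructed: seconds this clock is off
        self.usn = 0
        self.changes = []

    def holds(self, dn):
        """The object is in this partition if its DN ends with the partition root."""
        return dn.replace(" ", "").lower().endswith(self.partition)

    def write(self, dn, attr, value, now):
        """Accept a local write; refuse objects outside the held partition."""
        if not self.holds(dn):
            raise ValueError(f"{self.name} holds no replica of {dn}")
        self.usn += 1
        change = Change(dn, attr, value, now + self.clock_skew, self.usn, self.name)
        self.changes.append(change)
        return change


def resolve(changes, policy):
    """Merge replicated changes into final attribute values.
    'timestamp' keeps the latest stamped write (NDS-style per the slide);
    'usn' keeps the highest sequence number (ADS-style per the slide, simplified).
    Ties are broken by origin name so the result is deterministic."""
    if policy == "timestamp":
        key = lambda c: (c.timestamp, c.origin)
    elif policy == "usn":
        key = lambda c: (c.usn, c.origin)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    state = {}
    for change in sorted(changes, key=key):
        state[(change.dn, change.attr)] = change.value  # later key wins
    return state


def run_scenario():
    """Two replicas of the EastCoast partition accept conflicting writes to
    the same attribute; the two policies choose different winners."""
    east_root = "OU=EastCoast, O=info, C=US"
    central = Server("central", east_root)
    east = Server("east", east_root, clock_skew=+10)  # east's clock runs 10 s fast
    user = "CN=foo, OU=Engg, " + east_root

    # central has been busy: three earlier writes push its USN to 3
    for i in range(3):
        central.write(user, "description", f"rev{i}", now=90 + i)
    central.write(user, "phone", "111", now=100)   # usn 4, stamp 100
    east.write(user, "phone", "222", now=95)       # usn 1, stamp 105 (skewed)

    merged = central.changes + east.changes
    return {
        policy: resolve(merged, policy)[(user, "phone")]
        for policy in ("timestamp", "usn")
    }


def partition_enforced():
    """Writes for objects outside a server's partition are rejected."""
    west = Server("west", "OU=WestCoast, O=info, C=US")
    try:
        west.write("CN=foo, OU=Engg, OU=EastCoast, O=info, C=US", "phone", "333", now=100)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario())        # {'timestamp': '222', 'usn': '111'}
    print(partition_enforced())  # True
```

The scenario shows why the slide's "synchronization overhead (-)" matters operationally: with a skewed clock the time-stamp rule lets the east write win, while the sequence-number rule lets the busier central server win, so the same pair of writes converges to different values depending on the rule in force.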
Tree Models
• Single-site networks
  – Multiple servers on a single LAN
• Multisite, geographically designed trees
  – OU = regional offices, branch offices within region
  – Easier to share resources on a regional basis
• Multisite, function-based networks
  – Containers represent functional areas
  – Resource sharing within regions becomes difficult
  – Failure could affect other OUs
• Multisite, star-configured networks
  – Network partitioned into satellite units
  – Partitions replicated to central site
  – Synchronized from central to other sites
  – Heavy dependence on central site
DS Trees
• Defining factors
  – Cost and efficiency of the WAN links
  – Amount of DS information to be transferred over the links
• DS challenge:
  – Using a single DS to handle multiple NOS on the same network
Useful tips to plan a tree
• Place users & the resources they use in close proximity
• Use aliases, roles, groups, profiles
• Avoid excessive sub-categorization
• “Rights flow down” eases administration
• Consider the impact of partition & replication on network performance
Novell Directory Service
– Uses the Master/Slave model
– Easily handles hundreds of servers and millions of users
– Can manage other NOS like Windows 2k, Unix, Linux
– Tree can be managed from workstations using graphical or text-based tools (NetAdmin)
– ConsoleOne: latest Java-based management tool
Active Directory Service
• Runs on Windows 2000/2003/2008
• Fully compatible with LDAP v2 and v3
• Tightly integrated with DNS
• Multimaster model
  – All domain controllers are full participants
• Allows forests: group of trees
  – Each tree has its own domain and domain controllers
• No more trust relationships
• Two modes
  – Mixed (compatibility with NT servers)
  – Native mode (all 2000-based systems)
Windows NT Domain
• Breaks an organization into chunks called domains
• Controlled by PDC and BDCs
  – BDC can be promoted or demoted
• Four possible models
  – Single-domain model
  – Master domain model
  – Multiple master domain model
  – Complete trust model
• Trust becomes very difficult to manage in case of large numbers of domains
X.500
• Developed by ITU and OSI
• A standard that can be used by the entire internet
• Complex and extensive functionality
• Example DN: CN=foo, OU=Engg, OU=EastCoast, O=info, C=USA
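The X.500 distinguished name above is the naming form implied by the Directory Structure slide: the leaf (CN) sits at the left, the country container at the right, and the implicit root above everything. As an added example that is not part of the original notes, the parser below reads such a DN, reconstructs the root-to-leaf tree path, and enforces the slide's container rules (C/O/OU are the only containers, at least one O=, and a leaf cannot contain anything). The CN-as-leaf convention, the choice to check C= as a two-letter code, and the sample DNs are assumptions; note that the page's own DN uses C=USA, which that two-character rule rejects, so the passing sample uses C=US.

```python
"""Added example: parse a distinguished name like the one on this page and
check it against the container/leaf rules from the Directory Structure slide.
Constructed illustration code, not taken from any directory product."""

CONTAINER_TYPES = {"C", "O", "OU"}
LEAF_TYPES = {"CN"}  # assumption: CN names the leaf object in these examples


def parse_dn(dn):
    """Split 'CN=foo, OU=Engg, O=info, C=US' into (type, value) pairs,
    ordered leaf-first exactly as written (no support for escaped commas)."""
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        typ, val = part.split("=", 1)
        typ, val = typ.strip().upper(), val.strip()
        if not typ or not val:
            raise ValueError(f"empty type or value in RDN: {part.strip()!r}")
        rdns.append((typ, val))
    return rdns


def tree_path(dn):
    """Return the path from the (implicit) root down to the leaf, raising
    ValueError when the DN violates the rules stated on the slide:
    - containers are C, O, OU; a leaf cannot contain other objects
    - C= holds a two-character country code (the slide says two-digit;
      this check assumes letters, e.g. US)
    - at least one O= container is required
    """
    path = list(reversed(parse_dn(dn)))  # root side first
    below_leaf = False
    org_count = 0
    for typ, val in path:
        if below_leaf:
            raise ValueError(f"leaf objects cannot contain other objects: {typ}={val}")
        if typ in LEAF_TYPES:
            below_leaf = True
        elif typ == "C":
            if len(val) != 2 or not val.isalpha():
                raise ValueError(f"C= must be a two-character country code, got {val!r}")
        elif typ == "O":
            org_count += 1
        elif typ not in CONTAINER_TYPES:
            raise ValueError(f"unknown object type {typ!r}")
    if org_count == 0:
        raise ValueError("at least one O= container is required")
    return ["[root]"] + [f"{t}={v}" for t, v in path]


def check_dn(dn):
    """Convenience wrapper: return (ok, path) or (False, error message)."""
    try:
        return True, tree_path(dn)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for sample in (
        "CN=foo, OU=Engg, OU=EastCoast, O=info, C=US",     # valid
        "CN=foo, OU=Engg, OU= EastCoast, O=info, C= USA",  # the page's DN: C= has three letters
        "OU=Engg, CN=foo, O=info, C=US",                   # container placed beneath a leaf
        "CN=foo, OU=Engg, C=US",                           # no O= container
    ):
        print(sample, "->", check_dn(sample))
```

Reversing the written order is the whole trick: once the RDNs are read root-first, each structural rule becomes a single pass over the path, which is also the order a directory walks when resolving the name.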
LDAP
• Developed by a consortium of companies
• Subset of X.500
  – Fewer fields and functions than X.500
• Four basic models:
  – Information model
    • Defines the structure of data stored in the directory
  – Naming model
    • Defines how to reference and organize the data
  – Functional model
    • Defines how to work with the data
  – Security model
    • Defines how to secure the data