everything ldap - Connections 101.net

EVERYTHING LDAP
Gabriella Davis
[email protected]
Agenda
What is LDAP?
LDAP structure and behavior
Domino and LDAP
LDAP tools
Notes as an LDAP client
IBM Lotus Sametime, Quickr, Connections, and LDAP
LDAP security – risks and mitigation
LDAP performance tuning
Wrap-up
What Is LDAP?
Lightweight Directory Access Protocol
Standard “language” for reading and writing to directories
Adopted as a directory protocol by most large providers
IBM Tivoli Directory Server
Sun One
Novell eDirectory
Microsoft Active Directory
If you want to connect two systems together and use a single directory, you
will be using LDAP
If you want to have a central directory used by many different systems, you
will be using LDAP
Why Do We Need LDAP?
Directories are central to everything we do
They identify people and things that exist in our world and what
they do
They identify the hierarchy of those people and things
Without a directory we would have no audience for our applications –
everyone would be anonymous
If everyone is anonymous, then everyone is also identical and we
can’t create a custom experience
LDAP Structure and Behaviour
LDAP Queries and How They Work
In most cases, the “client” will be a server acting on behalf of a user of its
software
LDAP Behavior
What happens when a client performs an LDAP query?
The client asks for the directory by hostname
E.g., ldap.theview.com
Connect to the directory over TCP
LDAP uses port 389 by default, which is unencrypted, or port 636 for LDAP over SSL
Search the directory for the directory entries you need
E.g., “all people with a last name of Davis”
Take the values from those directory entries
E.g., “give me the email address of everyone you found”
Terms That Come Up a Lot
When Working with LDAP
LDAP Server – host server
Directory Services Agent – the service you connect to
Bind – how you connect to the directory, using what credentials and over
what port
Schema – the definition of the directory and the objects within it
Directory Information Tree (DIT) – the layout of the directory. Think of this as the design.
Directory entries – these could be people, servers, printers, etc.
Think of these as documents
Attribute – defined in the schema, a directory entry contains attributes that
themselves hold values
Think of these as fields
What Is Bind?
Assuming we know “where” the server is (its hostname)
To connect to the LDAP server we need to know “how”
“How” consists of:
What port is the server listening on
How to use a certificate if one is needed for security
What identity is going to be used to access the directory
You can configure an LDAP server to allow “anonymous” access and not
need to supply any name or password
But it’s a directory and has valuable information in it. In the majority
of cases, we want it secured.
The name and password is that of a directory entry in the LDAP directory
These are called the “bind credentials”
Bind Credentials
When you bind using credentials to an LDAP server, you are gaining access to
anything in the directory those credentials can see
More on this later in security
The LDAP administrator can assign credentials that themselves have access to only
a limited part of the directory
For example the credentials “salesldap bind” may have access to only the
“Sales” part of the directory
Any search done with those credentials would only find matching entries
within Sales
Bind credentials should:
Be unique across all directories
Have a complex, non-expiring password
Not be used for anything else
Searching
Every LDAP query starts with a search, otherwise how do we find the
right people?
Searches are constructed strictly according to the schema
Although LDAP is a common protocol, each server will have its own
schema and so its own search syntax
The syntax for searching Active Directory is different from that
used to search Domino for instance
The good news is that most IBM software has pre-defined search
strings to suit the most common LDAP servers
Constructing a Search
The realities of searching are that in large directories you want your search to:
Be efficient
Be accurate
Return as few entries as possible
If we search only for “last name is davis” we will find both “Gabriella Davis” and “Tim Davis”
Expanding the search to include first name would help with that
“Tim Davis” in marketing needs a different kind of search than “Tim Davis” in sales
We could choose to include department in our search filter, if that information is available
It would be more efficient to choose to search in only a specific part of the hierarchy, such
as looking for “Tim Davis” only within the “sales” part of our directory
Constructing a Search (cont.)
To focus our search on a specific part of the directory, we use a baseobject or
base_dn. This is the name of the part of the directory we want to search.
Examples:
AD: base_dn=OU=sales,OU=europe,dc=theview,dc=com
Domino: base_dn=OU=sales,OU=europe,O=theview
This tells the search to look only in that part of the directory for any
results. It makes the search more efficient and prevents any false positives.
“scope” is a search parameter that tells the search how many levels down in
the directory from the base_dn it should look
singlelevel means search only ou=sales…
wholesubtree means search ou=sales and anything beneath that part of the
directory
In Short …
We connect to a host server and create a search based on the schema
to pull the values we want from attributes in matching directory
entries
Domino & LDAP
Domino and LDAP
Domino’s directory format for names.nsf is not LDAP by default
Domino uses its own protocol to read and manage its primary
directory
This is consistent across all Domino servers so any other Domino
server can read any Domino directory
But no non-Domino server can read a Domino directory
without having it “translated”
The LDAP task, when run on a Domino server, makes the names.nsf
available to any LDAP query
If you use Directory Assistance, this can also apply to other
directories your server can see
LDAP Task
“Load LDAP” on the Domino Server
Loads by default on Domino servers now
Spawns two separate tasks
LDAP listener – for handling inbound connections
LDAP utility – for building and propagating the schema
Runs the LDAP protocol which can make names.nsf and other
directories available for LDAP searches
LDAP is specific to each server, so running it on Server A does not
grant access to Server B
Schema.nsf
The LDAP task uses the database schema.nsf on each server to determine how to
“translate” Domino object references into LDAP object references
Schema.nsf is created automatically by the Administration server of your Domino domain
the first time LDAP is loaded on that server
For LDAP to work anywhere in your organization, you must first create schema.nsf by
loading LDAP on your administration server
A replica of schema.nsf is automatically pushed from the administration server the
first time you “Load LDAP” on any other server in your domain
Any server in your domain that runs, or has ever run, the LDAP task will have a
replica of schema.nsf in place
Once schema.nsf is created, you don’t have to keep LDAP running on the
Administration server if you don’t need it
Schema Template
You should never need to manually create a schema.nsf but any
databases that do exist should be based on the schema template
Template name is StdDominoLDAPSchema (schema.ntf)
If you do manually create one for whatever reason, don’t call it
anything other than schema.nsf
Domino Attributes in the Schema
Open schema.nsf on your server
Go to the view “LDAP Attribute Types”
Review list of notes field names and matching LDAP attribute names
LDAP Configuration Document
LDAP configuration is available only from a global configuration
document in the names.nsf
The global configuration document is the one marked for
[All Servers]
Configuring LDAP in Domino
On a Global Configuration document, there is a new page called
“LDAP”
This is not visible on any other configuration document
On the LDAP page, you can configure how LDAP behaves on every
server in your organization
There can be only one Global Configuration Document per
domain so the configuration applies to all servers running the
LDAP task
The default LDAP settings will work in most cases, but you should
always review these carefully to ensure you are configuring for best
security and performance
Exposing Domino Data to Anonymous Users
LDAP Options Affecting Domino Performance
Allow LDAP users write access
Do you want LDAP clients to be able to make changes to your Domino Directories?
This doesn’t override directory ACL or roles
Timeout
How many seconds before a search is cancelled? Don’t leave it as zero, which means indefinite.
Maximum number of entries returned
When doing an LDAP search against a large directory, you can restrict the number
of results returned
Minimum characters for wildcard search
Do you really want people searching for the letter “S”
if they are looking for “Smith” or even “Sm”
Allow Alternate Language Information processing
LDAP Options Affecting Domino Performance (cont.)
Rules to follow when this directory is the primary directory, and there are
multiple matches on the distinguished name being compared/modified
Don’t modify any/Modify first match/Modify all matches?
Automatically Full Text Index Domino Directory?
Improves performance of searches against Domino Directory, but use
only if you are performing high demand searches against a large
Directory
Enforce schema?
If the LDAP user has write access to the Domino Directory, can they
write or change attributes that aren’t defined in the Domino schema?
DN Required on Bind?
Require fully distinguished name for security
LDAP Options Affecting Domino Performance (cont.)
Encode results in UTF8 for LDAPv2 clients?
This is about the formatting of results for older LDAP client
queries
Maximum number of referrals
An LDAP query against a server can return a referral to yet another
LDAP server, how many layers down are you happy for these
referrals to go?
Activity Logging truncation size
Allow dereferencing of aliases on search requests?
Instructs Domino to return search values that correspond to aliases
matched by a search
Setting Up the LDAP Task
LDAP should be configured as an Internet Site Document
You can configure it directly in the server document under Internet Protocols – LDAP
But this is less secure than using Internet Site documents
Setting Up the LDAP Port
You configure the LDAP overall port and behavior under ports –
internet ports – directory
Enforce server access settings control whether Domino will
enforce server document security settings
LDAP on Domino — All Together Now
Directory Assistance and LDAP
Directory Assistance can be used to configure additional directories
for your Domino server to use when authenticating access or sending
mail
An additional directory can be Domino or LDAP
If you choose to add an LDAP directory to Directory Assistance
you need to configure the document
DA – Basics Tab Configuration
Multiple directories in DA can be prioritized in search order
Determines which client types this directory can be accessed by
Don’t use this directory for mail addressing or lookups
Directory Assistance LDAP Configuration
Each step of the LDAP configuration
can be tested and verified before saving
DA Naming Contexts Configuration
Configure to “Trusted for Credentials” as you’re going to use this
LDAP source for authentication
Testing Directory Assistance Configuration
From the server console, type “sh xdir”
This shows all directories configured on that server and whether
they are LDAP
LDAP Tools
Ldapsearch
Search utility that ships with Domino and Notes
Found in the Domino or Notes program directory
Used for searching any LDAP server
ldapsearch [parameters to connect] [searchfilter to find correct
entries] [attributes to return]
No searchfilter will be a request for all entries
No attributes specified will be an instruction to return all
attributes
Certain parameters such as hostname are required
Ldapsearch Parameters
-h hostname to connect to, e.g. ldap1.theview.com
-b base_dn. Many servers will require you to specify a base_dn for your
query and won’t accept a query that doesn’t have one
-D bind name, if you aren’t using anonymous access
-w bind password to go with -D
-p port to connect to, usually 636 for secured or 389 for unsecured
-? to see the full list of parameters
Ldapsearch Search Filter
Search filters are to limit the results of an LDAP query to just those
directory entries you are interested in
The format for a search filter is
<attribute> <operator> <value> e.g. sn=Davis (lastname is Davis)
Use operators and brackets to nest together search attributes
Use * for wildcards in values
& AND
| OR
! NOT (negates the filter it encloses)
= equal to
Search Filter Examples
Any entry with first name of Gabriella and last name of Davis
(&(givenName=Gabriella)(sn=Davis))
Any entry with first name of Gabriella and last name of Davis or Davies
(&(givenName=Gabriella)(|(sn=Davis)(sn=Davies)))
Any entry with mail address containing theview.com
(mail=*theview.com)
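The following is an added example, not part of the presentation: a small parser and matcher for LDAP search filters in the string syntax the slides use (RFC 4515), covering the &, | and ! operators and = comparisons with * wildcards, plus a search function that behaves like ldapsearch in returning only the requested attributes (or all of them when none are named). The directory entries it runs against are constructed sample data, not a live server, and escaped characters inside values are not handled. The parser rejects a filter whose brackets do not balance, which is the kind of error that is easy to make when nesting operators by hand.

```python
import re

# Added example: parse and evaluate LDAP search filters against sample entries.
# Sample entries are constructed; attribute names are stored lowercased.


class FilterError(ValueError):
    """Raised for a malformed filter, e.g. unbalanced brackets."""


def parse_filter(text):
    """Parse a filter string into nested tuples:
    ('&', [...]), ('|', [...]), ('!', [child]) or ('=', attr, pattern)."""

    def parse(pos):
        if pos >= len(text) or text[pos] != "(":
            raise FilterError("expected '(' at position %d" % pos)
        pos += 1
        if pos >= len(text):
            raise FilterError("unexpected end of filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                child, pos = parse(pos)
                children.append(child)
            if not children:
                raise FilterError("'%s' needs at least one sub-filter" % op)
            node = (op, children)
        elif op == "!":
            # NOT takes exactly one sub-filter, so a second '(' after it
            # is caught below as a missing ')'.
            child, pos = parse(pos + 1)
            node = ("!", [child])
        else:
            end = text.find(")", pos)
            if end == -1:
                raise FilterError("missing ')' after position %d" % pos)
            attr, sep, pattern = text[pos:end].partition("=")
            if not sep or not attr.strip():
                raise FilterError("bad comparison %r" % text[pos:end])
            node = ("=", attr.strip().lower(), pattern)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise FilterError("missing ')' at position %d" % pos)
        return node, pos + 1

    node, end = parse(0)
    if end != len(text):
        raise FilterError("unexpected text after position %d" % end)
    return node


def value_matches(pattern, value):
    """Case-insensitive comparison; each * in the pattern matches anything."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, attrs):
    """attrs maps lowercase attribute names to lists of string values."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, attrs) for child in node[1])
    if kind == "|":
        return any(matches(child, attrs) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    return any(value_matches(pattern, v) for v in attrs.get(attr, []))


def search(entries, filter_text, attributes=None):
    """Like ldapsearch: return (dn, attrs) for every matching entry, with
    only the requested attributes, or all attributes when none are named."""
    node = parse_filter(filter_text)
    results = []
    for dn, attrs in entries.items():
        if matches(node, attrs):
            if attributes:
                wanted = {a.lower(): attrs.get(a.lower(), []) for a in attributes}
            else:
                wanted = dict(attrs)
            results.append((dn, wanted))
    return results


# Constructed sample directory entries.
SAMPLE_ENTRIES = {
    "CN=Gabriella Davis,OU=sales,O=theview": {
        "cn": ["Gabriella Davis"], "givenname": ["Gabriella"],
        "sn": ["Davis"], "mail": ["gabriella@theview.com"]},
    "CN=Gabriella Davies,OU=sales,O=theview": {
        "cn": ["Gabriella Davies"], "givenname": ["Gabriella"],
        "sn": ["Davies"], "mail": ["gdavies@example.org"]},
    "CN=Tim Davis,OU=marketing,O=theview": {
        "cn": ["Tim Davis"], "givenname": ["Tim"],
        "sn": ["Davis"], "mail": ["tim@theview.com"]},
}

if __name__ == "__main__":
    for dn, attrs in search(SAMPLE_ENTRIES, "(mail=*theview.com)", ["cn"]):
        print(dn, attrs)
```

Running the three slide filters through search shows the difference between them: the AND filter returns only Gabriella Davis, the OR variant returns both Gabriella Davis and Gabriella Davies, and the wildcard mail filter returns everyone at theview.com regardless of surname.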
Search Filter Examples (cont.)
Search for anyone with the last name Davis and return their common name
ldapsearch -h ldap1.theview.com -p 389 -D ldaplogin -w passwordforldap "(sn=Davis)" cn
Search anonymously for anyone with a mail address containing theview.com and return their name
ldapsearch -h ldap1.theview.com -p 389 "(mail=*theview.com)" cn
Search the marketing division on a secure Active Directory server to find the Marketing Director and return all their details
ldapsearch -h ldap1.theview.com -p 636 -b "cn=marketing,ou=global,dc=theview,dc=com" -D ldaplogin -w passwordforldap "(Title=Marketing Director)"
Search Filter Demo
Softerra’s LDAP Browser
Free, powerful GUI interface for performing LDAP queries and
searches
Does not allow modifications to LDAP entries
For that you need to purchase their LDAP administrator
Very useful for understanding the schema of a directory
Especially if you’re new to Domino LDAP. You can use Softerra
to see what Domino looks like to an LDAP client.
Always test your LDAP assumptions, hostname, port, credentials
and attributes using something like LDAP Browser before
assuming they are correct
LDAP Browser Demo
Working with servers
List of configured LDAP
servers softerra can access
LDAP Browser Adding Profiles
Define the LDAP server’s location, connection and bind credentials in
the Softerra profile
LDAP Browser and LDAP Administrator
LDIF
LDAP Data Interchange Format
Used for importing, exporting and updating LDAP contents
Standard format
Ldapsearch to export ldap content to an LDIF file
Ldapadd to update an LDAP directory with entries from an
LDIF
Ldapmodify to modify an LDAP directory with change records
from an LDIF
Lots of tools available to work with LDIFs including native
Windows tools and Domino – Migrate Users
LDIF Example Snippet
dn: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gabriella Davis
sn: Davis
givenName: Gabriella
distinguishedName: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
displayName: Gabriella Davis
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=int,DC=turtlepartnership,DC=com
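The following is an added example, not from the presentation: a minimal parser and writer for LDIF entry records, handling the details that trip up hand-written parsers: folded continuation lines (a line beginning with one space continues the previous attribute, which is why the slide's distinguishedName wrapped onto two lines), repeated attributes such as objectClass, and base64 values written with "::". The sample record is constructed from the DN format on the slide; the objectCategory attribute name is assumed from the Active Directory schema, and the description value is a constructed base64 example. URL-valued attributes (":<") and values that would need base64 on output are not handled.

```python
import base64

# Added example: parse LDIF records (folded lines, multi-valued attributes,
# base64 values) and write them back, folding long lines. Sample data is
# constructed and is not a real directory export.

SAMPLE_LDIF = """\
dn: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gabriella Davis
sn: Davis
givenName: Gabriella
distinguishedName: CN=Gabriella
  Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com
displayName: Gabriella Davis
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=int,DC=turtlepartnership,
 DC=com
description:: R2FicmllbGxhIERhdmlz
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records, each {'dn': str, 'attrs': {name: [values]}}.
    Records are separated by blank lines; lines starting with '#' are comments."""
    records = []
    current = None
    for line in unfold(text):
        if not line.strip():
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current["attrs"].setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


def to_ldif(record, width=76):
    """Serialise a record to LDIF, folding lines longer than width (RFC 2849
    recommends 76) by continuing them on a line that starts with one space."""
    lines = ["dn: " + record["dn"]]
    for name, values in record["attrs"].items():
        for value in values:
            lines.append("%s: %s" % (name, value))
    out = []
    for line in lines:
        first, rest = line[:width], line[width:]
        out.append(first)
        while rest:
            out.append(" " + rest[:width - 1])
            rest = rest[width - 1:]
    return "\n".join(out) + "\n"


def sample_record():
    """Parse the constructed sample and return its single record."""
    return parse_ldif(SAMPLE_LDIF)[0]


if __name__ == "__main__":
    print(to_ldif(sample_record()))
```

Round-tripping the sample through to_ldif and parse_ldif yields the same record, which is the property to check before feeding an export into ldapadd or ldapmodify: an attribute that was folded on output must come back as one value, not two.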
Exporting to LDIF
Notes As An LDAP Client
Notes As an LDAP Client
Regardless of your Domino server configuration, Notes itself can act
as an LDAP client performing queries against other servers
Configured as an account in the user’s local names.nsf
Searching LDAP Directories Within Notes
LDAP directories will not show in their entirety in Notes
You have to search for what you need
You can do either a simple or advanced search
Sametime, Quickr, Connections & LDAP
LDAP and Other IBM Lotus Products
Many of the extended IBM Lotus products now require an LDAP
server be defined as the Directory source
This allows multiple servers to share a common directory with a
common protocol regardless of their own platform
Connections, Sametime 8.5x and Quickr J2EE all use WebSphere
Application Server (WAS) as a platform, but WAS doesn’t have a
directory of its own – it must use an external LDAP directory
Within WAS, you can define multiple LDAP sources to act as a single
directory – much like Directory Assistance in Domino
This is called federating the directories
WAS LDAP Configuration
Login to the Integrated Solutions Console (or Sametime System
Console) and choose Security – Global Security
Viewing Federated Repositories
The list of federated repositories shown here comprises what WAS
considers to be its directory
Configuring Each LDAP Source
Testing LDAP Configuration in WAS
LDAP Sources
As we’ve seen, Domino can act as an LDAP server and could therefore
be used in configuring a product like Sametime
Sametime instant messaging is still based on the Domino platform
but you cannot use that same Domino server as your LDAP server
Otherwise you are telling the Sametime Community Server to
use itself as an external LDAP reference
LDAP Security – Risks & Mitigations
LDAP Security Risks
Exposing a directory to anonymous queries, allowing for harvesting of
corporate information
Not providing secure enough bind credentials so they can be potentially
hacked
Not connecting using SSL, which means your connection isn’t encrypted
and bind credentials are sent in clear text
Trusting users from another LDAP source you don’t control to
authenticate onto your servers
Does the password quality for users on the external LDAP source
match that for your own users
Once you have trusted an entire directory, your own directory security
is lowered to the level of that uncontrolled source
LDAP Security Mitigation
Ensure you are only exposing the LDAP entries and attributes you
need to
Use an LDAP tool to connect to your own server with the bind
credentials you are making available to see what others see
If you are adding an LDAP server to Directory Assistance in Domino
and are trusting it for authentication purposes, ensure you lock down
-Default- access to databases in your environment
Use catalog.nsf and DDM to find potential problem areas
Never let anyone connect to your directory using credentials without
enabling SSL
LDAP Performance Tuning
LDAP Performance Tuning
Several things impact LDAP performance on any LDAP server
Size of directory
Using a base_dn limits the search scope for queries and is
required for efficiency in very large directories
Number of search results returned for a query
Length of search string
Don’t force the server to search as each character is entered
Nested groups or dereferencing
Anything that causes a lookup to generate another lookup, then
another, has a big performance impact
LDAP Performance Searching
Searching for a user to authenticate when someone logs in requires a directory
lookup
Most LDAP servers are optimized to find entries if you’re using a login name or
email address
If you’re using a special or non-standard attribute for login then that may
affect performance
Domino LDAP uses predefined views if you are allowing logins by name
In most cases, you would want to full text index the directory on your
Domino LDAP server for performance
Many LDAP servers such as Active Directory have strict default limits on LDAP
search timeouts and size of search results returned for both performance and
security reasons
These can always be modified
LDAP and DDM
If your Domino server is configured to use another LDAP directory in
Directory Assistance you can monitor that via a DDM probe
Configured in events4.nsf
Reported into ddm.nsf on your Domino server
Resources
Softerra’s LDAP Software
www.ldapbrowser.com/info_softerra-ldap-browser.htm
Steven Tuttle, Ami Ehlenberger, Ramakrishna Gorthi, et al., Understanding LDAP – Design
and Implementation (IBM Redbooks, June 2004).
www.redbooks.ibm.com/abstracts/sg244986.html
Steven Tuttle, Kedar Godbole, Grant McCarthy, Using LDAP for Directory Integration (IBM
Redbooks, February 2004).
www.redbooks.ibm.com/abstracts/sg246163.html
Wikipedia on Lightweight Directory Access Protocol (LDAP)
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
Rob Fox, Paul Godby, Moacyr Mallemont, “Configuring Domino to Be an LDAP Directory and
to Use an LDAP Directory” (IBM Software Group).
IBM presentation on configuring LDAP for Domino
www.slideshare.net/edsonlo/configuring-domino-to-be-an-ldap-directory-and-touse-an-ldap-directory
Summary
LDAP is a standard protocol for directories used by all the major directory providers so in
general, no matter the provider, all LDAP servers are equal
Many software products that do not have their own directories require connection to an LDAP
source of some kind
Using LDAP allows you to connect multiple systems together all using the same directory source
Domino can be an LDAP server, making its own directories available over the LDAP protocol to
other clients and programs
Domino can also connect to other LDAP servers using a Directory Assistance document
Many IBM products now require or recommend the use of an LDAP directory including
Sametime, Connections, and Quickr
Integrating LDAP into your solution can have a significant performance and security impact
which must be managed