
Preparing Your Directory Infrastructure for the Internet Age

Vikas Mahajan
Senior Consultant, PriceWaterhouseCoopers
vikas.mahajan@us.pwcglobal.com

www.novell.com


Overview

• Overview
• PwC “DNA” of Identity Management
• Different spaces for different directories
• What LDAP is and isn’t
• Directories and databases
• Using directories in the Internet space
• Directory design for the Internet
• Directory management considerations
• Meta-directory
• Identity management


PwC “DNA” of Identity Management

[Diagram: the PwC “DNA” of Identity Management. Core components: Enterprise Directory, User Provisioning, Workflow, Permission & Policy Management, Strong Authentication. Surrounding enablers: Awareness & Training, Technical Standards, Management Commitment, Compliance Procedure, Intrusion Detection, O/S Security, Network Security, Database Security, Application Security, Audit Trails, Policy; driven by Business Objectives.]


Enterprise Directory—Identity Management Infrastructure

Business Issues

• What content should be stored in my directory versus other repositories?
• How do I unify and consolidate my user repositories?
• How do I determine authoritative sources and ensure ongoing data quality?
• How do I manage the user information for multiple user communities (e.g., business partners, customers, vendors, and employees)?

Solution

Enterprise directories have become the industry standard for accessing common user directory information. LDAP has been embraced and implemented in most network-oriented middleware. As an open, vendor-neutral standard, LDAP provides an extendable architecture for centralized storage and management of information that needs to be available for today's distributed systems and services.

Technical Issues

• To be discussed in this presentation


Directory Spaces

• Not all directories are alike
• Many are suited to particular services or apps
• While it may technically be possible to use any LDAP compliant directory, consider the strengths and weaknesses of each directory and their suitability to roles in spaces where they do not have a strong presence
• There will always be more than one directory in your environment


Directory Spaces Defined

• NOS (Network Operating System)
  Directories that are tied to an operating system and provide client/server directory access
  • Desktop authentication for file/print services
  • Application distribution
  • Desktop management
  • Network infrastructure management
• Messaging
  A directory service primarily serving as the user repository for a messaging/e-mail/groupware application


Directory Spaces Defined (cont.)

• Internet
  Directories that are primarily used for authentication, authorization, and personalization of Internet-based applications and services
  Applications include Portals, B2B, B2C, and B2E, “eBusiness”
  Emphasis on speed and scalability


Directory Spaces and Vendors


LDAP—What You Need to Know

• Lightweight Directory Access Protocol
  LDAP is an IETF-ratified standard protocol for accessing data stored in X.500-like directory databases
  If a product can accept LDAP protocol based requests, the vendor may call it LDAP compliant
  The more accepted understanding of LDAP includes several IETF standards that define additional features, including a file exchange format (LDIF) and certain object class and attribute definitions (inetOrgPerson)


LDAP—What You Need to Know (cont.)

• When choosing a directory product
  Ensure that it complies with all LDAP standards to ensure compatibility with LDAP compliant directory-enabled applications
  Remember that LDAP standards do not specify the database to be used as the data repository
  LDAP standards do not address a wide variety of directory/database components and features:
  • Partitioning and replication
  • Indexing
  • Backup
  • Referrals


LDAP—What You Need to Know (cont.)

• When choosing a directory product
  Examine the underlying data store to ensure the database has the features you need (partitioning, replication, referential integrity, scalability, data integrity, performance, etc.)
  Look at ALL the protocols, languages and standards the directory supports—LDAP may not be enough for your needs
  • X.500
  • XML/DSML—Directory Services Markup Language
  • ODBC/SQL
  • Other protocols/languages used by your developers


Directories and Databases

• Directories
  • Read-optimized
  • Store relatively static data
  • Object-oriented
  • Hierarchical
  • Distributed
  • Support multi-valued attributes
  • Support replication
  • Extensible schema


Directories and Databases (cont.)

• Relational databases
  • Designed for write-intensive operations
  • Either storing data in flux or historical data
  • Application-specific schema
  • Support complex data models
  • Data integrity a top consideration
  • ACID transactions—Atomic, Consistent, Isolated, Durable


Directories and Databases (cont.)

• Directories and databases—complementary
  • Each is suited for particular types of tasks
  • Directories are perfect for authentication, authorization, storing personal information that is relatively static and used by a variety of applications
  • Databases perform transactions, store application-specific data, store BLOB data
  • Directories and databases work together to solve business problems


Directories and Databases (cont.)

• A Directory on top of a database?
  • Some directory vendors have built LDAP compliant directory applications on top of an RDBMS—IETF standards do not dictate a data store for LDAP directories
  • Note that database vendors have therefore embraced and adopted directory technology
  • Think of the RDBMS as just another platform upon which your directory can sit; some sit on top of a particular OS, others on top of a particular RDBMS


Directories and Databases (cont.)

• A Directory on top of a database?
  • Realize there are many challenges to implementing a directory on top of an RDBMS—overcoming those challenges requires careful examination of
    • Performance
    • Partition/replication/distribution
    • Security
    • Schema extensibility
    • Support for hierarchy
    • Translation of LDAP queries to SQL
    • Support for multi-valued attributes


Directories and the Internet

• Directories in the Internet space
  • Authentication
    • Provide verification of your identity
  • Authorization
    • What you are entitled to see or do
  • Personalization
    • Pieces of data specific to you—identification, preferences, tastes, etc.


Directory Design

Old Rules
• Users with the same CN existing in different parts of the tree
• Your tree was hierarchical, designed for efficient WAN performance
• Only minimum required attributes had values

New Rules
• Unique Object Names; every object should have a unique CN or UID
• Your tree may be flat or hierarchical, but is likely to be centralized or distributed over high-speed links
• There will be many attributes with values


Directory Design (cont.)

Old Rules
• One tree
• Upgrade DS with the OS
• Never extend the schema on your own
• Directory servers same as File/Print servers

New Rules
• More than one directory
• DS upgrade independent of OS, determined by application support
• Extend the schema to provide new attributes and object classes
• Dedicated directory servers


Directory Design (cont.)

Can you use your existing tree?
• Do your users have unique IDs (unique CN)?
• Are you running eDirectory 8.5 or higher? Is the same version of the DS database used across all servers?
• Are there servers that hold all user replicas?
• Do you want to use DNS Federation?
• Are you using Delegated Administration? If so, are you comfortable with others (inside or outside your company) managing users and groups within your tree?
• Can your current directory infrastructure handle replication traffic for many new attributes?


Directory Design (cont.)

• B2E Tree

[Diagram: B2E tree. Root PARENTCO with containers POLICIES, PORTAL and USERS; GROUPS, CHILDRELATIONS and PARENTRELATIONS containers each holding portalgroup1; USERS subdivided into DIVISION1 (User1), DIVISION2 (User2) and DIVISION3 (User3).]


Directory Design (cont.)

• B2E Tree
  • Users exist under a common location, subdivided by business divisions
  • Ideal for delegating administration, replicating based on division
  • Portal specific objects in one container
  • Security policies for a security application in a special container (policy store)


Directory Design (cont.)

• B2B Tree

[Diagram: B2B tree. Root Yourcompany with containers customers and apps. Under apps: application1 and Portal Groups (PortalGroup1). Under customers: Parent Company A with division1 and division2, and Parent Company B with divisionX and divisionY; each division has a groups container (group1, group2) and a people container (user1, user2 under Parent Company A; user3, user4 under Parent Company B).]


Directory Design (cont.)

• B2B Tree
  • Hierarchy reflecting business relationships—parent company, followed by divisions
  • Designed for delegated administration by each company or division—reduce administration overhead
  • Permissions to applications provided by your company controlled by application groups
  • Use “nested groups”—Division A DA adds user to group1 under division A and this group is a member of application 1, so users automatically get appropriate permission to access applications
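As an added example (not from the presentation), the following Python models the B2B tree above together with the “unique CN or UID” rule from the New Rules slide: a minimal LDIF reader, a duplicate-uid check over the whole tree, and nested-group resolution from an application group down to a user, with a guard against group cycles. The DN layout, the groupOfNames/member model and the sample entries are assumptions made for illustration.

```python
"""Added example (not from the presentation): a toy model of the B2B tree,
its nested application groups, and the 'unique UID' rule, over constructed LDIF."""
from collections import defaultdict

# DN layout is an assumption: the slide shows only container names.
YOURCO = "o=yourcompany"
USER1 = f"cn=user1,ou=people,ou=division1,o=Parent Company A,ou=customers,{YOURCO}"
USER3 = f"cn=user3,ou=people,ou=divisionX,o=Parent Company B,ou=customers,{YOURCO}"
GROUP1 = f"cn=group1,ou=groups,ou=division1,o=Parent Company A,ou=customers,{YOURCO}"
APP1 = f"cn=application1,ou=apps,{YOURCO}"

# Constructed LDIF. user3 deliberately reuses uid=user1 to trip the uniqueness check.
SAMPLE_LDIF = f"""\
dn: {USER1}
objectClass: inetOrgPerson
uid: user1
cn: user1
sn: One

dn: {USER3}
objectClass: inetOrgPerson
uid: user1
cn: user3
sn: Three

dn: {GROUP1}
objectClass: groupOfNames
member: {USER1}

dn: {APP1}
objectClass: groupOfNames
member: {GROUP1}
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated 'attr: value' records (no base64
    or continuation lines). Returns {dn: {attr: [values]}}, DNs/attrs lower-cased."""
    entries = {}
    for record in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in record.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value)
        entries[attrs.pop("dn")[0].lower()] = dict(attrs)
    return entries

def duplicate_uids(entries):
    """New Rules: every object should have a unique CN or UID. Returns the
    uid values that occur on more than one entry anywhere in the tree."""
    seen = defaultdict(list)
    for dn, attrs in entries.items():
        for uid in attrs.get("uid", []):
            seen[uid].append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}

def has_access(entries, user_dn, app_group_dn):
    """Nested groups: walk 'member' values from the application group down
    through any groups it contains. The visited set stops group cycles."""
    stack, visited, user_dn = [app_group_dn.lower()], set(), user_dn.lower()
    while stack:
        group = stack.pop()
        if group in visited:
            continue
        visited.add(group)
        for member in entries.get(group, {}).get("member", []):
            member = member.lower()
            if member == user_dn:
                return True
            classes = entries.get(member, {}).get("objectclass", [])
            if "groupofnames" in (c.lower() for c in classes):
                stack.append(member)
    return False
```

With the sample data, `has_access(parse_ldif(SAMPLE_LDIF), USER1, APP1)` is True because user1 reaches application1 through group1, while user3 has no path and `duplicate_uids` flags the reused uid.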


Directory Design (cont.)

• B2C Tree

[Diagram: B2C tree. Root yourcompany with a people container (user1, user2) and a groups container (group1).]


Directory Design (cont.)

• B2C Tree
  • Self-registration
  • Simple to set up and maintain—best to use if you don’t have data that will allow you to organize users
  • Ensures unique names for all users


Guidelines for Extending the Schema—Analysis

• Examine the data—store relatively static data in the directory and avoid BLOB data

• How is the data used or accessed—What question is being asked of the directory?

• User attribute vs. Group object


Guidelines for Extending the Schema—Design

• Use existing attributes
  • Few custom attributes—map to existing attributes
  • Many new attributes—create new attributes, define new object class
  • Inherit from existing object classes
• Class types
  • Effective (structural)
  • Ineffective (abstract)
  • Auxiliary
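To show how the three class types interact when a schema is extended, here is an added example (not from the presentation) of a small schema checker: an entry needs one structural (effective) class chain, abstract (ineffective) classes such as top contribute attributes only through inheritance, and an auxiliary class adds its own MUST/MAY attributes on top of whatever structural class the entry already has. The custom auxiliary class pwcPortalUser and its attributes portalRole/portalTheme are hypothetical, and the standard classes carry abridged attribute lists.

```python
"""Added example (not from the presentation): a small schema checker showing
how structural (effective), abstract (ineffective) and auxiliary classes
combine when an entry is validated."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                      # "structural", "abstract" or "auxiliary"
    sup: str = ""                  # superior class; "" for the root
    must: frozenset = frozenset()  # required attributes
    may: frozenset = frozenset()   # optional attributes

# Standard classes with abridged attribute lists, plus a hypothetical auxiliary
# class (pwcPortalUser) standing in for a custom schema extension.
SCHEMA = {c.name: c for c in [
    ObjectClass("top", "abstract", "", frozenset({"objectClass"})),
    ObjectClass("person", "structural", "top", frozenset({"cn", "sn"}),
                frozenset({"userPassword", "telephoneNumber", "description"})),
    ObjectClass("organizationalPerson", "structural", "person", frozenset(),
                frozenset({"title", "ou", "postalAddress"})),
    ObjectClass("inetOrgPerson", "structural", "organizationalPerson", frozenset(),
                frozenset({"uid", "mail", "displayName", "employeeNumber"})),
    ObjectClass("organizationalUnit", "structural", "top", frozenset({"ou"})),
    ObjectClass("pwcPortalUser", "auxiliary", "top", frozenset({"portalRole"}),
                frozenset({"portalTheme"})),  # hypothetical custom class
]}

def chain(name):
    """Return a class and all of its superiors, most derived first."""
    out = []
    while name:
        cls = SCHEMA[name]
        out.append(cls)
        name = cls.sup
    return out

def validate(entry):
    """Return schema violations for entry ({attr: [values]}); empty list means OK."""
    problems = []
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown object class: {c}" for c in unknown]
    # Abstract classes cannot be instantiated on their own, so an entry needs a
    # structural class, and all of its structural classes must lie on one chain.
    structural = [c for c in classes if SCHEMA[c].kind == "structural"]
    if not structural:
        problems.append("entry needs a structural (effective) class")
    else:
        leaf = max(structural, key=lambda c: len(chain(c)))
        ancestors = {c.name for c in chain(leaf)}
        if any(c not in ancestors for c in structural):
            problems.append("structural classes are not on one inheritance chain")
    # MUST/MAY accumulate along every chain, auxiliary classes included.
    must, may = set(), set()
    for c in classes:
        for cls in chain(c):
            must |= cls.must
            may |= cls.may
    for attr in sorted(must - set(entry)):
        problems.append(f"missing required attribute: {attr}")
    for attr in sorted(set(entry) - must - may):
        problems.append(f"attribute not allowed by schema: {attr}")
    return problems
```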


Directory Management—Staffing Considerations

• The directory is an application
• Many applications depend on the directory
• Consider hiring a full-time directory staff person
• Directory experts need to understand LDAP standards, tree design, data synchronization, meta-directory, security, and the applications that utilize the directory
• They need to work with application developers, DBAs, security staff, network infrastructure, Human Resources, software vendors


Directory Management—Duties

• Determine where to store data—directory or database
• Determine how to store data—attribute vs. group vs. OU
• Determine where and how to get the data
• Cleanse and import data
• Synchronize/maintain data
• Secure the directory and the data
• Integrate applications
• Replication/partitioning/fault tolerance/backup
• Multi-directory management
• Single sign-on
• Provisioning


Meta-Directories

• Applications designed to allow different repositories of user information to share data

• Help to ensure data is consistent and accurate across the enterprise

• Can be used to automate account creation/deletion

• Synchronize data without compromising authoritative sources of information

• Enforce standards—naming standards, data formatting standards, etc.


Meta-Directories (cont.)

• Some meta-directories have a centralized data repository
  This may be a directory you already have or a new directory created by the meta-directory software

• Some meta-directories use no directory at all— “Virtual Directory”

• Meta-directories are NOT password synchronization or SSO solutions


PwC “DNA” of Identity Management

[Diagram: the PwC “DNA” of Identity Management, repeated from the earlier slide. Core components: Enterprise Directory, User Provisioning, Workflow, Permission & Policy Management, Strong Authentication. Surrounding enablers: Awareness & Training, Technical Standards, Management Commitment, Compliance Procedure, Intrusion Detection, O/S Security, Network Security, Database Security, Application Security, Audit Trails, Policy; driven by Business Objectives.]


PwC Approach—Identity Management Infrastructure

Permission & Policy Management

Business issues

• How do I solve multiple authentication requirements for my web apps?
• How do I deploy a common authorization and entitlements model?
• How do I create a redundant, highly scalable web SSO architecture?
• How do I open up access to my corporate intranet for my business partner network?
• How do I create a secure Employee Self Services model for my employees?

Solution

Privilege Management Infrastructure engines are security solutions for integrating single sign-on, user authentication/authorization/entitlements, and application personalization within HTTP environments. These products can integrate with standards-based user directories, making it possible to manage a significant portion of your web access control components from a single console. Most security middleware engines are fully redundant, allowing for massive scalability and high availability.


PwC Approach—Identity Management Infrastructure (cont.)

Strong Authentication

Business issues

• How do I authenticate a web user using a two-factor authentication model?
• How do I manage and operate my SA infrastructure?
• How do I integrate SA into my overall identity management infrastructure?

Solution

Strong authentication mechanisms combine multi-factor techniques to validate an individual’s identity. A tiered approach to strong authentication can include a combination of:
• User ID and password
• Challenge response
• Hardware/software tokens
• Digital certificates
• Biometrics


PwC Approach—Identity Management Infrastructure (cont.)

User Provisioning / Workflow

Business issues

• How do I manage the multitude of user accounts for my employees, customers, business partners?
• How do I quickly and efficiently remove a user’s access to all of the corporate systems that they have access to?
• How do I approve a user’s access to several systems?

Solution

User provisioning automates many of the traditionally manual processes and procedures required to manage users’ access to resources across the enterprise.

Workflow is the process of automating the business rules and approval process required to grant users access to an organization’s resources. Combining the two allows an organization to automatically and quickly grant or deny access to users with minimal manual intervention or manual approvals.


PwC Approach—Identity Management Infrastructure

[Diagram: IDM Infrastructure Detailed Deployment Framework. Phases: Start Up; Strategy & Architecture; Design & Pilot / Development; Transition and Implementation; Evaluate; Implement; Launch! Tracks: Project Governance, IDM Technology, Process, People. Deliverables: Implementation Strategy & Implementation Plan. Activities shown on the roadmap:]

• Define Work
• Develop IDM Vision and Build Teams
• Define Governance Model
• Manage Project and Project Scope—Program Office, Project Plan, Internal Project Communications, Success Measures
• Define Business Case and ROI Models
• Assess Current Landscape—Network, WEB Apps, Legacy Apps, Security, Authoritative User Store(s), User Roles and Security Profiles
• Assess Current Capabilities—Competencies, Policies, Training
• As-Is Workshops; To-Be Workshops
• Define Overall IDM Blueprint and Integration Approach—Tech Arch/Infrastructure, Security, Directory Schema/DIT, User Mgt Model, Support
• Develop IDM Strategy Documents & Presentation
• Develop IDM Demo
• Select Enabling Technologies
• Create Integration Roadmap
• Define & Prioritize Application Integration Timeline
• Define Communications Strategy; Design Communications Methods; Communicate and market new IDM
• Design Tech Arch & Infrastructure
• Design User Directory Solution
• Design Application Security Solution
• Design Data Mgt Solution
• Design Conversion and Interfaces
• Design Enabled User Mgt Processes
• Design Ongoing Security Ops Support
• Develop Proof of Concept
• Develop Infrastructure & Directory
• Develop User Mgt Applications
• Customize Application Integration Toolkit
• Integrate Application(s) & Portal(s)
• Define Testing Approach; Define Testing Scripts
• Test Portal—System Integration Testing, Performance Testing, User Acceptance Testing
• Convert User Data
• Technical Team Training; User Training
• Implement Ongoing IDM Operations Support
• Identify Opportunities for Next Release; Plan Future Releases


Novell and PwC Strategy

[Diagram: the PwC “DNA” of Identity Management mapped to Novell products and services. Core components: Directories, User Provisioning, Workflow, Permission & Policy Management, Strong Authentication, with the same surrounding enablers (Awareness & Training, Technical Standards, Management Commitment, Compliance Procedure, Intrusion Detection, O/S Security, Network Security, Database Security, Application Security, Audit Trails, Policy). Products and technologies named: eDirectory™, NMAS, Metastorm eWork, DirXML™, NAM/NDSAS, NAAS, SecureLogin, SSL, BorderManager®, iChain®, LDAP, XML, IP, XSLT, PKI. Services: Novell/PwC Consulting, Novell Education, Novell/PwC Consulting Services, Novell Technical Support, Novell Labs, Novell Consulting Services, under Novell’s One Net Strategy.]


PricewaterhouseCoopers Strategic Relationships and Technology Experiences

PricewaterhouseCoopers remains vendor independent in order to provide our customers with the most up-to-date and flexible technology to fit the solution set that is most appropriate for their needs.
