Directory Interoperability: Requirements, Standards and Conformance (or, PICS )

Transcription

1 Directory Interoperability: Requirements, Standards and Conformance (or, PICS ) Sandi Miklos, Technical Director Security Management Infrastructure National Security Agency samiklo@missi.ncsc.mil 14 January 1999

2 Directory Domains Domain A Domain E Domain B Domain D Bridge CA Domain Domain C

3 Fundamental Premise: NO Client accesses between domains - DOES THIS INCLUDE THE BRIDGE CA? Domain A Domain B Client (B) To Other Clients and Servers Client Access Protocols Client (A) DSA (A) Server to Server Protocols Border DSA* (A) Server to Server Protocols Border DSA* (B) DSA (B) Client (B) DSA (A) To Other Clients and Servers Client (A) Border DSA* ADUA Bridge CA Domain * A Border DSA will provide access to only a subset of the DIB held by its domain, and may support multiple security mechanisms.

4 Domain Directory Common space Import Synchronise Address Book Work Group Database NOS Directory

5 Chaining DSA-2 DUA DSA-1 DSA-3

6 Referrals DSA-1 DUA DSA-2

7 KNOWLEDGE REFERENCES Superior Reference Subordinate Reference Immediate Superior Reference Consumer Reference Supplier Reference Cross reference Non Specific Subordinate Reference

8 Shadowing Update Authority Master DSA Replication Protocols Shadow Consumer DSA Shadow Consumer & Supplier DSA Shadow Consumer DSA Directory user Directory user Directory user

9 preferchaining chainingprohibited* localscope dontusecopy* dontdereferencealiases subentries copyshalldo priority timelimit* sizelimit* scopeofreferral attributesizelimit Service Controls

10 Shadowing agreements Made between DSA administrators May be activated by a shadowing operational binding or they may be made via a method outside the scope of the standard Required before shadowed information may be shared between any pair of DSAs Establishes technical parameters of the agreement update frequency replicated area information to be shadowed

11 Updating the shadowed information Synchronizing the DSAs Coordination of Update operation Requesting Update operation Transferring the Shadowed Information What s reliability criteria that transfer as well as database update occurred? Types of updates Incremental refresh/delta changes only Total refresh/ all shadowed information sent again

12 Example: subtree specification Administrative point Administrative point 1 3 OU=X OU=X 2 Subtree Specification base is OU=x Administrative point OU=X 4 Subtree Specification base is OU = x chop minimum is 1 chop maximum is 3 Administrative point Subtree Specification chop after OU=x Subtree Specification filter on object class = organizationalperson Copyright D.W. Chadwick and Chapman & Hall, Understanding X.500 The Directory

13 Various views of a DSE s attributes DSE Directory Entry User Attributes Directory Operational Attributes DSA Shared Attributes DSA Specific Attributes DSA Administrator s View Directory User s View Directory Administrator s View Copyright D.W. Chadwick and Chapman & Hall, Understanding X.500 The Directory

14 root glue cp entry alias subr nssr supr xr admpoint subentry shadow immsupr rhob sa DSE types root DSA knowledge of a name only context prefix object entry alias entry subordinate reference non-specific subordinate reference superior reference cross reference administrative point subentry shadow copy immediate superior reference relevant hierarchical operational binding information subordinate reference to alias entry

15 Operational attributes Attributes representing operational or administrative information; not normally visible to the user Examples: Creation Timestamp records when the entry was first created Modify Timestamp records when the entry was last modified Creator s Name distinguished name of user that created the entry Modifier s Name distinguished name of user that last modified the entry EntryACI access control information that applies to this entry only

16 Directory Information Tree (DIT) C=US O=U.S. Government OU=DoD OU= Contractor OU=OSD OU=JCS OU=Army OU=Navy OU=AF OU=USMC OU=DFAS OU=Defense Nuclear Agency OU=DIA OU=Defense Logistics Agency OU=Defense Mapping Agency OU=DISA OU=JSF OU=GENSER PLAs OU=SI PLAs OU=ACOM OU= CENTCOM OU=EUCOM OU=PACOM OU= SPACECOM OU=SOCOM OU= SOUTHCOM OU= STRATCOM OU= TRANSCOM

17 Naming Context entry Part of a DIT showing allowed subtrees or naming contexts.

18 Distinguished Name (DN) and Relative Distinguished Name (RDN) RDN DN Root {} Country C=US {C=US} People Org Org Unit O=Corporation (OU=SALES, L=San Jose) CN=John L Smith {C=US, O=Corporation} { C=US, O=Corporation, ( OU=SALES, L=San Jose )} { C=US, O=Corporation, ( OU=SALES, L=San Jose ), CN=John L Smith }

19 Example:Alternate values of names Entry Attribute Attribute... Attribute Attribute Type Attribute Value(s) Defense Logistics Agency DLA

20 The structure of Directory entries Entry Entry DIB Entry Entry... Entry Root DIT Object Entry

21 13 Directory Information Base (DIB) DIB Entry Entry Entry Entry... Entry Attribute Attribute... Attribute Attribute Type Attribute Value(s) Distinguished Attribute Value Attribute Value... Attribute Value

22 Overview of the Directory schema uses Directory Schema Subschema DIT Structure Rule uses Name Form DIT Content Rule Object Class use Attribute Types use ASN.1 type Matching Rule rules for rules for rules for rules for rules for Directory Information Tree belongs to Subschema Administrative Areas Entries Entries belongs to belongs to Attributes Attributes Values belongs to

23 Object class for Certification Authority - X.521 certificationauthority OBJECT-CLASS ::={ SUBCLASS OF { top } KIND auxiliary MUST CONTAIN { cacertificate certificaterevocationlist authorityrevocationlist } MAY CONTAIN { crosscertificatepair } ID id-oc-certificationauthority } *note that v2 CA object class may contain Delta Revocation List attribute

24 Object class for Certification Authority - draft-ietf-pkix-ldapv2-schema-02.txt pkica OBJECT-CLASS ::= { SUBCLASS OF { top} KIND auxiliary MAY CONTAIN {cacertificate certificaterevocationlist authorityrevocationlist crosscertificatepair }} --ID { joint-iso-ccitt(2) ds(5) objectclass(6)pkica(22)}

25 Matching rules Rules to compare a value presented by a user with a value stored in the Directory Each matching rule states the attribute syntax that the matching rule applies to the syntax of a user-presented value how the comparison is performed under what conditions a match is found to be True Built-in matching rules present; equality; substrings; ordering; approximate

26 Security Control Model Access control information represented as a multi-valued operational attribute Subentry prescriptive access control information entry access control information Administrative Area *Presumption - anything that is in a Border DSA is read-only to any entity that has access to that network

27 ISO/ITU DIRECTORY STANDARDS Reflects X.500 Standard PICS More Restrictive Domain Profile More Restrictive ISP

28 Directory specifications Overview of Models, Concepts, and Services Models Authentication Framework Abstract Service Definition Procedures for Distributed Operation Protocol Specifications Selected Attribute Types Selected Object Classes Replication System Management ITU-T X.500 X.501 X.509 X.511 X.518 X.519 X.520 X.521 X.525 X.530 ISO/IEC

29 Protocol Implementation Conformance Statement (PICS) Used to evaluate conformance to the standard by a particular implementation Shows which capabilities and options have been implemented. One PICS associated with each X.500 protocol DAP, DSP, DOP, and DISP ITU - X.583, X.584, X.585, X.586 ISO - ISO/IEC , , , Available at URL: ftp://ftp.bull.com/pub/osidirectory/93specification/picsproforma

30 International Standardized Profiles (ISPs) Directory A-Profile Taxonomy A CO Applications ADY 93 Directory Services ADY 1 DUA Basic Functionality ADY 2 DSA Basic Functionality ADY 4 Security Capabilities ADY 5 Shadowing ADY 6 Adm inistrative M anagement ADY 7 D O P Capa bilities ADY 11 Dir Access Support ADY 12 Distributed operations Support ADY 21 Dir Access Support ADY 22 Distributed operations Support ADY 41 DUA Authentication as DAP Initiator ADY 42 DSA Authentication as DAP Responder ADY 43 DSA Authentication for DSP ADY 45 DSA Access Control ADY 51 Shadowing Using ROSE ADY 52 Shadowing Using RTSE ADY 53 Shadowing Subsets ADY 61 Administrative Areas ADY 62 Estab/Use of Shadowing Ag reements ADY 63 Schema Admin & Publication ADY 71 Shadowing Operational Binding ADY 72 Hierarchical Operational Binding ADY 73 Non-Specific HOB

31 ADY1-DUA Basic Functionality ADY 11 DUA Support of Directory Access Protocol, 16 Jun 98 ADY 12 DUA Support of Distributed Operations, 16 Jun 98 ADY2-DSA Basic Functionality ADY 21 DSA Support of Directory Access Protocol, 16 Jun 98 ADY 22 DSA Support of Distributed Operations, 20 Jan 97

32 ADY4-Security Capabilities ADY 41 DUA Authentication as DAP Initiator, 19 Jun 98 ADY 42 DSA Authentication as DAP Responder, 19 Jun 98 ADY 43 DSA Authentication for DSP, 22 Jul 96 ADY 45 Simplified and Basic Access Control (combined 44 and 45), 12 Jul 98

33 ADY5-Shadowing ADY 51 Shadowing using ROSE, 12 Jul 96 ADY 52 Shadowing using RTSE, no editor ADY 53 Shadowing Subsets, 12 Jul 96 ADY6-Administration Management ADY 61 Administrative areas, 26 Jun 98 ADY 62 Establishment and Utilisation of Shadowing Agreements, 17 Jan 97 ADY 63 Schema Administration and Publication, 10 Jun 98

34 ADY7-DOP Capabilities ADY 71 Shadowing Operational Binding, 30 Jul 96 ADY 72 Hierarchical Operational Binding, Dec 97 - draft-ietf-ldapext-hobs-01.txt ADY 73 Non-specific Hierarchical Binding - no editor Functional Profiles FDY 11 Common Directory Use, 17 Jul 96 FDY 12 Directory System Schema, 17 Jul 96

35 Implementor s Guide Compilation of reported defects and their resolutions to the 1988 and 1993 editions of the ITU X.500 Recommendations and ISO/IEC 9594 standard ISO requires ballot on draft technical corrigenda Categories of defects editorial errors technical errors, such as omissions or inconsistencies ambiguities Version 10 - March 97 ftp://ftp.bull.com/pub/osidirectory/defectresolution/ ImplementorsGuide/V10/

36 LDAP V3 Core documents: RFC 2251 : Lightweight Directory Access Protocol (v3) RFC 2252 : Lightweight Directory Access Protocol (v3) : Attribute Syntax Definitions RFC 2253 : Lightweight Directory Access Protocol (v3) : UTF-8 String Representation of Distinguished Names RFC 2254 : The String Representation of LDAP Search Filters RFC 2255 : The LDAP URL Format RFC 2256 : A Summary of the X.500(96) User Schema for use with LDAPv3

37 LDAP Extensions documents draft-ietf-asid-ldapv3-simple-paged-03.txt draft-ietf-ldapext-sorting-01.txt draft-ietf-asid-ldapv3-dynamic-08.txt draft-ietf-ldapext-lang-01.txt draft-ietf-ldapext-ldapv3-tls-04.txt draft-ietf-ldapext-ldapv3-vlv-02.txt draft-ietf-ldapext-acl-reqts-01.txt draft-ietf-ldapext-authmeth-03.txt draft-ietf-ladapext-ldap-c-api-01.txt draft-ietf-ldapext-x509-sasl-00.txt draft-ietf-asid-ldap-domains-02.txt

38 LDAP Extensions documents, con t draft-ietf-ladpext-referral-00.txt draft-ietf-ldapext-acl-model-01.txt draft-ietf-ldapext-signops-03.txt draft-ietf-ldapext-psearch-01.txt draft-ietf-ldapext-java-api-02.txt draft-ietf-ldapext-trigger-01.txt draft-ietf-ldapext-c-api-vlv-01.txt draft-ietf-ldapext-c-api-psearch-oo.txt draft-ietf-ldapext-ldapv3-dupent-00.txt draft-ietf-ldapext-families-00.txt

39 Other Documents?? draft-good-ldap-changelog-00.txt draft-weiser-replica-req-01.txt draft-ietf-asid-ldap-mult-mast-rep-02.txt draft-ietf-asid-ldap-repl-info-01.txt draft-smith-ldap-inetorgperson-00.txt draft-ietf-asid-ldap-rpcschema-00.txt draft-ietf-asid-schema-pilot-00.txt draft-ietf-asid-nis-schema-01.txt draft-good-ldap-ldif-01.txt draft-ietf-lsd-ldapv3-wp-00.txt draft-ietf-asid-ldapv3-dynatt-01.txt draft-ietf-ldapext-ldapv3-txn-00.txt

40 Open Group LDAP V3 Profiles Defined LDAP V3 profiles for use within the LDAP V3 test suites ( Status of Base Documents, but are not yet Final Documents RO :Read-Only LDAP Server ( core documents) RW:Read-Write LDAP server ( core + referral + tls) CERT:Certification Application Profile (RW + pkix-ipkiopp) WP:White Pages Application Profile (CERT requirements + LIPS) SSO:Single Sign On Application LDAP Profile (very high level requirements)