ISBG May LDAP: It s Time. Gabriella Davis - Technical Director The Turtle Partnership

Transcription

1 ISBG May 2015 LDAP: It s Time Gabriella Davis - Technical Director The Turtle Partnership gabriella@turtlepartnership.com

2 What Is LDAP? Lightweight Directory Access Protocol Standard language for reading and writing to directories Adopted as a directory protocol by most large providers IBM Tivoli Directory Server Sun One Novell edirectory Microsoft Active Directory If you want to connect two systems together and use a single directory, you will be using LDAP If you want to have a central directory used by many different systems, you will be using LDAP

3 Why Do We Need LDAP? Directories are central to everything we do They identify people and things that exist in our world and what they do They identify the hierarchy of those people and things Without a directory we would have no audience for our applications everyone would be anonymous If everyone is anonymous, then everyone is also identical and we can t create a custom experience

4 LDAP Queries and How They Work In most cases, the client will be a server acting on behalf of a user of its software

5 LDAP Behavior What happens when a client performs an LDAP query? The client asks for the directory by hostname E.g., LDAP.isbg.com Connect to the directory over TCP LDAP uses port 389 by default, which is unsecured, or port 636 secured Search the directory for the directory entries you need E.g., all people with a last name of davis Take the values from those directory entries E.g., give me the address of everyone you found

6 Terms That Come Up a Lot When Working with LDAP LDAP Server host server Directory Services Agent the service you connect to Bind how you connect to the directory, using what credentials and over what port Schema the definition of the directory and the objects within it Directory information tree. Think of this as the design. Directory entries these could be people, servers, printers, etc. Think of these as documents Attribute defined in the schema, a directory entry contains attributes that themselves hold values Think of these as fields

7 What Is Bind? Assuming we know where the server is (its hostname) To connect to the LDAP server we need to know how How consists of: What port is the server listening on How to use a certificate if one is needed for security What identity is going to be used to access the directory You can configure an LDAP server to allow anonymous access and not need to supply any name or password But it s a directory and has valuable information in it. In the majority of cases, we want it secured. The name and password is that of a directory entry in the LDAP directory These are called the bind credentials

8 Bind Credentials When you bind using credentials to an LDAP server, you are gaining access to anything in the directory those credentials can see More on this later in security The LDAP administrator can assign credentials that themselves have access to only a limited part of the directory For example the credentials salesldap bind may have access to only the Sales part of the directory Any search done with those credentials would only find matching entries within Sales Bind credentials should be Unique across all directories Have a complex non-expiring password Not used for anything else

9 Searching Every LDAP query starts with a search, otherwise how do we find the right people? Searches are constructed strictly according to the schema Although LDAP is a common protocol, each server will have its own schema and so its own search syntax The syntax for searching Active Directory is different from that used to search Domino for instance The good news is that most IBM software has pre-defined search strings to suit the most common LDAP servers

10 Constructing a Search The realities of searching are that in large directories you want your search to: Be efficient Be accurate Return as few entries as possible If we search only for last name is davis we will find both Gabriella Davis and Tim Davis Expanding the search to include first name would help with that Tim Davis in marketing needs a different kind of search than Tim Davis in sales We could choose to include department in our search filter, if that information is available It would be more efficient to choose to search in only a specific part of the hierarchy, such as looking for Tim Davis only within the sales part of our directory

11 Constructing a Search (cont.) To focus our search on a specific part of the directory, we use a baseobject or base_dn. This is the name of the part of the directory we want to search. Examples: AD: base_dn=ou=sales,ou=europe,dc=theview,dc=com Domino: base_dn=ou=sales,ou=europe,o=theview This tells the search to look only in that part of the directory for any results. It makes the search more efficient and prevents any false positives. scope is a search parameter that tells the search how many levels down in the directory from the base_dn it should look singlelevel means search only ou=sales wholesubtree means search ou=sales and anything beneath that part of the directory

12 In Short We connect to a host server and create a search based on the schema to pull the values we want from attributes in matching directory entries

13 Domino and LDAP Domino s directory format for names.nsf is not LDAP by default Domino uses its own protocol to read and manage its primary directory This is consistent across all Domino servers so any other Domino server can read any Domino directory But no non-domino server can read a Domino directory without having it translated The LDAP task, when run on a Domino server, makes the names.nsf available to any LDAP query If you use Directory Assistance, this can also apply to other directories your server can see

14 LDAP Task Load LDAP on the Domino Server Loads by default on Domino servers now Spawns two separate tasks LDAP listener for handling inbound connections LDAP utility for building and propagating the schema Runs the LDAP protocol which can make names.nsf and other directories available for LDAP searches LDAP is specific to each server, so running it on Server A does not grant access to Server B

15 Schema.nsf The LDAP task uses the database schema.nsf on each server to determine how to translate Domino object references into LDAP object references Schema.nsf is created automatically by the Administration server of your Domino domain the first time LDAP is loaded on that server For LDAP to work anywhere in your organization, you must first create schema.nsf by loading LDAP on your administration server A replica of schema.nsf is automatically pushed from the administration server the first time you Load LDAP on any other server in your domain Any server in your domain that runs, or has ever run, the LDAP task will have a replica of schema.nsf in place Once schema.nsf is created, you don t have to keep LDAP running on the Administration server if you don t need it

16 Schema Template You should never need to manually create a schema.nsf but any databases that do exist should be based on the schema template Template name is StdDominoLDAPSchema (schema.ntf) If you do manually create one for whatever reason, don t call it anything other than schema.nsf

17 Domino Attributes in the Schema Open schema.nsf on your server Go to the view LDAP Attribute Types Review list of notes field names and matching LDAP attribute names

18 LDAP Configuration Document LDAP configuration is available only from a global configuration document in the names.nsf The global configuration document is the one marked for [All Servers]

19 Configuring LDAP in Domino On a Global Configuration document, there is a new page called LDAP This is not visible on any other configuration document On the LDAP page, you can configure how LDAP behaves on every server in your organization There can be only one Global Configuration Document per domain so the configuration applies to all servers running the LDAP task The default LDAP settings will work in most cases, but you should always review these carefully to ensure you are configuring for best security and performance

20 Exposing Domino Data to Anonymous Users

21 LDAP Options Affecting Domino Performance Allow LDAP users write access Do you want LDAP clients to be able to make changes to your Domino Directories? This doesn t override directory ACL or roles Timeout How many seconds before a search is cancelled? Don t leave it as zero, which means indefinite. Maximum number of entries returned When doing an LDAP search against a large directory, you can restrict the number of results returned Minimum characters for wildcard search Do you really want people searching for the letter S if they are looking for Smith or even Sm Allow Alternate Language Information processing

22 LDAP Options Affecting Domino Performance (cont.) Rules to follow when this directory is the primary directory, and there are multiple matches on the distinguished name being compared/modified Don t modify any/modify first match/modify all matches? Automatically Full Text Index Domino Directory? Improves performance of searches against Domino Directory, but use only if you are performing high demand searches against a large Directory Enforce schema? If the LDAP user has write access to the Domino Directory, can they write or change attributes that aren t defined in the Domino schema? DN Required on Bind? Require fully distinguished name for security

23 LDAP Options Affecting Domino Performance (cont.) Encode results in UTF8 for LDAPv2 clients? This is about the formatting of results for older LDAP client queries Maximum number of referrals An LDAP query against a server can return a referral to yet another LDAP server, how many layers down are you happy for these referrals to go? Activity Logging truncation size Allow dereferencing of aliases on search requests? Instructs Domino to return search values that correspond to aliases matched by a search

24 Setting Up the LDAP Task LDAP should be configured as an Internet Site Document You can configure it directly in the server document under Internet Protocols LDAP But this is less secure than using Internet site documents

25 Setting Up the LDAP Port You configure the LDAP overall port and behavior under ports internet ports directory Enforce server access settings control whether Domino will enforce server document security settings

26 Directory Assistance and LDAP Directory Assistance can be used to configure additional directories for your Domino server to use when authenticating access or sending mail An additional directory can be Domino or LDAP If you choose to add an LDAP directory to Directory Assistance you need to configure the document

27 DA Basics Tab Configuration Multiple directories in DA can be prioritized in search order Determines which client types this directory can be accessed by Don t use this directory for mail addressing or lookups

28 Directory Assistance LDAP Configuration Each step of the LDAP configuration can be tested and verified before saving

29 DA Naming Contexts Configuration Configure to Trusted for Credentials as you re going to use this LDAP source for authentication

30 Testing Directory Assistance Configuration From the server console, type sh xdir This shows all directories configured on that server and whether they are LDAP

31 Ldapsearch Search utility that ships with Domino and Notes Found in the Domino or Notes program directory Used for searching any LDAP server ldapsearch [parameters to connect] [searchfilter to find correct entries] [attributes to return] No searchfilter will be a request for all entries No attributes specified will be an instruction to return all attributes Certain parameters such as hostname are required

32 Ldapsearch Parameters -h hostname to connect to e.g. ldap1.theview.com -b -D -w -p -? base_dn. Many servers will require you to specify a base_dn for your query and won t accept a query that doesn t have one bind name, if you aren t using anonymous access bind password to go with D port to connect to usually 636 for secured or 389 for unsecured to see the full list of parameters

33 Ldapsearch Search Filter Search filters are to limit the results of an LDAP query to just those directory entries you are interested in The format for a search filter is <attribute> <operator> <value> e.g. sn=davis (lastname is Davis) Use operators and brackets to nest together search attributes Use * for wildcards in values & AND OR! Not equal to = equal to

34 Search Filter Examples Any entry with first name of Gabriella and last name of Davis (&(givenname=gabriella)(sn=davis)) Any entry with first name of Gabriella and last name of Davis or Davies (&(givenname=gabriella)(!(sn=davis)(sn=davies)) Any entry with mail address containing theview.com (mail=*theview.com)

35 Search Filter Examples (cont.) Search for anyone with the last name Davis and return their common name ldapsearch h ldap1.theview.com p 389 D ldaplogin w passwordforldap (sn=davis) cn Search anonymously for anyone with a mail address containing theview.com and return their name ldapsearch h ldap1.theview.com p 389 (mail=*theview.com) cn Search the marketing division on a secure Active Directory server to find the Marketing Director and return all their details ldapsearch h ldap1.theview.com p 636 b cn=marketing,ou=global,dc=theview,dc=com D ldaplogin w passwordforldap (Title=Marketing Director)

36 Softerra s LDAP Browser Free, powerful GUI interface for performing LDAP queries and searches Does not allow modifications to LDAP entries For that you need to purchase their LDAP administrator Very useful for understanding the schema of a directory Especially if you re new to Domino LDAP. You can use Softerra to see what Domino looks like to an LDAP client. Always test your LDAP assumptions, hostname, port, credentials and attributes using something like LDAP Browser before assuming they are correct

37 LDAP Browser Demo Working with servers List of configured LDAP servers softerra can access

38 LDAP Browser Adding Profiles Define the LDAP server s location, connection and bind credentials in the Softerra profile

39 LDIF LDAP Data Interchange Format Used for importing, exporting and updating LDAP contents Standard format Ldapsearch to export ldap content to an LDIF file Ldapadd to update an LDAP directory with entries from an LDIF Ldapmodify to modify an LDAP directory with change records from an LDIF Lots of tools available to work with LDIFs including native Windows tools and Domino Migrate Users

40 LDIF Example Snippet dn: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com objectclass: top objectclass: person objectclass: organizationalperson objectclass: user cn: Gabriella Davis sn: Davis givenname: Gabriella distinguishedname: CN=Gabriella Davis,CN=Users,DC=int,DC=turtlepartnership,DC=com displayname: Gabriella Davis samaccounttype: userprincipalname: CN=Person,CN=Schema,CN=Configuration,DC=int,DC=turtlepartnership,DC=com

41 Notes As an LDAP Client Regardless of your Domino server configuration, Notes itself can act as an LDAP client performing queries against other servers Configured as an account in the user s local names.nsf

42 Searching LDAP Directories from Within Notes LDAP directories will not show in their entirety in Notes You have to search for what you need You can do either a simple or advanced search

43 LDAP and Other IBM Lotus Products Many of the extended IBM Lotus products now require an LDAP server be defined as the Directory source This allows multiple servers to share a common directory with a common protocol regardless of their own platform Connections and Sametime use WebSphere Application Server (WAS) as a platform, but WAS doesn t have a directory of its own it must use an external LDAP directory Within WAS, you can define multiple LDAP sources to act as a single directory much like Directory Assistance in Domino The is called federating the directories

44 WAS LDAP Configuration Login to the Integrated Solutions Console (or Sametime System Console) and choose Security Global Security

45 Viewing Federated Repositories The list of federated repositories shown here comprises what WAS considers to be its directory

46 Configuring Each LDAP Source

47 Testing LDAP Configuration in WAS

48 LDAP Sources As we ve seen, Domino can act as an LDAP server and could therefore be used in configuring a product like Sametime Sametime instant messaging is still based on the Domino platform but you cannot use that same Domino server as your LDAP server Otherwise you are telling the Sametime Community Server to use itself as an external LDAP reference

49 LDAP Security Risks Exposing a directory to anonymous queries, allowing for harvesting of corporate information Not providing secure enough bind credentials so they can be potentially hacked Not connecting using SSL, which means your connection isn t encrypted and bind credentials are sent in clear text Trusting users from another LDAP source you don t control to authenticate onto your servers Does the password quality for users on the external LDAP source match that for your own users Once you have trusted an entire directory, your own directory security is lowered to the level of that uncontrolled source

50 LDAP Security Mitigation Ensure you are only exposing the LDAP entries and attributes you need to Use an LDAP tool to connect to your own server with the bind credentials you are making available to see what others see If you are adding an LDAP server to Directory Assistance in Domino and are trusting it for authentication purposes, ensure you lock down Default access to databases in your environment Use catalog.nsf and DDM to find potential problem areas Never let anyone connect to your directory using credentials without enabling SSL

51 LDAP Performance Tuning Several things impact LDAP performance on any LDAP server Size of directory Using a base_dn limits the search scope for queries and is required for efficiency in very large directories Number of search results returned for a query Length of search string Don t force the server to search as each character is entered Nested groups or dereferencing Anything that causes a lookup to generate another lookup, then another, has a big performance impact

52 LDAP Performance Searching Searching for a user to authenticate when someone logs in requires a directory lookup Most LDAP servers are optimized to find entries if you re using a login name or address If you re using a special or non-standard attribute for login then that may affect performance Domino LDAP uses predefined views if you are allowing logins by name In most cases, you would want to full text index the directory on your Domino LDAP server for performance Many LDAP servers such as Active Directory have strict default limits on LDAP search timeouts and size of search results returned for both performance and security reasons These can always be modified

53 LDAP and DDM If your Domino server is configured to use another LDAP directory in Directory Assistance you can monitor that via a DDM probe Configured in events4.nsf Reported into ddm.nsf on your Domino server

54 Summary LDAP is a standard protocol for directories used by all the major directory providers so in general, no matter the provider, all LDAP servers are equal Many software products that do not have their own directories require connection to an LDAP source of some kind Using LDAP allows you to connect multiple systems together all using the same directory source Domino can be an LDAP server, making its own directories available over the LDAP protocol to other clients and programs Domino can also connect to other LDAP servers using a Directory Assistance document Many IBM products now require or recommend the use of an LDAP directory including Sametime, Connections, and Quickr Integrating LDAP into your solution can have a significant performance and security impact which must be managed

55 Questions How to contact me: Gabriella Davis Twitter: gabturtle