IST346: Namespaces Directories Documentation Todays Agenda Namespaces what

IST346: Namespaces Directories Documentation Todays Agenda Namespaces what is a namespace? Why is it important? Examples of namespace policies Directories and Directory services LDAP lightweight directory access protocol Active Directory

Namespaces So, what is a namespace? 1. 2. 1. 2. A namespace consists of : A set of defined and named keys The attributes associated with each of the keys For example, the linux and windows user accounts weve created in our labs are namespaces The have defined names (the user accounts themselves) tom, dick, harry, etc Each account has attributes associated with it: password, home directory, default shell,

etc All sorts of namespaces: Comput er Names Email address es Printers User Account s Service Names IP Address es Two type of namespaces

Flat No duplicates can exist in a flat namespace. SU NetID is a flat namespace: no two people have the named key: mafudge, sjrieks, mrwunder User accounts are a flat namespace. Hierarchical Namespace is organized in a tree Duplicates can exist at nodes in the tree, but the overall name is globally unique. DNS is an example of such a namespace:

www.syr.edu www.microsoft.com [email protected] [email protected] Namespace Policy Consistent namespaces make everyones job easier. Helps your users and admins find resources A well-governed policy is the key to a consistent and reliable namespace. The policy should have collision prevention for flat namespaces.

Once you decide on a naming convention, it is difficult to change it. If theres one thing you should do by committee, its namespace policy creation! IST-Printer-H010-DELL5310C Issues Surrounding Namespaces Does the namespace contain sensitive data? Longevit y Naming Conventi on How does one formulate the named keys? Protectio n Scope

How long should entries remain? When should they be removed? Where should they be used? Naming Conventions Formulaic Themeatic

By location, resource, type, device class How SU names its objects in Active Directory. No Method Name matches function smtp-host.syr.edu, help.syr.edu, clock.syr.edu Descriptive

Planets, Constellations, Cartoon charaters Gamera.syr.edu, rodan.syr.edu Functional Based on an algorithm, generic look and feel Student001, student1002, server0001 Everyone picks their own, first come first serve. This is how DNS registrars allocate names on the Internet. Applied uses are usually a combination of multiple approaches. Some Examples of namespaces. And their naming conventions Example namespace: NetID

What is it? Rules and Constraints: Legacy systems require the account to be no more than 8 characters. Flat namespace for all users associated with SU. No two people can have the same NetID Convention: Represents accounts for all users on campus

Named keys are created via a combination of formulaic and functional approaches Examples: Michael A Fudge - mafudge Peggy M Brown pmbro01 iSchool Workstation Naming (AD) What is it? Rules and Constraints

For legacy windows computers, 15 characters maximum Must begin with IST- to avoid conflicts with other organizations on campus (flat namespace) Convention: The method the iSchool uses to identify user workstations Named keys are created from the users netid and machine type (fac/staff desktop/laptop) Examples: IST-SD-MAFUDGE IST-FL-DJMOLTA DNS Namespace

What is it? Rules and Constrains Used for registering names of computers on the internet. www.syr.edu [email protected] Except for .edu, .gov and.mil there arent any DNS is a heirarchy, duplicates allowed within different contexts, but not globally. www.syr.edu www.syracuse.com www.google.com

Convention Top level, org level, hostname Top level: http://www.iana.org/gtld/gtld.htm DNS Hierarchy www.syr.edu www host Syr domain Edu gtld Descriptive Namespaces

Descriptive names are the friendliest namespace. They are usually self-explanatory The should be governed carefully within the organization, for obvious reasons. Examples: [email protected] forwards email to user barak.obama [email protected] forwards email to user ncantor http://printing.google.com gives you information about all the printers in google The wireless networks AirOrangeHelp, AirOrange, AirOrangeX Managing Namespaces

Lets suppose your organization has 10 Linux,10 windows servers, and 100s of workstations. 100s of Users An established a naming convention for user accounts and computers. How can you: Avoid collisions of named keys? Manage the user and computer namespaces so that your system admins follow the conventions?

E.g. mafudge = Mary Alice Fudge on a Linux host, Michael A Fudge on a Windows host. Create user fudgema, instead of mafudge for example. These are real-world issues ideas? Meta-Directory A Meta-Directory is a unified database of your namespaces. To create a named key for a namespace, such as a new user: The information is added to the meta-directory

The account is provisioned from the metadirectory to the resource itself. (Account created on the Windows or Linux Server or both) Meta-Directories are namespace management. You can buy identity management software to implement a meta-directory or build your own. These solutions require a lot of planning, design and testing. Directories Directories offer a database for your namespaces. Directories 101 Directory

Directory Service Provides access to directory information. Directory Server A collection of information that is primarily searched and read, but rarely modified. Named keys from namespaces are ideal storage candidates for directories. Application that provides a directory service. Note:

Directories are not Meta-directories. Directories store named keys, but do not provision them. Advantages of Directories Make administration easier. Change data only once: people, accounts, hosts. Unify access to network resources. Single sign on. Single place for users to search (address book) Improve

data management Improve consistency (one location vs many) Secure data through only one server. LDAP Lightweight Directory Access Protocol Lightweight version of the DAP based on X.500 directories. http://www.x500standard.com/ Just an Access protocol, not a directory itself. The directory must be implemented on the server end. Directory

services which implement LDAP OpenLDAP Fedora Directory Server (formerly Sun, Netscape) Mac Open Directory Microsoft Active Directory Novell eDirectory (NDS) LDAP Structure Hierarchal structure An LDAP directory is made of entries.

Entries may be employee records, hosts, accounts etc. Each entry consists of attributes. Containers are called organizational units Attributes can be names, phone numbers, etc. objectClass attribute identifies entry type, or schema Schema determines the available attributes for the entry Each attribute is a type / value pair. Type is a label for the information stored (name)

Value is value for the attribute in this entry. Attributes can be multi-valued. LDAP DN The DN, or distinguished name represents the dc=syr, dc=edu path from the root of the directory to the ou=IS entry. T (In this example the rectangle is a user cn=istobjectClass, and the cn=maufgd sde mafudge trapezoid is a computer Dn: cn=mafudge,ou=IST,dc=syr,dc=edu my account objectClass)

ou=WHI T cn=jadaley Dn: cn=ist-s-mafudge,ou=IST,dc=syr,dc=edu my computer LDAP Authentication Anonymous Binds with empty DN and password. Simple Authentication Binds with DN and password. Cleartext. Bad. Simple

Authentication Authentication over SSL/TLS Use SSL to encrypt simple authentication. Simple Layer Authentication and Security SASL is an extensible security scheme. SASL mechanisms: Kerberos, GSSAPI, SKEY Active Directory

Microsofts Directory service Used to manage users and computers in the enterprise. Hierarchy: Forest, Trees, Domains The Namespace is flat at the domain level AD Implemented using LDAP + DNS + Kerberos LDAP used for user, group, computer, policies and more. Kerberos used for computers on the domain and user logons Active Directory and LDAP demos Questions?