DOCSLIB.ORG

Directory Services

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Directory Services PRINCIPLES – NIS – LDAP – DNS Labs and deadlines n AMD ->Intel n Just nu uppgraderar vi kernel o Hoppas det löser interupts ->slött nätverk n Deadlines o http://www.ida.liu.se/~TDDI41/timetable/index.en.shtml n Om jag glömmer (vilket jag gör) säg till mig om att lägga ut föreläsningsslides What is a directory? Fundamental properties n Maps keys to values n Relatively frequent lookups n Relatively infrequent updates Examples n Phone book n Office directory n User database n List of contacts Directories in Linux User database Service names n /etc/passwd, /etc/shadow n /etc/services Group database RPC program numbers n /etc/group n /etc/rpc Host names Known ethernet addresses n /etc/hosts n /etc/ethers Network names Automount maps n /etc/network n /etc/auto.master Protocol names n /etc/protocols Standard implementation: local files The scalability problem Example n 13000 users and 5000 hosts n Passwords valid for 30 days n 50% of changes made at 8-10 à One change every 28.8 seconds à Propagation time: 0.00567s Problems n Performance issues n Hosts that are down n Other propagation failures n Simultaneous updates What is a directory service A specialized database n Attribute-value type information n More reads than updates n Consistency problems are sometimes OK n No transactions or rollback n Support for distribution and replication n Clear patterns to searches Directory services Components Common directory services n A data model n DNS n A protocol for searching n X.500 Directory Service n A protocol for reading n Network Information Service n A protocol for updating n NIS+ n Methods for replication n Active Directory (Windows NT) n Methods for distribution n NDS (Novell Directory Service) n LDAP (Lightweight X.500) Directory services Global directory service Local directory service n Context: entire network or entire n Context: intranet or smaller internet n Namespace: non-uniform n Namespace: uniform n Examples: NIS, local files n Distribution: usually n Examples: DNS, X.500, NIS+, LDAP Directory services in Linux Alias: name services n /etc/nsswitch.conf selects service n Several services per directory n Modular design/implementation Examples from /etc/nsswitch.conf users files,nis users nis[notfound=return],files hosts dns,files NIS, NIS+, LDAP Network Information Service Domain (NIS domain) n Systems administered with NIS ida.liu.se n No connection to DNS domain NIS server n Server that has information accessible through NIS n Serves one or more domains NIS client n Host that uses NIS as a directory service for something fo.ida.liu.se NIS Protocol Data model n RPC based n Directories known as maps n No security n Simple key-value mapping n No updates n Values have no structure n Replication support passwd.bynamearjle 1001:adFrl Replication donkn 1002:*:203 n Master/slave servers johne 1003:trzQw alatu 2031:kprrT johmc 2032:bRelZ Distribution edwyo 2033:*:204 n No distribution support! ricst 2034:vvldk petde 2232:*:204 larwa 3021:*:204 NIS Master server Processes/commands n Maps built from text files n ypserv Server process n Maps in /var/yp n ypbind Client process n Maps built with make n ypcatTo view maps n Maps stored in binary form n ypmatch To search maps n Replication to slaves with n ypwhich Show status yppush n yppasswdd Change password Slave servers n Receive data from master n Load balancing and failover NIS NIS Client Portmapper NIS Server NIS client n Knows its NIS domain GETPORT n Binds to a NIS server Two options DOMAIN_NONACK n Broadcast n Hard coded NIS-server n ypbind BIND NIS Scalability problems Primitive protocol n Flat namespace n No updates n No distribution o Hack for password change n Search only on key Security problems n Primitive data model n No access control n Broadcast for binding n Patched as an afterthought Solution: NIS+ NIS+ Scalability New protocol n Hierarchical namespace n Updates through NIS+ n Distributed administration n General searches n Data model with real tables Security n Authentication of server, client and user n Access control on per-cell level So why is NIS+ not used? LDAP Protocol Data model n TCP-based n Based on X.500 n Fine-grained access control n Object-oriented n Support for updates n Objects can be extended freely n Flexible search protocol n Attribute-based data model n Hierarchical namespace Replication n Replication is possible Distribution n Distributed management is possible Example of user NIS+ table ”passwd.org_dir.example.com” name passwd uid gid gecos home shell davby *LK* 1211 1200 David /home/davby /bin/sh fsmith 3x1231v76T89N 1329 1200 Fran /home/fsmith /bin/sh NIS table passwd.byname (user name as key): davby davby:*:1211:1200:David:/home/davby:/bin/sh fsmith fsmith:*:1329:1200:Fran:/home/fsmith:/bin/sh Example of user dn: uid=fsmith,ou=employees,dc=example,dc=com objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: fsmith givenname: Fran sn: Smith cn: Fran Smith cn: Frances Smith telephonenumber: 510-555-1234 roomnumber: 122G o: Example Corporation International mailRoutingAddress: [email protected] mailhost: mail.example.com userpassword: {crypt}3x1231v76T89N uidnumber: 1329 gidnumber: 1200 homedirectory: /home/fsmith loginshell: /bin/sh LDAP The future LDAP is taking over n NIS is too insecure, doesn’t scale and is inflexible n NIS+ is hard to implement and doesn’t exist on many OSes n X.500 is too complex and has a bad reputation n Other options have similar problems DNS DNS: Data model n Functional: NAME à { TYPE à RDATA } n Relational: (NAME, TYPE, RDATA) NAME TYPE RDATA ida.liu.se A 130.236.177.25 ida.liu.se MX 0 ida.liu.se ida.liu.se NS ns.ida.liu.se ida.liu.se NS ns1.liu.se ida.liu.se NS ns2.liu.se ida.liu.se NS nsauth.isy.liu.se DNS: TYPE & RDATA TYPE RDATA n SOA – Start of authority n Binary data, hardcoded format n NS – Name server n TYPE determines format n MX – Mail exchanger n A – Address n AAAA – IPv6 address n PTR – Domain name pointer n CNAME – Canonical name n TXT – Text … and many more DNS: Namespace Names Namespace n Dot-separated parts n Global and hierarchical o one.part.after.another <root> FQDN n Fully Qualified Domain Name com net org se n Complete name n Always ends in a dot google ibm ibm liu Partial name n Suffix of name implicit www www www ida tfk n Does not end in a dot www DNS: Replication Secondary/slave Example nameserver sysi-00:~# host -t ns ida.liu.se ida.liu.se NS nsauth.isy.liu.se n Indicated by NS RR ida.liu.se NS ns.ida.liu.se n Data transfer with AXFR/IXFR ida.liu.se NS ns1.liu.se Rule of thumb Questions n Every zone needs at least two nameservers n How does a slave NS know when there is new information? n How often should a slave NS attempt to update? n How long is replicated data valid? DNS: Distribution Delegation n A NS can delegate responsibility for a subtree to another NS <root> .se zone n Only entire subtrees can be delegated com net org se Zone n The part of the namespace google ibm ibm liu that a NS is authoritative for n Defined by SOA and NS www www www ida tfk Domain n A subtree of the namespace .com domain www DNS: Delegation Delegating NS Example n NS record for delegated zone a.example.com NS ns2.x.com n A record (glue) for NS when b.x.com NS ns.b.x.com needed ns.b.x.com A 10.1.2.3 Delegated-to NS n SOA record for the zone b.x.com SOA ( ns.b.x.com dns.x.com 20040909001 24H 2H 1W 2D ) DNS: Delegation Format of SOA SERIAL n MNAME Master NS n Increase for every update n RNAME Responsible n Date format common (email) o 2004090901 n SERIAL Serial number n REFRESH Refresh interval REFRESH/RETRY n RETRY Retry interval n How often secondary NS n MINIMUM TTL for negative updates the zone reply MINIMUM n How long to cache NXDOMAIN DNS: Cacheing Cacheing creates scalability Cache parameters n Cacheing reduces tree traversal n TTL – Set per RR n Cacheing of A and PTR reduce n Negative TTL – Set in duplicate DNS queries SOA Example $TTL 4H SOA ( MNAME RNAME SERIAL REFRESH Choosing good cache RETRY 1H ) 24H NS ns parameters is vital ns 24H A 10.1.2.3 DNS: The server Recursive/iterative Review n Does the server offer recursion? n Recursive: the nameserver n To which clients is it offered? gives a definite answer, but may ask other nameservers in order Authoritative/nonauthorit to generate it … n Iterative: the nameserver gives n Authoritative: first-hand a definite answer only for information locally known information; n Otherwise: cached information otherwise it generates a referral DNS: The client Client requirements Partially qualified names n Use a recursive NS (resolver) n Add suffix if there are fewer n Use partially qualified names than n dots in the name (ndots) Name server (resolver) n Specified in /etc/resolv.conf APP libc Example: /etc/resolv.conf nsswitch.conf nss search ida.liu.se nameserver ns.ida.liu.se ndots 2 libnss_dns.so Iterative NS resolv.conf Iterative NS Resolver library Recursive NS Iterative NS Iterative NS DNS: Root Name Server Handles the root zone n Data generated by ICANN Why no more than 13? n Data distributed by Verisign n Distribution from hidden master Thirteen services n Some are anycast n Over 60 servers Operator Locations A VeriSign Dulles VA B ISI Marina Del Rey CA C Cogent Communications Herndon VA; Los Angeles; New York City; Chicago D University of Maryland College Park MD E NASA Ames Mountain View CA F Internet Systems Ottawa; Palo Alto; San Jose, CA; New York City; San Francisco; Consortium, Inc.
Recommended publications
  • Open Directory & Openldap

    Open Directory & Openldap

    Open Directory & OpenLDAP David M. O’Rourke Engineering Manager Overview • Background on Apple’s Open Directory Technology (8 minutes) – What is it – What is Directory Services • How has Apple integrated OpenLDAP (20 minutes or less) – what has Apple added to OpenLDAP? • Questions and Answers (remaining time) Open Directory • Open Directory is a technology name – Covers both client access technologies and server technologies – Integrates and promotes industry standard technologies • Open Directory is built into Mac OS X & Mac OS X Server – Been there since 10.0 • Open Sourced as part of Darwin – http://developer.apple.com/darwin/projects/ opendirectory/ What Is Directory Services • Abstraction API for read/write access to system configuration and management data – Users, groups, mount records and others – Authentication abstraction Mac OS X Software Directory Services NetInfo LDAP BSD Files Other… Directory Services in 10.3 • Includes – LDAPv3 (read/write), Native Active Directory, NetInfo, NIS, BSD/etc files – Service Discovery: Rendezvous, SMB, AppleTalk, and SLP – LDAPv3 client support replication fail over • Documented Access API and plug-in API – SDK posted – Sample code, sample plug-in, notes – Directory Services Headers are installed in – /System/Library/Frameworks/DirectoryService.framework – Command line tool for directory editing ‘dscl’ 10.3 Usage of Directory Services • Login Window uses Directory Services for all user authentication – Managed Desktop • All Security Framework authentication uses Directory Services • Legacy Unix
  • AWS Directory Service Setup with Netapp Cloud Volumes Service for AWS Prabu Arjunan, Netapp August 2019

    AWS Directory Service Setup with Netapp Cloud Volumes Service for AWS Prabu Arjunan, Netapp August 2019

    AWS Directory service setup with NetApp Cloud Volumes Service for AWS Prabu Arjunan, NetApp August 2019 Abstract This document provides instructions to help users set up the AWS directory services environment for using NetApp® Cloud Volumes Service for Amazon Web Services (AWS). TABLE OF CONTENTS 1 Overview ................................................................................................................................................ 3 2 Requirements ........................................................................................................................................ 3 3 Creating the AWS Active Directory service ....................................................................................... 4 4 Adding the Active Directory server to Cloud Volumes Service ..................................................... 10 5 Creating a cloud volume that uses the Active Directory server .................................................... 12 Common errors messages....................................................................................................................... 14 References ................................................................................................................................................. 14 Version History ......................................................................................................................................... 14 2 AWS Directory service setup with NetApp Cloud Volume Service for AWS © 2019 NetApp, Inc. All rights reserved. 1 Overview
  • White Paper | September 2 0 1 7

    White Paper | September 2 0 1 7

    Oracle Directory Services Buyer’s Guide ORACLE WHITE PAPER | SEPTEMBER 2 0 1 7 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. ORACLE DIRECTORY SERVICES – BUYER’S GUIDE Table of Contents Introduction 1 Business Drivers 2 Oracle Directory Services 3 Key Considerations for Some Popular Scenarios 4 Cloud 4 Mobile 4 Customer-Facing Internet 4 Employee-Facing Intranet 5 Directory Services Checklist 5 Conclusion 7 ORACLE DIRECTORY SERVICES – BUYER’S GUIDE Introduction In the late 1990s, directory servers were essentially designed as white-page applications for providing users with secure access to enterprise resources through authentication and authorization processes. Since then, their use has been extended to partners and customers, thus creating the need to support an increasing number of diverse users and communities. Today, directory services need to accommodate hundreds of millions of users and provide additional services to break identity silos. With the ubiquitous use of mobile devices as well as cloud deployments and the integration of social networks identities into the enterprise fabric, billions of objects are transacted everyday through directory services. Modern directory services now go beyond the initial capability to store objects in an identity repository. Directory solutions have evolved around three foundation services: » Storage: Persisting and maintaining entries representing identities.
  • The 12 Essential Tasks of Active Directory Domain Services

    The 12 Essential Tasks of Active Directory Domain Services

    WHITE PAPER ACTIVE DIRECTORY DOMAIN SERVICES The 12 Essential Tasks of Active Directory Domain Services Using the right tools and processes helps reduce administrative overhead and ensures directory service is always available By Nelson Ruest and Danielle Ruest Sponsored by WHITE PAPER ACTIVE DIRECTORY DOMAIN SERVICES ABSTRACT Active Directory Domain Services (AD DS) administration and management includes Sponsored by 12 major tasks. These tasks cover a wide breadth of business needs and are not all performed solely by AD DS administrators. In fact, administrators can and should delegate several tasks to other members of their technical community, technicians, help desk personnel, even users such as team managers and administrative assistants. While delegation is a way to reduce the amount of work administrators have to do when managing AD DS infrastructures, it really only addresses one or two of the 12 tasks, for example, user and group administration as well as end point device administration. The other ten tasks can be staggering in nature—security, networked service administration, OU-Specific Management, Group Policy Object management and many more—and because of this can take up inordinate amounts of time. You can rely on Microsoft’s built-in tools to reduce some of this workload, but are the native tools enough? Perhaps it’s time to reduce AD DS administration overhead by automating most tasks and tightening internal security. Address this by first, determining what the twelve essential labors of Active Directory are and then, see how you can reduce AD DS workloads through the implementation of proper management and administration tools.
  • [MS-DSSP]: Directory Services Setup Remote Protocol

    [MS-DSSP]: Directory Services Setup Remote Protocol

    [MS-DSSP]: Directory Services Setup Remote Protocol Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].
  • Pingdirectory Administration Guide Version

    Pingdirectory Administration Guide Version

    Release 7.3.0.3 Server Administration Guide PingDirectory | Contents | ii Contents PingDirectory™ Product Documentation................................................ 20 Overview of the Server............................................................................. 20 Server Features.................................................................................................................................20 Administration Framework.................................................................................................................21 Server Tools Location....................................................................................................................... 22 Preparing Your Environment....................................................................22 Before You Begin.............................................................................................................................. 22 System requirements..............................................................................................................22 Installing Java......................................................................................................................... 23 Preparing the Operating System (Linux).......................................................................................... 24 Configuring the File Descriptor Limits.................................................................................... 24 File System Tuning.................................................................................................................25
  • Oracle Internet Directory 11G R1

    Oracle Internet Directory 11G R1

    2 3 Directory services are key building blocks for secure identity-enabled business applications and the underlying enterprise identity management (IdM) architecture. Well-structured and organized directory services are the foundation of efficient and effective security services. This is because all IDM applications and most commercial off the shelf (COTS) business applications that require a standard mechanism to access identity attributes, and the most common way to access identity attributes is using LDAP. Example identity attributes include user credentials, access privileges and profile information. Additionally the modern enterprise has different identity attribute needs than they did when LDAP servers first appeared on the market in the 1990s. This is because modern enterprises often have multiple LDAP storage-based servers as well as identity stored in non-LDAP repositories such as HR or CRM databases. Furthermore, new computing initiatives, such as mobile computing, cloud computing and social networking, require LDAP to manage extremely large number of objects, to deliver high performance to manage dynamic data like location and presence, and to be elastic to grow with the cloud. These requirements led to several challenges in deploying identity related applications within the enterprise: While Microsoft Active Directory is pervasive within enterprises, it does not provide the functionality to be a general purpose Enterprise Directory Service because of limitations imposed on it being the Network Operating System directory for Windows. To address Active Directory limitations, Microsoft provides Active Directory Lightweight Directory Services (AD LDS)1. However, due to AD LDS‟s application specific nature, the 1 AD LDS formerly known as Active Directory Application Mode (ADAM) 4 proliferation of AD LDS within enterprises is like weeds in a garden resulting in cost and manageability issues.
  • Open Directory Administration for Version 10.5 Leopard Second Edition

    Open Directory Administration for Version 10.5 Leopard Second Edition

    Mac OS X Server Open Directory Administration For Version 10.5 Leopard Second Edition Apple Inc. © 2008 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to make sure that the information in this manual is correct. Apple Inc., is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino CA 95014-2084 www.apple.com The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, iCal, iChat, Leopard, Mac, Macintosh, QuickTime, Xgrid, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Finder is a trademark of Apple Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. UNIX is a registered trademark of The Open Group. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.
  • Red Hat Enterprise Ipa

    Red Hat Enterprise Ipa

    RED HAT ENTERPRISE IPA INTRODUCTION Red Hat Enterprise IPA enables your organization to comply with regulations, reduce risk, and become more efficient. Simply and centrally manage your Linux/Unix users and their authentication today. And in the future, your Linux/Unix machines, services, policy, and audit information. Government and industry compliance regulations, as well as best practice risk reduction principles require an organization to establish: • the administrative users accessing machines and services on those machines • which machines and services users have accessed • the actions those users took • policies to control user access to particular machines and service • policies around password strength to protect against unauthorized access Establishing these things simply and centrally, in addition to the obvious security benefits, brings significant efficiencies such as: • reduced time and manual work in an internal or external audit • reduced time spent adjusting parameters and policies for individual machines • more rapid deployment and migration of workloads in the environment • increased ability to benefit from initiatives such as Red Hat Linux Automation www.dlt.com/redhat Red Hat Enterprise IPA | Karl Wirth EXISTING SOLUTIONS To solve these problems, organizations have essentially three options. Roll your own solution; purchase an expensive proprietary solution; or leverage an existing Microsoft Active Directory infrastructure for your Unix/Linux identity and policy. ROLL YOUR OWN For over a decade, organizations have used Sun’s Network Information Services (NIS) and NIS+ to provide central management of identity and policy for users and machines in the Linux and Unix environment. NIS has some serious weaknesses that could cause NIS to fail some security compliance audits.
  • Openls Directory Service Architectures and Implementation Based on Web-Service

    Openls Directory Service Architectures and Implementation Based on Web-Service

    OpenLS Directory Service Architectures and Implementation based on Web-Service Jae-Chul Kim, Sung-Soo Kim, Tae-Wook Heo, Jong-Hyun Park LBS Team, Spatial Information Technology Center, ETRI 161 Kajong-Dong, Yusong-Gu, Daejon, Korea [email protected] Abstract: In this paper, we developed those Directory Services used to describe any kind of content in a structured way, based on the Web-Service, because Web-Service environments separated from its presentation to a specific device [2]. provide a suitable method to gather requested information in an SOAP (Simple Object Access Protocol) is a network, appropriate way. The proposed architecture cooperate with transport, and programming language-neutral protocol other OpenLS(Open Location Service) Core Services ( Location that allows a client to call a remote service. The message Utility Service and Router Determin ation service) and is an format is XML [3]. interoperability one — it identifies those global elements of the global Web-Services network that are required in order to en- WSDL (Web-services description language) is an sure interoperability between Web-Services. In this paper, a XML-based interface and implementation description new architecture of Directory Service with OpenLS Core Ser- language. The service provider uses a WSDL document vices is proposed and tested in OpenLS Core Services envi- in order to specify the operations a Web-Service pro- ronments. vides, as well as the parameters and data types of these Keywords: Web-Service, Directory service, OpenLS. operations. A WSDL document also contains the service access information [4]. UDDI (universal description, discovery, and integra- 1. Introduction tion) is both a client-side API and a SOAP-based server implementation that can be used to store and retrieve information on service providers and Web-Services [5].
  • Solaris™ Naming and Directory Service

    Solaris™ Naming and Directory Service

    SOLARIS™NAMING AND DIRECTORY SERVICE THE SOLARIS™ OPERATING ENVIRONMENT LDAP AS A NAMING SERVICE The Solaris™ 8 Operating Environment is the established OS leader Solaris 8 introduces support for LDAP as the access protocol for for availability, scalability, and security in the Internet age. In Solaris naming services. LDAP is a directory standard defined by the Internet 8 software, Sun delivers a trustworthy, universal platform to meet Engineering Task Force (IETF). The Solaris 8 Operating Environment the needs of .com businesses — from small startups to large lets you define information such as usernames, host names, Fortune 1000 enterprises. passwords, and other network resources on any directory server (for example, the iPlanet™ Directory Server) supporting the LDAP v3 It’s no surprise that the Solaris Operating Environment is the leading protocol. The LDAP server stores this information in a hierarchical UNIX® environment today. Solaris software was originally designed namespace called a Directory Information Tree (DIT). The DIT with the Internet in mind. TCP/IP, the central Internet protocol, has consists of entries that are composed of attribute-value pairs. been at the core of Solaris networking for more than 15 years. Each attribute has a type and can have one or more values. Through its time-tested design — a small, stable kernel, modular Naming information, such as host names and passwords, and extensible components, and well-defined interfaces — Solaris will be stored in these entries as attribute values. software delivers rock-solid stability and predictability for business- critical applications. And the Solaris 8 Operating Environment In the Solaris 8 Operating Environment, LDAP clients can use the provides complete compatibility with prior versions, so you can LDAP v3 protocol to access naming information from LDAP servers.
  • Freeipa-Manager

    Freeipa-Manager

    Masaryk University Faculty of Informatics freeipa-manager Bachelor’s Thesis Kristián Leško Brno, Fall 2019 Masaryk University Faculty of Informatics freeipa-manager Bachelor’s Thesis Kristián Leško Brno, Fall 2019 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Kristián Leško Advisor: doc. RNDr. Vlastislav Dohnal, Ph.D. i Acknowledgement My gratitude goes to Michal "Blesk" Marciniszyn, the author of the original idea behind freeipa-manager, and to the rest of our team at GoodData for their patient guidance and support. iii Abstract The goal of this work is to facilitate an improvement in identity man- agement and access control processes in a corporate environment. The thesis implements a tooling for verification and application of access control structures in a FreeIPA server, providing a possibility of clean access rule design and better review and audit options. The implemented software serves for synchronization of access control entities between an authoritative configuration source and the server. iv Keywords FreeIPA, identity management, LDAP, RBAC, access control v Contents Introduction 1 1 Identity management (IdM) 3 1.1 Motivation ..........................3 1.2 Concepts ............................4 2 IdM technologies overview 5 2.1 Directory service .......................5 2.2 LDAP .............................6 2.3 Common IdM solutions ....................6 2.4 Existing solutions evaluation .................8 3 FreeIPA 9 3.1 Features ............................9 3.2 Entity representation ....................