LDAP Directory Integration for ISP's and Enterprises
Authors:
Nickolay Rashev, Bianor Ltd.; Kostadin Jordanov, Bianor Ltd.
November 2002
Contents
Abstract
What is a directory?
  Directory clients and servers
  Directory security and management
  Directory versus database
  The directory as infrastructure
  The LDAP directory standard
  LDAP directory products
Value for the enterprise: short-term, long-term benefits, and ROI
  Short-term benefits
  Long-term benefits
    Security Management
    Network Management
    Systems Management
    E-commerce and business process applications
    Competitive Advantage
  Directory ROI
Directory service integration for ISP's and Hosting companies – a case study
  Key features and advantages of WireFlame Web Hosting
    For Hosting Providers
    For Technical Staff
    For End-users
Conclusion
Contacts
Abstract
The directory project analysis includes both the short-term and long-term benefits of a directory infrastructure. The short-term benefits are related to administrative overhead and the quality of directory information. Managing multiple directories that contain similar information escalates administrative costs and reduces the quality of information in the directory.
For ISP’s and hosting companies, an integrated web hosting system saves valuable management resources by automating the time-consuming aspects of web hosting. Such a system provides a simple, integrated, and easy-to-use web interface that allows both the client's and the provider's technical staff to maintain all clients and accounts with little effort. Using a directory-centric hosting system ensures that a manageable, secure, and scalable solution is in place to support the need for business growth.
The benefits of an enterprise directory deployment far outweigh the costs of maintaining multiple directories. Companies can get a return of approximately five times their directory investment, depending on how many directories they integrate. That return will manifest itself in administrative and support cost savings related to directory management.
It’s more difficult to measure the long-term benefits, but they’re equally important. Over the long term, the directory will become an essential part of the enterprise computing infrastructure, providing the foundation for a variety of applications and services. E-commerce, extranet, and other distributed applications will not scale without a solid directory foundation. Policy-based management systems will use the directory to reduce the costs of managing desktop computers, network devices, and other systems. They’ll also increase the efficiency of the network, allowing managers to personalize the network to fit the needs of individuals, groups, and applications.
This combination of short-term and long-term benefits clearly justifies a directory investment on the part of organizations that are trying to simplify their internal network environments while simultaneously trying to extend their networks to support extranet and e-commerce applications.
What is a directory?
A directory is a listing of information about objects arranged in some order and that gives details about each object. Common examples are a city telephone directory and a library card catalog. For a telephone directory, the objects listed are people; the names are arranged alphabetically, and the details given about each person are address and telephone number.
In computer terms, a directory is a specialized database, also called a data repository, that stores typed and ordered information about objects. Today, almost every application that involves communication comes with some kind of directory. Human Resources and Enterprise Resource Planning (ERP) applications such as PeopleSoft and SAP are becoming critical in large organizations.
Without realizing it, we all use directory services, whether on the Internet or at work when we need to get some information. When you type in a URL on a web browser, such as http://www.bianor.com, this must be translated into an IP address via the Domain Name System (DNS). Thus, DNS is a directory that you use.
One example that has generated a lot of interest is Directory-Enabled Network. This is an example of LDAP being viewed as a factor in easing the management of many different components of distributed systems. It may also provide the capability to centralize the management of these distributed systems without reducing security or increasing complexity.
Today, the developers of directory-enabled applications are faced with a problem. What if they cannot assume that a directory service will exist in all environments? If there is a directory service, it might be specific to a certain operating environment or e-mail system, making the application non-portable. Can the existing directory service be extended to store the type of information needed by all applications? Because of these concerns, application developers often take the approach of developing their own application-specific directory. To avoid this obvious waste of time and energy (by reinventing the wheel on every application), directory standards were created by international bodies like ISO, CCITT, ITU-T.
Directory clients and servers
Directories are usually accessed using the client/server model of communication. An application that wants to read or write information in a directory does not access the directory directly. Instead, it calls a function or application programming interface (API) that causes a message to be sent to another process. This second process accesses the information in the directory on behalf of the requesting application.
The request is performed by the directory client, and the process that maintains and looks up information in the directory is called the directory server. In general, servers provide a specific service to clients. Sometimes, a server might become the client of other servers in order to gather the information necessary to process a request.
Directory security and management
The security of information stored in a directory is a major consideration. Some directories are meant to be accessed publicly on the Internet, but that does not mean every user should be able to perform every operation. A company’s directory serving its intranet can be placed behind a firewall to keep the general public from accessing it, but finer-grained security control is needed within the intranet itself.
For example, anybody should be able to look up an employee’s e-mail address, but only the employee or a system administrator should be able to change it. Members of the personnel department might have permission to look up an employee’s home telephone number, but their co-workers might not. Perhaps information needs to be encrypted before being transmitted over the network. A security policy defines who has what type of access to what information. The security policy is defined by the organization that maintains the directory.
Herein we focus on the three aspects of directory security: authentication, integrity and confidentiality. There are several methods that can be used for this purpose; the most important ones are discussed here. These are:
No authentication
This is the simplest way, one that obviously does not need to be explained in much detail. This method should only be used when data security is not an issue and when no special access control permissions are involved. This could be the case, for example, when your directory is an address book browsable by anybody.
Basic authentication
Besides the option of using no authentication at all, the simplest security mechanism in LDAP is called basic authentication. When using basic authentication with LDAP, the client identifies itself to the server by means of an ID and a password that are sent in the clear over the network. At most the credentials are obscured by a trivial encoding rather than protected by real encryption, so they are not hard to recover once one has captured the data on the network.
Simple Authentication and Security Layer (SASL)
SASL is a framework for adding additional authentication mechanisms to connection-oriented protocols. The SASL security mechanism negotiation between client and server is done in the clear. Once the client and the server have agreed on a common mechanism, the connection is secured against tampering with the authentication identities.
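As an added example, not part of the paper, the three methods above can be told apart on the wire: an LDAP client's BindRequest carries either an empty name and password (no authentication), a password in the clear (the paper's basic authentication; LDAP calls it a simple bind) or a SASL mechanism name. The decoder below, with its own small BER encoder and constructed sample captures (client addresses are made up), classifies bind requests and flags passwords sent without SSL/TLS; it goes slightly beyond the text in also flagging a name with an empty password, which LDAP servers treat as an anonymous bind (RFC 4513).

```python
# Tags of an LDAPMessage carrying a BindRequest (RFC 4511, section 4.2).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3   # [APPLICATION 0], [0], [3]

def ber(tag, content):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:          # long form (LDAP allows definite lengths only)
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, name, password=b"", sasl_mechanism=None):
    """Build a BindRequest exactly as an LDAP client puts it on the wire."""
    if sasl_mechanism is not None:
        auth = ber(AUTH_SASL, ber(OCTET_STRING, sasl_mechanism.encode()))
    else:
        auth = ber(AUTH_SIMPLE, password)
    op = ber(BIND_REQUEST,
             ber(INTEGER, b"\x03") + ber(OCTET_STRING, name.encode()) + auth)
    return ber(SEQUENCE, ber(INTEGER, bytes([msg_id])) + op)

def classify_bind(message):
    """Return which of the paper's authentication methods a BindRequest uses."""
    tag, body, _ = read_tlv(message)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return {"method": "not-a-bind"}
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"), "version": version[0],
            "name": name.decode("utf-8")}
    if auth_tag == AUTH_SIMPLE:
        if not name and not auth:
            info["method"] = "anonymous"      # "no authentication"
        elif not auth:
            # RFC 4513, 5.1.2: name + empty password is treated as anonymous
            info["method"] = "unauthenticated"
        else:
            info["method"] = "simple"         # the paper's "basic authentication"
            info["cleartext_password"] = auth.decode("utf-8")
    elif auth_tag == AUTH_SASL:
        _, mechanism, _ = read_tlv(auth)
        info["method"], info["mechanism"] = "sasl", mechanism.decode("ascii")
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")
    return info

def audit(captures):
    """captures: (client address, TLS in use?, raw LDAPMessage) triples.  Flags
    passwords sent without SSL/TLS and empty-password binds (anonymous access)."""
    findings = []
    for client, tls, raw in captures:
        info = classify_bind(raw)
        if info.get("method") == "simple" and not tls:
            findings.append(f"{client}: simple bind as {info['name']!r} "
                            "sent the password in the clear")
        elif info.get("method") == "unauthenticated":
            findings.append(f"{client}: empty password for {info['name']!r} "
                            "yields anonymous access only")
    return findings

# Constructed sample captures: (client address, TLS in use, bytes on the wire).
SAMPLE_CAPTURES = [
    ("10.0.0.5", False, bind_request(1, "")),                            # anonymous
    ("10.0.0.7", False, bind_request(2, "cn=admin,dc=example,dc=com", b"secret")),
    ("10.0.0.7", True, bind_request(3, "cn=admin,dc=example,dc=com", b"secret")),
    ("10.0.0.9", False, bind_request(4, "", sasl_mechanism="DIGEST-MD5")),
    ("10.0.0.11", False, bind_request(5, "uid=app,dc=example,dc=com")),  # no password
]
```

Running `audit(SAMPLE_CAPTURES)` reports only the plaintext bind from 10.0.0.7 and the empty-password bind from 10.0.0.11; the same simple bind over TLS is not flagged because the password never crosses the network unencrypted.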
SSL and its successor, TLS, are the mechanisms commonly used in LDAP. The Secure Sockets Layer (SSL) protocol was devised to provide both authentication and data security. It encapsulates the TCP/IP socket so that basically every TCP/IP application can use it to secure its communication.
SSL/TLS supports server authentication (client authenticates server), client authentication (server authenticates client), or mutual authentication. In addition, it provides for privacy by encrypting data sent over the network.
SSL/TLS uses a public key method to secure the communication and to authenticate the counterparts of the session. This is achieved with a public/private key pair.
The simplified interchange between a client and a server negotiating an SSL/TLS connection is illustrated here:
SSL/TLS is used to authenticate a server to a client using its certificate and its private key and to negotiate a secret key later on used for data encryption.
Directory versus database
A directory is often described as a database, but it is a specialized database that has characteristics that set it apart from, for example, general-purpose relational databases. One special characteristic of directories is that in general they are accessed (read or searched) much more often than they are updated (written). Hundreds of people might look up an individual’s phone number, or thousands of print clients might look up the characteristics of a particular printer. But the phone number or printer characteristics rarely change.
Directories must be able to support high volumes of read requests, so they are typically optimized for read access. Write access might be limited to system administrators or to the owner of each piece of information. A general-purpose database, on the other hand, needs to support applications such as airline reservations and banking with high update volumes.
The directory as infrastructure
A directory that is accessible by all applications is a vital part of the infrastructure supporting a distributed system. A directory service provides a single logical view of the users, resources, and other objects that make up a distributed system. This allows users and applications to access network resources transparently. That is, the system is perceived as an integrated whole, not a collection of independent parts. Objects can be accessed by name or function without knowing low-level identifiers such as host addresses, file server names, and e-mail addresses.
LDAP is the protocol to be used to access this common directory infrastructure. Like HTTP (hypertext transfer protocol) and FTP (file transfer protocol), LDAP is becoming an indispensable part of the Internet’s protocol suite.
When applications access a standard common directory that is designed in a proper way, rather than using application-specific directories, redundant and costly administration can be eliminated, and security risks are more controllable. The calendar, mail, and operator notification applications can all access the same directory to retrieve an email address. New uses for directory information will be realized, and a synergy will develop as more applications take advantage of the common directory.
The LDAP directory standard
LDAP defines the communication protocol between the directory client and server, but does not define a programming interface for the client. A standardized protocol and the availability of a common API on different platforms are the major reasons for the wide acceptance of LDAP.
LDAP has evolved to meet the need of providing access to a common directory infrastructure. LDAP is an open industry standard that is supported by many system vendors on a variety of platforms. It is being incorporated into software products and is quickly becoming the directory access protocol of choice. LDAP allows products from different vendors on different platforms to interoperate and provide a global directory infrastructure, much like HTTP enabled the deployment of the World Wide Web.
A common directory infrastructure encourages new uses. The Directory Enabled Networks (DEN) Initiative is a proposal to allow information about network configuration, protocol information, router characteristics, and so on to be stored in an LDAP directory. The availability of this information in a common format from many equipment vendors will allow the intelligent management and provisioning of network resources. These examples show the diverse uses of directory-enabled applications supported by a common directory infrastructure accessed with LDAP.
LDAP directory products
Novell eDirectory
Sun ONE Directory Server
Netscape Directory Server
Oracle Internet Directory
Microsoft Active Directory
IBM Directory Server
OpenLDAP
Apple Open Directory
Value for the enterprise: short-term, long-term benefits, and ROI
Short-term benefits
The short-term benefits of directory deployments are related primarily to administrative overhead and information quality. The fact that most enterprises have multiple directories is no surprise, but many companies haven’t really examined how much it costs to maintain those directories or the overall impact of inaccurate information. The need to manage multiple directories—most of which contain the same user and resource information—creates significant costs related to the duplication of effort and the inaccuracy of directory information. Simply put, companies want a single, authoritative source of accurate information. While they can’t reduce the number of directories they have to just one, IT managers can reduce the duplication of effort and increase the accuracy of directory information through integration and unification efforts, which in turn save money.
Each directory a company has to maintain comes with its own setup, administration, training, support, and maintenance operations. IT departments must hire and train people to run those directories, and end users must access them. In other words, each directory has its associated costs, and reducing the number of directories that an organization has to manage can reduce costs.
A few simple calculations illustrate these savings. Consider a company with annual directory administration costs of $360,000 that supports seven directories, with 35,000 individual record changes occurring annually and an average of 15 minutes needed to change a directory record. Because each change otherwise has to be repeated in every one of the seven directories, consolidating them into a single directory cuts the cost of directory changes to roughly a seventh, about $52,000.
In comparison with most enterprise environments, this example is relatively simple. It’s safe to say that all large enterprises have more than five directories. If we consider between 15 and 30 directories, which isn’t out of line with the reality most companies face, we get dramatically higher savings. Therefore, our example clearly illustrates that even in a simple environment, the cost savings that a directory integration project yields are significant. Enterprise customers can use similar techniques to calculate the costs of maintaining the status quo and to estimate the cost savings that they can realize from implementing an integrated enterprise directory in their own environment. By comparing those two numbers and illustrating the return on the directory investment, a directory proposal can usually gain widespread support within an organization, because even a conservative estimate promises significant cost savings.
Long-term benefits
Using an enterprise directory integration project to reduce administration costs allows an organization to lay the foundation for long-term benefits that are harder to quantify, but are of equal importance. As already said, directories become as important as fundamental protocols like TCP/IP. They provide the foundation for a new generation of applications that support e-commerce, extranet communications, intranet collaboration, and other functions that transform business processes. Directories also become the coordinating element in managing distributed systems based on policies, which managers will apply and administer via the directory. Specifically, directories will enable managers to create clear relationships between basic user administration and policies for security, network, and systems management, as well as business processes, allowing them to manage the whole network environment.
Clearly, directories are evolving and cannot fully deliver on all of these promises in an enterprise-wide fashion today. Directory products, standards, and tools must mature to meet these goals. Developers must leverage directories more effectively in their applications, and customers must make progress in their directory deployments. But organizations can currently realize some of these benefits. The longer an organization waits to start building its directory infrastructure, the longer it will take to realize these benefits as they emerge over the next three to five years.
Security Management
Directories allow security managers to associate credentials from different authentication mechanisms with each user’s unique directory ID. Directories can associate both X.509 digital certificates and Kerberos passwords with a specific user, giving managers a single place to manage and integrate credentials and security policy. In addition, directories are the ideal foundation for single sign-on services. Likewise, Virtual Private Networks (VPNs), firewalls, and other security services can use the directory to authenticate users, store and apply access controls, and expose their services to other applications. As organizations centralize important security functions in the directory, they can save money and effort by minimizing administration overhead and decreasing risk.
Network Management
As the DEN initiative clearly demonstrates, directories will be the foundation for management tools that allocate bandwidth based on quality and class of service parameters (QoS/CoS). IT organizations will be able to provision and personalize network access using profiles and policies for groups and individual users. IT organizations can use these QoS/CoS services to meter services for charge back to internal customers, and to cost-justify network hardware upgrades. As organizations leverage policy-based management, they can save money by minimizing the effort it takes to manage the network while using corporate resources more efficiently.
Systems Management
Increasingly, systems management tools will store policies for application and operating system configuration preferences in the directory. Directories will enable location independence, allowing users and applications to access resources, and get the appropriate class of service, wherever they are. These developments make it clear that it will be directories, not the network computer, that will rein in the costs of desktop systems management.
E-commerce and business process applications
Directory services will be the foundation for e-commerce and extranet applications that put business processes “in” the network. Directories will allow people to collaborate and share information, for example, both internally and externally. Applications will use the directories as the repository for roles and capabilities, allowing applications (and the people that use them) to find the resources they need. Directories will also allow applications to access naming, addressing, and routing information for the people and applications involved with any process. An enterprise directory will also enable trust relationships between partners, suppliers, and customers. Many enterprises will maintain extranet directories, hosting entries that describe their partners and customers through trading profiles and policies, including each partner’s digital certificates and other important attributes, such as capabilities, access rights, and appropriate contacts. Until global directory replication standards emerge, many directory managers will want to delegate the authority to manage these entries to their partners, ensuring a higher level of data integrity.
Many enterprises using extranets for business-to-business e-commerce will also have to issue certificates for their trading partners, especially in cases where a strong vertical electronic marketplace doesn’t exist. Thus, directories will support the centralized management of e-commerce applications and tight integration with corporate security, network, and systems management policies and systems. Without a solid directory foundation, commerce applications will not scale to the hundreds of thousands, if not millions, of users most enterprises want to serve.
Competitive Advantage
All of these long-term benefits translate to competitive advantage. Directories will make new applications easier to build, because they can leverage the directory and security infrastructure instead of duplicating it. Thus, organizations can re-engineer their business processes with less pain and overhead. Lower administration costs free resources and enable investments in other developments that can improve the company’s business process and bottom line. Finally, the coordination of security, network, and systems management through policy will improve security, save money, and strengthen a company’s competitive capabilities.
Directory ROI
Organizations must consider both the short-term and long-term benefits of a directory strategy to assess accurately the return on investment. Simply put, the long-term directory payback comes by combining the short-term benefits of reduced administration costs with the long-term strategic benefits of a directory infrastructure.
In the initial term of a directory integration project, costs will increase as an organization invests in the directory infrastructure, cleans up and integrates corporate data, and takes on the hard work of directory integration and unification. But over the long term, costs will decrease as the integration pays off. The organization will have to manage fewer directories, and an increasing number of applications will leverage the directory infrastructure. Without such an integration effort, costs will rise exponentially as an organization maintains an increasing number of directories and fails to effectively leverage the overall strategic advantage of an enterprise-wide directory infrastructure.
Directory service integration for ISP's and Hosting companies – a case study
A directory-integrated web hosting system aims to facilitate the everyday operations of hosting providers, ISPs, and their clients. It saves valuable management resources by automating the time-consuming aspects of web hosting, providing a simple and easy-to-use web interface that allows the client’s and provider’s technical staff to maintain the web hosting system from any computer with an Internet connection. Hosting providers use an enormous number of diverse web services and products from different vendors. If these services are not unified in one integrated solution, their management, control and monitoring turn into a hard and time-consuming task. Bianor’s WireFlame Integrated Web Hosting System enables ISPs to finally get the features they need with enough performance to support tens of thousands of web sites, domains and users. WireFlame is an integrated web hosting system with two major components – a Server System, which provides different network services such as email, custom web sites, file transfer, etc., and an Administration Interface, a single management application that enables sales people, technical staff, and end-users to centrally manage all their profiles and subordinates.
Key features and advantages of WireFlame Web Hosting
Robust system - built for growth above 100,000 mail accounts, tens of thousands of web sites, domains, and users
Highly available and reliable - runs on a cluster of load-balanced PC servers
Scalable - new machines can be easily added to the cluster
Flexible and open to new functionalities - allows easy integration of new modules and third-party products
Manageable - centralized directory for all services and products
No additional license costs - integrates the best proven open-source products like Apache, qmail, etc.
Based entirely on Linux - no additional license costs for middleware
Multi-lingual support - English, Japanese, and others
Remote management of accounts via secure web access
High level of network security and monitoring
Easy to support
Low TCO (Total Cost of Ownership)
For Hosting Providers
WireFlame provides a hosting provider's sales force with a selection of predefined service packages, which they can easily offer to their clients. Hosting packages allow flexible customization of all features and aspects of a hosting plan, making it quick to build a hosting offer that is perfectly suited to every individual client's needs. The package is a kind of wizard, which lowers creation and modification effort by using predefined profiles while giving the means to add or remove services and change quotas through a simple point-and-click interface.
For Technical Staff
WireFlame's integrated directory-based policy management controls which system users have access to which resources. Access rights are grouped by role name, and access to a resource is restricted to users who have been assigned a given role. For example, a user who is defined as a system administrator of a certain client's company can access only that company's properties and manage the company's internal user profiles, details, and quotas, within the range of resources provided to the company by the hosting provider.
For End-users
WireFlame Web Hosting System provides end-users with custom managed profiles, web sites, email, file exchange, FTP, WebDAV, DNS, SMTP, POP3, IMAP, web mail, mailing lists, CGI's, access management and usage statistics, network security, backup, real-time monitoring, and a number of other integrated products and services - sized for thousands of companies and hundreds of thousands of users, centrally managed through a web interface for every single user.
WireFlame Server System provides the following basic functionalities and services to Internet users, integrated through a central directory:
Web server - user password-protected directories, SSL, Apache mod plug-ins
DNS
Sub-domains
File transfers - FTP, WebDAV, web-based file exchange
Multimedia capabilities
Application environments - Java, XML, ASP, Perl, Python, PHP, C/C++, standard CGI packages
Email - SMTP, POP3, IMAP, WebMail
Mailing lists
Anti-virus and spam control
Database - MySQL, PostgreSQL, Oracle 9i, IBM DB2, and others
E-shops and catalogs
Interface to payment providers
Administration Interface

WireFlame is an open-architecture system into which different software packages can be integrated according to the hosting provider’s and customers’ needs. Herein, we present the basic functionality and packages of the system.
Conclusion
IT managers can demonstrate the value of, and the return on, an enterprise directory project by quantifying the short-term benefits in terms of dollars, and defining the long-term benefits in terms of strategic initiatives. With a well-executed implementation plan, enterprise customers can expect a return of approximately five times their ongoing investment, depending on the size of the network, the number of users in the directory, and the number of directories being integrated with the enterprise directory. Organizations can realize that return in cost savings in the millions of dollars, primarily in the areas of administration and support. But those savings will come only through the hard work, careful planning, and commitments that directory projects require.
Contacts
For more information please contact:
BIANOR
5 Stratsin Str.
1407 Sofia
Bulgaria
Email: [email protected]
Web: www.bianor.com