LDAP Directory Integration for ISP's and Enterprises - Inet-tr


LDAP Directory Integration for ISP's and Enterprises

Authors:
Nickolay Rashev, Bianor Ltd.
Kostadin Jordanov, Bianor Ltd.

November 2002
Contents

Abstract
What is a directory?
Directory clients and servers
Directory security and management
Directory versus database
The directory as infrastructure
The LDAP directory standard
LDAP directory products
Value for the enterprise: short-term, long-term benefits, and ROI
Short-term benefits
Long-term benefits
Security Management
Network Management
Systems Management
E-commerce and business process applications
Competitive Advantage
Directory ROI
Directory service integration for ISP's and Hosting companies - a case study
Key features and advantages of WireFlame Web Hosting
For Hosting Providers
For Technical Staff
For End-users
Conclusion
Contacts

Abstract

The directory project analysis includes both the short-term and long-term benefits of a directory infrastructure. The short-term benefits are related to administrative overhead and the quality of directory information. Managing multiple directories that contain similar information escalates administrative costs and reduces the quality of information in the directory.

For ISP's and hosting companies, an integrated web hosting system saves valuable management resources by automating the time-consuming aspects of web hosting. Such a system provides a simple, integrated, and easy-to-use web interface that allows both the client's and the provider's technical staff to easily maintain all clients and accounts. Using a directory-centric hosting system ensures that a manageable, secure, and scalable solution is in place to support the need for business growth.

The benefits of an enterprise directory deployment far outweigh the costs of maintaining multiple directories. Companies can get a return of approximately five times their directory investment, depending on how many directories they integrate. That return will manifest itself in administrative and support cost savings related to directory management.

It’s more difficult to measure the long-term benefits, but they’re equally important. Over the long term, the directory will become an essential part of the enterprise computing infrastructure, providing the foundation for a variety of applications and services. E-commerce, extranet, and other distributed applications will not scale without a solid directory foundation. Policy-based management systems will use the directory to reduce the costs of managing desktop computers, network devices, and other systems. They’ll also increase the efficiency of the network, allowing managers to personalize the network to fit the needs of individuals, groups, and applications.

This combination of short-term and long-term benefits clearly justifies a directory investment on the part of organizations that are trying to simplify their internal network environments while simultaneously trying to extend their networks to support extranet and e-commerce applications.

What is a directory?

A directory is a listing of information about objects, arranged in some order, that gives details about each object. Common examples are a city telephone directory and a library card catalog. For a telephone directory, the objects listed are people; the names are arranged alphabetically, and the details given about each person are address and telephone number.

In computer terms, a directory is a specialized database, also called a data repository, that stores typed and ordered information about objects. Today, almost every application that involves communication comes with some kind of directory. Human Resources and Enterprise Resource Planning (ERP) applications such as PeopleSoft and SAP are becoming critical in large organizations.

Without realizing it, we all use directory services, whether on the Internet or at work, when we need to get some information. When you type a URL into a web browser, such as http://www.bianor.com, it must be translated into an IP address via the Domain Name System (DNS). Thus, DNS is a directory that you use.

One example that has generated a lot of interest is Directory-Enabled Networks. This is an example of LDAP being viewed as a factor in easing the management of many different components of distributed systems. It may also provide the capability to centralize the management of these distributed systems without reducing security or increasing complexity.

Today, the developers of directory-enabled applications are faced with a problem. What if they cannot assume that a directory service will exist in all environments? If there is a directory service, it might be specific to a certain operating environment or e-mail system, making the application non-portable. Can the existing directory service be extended to store the type of information needed by all applications? Because of these concerns, application developers often take the approach of developing their own application-specific directory. To avoid this obvious waste of time and energy (by reinventing the wheel on every application), directory standards were created by international bodies like ISO, CCITT, and ITU-T.


Directory clients and servers

Directories are usually accessed using the client/server model of communication. An application that wants to read or write information in a directory does not access the directory directly. Instead, it calls a function or application programming interface (API) that causes a message to be sent to another process. This second process accesses the information in the directory on behalf of the requesting application.

The request is performed by the directory client, and the process that maintains and looks up information in the directory is called the directory server. In general, servers provide a specific service to clients. Sometimes, a server might become the client of other servers in order to gather the information necessary to process a request.


Directory security and management

The security of information stored in a directory is a major consideration. Some directories are meant to be accessed publicly on the Internet, but not every user should necessarily be able to perform every operation. A company’s directory servicing its intranet can be stored behind a firewall to keep the general public from accessing it, but more security control is needed within the intranet itself.

For example, anybody should be able to look up an employee’s e-mail address, but only the employee or a system administrator should be able to change it. Members of the personnel department might have permission to look up an employee’s home telephone number, but their co-workers might not. Perhaps information needs to be encrypted before being transmitted over the network. A security policy defines who has what type of access to what information. The security policy is defined by the organization that maintains the directory.
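As an added illustration that is not part of the original paper, the policy just described (anyone reads the e-mail address, only the employee or an administrator changes it; the personnel department reads home telephone numbers, co-workers do not) is expressed as a small first-match attribute access policy and evaluated over a constructed directory. The entries, DNs and group memberships are assumptions, and the evaluator only imitates the first-match style of OpenLDAP access clauses rather than using OpenLDAP itself:

```python
"""First-match attribute access policy for the paper's example.
Directory entries, DNs and group memberships below are constructed for the
demonstration; the evaluator mimics the first-match semantics of OpenLDAP
"access to attrs=... by ... by ..." clauses but is not OpenLDAP code."""

from typing import Optional

BASE = "dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,ou=people,{BASE}": {"mail": "alice@example.com", "homePhone": "+1-555-0100"},
    f"uid=bob,ou=people,{BASE}": {"mail": "bob@example.com", "homePhone": "+1-555-0101"},
    f"uid=carol,ou=hr,{BASE}": {"mail": "carol@example.com", "homePhone": "+1-555-0102"},
}
PERSONNEL = {f"uid=carol,ou=hr,{BASE}"}   # the personnel department (assumed membership)
ADMINS = {f"cn=admin,{BASE}"}             # system administrators (assumed)

LEVELS = {"none": 0, "read": 1, "write": 2}

# (attribute, [(who, level), ...]); the first "who" that matches the bound
# subject decides, so order matters exactly as it does in OpenLDAP ACLs.
# "self" write on homePhone is an assumption the paper does not state.
POLICY = [
    ("mail", [("self", "write"), ("admins", "write"), ("*", "read")]),
    ("homePhone", [("self", "write"), ("admins", "write"), ("personnel", "read"), ("*", "none")]),
]


def _matches(who: str, subject: Optional[str], target_dn: str) -> bool:
    """subject is the bound DN, or None for an anonymous client."""
    return {
        "*": True,
        "self": subject == target_dn,
        "admins": subject in ADMINS,
        "personnel": subject in PERSONNEL,
    }[who]


def access_level(subject: Optional[str], target_dn: str, attr: str) -> str:
    """Resolve the access level with first-match semantics and default deny."""
    for rule_attr, clauses in POLICY:
        if rule_attr != attr:
            continue
        for who, level in clauses:
            if _matches(who, subject, target_dn):
                return level
        return "none"   # attribute covered by a rule, but no clause matched
    return "none"       # attributes no rule mentions are never exposed


def search(subject: Optional[str], attr: str) -> dict:
    """Values of attr the subject is allowed to read, keyed by entry DN."""
    return {dn: entry[attr] for dn, entry in DIRECTORY.items()
            if attr in entry and LEVELS[access_level(subject, dn, attr)] >= LEVELS["read"]}


def modify(subject: Optional[str], target_dn: str, attr: str, value: str) -> bool:
    """Apply the change only if the policy grants write; report whether it did."""
    if LEVELS[access_level(subject, target_dn, attr)] < LEVELS["write"]:
        return False
    DIRECTORY[target_dn][attr] = value
    return True
```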


Herein we focus on three aspects of directory security: authentication, integrity and confidentiality. There are several methods that can be used for this purpose; the most important ones are discussed here. These are:

No authentication

This is the simplest way, one that obviously does not need to be explained in much detail. This method should only be used when data security is not an issue and when no special access control permissions are involved. This could be the case, for example, when your directory is an address book browsable by anybody.

Basic authentication

Besides the option of using no authentication at all, the simplest security mechanism in LDAP is called basic authentication. When using basic authentication with LDAP, the client identifies itself to the server by means of an ID and a password that are sent in the clear over the network. Only a relatively simple encoding protects them, and therefore it is not hard to break once one has captured the data on the network.


Simple Authentication and Security Layer (SASL)

SASL is a framework for adding additional authentication mechanisms to connection-oriented protocols. The SASL security mechanism negotiation between client and server is done in the clear. Once the client and the server have agreed on a common mechanism, the connection is secure against modification of the authentication identities.

SSL and its successor, TLS, are the mechanisms commonly used in LDAP. The Secure Socket Layer (SSL) protocol was devised to provide both authentication and data security. It encapsulates the TCP/IP socket so that basically every TCP/IP application can use it to secure its communication.

SSL/TLS supports server authentication (the client authenticates the server), client authentication (the server authenticates the client), or mutual authentication. In addition, it provides for privacy by encrypting data sent over the network.

SSL/TLS uses a public key method to secure the communication and to authenticate the counterparts of the session. This is achieved with a public/private key pair.

The simplified interchange between a client and a server negotiating an SSL/TLS connection is illustrated here:

[Figure: client/server SSL/TLS negotiation; not reproduced in this text]

SSL/TLS is used to authenticate a server to a client using its certificate and its private key, and to negotiate a secret key later used for data encryption.
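To make the difference between the mechanisms above concrete, here is an added example that is not from the paper: it builds LDAPv3 BindRequest messages in their RFC 4511 BER encoding and classifies captured ones as anonymous, simple bind in the clear, simple bind under TLS, or SASL, the distinction a directory monitor would alert on. The DNs, passwords and the tls_in_use flag are constructed inputs:

```python
"""Encode and inspect LDAPv3 BindRequest PDUs (RFC 4511 BER encoding) and flag
the weak cases the text describes: anonymous binds and simple binds whose
credentials cross the wire without TLS. Sample PDUs are constructed with the
encoder below; no real server or packet capture is involved."""

from typing import Optional

# BER tags used by an LDAPMessage carrying a BindRequest
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80       # AuthenticationChoice: simple [0] OCTET STRING
AUTH_SASL = 0xA3         # AuthenticationChoice: sasl [3] SaslCredentials


def _ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(value: int) -> bytes:
    """Two's-complement INTEGER; the extra bit keeps 128..255 positive."""
    return _tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def encode_bind(message_id: int, dn: str, password: Optional[str] = None,
                sasl_mech: Optional[str] = None) -> bytes:
    """Build LDAPMessage { messageID, bindRequest } for a simple or SASL bind."""
    if sasl_mech is not None:
        auth = _tlv(AUTH_SASL, _tlv(OCTET_STRING, sasl_mech.encode()))
    else:
        auth = _tlv(AUTH_SIMPLE, (password or "").encode())
    bind = _tlv(BIND_REQUEST, _int(3) + _tlv(OCTET_STRING, dn.encode()) + auth)
    return _tlv(SEQUENCE, _int(message_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(pdu: bytes) -> dict:
    """Decode the BindRequest fields that matter for a security review."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True)}
    if tag != BIND_REQUEST:
        info["op"] = "other"
        return info
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    atag, cred, _ = _read_tlv(op, pos)
    info.update(op="bind", version=version[-1], dn=name.decode(), auth="unknown")
    if atag == AUTH_SIMPLE:
        # The password is a plain OCTET STRING: whoever captured the PDU reads it.
        info.update(auth="simple", password=cred.decode())
    elif atag == AUTH_SASL:
        _, mech, _ = _read_tlv(cred, 0)   # SaslCredentials.mechanism
        info.update(auth="sasl", mechanism=mech.decode())
    return info


def classify_bind(pdu: bytes, tls_in_use: bool) -> str:
    """Map a BindRequest to the categories the text distinguishes."""
    info = inspect_bind(pdu)
    if info.get("op") != "bind":
        return "not-a-bind"
    if info["auth"] == "sasl":
        return "sasl:" + info["mechanism"]
    if info["auth"] != "simple":
        return "unknown-auth"
    if info["dn"] == "" and info["password"] == "":
        return "anonymous"           # no authentication at all
    if info["password"] == "":
        return "unauthenticated"     # DN without password (RFC 4513 section 5.1.2)
    return "simple-over-tls" if tls_in_use else "simple-cleartext"
```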


Directory versus database

A directory is often described as a database, but it is a specialized database that has characteristics that set it apart from, for example, general-purpose relational databases. One special characteristic of directories is that in general they are accessed (read or searched) much more often than they are updated (written). Hundreds of people might look up an individual’s phone number, or thousands of print clients might look up the characteristics of a particular printer. But the phone number or printer characteristics rarely change.

Directories must be able to support high volumes of read requests, so they are typically optimized for read access. Write access might be limited to system administrators or to the owner of each piece of information. A general-purpose database, on the other hand, needs to support applications such as airline reservations and banking with high update volumes.

The directory as infrastructure

A directory that is accessible by all applications is a vital part of the infrastructure supporting a distributed system. A directory service provides a single logical view of the users, resources, and other objects that make up a distributed system. This allows users and applications to access network resources transparently. That is, the system is perceived as an integrated whole, not a collection of independent parts. Objects can be accessed by name or function without knowing low-level identifiers such as host addresses, file server names, and e-mail addresses.

LDAP is the protocol to be used to access this common directory infrastructure. Like HTTP (hypertext transfer protocol) and FTP (file transfer protocol), LDAP is becoming an indispensable part of the Internet’s protocol suite.

When applications access a standard common directory that is designed in a proper way, rather than using application-specific directories, redundant and costly administration can be eliminated, and security risks are more controllable. The calendar, mail, and operator notification applications can all access the same directory to retrieve an email address. New uses for directory information will be realized, and a synergy will develop as more applications take advantage of the common directory.


The LDAP directory standard

LDAP defines the communication protocol between the directory client and server, but does not define a programming interface for the client. A standardized protocol and the availability of a common API on different platforms are the major reasons for the wide acceptance of LDAP.

LDAP has evolved to meet the need of providing access to a common directory infrastructure. LDAP is an open industry standard that is supported by many system vendors on a variety of platforms. It is being incorporated into software products and is quickly becoming the directory access protocol of choice. LDAP allows products from different vendors on different platforms to interoperate and provide a global directory infrastructure, much like HTTP enabled the deployment of the World Wide Web.

A common directory infrastructure encourages new uses. The Directory Enabled Networks (DEN) Initiative is a proposal to allow information about network configuration, protocol information, router characteristics, and so on to be stored in an LDAP directory. The availability of this information in a common format from many equipment vendors will allow the intelligent management and provisioning of network resources. These examples show the diverse uses of directory-enabled applications supported by a common directory infrastructure accessed with LDAP.


LDAP directory products

Novell, eDirectory
Sun, Sun ONE Directory Server
Netscape, Netscape Directory Server
Oracle, Oracle Internet Directory
Microsoft, Active Directory
IBM, Directory Server
OpenLDAP, OpenLDAP
Apple, Open Directory


Value for the enterprise: short-term, long-term benefits, and ROI

Short-term benefits

The short-term benefits of directory deployments are related primarily to administrative overhead and information quality. The fact that most enterprises have multiple directories is no surprise, but many companies haven’t really examined how much it costs to maintain those directories or the overall impact of inaccurate information. The need to manage multiple directories, most of which contain the same user and resource information, creates significant costs related to the duplication of effort and the inaccuracy of directory information. Simply put, companies want a single, authoritative source of accurate information. While they can’t reduce the number of directories they have to just one, IT managers can reduce the duplication of effort and increase the accuracy of directory information through integration and unification efforts, which in turn save money.

Each directory a company has to maintain comes with its own setup, administration, training, support, and maintenance operations. IT departments must hire and train people to run those directories, and end users must access them. In other words, each directory has its associated costs, and reducing the number of directories that an organization has to manage can reduce costs.

A few simple calculations illustrate these savings. A company with annual administration costs of $360,000, if it is supporting seven directories and 35,000 individual record changes occurring annually, and if it takes an average of 15 minutes to change a directory record, can reduce the cost of directory changes to $52,000 by consolidating its directories.

In comparison with most enterprise environments, this example is relatively simple. It’s safe to say that all large enterprises have more than five directories. If we consider between 15 and 30 directories, which isn’t out of line with the reality most companies face, we get dramatically higher savings. Therefore, our example clearly illustrates that even in a simple environment, the cost savings that a directory integration project yields are significant. Enterprise customers can use similar techniques to calculate the costs of maintaining the status quo and to estimate the cost savings that they can realize from implementing an integrated enterprise directory in their own environment. By comparing those two numbers and illustrating the return on the directory investment, a directory proposal can usually gain widespread support within an organization due to the significant cost savings even a conservative estimate promises.


Long-term benefits

Using an enterprise directory integration project to reduce administration costs allows an organization to lay the foundation for long-term benefits that are harder to quantify, but are of equal importance. As already said, directories become as important as fundamental protocols like TCP/IP. They provide the foundation for a new generation of applications that support e-commerce, extranet communications, intranet collaboration, and other functions that transform business processes. Directories also become the coordinating element in managing distributed systems based on policies, which managers will apply and administer via the directory. Specifically, directories will enable managers to create clear relationships between basic user administration and policies for security, network, and systems management, as well as business processes, allowing them to manage the whole network environment.

Clearly, directories are evolving and cannot fully deliver on all of these promises in an enterprise-wide fashion today. Directory products, standards, and tools must mature to meet these goals. Developers must leverage directories more effectively in their applications, and customers must make progress in their directory deployments. But organizations can currently realize some of these benefits. The longer an organization waits to start building its directory infrastructure, the longer it will take to realize these benefits as they emerge over the next three to five years.

Security Management

Directories allow security managers to associate credentials from different authentication mechanisms with each user’s unique directory ID. Directories can associate both X.509 digital certificates and Kerberos passwords with a specific user, giving managers a single place to manage and integrate credentials and security policy. In addition, directories are the ideal foundation for single sign-on services. Likewise, Virtual Private Networks (VPNs), firewalls, and other security services can use the directory to authenticate users, store and apply access controls, and expose their services to other applications. As organizations centralize important security functions in the directory, they can save money and effort by minimizing administration overhead and decreasing risk.


Network Management

As the DEN initiative clearly demonstrates, directories will be the foundation for management tools that allocate bandwidth based on quality and class of service parameters (QoS/CoS). IT organizations will be able to provision and personalize network access using profiles and policies for groups and individual users. IT organizations can use these QoS/CoS services to meter services for charge-back to internal customers, and to cost-justify network hardware upgrades. As organizations leverage policy-based management, they can save money by minimizing the effort it takes to manage the network while using corporate resources more efficiently.

Systems Management

Increasingly, systems management tools will store policies for application and operating system configuration preferences in the directory. Directories will enable location independence, allowing users and applications to access resources, and get the appropriate class of service, wherever they are. These developments make it clear that it will be directories, not the network computer, that will rein in the costs of desktop systems management.


E-commerce and business process applications

Directory services will be the foundation for e-commerce and extranet applications that put business processes “in” the network. Directories will allow people to collaborate and share information, for example, both internally and externally. Applications will use the directories as the repository for roles and capabilities, allowing applications (and the people that use them) to find the resources they need. Directories will also allow applications to access naming, addressing, and routing information for the people and applications involved with any process. An enterprise directory will also enable trust relationships between partners, suppliers, and customers. Many enterprises will maintain extranet directories, hosting entries that describe their partners and customers through trading profiles and policies, including each partner’s digital certificates and other important attributes, such as capabilities, access rights, and appropriate contacts. Until global directory replication standards emerge, many directory managers will want to delegate the authority to manage these entries to their partners, ensuring a higher level of data integrity.

Many enterprises using extranets for business-to-business e-commerce will also have to issue certificates for their trading partners, especially in cases where a strong vertical electronic marketplace doesn’t exist. Thus, directories will support the centralized management of e-commerce applications and tight integration with corporate security, network, and systems management policies and systems. Without a solid directory foundation, commerce applications will not scale to the hundreds of thousands, if not millions, of users most enterprises want to serve.


Competitive Advantage

All of these long-term benefits translate to competitive advantage. Directories will make new applications easier to build, because they can leverage the directory and security infrastructure instead of duplicating it. Thus, organizations can re-engineer their business processes with less pain and overhead. Lower administration costs free resources and enable investments in other developments that can improve the company’s business process and bottom line. Finally, the coordination of security, network, and systems management through policy will improve security, save money, and strengthen a company’s competitive capabilities.


Directory ROI

Organizations must consider both the short-term and long-term benefits of a directory strategy to assess accurately the return on investment. Simply put, the long-term directory payback comes by combining the short-term benefits of reduced administration costs with the long-term strategic benefits of a directory infrastructure.

In the initial term of a directory integration project, costs will increase as an organization invests in the directory infrastructure, cleans up and integrates corporate data, and takes on the hard work of directory integration and unification. But over the long term, costs will decrease as the integration pays off. The organization will have to manage fewer directories, and an increasing number of applications will leverage the directory infrastructure. Without such an integration effort, costs will rise exponentially as an organization maintains an increasing number of directories and fails to effectively leverage the overall strategic advantage of an enterprise-wide directory infrastructure.


Directory service integration for ISP's and Hosting companies - a case study

A directory-integrated web hosting system aims to facilitate the every-day operations of hosting providers, ISPs, and their clients. It saves valuable management resources by automating the time-consuming aspects of web hosting, providing a simple and easy-to-use web interface that allows the client’s and provider’s technical staff to maintain the web hosting system from any computer with an Internet connection.

Hosting providers are using an enormous number of diverse web services and products provided by different vendors. If these services are not unified in one integrated solution, their management, control and monitoring turn into a hard and time-consuming task.

Bianor’s WireFlame Integrated Web Hosting System enables ISPs to finally get the features they need with enough performance to support tens of thousands of web sites, domains and users.

WireFlame is an integrated web hosting system with two major components: a Server System, that provides different network services, such as email, custom web sites, file transfer, etc., and an Administration Interface, which is a unique management application for the sales people, technical staff, and end-users, enabling them to centrally manage all their profiles and subordinates.

Key features and advantages of WireFlame Web Hosting

Robust system - built for growth above 100,000 mail accounts, tens of thousands of web sites, domains, and users
Highly available and reliable - runs on a cluster of load-balanced PC servers
Scalable - new machines can be easily added to the cluster
Flexible and open to new functionalities - allows easy integration of new modules and third-party products
Manageable - centralized directory for all services and products
No additional license costs - integrates the best open-source proven products like Apache, qmail, etc.
Based entirely on Linux - no additional license costs for middleware
Multi-lingual support - English, Japanese, and other
Remote management of accounts via secure web access
High level of network security and monitoring
Easy to support
Low TCO (Total Cost of Ownership)


For Hosting Providers

WireFlame provides the hosting provider's sales force with a selection of predefined service packages, which they can easily offer to their clients. Hosting packages allow flexible customization of all features and aspects of a hosting plan, making it swift to build a hosting offer that is perfectly suited to every individual client's needs. The package is a kind of wizard, which lowers creation and modification efforts by using predefined profiles while giving the means to add or remove services and change quotas through a simple point-and-click interface.


For Technical Staff

WireFlame's integrated directory-based policy management controls which system users have access to different resources. Access rights are grouped by role name, and access to resources is restricted to users who have been assigned a given role. For example, a user who is defined as a system administrator of a certain client's company can access only the company's properties and manage the company's internal user profiles, details, and quotas within the range of resources generally provided to the company by the hosting provider.


For End-users

WireFlame Web Hosting System provides end-users with custom managed profiles, web sites, email, file exchange, FTP, WebDAV, DNS, SMTP, POP3, IMAP, web mail, mailing lists, CGI's, access management and usage statistics, network security, backup, real-time monitoring, and a number of other integrated products and services - sized for thousands of companies and hundreds of thousands of users, centrally managed through a web interface for every single user.


WireFlame Server System provides the following basic functionalities and services to the Internet users, integrated through a central directory:

Web server - user password-protected directories, SSL, Apache mod plug-ins
DNS
Sub domains
File transfers - FTP, WebDAV, Web-based file exchange
Multimedia capabilities
Application environments - Java, XML, ASP, Perl, Python, PHP, C/C++, Standard CGI packages
Email - SMTP, POP3, IMAP, WebMail
Mail listings
Anti-virus and spam control
Database - MySQL, PostgreSQL, Oracle 9i, IBM DB2, and other
E-shops and catalogs
Interface to payment providers

Administration Interface

WireFlame is an open architecture system to which different software packages can be integrated according to the hosting provider’s and customer’s needs. Herein, we present the basic functionality and packages of the system.


Conclusion

IT managers can demonstrate the value of, and the return on, an enterprise directory project by quantifying the short-term benefits in terms of dollars, and defining the long-term benefits in terms of strategic initiatives. With a well-executed implementation plan, enterprise customers can expect a return of approximately five times their ongoing investment, depending on the size of the network, the number of users in the directory, and the number of directories being integrated with the enterprise directory. Organizations can realize that return in cost savings in the millions of dollars, primarily in the areas of administration and support. But those savings will come only through the hard work, careful planning, and commitments that directory projects require.


Contacts

For more information please contact:

BIANOR
5 Stratsin Str.
1407 Sofia
Bulgaria

Email: info@bianor.com
Web: www.bianor.com