IAM305 Developing to Novell eDirectory
Several recent changes in Novell eDirectory have been targeted at the Novell Compliance Management Platform. This session will discuss changes, such as improved logging and monitoring, that better support development efforts. The session will go into detail on the directory schema and what is in the directory. You will also learn how to access eDirectory using standard LDAP tools, pull reports to monitor the directory for security, and make mass updates to the directory using LDAP tools. By participating in this session you will be able to greatly increase your productivity.

    Presentation Transcript

    • Novell eDirectory™ Event System and Developing to Novell eDirectory
      Nachiappan Palaniappan, Software Consultant, npalaniappan@novell.com
      Jim Schnitter, Senior Support Engineer, jschnitter@novell.com
    • Agenda
      • Novell eDirectory Event System
      • LDAP Auditing
      • Event Filtering
      • Demonstration
        – LDAP Auditing
        – Event Filtering
      • Developing to Novell eDirectory using Perl
      © Novell, Inc. All rights reserved.
    • Novell eDirectory – Event System
    • Novell eDirectory events
      • Enables applications to monitor Novell eDirectory activity
      • Helps in reporting operation-specific data
      • Currently supports 270 events
      • Event Classification
        – Entry Events
        – Value Events
        – General DS Events
        – Security Equivalence Events
        – LDAP Events etc.
    • Novell eDirectory events
      • Types of event handlers
        – Journal
        – Inline
        – Work
      • Ways through which you can access the event system
        – LDAP > LDAP Extension, Psearch Control
        – iMonitor
        – Novell eDirectory Instrumentation
        – SNMP
    • Design (diagram): an LDAP App registers with the LDAP Server (1) and a Sentinel App subscribes to the DS Event System (2); when an eDirectory Client performs a user add (3), DS raises the event and the DS Event System notifies the Sentinel App (4) and, through the LDAP Server, the LDAP App (5).
    • Event Monitoring – Novell Sentinel
      • iManager as the configuration interface
        – Novell Audit Plugin needs to be installed and configured
      • Novell eDirectory instrumentation acts as the interface to Novell eDirectory
        – Bundled with Novell eDirectory
        – Needs to be installed and configured manually
      • Novell Audit Platform Agent interacts with Novell Sentinel
        – Bundled with Novell eDirectory
        – Needs to be installed manually
    • iManager Configuration (screenshot)
    • Event Monitoring – LDAP Extension
      • The Novell LDAP events extension allows an LDAP client to be notified of the occurrence of various events on a Novell eDirectory server
        – Utilizes the LDAP v3 extended operation extension mechanism
        – Novell specific
      • Each event is identified by a unique integer
    • Event Monitoring – LDAP Extension
      • Available as part of the SDK "LDAP Libraries for C"
      • An application registers to monitor one or more events by calling the ldap_monitor_event API
        – int ldap_monitor_event( LDAP *ld, NDSEventSpecifier[] events, int *msgId)
          > events[] contains an array of structures describing the events the application wishes to monitor
        – Behaves similarly to the NetWare API NWDSRegisterForEvent
    • Event Monitoring – LDAP Extension
      • The following example monitors the CREATE_ENTRY and DELETE_ENTRY events through the LDAP extension
      • Event Specifiers
        #include <ldapx.h>
        #include <ldap_events.h>
        ...
        EVT_EntryInfo *entryInfo;
        EVT_EventSpecifier events[] = {
            { EVT_CREATE_ENTRY, EVT_STATUS_ALL },
            { EVT_DELETE_ENTRY, EVT_STATUS_ALL }
        };
        /* number of entries in events[], passed to ldap_monitor_events below */
        int eventCount = sizeof(events) / sizeof(events[0]);
    • Event Monitoring – LDAP Extension
      • ldap_monitor_events – LDAP Extension API
        if ( (rc = ldap_monitor_events( ld, eventCount, events, &msgID )) != LDAP_SUCCESS ) {
            printf("ldap_monitor_event: %s\n", ldap_err2string( rc ));
            ldap_unbind_s( ld );
            return ( rc );
        }
    • Event Monitoring – LDAP Extension
      • Get LDAP result
        timeOut.tv_sec = 5L;
        timeOut.tv_usec = 0L;
        startTime = time(NULL);    /* record the start time */
        printf("Monitoring events for %d minutes.\n", EXECUTE_TIME / 60);
        finished = 0;
        while ( 0 == finished ) {
            result = NULL;
            /* poll for one message at a time, waiting at most timeOut */
            rc = ldap_result( ld, msgID, LDAP_MSG_ONE, &timeOut, &result );
            .....
        }
    • Event Monitoring – LDAP Extension
      • Error Cases
            switch ( rc ) {
            case -1:    /* some error occurred */
                ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &errorCode);
                printf("Error in ldap_result: %s\n", ldap_err2string( errorCode ));
                finished = 1;    /* terminate polling loop */
                break;
            case 0:     /* Timed out, no result yet. */
                break;
    • Event Monitoring – LDAP Extension
      • Look for extended results
            case LDAP_RES_EXTENDED:    /* Monitor Events failure */
                parse_rc = ldap_parse_monitor_events_response(ld, result, &resultCode, &errorMsg,
                                                              &badEventCount, &badEvents, 0);
                if (parse_rc != LDAP_SUCCESS)
                    printf("Error: ldap_parse_monitor_events_response: %d\n", parse_rc);
                else {
                    switch (resultCode) {
                    case LDAP_OPERATIONS_ERROR:
                        printf("Server operations error.\n");
                        break;
                    case LDAP_ADMINLIMIT_EXCEEDED:
                        printf("Maximum number of active event monitors exceeded.\n");
                        break;
    • Event Monitoring – LDAP Extension
      • Watch out for errors
                    case LDAP_PROTOCOL_ERROR:
                        printf("Protocol error.\n");
                        break;
                    case LDAP_UNWILLING_TO_PERFORM:
                        printf("Extension is currently disabled\n");
                        break;
                    default:
                        printf("Unexpected result: %d, %s\n", resultCode, errorMsg);
                    }
                    /* the server lists the event IDs it refused to register */
                    if (NULL != badEvents) {
                        for (i = 0; i < badEventCount; i++) {
                            printf("Bad Event ID: %d\n", badEvents[i].eventType);
                        }
                    }
                }
                finished = 1;
                break;
    • Event Monitoring – LDAP Extension
      • Get the intermediate result
            case LDAP_RES_INTERMEDIATE:    /* An event notification */
                parse_rc = ldap_parse_ds_event(ld, result, &eventType, &eventResult,
                                               &eventData, 0);    /* don't free result */
                if ( parse_rc != LDAP_SUCCESS )
                    printf("Error in ldap_parse_ds_event: %s\n", ldap_err2string( parse_rc ));
    • Event Monitoring – LDAP Extension
      • Check the return value of the intermediate result
                else {
                    if (EVT_CREATE_ENTRY == eventType) {
                        entryInfo = (EVT_EntryInfo *)eventData;
                        printf("Added new entry: %s\n", entryInfo->entryDN);
                    } else if (EVT_DELETE_ENTRY == eventType) {
                        entryInfo = (EVT_EntryInfo *)eventData;
                        printf("Deleted entry: %s\n", entryInfo->entryDN);
                    } else
                        printf("Unexpected event notification: %d\n", eventType);
                    ldap_event_free(eventData);    /* event data is allocated by the parser */
                }
                break;
    • Novell eDirectory – LDAP Auditing
    • Business Need
      • To support the use case of instrumenting the LDAP traffic (for operations like LDAP bind, LDAP add etc.) and auditing it
      • To provide the details and statistics of the LDAP operations happening on the Novell eDirectory server
    • Overview
      • Introduced LDAP events in the Novell eDirectory 8.8 SP3 release
      • Integration of LDAP events with Sentinel in 8.8 SP3
      • All LDAP operations can be monitored
      • Widely used by LDAP applications
    • Internals
      • LDAP Event Reporting System
        – LDAP server produces event data
      • Can be exercised through the SDK "LDAP Libraries for C"
      • API
        – ldap_monitor_event is used for monitoring the events with the LDAP event IDs
          > EVT_LDAP_ADD
          > EVT_LDAP_EXTOP etc.
    • LDAP Data
      • Information reported as part of the LDAP events
        – Client's connection information
        – Protocol data
        – LDAP message ID
        – LDAP result code
        – LDAP operation data like ldap search parameters
        – LDAP control ID
        – LDAP authentication data
    • Design (diagram): an LDAP App registers with the LDAP Server (1) and a Sentinel App subscribes to the DS Event System (2); when an LDAP Client sends an LDAP add (3), the LDAP Event Producer in the LDAP Server notifies the DS Event System (4), which notifies the Sentinel App (5) and the LDAP App (6).
    • Novell eDirectory – Event Filtering
    • Business Need
      • Novell eDirectory internally generates its own events
      • To help the applications by providing the option to filter out the unwanted events
      • To monitor specific changes happening in the server (e.g. password modifications)
      • To bring down the client workload of filtering event data on its own
    • Overview
      • Will be available as part of Novell eDirectory 8.8 SP6
      • Will be available on all applicable platforms
      • Internal interface to Novell eDirectory – Novell eDirectory Instrumentation
      • Configuration interface – iManager
      • Reduces the load on monitoring applications and thereby improves performance
    • Event Filtering
      • Limited filtering provided
      • Filtering options
        – Attribute based filtering
        – Object Class based filtering
      • Applicable to selected events
        – Commonly used value and entry events
    • Demonstration: Novell eDirectory LDAP Auditing
    • Demonstration: Novell eDirectory Event Filtering
    • Developing to Novell eDirectory
    • Why should a developer use Perl?
      • Well suited to small, discrete tasks
        – Provisioning in Domain Services for Windows
      • Provides a framework for user extensions
        – Privileged User Management
      • Customers can find AND fix their own problems
    • How do you get LDAP to work with Perl?
      • Use system calls, LDAP commands and LDIF files
        – Good for tasks that are constantly repeated and need little input
        – Example: populate missing uids
      • Use the CPAN LDAP module
        – Object oriented interface
        – Good for more complex data manipulation
        – Example: LDAP2CSV
    • Flow (diagram): "$ ldapsearch -h host" produces entries such as "dn: cn=jim,o=novell"; a Perl program turns each into "dn: cn=jim,o=novell / changetype: modify / add: uid / uid: jim"; "$ ldapmodify -h host -f ldif" applies the result.
    • Populate Missing Uids
        ldapsearch -b o=novell '(&(objectclass=user)(!(uid=*)))'
      • LDIF file created from this search
        # jeffsmith, novell
        dn: cn=jeffsmith,o=novell
        sn: smith
        objectClass: inetOrgPerson
        cn: jeffsmith

        # jsmith, people, novell
        dn: cn=jsmith,ou=people,o=novell
        sn: smith
        objectClass: inetOrgPerson
        cn: jsmith
    • Populate Missing Uids
      • Format of an LDIF file to add uids
        dn: cn=jeffsmith,o=novell
        changetype: modify
        add: uid
        uid: jeffsmith

        dn: cn=jsmith,ou=people,o=novell
        changetype: modify
        add: uid
        uid: jsmith
    • Populate Missing Uids
      • Get input file and open output file
        #!/usr/bin/perl
        if (@ARGV == 1) {
            $in = $ARGV[0];
        } else {
            die "\nUsage: uid.pl <input ldif>\n\n";
        }
        open (IN, $in) or die "\nCan't open $in\n\n";
        open (OUT, ">uid.ldif") or die "\nCan't create uid.ldif\n\n";
    • Populate Missing Uids
      • Build the LDIF file
        while ($line = <IN>) {
            chomp $line;
            # every dn line of the search output becomes one modify record
            if ($line =~ m/dn: cn=(.*?),/) {
                print OUT "$line\n";
                print OUT "changetype: modify\n";
                print OUT "add: uid\n";
                print OUT "uid: $1\n\n";
            }
        }
        print "\nCreated uid.ldif to add uids\n\n";
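    An added example, not code from the presentation: the same uid.ldif generation done in memory with a small LDIF parser, which also handles the folded lines and base64 ("dn::" / "cn::") values that the m/dn: cn=(.*?),/ match above skips silently, and base64-encodes any uid that is not LDIF-safe. The input is a constructed sample, and MIME::Base64 is a core Perl module.

```perl
#!/usr/bin/perl
# Added example (not from the slides): in-memory "add uid" LDIF generation with
# support for folded lines and base64 values. Sample input below is constructed.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Parse LDIF text into entries { dn => $dn, attrs => { name => [values] } }.
sub parse_ldif {
    my ($text) = @_; my @entries;
    for my $record (split /\n\s*\n/, $text) {
        my @unfolded;
        for my $line (grep { !/^#/ } split /\n/, $record) {    # skip comments
            # a line starting with one space continues the previous line
            if ($line =~ /^ (.*)/ && @unfolded) { $unfolded[-1] .= $1; next }
            push @unfolded, $line;
        }
        my %entry = (dn => undef, attrs => {});
        for my $line (@unfolded) {
            next unless $line =~ /^([A-Za-z][\w;-]*)(::?) ?(.*)$/;
            my ($name, $sep, $val) = (lc $1, $2, $3);
            $val = decode_base64($val) if $sep eq '::';          # base64 value
            if ($name eq 'dn') { $entry{dn} = $val }
            else { push @{ $entry{attrs}{$name} }, $val }
        }
        push @entries, \%entry if defined $entry{dn};
    }
    return @entries;
}

# Emit "name: value", or "name:: base64" when the value is not LDIF-safe
# (non-ASCII, leading space/colon/'<', or trailing space).
sub ldif_line {
    my ($name, $val) = @_;
    return "$name: $val\n" if $val =~ /^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$/ && $val !~ / $/;
    return "$name:: " . encode_base64($val, '') . "\n";
}

# Build the changetype: modify LDIF for each entry that has a cn but no uid.
sub uid_ldif {
    my ($ldif_in) = @_; my $out = '';
    for my $e (parse_ldif($ldif_in)) {
        next if $e->{attrs}{uid};                      # already has a uid
        my ($cn) = @{ $e->{attrs}{cn} || [] } or next; # nothing to copy from
        $out .= ldif_line('dn', $e->{dn}) . "changetype: modify\nadd: uid\n" . ldif_line('uid', $cn) . "\n";
    }
    return $out;
}

# Constructed ldapsearch output: a plain entry, a folded DN, and a base64 DN/cn.
my $sample = "# jeffsmith, novell\ndn: cn=jeffsmith,o=novell\nsn: smith\ncn: jeffsmith\n\n"
           . "dn: cn=jsmith,ou=people,\n o=novell\nsn: smith\ncn: jsmith\n\n"
           . "dn:: Y249w7xsbGVyLG89bm92ZWxs\nsn: mueller\ncn:: bcO8bGxlcg==\n";
print uid_ldif($sample);
```

    The third record shows why the slide's regex is not enough for a mass update: its DN and cn arrive base64-encoded, so a plain match on "dn: cn=" would drop that user from uid.ldif without any error.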
    • Make the program bullet proof
      • Put the ldapsearch and ldapmodify commands inside the Perl program
      • The system() subroutine allows a Perl program to run any command that can be done in the shell
      • Variable substitution is still done
    • Flow (diagram): the Perl program itself runs "$ ldapsearch -h host", converts each "dn: cn=jim,o=novell" it gets back into "dn: cn=jim,o=novell / changetype: modify / add: uid / uid: jim", and then runs "$ ldapmodify -h host -f ldif".
    • Populate Missing Uids
      • Don't prompt for input file any more
        #!/usr/bin/perl
        $in = "/tmp/input.ldif";
        system ("ldapsearch -x -D cn=admin,o=novell -w novell -b o=novell -h host '(&(objectclass=user)(!(uid=*)))' > $in");
        open (IN, $in) or die "\nCan't open $in\n\n";
        open (OUT, ">uid.ldif") or die "\nCan't create uid.ldif\n\n";
    • Populate Missing Uids
      • Add the uids from the program
        close IN;
        close OUT;    # flush uid.ldif before ldapmodify reads it
        system ("ldapmodify -x -h host -D cn=admin,o=novell -w novell -f uid.ldif");
        print "\nUids have been added\n\n";
    • Make the program more secure
      • Don't use any more temporary files
      • Data manipulation can be done in memory
      • Perl modules allow programs to reuse code
        – Don't depend on utilities being installed
        – Modules are generally cross platform
    • Populate Missing Uids
        use Net::LDAP;
        # connection and bind are not shown on the slide; host and credentials as on the earlier slides
        $ldap = Net::LDAP->new("host") or die "\nCan't connect to host\n\n";
        $result = $ldap->bind("cn=admin,o=novell", password => "novell");
        if ($result->code) {
            die ("\nCan't bind (LDAP Error: ", $result->code, ")\n\n");
        }
        $base = "o=novell";
        $attrs = [ 'cn' ];
        $searchString = "(&(objectclass=user)(!(uid=*)))";
        $result = $ldap->search ( base => $base, filter => $searchString, scope => "sub", attrs => $attrs );
        if ($result->code) {
            die ("\nCan't search $base (LDAP Error: ", $result->code, ")\n\n");
        }
    • Populate Missing Uids
        @entries = $result->entries;
        foreach $entr ( @entries ) {
            $dn = $entr->dn;
            $cn = $entr->get_value("cn");
            print "\nModifying: $dn\n";
            # add the uid directly on the server; no LDIF or temporary file involved
            $result = $ldap->modify($dn, add => { uid => $cn } );
            if ($result->code) {
                die ("Error - Can't modify (LDAP Error: ", $result->code, ")\n\n");
            }
        }
    • Unpublished Work of Novell, Inc. All Rights Reserved.
      This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
      General Disclaimer
      This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.