Ldap2010

Published on: http://phorum.study-area.org/index.php/topic,62438.0.html

  • Be the first to comment

  • Be the first to like this

Ldap2010

LDAP 2010
- About me
- Scenario
- Solution
- Why LDAP?
- LDAP concepts
- Free LDAP solutions
- Non-free LDAP solutions
- Q & A

About me
- Member of Study Area
- IT engineer
- Not a geek!!!

Scenario
- Worldwide enterprise
- Staff in different locations
- Complex software environment
- Complex hardware environment
- Complex networking environment
- Complex organization structure
- One user account and password for everything

Worldwide branches

Organization chart

Daily jobs

Teamwork

IT infrastructure
- Structured cabling and network design
- Standard data center
- Security policy
- Authentication center
- Applications and communication platform

Solution

Why LDAP?
- Simple, easy to maintain
- Load balancing, fault tolerance
- Replication
- Switchable back-end database
- Optimized for read/query workloads (writes are comparatively expensive)
- Cross-platform
- Unicode ready
- Lower cost

LDAP concepts: tree

LDAP concepts: linked entries
- Call by value (the entry's own attributes)
- Call by reference (an alias or referral pointing at another entry or server)
- Easy to search

LDAP concepts: protocol
- RFC 2251 (LDAPv3 protocol)
- RFC 3377 (LDAPv3 technical specification roadmap)
- RFC 2253 (string representation of distinguished names)
- LDAPv3 is UTF-8 ready and adds security (SASL bind; StartTLS via RFC 2830)
- Note: these three RFCs were obsoleted in 2006 by the RFC 4510 series (RFC 4511 for the protocol, RFC 4514 for DNs); the concepts are unchanged
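The DN string form from RFC 2253 (now RFC 4514) is what every LDAP ACL, bind and search base is written in, and mishandling its escapes is how "cn=admin\,ou=x" ends up being read as two RDNs. The following parser is an added example in Python, not code from the deck or from OpenLDAP; the DNs it is fed are constructed test values.

```python
import re
from typing import List, Tuple

# One RDN is a list of (attributeType, value) pairs; "+" joins several pairs.
RDN = List[Tuple[str, str]]
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253 / RFC 4514 string DN into a list of RDNs, leaf first.

    Handles backslash escapes ("\\,"), hex-pair escapes ("\\2C", including
    multi-byte UTF-8 such as "\\C3\\A9"), "+" multi-valued RDNs, and the
    unescaped spaces people leave around separators. Attribute types are
    lower-cased for comparison; values keep their case.
    """
    if not dn.strip():
        return []                                   # empty DN = root DSE
    rdns: List[RDN] = []
    rdn: RDN = []
    typ, val, spaces = bytearray(), bytearray(), bytearray()
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        buf = val if in_value else typ              # which side of "=" we are on
        if c == " ":
            if buf:                                 # leading spaces are dropped,
                spaces.append(0x20)                 # inner/trailing ones deferred
            i += 1
            continue
        if c == "\\":
            buf += spaces
            spaces = bytearray()
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                buf.append(int(pair, 16))           # \XX -> one raw byte
                i += 3
            elif i + 1 < n:
                buf += dn[i + 1].encode("utf-8")    # \, \+ \" ... -> literal char
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if c == "=" and not in_value:
            in_value, spaces = True, bytearray()    # spaces before "=" are dropped
        elif c in ",;+" and in_value:
            rdn.append((typ.decode("utf-8").lower(), val.decode("utf-8")))
            typ, val, spaces, in_value = bytearray(), bytearray(), bytearray(), False
            if c != "+":                            # "," or ";" ends the RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf += spaces
            spaces = bytearray()
            buf += c.encode("utf-8")
        i += 1
    if not in_value:
        raise ValueError("RDN without '='")
    rdn.append((typ.decode("utf-8").lower(), val.decode("utf-8")))
    rdns.append(rdn)
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs structurally rather than as strings, so that
    "cn=Bob, dc=x" equals "CN=Bob,DC=x" (values compared case-insensitively,
    as caseIgnoreMatch does for the common string attribute types)."""
    def norm(dn: str):
        return [[(t, v.lower()) for t, v in rdn] for rdn in parse_dn(dn)]
    return norm(a) == norm(b)


if __name__ == "__main__":
    # Constructed examples, not taken from the deck
    print(parse_dn(r"uid=alice\, admin+ou=People, dc=exa\6Dple,dc=org"))
    print(dn_equal("cn=Bob, dc=x", "CN=Bob,DC=x"))
```

The point of `dn_equal` is that a string comparison of DNs (a common shortcut in home-grown authorization code) is wrong in both directions: it rejects equal DNs that differ in case or spacing, and it can be fooled by an escaped comma that the parser would have kept inside one value.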
LDAP concepts: database
- Schema
- Database
- Table
- Data
- Replication between DB servers

LDAP concepts: LDAP service
- Gateway, proxy
- OpenLDAP
- Microsoft Active Directory
- Other directory service providers

Free LDAP solutions
- http://www.openldap.org/
- PAM LDAP
- PHP LDAP
- Individual services with their own LDAP support

OpenLDAP
- Supports LDAPv3
- Bundled with many Linux distributions
- Supports several back-end databases
- Supports data replication
- Supports a master/slave (provider/consumer) structure

PAM LDAP

Service to LDAP

PAM or service to LDAP
- System-wide LDAP authentication (PAM: every login on the host goes through LDAP)
- Single-service LDAP authentication (the application binds to LDAP itself)

nscd
- Cache service for name-based lookups (passwd, group, hosts)
- Caches the LDAP lookups that accompany authentication, so a slow or unreachable directory does not stall every login

OpenLDAP management tools
- phpLDAPadmin
- LDAP Explorer Tool
- Webmin LDAP module
- OpenLDAP client commands (ldapsearch, ldapadd, ldapmodify)

Basic LDAP implementations
- LDAP address book
- Authentication center
- LDAP relay
- DNS and LDAP
- Switching the LDAP DB to MySQL or another back end
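An authentication center, whether reached through PAM or from a PHP login form, first searches for the user's entry and then binds as the DN it found. The search filter is built from user input, so the input must be escaped as RFC 4515 requires; otherwise `*` or `*)(uid=*` turns the lookup into "match everyone". The following is an added example in Python, not code from the deck or from any of the projects listed above: a tiny filter evaluator over a constructed in-memory directory, used to show the unescaped and escaped lookups side by side.

```python
import re
from typing import Any, Dict, List, Tuple

Entry = Dict[str, List[str]]          # attribute (lower-case) -> values

# Constructed in-memory directory standing in for the authentication centre
DIRECTORY: List[Entry] = [
    {"uid": ["alice"], "objectclass": ["inetOrgPerson"], "cn": ["Alice Liddell"]},
    {"uid": ["bob"],   "objectclass": ["inetOrgPerson"], "cn": ["Bob Builder"]},
    {"cn": ["printers"], "objectclass": ["organizationalUnit"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL inside an assertion
    value must be written as \\XX, otherwise user input becomes filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(raw: str) -> str:
    # Only the single-byte escapes produced above are decoded here.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_filter(text: str) -> Any:
    """Tiny RFC 4515 parser: &, |, ! and equality/substring/presence items.
    Node shapes: ('&', [..]), ('|', [..]), ('!', node), ('=', attr, rawvalue)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s: str, i: int) -> Tuple[Any, int]:
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _close(s, i)
    if i < len(s) and s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", kid), _close(s, i)
    end = s.find(")", i)          # a literal ')' cannot occur inside an escaped value
    if end < 0:
        raise ValueError("unterminated item")
    attr, eq, raw = s[i:end].partition("=")
    if not eq or not attr or attr[-1] in "~<>":
        raise ValueError("only equality/substring/presence items supported")
    return ("=", attr.lower(), raw), end + 1


def _close(s: str, i: int) -> int:
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1


def _value_matches(actual: str, raw: str) -> bool:
    if raw == "*":
        return True                                   # presence: (attr=*)
    parts = [_unescape(p).lower() for p in raw.split("*")]
    a = actual.lower()
    if len(parts) == 1:
        return a == parts[0]                          # plain equality
    if not (a.startswith(parts[0]) and a.endswith(parts[-1])):
        return False
    pos = len(parts[0])                               # substring: initial*any*final
    for mid in parts[1:-1]:
        idx = a.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(a) - len(parts[-1])


def matches(entry: Entry, node: Any) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1])
    _, attr, raw = node
    return any(_value_matches(v, raw) for v in entry.get(attr, []))


def find_users(login: str, escape: bool = True) -> List[str]:
    """The lookup an authentication centre does before binding as the user.
    escape=False reproduces the classic LDAP-injection bug."""
    value = escape_filter_value(login) if escape else login
    node = parse_filter("(&(objectClass=inetOrgPerson)(uid=%s))" % value)
    return [e["uid"][0] for e in DIRECTORY if matches(e, node)]
```

With `escape=False`, a login of `*)(uid=*` yields the filter `(&(objectClass=inetOrgPerson)(uid=*)(uid=*))`, which is syntactically valid and matches every person; with escaping it becomes a literal value that matches nobody. A real deployment would also refuse to bind when the search returns more than one entry, since "first hit wins" is exactly what the injected filter exploits.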
Non-free LDAP solutions
- Microsoft Active Directory
- Microsoft Exchange
- Any other still alive?

MS AD tree

DNS and AD

MS AD functions

Five FSMO roles in AD
- Flexible Single Master Operations (FSMO)
- PDC emulator
- RID master
- Infrastructure master
- Schema master
- Domain naming master
- (Schema master and domain naming master exist once per forest; the other three once per domain)

Domain controller
- AD database
- CA server
- Time server
- AD DNS
- LDAP server
- GC server
- Delivers GPOs
- Other roles

AD database
- AD database partitions (domain, configuration, schema, application)
- Data sync (replication)
- Easy backup

CA server
1. Client retrieves the certificate policy from Active Directory
2. Client submits a certificate request to the certificate server based on that policy
3. Certificate server retrieves user information from Active Directory
4. Certificate server returns the signed digital certificate to the client
- Can run on a domain controller (a dedicated CA host keeps the CA signing key off the DC, so a DC compromise does not also hand over the CA)

Time server
- Keeps time in sync across the AD domain
- Syncs with an external NTP server
- Runs on the PDC emulator (the PDC emulator of the forest root domain is the authoritative source)

AD DNS
- How do clients find a DC?
- Query AD DNS (SRV records under _msdcs.<domain>)
- Broadcast (legacy NetBIOS fallback)
- Runs on domain controllers
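Domain members locate a DC by asking DNS for SRV records and then picking a target by the RFC 2782 priority/weight rules; the `_msdcs` names below are the real DC Locator names, while the host names and the SRV answer set are constructed for the demonstration. This is an added example in Python, not code from the deck or from Windows, and it shows only the name construction and the selection step, not the DNS query itself.

```python
import random
from typing import Callable, List, NamedTuple, Optional


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """DNS SRV names a domain member asks for to find a DC (DC Locator).

    The site-specific names come first so the client prefers a DC in its own
    AD site; the domain-wide names are the fallback.
    """
    names: List[str] = []
    for svc in ("_ldap._tcp", "_kerberos._tcp"):
        if site:
            names.append("%s.%s._sites.dc._msdcs.%s" % (svc, site, domain))
        names.append("%s.dc._msdcs.%s" % (svc, domain))
    return names


def order_srv(records: List[SRV],
              rand: Callable[[int, int], int] = random.randint) -> List[SRV]:
    """Order SRV records per RFC 2782: lowest priority first, then weighted
    random selection without replacement inside each priority level.
    `rand(a, b)` returns an int in [a, b]; injectable for deterministic tests."""
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)   # weight-0 records first, per RFC
            total = sum(r.weight for r in pool)
            pick = rand(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:                  # first record whose running sum reaches the pick
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


# Constructed SRV answer set for _ldap._tcp.dc._msdcs.corp.example (hosts are not real)
ANSWERS = [
    SRV(0, 100, 389, "dc1.corp.example"),
    SRV(0, 100, 389, "dc2.corp.example"),
    SRV(10, 0, 389, "dc3-dr.corp.example"),   # disaster-recovery DC: only if the others fail
]

if __name__ == "__main__":
    print(dc_locator_names("corp.example", site="Taipei"))
    print([r.target for r in order_srv(ANSWERS)])
```

Because discovery is driven entirely by DNS, whoever controls the DNS answer steers the client to a host of their choosing; on a domain-joined client it is Kerberos mutual authentication, not the DNS lookup, that stops that host from passing itself off as a DC. Protecting AD DNS (secure dynamic updates, restricted zone transfers) is therefore part of protecting logon.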
LDAP service
- Resource sharing
- Load balancing
- Queries the AD database
- Responds over the LDAP protocol
- Runs on domain controllers

GC server
- AD query proxy (the global catalog holds a partial replica of every object in the forest, so forest-wide searches need not be referred to each domain)
- Runs on domain controllers

Query speed
- Global catalog server
- Local cache
- RODC

GPO
- GPO templates
- Extendable
- Executed on the client
- Common client settings

Single sign-on
- Domain controller
- Computer account
- User account
- Service account
- OU, container

Kerberos 5
- Time sync in the AD domain
- Client to DC
- DC to DC
- Member server to DC
- Clock skew must stay within 5 minutes (the Kerberos default; tickets and authenticators outside that window are rejected)

Boot process
- Client boots into Windows
- Client gets an IP address
- Client queries DNS for a DC's IP address
- Client logs on with its computer account
- Client downloads and applies GPO rules
- Client starts its startup services
- User interactive login

AD authentication (challenge/response model)
- Client enters password (pw-a)
- pw-a hashed together with a random number (the challenge) = pw-b
- User or computer password hash stored in the AD DB (pw-c)
- pw-c hashed together with the same random number = pw-d
- pw-b == pw-d: login successful
- pw-b != pw-d: login fails
- This is the NTLM-style exchange; Kerberos (ticket-based, previous slide) is the default for domain logon and NTLM remains as the fallback
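The exchange on the slide above, written out as an added example in Python (not code from the deck or from Windows). The account, password and challenge sizes are constructed; the hash function is SHA-256 instead of the MD4-based NT hash so the example runs on every Python build, which does not change the property being shown: whoever holds the stored hash can produce a valid pw-b without knowing the password (pass-the-hash), while a captured pw-b cannot be replayed against a fresh challenge.

```python
import hashlib
import hmac
import os
from typing import Dict


def password_hash(password: str) -> bytes:
    """pw-c: what the DC stores. Real AD keeps the NT hash (MD4 over the
    UTF-16LE password); SHA-256 stands in here. Either way it is an unsalted
    function of the password alone, which is what makes it reusable."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def response_from_hash(pw_hash: bytes, challenge: bytes) -> bytes:
    """'Hash with the random number': a keyed hash of the challenge under the
    password hash. The client derives pw-b from its own hash, the DC derives
    pw-d from the stored one, with this same function."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """Holds pw-c per account and checks pw-b == pw-d."""

    def __init__(self, accounts: Dict[str, bytes]) -> None:
        self.accounts = accounts
        self._dummy = os.urandom(32)        # used for unknown users, see verify()

    def challenge(self) -> bytes:
        return os.urandom(8)                # fresh random number per logon attempt

    def verify(self, user: str, challenge: bytes, pw_b: bytes) -> bool:
        # Unknown users get the same work done against a dummy hash so timing
        # does not reveal whether the account exists; compare_digest keeps the
        # comparison itself constant-time.
        pw_c = self.accounts.get(user, self._dummy)
        pw_d = response_from_hash(pw_c, challenge)
        return hmac.compare_digest(pw_b, pw_d) and user in self.accounts


def client_logon(dc: DomainController, user: str, password: str) -> bool:
    """Full exchange: the DC issues a challenge, the client answers with pw-b."""
    challenge = dc.challenge()
    pw_b = response_from_hash(password_hash(password), challenge)   # pw-a -> pw-b
    return dc.verify(user, challenge, pw_b)


# Constructed account (not a real credential)
DC = DomainController({"alice": password_hash("correct horse battery")})

if __name__ == "__main__":
    print(client_logon(DC, "alice", "correct horse battery"))   # good password
    print(client_logon(DC, "alice", "wrong"))                   # pw-b != pw-d
    stolen_hash = password_hash("correct horse battery")        # e.g. dumped from a DC or a workstation
    c = DC.challenge()
    print(DC.verify("alice", c, response_from_hash(stolen_hash, c)))   # pass-the-hash succeeds
```

The last line is why the stored hash must be treated as the password itself: nothing in this exchange ever requires pw-a, only pw-c. Kerberos has the same property for the user's long-term key, so the defence is the same in both cases: keep credential material off machines an attacker can reach (no domain-admin logons on workstations, RODCs at branch offices that cache only selected accounts).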
AD domain design
- Single domain
- Sub-domain
- Site
- Exchange service

Site
- Single domain
- Site links
- Data replication

Site and Exchange

Sub-domain

Site or sub-domain?
- Depends on policy
- OU delegation
- Better with a single domain and sites

Exchange service
- AD schema extension
- Communication center in AD
- Internet Information Services (IIS) required

RODC
- Local cache service
- Easy management
- One-way replication (writable DC to RODC only; the RODC caches only the account credentials its password replication policy allows, so a stolen branch-office RODC exposes those accounts alone)

Q & A
