Directory Service
A directory service is similar to a dictionary: it manages names and the information associated with these names. It is a software system that stores, organizes and provides access to information in a directory. The core standard for directory services is X.500, released in the 1980s by the ITU and ISO. Today, many people speak of LDAP servers or LDAP clients; this refers to directory servers and clients implementing the Lightweight Directory Access Protocol.
Directory Service
Referrals are links within and among directory servers. Example referral entry on Directory Server 1 that points to Directory Server 2:
dn: ou=grpa,dc=example,dc=com
objectclass: referral
objectclass: extensibleobject
ou: gruppea
ref: ldap://ldap-grpa.example.com/ou=grpa,dc=example,dc=com
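The referral entry above is ordinary directory data, so a client or an operator can find referrals by looking for objectclass referral and reading the ref attribute. The following is an added example, not code from the original slides: a minimal LDIF reader that extracts referral entries and flags those whose target URL is plain ldap:// rather than ldaps://, since a client chasing such a referral reaches the other server without TLS unless it negotiates StartTLS itself. The ou=grpa entry is the one shown on the slide; the ou=people entry is constructed.

```python
# Added example (not from the original slides): parse LDIF text and pull out
# referral entries so an operator can review where clients are sent.
# The ou=grpa entry is the one shown on the slide; the second entry is constructed.

SAMPLE_LDIF = """\
dn: ou=grpa,dc=example,dc=com
objectclass: referral
objectclass: extensibleobject
ou: gruppea
ref: ldap://ldap-grpa.example.com/ou=grpa,dc=example,dc=com

dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: people
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attribute: [values]} dicts.

    Handles blank-line separated entries, '#' comments and folded lines
    (continuation lines start with a single space). Base64 values ('::')
    are not decoded. Attribute names are lower-cased because LDAP
    attribute types are case-insensitive.
    """
    unfolded = text.replace("\n ", "")  # RFC 2849 line folding
    entries, current = [], {}
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_referrals(entries):
    """Map the DN of every referral entry to its list of ref URLs."""
    referrals = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "referral" in classes:
            referrals[entry["dn"][0]] = entry.get("ref", [])
    return referrals


def cleartext_referrals(referrals):
    """DNs whose referral URL is plain ldap:// rather than ldaps://.

    A client chasing such a referral talks to the other server without the
    protection TLS would add unless it negotiates StartTLS itself.
    """
    return sorted(dn for dn, urls in referrals.items()
                  if any(u.lower().startswith("ldap://") for u in urls))


if __name__ == "__main__":
    refs = find_referrals(parse_ldif(SAMPLE_LDIF))
    for dn, urls in refs.items():
        print(dn, "->", ", ".join(urls))
    print("cleartext referrals:", cleartext_referrals(refs))
```

Running the script on the sample lists the ou=grpa referral and reports it as a cleartext referral; an ldaps:// target would not be reported.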
Directory Service
[Figure: example directory information trees rooted at dc=com > dc=example > ou=emea, with the organizational units ou=networks, ou=protocols, ou=hosts, ou=services, ou=people, ou=groups and the department units ou=depa, ou=depb; one variant nests the same set of units under ou=depb.]
Directory Service
- Optimized for massively parallel read access
- Can be extended by custom schemata to store more than accounts, policies and name service information
- Supported by all major operating systems, for example IBM AIX, Linux, BSD, IBM z/OS, Microsoft Windows
- Supported by a wide range of application software, for example IBM WebSphere, IBM DB2, Pluggable Authentication Module System
- Problem: since LDAP is a plaintext protocol, additional encryption is needed, by TLS for example
Kerberos Service
Kerberos is a distributed service for authentication, not an account management system like a directory service. Servers, users and services are authenticated by tickets instead of passwords. It is a ring of trust among them and the Kerberos server. Kerberos was developed by Steve Miller and Clifford Neuman in 1978. RFC 4120 and RFC 1510 are the standard documents. The current version is Kerberos 5.
Kerberos Service
[Figure: Kerberos ticket flow. (1) The user authenticates to the AS with a password and receives a Ticket Granting Ticket (TGT). (2) The user presents the TGT to the TGS and receives a Service Ticket. (3) The user accesses the service with the Service Ticket. AS and TGS together form the Kerberos service.]
Kerberos Service
[Figure: the users user@service and admin@service each hold a TGT from the Kerberos service and obtain the service tickets STA and STB for ServiceA and ServiceB.]
Kerberos Service
- Common, stable and reliable protocol
- Data transport is encrypted by design
- All major operating systems provide support, for example IBM AIX, Linux, BSD, Windows
- Many applications support Kerberos by default, for example OpenSSH, telnet, rlogin, rsh, IBM WebSphere, IBM DB2, Mozilla Firefox Browser, Microsoft Internet Explorer
- Problem: many custom application developers do not know or understand Kerberos and therefore do not provide support for this protocol
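To make the three-step flow from the figure concrete (AS exchange, TGS exchange, access with a service ticket) and to show why the transport is "encrypted by design", here is an added toy simulation; it is not code from the original slides and not an implementation of RFC 4120. The realm EXAMPLE.COM, the principals alice, krbtgt/EXAMPLE.COM and host/fileserver.example.com, and the password are constructed. seal()/unseal() stand in for Kerberos EncryptedData using a SHA-256 keystream plus HMAC; real Kerberos uses AES-based enctypes and also has pre-authentication, request nonces and replay caches, all omitted here. What the simulation does preserve is the trust structure: the service never sees a password, only a ticket it can open with its own key.

```python
# Added example (not from the original slides): toy three-step Kerberos exchange.
# Realm, principals and password are constructed. seal()/unseal() are a stand-in
# for Kerberos EncryptedData (SHA-256 keystream + HMAC), not a real enctype;
# pre-authentication, nonces and replay caches are omitted.
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"

def _keystream(key, nonce, length):
    """SHA-256 in counter mode; toy cipher for illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    nonce, plaintext = os.urandom(16), json.dumps(obj).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify then decrypt; a wrong key or a modified blob raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

def string_to_key(password, principal):
    """Long-term key derived from a password, salted with realm and principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 50_000)

def check_ticket(body, authenticator, skew=300):
    """Validation shared by the TGS and by services: ticket unexpired, authenticator
    opens under the ticket's session key, principal names match, timestamp fresh."""
    if time.time() > body["exp"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(body["skey"]), authenticator)
    if auth["client"] != body["client"]:
        raise ValueError("authenticator does not match ticket principal")
    if abs(time.time() - auth["ts"]) > skew:
        raise ValueError("authenticator outside allowed clock skew")
    return body["client"]

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self, keys, lifetime=3600):
        self.keys, self.lifetime = keys, lifetime  # principal -> long-term key

    def _issue(self, service, client):
        skey = os.urandom(32)
        body = {"client": client, "skey": skey.hex(), "exp": time.time() + self.lifetime}
        return seal(self.keys[service], body), skey

    def as_exchange(self, client):
        """Step (1): TGT sealed under the krbtgt key, session key under the user's key."""
        tgt, skey = self._issue("krbtgt/" + REALM, client)
        return tgt, seal(self.keys[client], {"skey": skey.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """Step (2): validate TGT + authenticator, issue a ticket for `service`."""
        body = unseal(self.keys["krbtgt/" + REALM], tgt)
        client = check_ticket(body, authenticator)
        ticket, skey = self._issue(service, client)
        return ticket, seal(bytes.fromhex(body["skey"]), {"skey": skey.hex()})

class Client:
    def __init__(self, principal, password):
        self.principal, self.key = principal, string_to_key(password, principal)

    def authenticator(self, skey):
        return seal(skey, {"client": self.principal, "ts": time.time()})

    def login(self, kdc):
        self.tgt, enc = kdc.as_exchange(self.principal)
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["skey"])  # wrong password fails here

    def service_ticket(self, kdc, service):
        ticket, enc = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_key), service)
        return ticket, bytes.fromhex(unseal(self.tgt_key, enc)["skey"])

class Service:
    def __init__(self, key):
        self.key = key  # the service holds only its own key (keytab), never user passwords

    def accept(self, ticket, authenticator):
        """Step (3): open the ticket with the service key and validate the authenticator."""
        return check_ticket(unseal(self.key, ticket), authenticator)

def run_exchange(password, service="host/fileserver.example.com"):
    """Full flow for the constructed user 'alice'; returns the authenticated principal."""
    keys = {"alice": string_to_key("correct horse battery staple", "alice"),
            "krbtgt/" + REALM: os.urandom(32), service: os.urandom(32)}
    kdc, client = KDC(keys), Client("alice", password)
    client.login(kdc)                                   # (1) AS exchange
    ticket, skey = client.service_ticket(kdc, service)  # (2) TGS exchange
    return Service(keys[service]).accept(ticket, client.authenticator(skey))  # (3) access

if __name__ == "__main__":
    print(run_exchange("correct horse battery staple"))
```

With the correct password the service returns "alice"; with a wrong password the client cannot open the AS reply and never obtains a usable TGT, and a ticket modified in transit fails the integrity check at whichever party tries to open it.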
Kerberos Service
[Figure: Kerberos service backends. Left: the principal database is stored in files. Right: the principal database is stored in a directory server (LDAP DB).]
Example Constraints
Compliance:
- logging of all logins
- mapping of functional user accounts to human user accounts
- company-wide lock for accounts on all systems/services (even system administrators)
High availability by data replication
Load balancing with multiple servers and strict data consistency
Single Sign-On for all major services
Critical functional user accounts (root/hscroot) only accessible via preauthentication as a human user
Establish shared filesystem security by direct user mapping
Replication
[Figure: replication layout. A company-wide Master DS replicates to an Access Master DS; each Master DS has Slave DS 1 and Slave DS 2; each site has a Master KDC and a Slave KDC. Clients read the user profile from the Directory Server and authenticate against the Kerberos Server. Replication is master-to-master between the masters and master-to-replica from each master to its slaves.]
Points to ponder
- UID and GID mapping across operating system boundaries
- Global versus local accounts
- Global versus local groups
- How to handle functional users, for example sapadm
- Establish proper audit logging on the systems themselves
- Extend custom software with Kerberos/LDAP support
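The first point above, and the "direct user mapping" constraint for shared filesystems, both come down to the same check: the same login must resolve to the same uidNumber and gidNumber on every system, and no uidNumber may resolve to two different logins. The following is an added example, not code from the original slides, that runs that check over account snapshots collected from several hosts (as one would export from /etc/passwd or an LDAP posixAccount search). The host names, logins and numeric ids are constructed; sapadm is used as the functional user from the list.

```python
# Added example (not from the original slides): find UID/GID mapping conflicts
# across systems before relying on direct user mapping on a shared filesystem.
# All host names, logins and ids below are constructed sample data.
from collections import defaultdict

# system -> list of (login name, uidNumber, gidNumber)
SNAPSHOTS = {
    "aix-db01":    [("root", 0, 0), ("alice", 1001, 100), ("sapadm", 2000, 2000)],
    "linux-web01": [("root", 0, 0), ("alice", 1001, 100), ("sapadm", 3000, 3000)],
    "bsd-fs01":    [("root", 0, 0), ("alice", 1002, 100), ("bob", 1001, 100)],
}


def uid_conflicts(snapshots):
    """Return (by_name, by_uid).

    by_name: login -> {uid: [systems]} for logins that resolve to more than one uid.
    by_uid:  uid -> {login: [systems]} for uids that resolve to more than one login.
    Either kind makes file ownership on a shared filesystem ambiguous.
    """
    name_to_uid = defaultdict(lambda: defaultdict(list))
    uid_to_name = defaultdict(lambda: defaultdict(list))
    for system in sorted(snapshots):
        for login, uid, _gid in snapshots[system]:
            name_to_uid[login][uid].append(system)
            uid_to_name[uid][login].append(system)
    by_name = {n: dict(m) for n, m in name_to_uid.items() if len(m) > 1}
    by_uid = {u: dict(m) for u, m in uid_to_name.items() if len(m) > 1}
    return by_name, by_uid


def gid_conflicts(snapshots):
    """login -> {gid: [systems]} where the primary group differs between systems."""
    seen = defaultdict(lambda: defaultdict(list))
    for system in sorted(snapshots):
        for login, _uid, gid in snapshots[system]:
            seen[login][gid].append(system)
    return {n: dict(m) for n, m in seen.items() if len(m) > 1}


if __name__ == "__main__":
    by_name, by_uid = uid_conflicts(SNAPSHOTS)
    for login, mapping in by_name.items():
        print(f"{login}: different uids across systems {mapping}")
    for uid, mapping in by_uid.items():
        print(f"uid {uid}: shared by different logins {mapping}")
    for login, mapping in gid_conflicts(SNAPSHOTS).items():
        print(f"{login}: different primary gids across systems {mapping}")
```

On the sample data the script reports alice (uid 1001 on two hosts, 1002 on the third), the functional user sapadm (uid and gid differ between hosts) and uid 1001 being shared by alice and bob; the same check works on snapshots taken from an LDAP export once the posixAccount attributes are mapped to the (login, uid, gid) tuples.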