IAM305: Developing to Novell eDirectory

Post on 18-Nov-2014


Description

Several recent changes in Novell eDirectory have been targeted at the Novell Compliance Management Platform. This session discusses those changes, such as improved logging and monitoring, that better support development efforts. It goes into detail on the directory schema and what is in the directory. You will also learn how to access eDirectory using standard LDAP tools, pull reports to monitor the directory for security, and make mass updates to the directory using LDAP tools. By participating in this session you will be able to greatly increase your productivity.

Transcript of IAM305: Developing to Novell eDirectory

Novell® eDirectory™

Event System and Developing to Novell eDirectory

Nachiappan Palaniappan, Software Consultant, npalaniappan@novell.com

Jim Schnitter, Senior Support Engineer, jschnitter@novell.com

© Novell, Inc. All rights reserved.2

Agenda

• Novell® eDirectory™ Event System

• LDAP Auditing

• Event Filtering

• Demonstration

– LDAP Auditing

– Event Filtering

• Developing to Novell eDirectory using Perl

Novell® eDirectory™ – Event System


Novell® eDirectory™ events

• Enables applications to monitor Novell eDirectory activity

• Helps in reporting operation-specific data

• Currently supports 270 events

• Event classification

– Entry Events

– Value Events

– General DS Events

– Security Equivalence Events

– LDAP Events, etc.


Novell® eDirectory™ events

• Types of event handlers

– Journal

– Inline

– Work

• Ways through which you can access the event system

– LDAP

> LDAP Extension, Psearch Control

– iMonitor

– Novell eDirectory Instrumentation

– SNMP


Design

[Diagram: an eDirectory Client, the LDAP Server and DS inside eDirectory™, the DS Event System, and two consumers, a Sentinel App and an LDAP App. Numbered flow: 1 Register, 2 Subscribe, 3 user add, 4 Notify, 5 Notify.]


Event Monitoring - Novell® Sentinel™

• iManager as the configuration interface

– The Novell Audit plugin needs to be installed and configured

• Novell eDirectory™ instrumentation acts as the interface to Novell eDirectory

– Bundled with Novell eDirectory

– Needs to be installed and configured manually

• Novell Audit Platform Agent interacts with Novell Sentinel

– Bundled with Novell eDirectory

– Needs to be installed manually


iManager Configuration


Event Monitoring – LDAP Extension

• The Novell® LDAP events extension allows an LDAP client to be notified of the occurrence of various events on a Novell eDirectory™ server

– Utilizes the LDAP v3 extended operation mechanism

– Novell specific

• Each event is identified by a unique integer


Event Monitoring – LDAP Extension

• Available as part of the SDK “LDAP Libraries for C”

• An application registers to monitor one or more events by calling the ldap_monitor_events API

– int ldap_monitor_events( LDAP *ld, int eventCount, EVT_EventSpecifier *events, int *msgID )

> events[] - an array of structures describing the events the application wishes to monitor; eventCount is the number of entries in it

> msgID - receives the message ID that ldap_result() is later polled with

– behaves similarly to the NetWare® API NWDSRegisterForEvent


Event Monitoring – LDAP Extension

• The following example monitors the CREATE_ENTRY and DELETE_ENTRY events through the LDAP extension

• Event specifiers

    #include <ldapx.h>
    #include <ldap_events.h>
    ...
    EVT_EntryInfo *entryInfo;
    EVT_EventSpecifier events[] = { { EVT_CREATE_ENTRY, EVT_STATUS_ALL },
                                    { EVT_DELETE_ENTRY, EVT_STATUS_ALL } };


Event Monitoring – LDAP Extension

• ldap_monitor_events - LDAP extension API

    /* eventCount is the number of entries in events[] */
    if ( (rc = ldap_monitor_events( ld, eventCount, events, &msgID )) != LDAP_SUCCESS ) {
        printf( "ldap_monitor_events: %s\n", ldap_err2string( rc ) );
        ldap_unbind_s( ld );
        return ( rc );
    }


Event Monitoring – LDAP Extension

• Get the LDAP result: poll ldap_result() with a timeout until the monitoring period is over

    timeOut.tv_sec  = 5L;
    timeOut.tv_usec = 0L;

    startTime = time( NULL );            /* record the start time */
    printf( "Monitoring events for %d minutes.\n", EXECUTE_TIME/60 );
    finished = 0;
    while ( 0 == finished ) {
        result = NULL;
        rc = ldap_result( ld, msgID, LDAP_MSG_ONE, &timeOut, &result );
        .....
    }


Event Monitoring – LDAP Extension

• Error cases

    switch ( rc ) {
    case -1:    /* some error occurred */
        ldap_get_option( ld, LDAP_OPT_ERROR_NUMBER, &errorCode );
        printf( "Error in ldap_result: %s\n", ldap_err2string( errorCode ) );
        finished = 1;   /* terminate polling loop */
        break;

    case 0:     /* Timed out, no result yet. */
        /* elided on the slide: this is what startTime and EXECUTE_TIME
           are for, stop polling once the monitoring period has elapsed */
        if ( time( NULL ) - startTime >= EXECUTE_TIME )
            finished = 1;
        break;


Event Monitoring – LDAP Extension

• Look for extended results

    case LDAP_RES_EXTENDED:     /* Monitor Events failure */
        parse_rc = ldap_parse_monitor_events_response( ld, result, &resultCode,
                                                       &errorMsg, &badEventCount,
                                                       &badEvents, 0 );
        if ( parse_rc != LDAP_SUCCESS )
            printf( "Error: ldap_parse_monitor_events_response:%d", parse_rc );
        else {
            switch ( resultCode ) {
            case LDAP_OPERATIONS_ERROR:
                printf( "Server operations error.\n" );
                break;
            case LDAP_ADMINLIMIT_EXCEEDED:
                printf( "Maximum number of active event monitors exceeded.\n" );
                break;


Event Monitoring – LDAP Extension

• Watch out for errors

            case LDAP_PROTOCOL_ERROR:
                printf( "Protocol error.\n" );
                break;
            case LDAP_UNWILLING_TO_PERFORM:
                printf( "Extension is currently disabled\n" );
                break;
            default:
                printf( "Unexpected result: %d, %s\n", resultCode, errorMsg );
            }
            if ( NULL != badEvents ) {
                for ( i = 0; i < badEventCount; i++ ) {
                    printf( "Bad Event ID: %d\n", badEvents[i].eventType );
                }
            }
        }
        finished = 1;
        break;


Event Monitoring – LDAP Extension

• Get the intermediate result

    case LDAP_RES_INTERMEDIATE:     /* An event notification */
        parse_rc = ldap_parse_ds_event( ld, result, &eventType, &eventResult,
                                        &eventData, 0 );   /* don't free result */
        if ( parse_rc != LDAP_SUCCESS )
            printf( "Error in ldap_parse_ds_event: %s\n", ldap_err2string( parse_rc ) );


Event Monitoring – LDAP Extension

• Check the event type carried by the intermediate result

        else {
            if ( EVT_CREATE_ENTRY == eventType ) {
                entryInfo = (EVT_EntryInfo *)eventData;
                printf( "Added new entry: %s\n", entryInfo->entryDN );
            } else if ( EVT_DELETE_ENTRY == eventType ) {
                entryInfo = (EVT_EntryInfo *)eventData;
                printf( "Deleted entry: %s\n", entryInfo->entryDN );
            } else
                printf( "Unexpected event notification: %d\n", eventType );

            ldap_event_free( eventData );
        }
        break;

Novell® eDirectory™ – LDAP Auditing


Business Need

• To instrument LDAP traffic (operations such as LDAP bind, LDAP add, etc.) and audit it

• To provide details and statistics of the LDAP operations happening on the Novell® eDirectory™ server


Overview

• LDAP events were introduced in the Novell® eDirectory™ 8.8 SP3 release

• LDAP events were integrated with Sentinel in 8.8 SP3

• All LDAP operations can be monitored

• Widely used by LDAP applications


Internals

• LDAP Event Reporting System

– LDAP server produces event data

• Can be exercised through the SDK “LDAP Libraries for C”

• API

– ldap_monitor_events is used to monitor the events, passing the LDAP event IDs

> EVT_LDAP_ADD

> EVT_LDAP_EXTOP etc


LDAP Data

• Information reported as part of the LDAP events

– Client's connection information

– Protocol data

– LDAP message ID

– LDAP result code

– LDAP operation data like ldap search parameters

– LDAP control ID

– LDAP authentication data


Design

[Diagram: an LDAP Client, the LDAP Server (with its LDAP Event Producer) and DS inside eDirectory™, the DS Event System, and two consumers, a Sentinel App and an LDAP App. Numbered flow: 1 Register, 2 Subscribe, 3 LDAP add, 4 LDAP Event Producer, 5 Notify, 6 Notify.]

Novell® eDirectory™ – Event Filtering


Business Need

• Novell® eDirectory™ internally generates its own events

• To help applications by providing the option to filter out unwanted events

• To monitor specific changes happening on the server (e.g. password modifications)

• To reduce the workload of clients that would otherwise have to filter the event data themselves


Overview

• Will be available as part of Novell® eDirectory™ 8.8 SP6

• Will be available on all applicable platforms

• Internal interface to Novell eDirectory

– Novell eDirectory Instrumentation

• Configuration interface

– iManager

• Reduces the load on monitoring applications and thereby improves performance


Event Filtering

• Limited Filtering provided

• Filtering options

– Attribute based filtering

– Object Class based filtering

• Applicable to selected events

– Commonly used value and entry events

Demonstration: Novell® eDirectory™ LDAP Auditing

Demonstration: Novell® eDirectory™ Event Filtering

Developing to Novell® eDirectory™


Why should a developer use Perl?

• Well suited to small, discrete tasks

– Provisioning in Domain Services for Windows

• Provides a framework for user extensions

– Privileged User Management

• Customers can find AND fix their own problems


How do you get LDAP to work with Perl?

• Use system calls, the LDAP command-line tools and LDIF files

– Good for tasks that are constantly repeated and need little input

– Example: populate missing uids

• Use the CPAN LDAP module

– Object Oriented Interface

– Good for more complex data manipulation

– Example: LDAP2CSV


[Diagram: ldapsearch output flows through Perl into ldapmodify input]

    $ ldapsearch -h host
    dn: cn=jim,o=novell

            Perl

    $ ldapmodify -h host -f ldif
    dn: cn=jim,o=novell
    changetype: modify
    add: uid
    uid: jim


Populate Missing Uids

    ldapsearch -b o=novell '(&(objectclass=user)(!(uid=*)))'

• LDIF file created from this search

    # jeffsmith, novell
    dn: cn=jeffsmith,o=novell
    sn: smith
    objectClass: inetOrgPerson
    cn: jeffsmith

    # jsmith, people, novell
    dn: cn=jsmith,ou=people,o=novell
    sn: smith
    objectClass: inetOrgPerson
    cn: jsmith


Populate Missing Uids

• Format of an LDIF file to add uids

    dn: cn=jeffsmith,o=novell
    changetype: modify
    add: uid
    uid: jeffsmith

    dn: cn=jsmith,ou=people,o=novell
    changetype: modify
    add: uid
    uid: jsmith


Populate Missing Uids

• Get input file and open output file

    #!/usr/bin/perl

    if (@ARGV == 1) {
        $in = $ARGV[0];
    } else {
        die "\nUsage: uid.pl <input ldif>\n\n";
    }

    open (IN, $in) or die "\nCan't open $in\n\n";
    open (OUT, ">uid.ldif");


Populate Missing Uids

• Build the LDIF file

    # The regex takes whatever follows "cn=" up to the first comma. That is
    # fine for the DNs above, but a DN with an escaped comma in the RDN
    # (cn=Smith\, Jim,...), a folded dn line or a base64 "dn::" line will
    # produce a wrong uid or be skipped.
    while ($line = <IN>) {
        chomp $line;
        if ($line =~ m/dn: cn=(.*?),/) {
            print OUT "$line\n";
            print OUT "changetype: modify\n";
            print OUT "add: uid\n";
            print OUT "uid: $1\n\n";
        }
    }

    print "\nCreated uid.ldif to add uids\n\n";


Make the program bullet proof

• Put the ldapsearch and ldapmodify commands inside the Perl program

• The system() function lets a Perl program run any command that can be run from the shell

• Perl variable interpolation still applies inside the command string, so whatever is interpolated is also parsed by the shell


[Diagram: ldapsearch output flows through Perl into ldapmodify input]

    $ ldapsearch -h host
    dn: cn=jim,o=novell

            Perl

    $ ldapmodify -h host -f ldif
    dn: cn=jim,o=novell
    changetype: modify
    add: uid
    uid: jim


Populate Missing Uids

• Don't prompt for the input file any more

    #!/usr/bin/perl

    # A fixed file name under /tmp is writable by every local user; the
    # next slides drop the temporary file altogether.
    $in = "/tmp/input.ldif";

    # -w puts the bind password on the command line, where it is visible
    # to every local user in the process list and ends up in shell history.
    # Shown as on the slide; prefer reading the password from a file or a
    # prompt in anything that leaves the lab.
    system ("ldapsearch -x -D cn=admin,o=novell -w novell -b o=novell -h host '(&(objectclass=user)(!(uid=*)))' > $in");

    open (IN, $in) or die "\nCan't open $in\n\n";
    open (OUT, ">uid.ldif");


Populate Missing Uids

• Add the uids from the program system ("ldapmodify -x -h host -D cn=admin,o=novell -w novell -f uid.ldif");

print "\nUids have been added\n\n";

close IN;close OUT;
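The same job as the uid.ldif generator and the system() version above, written as an added example (not code from the deck or from Novell) the way a practitioner would ship it: a real LDIF parser instead of a regex over the dn line, the two LDAP tools run as pipes with no shell and no temporary file, and the bind password read from a file rather than passed with -w. It assumes Net::LDAP::LDIF from the perl-ldap distribution, OpenLDAP-style ldapsearch/ldapmodify that accept -y <password file>, and placeholder values for the host, bind DN, password file and base DN; the embedded LDIF is constructed for the example.

```perl
#!/usr/bin/perl
# uid_fill.pl: add a uid to every user that has none, without temporary
# files and without putting the bind password on the command line.
# Added example, not code from the original deck. Assumes Net::LDAP::LDIF
# (perl-ldap), OpenLDAP-style ldapsearch/ldapmodify with -y, and
# placeholder host, bind DN, password file and base DN.
use strict;
use warnings;
use Net::LDAP::LDIF;
use Net::LDAP::Entry;

# Constructed LDIF, shaped like ldapsearch output, with the cases the
# slides' regex (m/dn: cn=(.*?),/) gets wrong: a folded dn line, an escaped
# comma inside the RDN, a base64-encoded dn ("dn::"), and an entry that
# already has a uid.
my $sample = <<'LDIF';
# jeffsmith, novell
dn: cn=jeffsmith,
 o=novell
objectClass: inetOrgPerson
sn: smith
cn: jeffsmith

# "Smith, Jim", people, novell
dn: cn=Smith\, Jim,ou=people,o=novell
objectClass: inetOrgPerson
sn: Smith
cn: Smith, Jim

# jane, novell (dn is base64 for cn=jane,o=novell)
dn:: Y249amFuZSxvPW5vdmVsbA==
objectClass: inetOrgPerson
sn: doe
cn: jane

# already provisioned, must be left alone
dn: cn=jsmith,ou=people,o=novell
objectClass: inetOrgPerson
sn: smith
cn: jsmith
uid: jsmith
LDIF

# Read an LDIF stream and build one modify record per entry that has a cn
# but no uid. The uid comes from the cn attribute, not from the dn line,
# and Net::LDAP::LDIF undoes line folding and base64 for us.
sub build_uid_changes {
    my ($fh) = @_;
    my $in = Net::LDAP::LDIF->new($fh, 'r', onerror => 'die');
    my @changes;
    while (my $entry = $in->read_entry) {
        next if defined $entry->get_value('uid');   # already provisioned
        my $cn = $entry->get_value('cn');           # first cn value
        next unless defined $cn && length $cn;
        my $change = Net::LDAP::Entry->new;
        $change->dn($entry->dn);
        $change->changetype('modify');
        $change->add(uid => $cn);
        push @changes, $change;
    }
    return @changes;
}

# Run the two LDAP tools as pipes. The list form of open() never involves a
# shell, so no argument is reinterpreted, and -y reads the password from a
# file (keep it mode 0600) instead of -w, which would expose it in ps and
# in shell history. Search output streams straight into the parser and the
# change records straight into ldapmodify, so nothing touches disk.
sub live_pipeline {
    my %cfg = @_;
    my @auth = ('-x', '-H', $cfg{uri}, '-D', $cfg{binddn}, '-y', $cfg{pwfile});
    open(my $search, '-|', 'ldapsearch', @auth, '-LLL', '-b', $cfg{base},
         '(&(objectclass=user)(!(uid=*)))', 'cn')
        or die "cannot run ldapsearch: $!\n";
    my @changes = build_uid_changes($search);
    close($search) or die 'ldapsearch failed, exit ' . ($? >> 8) . "\n";
    return 0 unless @changes;

    open(my $modify, '|-', 'ldapmodify', @auth)
        or die "cannot run ldapmodify: $!\n";
    my $out = Net::LDAP::LDIF->new($modify, 'w', change => 1);
    $out->write_entry(@changes);
    close($modify) or die 'ldapmodify failed, exit ' . ($? >> 8) . "\n";
    print 'Added uid to ' . scalar(@changes) . " entries\n";
    return 0;
}

sub main {
    if (@ARGV && $ARGV[0] eq '--live') {   # placeholder values, adjust for your tree
        return live_pipeline(uri => 'ldap://host', binddn => 'cn=admin,o=novell',
                             pwfile => '/etc/uidfill.pw', base => 'o=novell');
    }
    # Offline: parse the constructed sample and print the change records.
    open(my $fh, '<', \$sample) or die "cannot open sample: $!\n";
    my @changes = build_uid_changes($fh);
    my $out = Net::LDAP::LDIF->new(\*STDOUT, 'w', change => 1);
    $out->write_entry(@changes);
    return 0;
}

exit main();
```

Run with no arguments and it prints three change records (jeffsmith, "Smith, Jim" and jane; jsmith is skipped because it already has a uid), each with "changetype: modify", "add: uid" and a "-" separator, which is the LDIF format the slides build by hand. Run with --live and the same records go straight into ldapmodify. Note that the regex on the earlier slide would have produced "Smith\" for the second entry and nothing for the base64 dn.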


Make the program more secure

• Don't use temporary files any more

• Data manipulation can be done in memory

• Perl modules allow programs to reuse code

– Don't depend on utilities being installed

– Modules are generally cross platform


Populate Missing Uids

    use Net::LDAP;

    # Connect and bind. The slide omits these lines; the host and bind DN
    # are the ones used with the command-line tools earlier, and the
    # password is read from the environment rather than written into the
    # script.
    $base = "o=novell";
    $ldap = Net::LDAP->new("host") or die "\nCan't connect to host: $@\n\n";
    $result = $ldap->bind("cn=admin,o=novell", password => $ENV{LDAP_PASSWORD});
    if ($result->code) {
        die ("\nCan't bind (LDAP Error: ", $result->code, ")\n\n");
    }

    $attrs = [ 'cn' ];
    $searchString = "(&(objectclass=user)(!(uid=*)))";
    $result = $ldap->search ( base => $base, filter => $searchString,
                              scope => "sub", attrs => $attrs );
    if ($result->code) {
        die ("\nCan't search $base (LDAP Error: ", $result->code, ")\n\n");
    }

    @entries = $result->entries;

    foreach $entr ( @entries ) {
        $dn = $entr->dn;
        $cn = $entr->get_value("cn");
        print "\nModifying: $dn\n";
        $result = $ldap->modify($dn, add => { uid => $cn } );
        if ($result->code) {
            die ("Error - Can't modify (LDAP Error: ", $result->code, ")\n\n");
        }
    }

    $ldap->unbind;

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.