S 3.29 Training on the administration of Novell eDirectory

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator, Head of IT

Administration of an eDirectory directory service requires detailed knowledge of this product and its underlying principles. Otherwise it is easy to make mistakes in the configuration which can have serious security implications. It is therefore imperative that administrators are trained in this area.

A brief summary is provided below as to what subjects should be included in administrator training.

The eDirectory directory service has a hierarchical structure like a tree. The individual nodes in the directory tree consist of the container objects, which in turn can contain other objects, and the leaf objects, which constitute the end points (leaves) of the directory tree. Every object belongs to a unique object class. The object class defines the values, attributes and/or properties which can be assigned to an object of this object class. Hierarchical relationships are also defined in them, i.e. specifying potential parent and child objects. There are already a number of predefined object classes within eDirectory. The object class definitions are specified in the schema. If any changes are made to the definition of individual object classes, e.g. an attribute set is expanded, then this entails a change or extension of the schema. A schema change is to a certain extent the most sensitive operation that can be made to an eDirectory directory tree. The effects of this are felt on the entire tree, so that the previous design of the tree has to be rethought. Administration of the eDirectory schema therefore requires a high degree of competence in the eDirectory service and a very high awareness of security issues.

Rights of access to the individual attributes of the object can be granted to each individual object and each object class. The explicit assignment is effected via trustee relationships, i.e. the entry of trustees in the access control list (ACL). These rights range from Supervisor, i.e. full administration rights, through to Browse, which permits browsing through the relevant sections of the directory tree. Rights of access to objects are by default inherited from top to bottom in the tree hierarchy. However, it is possible to influence the inheritance process by introducing Inherited Rights Filters (IRF). With these filters, automatic inheritances can be explicitly concealed. It is also possible to define security equivalences between individual objects or object classes X and Y. All the trustees of object X are automatically passed on to be trustees of object Y, i.e. object Y possesses at least the same access possibilities as object X.

Finally, effective rights play a role in eDirectory access. These are the consequence of the rights assignment described above and are worked out dynamically during each individual access.

On the intranet, the users access eDirectory via suitable client software. Access to the directory service by clients is effected here using a proprietary protocol, in which the private key of the user who is logging on is sent encrypted from eDirectory to the client. The user password is involved in this encryption. If the user now enters his/her password, then the client can decrypt the private key, and a Challenge/Response authentication procedure now takes place between the client and the eDirectory server. Following successful authentication, the user possesses the rights of access to the eDirectory that have been defined for him/her.

Network applications and internet users normally access the eDirectory directory service with the LDAP protocol. There are three standard connection types available here: the anonymous bind, the proxy user anonymous bind and the NDS user bind. The default setting is that the anonymous login has the rights of the [public] object, which by default possesses the unrestricted browse right to the entire directory tree. The anonymous login does not require any authentication. For password authentication it is possible to configure whether the password may be sent in plain text or not. The SSL protocol is available for a protected connection over LDAP, and with either one-or two-sided authentication.

The eDirectory certificate server plays an important role in the assignment of rights and hence in the system security. Authentication in the network and also the establishment of an encrypted channel (via SSL) also depend on certificate management. It is therefore particularly important that the eDirectory certificate server is administered with care.

The eDirectory directory service allows partitioning of the directory database over several servers in order to improve scalability and performance. With regard to the partitioning of a directory tree, there are a number of rules that must be observed, details of which are provided in S 2.237 Planning of Partitioning and Replication in Novell eDirectory.

Like the predecessor products, eDirectory supports replicas to increase fault tolerance and system throughput. There are several types of replica here, namely master replica, read/write replica, read-only replica, filtered read/write replica, filtered read-only replica and subordinate reference replica. Detailed information on these can be found in S 2.237 Planning of Partitioning and Replication in Novell eDirectory.

eDirectory supports role-based administration and also the delegation of administrative tasks. In accordance with the decisions made during planning (see S 2.236 Planning the Use of Novell eDirectory and S 2.238 Specification of Security Guidelines for Novell eDirectory), the various administrators must be trained for their tasks. This applies particularly to the group of schema administrators who are in a position to alter the entire database design of the directory tree (see above).

Detailed knowledge of the configuration options available in the system is necessary to administer the eDirectory client software and LDAP access. The underlying operating system also plays a role here in the definition of a security environment, especially the file system security.

Furthermore, the administrators responsible for logging and monitoring must be carefully instructed in their tasks.

Contents of the training program

Depending on the size of the network, an eDirectory directory tree will generally not be administered by a single administrator but by a whole series of administrators with specific tasks and spheres of activity. To this extent it is not necessary for all the administrators of an eDirectory directory to undergo the same training. In the interests of secure operation, however, all administrators must possess sufficient basic knowledge to be able to put their own activities into an overall context.

Training content should in every case cover and explain the key points set out below. To what depth a given administrator needs to concern him/herself with each individual aspect will depend on his/her later area of activity.

Basic information

Directory service

Public Key Infrastructure (PKI)

Secure Socket Layer (SSL)

Lightweight Directory Access Protocol (LDAP)

Novell Client

These individual topics are explained in more detail below.

Schema administration

Normally it is not necessary for an administrator to make installation-specific changes to the eDirectory schema. To this extent training can be limited to the potential problems and effects of schema changes. If individual modifications need to be made to the schema, more advanced training on the internal workings of eDirectory is necessary.

Replication

Backup

Rights assignment in eDirectory

Even if role separation between administration of the eDirectory directory and the underlying operating system is in place, eDirectory administrators need to be taught a basic knowledge of the operating system. Otherwise it will be difficult to work together to resolve any problems.

Review questions:

© Federal Office for Information Security. All rights reserved.