Novell® eDirectory Event System and Developing to Novell eDirectory
Nachiappan Palaniappan, Software Consultant, [email protected]
Jim Schnitter, Senior Support Engineer, [email protected]

Upload: novell

Post on 18-Nov-2014

DESCRIPTION

Several recent changes in Novell eDirectory have been targeted at the Novell Compliance Management Platform. This session will discuss changes, such as improved logging and monitoring, that better support development efforts. The session will go into detail on the directory schema and what is in the directory. You will also learn how to access eDirectory using standard LDAP tools, pull reports to monitor the directory for security, and make mass updates to the directory using LDAP tools. By participating in this session you will be able to greatly increase your productivity.

TRANSCRIPT

Page 1: IAM305 Developing to Novell eDirectory

Novell® eDirectory™

Event System and Developing to Novell eDirectory

Nachiappan Palaniappan, Software Consultant, [email protected]

Jim Schnitter, Senior Support Engineer, [email protected]

Page 2

© Novell, Inc. All rights reserved.

Agenda

• Novell® eDirectory™ Event System

• LDAP Auditing

• Event Filtering

• Demonstration

– LDAP Auditing

– Event Filtering

• Developing to Novell eDirectory using Perl

Page 3

Novell® eDirectory™ – Event System

Page 4

Novell® eDirectory™ events

• Enables applications to monitor Novell eDirectory activity

• Helps in reporting operation-specific data

• Currently supports 270 events

• Event classification

– Entry Events

– Value Events

– General DS Events

– Security Equivalence Events

– LDAP Events, etc.

Page 5

Novell® eDirectory™ events

• Types of event handlers

– Journal

– Inline

– Work

• Ways through which you can access the event system

– LDAP

> LDAP Extension, Psearch Control

– iMonitor

– Novell eDirectory Instrumentation

– SNMP

Page 6

Design (diagram)

Components: LDAP Server, DS, eDirectory™, DS Event System, eDirectory Client, Sentinel App, LDAP App

Labelled steps: 1 Register, 2 Subscribe, 3 user add, 4 Notify, 5 Notify

Page 7

Event Monitoring - Novell® Sentinel™

• iManager as the configuration interface

– Novell Audit Plugin needs to be installed and configured

• Novell eDirectory™ instrumentation acts as the interface to Novell eDirectory

– Bundled with Novell eDirectory

– Needs to be installed and configured manually

• Novell Audit Platform Agent interacts with Novell Sentinel

– Bundled with Novell eDirectory

– Needs to be installed manually

Page 8

iManager Configuration

Page 9

Event Monitoring – LDAP Extension

• Novell® LDAP events extension allows an LDAP client to be notified of the occurrence of various events on a Novell eDirectory™ server

– Utilizes the LDAP v3-extended operation extension mechanism

– Novell Specific

• Each event is identified by a unique integer

Page 10

Event Monitoring – LDAP Extension

• Available as part of the SDK “LDAP Libraries for C”

• An application registers to monitor one or more events by calling ldap_monitor_event API

– int ldap_monitor_event( LDAP *ld, NDSEventSpecifier[] events, int *msgId)

> Events[] - contains an array of structures describing the events the application wishes to monitor

– behaves similar to the NetWare® API NWDSRegisterForEvent

Page 11

Event Monitoring – LDAP Extension

• The following example monitors the CREATE_ENTRY and DELETE_ENTRY events through the LDAP extension

• Event Specifiers

    #include <ldapx.h>
    #include <ldap_events.h>
    ...
    EVT_EntryInfo *entryInfo;
    EVT_EventSpecifier events[] = { { EVT_CREATE_ENTRY, EVT_STATUS_ALL },
                                    { EVT_DELETE_ENTRY, EVT_STATUS_ALL } };

Page 12

Event Monitoring – LDAP Extension

• ldap_monitor_events - LDAP Extension API

    if ( (rc = ldap_monitor_events( ld, eventCount, events, &msgID )) != LDAP_SUCCESS ) {
        printf("ldap_monitor_event : %s\n", ldap_err2string( rc ));
        ldap_unbind_s( ld );
        return ( rc );
    }

Page 13

Event Monitoring – LDAP Extension

• Get LDAP result

    timeOut.tv_sec = 5L;
    timeOut.tv_usec = 0L;

    startTime = time(NULL);   /* record the start time */
    printf("Monitoring events for %d minutes.\n", EXECUTE_TIME/60);
    finished = 0;
    while ( 0 == finished ) {
        result = NULL;
        rc = ldap_result( ld, msgID, LDAP_MSG_ONE, &timeOut, &result );
        .....
    }

Page 14

Event Monitoring – LDAP Extension

• Error Cases

    switch ( rc ) {
    case -1:   /* some error occurred */
        ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &errorCode);
        printf("Error in ldap_result: %s\n", ldap_err2string( errorCode ));
        finished = 1;   /* terminate polling loop */
        break;

    case 0:    /* Timed out, no result yet. */
        break;

Page 15

Event Monitoring – LDAP Extension

• Look for extended results

    case LDAP_RES_EXTENDED:   /* Monitor Events failure */
        parse_rc = ldap_parse_monitor_events_response(ld, result, &resultCode, &errorMsg,
                                                      &badEventCount, &badEvents, 0);
        if (parse_rc != LDAP_SUCCESS)
            printf("Error: ldap_parse_monitor_events_response: %d\n", parse_rc);
        else {
            switch (resultCode) {
            case LDAP_OPERATIONS_ERROR:
                printf("Server operations error.\n");
                break;
            case LDAP_ADMINLIMIT_EXCEEDED:
                printf("Maximum number of active event monitors exceeded.\n");
                break;

Page 16

Event Monitoring – LDAP Extension

• Watch out for errors

            case LDAP_PROTOCOL_ERROR:
                printf("Protocol error.\n");
                break;
            case LDAP_UNWILLING_TO_PERFORM:
                printf("Extension is currently disabled\n");
                break;
            default:
                printf("Unexpected result: %d, %s\n", resultCode, errorMsg);
            }
            if (NULL != badEvents) {
                for (i = 0; i < badEventCount; i++) {
                    printf("Bad Event ID: %d\n", badEvents[i].eventType);
                }
            }
        }
        finished = 1;
        break;

Page 17

Event Monitoring – LDAP Extension

• Get the intermediate result

    case LDAP_RES_INTERMEDIATE:   /* An event notification */
        parse_rc = ldap_parse_ds_event(ld, result, &eventType, &eventResult,
                                       &eventData, 0 );   /* don't free result */
        if ( parse_rc != LDAP_SUCCESS )
            printf("Error in ldap_parse_ds_event: %s\n", ldap_err2string( parse_rc ));

Page 18

Event Monitoring – LDAP Extension

• Check the return value of the intermediate result

        else {
            if (EVT_CREATE_ENTRY == eventType) {
                entryInfo = (EVT_EntryInfo *)eventData;
                printf("Added new entry: %s\n", entryInfo->entryDN);
            } else if (EVT_DELETE_ENTRY == eventType) {
                entryInfo = (EVT_EntryInfo *)eventData;
                printf("Deleted entry: %s\n", entryInfo->entryDN);
            } else
                printf("Unexpected event notification: %d\n", eventType);
            ldap_event_free(eventData);
        }
        break;

Page 19

Novell® eDirectory™ – LDAP Auditing

Page 20

Business Need

• To support the use case of instrumenting LDAP traffic (for operations such as LDAP bind, LDAP add, etc.) and auditing it

• To provide the details and statistics of the LDAP operations happening on the Novell® eDirectory™ server

Page 21

Overview

• Introduced LDAP events in Novell® eDirectory™ 8.8 SP3 release

• Integration of LDAP events with Sentinel in 8.8 SP3

• All LDAP operations can be monitored

• Widely used by LDAP Applications

Page 22

Internals

• LDAP Event Reporting System

– LDAP server produces event data

• Can be exercised through the SDK “LDAP Libraries for C”

• API

– ldap_monitor_event is used for monitoring the events with the LDAP event Ids

> EVT_LDAP_ADD

> EVT_LDAP_EXTOP etc

Page 23

LDAP Data

• Information reported as part of the LDAP events

– Client's connection information

– Protocol data

– LDAP message ID

– LDAP result code

– LDAP operation data like ldap search parameters

– LDAP control ID

– LDAP authentication data

Page 24

Design (diagram)

Components: LDAP Server, DS, eDirectory™, DS Event System, LDAP Event Producer, LDAP Client, Sentinel App, LDAP App

Labelled steps: 1 Register, 2 Subscribe, 3 LDAP add, 4 LDAP Event Producer, 5 Notify, 6 Notify

Page 25

Novell® eDirectory™ – Event Filtering

Page 26

Business Need

• Novell® eDirectory™ internally generates its own events

• To help the applications by providing the option to filter out the unwanted events

• To monitor specific changes happening in the server (e.g. password modifications)

• To bring down the client work load of filtering event data on its own

Page 27

Overview

• Will be available as part of Novell® eDirectory™ 8.8 SP6

• Will be available on all applicable platforms

• Internal interface to Novell eDirectory

– Novell eDirectory Instrumentation

• Configuration interface

– iManager

• Reduces the load on monitoring applications and thereby improves performance

Page 28

Event Filtering

• Limited Filtering provided

• Filtering options

– Attribute based filtering

– Object Class based filtering

• Applicable to selected events

– Commonly used value and entry events

Page 29

Demonstration: Novell® eDirectory™ LDAP Auditing

Page 30

Demonstration: Novell® eDirectory™ Event Filtering

Page 31

Developing to Novell® eDirectory™

Page 32

Why should a developer use Perl?

• Well suited to small, discrete tasks

– Provisioning in Domain Services for Windows

• Provides a framework for user extensions

– Privileged User Management

• Customers can find AND fix their own problems

Page 33

How do you get LDAP to work with Perl?

• Use system calls, LDAP commands and LDIF files

– Good for tasks that are constantly repeated and need little input

– Example: populate missing uids

• Use the CPAN LDAP module

– Object Oriented Interface

– Good for more complex data manipulation

– Example: LDAP2CSV

Page 34

$ ldapsearch -h host
    dn: cn=jim,o=novell

$ ldapmodify -h host -f ldif
    dn: cn=jim,o=novell
    changetype: modify
    add: uid
    uid: jim

Perl

Page 35

Populate Missing Uids

    ldapsearch -b o=novell '(&(objectclass=user)(!(uid=*)))'

• LDIF file created from this search

    # jeffsmith, novell
    dn: cn=jeffsmith,o=novell
    sn: smith
    objectClass: inetOrgPerson
    cn: jeffsmith

    # jsmith, people, novell
    dn: cn=jsmith,ou=people,o=novell
    sn: smith
    objectClass: inetOrgPerson
    cn: jsmith

Page 36

Populate Missing Uids

• Format of an LDIF file to add uids

    dn: cn=jeffsmith,o=novell
    changetype: modify
    add: uid
    uid: jeffsmith

    dn: cn=jsmith,ou=people,o=novell
    changetype: modify
    add: uid
    uid: jsmith

Page 37

Populate Missing Uids

• Get input file and open output file

    #!/usr/bin/perl

    # the only argument is the LDIF produced by the ldapsearch on the previous slides
    if (@ARGV == 1) {
        $in = $ARGV[0];
    } else {
        die "\nUsage: uid.pl <input ldif>\n\n";
    }

    open (IN, $in) or die "\nCan't open $in\n\n";
    open (OUT, ">uid.ldif") or die "\nCan't create uid.ldif\n\n";

Page 38

Populate Missing Uids

• Build the LDIF file

    # for every "dn: cn=...," line, emit a modify record that adds uid = the cn value
    while ($line = <IN>) {
        chomp $line;
        if ($line =~ m/dn: cn=(.*?),/) {
            print OUT "$line\n";
            print OUT "changetype: modify\n";
            print OUT "add: uid\n";
            print OUT "uid: $1\n\n";
        }
    }

    print "\nCreated uid.ldif to add uids\n\n";
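The uid.pl loop above keys on a single `dn: cn=(.*?),` line, which misreads LDIF that ldapsearch legitimately emits: folded continuation lines, base64 `dn::` values for non-ASCII DNs, and RDNs with an escaped comma. The following is an added example, written in Python rather than the deck's Perl and not part of the original presentation, that builds the same uid.ldif while handling those cases; the sample search output is constructed.

```python
import base64

# Constructed sample of what the slide's ldapsearch prints: the second dn is folded onto a
# continuation line and its RDN has an escaped comma; the third is base64 (dn::) as non-ASCII.
SAMPLE_SEARCH_OUTPUT = (
    "# jeffsmith, novell\ndn: cn=jeffsmith,o=novell\nsn: smith\ncn: jeffsmith\n\n"
    "dn: cn=Smith\\, Jim,ou=people,\n o=novell\nsn: Smith\ncn: Smith, Jim\n\n"
    "dn:: " + base64.b64encode("cn=åse,ou=people,o=novell".encode()).decode() + "\n"
    "sn: åse\n")

def ldif_line(attr, value):
    # RFC 2849: values that are non-ASCII, start with space/colon/'<', end with a
    # space, or contain NUL/CR/LF must be base64-encoded after a double colon.
    plain = (value.isascii() and not value.startswith((" ", ":", "<"))
             and not value.endswith(" ") and not any(c in value for c in "\0\r\n"))
    return f"{attr}: {value}" if plain else \
        f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def entry_dns(ldif):
    # Unfold continuation lines (leading space), then collect each entry's dn,
    # decoding "dn::" base64 values.
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [base64.b64decode(l[5:]).decode() if l.startswith("dn:: ") else l[4:]
            for l in lines if l.startswith(("dn: ", "dn:: "))]

def rdn_value(dn):
    # First RDN value, honouring backslash escapes such as "\," (hex escapes like \2C are
    # not decoded); refuses DNs whose first RDN is not cn=, instead of silently skipping.
    chars, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1
        chars.append(dn[i])
        i += 1
    attr, _, value = "".join(chars).partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"first RDN is not cn=: {dn!r}")
    return value

def build_uid_ldif(search_output):
    # One "changetype: modify / add: uid" record per entry, as uid.pl writes them.
    records = ["\n".join([ldif_line("dn", dn), "changetype: modify", "add: uid",
                          ldif_line("uid", rdn_value(dn))])
               for dn in entry_dns(search_output)]
    return "\n\n".join(records) + "\n"
```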

Page 39

Make the program bullet proof

• Put the ldapsearch and ldapmodify commands inside the Perl program

• The system() function lets a Perl program run any command that can be run from the shell

• Variable substitution is still done

Page 40

$ ldapsearch -h host
    dn: cn=jim,o=novell

$ ldapmodify -h host -f ldif
    dn: cn=jim,o=novell
    changetype: modify
    add: uid
    uid: jim

Perl

Page 41

Populate Missing Uids

• Don't prompt for the input file any more

    #!/usr/bin/perl

    $in = "/tmp/input.ldif";

    # run the search from the program; note that the bind password is passed on the command line here
    system ("ldapsearch -x -D cn=admin,o=novell -w novell -b o=novell -h host '(&(objectclass=user)(!(uid=*)))' > $in");

    open (IN, $in) or die "\nCan't open $in\n\n";
    open (OUT, ">uid.ldif") or die "\nCan't create uid.ldif\n\n";

Page 42

Populate Missing Uids

• Add the uids from the program

    # close OUT first so uid.ldif is flushed to disk before ldapmodify reads it
    close IN;
    close OUT;

    system ("ldapmodify -x -h host -D cn=admin,o=novell -w novell -f uid.ldif");

    print "\nUids have been added\n\n";

Page 43

Make the program more secure

• Don't use any more temporary files

• Data manipulation can be done in memory

• Perl modules allow programs to reuse code

– Don't depend on utilities being installed

– Modules are generally cross platform

Page 44

Populate Missing Uids

    use Net::LDAP;

    # connect and bind (added here for completeness; host and credentials as on the earlier slides)
    $ldap = Net::LDAP->new("host") or die "\nCan't connect to host\n\n";
    $mesg = $ldap->bind("cn=admin,o=novell", password => "novell");
    if ($mesg->code) {
        die ("\nCan't bind (LDAP Error: ", $mesg->code, ")\n\n");
    }

    $base = "o=novell";
    $attrs = [ 'cn' ];
    $searchString = "(&(objectclass=user)(!(uid=*)))";
    $result = $ldap->search ( base => $base,
                              filter => $searchString,
                              scope => "sub",
                              attrs => $attrs );
    if ($result->code) {
        die ("\nCan't search $base (LDAP Error: ", $result->code, ")\n\n");
    }

Page 45

Populate Missing Uids

    @entries = $result->entries;

    # add uid = cn to every entry the search returned
    foreach $entr ( @entries ) {
        $dn = $entr->dn;
        $cn = $entr->get_value("cn");
        print "\nModifying: $dn\n";
        $result = $ldap->modify($dn, add => { uid => $cn } );
        if ($result->code) {
            die ("Error - Can't modify (LDAP Error: ", $result->code, ")\n\n");
        }
    }

Page 46

Page 47

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.