17. AD domain and LDAP protocol

LDAP requirements analysis

To centralize management, simplify maintenance and optimization, and reduce operations and maintenance costs, a growing number of readily available LDAP client programs are used to access the LDAP directory from any computer platform, which makes it easy for custom applications and enterprises to reference the LDAP server.
The LDAP server can replicate part or all of its data using a "push" or "pull" method. For example, data can be "pushed" to a remote office to increase data security. Replication is built into the LDAP server and is easy to configure; obtaining the same replication functionality from a DBMS typically costs extra from the database vendor and is harder to manage. LDAP lets you use ACIs (commonly known as ACLs, access control lists) to control read and write permissions on data as needed. For example, a facility administrator may be allowed to change an employee's work location and office number but not other fields in the record. ACIs can control access based on who is accessing the data, which data is being accessed, where the data is stored, and other criteria. Because all of this is enforced by the LDAP directory server, there is no need to worry about whether the client application performs its own security checks.
LDAP is most useful for storing information that needs to be read from many different locations but does not need to be updated frequently. For example, the following are very effective to store in an LDAP directory: company employee phone directories and organizational charts; customer contact information; information needed for computer management, including NIS maps, email aliases, and so on; software package configuration information; public certificates and security keys.
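The attribute-level ACI example above (a facility administrator who may change location and office number but nothing else), worked through as a small in-memory model. This is an added illustration, not a real LDAP server or code from the original post; the DNs, attribute names and ACI rules are constructed for the example.

```python
# Simplified model of LDAP entries with ACI-style, attribute-level access control
# enforced on the server side. Added illustration, not a real LDAP server; the
# DNs, attribute names and ACI rules are constructed for this example.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Aci:
    subject_dn: str      # bind DN the rule applies to ("who")
    attrs: frozenset     # attributes it covers ("what")
    ops: frozenset       # subset of {"read", "write"}

@dataclass
class Directory:
    entries: dict = field(default_factory=dict)   # DN -> {attribute: value}
    acis: list = field(default_factory=list)

    def allowed(self, bind_dn, op, attr):
        """Default deny: an operation succeeds only if some ACI grants it."""
        return any(bind_dn == a.subject_dn and attr in a.attrs and op in a.ops
                   for a in self.acis)

    def read(self, bind_dn, dn):
        """Return only the attributes bind_dn may read; the rest are filtered out."""
        return {k: v for k, v in self.entries[dn].items()
                if self.allowed(bind_dn, "read", k)}

    def modify(self, bind_dn, dn, changes):
        """Reject the whole modify if any attribute is not writable by bind_dn,
        mirroring LDAP's atomic modify and the insufficientAccessRights result."""
        denied = sorted(a for a in changes if not self.allowed(bind_dn, "write", a))
        if denied:
            return False, denied
        self.entries[dn].update(changes)
        return True, []

def build_sample_directory():
    """Constructed sample: one employee entry plus a facility-admin ACI that may
    change location/office only (not title, not userPassword)."""
    d = Directory()
    d.entries["uid=alice,ou=people,dc=example,dc=com"] = {
        "cn": "Alice Example", "title": "Engineer", "l": "Beijing",
        "physicalDeliveryOfficeName": "B-301", "userPassword": "{SSHA}redacted"}
    facility = "uid=facility-admin,ou=people,dc=example,dc=com"
    readable = frozenset({"cn", "title", "l", "physicalDeliveryOfficeName"})
    d.acis.append(Aci(facility, readable, frozenset({"read"})))
    d.acis.append(Aci(facility, frozenset({"l", "physicalDeliveryOfficeName"}),
                      frozenset({"write"})))
    return d, facility
```

The mixed change (location plus title) is rejected as a whole and the entry is left untouched, which is the behaviour a client cannot bypass because the check lives in the server.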

LDAP overview

LDAP is the abbreviation of Lightweight Directory Access Protocol (the "lightweight" is mainly relative to another directory access protocol, X.500). LDAP omits many of the less commonly used functions of X.500 and runs over TCP/IP; port 389 is generally used for data transmission. A directory service stores, organizes and presents data in a key-value format. Generally speaking, directories are optimized for lookup, search and read operations, so they are suitable for data that is frequently referenced but rarely changed. Directory services are similar to databases, but there are important differences: a database is designed to support both reading and writing, whereas a directory service is specifically read-optimized and is not suited to data with frequent write operations. LDAP itself is just a protocol.

LDAP Overview - Basic Model

LDAP protocol analysis


AD requirement background

AD domain overview

AD is the abbreviation of Active Directory, the directory service for Microsoft servers and a product built on the LDAP protocol (Lightweight Directory Access Protocol). It gives users a powerful means of managing the identities of, and the relationships among, the various components of the network environment. Active Directory stores information about network objects and allows administrators and users to find and use this information easily. Active Directory uses structured data storage as the basis for a logical, hierarchical organization of directory information. The directory database in an Active Directory domain stores objects such as user accounts, computer accounts, printers and shared folders. The component that provides the directory service is Active Directory Domain Services (AD DS), which is responsible for storing the directory database and for adding, deleting, modifying and querying it.

AD domain features and common functions

1. Features
1) The biggest advantage of Microsoft's AD-based domain model is that it achieves centralized management.
2) Reclaim and manage the permissions of ordinary users on client computers.
3) AD is a large security boundary: once a user has verified their identity at logon, all resources in the domain forest that the user is allowed to access can be accessed directly, without further identity verification, which improves efficiency and reduces maintenance costs.
4) For user benefit, the "My Documents" folder on every user's desktop can be redirected to the file server through folder redirection.
2. Commonly used functions
1) User account management
2) Permission management
3) Software/patch push


Domain trust relationship

Creating a domain trust relationship
Domain trust relationships are directional. If domain A trusts domain B, the resources of domain A can be assigned to users of domain B, but the resources of domain B cannot be assigned to users of domain A. To achieve that, domain B would need to trust domain A.
If domain A trusts domain B, the domain controller of domain A copies the user accounts of domain B into its own Active Directory, so that the resources in domain A can be assigned to users of domain B. From this process it can be seen that domain A trusting domain B first requires the consent of domain B, because domain A must first request resources from domain B.

The initiative in a domain trust relationship lies with the trusted domain rather than the trusting domain.
• Domain A trusting domain B means there is a possibility that the resources of domain A will be assigned to users of domain B, but this is not inevitable. Without resource assignment, users in domain B cannot obtain any resources.

Domain Tree
Domain Tree is an important improvement of Active Directory over the traditional NT4 domain model. In the NT4-era domain model, each domain had to use a NetBIOS name with no hierarchical structure, there was no association between domains, and only non-transitive trust relationships could be created between them. This causes many problems in enterprise management:
first, it is difficult to judge the affiliation between domains from their names, for example the beijing domain and the shanghai domain;
secondly, because trust relationships between domains are not transitive, creating full trust between domains takes a great deal of time when there are many domains. Assuming there are 10 domains, we need to establish trust relationships 45 times between them before all 10 domains fully trust each other. The domain tree solves these problems very well. Because clearly hierarchical DNS domain names are used between a parent domain and its child domains in a domain tree, we can judge the affiliation of two domains from their names. For example, given the two domains abc.com and test.abc.com, we can easily determine that the latter is a subdomain of the former.
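The two points above (judging affiliation from DNS names, and the 45 trusts needed for 10 fully-trusting NT4 domains) worked through in code. This is an added example, not code from the original post; it goes one step beyond the text by also counting the n-1 parent/child links a domain tree needs, which holds because trusts between a parent and child domain are transitive. The domain names are those used in the text; no real forest is queried.

```python
# Added example: map DNS domain names to Active Directory domain DNs, decide
# parent/child affiliation from the name alone, and compare the number of
# trust links needed in a flat NT4-style model versus a domain tree.
# The domain names are taken from the text; nothing here contacts a real DC.

def _labels(domain):
    """'Test.abc.com.' -> ['test', 'abc', 'com'] (case-insensitive, no empties)."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return labels

def dns_to_dn(domain):
    """'test.abc.com' -> 'DC=test,DC=abc,DC=com' (one DC component per label)."""
    return ",".join(f"DC={l}" for l in _labels(domain))

def is_child_domain(child, parent):
    """True if `child` sits directly under `parent` in a domain tree."""
    c, p = _labels(child), _labels(parent)
    return len(c) == len(p) + 1 and c[1:] == p

def is_subdomain(child, ancestor):
    """True if `child` is anywhere below `ancestor` (direct child or deeper)."""
    c, a = _labels(child), _labels(ancestor)
    return len(c) > len(a) and c[len(c) - len(a):] == a

def nt4_full_trust_count(n_domains):
    """Non-transitive pairwise trusts needed for n domains to fully trust each
    other: n*(n-1)/2, so 10 domains need 45 as the text states."""
    if n_domains < 0:
        raise ValueError("domain count must be non-negative")
    return n_domains * (n_domains - 1) // 2

def domain_tree_trust_count(n_domains):
    """With transitive parent/child trusts, a tree of n domains needs only n-1
    links (every domain except the root is linked to its parent)."""
    return max(n_domains - 1, 0)
```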

Group Policy

Group Policy is an infrastructure that allows configuration to be applied to users or computers.
In layman's terms, Group Policy is similar to the registry: it is a technology that can modify user or computer settings.
What is the difference between Group Policy and the registry?
The registry can only be set for one user or one computer;
Group Policy can be set for many users and many computers.
For example, in an enterprise with 1,000 users, if we used the registry for configuration we might need to modify the registry on 1,000 computers one by one. With Group Policy instead, we only need to create the Group Policy once and then deploy it to the 1,000 computers at an appropriate level.

Group Policy is used in conjunction with Active Directory and can be deployed at the OU, site and domain levels. It can also be deployed on the local computer, but deploying it there does not let you use all of the functions of Group Policy; only in conjunction with Active Directory can Group Policy reach its full potential. Deployments at different levels have different priorities: local computer < site < domain < OU. We can choose the appropriate deployment level for a Group Policy based on the management task.
What is a Group Policy Object?
Group Policy is configured through Group Policy Objects (GPOs). Once a GPO is linked to a specified site, domain or OU, the settings in the GPO affect all users and computers in that site, domain or OU.
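The precedence rule local computer < site < domain < OU, worked through as a resolver that merges the GPOs linked at each level so that later levels override earlier ones. This is an added example, not code from the original post; it generalises the text's rule to nested OUs (parent OU applied before child OU, so the OU closest to the object wins), and the setting names and GPO links are constructed.

```python
# Added example: resolve the effective Group Policy settings for an object from
# GPOs linked at each level, applied in the order local < site < domain < OU so
# that later levels win. Nested OUs are applied parent first, deepest last.
# The setting names and links below are constructed for the example.

LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

def effective_settings(links):
    """links: list of (level, scope_dn, settings) where scope_dn is the DN of
    the site/domain/OU ("" for the local computer) and settings is {name: value}.
    Returns (effective, source): the winning value per setting and which link
    supplied it. OUs are ordered by depth (number of OU= components)."""
    def sort_key(link):
        level, scope, _ = link
        if level not in LEVEL_ORDER:
            raise ValueError(f"unknown level {level!r}")
        depth = scope.upper().count("OU=") if level == "ou" else 0
        return (LEVEL_ORDER[level], depth)
    effective, source = {}, {}
    for level, scope, settings in sorted(links, key=sort_key):
        for name, value in settings.items():
            effective[name] = value          # later (higher-priority) link overrides
            source[name] = f"{level}:{scope or 'this computer'}"
    return effective, source

def sample_links():
    """Constructed sample, deliberately listed out of order: a screen-lock
    timeout defined at every level, a wallpaper set at domain and one OU, and a
    local-only tweak that nothing above overrides."""
    return [
        ("ou", "OU=Finance,DC=abc,DC=com",
         {"ScreenLockMinutes": 10, "DesktopWallpaper": "finance.jpg"}),
        ("local", "", {"ScreenLockMinutes": 60, "ShowHiddenFiles": True}),
        ("ou", "OU=Payroll,OU=Finance,DC=abc,DC=com", {"ScreenLockMinutes": 5}),
        ("domain", "DC=abc,DC=com",
         {"ScreenLockMinutes": 15, "DesktopWallpaper": "corp.jpg"}),
        ("site", "CN=Beijing,CN=Sites,CN=Configuration,DC=abc,DC=com",
         {"ScreenLockMinutes": 20}),
    ]
```

Reading the `source` map is the quickest way to answer "which GPO set this?" when a setting on a client is not the one you expected.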


Group Policy Management

Group Policy management can be done through the Group Policy Editor and the Group Policy Management Console (GPMC).
The Group Policy Editor is a Group Policy management tool that comes with the Windows operating system and can modify the settings in GPOs.
GPMC is a more powerful Group Policy editing tool; it can create, manage and deploy GPOs. The latest GPMC can be downloaded from the Microsoft website.

1. Account policy settings

• For example, the length, complexity and maximum age of user passwords, the account lockout policy, and so on.

2. Setting of local policy

• For example, audit policy settings, user rights assignment, and security settings.

3. Deploy software

• The idea is to store the software to be deployed in a shared folder on the file server.
• Then, through Group Policy, notify the user or computer that there is software in a certain folder on a certain server that should be downloaded and installed.
• After the Group Policy is set, you can simply wait for the client computers to install the software automatically; there is no need to deploy it on each client computer one by one.

Origin blog.csdn.net/weixin_49765221/article/details/124253610