Monday, 5 July 2010

Bringing Active Directory under Control

Introduction:

In its ten years of existence Active Directory has grown to a point where thorough and accurate planning is vital. User provisioning is a large part of the everyday IT administrator's routine, and we sometimes find that the native AD management tools cover only a few of the many user provisioning tasks. The situation gets more complicated when the enterprise network contains several AD domains or forests and runs separate resource management systems for HR, e-mail and so on. This is where a third-party solution capable of coping with all of it becomes necessary. Below are some considerations on Adaxes, an Active Directory management solution developed by Softerra.

The tool suits day-to-day management of Active Directory services and the automation of user provisioning very well. Its functionality is focused on mapping security roles, provisioning AD users and ensuring workflow compliance. Given its feature set, the product sits somewhere between advanced Active Directory management tools and large resource provisioning systems.

Software installation and features:

As with many other programs, work with this software begins with deployment and initial configuration. Installation was fast and easy even though the product has a multi-component structure. After installation you get a management console, a web interface and a provider that exposes SPML to third-party SPML-enabled provisioning software. This allows Adaxes to be integrated with external provisioning systems and lets users develop their own applications for administering AD objects on the basis of the SPML protocol.

Property Patterns let you keep the Active Directory environment consistent, with objects that conform to defined standards. With them you define the formats and permitted values of object properties, and you can also generate the necessary properties automatically, avoiding data re-entry.



Business Rules let you automate and standardize the actions run on objects. When a user performs a specific operation on certain resources, the matching Business Rules are triggered. For example, after a user account is created, a home folder can be created for that user and mapped as a network drive.



I would also like to mention Basket and Business Units, virtual containers for bulk management of Active Directory objects. A Basket collects objects from different organizational units so that they can be managed together (change properties, send mass e-mail, move, etc.). Business Units let you collectively view, organize and manage objects from distributed domains.



When you manage Active Directory with Adaxes, you can grant permissions by means of role-based access control and view the history of all operations performed on objects.

Pros:

  • automation of everyday maintenance tasks,

  • use of Business Units to group objects,

  • workflow and approvals,

  • role-based security,

  • high usability.


These features improve the management of AD objects, reduce the time needed for administration and tighten AD security. Workflow automation is achieved with Business Rules, Approval Requests and Property Templates for Active Directory objects.

Cons:

  • No queues or schedulers for provisioning actions. With a really large number of distributed data objects you can run into synchronization and performance problems. Provisioning systems often use queues and schedulers for this case, which lets resource-intensive operations be spread out over time.

  • No e-mail notifications. Such a feature would be very helpful for promptly keeping track of all changes made in the system.

  • No import or export of objects from/to CSV files. Lists of objects also cannot be exported to a text file the way the MMC console allows.

  • Quite high price.


Summary:

Softerra Adaxes (http://www.adaxes.com) is useful software for account administrators in many SMBs and large enterprises that want a comprehensive provisioning system. In my opinion, the Softerra team could continue developing Adaxes with a focus on the functionality of both a large provisioning system and AD maintenance applications (backup, bulk management, integration with third-party catalogues/provisioning systems).

Tuesday, 10 February 2009

LDAP Servers


What is LDAP server?



A directory service (LDAP server) is a software system that stores, organizes and provides access to information in a directory: a shared information infrastructure for locating, managing, administering and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.
Directories are accessed in the client/server model. Directory access proceeds as follows: a directory client calls an API (application programming interface) to read or write information in the directory. The call is carried to the directory server on behalf of the requesting client over TCP/IP (the default LDAP ports are 636 for secure communications and 389 for unencrypted communications). The results of the operation are then returned to the client.
Servers provide a specific service to LDAP clients. Sometimes directory servers become clients of other servers in order to collect the information needed to process a request.

LDAP server performs the following basic operations:

  • Search entries;

  • Compare entries;

  • Add entries;

  • Delete entries;

  • Modify entries;

  • Move entries;

  • Rename entries;

  • Extended operations;

  • Authentication.
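The bind (authentication) operation above travels as BER-encoded ASN.1 over TCP. The following added example (not code from the original post) hand-encodes an LDAPv3 simple BindRequest per RFC 4511 and decodes it again; the DN and password are constructed placeholders. It makes the point behind the two ports: a simple bind on port 389 carries the password as a plain octet string, which is why port 636 (or StartTLS) is the one to use for authentication.

```python
# Added example (not from the original post): hand-encoding an LDAPv3 simple
# BindRequest (RFC 4511) in BER and decoding it again. DN/password are placeholders.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = max(1, (n.bit_length() + 8) // 8)
    return tlv(0x02, n.to_bytes(size, "big", signed=True))

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))  # 0x60 = [APPLICATION 0]

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def decode_simple_bind(packet: bytes) -> dict:
    """Recover the bind fields exactly as they cross the wire on port 389."""
    tag, msg, _ = parse_tlv(packet)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, nxt = parse_tlv(msg)
    tag, op, _ = parse_tlv(msg, nxt)
    assert tag == 0x60, "not a BindRequest"
    _, ver, nxt = parse_tlv(op)
    _, name, nxt = parse_tlv(op, nxt)
    auth_tag, auth, _ = parse_tlv(op, nxt)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "dn": name.decode(),
            # [0] simple (0x80) carries the password as a plain OCTET STRING
            "password": auth.decode() if auth_tag == 0x80 else None}
```

Encoding `bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")` and running `decode_simple_bind` on the result returns the DN and the password unchanged, which is exactly what a passive observer on an unencrypted port 389 session sees.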



According to the X.500 standard, servers can be connected into a hierarchical structure, so a search for the necessary information can proceed from one server to another. A web interface is widely used for server administration, including remote administration.

Directory services can be used for:

  • Locating and providing information about people (address books, yellow pages, white pages) and distributed resources like printers;

  • User authentication and authorization for Web servers or other LDAP-enabled applications;

  • Policies that are shared by multiple applications or application instances.
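For the authentication use case above, the application typically searches for the user's entry and then binds as that DN. The added example below (not code from the original post) shows the input handling a login handler needs before it touches the directory: RFC 4515 escaping of the user-supplied value inside the search filter, and a refusal of empty passwords, since RFC 4513 lets a server treat a bind with a DN and an empty password as an anonymous bind. The filter shape and the usernames in the tests are constructed samples.

```python
# Added example (not from the original post): building the search filter a web
# application runs before binding as the user, with RFC 4515 escaping applied.
# The usernames used in comments and tests are constructed samples.

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the server matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_login_filter(username: str) -> str:
    """Unsafe: any '(' ')' '*' or '\\' in username changes the filter's structure."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_login_filter(username: str) -> str:
    """Hardened: the value is escaped, so the filter keeps its intended shape."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def login_filter_for(username: str, password: str) -> str:
    """Input checks a login handler should run before it talks to the directory.

    The empty-password check matters: RFC 4513 allows a server to treat a bind
    with a DN and an empty password as an anonymous bind, which would report
    success for any existing user name."""
    if not password:
        raise ValueError("empty password would turn into an anonymous bind")
    if not username or len(username) > 64:
        raise ValueError("unexpected username length")
    return safe_login_filter(username)
```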



Directory server main components are:

  • A front-end (handles LDAP client operations coming into the server over a TCP/IP connection);

  • A database back-end (stores and retrieves directory objects from a relational database).



Some researchers and professionals single out the following as the best of the open source and commercial LDAP servers:

Open source LDAP servers include:

  • Red Hat Directory Server/Fedora Directory Server. Red Hat Directory Server was originally bought from Netscape Security Solutions as a commercial product for Red Hat Enterprise Linux; nowadays Red Hat produces it under the name Red Hat Directory Server. Following its usual policy, Red Hat also produced a version for Fedora Core, called Fedora Directory Server, which is well suited to distributions based on Red Hat. The code of the two servers largely coincides because of their common root. Unlike OpenLDAP, the Fedora/Red Hat directory servers have good documentation.

  • OpenLDAP. OpenLDAP is the further development of the original slapd. It is widely distributed and used on many platforms such as Linux, FreeBSD, Windows and Mac OS X. The documentation on the website is quite outdated, but there are many useful step-by-step instructions. OpenLDAP is time-tested, and its functionality is practically identical to that of the Red Hat directory server.



Commercial LDAP Servers are:

  • Novell eDirectory. All products are free for higher education institutions. It runs on the following operating systems: Novell NetWare, Windows (NT), Linux (SUSE Enterprise or Red Hat), Solaris, AIX, HP-UX. You get everything in one product; all the necessary programs are supplied at once. Installation and customization are easy. Advantages: excellent documentation, an affordable price, technical support for registered users and cross-platform operation. Disadvantage: closed source.

  • Microsoft Active Directory. It is part of the Windows Server family and a perfect solution for MS networks. Advantages: perfect integration into the system and high-quality documentation.

  • Sun Java System Directory Server. Sun merged with iPlanet and created a new product, Sun ONE, later renamed Sun Java System Directory Server. It is not a standalone product but a part of Java Enterprise System. System requirements: Solaris 10, Solaris 9, Solaris 8 (SPARC only), Red Hat Enterprise Linux 2.1 and 3.1, HP-UX 11i, Microsoft Windows 2000, XP, 2003. You cannot buy it separately from Java Enterprise System, but if you decide to use the complete Sun solution you will not have any problems: Sun engineers will help you install and configure it to your requirements.

  • IBM Tivoli Directory Server. The LDAP solution from IBM. It is supported on the following operating systems: AIX, Solaris, Microsoft Windows 2000, HP-UX, and also Linux for Intel and for IBM eServer iSeries, pSeries and zSeries. Advantage: well-written documentation that is open and free for everyone.



LDAP servers are of no use without LDAP clients to access the directory. Some of them are listed below:

Microsoft Windows:

  • Softerra LDAP Administrator/LDAP Browser;

  • LDAPSoft LDAP Browser/LDAP Admin Tool;

  • LDAPAdmin;

  • MaXware Directory Explorer;

  • Active Directory Explorer.



Linux/UNIX:

  • Evolution;

  • KAddressBook;

  • LDAPSoft LDAP Browser/Administrator.



Mac OS X:

  • Address Book;

  • Directory Access;

  • Workgroup Manager.



Cross-platform:

  • Apache Directory Studio;

  • Ekiga (formerly GnomeMeeting);

  • Mozilla Thunderbird;

  • Novell Evolution;

  • phpLDAPadmin.



Storing data in a directory and sharing it among applications saves time and money by keeping administration effort and system resource usage down.

LDAP Administrator & Browser

Friday, 26 December 2008

Directory Services. Introduction to LDAP

When information systems became widely distributed and hierarchically complex, a need arose for a special tool that makes structured data easy to view and modify. After more than 70 years of producing and managing telephone directories, telecommunication companies introduced the concept of directory services. Directories became the optimal way to search and retrieve stored information. Directories are managed with directory service software, which stores, organizes and gives access to the stored information.

The main differences between directories and databases:

- directories are commonly networked / databases are commonly stored on one machine;

- directories are commonly widely distributed / classical databases are usually heterogeneous;

- a directory client does not use a full-fledged language to communicate with a server / databases often have complex query languages for data queries and manipulation;

- directories are built as tree-like information structures / databases are usually not structured hierarchically;

- directories are commonly read widely but rarely edited / databases are often supplemented with new information.

Standardization:

When a common and generally accepted certified standard became necessary, the X.500 protocol suite was created. Its primary concept is a hierarchical organization of entries, the Directory Information Tree, distributed across one or more servers. It is a kind of general suite for all network protocols. Its final conception is very complex and almost impossible to apply to custom needs, which is why alternative lightweight directory protocols became necessary. The most widespread of them is the alternative to DAP (Directory Access Protocol): LDAP (Lightweight Directory Access Protocol).

Lightweight Directory Access Protocol:

Though LDAP is based on the X.500 standard, it is simplified and adapted to custom needs. Using LDAP has many advantages. It offers system administrators a way to centralize and make available all sorts of infrastructure information. It is widely supported and immediately available to many clients, libraries and web applications. Many e-mail clients support LDAP lookup.

Every entry in an LDAP directory has a set of attributes and a distinguished name (DN). Every attribute has a name and one or more values. In general LDAP supports the following operations: start, bind, search, compare, add/delete/modify an entry, abandon, extended operation, unbind. Among the large variety of LDAP software, Softerra LDAP Administrator has held the lead for years.

Why use Softerra LDAP Administrator?

- It is an Explorer-like LDAP client designed especially for Windows;

- It supports OpenLDAP, Netscape/iPlanet, Novell eDirectory, Oracle Internet Directory, Lotus Domino, Microsoft Active Directory, Fedora/Red Hat, ApacheDS, OpenDS;

- It helps to modify an LDAP directory visually, through the Windows GUI, without command line utilities;

- It is very simple to manage and navigate a directory, no matter how large or hierarchically complex it is;

- It offers LDIF import and export for maintenance, eliminating all sorts of data corruption risks.

Directory service software stores, organizes and provides access to the information contained in directories. After networking standards were created, the X.500 suite appeared, which gave way to LDAP directories and later to Active Directory. An LDAP browser is used to view LDAP entries, and Softerra LDAP Administrator is an essential tool for modifying the entries in a directory.