iPlanet Directory Server Access Management Edition Installation and Configuration Guide



Chapter 1   Introducing iPlanet Directory Server Access Management Edition


iPlanet Directory Server Access Management Edition (DSAME) is an enterprise infrastructure solution. It's the key to all your business relationships, all your services, all your data, and who has access to what. DSAME enables you to get your customers, your employees, your partners and suppliers into one online directory. It also provides a means for establishing policies and permissions regarding who has access to which information in your enterprise. DSAME is designed to meet the challenges of businesses with growing extranets or hosting services. This chapter provides an introduction to the DSAME solution.

Topics in this chapter include:

  • iPlanet Products Form the DSAME Solution

  • Key Features and Benefits

iPlanet Products Form the DSAME Solution

DSAME is composed of iPlanet servers, services, and agents. It extends the basic functionality of iPlanet Directory Server. DSAME consolidates user data, services data, and access policies so that all of these can be managed efficiently under one console. You can use DSAME to define and enforce role-based policies that control access to web resources in your enterprise. These DSAME roles and policies also provide the means for delegating user account management—to administrators as well as non-administrators. The DSAME pluggable architecture makes it relatively easy to add new services and to customize their configuration for users and policies.

When you purchase DSAME, you receive a full complement of iPlanet servers, services, and agents which together form the DSAME solution. The product CD includes the following:

  • Directory Server

  • Management service

  • Policy service

  • URL Policy Agent


Directory Server

iPlanet Directory Server is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). In a DSAME deployment, Directory Server is the central repository for user data, services data, and access policies. This allows a variety of servers and applications to share a consistent set of data.

Figure 1-1    The Big Picture.



Policy Service

The Policy service is made up of four smaller, specialized services: Authentication, Single Sign-On, Logging, and Session. Together, these services provide the means for enforcing access rules. Access rules combine to form the policies which allow or deny a user to log in to an application.


Authentication

The Authentication service verifies the identities of users trying to access applications. Authentication is implemented through six pluggable modules that validate a user's credentials at login.


Single Sign-On

The Single Sign-On (SSO) service uses tokens for storing and transporting user information between applications. This makes it possible for users to log in to the enterprise once, and access multiple web-based applications in a single session—without having to re-authenticate for each application. The service provides Java interfaces for validating SSO tokens.


Logging

The Logging service writes log information to log files or to a log database. The log data is used by Authentication modules and by the DSAME administration console.


Session

The Session service maintains user session information. The session information is used to validate Single Sign-On tokens.

Figure 1-2    DSAME Architecture.



Management Service

The Management service is made up of three services: Policy Management, Identity Management, and Service Management. These three services are consolidated in the DSAME administration console, providing a single point for enterprise management. When you use Management service to make changes, the changes are automatically made in Directory Server.


Policy Management

The Policy Management service provides a means for creating, modifying and deleting access rules and policies for organizations and sub-organizations.


Identity Management

The Identity Management service is also referred to as User Management service. It provides the means for creating and managing users, roles, groups, people containers, organizations, organization units and sub-organizations.


Service Management

The Service Management service provides the means for registering and de-registering services, and for managing service attributes assigned to objects in the directory.


Web Server

iPlanet Web Server, although not included on the product CD as a stand-alone product, is an integral part of the DSAME solution. It is automatically installed and configured for you when you install the Policy and Management services. Working behind the scenes, this dedicated instance of Web Server provides the engine for policy enforcement, identity management, and service management. It also serves the graphical user interface.


URL Policy Agent

The DSAME URL Policy agent can be installed on iPlanet Web Servers installed in your enterprise. The agent enforces access rules and policies that are set on specific pages stored on the server. The agent intercepts each request received by a configured Web Server and communicates with the Policy service. The Policy service authenticates the user's credentials against Directory Server, and then examines the user's roles and policies. If the user has the proper credentials and policy assignment, the agent allows the user to access the URL over HTTP.
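The two flows described above, the Session service validating an SSO token and the URL Policy Agent intercepting a request and asking the Policy service for a decision, are illustrated by the following added example. It is example code written for this page, not the DSAME agent or its Java interfaces; the session store, the role data, the URL policy list, and the first-match evaluation order are all constructed assumptions. The point it shows is that an enforcement point denies by default: an unknown or expired token, a user with no matching role, or a URL with no matching policy all end in a deny, and an explicit deny placed ahead of a broader allow keeps a wildcard from granting more than intended.

```python
"""Constructed illustration of an intercept-and-decide enforcement point.

Example code, not DSAME's own agent. Sessions, roles, and policies below are
sample data made up for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

SESSION_TTL_SECONDS = 1800  # assumed idle/absolute lifetime for the example


@dataclass
class Session:
    user: str
    issued_at: float
    ttl: int = SESSION_TTL_SECONDS

    def is_valid(self, now: float) -> bool:
        return now - self.issued_at < self.ttl


class SessionService:
    """Stand-in for the Session service: maps opaque SSO tokens to sessions."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, token: str, user: str, now: float) -> None:
        self._sessions[token] = Session(user=user, issued_at=now)

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user a token belongs to, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None or not session.is_valid(now):
            return None
        return session.user


# Constructed stand-in for role data that would live in Directory Server.
DIRECTORY_ROLES: Dict[str, Set[str]] = {
    "alice": {"employee", "hr-admin"},
    "bob": {"employee"},
    "mallory": set(),
}

# Constructed URL policies: (url pattern, required role or "*", effect).
# Evaluated top to bottom, first match decides. The explicit deny on payroll
# sits above the broad "/hr/*" allow so the wildcard cannot widen access.
URL_POLICIES: List[Tuple[str, str, str]] = [
    ("/hr/payroll/*", "hr-admin", "allow"),
    ("/hr/payroll/*", "*", "deny"),
    ("/hr/*", "employee", "allow"),
    ("/public/*", "*", "allow"),
]


def authorize_request(session_svc: SessionService, token: str, url: str, now: float,
                      roles_db: Dict[str, Set[str]] = DIRECTORY_ROLES,
                      policies: List[Tuple[str, str, str]] = URL_POLICIES
                      ) -> Tuple[bool, str]:
    """Agent-side decision: validate the session, then evaluate URL policies.

    Returns (allowed, reason). Every path that is not an explicit allow denies.
    """
    user = session_svc.validate(token, now)
    if user is None:
        return False, "no valid session for token"
    roles = roles_db.get(user, set())
    for pattern, role, effect in policies:
        if fnmatchcase(url, pattern) and (role == "*" or role in roles):
            return effect == "allow", f"{effect}: matched {pattern} for role {role}"
    return False, "no matching policy (deny by default)"


if __name__ == "__main__":
    svc = SessionService()
    svc.create("tok-alice", "alice", now=1000.0)
    svc.create("tok-bob", "bob", now=1000.0)
    for token, url, now in [("tok-alice", "/hr/payroll/summary", 1100.0),
                            ("tok-bob", "/hr/payroll/summary", 1100.0),
                            ("tok-bob", "/hr/handbook", 1100.0),
                            ("tok-alice", "/hr/payroll/summary", 2800.0),
                            ("forged", "/public/index.html", 1100.0)]:
        print(token, url, authorize_request(svc, token, url, now))
```

In a real deployment the agent never evaluates roles itself; it hands the token to the Policy service, which checks the session and Directory Server data, so the decision logic above stands in for that round trip.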


Note

Although the URL Policy Agent comes with the Solaris version of DSAME, new versions of the URL Policy Agent—that can be used on the Windows 2000 Server platform as well as on Solaris—can be downloaded from this location:

http://www.iplanet.com/downloads/developer/5167.html

iPlanet strongly recommends that you use the new versions. Follow the instructions that come with the product.





Key Features and Benefits



As a business grows, its networking needs change. Efficiency, extensibility, rapid deployment of services, and maintained security become key factors in keeping its enterprise running smoothly and with minimum down-time. DSAME offers the following features to meet the challenges of growing enterprises.


Administration Console

A graphical interface that consolidates Identity, Service, and Policy management. Allows users—administrators as well as non-administrators—to create and manage user accounts, service attributes, and access rules in Directory Server using one interface and without having to know LDAP.


Policy Management

A means for creating and enforcing access rules. Grants or denies users' access to resources based on their credentials and based on the rules and policies you create.


Service Management

A means for registering services and service attributes. Allows you to assign service attributes to organizations, groups, or individual users from the same console that you use to perform user management.


Identity Management

A framework that supports several pre-defined administrator roles. Provides a means for creating, modifying, or deleting organizations, groups, and users. Automatically creates appropriate administrator entries, roles, and ACIs each time you create a new organization or managed group.


Authentication

A framework and a number of modules for verifying user identities. Provides security by requiring users to present credentials in order to log in to applications in the enterprise. The plug-in architecture makes it possible for iPlanet customers to write and use their own modules with DSAME. The following Authentication modules come with DSAME:

  • LDAP

  • RADIUS

  • Membership

  • Anonymous

  • Certificate-based


Web-based Single Sign-On

A mechanism that uses tokens to store and transport user information between applications. Enables a user to access multiple web-based applications during a single session without having to re-authenticate for each application.


URL Policy Agent

A mechanism that enforces access rules and policies that protect web resources. Provides security by requiring additional identification from users who attempt to access protected files or pages in a web server.


Secure Socket Layer (SSL)

A transport protocol that encrypts and secures communications over a network. Ensures that communications over the network cannot be viewed by unauthorized individuals.


Directory Replication Support

DSAME works with multi-master replication of Directory Server to provide a highly available directory service for both read and write operations.


Roles and Class of Service Support

DSAME works with Directory Server to provide a flexible mechanism for grouping and sharing attributes among entries. Allows you to dynamically change a large number of user, group, or organization entries by making a single change to a role or attribute.


Load-balancing Applications Support

DSAME works with load-balancing applications such as iPlanet Directory Access Router (iPlanet DAR) to provide high availability and firewall-like security.


Copyright 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated March 27, 2002