
How Does a Directory Rule Work?

In document Tripwire Enterprise User Guide (Page 90-95)

What are Directory Entries and Attributes?

Note For an introduction to directories and directory servers, see What are Node Types? on page 51.

A directory is a centrally-managed, hierarchical repository of data. The data in a directory can be drawn from a variety of systems, applications, and databases on a network.

Any type of data can be stored in a directory. However, directories are typically used to store information that remains relatively constant over time. For example, directories commonly store:

• Personal information (such as people's names, e-mail addresses, and phone numbers)

• User account credentials (such as user names and passwords)

• Network resources (such as the configurations of computers and other devices on a network)

An entry is a record within a directory, and an attribute is a property of an entry. For example, the entries in a directory may represent user accounts. For each of those entries, the associated attributes may consist of the user’s name, phone number, and e-mail address.

Each attribute consists of two components:

• The attribute name is a label for the attribute.

• The attribute value is the actual data being stored by the attribute. The attribute value may consist of either text or binary data, and a single attribute can have one or more values.

For example, cn=Monica Combs is an attribute name/value pair, where cn is the attribute name and Monica Combs is the attribute value.

Table 30 (below) identifies some common attribute names used in directories.

Attribute Name   Used for ...
cn               common names of entities
ou               organizational units that reflect the structure of a network or organization
dc               components of a domain name (domain components)

Table 30. Common attribute names

What are Object Classes and Schemas?

Each attribute in an entry is either required or optional. However, the objectClass attribute is a special attribute that is required for all entries. The objectClass attribute identifies the object classes that apply to each entry. An object class is a collection of definitions that applies to one or more entries; for example:

• Definitions dictating the required and optional attributes for each entry in the object class

• Definitions determining the directory location(s) in which the object class' entries may be created

The available object classes are defined in the directory's schema. When an entry is added to a directory, the server checks the entry against the definitions associated with the entry's object classes (including any superior classes they inherit from). If the entry does not satisfy all of those definitions, the addition fails. For instance, if the entry lacks a required attribute, or carries an attribute that none of its object classes permit, the entry violates the schema and is rejected.
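The schema check described above, as an added example (it is not Tripwire's code and not a real server's schema engine): a hand-written subset of object classes modelled on RFC 4519, with MUST and MAY attribute lists inherited from superior classes, and a check_entry function that returns the violations that would make an add fail. The class definitions, the attribute spellings and the sample entries are assumptions made here; a real server reads its schema from its subschema subentry and compares names case-insensitively, which the code mimics by lower-casing them.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ObjectClass:
    name: str
    superior: Optional[str] = None      # class whose MUST/MAY lists this one inherits
    must: FrozenSet[str] = frozenset()  # required attributes
    may: FrozenSet[str] = frozenset()   # optional attributes


# Hand-written subset of a schema, modelled on the RFC 4519 definitions (assumed, not
# loaded from a server). Names are lower-cased because LDAP compares them case-insensitively.
SCHEMA: Dict[str, ObjectClass] = {oc.name: oc for oc in [
    ObjectClass("top", must=frozenset({"objectclass"})),
    ObjectClass("person", "top", must=frozenset({"cn", "sn"}),
                may=frozenset({"userpassword", "telephonenumber", "description"})),
    ObjectClass("organizationalperson", "person", may=frozenset({"title", "ou", "l"})),
    ObjectClass("organizationalunit", "top", must=frozenset({"ou"}),
                may=frozenset({"description", "l"})),
    ObjectClass("domain", "top", must=frozenset({"dc"}), may=frozenset({"description"})),
]}


def effective_attrs(class_names: List[str]) -> Tuple[Set[str], Set[str]]:
    """Union of MUST and MAY over the given classes and every superior up to top."""
    must: Set[str] = set()
    may: Set[str] = set()
    todo, seen = [c.lower() for c in class_names], set()
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        oc = SCHEMA.get(name)
        if oc is None:
            raise ValueError(f"objectClass {name!r} is not defined in the schema")
        must |= oc.must
        may |= oc.may
        if oc.superior:
            todo.append(oc.superior)
    return must, may


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the schema violations that would make an add fail; [] means it passes."""
    # Attributes with no values are treated as absent.
    values = {name.lower(): vals for name, vals in entry.items() if vals}
    classes = values.get("objectclass", [])
    if not classes:
        return ["objectClass is required for every entry"]
    try:
        must, may = effective_attrs(classes)
    except ValueError as err:
        return [str(err)]
    present = set(values)
    problems = [f"missing required attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} is not allowed by objectClass {classes}"
                 for a in sorted(present - must - may)]
    return problems


if __name__ == "__main__":
    # Constructed entries: one valid, one missing sn, one with an attribute person does not allow.
    for e in [{"objectClass": ["person"], "cn": ["Bill Long"], "sn": ["Long"]},
              {"objectClass": ["person"], "cn": ["Bill Long"]},
              {"objectClass": ["person"], "cn": ["Bill Long"], "sn": ["Long"], "mail": ["bl@example.com"]}]:
        print(check_entry(e) or "ok")
```

The check mirrors what the server does at add time: collect the effective MUST and MAY sets by walking superior classes, then report anything required that is missing and anything present that no class allows.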

How are Directories Organized?

Four types of entries comprise a directory:

• The root DSE (DSA-Specific Entry, where DSA stands for Directory System Agent, the directory server itself) is a special entry that describes the capabilities of the server. For example, the root DSE identifies the directory protocol versions the server supports and the naming contexts it holds.

• A container entry is an entry used to organize other entries in parent/child relationships. As with a folder in a file system, a container can have entries and/or other containers as children, but a child entry can only have a single container as a parent. An entry becomes a container when other entries (children) are placed under it.

• A naming context is a container entry that has no parent entry on the server; the naming contexts a server holds are listed in its root DSE (in the namingContexts attribute).

• Under a naming context, a leaf entry is an entry that does not contain other entries.

Figure 13 on the next page provides an example of a simplified directory.

• dc=mycompany,dc=com is the naming context for the directory hierarchy.

• Directly beneath that, two container entries have been created: ou=Computers and ou=People.

• In one of the container entries (ou=People), two leaf entries exist. The leaf entries are records for two people (Cindy Davis and Bill Long).

• The objectClass of the leaf entries (person) identifies two required attributes (sn and email in this simplified schema) that must be present in each leaf entry. (The standard person object class defined in RFC 4519 requires cn and sn instead; the figure's schema is illustrative only.)

Note The root DSE is not depicted in Figure 13.

Tripwire Enterprise 8.2 User Guide 91 Chapter 3. Terms, Concepts, and Functions

In a directory, each entry is uniquely identified by a distinguished name (DN). A DN refers to a specific entry in a directory, and clearly indicates the location of the entry.

Figure 13. Example of a directory hierarchy

Each distinguished name is an ordered list of relative distinguished names (RDNs), each an attribute-value pair. The entry's own RDN is leftmost and the naming context is rightmost, so a DN is read from right to left to walk from the top of the hierarchy down to the entry.

To identify an entry, a DN prepends an attribute-value pair that is unique among the children of the entry's parent (the entry's RDN) to the DN of that parent. In our example (Figure 13), the DN for the Bill Long entry is:

cn=Bill Long,ou=People,dc=mycompany,dc=com

Among the children of the parent entry (ou=People), the cn attribute value (cn=Bill Long) is unique.

The other components of the DN (ou=People, dc=mycompany, and dc=com) are the attribute-value pairs of the entries positioned above the cn attribute in the directory hierarchy, ending at the naming context.

For more information about directory servers, see:

LDAP Directories Explained, Brian Arkills (Addison-Wesley, 2003)

Note Although eDirectory does not natively use the X.500 naming scheme, Tripwire Enterprise interfaces with eDirectories via Novell’s LDAP module. Therefore, you must use the X.500 naming scheme (described above) when specifying entries in an eDirectory.

About Directory Rules

In Tripwire Enterprise, a directory rule identifies entries and attributes in a directory (see Table 22 on page 78 for a list of directory rule types). Table 31 defines the components that may be assigned to a directory rule. Start points and stop points determine exactly which entries and attributes are identified by a directory rule.

Component      Description
start points   A start point specifies an entry, as well as one or more attributes of the entry to be monitored by the rule. If a start point specifies a container entry, the entry's children will also be identified by the rule.
               Note: The objectClass attribute determines which attributes are available with each entry (see How are Directories Organized? on page 91).
stop points    A stop point specifies an entry to be excluded from operations run with the rule. If a stop point specifies a container entry, you can also exclude the entry's children.
actions        An action initiates a response if the rule identifies a monitored object for which a change version is created. For more information, see What are Actions and Action Types? on page 110.

Table 31. Components of a directory rule
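The two ideas above, how a DN is built from RDNs read right to left (How are Directories Organized?) and how start points and stop points bound what a directory rule identifies (Table 31), as one added example in Python. It is not Tripwire's code: the StartPoint and StopPoint classes, the rule_scope function and the DIRECTORY snapshot (the Figure 13 hierarchy plus one constructed computer entry) are assumptions made here, and the matching follows Table 31 as written (a start point covers the entry and its descendants and monitors only attributes the entry actually has; a stop point excludes the entry and, optionally, its descendants). DN splitting honours RFC 4514 backslash escapes but not multi-valued RDNs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, leftmost (most specific) first.

    Commas separate RDNs unless escaped with a backslash (RFC 4514), so
    'cn=Long\\, Bill' stays one RDN. Types are lower-cased because LDAP compares
    them case-insensitively; values are kept as written (escapes included).
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def parent_dn(dn: str) -> Optional[str]:
    """The DN one level up (None if dn is a single RDN). Whether that DN exists as an
    entry depends on the directory: above a naming context there is nothing on this server."""
    rest = split_dn(dn)[1:]
    return ",".join(f"{t}={v}" for t, v in rest) or None


def is_under(dn: str, ancestor: str) -> bool:
    """True if dn is ancestor itself or lies anywhere beneath it (RDN-list suffix match)."""
    a, b = split_dn(dn), split_dn(ancestor)
    return len(a) >= len(b) and a[len(a) - len(b):] == b


@dataclass(frozen=True)
class StartPoint:          # hypothetical model of a Table 31 start point
    dn: str
    attributes: frozenset  # attribute names to monitor at the entry and its descendants


@dataclass(frozen=True)
class StopPoint:           # hypothetical model of a Table 31 stop point
    dn: str
    exclude_children: bool = False


def rule_scope(entries: Dict[str, Dict[str, List[str]]],
               start_points: List[StartPoint],
               stop_points: List[StopPoint]) -> Dict[str, Set[str]]:
    """Map each identified entry DN to the attribute names the rule monitors there."""
    scope: Dict[str, Set[str]] = {}
    for dn, attrs in entries.items():
        present = {name.lower() for name in attrs}   # what the entry's objectClass gave it
        wanted: Set[str] = set()
        for sp in start_points:
            if is_under(dn, sp.dn):                   # the start point itself or a descendant
                wanted |= {a.lower() for a in sp.attributes} & present
        if not wanted:
            continue
        excluded = any(split_dn(dn) == split_dn(st.dn)
                       or (st.exclude_children and is_under(dn, st.dn))
                       for st in stop_points)
        if not excluded:
            scope[dn] = wanted
    return scope


# Constructed snapshot of the Figure 13 directory plus one computer entry (not real data).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "dc=mycompany,dc=com": {"objectClass": ["domain"], "dc": ["mycompany"]},
    "ou=Computers,dc=mycompany,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["Computers"], "description": ["Managed hosts"]},
    "ou=People,dc=mycompany,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["People"], "description": ["Staff"]},
    "cn=Cindy Davis,ou=People,dc=mycompany,dc=com": {"objectClass": ["person"], "cn": ["Cindy Davis"], "sn": ["Davis"], "mail": ["cdavis@mycompany.com"]},
    "cn=Bill Long,ou=People,dc=mycompany,dc=com": {"objectClass": ["person"], "cn": ["Bill Long"], "sn": ["Long"], "mail": ["blong@mycompany.com"], "telephoneNumber": ["555-0100"]},
    "cn=ws01,ou=Computers,dc=mycompany,dc=com": {"objectClass": ["device"], "cn": ["ws01"], "description": ["Workstation"]},
}

# A hypothetical rule: two start points, two stop points (one leaf, one container kept with its children).
START_POINTS = [
    StartPoint("ou=People,dc=mycompany,dc=com", frozenset({"sn", "mail", "telephoneNumber", "description"})),
    StartPoint("ou=Computers,dc=mycompany,dc=com", frozenset({"description"})),
]
STOP_POINTS = [
    StopPoint("cn=Cindy Davis,ou=People,dc=mycompany,dc=com"),
    StopPoint("ou=Computers,dc=mycompany,dc=com", exclude_children=False),
]


def example_scope() -> Dict[str, Set[str]]:
    return rule_scope(DIRECTORY, START_POINTS, STOP_POINTS)


if __name__ == "__main__":
    for dn, names in example_scope().items():
        print(dn, "->", sorted(names))
```

Running it lists three entries: ou=People (description only, since an organizational unit has no sn or mail), cn=Bill Long (sn, mail, telephoneNumber), and cn=ws01 (description). Cindy Davis is dropped by the leaf stop point, and ou=Computers is dropped while its child ws01 is kept because that stop point does not exclude children.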

To create a new directory rule, see Creating a Directory Rule on page 436.

Tips

For your convenience, Tripwire provides a collection of default directory rules on the Tripwire Web site. For more information, see What are Pre-Configured Rules and Policies? on page 215.

For a list of directory products officially supported by Tripwire Enterprise, see:

http://www.tripwire.com/it-compliance-products/te/supported-devices/

To optimize system performance, you should avoid using a single directory rule to monitor all entries in a directory. Instead, Tripwire recommends the use of multiple directory rules that identify different entries and attributes. By using multiple directory rules (as opposed to a single rule), you can significantly reduce the amount of bandwidth and memory required to baseline or version check the directory.


What are Binary Attributes and Security Attributes?

In a directory, attributes can be saved in a variety of formats. As appropriate, you can define the formats of specific attributes in the Settings Manager. By defining the formats of attributes, you explicitly instruct Tripwire Enterprise to process and save the data in a specific manner.

• When an attribute is defined as a binary attribute, Tripwire Enterprise treats the attribute's value as binary data. As a result, the application saves the attribute's value as an MD5 hash in new element versions. Because only the digest is stored, a version comparison can show that a binary value changed, but not what it changed to.

• (Active Directory only) If you designate an attribute as a security attribute, Tripwire Enterprise will interpret the attribute's value as a Windows security descriptor. As a result, new element versions will save the attribute's value as four related attributes: a DACL, a SACL, an owner, and a group.

Note In Active Directory, a Windows security descriptor is a binary data structure attached to an entry. It records the entry's owner and primary group, the discretionary access control list (DACL) of security principals granted or denied each permission on the entry, and the system access control list (SACL) of accesses to be audited.

For further instructions, see:

• Setting LDAP Directory Preferences (on page 306)

• Setting Active Directory Preferences (on page 306)

• Setting Sun Directory Preferences (on page 307)

• Setting Novell eDirectory Preferences (on page 308)
