Chapter 6
Bindery
The NetWare 386 bindery is a database that contains
information about resources such as file servers, print
servers, and database servers and about the users who
access and use those resources. For example, a print
server that advertises its services on the internet is
a resource and has its name and internetwork address
stored in the bindery of every file server on the
internet. (Because of this, the bindery can also be used
as a resource directory where clients can extract a
listing of all resources available on the network.) The
bindery also contains information on each client and is
the basis on which NetWare login security mechanisms are
built, including password protection, client accounting,
and client restrictions. The following sections are
discussed:
■ Bindery Files
■ Bindery Components
■ Bindery Security
Bindery Files
The implementation of the NetWare 386 bindery consists
of three files located in the SYS:SYSTEM directory: one
file for bindery objects, one for properties, and one for
property data sets. The bindery supports up to 16,777,216
objects and 16,777,216 properties. A bindery object name
appears in a 48-byte field, one length byte followed by
1 to 47 bytes for characters. Like directories and files, the bindery supports multi-byte
character sets and two-byte wildcard searching. The
implementation of the bindery under NetWare 386 as
contrasted to its implementation under 286 is shown
below.
------------------------------------------------------------
Changes To The Bindery

                          NetWare 386 Bindery    NetWare 286 (v2.1x) Bindery
Max Number of Objects     16,777,216             65,536
                                                 (Number of Properties / 2)
Max Number of Properties  16,777,216             131,072
                                                 (Number of Objects x 2)
Bindery Files             NET$OBJ.SYS            NET$BIND.SYS
                          NET$PROP.SYS           NET$BVAL.SYS
                          NET$VAL.SYS
------------------------------------------------------------
Bindery Components
The bindery is comprised of components called objects and
properties. An object can be a user, user group, file
server, print server, or any other logical or physical
entity on the network that has been given a name. Each
object also has associated with it a set of
characteristics called properties, and each property has
a property value.
Property values fall into one of two categories: set
properties or item properties. A set property has
associated with it a list or set of object IDs that are
contained in the property's value. An item property has
associated with it a property value that can contain any
type of data; typically it contains a numeric value, a
string, or a structure. These bindery components are
shown in the following graphic.
Each object can have multiple properties associated with
it. For example, a user's set of properties may include
a password, an account balance, and a list of groups the
user is a member of. A server, rather than having
multiple properties, might have just one property that
contains its network address.
The property's value contains the actual data that is
associated with the property. A user's password, for
example, is stored in the property value associated with
the password property, a user's account balance in the
property value associated with the account balance
property, and so on. Although a property can only have
one value, the value can contain multiple segments, each
segment being 128 bytes long. An example bindery object
with its associated properties and their values is shown
in the following figure.
Bindery Security
Each server
administers the security for its local resources,
services, and client accounts through its bindery. The
bindery's security and the file system's security are
independent. The bindery does not store any of the file
system's directory trustee information. Directory
trustees are stored in directory entries which are an
integral part of the NetWare physical directory
structure. The only relationship between the bindery and
the file system is that the file system stores each
directory's trustee in the form of an object ID. For more
information on file system security and directory
trustees, refer to Chapter 5, File and Directory
Security. The bindery provides a flexible yet secure operating
environment through several security measures, as shown
below.
-----------------------------
Bindery Security Measures
* Security Access Levels
* Privileges
* Encrypted Passwords
-----------------------------
Security Access Levels
Each object and property in the bindery has a security
access level associated with it which controls the read
and write access to a bindery object and its properties.
The object security and the property security are each
two nibbles; the low-order nibble controls the read
security and the high-order nibble controls the write
security. The following values are defined for each
nibble:
Privileges
The bindery of each server also enforces security by
supporting various degrees of privileges: Supervisors,
Workgroup Managers, Users.
Each bindery has a SUPERVISOR object that is granted
special bindery security privileges. The supervisor is
allowed to grant special administrative privileges to
other objects through the security equivalence feature.
The security equivalence feature allows a bindery object
to be granted the same access rights as another object.
The security equivalence feature is also useful in
defining user groups. User groups are a means of
logically organizing users into workgroups so that the
system supervisor can simplify the security process.
NetWare 386 supports two new properties called the
WG_MANAGER and OBJ_SUPERVISOR properties. WG_MANAGER is
a set property associated with object SUPERVISOR.
Supervisors can create this property with the SYSCON
utility and thus give limited supervisory privileges to
one or more individuals that are designated as workgroup
managers.
If an object's ID appears in WG_MANAGER's data set, the
object (a workgroup manager) can create new bindery
objects. In the figure below, for example, Ed's object
ID is in the supervisor's WG_MANAGER's data set;
therefore, Ed is a workgroup manager and can create new
bindery objects.
Any objects that a workgroup manager creates have
associated with them an OBJ_SUPERVISOR set property that
includes the creating workgroup manager's object ID. For
example, if Ed creates a user, Robert, Ed's object ID is
in the OBJ_SUPERVISOR set property associated with
Robert.
It is also important to note that if object Ed's ID
appears in object Robert's OBJ_SUPERVISOR's data set,
object Ed has all rights to object Robert, whether or not
object Ed's ID appears in the SUPERVISOR's WG_MANAGER's
data set.
Encrypted Passwords
In addition to the security access levels and the
SUPERVISOR object and WG_MANAGER property, the bindery
provides login security with the password property. With
NetWare 386, the bindery supports encrypted passwords at
the workstation and on the wire. You can also disable
password protection if you desire.