
CIT 470: Advanced Network and System Administration
Directories
CIT 470: Advanced Network and System Administration
Slide #1
Topics
1. Directories
2. LDAP Structure
3. LDIF
4. Distinguished Names
5. Replication
6. OpenLDAP Configuration
What is a Directory?
Directory: A collection of information that is primarily searched and read, rarely modified.
Directory Service: Provides access to directory information.
Directory Server: Application that provides a directory service.
Directories vs. Databases
Directories are optimized for reading.
– Databases balanced for read and write.
Directories are tree-structured.
– Databases typically have relational structure.
Directories are usually replicated.
– Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
System Administration Directories
Types of directory data
– Accounts
– Mail aliases and lists (address book)
– Cryptographic keys
– IP addresses
– Hostnames
– Printers
Common directory services
– DNS, LDAP, NIS
Advantages of Directories
Make administration easier.
– Change data only once: people, accounts, hosts.
Unify access to network resources.
– Single sign on.
– Single place for users to search (address book)
Improve data management
– Improve consistency (one location vs many)
– Secure data in one place: one server to harden, audit, and back up instead of many copies.
NIS: Network Information Service
Originally called Sun Yellow Pages
– Clients run ypbind.
– Servers run ypserv.
– Data stored under /var/yp on server.
Server shares NIS maps with clients
– Each UNIX file may provide multiple NIS maps.
– NIS maps map keys like UID, username to data.
– passwd: passwd.byname, passwd.byuid
Slave servers replicate master server content.
Easy to use, but insecure (maps, including password hashes, are served in cleartext to any host that knows the NIS domain name) and difficult to extend.
LDAP
Lightweight Directory Access Protocol
– Lightweight compared to X.500 directories (runs directly over TCP/IP instead of the full OSI stack).
– A directory service, not a database.
– An access protocol, not a directory itself.
LDAP Clients and Servers
LDAP Clients
– Standalone directory browsers.
– Embedded clients (mail clients, logins, etc.)
– Configure /etc/nsswitch.conf (and PAM) on UNIX to use LDAP for accounts.
Common LDAP servers
LDAP Structure
An LDAP directory is made of entries.
– Entries may be employee records, hosts, etc.
Each entry consists of attributes.
– Attributes can be names, phone numbers, etc.
– The objectClass attribute identifies the entry type.
Each attribute is a type / value pair.
– Type is a label for the information stored (the attribute name).
– Value is the value of the attribute in this entry.
– Attributes can be multi-valued.
Tree-structure of LDAP Directories
LDAP Schemas
Schemas specify allowed objectClasses and attributes.
LDIF
LDAP Data Interchange Format (RFC 2849).
– Standard text format for storing LDAP configuration data and directory contents.
LDIF Files
– Collection of entries separated by blank lines.
– Each entry is a dn: line followed by attribute: value lines.
Uses
– Import new data into directory.
– Export directory to LDIF files for backups.
LDIF Output Example
LDIF Backups and Restores
Backing up an LDAP directory
slapcat > backup.ldif
OR to do a daily backup use date in name
slapcat > backup-`date +%F`.ldif
slapcat dumps every attribute, including userPassword hashes, so keep backup files readable only by root.
Restoring an LDAP directory
service ldap stop
rm -rf /var/lib/ldap/*
slapadd < backup.ldif
chown -R ldap:ldap /var/lib/ldap
service ldap start
slapadd runs as root and creates the database files as root; without the chown, slapd cannot open them when it starts.
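The LDIF rules from the previous slide and the backup/restore procedure above, as an added example in Python. This is not code from the slides or from OpenLDAP. It assumes slapcat and slapadd are on PATH, that the data directory is /var/lib/ldap and that slapd runs as user ldap (all three are parameters, so the functions can be exercised without a server); SAMPLE_LDIF is constructed data.

```python
"""Added example (not from the original slides or from OpenLDAP): an LDIF
parser for the format described above, used to validate a slapcat dump before
it is kept as a backup or fed to slapadd. Assumed: slapcat/slapadd on PATH,
data directory /var/lib/ldap, service user 'ldap' (all overridable)."""
import base64
import os
import shutil
import subprocess
import time

SAMPLE_LDIF = """\
# constructed slapcat-style output, not real data
dn: dc=gkar,dc=nku,dc=edu
objectClass: dcObject
objectClass: organization
dc: gkar

dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: posixAccount
uid: fooj
uidNumber: 10101
cn:: SmVmZiBGb28=
homeDirectory: /home/c/fooj
description: a value that is fol
 ded across two lines
userPassword:: e1NTSEF9ZmFrZWhhc2g=
"""


def parse_ldif(text):
    """Entries as dicts: attribute name (lower-cased) -> list of values.
    Handles '#' comments, folded lines (continuation starts with one space)
    and base64 values ('attr:: ...'), which slapcat emits for every userPassword."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, entry = [], {}
    for line in logical + ['']:          # sentinel flushes the last entry
        if line.startswith('#'):
            continue
        if line == '':
            if entry:
                entries.append(entry)
            entry = {}
            continue
        name, sep, value = line.partition(':')
        if not sep or not name:
            raise ValueError(f'not an LDIF attribute line: {line!r}')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entries


def check_dump(text, suffix):
    """Reject an empty dump, an entry without a dn, or an entry outside the
    expected suffix (wrong database or corrupt file). Returns the entry count."""
    entries = parse_ldif(text)
    if not entries:
        raise ValueError('empty dump')
    for entry in entries:
        dn = entry.get('dn', [''])[0]
        if not dn:
            raise ValueError('entry without dn')
        if not dn.lower().endswith(suffix.lower()):   # our own dump, so a suffix check is enough
            raise ValueError(f'entry outside {suffix}: {dn}')
    return len(entries)


def run_slapcat():
    return subprocess.run(['slapcat'], capture_output=True, text=True, check=True).stdout


def backup(dest_dir, suffix, dump=run_slapcat):
    """Dump, validate, then write backup-YYYY-MM-DD.ldif created with mode 0600:
    the dump holds every password hash, so it is never world-readable, not even
    briefly. O_EXCL also refuses to clobber a backup made earlier today."""
    text = dump()
    count = check_dump(text, suffix)
    path = os.path.join(dest_dir, time.strftime('backup-%Y-%m-%d.ldif'))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(text)
    return path, count


def restore(ldif_path, suffix, data_dir='/var/lib/ldap', owner='ldap', run=subprocess.run):
    """The slide's stop / wipe / slapadd / start sequence, but the file is
    validated before anything is deleted, and ownership is fixed afterwards
    because slapadd (run as root) creates the database files as root."""
    with open(ldif_path) as f:
        count = check_dump(f.read(), suffix)
    run(['service', 'ldap', 'stop'], check=True)
    for name in os.listdir(data_dir):
        path = os.path.join(data_dir, name)
        shutil.rmtree(path) if os.path.isdir(path) else os.remove(path)
    run(['slapadd', '-l', ldif_path], check=True)
    run(['chown', '-R', f'{owner}:{owner}', data_dir], check=True)
    run(['service', 'ldap', 'start'], check=True)
    return count
```

`backup('/root/ldap-backups', 'dc=gkar,dc=nku,dc=edu')` is the daily job; `restore` is only ever run by hand, and its `run` parameter exists so the sequence can be rehearsed against a scratch directory with a recording stub before it is pointed at /var/lib/ldap.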
Distinguished Names
Distinguished Names (DNs)
– Uniquely identify an LDAP entry.
– Provide the path from the LDAP root to the named entry.
– Similar to an absolute pathname.
– dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
Relative DNs (RDNs)
– Any attribute pair that is unique within the directory container.
– ex: cn=Jeff Foo OR username=fooj
– Similar to a relative pathname.
– Except an RDN may have multiple components, joined with +:
– cn=Jane Smith+ou=Sales
– cn=Jane Smith+ou=Engineering
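A parser for the DN syntax just described, as an added example (not from the slides; written in the style of RFC 4514: RDNs separated by commas, multi-valued RDNs joined with `+`, special characters escaped with a backslash). The DNs it is exercised with are constructed. The last function shows why a base-DN check must be done on parsed RDNs rather than on the string.

```python
"""Added example (not from the original slides): a small RFC 4514-style DN
parser. All DNs below are constructed for the example."""


def _split_unescaped(text, sep):
    """Split text on sep, leaving backslash-escaped separators inside values."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):   # keep the escape pair together
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(''.join(current))
    return parts


def parse_dn(dn):
    """Return the DN as a list of RDNs, leftmost (most specific) first.

    Each RDN is a list of (type, value) pairs: one pair for cn=Jeff Foo, two
    for the multi-valued cn=Jane Smith+ou=Sales. Attribute types are
    case-insensitive and are lower-cased here; values are kept as written.
    """
    if dn.strip() == '':
        return []                                # the empty DN names the root
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        pairs = []
        for ava in _split_unescaped(rdn, '+'):
            attr_type, eq, value = ava.partition('=')
            if not eq or not attr_type.strip():
                raise ValueError(f'malformed RDN component: {ava!r}')
            pairs.append((attr_type.strip().lower(), value.strip()))
        rdns.append(pairs)
    return rdns


def format_dn(rdns):
    """Inverse of parse_dn."""
    return ','.join('+'.join(f'{t}={v}' for t, v in rdn) for rdn in rdns)


def parent_dn(dn):
    """Drop the leftmost RDN: the containing entry, like dirname for a path."""
    return format_dn(parse_dn(dn)[1:])


def _normalize(rdn):
    # Compare RDNs case-insensitively and independent of '+' component order.
    return sorted((t, v.lower()) for t, v in rdn)


def is_under(dn, base):
    """True if dn lies strictly below base in the tree.

    Done on parsed RDNs, not with str.endswith: an escaped comma in a value
    (cn=a\\,ou=Sales,dc=plainjoe,dc=org) makes the string end with
    'ou=Sales,dc=plainjoe,dc=org' although the entry is not inside ou=Sales.
    Suffix string matching is how naive authorization code gets fooled.
    """
    d, b = parse_dn(dn), parse_dn(base)
    if not b:
        return len(d) > 0
    if len(d) <= len(b):
        return False
    return [_normalize(r) for r in d[-len(b):]] == [_normalize(r) for r in b]
```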
(R)DN Example #1
(R)DN Example #2
ldapsearch
Options
-LLL removes comments and LDAP version info.
-b base supplies base DN (uses ldap.conf if no -b.)
-x uses simple authentication instead of SASL.
-D binddn -W binds as binddn and prompts for the password (with -x and no -D, the bind is anonymous).
-H ldap://your.server.edu accesses that server. If -H not specified, uses ldap.conf to find server.
-ZZ requests StartTLS and aborts if it cannot be negotiated, so a simple-bind password is never sent in the clear.
Search for all elements
ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"
ldapsearch -LLL -x "(filter)"
> ldapsearch -LLL -x "(uid=fooj)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
ldapsearch -LLL -x "(filter)"
> ldapsearch -LLL -x "(uidNumber=10101)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
Multiple Record Matches
> ldapsearch -LLL -x "(loginShell=/bin/bash)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/b/fooj
loginShell: /bin/bash
...
Size limit exceeded (4) (result code 4: the server's sizelimit stops a search after that many entries, so a broad filter returns only a partial list)
Wildcard Matches
> ldapsearch -LLL -x "(uid=smith*)"
dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
uid: smitha
uidNumber: 10221
cn: smitha
homeDirectory: /home/f/smitha
loginShell: /bin/bash
...
dn:
uid: smithj
uidNumber: 12302
cn: smithj
homeDirectory: /home/g/smithj
LDAP Client/Server Interaction
1. Client requests to bind to server.
2. Server accepts/denies bind request.
3. Client sends search request.
4. Server returns zero or more dir entries.
5. Server sends result code with any errors.
6. Client sends an unbind request.
7. Server closes the connection (an unbind request has no response message).
LDAP Operations
Client Session Operations
– Bind, unbind, and abandon
Query and Retrieval Operations
– Search and compare
Modification Operations
– Add, modify, modifyRDN, and delete
Authentication
Anonymous Authentication
Binds with empty DN and password.
Simple Authentication
Binds with DN and password. The password crosses the wire in cleartext.
Simple Authentication over SSL/TLS
Use SSL/TLS (ldaps:// on port 636, or StartTLS on the normal port 389) to encrypt simple authentication.
Simple Authentication and Security Layer
SASL is an extensible security scheme.
SASL mechanisms: Kerberos, GSSAPI, SKEY
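The bind, response and unbind steps from the client/server interaction slide, and the anonymous versus simple bind cases from this slide, as an added example that encodes the messages the way they actually travel (LDAPv3 BER as in RFC 4511) against a simulated server. This is not code from the slides or from OpenLDAP: the "server" is a dictionary of DN to password, and every DN and password is constructed. The point to take from it is visible in the assertions: with simple bind the password string sits verbatim inside the request bytes, which is why simple bind needs TLS underneath.

```python
"""Added example (not from the original slides or from OpenLDAP): LDAPv3
bind / bindResponse / unbind messages in BER, plus a simulated server.
DNs, passwords and the directory contents are constructed."""


def _ber_length(n):
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _ber_int(n, tag=0x02):
    # minimal two's-complement encoding (a 0x00 prefix keeps 128..255 positive)
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, 'big', signed=True))


def _read_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] password } }"""
    op = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, op))


def bind_response(msg_id, result_code, diagnostic=''):
    """bindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }"""
    op = _ber_int(result_code, tag=0x0A) + _tlv(0x04, b'') + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x61, op))


def unbind_request(msg_id):
    """unbindRequest [APPLICATION 2] NULL; the server answers by closing the connection."""
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x42, b''))


def parse_message(buf):
    tag, seq, _ = _read_tlv(buf)
    if tag != 0x30:
        raise ValueError('not an LDAPMessage')
    _, mid, pos = _read_tlv(seq)
    msg = {'id': int.from_bytes(mid, 'big', signed=True)}
    op_tag, op, _ = _read_tlv(seq, pos)
    if op_tag == 0x60:
        _, ver, p = _read_tlv(op)
        _, name, p = _read_tlv(op, p)
        auth_tag, cred, _ = _read_tlv(op, p)
        msg.update(op='bindRequest', version=ver[0], name=name.decode(),
                   simple=(auth_tag == 0x80),
                   password=cred.decode() if auth_tag == 0x80 else None)
    elif op_tag == 0x61:
        _, rc, p = _read_tlv(op)
        _, _, p = _read_tlv(op, p)
        _, diag, _ = _read_tlv(op, p)
        msg.update(op='bindResponse', resultCode=rc[0], diagnostic=diag.decode())
    elif op_tag == 0x42:
        msg.update(op='unbindRequest')
    else:
        raise ValueError(f'unsupported protocolOp tag 0x{op_tag:02x}')
    return msg


SUCCESS, PROTOCOL_ERROR, INVALID_CREDENTIALS = 0, 2, 49   # LDAP resultCode values


def server_handle(directory, wire):
    """Server side of steps 1-2 and 6-7 for one client message.

    Returns response bytes, or None when the connection is to be closed
    (unbind). Empty DN + empty password is the anonymous bind and succeeds.
    A non-empty DN with an empty password ("unauthenticated" bind) is refused
    explicitly: servers that quietly treat it as anonymous let applications
    mistake an empty-password login for a successful one.
    """
    msg = parse_message(wire)
    if msg['op'] == 'unbindRequest':
        return None
    if msg['op'] != 'bindRequest' or not msg['simple']:
        return bind_response(msg['id'], PROTOCOL_ERROR, 'only simple bind is implemented here')
    if msg['name'] == '' and msg['password'] == '':
        return bind_response(msg['id'], SUCCESS)
    if msg['password'] != '' and directory.get(msg['name']) == msg['password']:
        return bind_response(msg['id'], SUCCESS)
    return bind_response(msg['id'], INVALID_CREDENTIALS, 'invalid credentials')


def bind_exchange(directory, dn, password):
    """Client side: bind, read the response, unbind. Returns (request bytes, parsed response)."""
    request = bind_request(1, dn, password)
    response = parse_message(server_handle(directory, request))
    server_handle(directory, unbind_request(2))   # no reply; server closes the socket
    return request, response
```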
Distributed Directories
Use multiple LDAP servers.
Provider: master server that replicates its entries to the
Consumers: replicas that provide LDAP access to clients.
Why distribute?
– Throughput: more servers reduce the load on any single server.
– Latency: have a local server serve local data on the LAN, and use the WAN only for non-local data held on other servers.
– Administrative boundaries: let each side administer its own directory.
OpenLDAP
Open source LDAPv3 server.
– LDAP server: slapd
– Client commands: ldapadd, ldapsearch
– Backend storage: BerkeleyDB (bdb/hdb; newer releases use LMDB, back-mdb)
– Backend commands: slapadd, slapcat
– Schemas: /etc/openldap/schema
– Data: /var/lib/ldap
Configuration files
– Client: /etc/openldap/ldap.conf
– Server: /etc/openldap/slapd.conf
Building an OpenLDAP Server
1. Install OpenLDAP.
2. Configure LDAP for your domain.
Edit slapd.conf
OR use runtime configuration (cn=config, stored under slapd.d and edited with ldapmodify)
3. Start server
Immediate: service ldap start
Permanent: chkconfig --level 35 ldap on
4. Add data with ldapadd, binding as the rootdn: ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f data.ldif
5. Verify functionality with ldapsearch.
slapd.conf (Server)
File Locations (usually accept defaults)
Schema files
Configuration files
Database directory
Database
suffix = DN of topmost node in directory
rootdn = DN of LDAP administrative user
rootpw = Password of LDAP administrator (store the hash printed by slappasswd, not the cleartext password)
Access Control
access directives; with none present, slapd's default policy is read access for everyone, which exposes userPassword hashes to anonymous clients.
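The database section of slapd.conf as a practitioner would write it, as an added example (not from the slides): the weak rootpw line is shown commented out beside the hashed form, and the access directives are the ones from the OpenLDAP Administrator's Guide. The suffix, rootdn and hash are placeholders.

```conf
# Added example, not from the original slides. Placeholders: example.com,
# cn=Manager, and the {SSHA} hash, which comes from running slappasswd.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# weak:   rootpw secret          (cleartext, readable by anyone who can read this file)
# better: paste the salted hash printed by slappasswd
rootpw          {SSHA}<hash printed by slappasswd>
directory       /var/lib/ldap

# Without any access directives the default policy is read access for
# everyone, anonymous clients included. Lock the password attribute down first.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
```

`by anonymous auth` grants exactly what a bind needs (compare against the stored hash) without allowing a read, so a client can authenticate but cannot fetch hashes; `by users read` limits browsing to authenticated clients. Test the result with `ldapsearch -x` (anonymous) and confirm that no userPassword lines come back.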
ldap.conf (Client)
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE       dc=example,dc=com        (match suffix in slapd.conf)
#URI        ldap://ldap.example.com ldap://ldapmaster.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never