Introduction - Northern Kentucky University


CIT 470: Advanced Network and System Administration
Directories
CIT 470: Advanced Network and System Administration
Slide #1
Topics
1. Directories
2. LDAP Structure
3. LDIF
4. Distinguished Names
5. Replication
6. OpenLDAP Configuration
What is a Directory?
Directory: A collection of
information that is primarily
searched and read, rarely modified.
Directory Service: Provides access
to directory information.
Directory Server: Application that
provides a directory service.
Directories vs. Databases
Directories are optimized for reading.
– Databases balanced for read and write.
Directories are tree-structured.
– Databases typically have relational structure.
Directories are usually replicated.
– Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
System Administration Directories
Types of directory data
– Accounts
– Mail aliases and lists (address book)
– Cryptographic keys
– IP addresses
– Hostnames
– Printers
Common directory services
– DNS, LDAP, NIS
Advantages of Directories
Make administration easier.
– Change data only once: people, accounts, hosts.
Unify access to network resources.
– Single sign on.
– Single place for users to search (address book)
Improve data management
– Improve consistency (one location vs many)
– Secure data through only one server.
NIS: Network Information Service
Originally called Sun Yellow Pages
– Clients run ypbind.
– Servers run ypserv.
– Data stored under /var/yp on server.
Server shares NIS maps with clients
– Each UNIX file may provide multiple NIS maps.
– NIS maps map keys like UID, username to data.
– passwd: passwd.byname, passwd.byuid
Slave servers replicate master server content.
Easy to use, but insecure, difficult to extend.
LDAP
Lightweight Directory Access Protocol
– Lightweight compared to X.500 directories.
– A directory service, not a database.
– Access Protocol, not a directory itself.
LDAP Clients and Servers
LDAP Clients
– Standalone directory browsers.
– Embedded clients (mail clients, logins, etc.)
– Configure /etc/nsswitch.conf on UNIX to use LDAP.
Common LDAP servers
LDAP Structure
An LDAP directory is made of entries.
– Entries may be employee records, hosts, etc.
Each entry consists of attributes.
– Attributes can be names, phone numbers, etc.
– The objectClass attribute identifies the entry type.
Each attribute is a type / value pair.
– Type is a label for the information stored (e.g. name).
– Value is the data held for that attribute in this entry.
– Attributes can be multi-valued.
Tree-structure of LDAP Directories
LDAP Schemas
Schemas specify allowed objectClasses and attributes.
LDIF
LDAP Interchange Format.
– Standard text format for storing LDAP configuration data and directory contents.
LDIF Files
– Collection of entries separated by blank lines.
– Mapping of attribute names to values.
Uses
– Import new data into directory.
– Export directory to LDIF files for backups.
LDIF Output Example
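The LDIF slide above says what the format is; here is an added example, not part of the slides, that reads slapcat-style LDIF into Python dicts. The sample text is constructed (the fooj entry is borrowed, abridged, from the ldapsearch slides; smitha is made up), and it covers the three details a naive line splitter misses: folded continuation lines, '::' base64 values, and repeated (multi-valued) attributes.

```python
import base64

# Constructed sample in slapcat style; fooj is the entry from the slides (abridged).
SAMPLE_LDIF = """\
# exported with slapcat
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: posixAccount
uid: fooj
uidNumber: 10101
loginShell: /bin/bash

dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: posixAccount
uid: smitha
description: a long value that the exporter
  wrapped onto a second line
userPassword:: e1NTSEF9ZXhhbXBsZQ==
"""

def unfold(text):
    """Join folded lines (leading space) and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # folding strips only the first space
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return entries as dicts mapping attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:   # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):      # '::' marks a base64 value (e.g. a hash)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries
```

Run it on a real `slapcat` export to see every entry as a dict; password hashes come back decoded from base64 but still hashed.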
LDIF Backups and Restores
Backing up an LDAP directory
slapcat > backup.ldif
OR, for a daily backup, put the date in the file name:
slapcat > backup-`date +%F`.ldif
Restoring an LDAP directory
service ldap stop
rm -rf /var/lib/ldap/*
slapadd < backup.ldif
service ldap start
Distinguished Names
Distinguished Names (DNs)
– Uniquely identify an LDAP entry.
– Provides path from LDAP root to the named entry.
– Similar to an absolute pathname.
– dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
Relative DNs (RDNs)
– Any unique attribute pair in directory’s container.
– ex: cn=Jeff Foo OR username=fooj
– Similar to a relative pathname.
– Except may have multiple components.
– cn=Jane Smith+ou=Sales
– cn=Jane Smith+ou=Engineering
(R)DN Example #1
(R)DN Example #2
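An added example, not from the slides, of the DN/RDN structure described above: a small parser that splits a DN into RDNs the way a pathname splits into components, including multi-valued RDNs joined with '+' and commas escaped inside a value. The DNs it is exercised on are the slide's own; the function names are assumed.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators inside values alone."""
    parts, buf, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair intact
            buf += s[i:i + 2]
            i += 2
        elif s[i] == sep:
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += s[i]
            i += 1
    parts.append(buf)
    return parts

def parse_dn(dn):
    """Return the DN as a list of RDNs, leaf first; each RDN is a list of
    (type, value) pairs, so a '+' joined RDN like cn=Jane Smith+ou=Sales
    becomes [("cn", "Jane Smith"), ("ou", "Sales")]."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError("bad RDN component: %r" % ava)
            # attribute types are case-insensitive; drop the escaping backslashes
            pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
        rdns.append(pairs)
    return rdns

def rdn_of(dn):
    """Leftmost RDN: the LDAP analogue of basename()."""
    return split_unescaped(dn, ",")[0]

def parent_dn(dn):
    """Everything after the leftmost RDN: the LDAP analogue of dirname()."""
    return ",".join(split_unescaped(dn, ",")[1:])
```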
ldapsearch
Options
-LLL removes comments and LDAP version info.
-b base supplies base DN (uses ldap.conf if no -b.)
-x uses simple authentication instead of SASL.
-H ldap://your.server.edu accesses that server.
If -H not specified, uses ldap.conf to find server.
Search for all elements
ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"
ldapsearch -LLL -x "(DN)"
> ldapsearch -LLL -x "(uid=fooj)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
ldapsearch -LLL -x "(DN)"
> ldapsearch -LLL -x "(uidNumber=10101)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
Multiple Record Matches
> ldapsearch -LLL -x "(loginShell=/bin/bash)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/b/fooj
loginShell: /bin/bash
...
Size limit exceeded (4)
Wildcard Matches
> ldapsearch -LLL -x "(uid=smith*)"
dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
uid: smitha
uidNumber: 10221
cn: smitha
homeDirectory: /home/f/smitha
loginShell: /bin/bash
...
dn:
uid: smithj
uidNumber: 12302
cn: smithj
homeDirectory: /home/g/smithj
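An added example, not from the slides, that evaluates the filter forms used on the ldapsearch slides above ((objectclass=*), (uid=fooj), (uid=smith*)) against in-memory entries and reproduces the size-limit behaviour behind "Size limit exceeded (4)". The entries are constructed from the records shown; the default of 500 is slapd's default sizelimit.

```python
import re

SIZE_LIMIT_EXCEEDED = 4   # LDAP result code behind "Size limit exceeded (4)"

# Constructed entries modelled on the fooj/smitha/smithj records on the slides.
ENTRIES = [
    {"dn": ["uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["fooj"],
     "uidNumber": ["10101"], "loginShell": ["/bin/bash"],
     "objectClass": ["top", "account", "posixAccount"]},
    {"dn": ["uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["smitha"],
     "uidNumber": ["10221"], "loginShell": ["/bin/bash"]},
    {"dn": ["uid=smithj,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["smithj"],
     "uidNumber": ["12302"], "loginShell": ["/bin/tcsh"]},
]

def values(entry, attr):
    """Attribute types are case-insensitive, so (objectclass=*) sees objectClass."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def matches(entry, flt):
    """Evaluate a simple filter: (attr=value), presence (attr=*), or wildcard."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, pattern = m.groups()
    vals = values(entry, attr)
    if pattern == "*":                    # presence: any value at all
        return bool(vals)
    if "*" in pattern:                    # substring: only '*' is a wildcard
        rx = ".*".join(re.escape(piece) for piece in pattern.split("*"))
        return any(re.fullmatch(rx, v) for v in vals)
    return pattern in vals                # equality (schema matching rules ignored)

def search(entries, flt, sizelimit=500):
    """Return (matching entries, result code); the code is 4 when the server's
    size limit truncated the answer, as on the loginShell=/bin/bash slide."""
    found = []
    for entry in entries:
        if matches(entry, flt):
            if len(found) == sizelimit:
                return found, SIZE_LIMIT_EXCEEDED
            found.append(entry)
    return found, 0
```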
OpenLDAP
Open source LDAPv3 server.
– LDAP server: slapd
– Client commands: ldapadd, ldapsearch
– Backend storage: BerkeleyDB
– Backend commands: slapadd, slapcat
– Schemas: /etc/openldap/schema
– Data: /var/lib/ldap
Configuration files
– Client: /etc/openldap/ldap.conf
– Server: /etc/openldap/slapd.conf
Building an OpenLDAP Server
1. Install OpenLDAP.
2. Configure LDAP for your domain.
Edit slapd.conf
OR use Run Time Configuration (RTC)
3. Start server
Immediate: service ldap start
Permanent: chkconfig --level 35 ldap on
4. Add data with ldapadd.
5. Verify functionality with ldapsearch.
slapd.conf (Server)
File Locations (usually accept defaults)
Schema files
Configuration files
Database directory
Database
suffix = DN of topmost node in directory
rootdn = DN of LDAP administrative user
rootpw = Password of LDAP administrator
Access Control
ldap.conf (Client)
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE       dc=example,dc=com        (match suffix in slapd.conf)
#URI        ldap://ldap.example.com ldap://ldapmaster.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never