Transcript Installing the LDAP Server

LINUX SYSTEM ADMINISTRATION AND SECURITY
03 AUGUST 2005
LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL
VINEET BHARDWAJ
VINAY KUMAR THOTA
INTRODUCTION
INSTALLATION
CONFIGURATION
SECURITY ISSUES
CONCLUSION
DIRECTORY SERVICE
LDAP
DESIGNED AT UNIVERSITY OF MICHIGAN
EXIST AT THREE LEVELS
BIG PUBLIC SERVERS
LARGE ORGANIZATIONAL SERVERS
SMALLER WORK GROUP SERVERS
A Directory service structure for the internet. It has many features that
make it ideal for providing network information services, including
encryption support, access control lists, fast read access, etc.. LDAP will
combine several systems that normally have to be maintained
separately , such as NT authentication, UNIX authentication, MTA
routing information, services/protocols/hosts information, network
address books, etc.
INFORMATION
KIND
ARRANGEMENT
REFERENCE
ACCESS
Prerequisite Software
Versions
The structure of an LDAP directory tree
LDAP directory servers store their data hierarchically.
As with DNS host names, an LDAP directory record's
Distinguished Name (DN for short) is read from the individual
entry, backwards through the tree, up to the top level.
A DIRECTORY TREE STRUCTURE
COUNTRY
STATE
THE ORGANIZATION
ORGANIZATIONAL UNIT
PERSON
HOW DOES LDAP WORK ????
CLIENT SERVER MODEL
TCP/IP OR ANY OTHER CONNECTION ORIENTED
X.500,THE OSI DIRECTORY SERVICE
ABOUT
Slapd Slurpd
Slapd
Supports
strong authentication and data security
SASL
Transport layer security
Topology control – TCP Wrappers
Access Control
Choice of database back ends
Threads
Replication
Single Configuration file
Slurpd
Replicated service
Failed requests
Installing the LDAP Server
Five steps are necessary to install the server:
• Install the pre-required packages (if not already
installed).
• Download the server.
• Unpack the software.
• Configure the Makefiles.
• Build the server.
Installation contd.
Downloading the package
• There are two free distributed LDAP servers:
University of Michigan LDAP server and Open
LDAP server
• It's latest tar gzipped version is available on the
following address:
http://www.openldap.org
• If you want to get the latest version of University
of Michigan Server, go to this address:
ftp://terminator.rs.itd.umich.edu/ldap
Installation contd.
Unpacking the software
• First copy the package to a desirable
directory, for example /usr/local. Next use
the following command:
tar xvzf openldap-2.2.5.tgz
• You can use this command too, as well:
gunzip openldap-2.2.5.tgz | tar xvf –
Installation contd.
Configuring the software
• Type the following command on the directory
where you unpacked the software:
./configure --help
This will print all options that you can customize
with the configure script before you build the
software.
• Normally if you run configure without options, it will
auto-detect the appropriate settings and prepare to
build things on the default common location. So
just type:
./configure
Installation contd.
Building the server
• After configuring the software you can start building it.
First build the dependencies, using the command:
make depend
• Build the server after that, using the command:
make
• To ensure a correct build, you should run the test suite
make test
• Now install the binaries and man pages. You may
need to be superuser to do this (depending on where
you are installing things):
su root -c 'make install'
Configuration
• All slapd (LDAP directory server) runtime
configuration is accomplished through the
slapd.conf file, installed in the prefix directory one
specifies in the configuration script or by default in
/usr/local/etc/openldap
• First create an /etc/openldap/slapd.confg file.
You need to change the following line
suffix “dc=mydomain, dc=com”
rootdn “cn=admin, dc=mydomain, dc=com”
rootpw {crypt}abjnggxhB/yWI
Configuration contd.
• The suffix is your “LDAP basename”. Common
practice is to use your DNS domain name as your
LDAP basename.
• The rootdn is adminstrator’s name, and rootpw
is administrator’s password.
• You also need to change the /etc/ldap.conf and
etc/openldap/ldap.conf to change the name of
your LDAP server and your basename.
Configuration contd.
Populating your server
The easiest way to populate your LDAP
server is that Padl Software which provides a
free set of Perl scripts that migrate existing
flat files. They are available from
www.padl.com/tools.html
Configuration contd.
Setting up a LDAP client
• Edit the LDAP config files (/etc/ldap.conf and
etc/openldap/ldap.conf ) to specify the server
and your site’s basename.
• You can verify that you are connecting to the
LDAP server correctly by running ldapsearch – x,
which dumps the entire database.
• Finally, change the appropriate lines in
/etc/nsswitch.conf to use the LDAP server as a
data source.
USING LDAP
CONNECTING LDAP SERVER
LDAPS
NORMAL LDAP CONNECTION WORKS BY THE PORT 389
NETWORK SECURITY
DATA INTEGRITY AND CONFIDENTIALITY PROTECTION
AUTHENTICATION METHODS
NETWORK SECURITY
SELECTIVE LISTENING
IP FIREWALL
TCP WRAPPERS
DATA INTEGRITY AND CONFIDENTIALITY PROTECTION
LDAPv3 AND TSL
AUTHENTICATION METHODS
SIMPLE AND SASL
LDAPS
VERIFICATION
X.509 CERTIFICATES
ALGORITHMS IN OPENSSL
DATA INTEGRITY AND CONFIDENTIALITY PROTECTION
LDAPv3 AND TLS
RFC 2246 DESCRIBES TLS
CLEANED UP AND STANDARDIZED VERSION OF SSL
SWITCHING
SECURITY STRENGHT FACTORS
SSF
AUTHENTICATION METHODS
SIMPLE
ANONYMOUS
UNAUTHENTICATED AND
USER/PASWORD AUTHENTICATED
SASL
AN AUTHENTICATION FRAME WORK
SNIFFING
MECHANISMS LIKE CRAM-MD5 AND EXTERNAL
LDAP has broader applications, such as looking up services and devices
on the Internet (and intranets). Netscape Communicator can store user
preferences and bookmarks on an LDAP server. There is even a plan for
linking all LDAP servers into a worldwide hierarchy, all searchable from
your client.
LDAP promises to save users and administrators time and frustration,
making it easy for everyone to connect with people without frustrating
searches for email addresses and other trivia.
The LDAP protocol is both cross-platform and standards-based
Most LDAP servers are simple to install, easily maintained, and easily optimized
LDAP is particularly useful for storing information that you wish to read from many
locations, but update infrequently
If the answer to each of the following questions is Yes, then
storing your data in LDAP is a good idea.
Would you like your data to be available cross-platform?
Do you need to access this data from a number of
computers or applications?
Do the individual records you're storing change a few times
a day or less, on average?
Does it make sense to store this type of data in a flat
database instead of a relational database? That is, could
you effectively store all the data for a given item in a single
record?