Advanced Network and System Administration. Accounts and Namespaces

Transcription

1 Advanced Network and System Administration Accounts and Namespaces 1

2 Topics 1. What is a directory? 2. NIS 3. LDAP 4. OpenLDAP 5. LDAP Authentication 2

3 What is a Directory? Directory: A collection of information that is primarily searched and read, rarely modified. Directory Service: Provides access to directory information. Directory Server: Application that provides a directory service. 3

4 Directories vs. Databases Directories are optimized for reading. Databases balanced for read and write. Directories are tree-structured. Databases typically have relational structure. Directories are usually replicated. Databases can be replicated too. Both are extensible data storage systems. Both have advanced search capabilities. 4

5 System Administration Directories Types of directory data Accounts Mail aliases and lists (address book) Cryptographic keys IP addresses Hostnames Printers Common directory services DNS, LDAP, NIS 5

6 Advantages of Directories Make administration easier. Change data only once: people, accounts, hosts. Unify access to network resources. Single sign on. Single place for users to search (address book) Improve data management Improve consistency (one location vs many) Secure data through only one server. 6

7 NIS: Network Information Service Originally called Sun Yellow Pages Clients run ypbind Servers run ypserv Data stored under /var/yp on server. Server shares NIS maps with clients Each UNIX file may provide multiple maps passwd: passwd.byname, passwd.byuid Slave servers replicate master server content. Easy to use, but insecure, difficult to extend. 7

8 LDAP Lightweight Directory Access Protocol Lightweight compared to X.500 directories. Directory, not a database. Access Protocol, not a directory itself. 8

9 LDAP Clients and Servers LDAP Clients Standalone directory browsers. Embedded clients (mail clients, logins, etc.) Cfg /etc/nsswitch.conf on UNIX to use LDAP. Common LDAP servers OpenLDAP Fedora Directory Server (formerly Sun, Netscape) Mac Open Directory Microsoft ActiveDirectory Novell edirectory (NDS) 9

10 LDAP Structure An LDAP directory is made of entries. Entries may be employee records, hosts, etc. Each entries consists of attributes. Attributes can be names, phone numbers, etc. objectclass attribute identifies entry type. Each attribute is a type / value pair. Type is a label for the information stored (name) Value is value for the attribute in this entry. Attributes can be multi-valued. 10

11 Tree-structure of LDAP Directories 11

12 LDAP Schemas Schemas specify allowed objectclasses and attributes. 12

13 LDIF LDAP Interchange Format. Standard text format for storing LDAP configuration data and directory contents. LDIF Files Uses Collection of entries separated by blank lines. Mapping of attribute names to values. Import new data into directory. Export directory to LDIF files for backups. 13

14 LDIF Output Example 14

15 Distinguished Names Distinguished Names (DNs) Uniquely identify an LDAP entry. Provides path from LDAP root to the named entry. Similar to an absolute pathname. dn:cn=jeff Foo,ou=Sales,dc=plainjoe,dc=org Relative DNs (RDNs) Any unique attribute pair in directory s container. ex: cn=jeff Foo OR username=fooj Similar to a relative pathname. Except may have multiple components. cn=jane Smith+ou=Sales cn=jane Smith+ou=Engineering 15

16 LDAP Client/Server Interaction 1. Client requests to bind to server. 2. Server accepts/denies bind request. 3. Client sends search request. 4. Server returns zero or more dir entries. 5. Server sends result code with any errors. 6. Client sends an unbind request. 7. Server sends result code and closes socket. 16

17 LDAP Operations Client Session Operations Bind, unbind, and abandon Query and Retrieval Operations Search and compare Modification Operations Add, modify, modifyrdn, and delete 17

18 Authentication Anonymous Authentication Binds with empty DN and password. Simple Authentication Binds with DN and password. Cleartext. Simple Authentication over SSL/TLS Use SSL to encrypt simple authentication. Simple Authentication and Security Layer SASL is an extensible security scheme. SASL mechanisms: Kerberos, GSSAPI, SKEY 18

19 Distributed Directories Use multiple LDAP servers. Why distribute? Throughput More servers can reduce load on any single server. Latency Have local server serve local data to LAN. Only use WAN for non-local data on other servers. Administrative Boundaries Let each side administrate their own directory. 19

20 OpenLDAP Open source LDAPv3 server. LDAP server: slapd Client commands: ldapadd, ldapsearch Backend storage: BerkeleyDB Backend commands: slapadd, slapcat Schemas: /etc/openldap/schema Data: /var/lib/ldap Configuration files Client: /etc/openldap/ldap.conf Server: /etc/openldap/slapd.conf 20

21 Building an OpenLDAP Server 1. Install OpenLDAP. 2. Configure LDAP for your domain. Change suffix, rootdn, rootpw options. vim /etc/openldap/slapd.conf 1. Start server Immediate: /sbin/service ldap start Permanent: /sbin/chkconfig level 35 ldap on 1. Add data with ldapadd 2. Verify functionality with ldapsearch 21

22 LDAP Authentication 1. Configure server with schema + user data. 2. Point clients to hostname and rootdn of svr. /etc/ldap.conf and /etc/openldap/ldap.conf 1. Verify server access with ldapsearch 2. Configure clients to use LDAP auth /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap 22

23 References 1. Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, Addison-Wesley, Gerald Carter, LDAP System Administration, O Reilly, J. Heiss, Replacing NIS with Kerberos and LDAP, LDAP Howtos, Links, and Whitepapers, Luiz Malere, Linux LDAP HOWTO, OpenLDAP, OpenLDAP Administrator s Guide, RedHat, Red Hat Enterprise Linux 4 Reference Guide, Chapter 13,