Advanced Network and System Administration
System Administration: Accounts and Namespaces
Topics
1. What is a directory?
2. NIS
3. LDAP
4. OpenLDAP
5. LDAP Authentication
What is a Directory?
Directories vs. Databases
Directories are optimized for reading.
Databases are balanced for read and write.
Directories are tree-structured.
Databases typically have relational structure.
Directories are usually replicated.
Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
System Administration Directories
NIS: Network Information Service
Originally called Sun Yellow Pages
Clients run ypbind
Servers run ypserv
Data stored under /var/yp on server.
Server shares NIS maps with clients
Each UNIX file may provide multiple maps
passwd: passwd.byname, passwd.byuid
Slave servers replicate master server content.
Easy to use, but insecure and difficult to extend.
LDAP
Lightweight Directory Access Protocol
Lightweight compared to X.500 directories.
Directory, not a database.
Access Protocol, not a directory itself.
LDAP Clients and Servers
LDAP Clients
Standalone directory browsers.
Embedded clients (mail clients, logins, etc.)
Configure /etc/nsswitch.conf on UNIX to use LDAP.
Common LDAP servers
OpenLDAP
Fedora Directory Server (formerly Sun, Netscape)
Mac Open Directory
Microsoft Active Directory
Novell eDirectory (NDS)
LDAP Structure
An LDAP directory is made of entries.
Entries may be employee records, hosts, etc.
Each entry consists of attributes.
Attributes can be names, phone numbers, etc.
objectClass attribute identifies entry type.
Each attribute is a type / value pair.
Type is a label for the kind of information stored (e.g. name).
Value is the value of that attribute in this entry.
Attributes can be multi-valued.
Tree-structure of LDAP Directories
LDAP Schemas
Distinguished Names
Distinguished Names (DNs)
Uniquely identify an LDAP entry.
Provide the path from the LDAP root to the named entry.
Similar to an absolute pathname.
dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
Relative DNs (RDNs)
Any attribute pair that is unique within the entry's container.
e.g. cn=Jeff Foo or username=fooj
Similar to a relative pathname,
except that an RDN may have multiple components joined with +:
cn=Jane Smith+ou=Sales
cn=Jane Smith+ou=Engineering
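As an added example (not code from the lecture or from any LDAP library), the following parser splits a DN into its RDNs the way the slides describe: RDNs separated by commas, multi-valued RDNs joined with +, and backslash-escaped separators inside values (the RFC 4514 string form). It then derives the parent DN, which is the directory analogue of dirname on an absolute path. The DNs used in the demo are the ones from the slides; the escaped variant is constructed.

```python
"""Parse LDAP distinguished names into RDN components.

Added example, not from the lecture or an LDAP library. Handles the
comma-separated RDN list, multi-valued RDNs joined with '+', and
backslash escapes in values (RFC 4514 string form).
"""
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN: one or more (attribute type, value) pairs
_SPECIALS = ',+"\\<>;'        # characters that must be escaped inside a value


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, but not where sep is preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape(value: str) -> str:
    """Resolve '\\XX' hex escapes (one byte each) and '\\c' character escapes."""
    def repl(match: "re.Match") -> str:
        esc = match.group(1)
        if len(esc) == 2:
            return bytes.fromhex(esc).decode("latin-1")
        return esc
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs from the leftmost (most specific) to the root."""
    dn = dn.strip()
    if dn.lower().startswith("dn:"):        # accept LDIF-style 'dn: ...' lines
        dn = dn[3:].strip()
    if not dn:
        return []                            # the empty DN, as used by anonymous binds
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr_type, value = ava.split("=", 1)
            pairs.append((attr_type.strip().lower(), _unescape(value.strip())))
        rdns.append(pairs)
    return rdns


def _escape(value: str) -> str:
    return "".join("\\" + ch if ch in _SPECIALS else ch for ch in value)


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn: re-join RDNs with ',' and multi-valued pairs with '+'."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in rdns)


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN, like dirname on an absolute path ('' at the root)."""
    return format_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    for example in ("cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org",
                    "cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org",
                    r"cn=Foo\, Jeff,ou=Sales,dc=plainjoe,dc=org"):   # constructed
        print(parse_dn(example), "->", parent_dn(example))
```

Splitting on an unescaped comma is the detail that matters in practice: a value such as "Foo, Jeff" must be escaped as `Foo\, Jeff`, otherwise the DN gains an extra, bogus RDN and names a different (or nonexistent) entry.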
LDAP Client/Server Interaction
LDAP Operations
Client Session Operations
Bind, unbind, and abandon
Query and Retrieval Operations
Search and compare
Modification Operations
Add, modify, modifyRDN, and delete
Authentication
Anonymous Authentication
Binds with empty DN and password.
Simple Authentication
Binds with DN and password, both sent in cleartext.
Simple Authentication over SSL/TLS
Use SSL to encrypt simple authentication.
Simple Authentication and Security Layer
SASL is an extensible security scheme.
SASL mechanisms: Kerberos, GSSAPI, SKEY
Distributed Directories
Use multiple LDAP servers.
Why distribute?
Throughput
More servers can reduce load on any single server.
Latency
Have local server serve local data to LAN.
Only use WAN for non-local data on other servers.
Administrative Boundaries
Let each organization administer its own directory.
OpenLDAP
Open source LDAPv3 server.
LDAP server: slapd
Client commands: ldapadd, ldapsearch
Backend storage: BerkeleyDB
Backend commands: slapadd, slapcat
Schemas: /etc/openldap/schema
Data: /var/lib/ldap
Configuration files
Client: /etc/openldap/ldap.conf
Server: /etc/openldap/slapd.conf
Building an OpenLDAP Server
1. Install OpenLDAP.
2. Configure LDAP for your domain.
   Change the suffix, rootdn, and rootpw options:
   vim /etc/openldap/slapd.conf
3. Start the server.
   Immediate: /sbin/service ldap start
   Permanent: /sbin/chkconfig --level 35 ldap on
4. Add data with ldapadd.
5. Verify functionality with ldapsearch.
LDAP Authentication
1. Configure the server with schema + user data.
2. Point clients to the hostname and rootDN of the server:
   /etc/ldap.conf and
   /etc/openldap/ldap.conf
3. Verify server access with ldapsearch.
4. Configure clients to use LDAP authentication:
   /etc/nsswitch.conf
   passwd: files ldap
   shadow: files ldap
   group: files ldap
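The order of sources on each nsswitch.conf line is what makes the client usable when the directory is down: with files listed first, local accounts such as root still resolve without the LDAP server. As an added example (not code from the lecture), the following parser reads nsswitch.conf text and reports, for the three databases the slide configures, whether ldap is present and whether files precedes it. The sample configuration is constructed, with a deliberately reversed group line.

```python
"""Check the nsswitch.conf lines a client needs for LDAP authentication.

Added example, not from the slides. Parses nsswitch.conf text and
checks that passwd, shadow and group list 'ldap' with 'files' first.
"""
import re
from typing import Dict, List

AUTH_DATABASES = ("passwd", "shadow", "group")

SAMPLE = """\
# constructed sample /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      ldap files
hosts:      files [NOTFOUND=return] dns
netgroup:   files
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database name to its ordered list of sources.

    Comments and action specifiers such as [NOTFOUND=return] are dropped;
    only the service names (files, ldap, dns, ...) are kept.
    """
    databases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        databases[name.strip()] = sources.split()
    return databases


def check_ldap_auth(text: str) -> Dict[str, str]:
    """Report, per authentication database, whether the LDAP setup is sound."""
    databases = parse_nsswitch(text)
    findings: Dict[str, str] = {}
    for name in AUTH_DATABASES:
        sources = databases.get(name, [])
        if "ldap" not in sources:
            findings[name] = "ldap not configured"
        elif sources[0] != "files":
            findings[name] = "files should precede ldap"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for database, verdict in check_ldap_auth(SAMPLE).items():
        print(f"{database:7} {verdict}")
```

The same parser can be pointed at the real file with `check_ldap_auth(open("/etc/nsswitch.conf").read())` on a client being brought into the directory.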