CIT 470: Advanced Network and System Administration
Accounts and Namespaces
Topics
• Namespaces
• Policies: selection, lifetime, scope, security
• User Accounts
• Directories
• LDAP
Namespaces
A namespace consists of
• A set of unique keys
• A set of attributes associated with each key
Example
• Key = Username
• Attributes: GECOS, home directory, shell, password
Namespaces
Systems include many namespaces:
• User account names
• E-mail addresses
• Filesystem pathnames
• Hostnames
• IP addresses
• Printer names
• Service names
Types of Namespaces
Flat
• No duplicates may exist.
• Ex: usernames in /etc/passwd.
Hierarchical
• Tree-structured namespace like DNS.
• Duplicates can exist, because a name is only unique within its parent.
• Ex: www.nku.edu and www.google.com (the same leaf name, www, under two different parents).
Namespace Problems
• How to select names?
• How to avoid name collisions?
• How to ensure consistency?
• How to distribute names?
Name Selection
Functional names
• mail hostname, /cit/470, student account
Descriptive names
• geographic, print type, customer type
Formula-based names
• cvg0141 hostname, student0148 account
Themed names
• constellations (orion, ursa, etc.)
No standard
Name Lifetime
When are names removed?
• Immediately after the PC or user leaves the organization.
• A set time after the resource is no longer in use.
When are names re-used?
• Immediately: functional names.
• Never.
• After a set time: usernames, e-mail addresses.
Namespace Scope
Geographical scopes
• Local machine (e.g., /etc/passwd).
• Local network.
• Organization.
• Global (e.g., DNS).
Service scopes
• Single username for UNIX, NT, RADIUS, e-mail, VPN?
Transferring scopes
• Difficult without advance planning.
• Some names may have to change.
Namespace Security
• What are you trying to protect names from, and why?
• Do the names need to be protected, or just the attributes?
• Who can add, change, or delete records?
• Can the owner of a record change fields within the record?
Example Namespace: Usernames
Selection policies
• Descriptive: waldenj, jwalden
• Descriptive + formulaic: waldenj1, jwalden0002
Scope
• Use for every campus (avoids collisions).
• Use for every service (avoids collisions).
Lifetime
• Do not reuse until 1 year has passed, since e-mail addresses derive from usernames.
One Big Database
Centralize the namespace in one big database.
• Use SQL or LDAP to store the entire namespace.
Derive other namespaces from the database.
• Program to generate UNIX accounts.
• Program to generate NT accounts.
• etc.
Advantages
• Consistency.
• Ease of making changes, additions, and deletions.
User Account Types
OS files
• UNIX /etc/{passwd,shadow}
• Windows SAM
Network service
• NIS
• LDAP
• Kerberos
• Active Directory
• RADIUS
UNIX Accounts
Account components
• Username
• UID
• Password
• Home directory
Account files
• /etc/passwd
• /etc/shadow
• /etc/group
Account management
• Adding users
• Removing and disabling users
• Account/password policies
/etc/{passwd,shadow}
Central file(s) describing UNIX user accounts.
/etc/passwd fields
• Username
• Password placeholder (x: the hash itself lives in /etc/shadow)
• UID
• Default GID
• GECOS
• Home directory
• Login shell
/etc/shadow fields
• Username
• Encrypted password
• Date of last password change.
• Days until a change is allowed.
• Days until a change is required.
• Expiration warning time.
• Expiration date.
Example entries for one account (passwd line, then shadow line):
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
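Added example, not part of the slides: a parser for the two file formats above, run on constructed sample lines (the slide's two student lines plus a few invented accounts). It decodes the shadow aging fields, which are stored as day counts since 1970-01-01, into real dates and classifies the password state the way the login programs would. The intern and backup accounts and their placeholder hashes are assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)  # shadow(5) dates are counted in days since this

# Constructed sample data: the two "student" lines from the slide, plus an
# "intern" with a 90-day password lifetime and a locked "backup" service
# account, so the parser has to handle empty fields and lock markers.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
intern:x:1001:1001:Example Intern,,,:/home/intern:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:$1$xxxxxxxx$placeholderhashvalueforroot00:13226:0:99999:7:::
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
intern:$1$yyyyyyyy$placeholderhashvalueforinter0:13226:0:90:7:::
backup:*:13226:0:99999:7:::
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    password: str                 # hash, or a lock marker such as "*" / "!"
    last_change: Optional[date]   # days since epoch -> date
    min_days: Optional[int]       # days until a change is allowed
    max_days: Optional[int]       # days until a change is required
    warn_days: Optional[int]      # warning period before expiry
    inactive_days: Optional[int]  # grace period after expiry
    expires: Optional[date]       # absolute account expiration


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def _date_or_none(field: str) -> Optional[date]:
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5) lines; the second field is only the 'x' placeholder."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _placeholder, uid, gid, gecos, home, shell = line.split(":")
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow(5) lines: 9 colon-separated fields, the last one reserved."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[f[0]] = ShadowEntry(
            f[0], f[1], _date_or_none(f[2]), _int_or_none(f[3]),
            _int_or_none(f[4]), _int_or_none(f[5]), _int_or_none(f[6]),
            _date_or_none(f[7]))
    return entries


def gecos_fields(entry: PasswdEntry) -> Dict[str, str]:
    """Split GECOS in the chfn(1) order: full name, room, work phone, home phone."""
    parts = (entry.gecos.split(",") + [""] * 4)[:4]
    return dict(zip(("full_name", "room", "work_phone", "home_phone"), parts))


def password_status(entry: ShadowEntry, today_iso: str) -> str:
    """Classify an account's password state on a given date (yyyy-mm-dd)."""
    today = date.fromisoformat(today_iso)
    if entry.password == "":
        return "no-password"        # login needs no password: an audit finding
    if entry.password[0] in "*!":
        return "locked"             # hash disabled by a lock marker
    if entry.expires is not None and today >= entry.expires:
        return "account-expired"
    if entry.last_change is None or entry.last_change == EPOCH:
        return "must-change"        # day 0 forces a change at next login
    if entry.max_days is not None and entry.max_days < 99999:  # 99999 = never
        expiry = entry.last_change + timedelta(days=entry.max_days)
        if today > expiry:
            return "password-expired"
        if today >= expiry - timedelta(days=entry.warn_days or 0):
            return "expiring"
    return "ok"
```

On the slide's own line the last-change value 13226 decodes to 2006-03-19, and the max value 99999 is the conventional "never expires"; a real audit would run this over /etc/shadow (readable only by root) and flag every "no-password" and "password-expired" result.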
Username Syntax
• Each username must be unique.
• Length limits (8 chars on old systems).
• Any character except : or \n.
Issues
• Naming standards.
• How to ensure that usernames are unique?
• System uses UIDs internally.
UIDs
• UIDs are 32-bit non-negative integers.
Standards
• Root is UID 0.
• System accounts have low UIDs (<= 500).
Uniqueness
• Multiple usernames can have the same UID!
• Re-using UIDs may give away files to the new user.
• Distributed systems may require unique UIDs across organizational boundaries.
Password Syntax
• Length: unlimited (MD5, SHA1); 8 chars (crypt).
• Chars: anything except \n, though certain control chars may be interpreted by the system.
Stored in "encrypted" format.
• Hashed: crypt, MD5, SHA1.
• Salted: a 12-bit salt means 4096 different hashes for each password.
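Added example, not from the slides: what the salt on this slide buys you, in code. The first function splits a stored password field into scheme, salt and hash (the slide's MD5-crypt value, a SHA-crypt value with a rounds= part, and a 13-character traditional crypt string); the rest use a deliberately simple SHA-256-based toy hash (an assumption for illustration, not the real crypt(3) algorithm) to show that one password with a 12-bit salt has 4096 possible stored forms, that the salt is stored in the clear next to the hash, and that verification is simply "read the salt back and recompute".

```python
import hashlib
import secrets
from typing import Set, Tuple

SALT_BITS = 12               # traditional crypt(3): 2 salt characters = 12 bits
SALT_SPACE = 1 << SALT_BITS  # 4096 possible salts


def parse_crypt_field(field: str) -> Tuple[str, str, str]:
    """Split a stored password field into (scheme, salt, hash).

    Modular-crypt strings look like $id$salt$hash ($1$ = MD5-crypt, $5$/$6$ =
    SHA-crypt, which may carry an extra rounds=N part); a bare 13-character
    string is traditional DES crypt with the salt in its first two characters.
    """
    if field.startswith("$"):
        parts = field.split("$")[1:]          # drop the empty leading part
        scheme = parts.pop(0)
        if parts and parts[0].startswith("rounds="):
            parts.pop(0)
        return scheme, parts[0], parts[1]
    if len(field) == 13:
        return "des", field[:2], field[2:]
    raise ValueError(f"unrecognised password field {field!r}")


def toy_hash(password: str, salt: int) -> str:
    """Toy salted hash: SHA-256 over salt||password. NOT the real crypt(3)."""
    if not 0 <= salt < SALT_SPACE:
        raise ValueError("salt out of range")
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def unsalted_hash(password: str) -> str:
    """Without a salt, two users with the same password get the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def store(password: str) -> str:
    """Pick a random 12-bit salt and keep it beside the hash, shadow-style."""
    salt = secrets.randbelow(SALT_SPACE)
    return f"{salt}${toy_hash(password, salt)}"


def verify(password: str, stored: str) -> bool:
    """The salt is public: read it back and recompute, then compare in constant time."""
    salt, digest = stored.split("$", 1)
    return secrets.compare_digest(toy_hash(password, int(salt)), digest)


def all_salted_hashes(password: str) -> Set[str]:
    """Every stored form one password can take: a precomputed table needs all 4096."""
    return {toy_hash(password, s) for s in range(SALT_SPACE)}
```

The point of the last function is the slide's arithmetic: with a 12-bit salt a precomputed dictionary must hold 4096 entries per candidate word rather than one, which is why modern schemes use much longer salts (MD5-crypt already uses up to 8 salt characters, as in the slide's $1$w/UuKtLF$ example).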
GID
• GIDs are 32-bit non-negative integers.
• Each user has a default GID.
• File group ownership is set to the default GID.
• Temporarily change the default GID: newgrp.
Groups are described in /etc/group
• Users may belong to multiple groups.
• Format: group name, password, GID, user list.
• wheel:x:10:root,waldenj,bergs
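Added example, not from the slides, covering the UID and GID slides together: it parses constructed /etc/passwd and /etc/group copies (the wheel line is the slide's; the toor, jsmith and guest lines are invented to be wrong), resolves a user's effective groups from the default GID plus the supplementary memberships, and audits the UID rules above: a second UID-0 account, two usernames sharing a UID, and a default GID that no group defines.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample files. "toor" (second UID 0), "jsmith" (duplicate UID
# 1002) and "guest" (default GID 1003 with no group) are deliberate errors.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate superuser:/root:/bin/sh
waldenj:x:1001:2000:Example Faculty:/home/waldenj:/bin/bash
bergs:x:1002:2000:Example Faculty:/home/bergs:/bin/bash
jsmith:x:1002:1000:Example Student:/home/jsmith:/bin/bash
guest:x:1003:1003:Example Guest:/home/guest:/bin/bash
"""
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:root,waldenj,bergs
student:x:1000:
faculty:x:2000:waldenj
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """username -> (uid, default gid)."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = (int(f[2]), int(f[3]))
    return out


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """group name -> (gid, [supplementary members]); the pw field is ignored."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            out[name] = (int(gid), [m for m in members.split(",") if m])
    return out


def groups_for(user: str, passwd, groups) -> Set[str]:
    """Effective groups: the group owning the default GID plus every group
    whose member list names the user (what id(1) would print)."""
    _uid, default_gid = passwd[user]
    result = {name for name, (gid, _m) in groups.items() if gid == default_gid}
    result |= {name for name, (_g, members) in groups.items() if user in members}
    return result


def audit_accounts(passwd, groups) -> List[Tuple]:
    """Findings an administrator wants before trusting file ownership."""
    known_gids = {gid for gid, _m in groups.values()}
    by_uid: Dict[int, List[str]] = {}
    findings: List[Tuple] = []
    for user, (uid, gid) in passwd.items():
        by_uid.setdefault(uid, []).append(user)
        if gid not in known_gids:
            findings.append(("unknown-default-gid", user, gid))
    for uid, users in sorted(by_uid.items()):
        if uid == 0:
            findings.extend(("extra-uid-0", u) for u in users if u != "root")
        if len(users) > 1:  # the kernel sees one identity; files are shared
            findings.append(("duplicate-uid", uid, sorted(users)))
    return findings
```

A duplicate UID is the concrete form of the warning on the UID slide: both usernames own exactly the same files, and re-using a departed user's UID hands that user's leftover files to the newcomer.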
GECOS
Original use
• Data for General Electric Comprehensive OS.
Current use
• User information.
• Full name, location, phone number, e-mail.
Home Directory
• User's CWD at login time.
• Typically where the user stores all files.
Login Shell
• Process started when the user logs in.
• Typically a shell like bash, tcsh, ksh, or zsh.
• System users may be different.
• Disabled accounts have a noshell program.
Adding a User
• Create the account with adduser.
• Lock the account until the user arrives.
• User signs the account agreement.
• Set the password with passwd.
Adding a User
• Edit /etc/{passwd,shadow} with vipw.
• Set the password with the passwd command.
• Edit /etc/group to add groups.
• Create the user home directory:
  mkdir /home/studenta
  chown studenta.student /home/studenta
  chmod 755 /home/studenta
• Copy default files from /etc/skel: .bashrc, .Xdefaults, .xsession, etc.
• Set e-mail aliases, disk quotas, etc.
• Verify that the account works.
Disabling an Account
• Edit the account configuration:
  • Place * in front of the encrypted password.
  • Replace the shell with the nologin program.
• Kill active logins and processes.
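Added example, not from the slides: the two edits on this slide applied to constructed copies of /etc/passwd and /etc/shadow (the studenta account and its placeholder hash are invented). Prefixing the hash with * keeps the original hash behind the marker, so the account can later be re-enabled without a password reset; the nologin path is an assumption (it is /usr/sbin/nologin on Debian-style systems). On a real system the edit goes through vipw, which holds the lock that stops two administrators from racing; this code only transforms text.

```python
from typing import Callable, Dict, List, Tuple

NOLOGIN = "/sbin/nologin"  # assumed path; varies by distribution

# Constructed sample files with one ordinary user to lock.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
studenta:x:1001:1000:Example Student:/home/studenta:/bin/bash
"""
SHADOW = """\
root:$1$xxxxxxxx$placeholderhashforroot:13226:0:99999:7:::
studenta:$1$yyyyyyyy$placeholderhashforstudenta:13226:0:99999:7:::
"""


def _rewrite(text: str, user: str, transform: Callable[[List[str]], List[str]]) -> str:
    """Apply transform(fields) to the single line whose first field is user."""
    out, found = [], False
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            fields = transform(fields)
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError(f"no such user: {user}")
    return "\n".join(out) + "\n"


def disable_account(passwd: str, shadow: str, user: str) -> Tuple[str, str]:
    """Lock the hash with a leading '*' (slide convention) and replace the shell."""
    def lock(f):
        if not f[1].startswith("*"):  # idempotent: never stack markers
            f[1] = "*" + f[1]
        return f

    def noshell(f):
        f[6] = NOLOGIN
        return f
    return _rewrite(passwd, user, noshell), _rewrite(shadow, user, lock)


def enable_account(passwd: str, shadow: str, user: str, shell: str = "/bin/bash") -> Tuple[str, str]:
    """Reverse of disable_account: the original hash survived behind the '*'."""
    def unlock(f):
        f[1] = f[1].lstrip("*")
        return f

    def reshell(f):
        f[6] = shell
        return f
    return _rewrite(passwd, user, reshell), _rewrite(shadow, user, unlock)


def lock_state(passwd: str, shadow: str, user: str) -> Dict[str, bool]:
    """Audit view: a password lock alone still leaves SSH-key logins, and a
    nologin shell alone still leaves password-based services, so check both."""
    sh = next(l.split(":") for l in shadow.splitlines() if l.split(":")[0] == user)
    pw = next(l.split(":") for l in passwd.splitlines() if l.split(":")[0] == user)
    return {
        "password_locked": sh[1][:1] in ("*", "!"),
        "shell_disabled": pw[6].rsplit("/", 1)[-1] in ("nologin", "false"),
    }
```

The third step on the slide, killing the user's live sessions and processes, is not a file edit and is not shown here; it matters because the edits only take effect at the next login.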
Removing a User
• Disable the account.
• Change shared passwords (root, etc.).
• Kill active logins and processes.
• Remove from local databases/files.
• Remove from e-mail aliases.
• Remove the mail spool (backup first).
• Remove crontabs and pending jobs.
• Remove temporary files.
• Remove the home directory (backup first).
• Remove from passwd, shadow, and group.
What is a Directory?
Directory: A collection of information that is primarily searched and read, rarely modified.
Directory Service: Provides access to directory information.
Directory Server: Application that provides a directory service.
Directories vs. Databases
Directories are optimized for reading.
• Databases are balanced for read and write.
Directories are tree-structured.
• Databases typically have a relational structure.
Directories are usually replicated.
• Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
System Administration Directories
Types of directory data
• Accounts
• Mail aliases and lists (address book)
• Cryptographic keys
• IP addresses
• Hostnames
• Printers
Common directory services
• DNS, LDAP, NIS
Advantages of Directories
Make administration easier.
• Change data only once: people, accounts, hosts.
Unify access to network resources.
• Single sign-on.
• Single place for users to search (address book).
Improve data management.
• Improve consistency (one location vs. many).
• Secure data through only one server.
NIS: Network Information Service
Originally called Sun Yellow Pages.
• Clients run ypbind.
• Servers run ypserv.
• Data stored under /var/yp on the server.
Server shares NIS maps with clients.
• Each UNIX file may provide multiple maps.
• passwd: passwd.byname, passwd.byuid
Slave servers replicate master server content.
Easy to use, but insecure and difficult to extend.
LDAP
Lightweight Directory Access Protocol
• Lightweight compared to X.500 directories.
• Directory service, not a database service.
• Access protocol, not a directory itself.
LDAP Clients and Servers
LDAP clients
• Standalone directory browsers.
• Embedded clients (mail clients, logins, etc.).
• Configure /etc/nsswitch.conf on UNIX to use LDAP.
Common LDAP servers
• OpenLDAP
• Fedora Directory Server (formerly Sun, Netscape)
• Mac Open Directory
• Microsoft Active Directory
• Novell eDirectory (NDS)
LDAP Structure
An LDAP directory is made of entries.
• Entries may be employee records, hosts, etc.
Each entry consists of attributes.
• Attributes can be names, phone numbers, etc.
• The objectClass attribute identifies the entry type.
Each attribute is a type/value pair.
• Type is a label for the information stored (name).
• Value is the value of the attribute in this entry.
• Attributes can be multi-valued.
Tree-structure of LDAP Directories (diagram)
LDAP Schemas
Schemas specify allowed objectClasses and attributes.
LDIF
LDAP Interchange Format.
• Standard text format for storing LDAP configuration data and directory contents.
LDIF files
• Collection of entries separated by blank lines.
• Mapping of attribute names to values.
Uses
• Import new data into the directory.
• Export the directory to LDIF files for backups.
LDIF Output Example
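Added example, not the slides' own output: a small LDIF reader and writer run on a constructed file under the dc=plainjoe,dc=org suffix the DN slide uses. It handles the things that trip up naive "split on colon" code: entries separated by blank lines, multi-valued attributes, base64 values marked by a double colon, and folded lines whose continuation starts with a single space. The entries, names and addresses are invented.

```python
import base64
from typing import Dict, List

# Constructed LDIF: a container and a person, one multi-valued attribute,
# one base64 value ("::") and one folded line (continuation starts with a space).
SAMPLE_LDIF = """\
version: 1
# people container
dn: ou=Sales,dc=plainjoe,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Sales

dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Jeff Foo
sn: Foo
mail: jfoo@plainjoe.org
description:: SGVsbG8gV29ybGQ=
title: Regional sales
  manager
"""

Entry = Dict[str, List[str]]


def _unfold(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; every attribute maps to a list of values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:  # sentinel blank line flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        sep = line.find(":")
        if sep < 1:
            raise ValueError(f"not an attribute line: {line!r}")
        name, rest = line[:sep], line[sep + 1:]
        if not current and name.lower() != "dn":
            raise ValueError("entry must start with dn")
        if rest.startswith(":"):        # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):      # URL reference: keep the marker as-is
            value = rest
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def _needs_b64(value: str) -> bool:
    """RFC 2849 safe-string rules, plus trailing-space protection."""
    return (value[:1] in (" ", ":", "<") or value.endswith(" ")
            or any(ord(c) > 127 or c in "\0\r\n" for c in value))


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF (used for backups and imports)."""
    chunks = []
    for entry in entries:
        lines = []
        for name, values in entry.items():
            for v in values:
                if _needs_b64(v):
                    lines.append(f"{name}:: {base64.b64encode(v.encode()).decode()}")
                else:
                    lines.append(f"{name}: {v}")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"
```

Because to_ldif base64-encodes anything that is not a safe string, parse_ldif(to_ldif(entries)) reproduces the original entries, which is the property an export-for-backup tool needs.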
Distinguished Names
Distinguished Names (DNs)
• Uniquely identify an LDAP entry.
• Provide the path from the LDAP root to the named entry.
• Similar to an absolute pathname.
• dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
Relative DNs (RDNs)
• Any unique attribute pair in the entry's container.
• ex: cn=Jeff Foo OR username=fooj
• Similar to a relative pathname, except that an RDN may have multiple components:
  cn=Jane Smith+ou=Sales
  cn=Jane Smith+ou=Engineering
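Added example, not from the slides: a DN parser for the syntax on this slide. It splits a DN into its RDNs (the comma-separated "path components"), splits a multi-valued RDN on +, honours backslash escapes so a value such as "Foo, Jeff" does not break the path, and derives the parent DN and a subtree test from the result. The DNs used are the slide's own; the helper names are mine.

```python
from typing import List, Tuple

AVA = Tuple[str, str]          # one attribute=value pair
RDN = List[AVA]                # cn=Jane Smith+ou=Sales has two AVAs


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into RDNs, each a list of (type, value) pairs.

    Handles RFC 4514 backslash escapes (\\, \\+ and \\\\) and the '+' that
    joins the components of a multi-valued RDN. A leading "dn:" is accepted.
    """
    if dn.lower().startswith("dn:"):
        dn = dn[3:].strip()
    rdns: List[RDN] = []
    avas: RDN = []
    buf: List[str] = []
    attr = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):    # escaped char: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif c in ",+":
            if attr is None:
                raise ValueError(f"component without '=' in {dn!r}")
            avas.append((attr, "".join(buf).strip()))
            buf, attr = [], None
            if c == ",":
                rdns.append(avas)
                avas = []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"malformed DN {dn!r}")
    avas.append((attr, "".join(buf).strip()))
    rdns.append(avas)
    return rdns


def _escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace(",", "\\,").replace("+", "\\+")


def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn, re-escaping the separator characters."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in rdns)


def rdn_of(dn: str) -> str:
    """The entry's own name: the first (leftmost) RDN."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """Like dirname: drop the leftmost RDN. The root's parent is ''."""
    return format_dn(parse_dn(dn)[1:])


def _normalized(rdns: List[RDN]) -> List[List[AVA]]:
    # Attribute types are case-insensitive; AVA order inside one RDN is not significant.
    return [sorted((t.lower(), v) for t, v in rdn) for rdn in rdns]


def in_subtree(dn: str, base: str) -> bool:
    """True when base is the DN itself or one of its ancestors (a search base test)."""
    d, b = _normalized(parse_dn(dn)), _normalized(parse_dn(base))
    return len(b) <= len(d) and d[len(d) - len(b):] == b
```

The value comparison in in_subtree is exact; real servers apply the attribute's matching rule (case-insensitive for cn, ou and dc), so a production check would normalize values according to the schema as well.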
LDAP Client/Server Interaction
• Client requests to bind to the server.
• Server accepts or denies the bind request.
• Client sends a search request.
• Server returns zero or more directory entries.
• Server sends a result code with any errors.
• Client sends an unbind request.
• Server sends a result code and closes the socket.
LDAP Operations
Client session operations
• Bind, unbind, and abandon
Query and retrieval operations
• Search and compare
Modification operations
• Add, modify, modifyRDN, and delete
Authentication
Anonymous authentication
• Binds with an empty DN and password.
Simple authentication
• Binds with a DN and password. Cleartext.
Simple authentication over SSL/TLS
• Uses SSL to encrypt simple authentication.
Simple Authentication and Security Layer
• SASL is an extensible security scheme.
• SASL mechanisms: Kerberos, GSSAPI, SKEY
Distributed Directories
• Use multiple LDAP servers.
Why distribute?
• Throughput
  • More servers can reduce the load on any single server.
• Latency
  • Have a local server serve local data to the LAN.
  • Only use the WAN for non-local data on other servers.
• Administrative boundaries
  • Let each side administer its own directory.
OpenLDAP
Open source LDAPv3 server.
• LDAP server: slapd
• Client commands: ldapadd, ldapsearch
• Backend storage: BerkeleyDB
• Backend commands: slapadd, slapcat
• Schemas: /etc/openldap/schema
• Data: /var/lib/ldap
Configuration files
• Client: /etc/openldap/ldap.conf
• Server: /etc/openldap/slapd.conf
Building an OpenLDAP Server
• Install OpenLDAP.
• Configure LDAP for your domain: change the suffix, rootdn, and rootpw options.
  vim /etc/openldap/slapd.conf
• Start the server.
  Immediate: /sbin/service ldap start
  Permanent: /sbin/chkconfig --level 35 ldap on
• Add data with ldapadd.
• Verify functionality with ldapsearch.
LDAP Authentication
• Configure the server with schema + user data.
• Point clients to the hostname and rootDN of the server:
  /etc/ldap.conf and /etc/openldap/ldap.conf
• Verify server access with ldapsearch.
• Configure clients to use LDAP auth in /etc/nsswitch.conf:
  passwd: files ldap
  shadow: files ldap
  group:  files ldap
References
• Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, Addison-Wesley, 2003.
• Gerald Carter, LDAP System Administration, O'Reilly, 2003.
• J. Heiss, "Replacing NIS with Kerberos and LDAP," http://www.ofb.net/~jheiss/krbldap/, 2004.
• LDAP Howtos, Links, and Whitepapers, http://www.bind9.net/ldap/, 2005.
• http://www.ldapman.org/, 2005.
• Luiz Malere, "Linux LDAP HOWTO," http://www.tldp.org/HOWTO/LDAP-HOWTO/, 2004.
• OpenLDAP, OpenLDAP Administrator's Guide, http://www.openldap.org/devel/admin/, 2005.
• RedHat, Red Hat Enterprise Linux 4 Reference Guide, Chapter 13, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/, 2005.