CIT 470: Advanced Network and System Administration
Directories
Topics
• Directories
• LDAP Structure
• LDIF
• Distinguished Names
• Replication
• OpenLDAP Configuration
What is a Directory?
Directory: A collection of information that is primarily searched and read, rarely modified.
Directory Service: Provides access to directory information.
Directory Server: Application that provides a directory service.
Directories vs. Databases
Directories are optimized for reading.
• Databases are balanced for read and write.
Directories are tree-structured.
• Databases typically have a relational structure.
Directories are usually replicated.
• Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
System Administration Directories
Types of directory data
• Accounts
• Mail aliases and lists (address book)
• Cryptographic keys
• IP addresses
• Hostnames
• Printers
Common directory services
• DNS, LDAP, NIS
Advantages of Directories
Make administration easier.
• Change data only once: people, accounts, hosts.
Unify access to network resources.
• Single sign-on.
• Single place for users to search (address book).
Improve data management.
• Improve consistency (one location vs. many).
• Secure data through only one server.
NIS: Network Information Service
Originally called Sun Yellow Pages.
• Clients run ypbind.
• Servers run ypserv.
• Data is stored under /var/yp on the server.
The server shares NIS maps with clients.
• Each UNIX file may provide multiple NIS maps.
• NIS maps map keys like UID or username to data.
• passwd: passwd.byname, passwd.byuid
Slave servers replicate the master server's content.
Easy to use, but insecure and difficult to extend.
LDAP
Lightweight Directory Access Protocol
• Lightweight: compared to X.500 directories.
• Directory: a directory service, not a database.
• Access Protocol: a protocol for accessing directories, not a directory itself.
LDAP Clients and Servers
LDAP Clients
• Standalone directory browsers.
• Embedded clients (mail clients, logins, etc.)
• Configure /etc/nsswitch.conf on UNIX to use LDAP.
Common LDAP servers
LDAP Structure
An LDAP directory is made of entries.
• Entries may be employee records, hosts, etc.
Each entry consists of attributes.
• Attributes can be names, phone numbers, etc.
• The objectClass attribute identifies the entry type.
Each attribute is a type/value pair.
• Type is a label for the information stored (e.g. name).
• Value is the value of that attribute in this entry.
• Attributes can be multi-valued.
Tree-structure of LDAP Directories CIT 470: Advanced Network and System Administration
LDAP Schemas Schemas specify allowed objectClasses and attributes. CIT 470: Advanced Network and System Administration
LDIF
LDAP Interchange Format.
• Standard text format for storing LDAP configuration data and directory contents.
LDIF Files
• Collection of entries separated by blank lines.
• Mapping of attribute names to values.
Uses
• Import new data into the directory.
• Export the directory to LDIF files for backups.
LDIF Output Example CIT 470: Advanced Network and System Administration
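The LDIF conventions just listed (entries separated by blank lines, attribute: value lines), as an added Python example that is not from the course slides. It also handles the base64 (attr:: value) and folded-line forms that slapcat emits; SAMPLE_LDIF is a constructed sample built around the fooj entry shown later in the deck.

```python
"""Added example (not from the slides): a small LDIF reader for slapcat /
ldapsearch -LLL output. Entries are separated by blank lines, continuation
lines begin with a space, "attr:: value" carries base64, "#" is a comment."""
import base64

# Constructed sample: the fooj entry from the slides plus a second entry
# with a base64-encoded cn and a folded (continued) description line.
SAMPLE_LDIF = """\
version: 1
# exported with slapcat (constructed sample)
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
uid: fooj
uidNumber: 10101
homeDirectory: /home/c/fooj
loginShell: /bin/bash

dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: posixAccount
uid: smitha
cn:: U21pdGgsIEFubmU=
description: a long value that the exporter
  folded onto a second line
"""

def parse_ldif(text):
    """Return one {attribute: [values, ...]} dict per entry ('dn' included)."""
    entries, current = [], {}
    # A newline followed by one space is a folded line: join it back first.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries
```

Call parse_ldif(SAMPLE_LDIF) to get two entries; multi-valued attributes such as objectClass come back as lists in file order.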
LDIF Backups and Restores
Backing up an LDAP directory
  slapcat > backup.ldif
OR, to do a daily backup, use the date in the name:
  slapcat > backup-`date +%F`.ldif
Restoring an LDAP directory
  service ldap stop
  rm -rf /var/lib/ldap/*
  slapadd < backup.ldif
  service ldap start
Distinguished Names
Distinguished Names (DNs)
• Uniquely identify an LDAP entry.
• Provide the path from the LDAP root to the named entry.
• Similar to an absolute pathname.
• dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
Relative DNs (RDNs)
• Any unique attribute pair in the directory's container.
• ex: cn=Jeff Foo OR username=fooj
• Similar to a relative pathname.
• Except an RDN may have multiple components:
  • cn=Jane Smith+ou=Sales
  • cn=Jane Smith+ou=Engineering
(R)DN Example #1 CIT 470: Advanced Network and System Administration
(R)DN Example #2 CIT 470: Advanced Network and System Administration
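An added Python example, not from the slides, that takes DNs like the ones above apart the way the slides describe (leaf RDN first, like an absolute pathname read backwards), including backslash-escaped commas and the multi-component RDNs joined with +; the function names are my own.

```python
"""Added example (not from the slides): take a Distinguished Name apart into
its RDNs the way the slides describe (leaf first, like an absolute pathname
read backwards), honouring backslash-escaped commas and the multi-component
RDNs that join attribute=value pairs with '+'. Hex escapes (\\2C) are not handled."""
import re


def _split_unescaped(text, sep):
    """Split on sep, but never on a sep that is preceded by a backslash."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def split_dn(dn):
    """DN -> list of RDN strings, leftmost (the entry's own RDN) first."""
    return [rdn.strip() for rdn in _split_unescaped(dn, ",")]


def parse_rdn(rdn):
    """RDN -> list of (type, value); more than one pair when joined with '+'."""
    pairs = []
    for ava in _split_unescaped(rdn, "+"):
        attr, sep, value = ava.partition("=")
        if not sep:
            raise ValueError("attribute=value expected in RDN: %r" % ava)
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs


def parent_dn(dn):
    """Drop the leftmost RDN, like dirname(); '' once the root is reached."""
    return ",".join(split_dn(dn)[1:])


def is_child_of(dn, container):
    """True when dn sits directly under container (an ou= or dc= node)."""
    return parent_dn(dn).lower() == container.strip().lower()
```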
ldapsearch Options
-LLL removes comments and LDAP version info.
-b base supplies the base DN (uses ldap.conf if no -b).
-x uses simple authentication instead of SASL.
-H ldap://your.server.edu accesses that server.
If -H is not specified, uses ldap.conf to find the server.
Search for all elements:
  ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"
ldapsearch -LLL -x "(DN)"
> ldapsearch -LLL -x "(uid=fooj)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
ldapsearch -LLL -x "(DN)"
> ldapsearch -LLL -x "(uidNumber=10101)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
Multiple Record Matches
> ldapsearch -LLL -x "(loginShell=/bin/bash)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/b/fooj
loginShell: /bin/bash
...
Size limit exceeded (4)
Wildcard Matches
> ldapsearch -LLL -x "(uid=smith*)"
dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
uid: smitha
uidNumber: 10221
cn: smitha
homeDirectory: /home/f/smitha
loginShell: /bin/bash
...
dn:
uid: smithj
uidNumber: 12302
cn: smithj
homeDirectory: /home/g/smithj
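The filters and size-limit behaviour shown in the ldapsearch sessions above, as an added Python example that is not from the slides: ENTRIES is a constructed in-memory copy of a few posixAccount records, and the matcher goes a step beyond the slides by also handling the &, | and ! combinators.

```python
"""Added example (not from the slides): evaluate ldapsearch-style filters
against in-memory entries and apply the server-side size limit that the
slides show as "Size limit exceeded (4)". Assumes caseIgnore matching and
supports (attr=value), the '*' wildcard, presence (attr=*) and &, |, !."""
import re

# Constructed entries modelled on the posixAccount records on the slides.
ENTRIES = [
    {"dn": ["uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["fooj"],
     "objectClass": ["top", "posixAccount"], "loginShell": ["/bin/bash"]},
    {"dn": ["uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["smitha"],
     "objectClass": ["top", "posixAccount"], "loginShell": ["/bin/bash"]},
    {"dn": ["uid=smithj,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["smithj"],
     "objectClass": ["top", "posixAccount"], "loginShell": ["/bin/tcsh"]},
]
SIZE_LIMIT_EXCEEDED = 4        # LDAP result code that ldapsearch prints as "(4)"

def _split_top(s):
    """Split "(a)(b)" into ["(a)", "(b)"], respecting nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth == 0:
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """True when entry satisfies the filter string flt, e.g. "(uid=smith*)"."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body[:1] in ("&", "|", "!"):
        subs = [matches(entry, sub) for sub in _split_top(body[1:])]
        return not subs[0] if body[0] == "!" else (all if body[0] == "&" else any)(subs)
    attr, _, pattern = body.partition("=")
    # Only '*' is a wildcard in LDAP filters; everything else is literal.
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z", re.I)
    values = [v for k, vs in entry.items() if k.lower() == attr.strip().lower() for v in vs]
    return any(rx.match(v) for v in values)

def search(entries, flt, sizelimit=0):
    """Return (hits, result code); a hit list cut short by sizelimit gets code 4."""
    hits = [e for e in entries if matches(e, flt)]
    if sizelimit and len(hits) > sizelimit:
        return hits[:sizelimit], SIZE_LIMIT_EXCEEDED
    return hits, 0
```

search(ENTRIES, "(loginShell=/bin/bash)", sizelimit=1) returns only the first hit together with code 4, which is the partial result plus error that the slide's session shows.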
OpenLDAP
Open source LDAPv3 server.
• LDAP server: slapd
• Client commands: ldapadd, ldapsearch
• Backend storage: BerkeleyDB
• Backend commands: slapadd, slapcat
• Schemas: /etc/openldap/schema
• Data: /var/lib/ldap
Configuration files
• Client: /etc/openldap/ldap.conf
• Server: /etc/openldap/slapd.conf
Building an OpenLDAP Server
• Install OpenLDAP.
• Configure LDAP for your domain.
  Edit slapd.conf OR use Run Time Configuration (RTC).
• Start the server.
  Immediate: service ldap start
  Permanent: chkconfig --level 35 ldap on
• Add data with ldapadd.
• Verify functionality with ldapsearch.
slapd.conf (Server)
File locations (usually accept the defaults)
• Schema files
• Configuration files
• Database directory
Database
• suffix = DN of the topmost node in the directory
• rootdn = DN of the LDAP administrative user
• rootpw = password of the LDAP administrator
Access control
ldap.conf (Client)
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com        (match suffix in slapd.conf)
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never