1 / 26

LDAP

LINUX SYSTEM ADMINISTRATION AND SECURITY. LDAP. LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL. VINEET BHARDWAJ VINAY KUMAR THOTA. 03 AUGUST 2005. PRESENTATION OUTLINE. INTRODUCTION. INSTALLATION. CONFIGURATION. SECURITY ISSUES. CONCLUSION. INTRODUCTION. DIRECTORY SERVICE. LDAP.

jayme
Download Presentation

LDAP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. LINUX SYSTEM ADMINISTRATION AND SECURITY LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL VINEET BHARDWAJ VINAY KUMAR THOTA 03 AUGUST 2005

  2. PRESENTATION OUTLINE INTRODUCTION INSTALLATION CONFIGURATION SECURITY ISSUES CONCLUSION

  3. INTRODUCTION DIRECTORYSERVICE LDAP DESIGNED AT UNIVERSITY OF MICHIGAN EXIST AT THREE LEVELS BIG PUBLIC SERVERS LARGE ORGANIZATIONAL SERVERS SMALLER WORK GROUP SERVERS

  4. A Directory service structure for the internet. It has many features that make it ideal for providing network information services, including encryption support, access control lists, fast read access, etc.. LDAP will combine several systems that normally have to be maintained separately , such as NT authentication, UNIX authentication, MTA routing information, services/protocols/hosts information, network address books, etc. INFORMATION KIND ARRANGEMENT REFERENCE ACCESS

  5. Prerequisite Software Versions The structure of an LDAP directory tree LDAP directory servers store their data hierarchically. As with DNS host names, an LDAP directory record's Distinguished Name (DN for short) is read from the individual entry, backwards through the tree, up to the top level.

  6. A DIRECTORY TREE STRUCTURE COUNTRY STATE THE ORGANIZATION ORGANIZATIONAL UNIT PERSON

  7. HOW DOES LDAPWORK ???? CLIENT SERVER MODEL TCP/IP OR ANY OTHER CONNECTION ORIENTED X.500,THE OSI DIRECTORY SERVICE

  8. ABOUTSlapd Slurpd Slapd Supports strong authentication and data security SASL Transport layer security Topology control – TCP Wrappers Access Control Choice of database back ends

  9. Threads Replication Single Configuration file Slurpd Replicated service Failed requests

  10. Installing the LDAP Server Five steps are necessary to install the server: • Install the pre-required packages (if not already installed). • Download the server. • Unpack the software. • Configure the Makefiles. • Build the server.

  11. Installation contd. Downloading the package • There are two free distributed LDAP servers: University of Michigan LDAP server and Open LDAP server • It's latest tar gzipped version is available on the following address: http://www.openldap.org • If you want to get the latest version of University of Michigan Server, go to this address: ftp://terminator.rs.itd.umich.edu/ldap

  12. Installation contd. Unpacking the software • First copy the package to a desirable directory, for example /usr/local. Next use the following command: tar xvzf openldap-2.2.5.tgz • You can use this command too, as well: gunzip openldap-2.2.5.tgz | tar xvf –

  13. Installation contd. Configuring the software • Type the following command on the directory where you unpacked the software: ./configure --help This will print all options that you can customize with the configure script before you build the software. • Normally if you run configure without options, it will auto-detect the appropriate settings and prepare to build things on the default common location. So just type: ./configure

  14. Installation contd. Building the server • After configuring the software you can start building it. First build the dependencies, using the command: make depend • Build the server after that, using the command: make • To ensure a correct build, you should run the test suite make test • Now install the binaries and man pages. You may need to be superuser to do this (depending on where you are installing things): su root -c 'make install'

  15. Configuration • All slapd(LDAP directory server) runtime configuration is accomplished through the slapd.conffile, installed in the prefix directory one specifies in the configuration script or by default in /usr/local/etc/openldap • First create an /etc/openldap/slapd.confg file. You need to change the following line suffix “dc=mydomain, dc=com” rootdn “cn=admin, dc=mydomain, dc=com” rootpw {crypt}abjnggxhB/yWI

  16. Configuration contd. • The suffix is your “LDAP basename”. Common practice is to use your DNS domain name as your LDAP basename. • The rootdnis adminstrator’s name, and rootpw is administrator’s password. • You also need to change the /etc/ldap.conf and etc/openldap/ldap.conf to change the name of your LDAP server and your basename.

  17. Configuration contd. Populating your server The easiest way to populate your LDAP server is that Padl Software which provides a free set of Perl scripts that migrate existing flat files. They are available from www.padl.com/tools.html

  18. Configuration contd. Setting up a LDAP client • Edit the LDAP config files (/etc/ldap.confand etc/openldap/ldap.conf ) to specify the server and your site’s basename. • You can verify that you are connecting to the LDAP server correctly by running ldapsearch – x, which dumps the entire database. • Finally, change the appropriate lines in /etc/nsswitch.conf to use the LDAP server as a data source.

  19. SECURITY ISSUES USING LDAP CONNECTING LDAP SERVER LDAPS NORMAL LDAP CONNECTION WORKS BY THE PORT 389 NETWORKSECURITY DATA INTEGRITY AND CONFIDENTIALITY PROTECTION AUTHENTICATION METHODS

  20. NETWORKSECURITY SELECTIVE LISTENING IP FIREWALL TCP WRAPPERS DATA INTEGRITY AND CONFIDENTIALITY PROTECTION LDAPv3 AND TSL AUTHENTICATION METHODS SIMPLE AND SASL

  21. LDAPS VERIFICATION X.509 CERTIFICATES ALGORITHMS IN OPENSSL

  22. DATA INTEGRITY AND CONFIDENTIALITY PROTECTION LDAPv3 AND TLS RFC 2246 DESCRIBES TLS CLEANED UP AND STANDARDIZED VERSION OF SSL SWITCHING SECURITY STRENGHT FACTORS SSF

  23. AUTHENTICATION METHODS SIMPLE ANONYMOUS UNAUTHENTICATED AND USER/PASWORD AUTHENTICATED

  24. SASL AN AUTHENTICATION FRAME WORK SNIFFING MECHANISMS LIKE CRAM-MD5 AND EXTERNAL

  25. CONCLUSION LDAP has broader applications, such as looking up services and devices on the Internet (and intranets). Netscape Communicator can store user preferences and bookmarks on an LDAP server. There is even a plan for linking all LDAP servers into a worldwide hierarchy, all searchable from your client. LDAP promises to save users and administrators time and frustration, making it easy for everyone to connect with people without frustrating searches for email addresses and other trivia. The LDAP protocol is both cross-platform and standards-based Most LDAP servers are simple to install, easily maintained, and easily optimized

  26. LDAP is particularly useful for storing information that you wish to read from many locations, but update infrequently If the answer to each of the following questions is Yes, then storing your data in LDAP is a good idea. Would you like your data to be available cross-platform? Do you need to access this data from a number of computers or applications? Do the individual records you're storing change a few times a day or less, on average? Does it make sense to store this type of data in a flat database instead of a relational database? That is, could you effectively store all the data for a given item in a single record? THANK YOU

More Related