
OpenLDAP Directory Administration Replacing NIS



  1. OpenLDAP Directory Administration: Replacing NIS

  2. Table of Contents
  • Introduction
  • More about NIS
  • Schemas for Information Services
  • Information Migration
  • The pam_ldap Module
  • The nss_ldap Module
  • OpenSSH, PAM, and NSS
  • Authorizing Through PAM
  • Netgroups
  • Security
  • Automount Maps
  • PADL's NIS/LDAP Gateway


  4. Introduction
  • This chapter: how to replace Sun's Network Information Service (NIS) with LDAP
  • NIS is used for centralized management of:
    • user information
    • passwords
    • hostnames
    • IP addresses
    • automount maps (control mounting of remote filesystems)
    • other administrative information
  • Note that there are alternatives to NIS and LDAP
  • General approach:
    • get the information you want to share into the directory
    • get clients to use the directory
    • disable the old information-sharing mechanism

  5. Introduction (cont.)
  • Two fundamental strategies:
    • Setting up an NIS/LDAP gateway
      • An NIS server that accepts NIS queries
      • Retrieves answers from an LDAP directory
      • No client modifications required
    • Making a complete transition to LDAP
      • Install LDAP libraries and modules on all clients
      • Disable all NIS lookups on clients
      • e.g. the PAM and NSS LDAP modules released by PADL Software under the LGPL
  • Either way, we need to define the attribute types and object classes needed to move the information served by NIS into an LDAP directory
  • PAM and NSS allow for transparent upgrades from NIS to LDAP


  7. More about NIS
  • Most commonly used to distribute system password and account maps to client machines
  • Other files are also possible (/etc/hosts, /etc/services, /etc/group, /etc/networks, ...)
  • The master copy of any shared data always resides on a master server and is distributed to slave servers
  • The NIS master acts as the directory system agent (DSA)
  • Flat namespace, e.g. the passwd.byname map
  • To work around this: group machines into NIS domains
  • Different NIS domains are different directories, but may be served by the same server
  • LDAP: hierarchical namespace

  8. More about NIS (cont.)
  Comparing Namespaces (diagram)
  • NIS namespace: one flat map per domain, so YP:domain1.com and YP:domain2.com each hold their own jerry:##:... entry
  • LDAP namespace: a tree rooted at dc=plainjoe,dc=org with the containers ou=sales and ou=engr, holding uid=jerry,ou=sales,... and uid=jerry,ou=engr,...


  10. Schemas for Information Services
  • RFC 2307 - “An Approach for Using LDAP as a Network Information Service”
  • Note: has recently been updated in an Internet-Draft by the LDAPbis working group
  • Defines the attribute types and object classes needed to use an LDAP directory as a replacement for NIS
  • Despite its experimental status, supported by many vendors: Sun, OpenLDAP, Apple, HP, PADL
  • Lengthy list of attribute types and object classes

  11. Schemas for Information Services (cont.)
  How to migrate all user accounts and groups into OpenLDAP (slapd.conf):
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/nis.schema
    pidfile /var/run/slapd.pid
    argsfile /usr/run/slapd.args
    loglevel 256
    TLSCipherSuite 3DES:RC4:EXPORT40
    TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/slapd-private-key.pem
    database bdb
    suffix "dc=plainjoe,dc=org"
    rootdn "cn=Manager,dc=plainjoe,dc=org"
    rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
    directory /var/ldap/plainjoe.org
    mode 0600
    index objectClass eq
    index cn,uid eq
    index uidNumber eq
    index gidNumber eq
  • nis.schema depends on core.schema and cosine.schema, which is why all three are included, in that order
  • Note: the TLSCipherSuite value above admits RC4 and 40-bit export ciphers, both long since broken; a current deployment should restrict the suite to strong ciphers

  12. Schemas for Information Services (cont.)
  Relationships between the posixAccount Object Class and an Entry from the /etc/passwd File
  • /etc/passwd entry: gcarter:KpP.s/mnFoEoI:780:100:Gerald Carter:/home/gcarter:/bin/bash
  • Required attributes: objectClass: posixAccount, cn, uid, uidNumber, gidNumber, homeDirectory
  • Optional attributes: userPassword, gecos, loginShell, description
  • Field mapping: uid=gcarter, userPassword=KpP.s/mnFoEoI, uidNumber=780, gidNumber=100, cn/gecos=Gerald Carter, homeDirectory=/home/gcarter, loginShell=/bin/bash

  13. Schemas for Information Services (cont.)
  Relationships between the posixGroup Object Class and an Entry from the /etc/group File
  • /etc/group entry: admin:*:101:gcarter
  • Required attributes: objectClass: posixGroup, cn, gidNumber
  • Optional attributes: userPassword, memberUid, description
  • Field mapping: cn=admin, userPassword=* (no group password), gidNumber=101, memberUid=gcarter

  14. Schemas for Information Services (cont.)
  Relationships between the shadowAccount Object Class and an Entry from the /etc/shadow File
  • /etc/shadow entry: gcarter:LnMJ/n2rQsR.c:11276:0:99999:7:-1:-1:134540300
  • Required attributes: objectClass: shadowAccount, uid
  • Optional attributes: userPassword, shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire, shadowFlag, description
  • Field mapping: uid=gcarter, userPassword=LnMJ/n2rQsR.c, shadowLastChange=11276, shadowMin=0, shadowMax=99999, shadowWarning=7, shadowInactive=-1, shadowExpire=-1, shadowFlag=134540300


  16. Information Migration
  • PADL Software has a set of Perl scripts designed to convert various /etc/ system files into LDIF format
    • http://www.padl.com/OSS/MigrationTools.html
  • Customize the migrate_common.ph script to fit your network settings, e.g. the $DEFAULT_BASE variable
  • Currently supported:
    • /etc/fstab (ou=Mounts)
    • /etc/hosts (ou=Hosts)
    • /etc/group (ou=Group)
    • /etc/protocols (ou=Protocols)
    • /etc/passwd & /etc/shadow (ou=People)
    • /etc/rpc (ou=Rpc)
    • /etc/services (ou=Services)
    • /etc/networks (ou=Networks)
    • netgroups (ou=Netgroups)
  • e.g.:
    # ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
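  The passwd/shadow conversion that migrate_passwd.pl performs, written out as an added Python example (not PADL's script and not part of the original slides) that builds the posixAccount and shadowAccount entries described on slides 12 and 14; the base DN, the ou=People container and the sample records are constructed here, and locked accounts get no userPassword so they cannot bind after migration.

```python
# Added example (not PADL's migrate_passwd.pl): turn /etc/passwd and
# /etc/shadow records into RFC 2307 posixAccount + shadowAccount LDIF.
# The base DN and the sample records are constructed for this example.
import base64

DEFAULT_BASE = "dc=plainjoe,dc=org"          # assumed; mirrors $DEFAULT_BASE
PEOPLE_OU = "ou=People," + DEFAULT_BASE

# Constructed sample records; the hashes are placeholders, not real secrets.
PASSWD_LINES = [
    "gcarter:x:780:100:Gerald Carter:/home/gcarter:/bin/bash",
    "jerry:x:782:782:Jerry Carter:/home/queso/jerry:/bin/bash",
]
SHADOW_LINES = [
    "gcarter:LnMJ/n2rQsR.c:11276:0:99999:7:::",
    "jerry:!!:11276:0:99999:7:::",               # locked account
]
SHADOW_FIELDS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag")

def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode when RFC 2849 requires it."""
    if value.startswith((" ", ":", "<")) or not value.isascii():
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"

def parse_shadow(lines):
    """Map user name -> (password hash, the seven ageing fields as strings)."""
    table = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        table[fields[0]] = (fields[1], fields[2:9])
    return table

def passwd_to_ldif(passwd_lines, shadow_lines, people_ou=PEOPLE_OU):
    """Return one LDIF entry (a string) per /etc/passwd record."""
    shadow = parse_shadow(shadow_lines)
    entries = []
    for line in passwd_lines:
        user, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
        attrs = [f"dn: uid={user},{people_ou}", f"uid: {user}",
                 ldif_attr("cn", gecos or user), "objectClass: account",
                 "objectClass: posixAccount", "objectClass: top",
                 f"uidNumber: {uid}", f"gidNumber: {gid}",
                 f"homeDirectory: {home}"]
        if shell:
            attrs.append(f"loginShell: {shell}")
        if gecos:
            attrs.append(ldif_attr("gecos", gecos))
        if user in shadow:              # 'x' in passwd: the hash lives in shadow
            pw, ageing = shadow[user]
            attrs.append("objectClass: shadowAccount")
            attrs += [f"{n}: {v}" for n, v in zip(SHADOW_FIELDS, ageing) if v]
        # Locked ('!'/'*') or empty hashes get no userPassword at all, so the
        # migrated account cannot be used for a simple bind.
        if pw and pw != "x" and not pw.startswith(("!", "*")):
            attrs.append(f"userPassword: {{crypt}}{pw}")
        entries.append("\n".join(attrs))
    return entries
```

  Joining the returned entries with a blank line gives a file that ldapadd accepts; empty ageing fields are omitted rather than written as empty attribute values, which slapd would reject.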


  18. The pam_ldap Module
  • Pluggable Authentication Modules (PAM) are implemented as shared libraries that distance applications from the details of account data storage, the mechanisms used to authenticate users, and service authorization processes
  • The pam_ldap module was developed by PADL Software
    • Supported on Linux, FreeBSD, HP-UX, Mac OS 10.2, Solaris
    • http://www.padl.com/OSS/pam_ldap
  • Compilation not discussed here
  • Makes use of configuration parameters in /etc/ldap.conf

  19. The pam_ldap Module (cont.)
  ldap.conf Parameters Shared by pam_ldap & nss_ldap (table not reproduced in the transcript)

  20. The pam_ldap Module (cont.)
  ldap.conf Parameters Used by pam_ldap (table not reproduced in the transcript)

  21. The pam_ldap Module (cont.)
  • The pam_ldap module must be able to locate the directory server
    • Must be specified in /etc/ldap.conf
    • (nss_ldap can also do a DNS query; see later)
  • Example /etc/ldap.conf:
    uri ldap://ldap.plainjoe.org/
    ldap_version 3
    base dc=plainjoe,dc=org
    scope sub
    timelimit 30
    # binddn
    # bindpw
    pam_login_attribute uid
    pam_filter objectclass=posixAccount
  • Results in this search when gcarter logs in: (&(objectClass=posixAccount)(uid=gcarter))


  23. The nss_ldap Module
  • The Name Service Switch (NSS) is similar to PAM, except that it only provides a mechanism for information retrieval
  • PADL Software's nss_ldap module
    • Supported on AIX, HP-UX, Linux and Solaris; not on FreeBSD and Mac OS 10.2 (unlike the pam_ldap module)
    • Compilation of the module not discussed here
    • /lib/libnss_ldap.so on Linux
    • /lib/nss_ldap.so on Solaris
  • Uses the /etc/ldap.conf configuration file, which must therefore be readable by every process that resolves names (dangerous when it contains binddn & bindpw information, since any local user can then read those credentials)
  • To configure NSS to use LDAP, add the keyword ldap to the appropriate lines in /etc/nsswitch.conf

  24. The nss_ldap Module (cont.)
  • Currently supported: passwd, group, hosts, services, networks, protocols, rpc, ethers, netgroups
  • Currently unsupported: netmasks, bootparams, publickey, automount

  25. The nss_ldap Module (cont.)
  • Example /etc/nsswitch.conf file:
    passwd: files ldap
    shadow: files ldap
    group:  files ldap
  • Parameters (ldap.conf) that affect load on LDAP servers; the ?one suffix limits each search to one level below the base instead of a full subtree search:
    nss_base_passwd ou=people,dc=plainjoe,dc=org?one
    nss_base_shadow ou=people,dc=plainjoe,dc=org?one
    nss_base_group  ou=group,dc=plainjoe,dc=org?one
  • Testing the configuration:
    $ getent passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    ...
    gcarter:x:780:100:G. Carter:/home/queso/gcarter:/bin/bash
    jerry:x:782:782:Jerry Carter:/home/queso/jerry:/bin/bash
  • The gcarter and jerry lines of this output are retrieved from the LDAP server; the earlier lines come from the local files consulted first

  26. The nss_ldap Module (cont.)
  ldap.conf Parameters Used by nss_ldap (table not reproduced in the transcript)

  27. The nss_ldap Module (cont.)
  LDIF listing for gcarter:
    dn: uid=gcarter,ou=People,dc=plainjoe,dc=org
    uid: gcarter
    cn: Gerald (Jerry) Carter
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    loginShell: /bin/bash
    uidNumber: 780
    gidNumber: 100
    homeDirectory: /home/queso/gcarter
    userPassword: {crypt}GoYLwzMD6cuZE
  • Because of the shadowAccount object class, getent returns an “x” in the password field
  • Without this class, the second field of the getent output would have been the password hash (assuming the directory returned it)


  29. OpenSSH, PAM, and NSS
  • Once pam_ldap and nss_ldap have been installed and /etc/ldap.conf has been configured, we can configure individual services to use LDAP
  • We will cover OpenSSH as an example
  • /etc/pam.d/sshd (the session module is ignored by pam_ldap):
    auth     required   /lib/security/pam_nologin.so
    auth     sufficient /lib/security/pam_ldap.so
    auth     required   /lib/security/pam_unix.so shadow nullok use_first_pass
    account  sufficient /lib/security/pam_ldap.so
    account  required   /lib/security/pam_unix.so
    password required   /lib/security/pam_cracklib.so
    password required   /lib/security/pam_unix.so nullok use_authtok shadow
    session  required   /lib/security/pam_unix.so
    session  optional   /lib/security/pam_console.so


  31. Authorizing Through PAM
  • Two means of restricting access to a host, independent of any other PAM modules (e.g. pam_nologin.so):
    • One host and a group of users: specify a group of users who are allowed to use a particular host
    • One user and a group of hosts: specify the machines that any given user is allowed to access

  32. Authorizing Through PAM (cont.)
  One Host and a Group of Users
  • Specify a group of users who are allowed to use a particular host
  • The host entry for the machine can be extended to include a list of DNs for the users (member) that are authorized to log in via pam_ldap
  • e.g. LDIF:
    dn: cn=pogo,ou=hosts,dc=plainjoe,dc=org
    objectClass: ipHost
    objectClass: device
    objectClass: extensibleObject
    ipHostNumber: 192.168.1.75
    cn: pogo.plainjoe.org
    cn: pogo
    member: uid=gcarter,ou=people,dc=plainjoe,dc=org
    member: uid=kristi,ou=people,dc=plainjoe,dc=org
    member: uid=deryck,ou=people,dc=plainjoe,dc=org
  • Needed in /etc/ldap.conf:
    pam_groupdn cn=pogo,ou=hosts,dc=plainjoe,dc=org
    pam_member_attribute member

  33. Authorizing Through PAM (cont.)
  One User and a Group of Hosts
  • Specify the machines that any given user is allowed to access
  • The structural account object class must be present (done by the PADL migration scripts)
  • Only one attribute is required (uid); the host attribute determines access
  • account object class: required attributes: objectClass: account, uid; optional attributes: description, localityName, seeAlso, o, ou, host

  34. Authorizing Through PAM (cont.)
  One User and a Group of Hosts (cont.)
  • LDIF:
    dn: uid=gcarter,ou=people,dc=plainjoe,dc=org
    uid: gcarter
    cn: Gerald (Jerry) Carter
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    loginShell: /bin/bash
    uidNumber: 780
    gidNumber: 100
    homeDirectory: /home/queso/gcarter
    userPassword: {crypt}GoYLwzMD6cuZE
    host: queso.plainjoe.org
    host: pogo.plainjoe.org
    host: tumnus.plainjoe.org
  • This must be enabled in /etc/ldap.conf:
    pam_check_host_attr yes


  36. Netgroups
  • Allow machines and/or users to be collected together for various administrative tasks, e.g. grouping machines for use in the tcp_wrappers files (/etc/hosts.allow & /etc/hosts.deny)
  • e.g. hosts.deny:
    sshd: ALL
  • e.g. hosts.allow:
    sshd: @sysadmin
  • Example netgroups:
    sysadmin      (garion.plainjoe.org,-,-) (silk.plainjoe.org,-,-)
    all_sysadmins sysadmin secure_clients
  • RFC 2307 describes the structural nisNetgroup object class
  • Note: test via “getent netgroup groupname”

  37. Netgroups (cont.)
  The nisNetgroup Object Class
  • Required attributes: objectClass: nisNetgroup, cn
  • Optional attributes: nisNetgroupTriple, memberNisNetgroup, description
  Next Steps
  • Before adding any netgroups, we must create the container ou=netgroup:
    dn: ou=netgroup,dc=plainjoe,dc=org
    objectClass: organizationalUnit
    ou: netgroup

  38. Netgroups (cont.)
  Next Steps (cont.)
  • Converting the existing netgroup file:
    $ ./migrate_netgroup.pl /etc/netgroup
  • sysadmin netgroup:
    dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org
    objectClass: nisNetgroup
    objectClass: top
    cn: sysadmin
    nisNetgroupTriple: (garion.plainjoe.org,-,-)
    nisNetgroupTriple: (silk.plainjoe.org,-,-)
  • all_sysadmin netgroup:
    dn: cn=all_sysadmin,ou=netgroup,dc=plainjoe,dc=org
    objectClass: nisNetgroup
    objectClass: top
    cn: all_sysadmin
    memberNisNetgroup: sysadmin
    memberNisNetgroup: secure_clients
  • Change required in /etc/ldap.conf:
    nss_base_netgroup ou=netgroup,dc=plainjoe,dc=org
  • /etc/nsswitch.conf:
    netgroup: ldap
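  How the netgroup rule “sshd: @sysadmin” and the two pam_ldap host checks of slides 32 and 34 are actually decided, as an added Python example that is not the page's or PADL's code: the netgroup entries are constructed inline (secure_clients is not defined on the page, so its triple is invented here), the resolver follows the traditional NIS convention that an empty triple field is a wildcard and “-” matches nothing, and it guards against netgroups that reference themselves.

```python
# Added example (not from the page or PADL): resolve RFC 2307 netgroups the
# way innetgr(3) does and apply the two pam_ldap host checks above. The
# netgroup entries are constructed inline instead of being read from slapd.
import re

# Constructed netgroup entries keyed by cn, shaped like the LDIF above;
# secure_clients is not defined on the page, so its triple is invented here.
NETGROUPS = {
    "sysadmin": {"nisNetgroupTriple": ["(garion.plainjoe.org,-,-)",
                                       "(silk.plainjoe.org,-,-)"],
                 "memberNisNetgroup": []},
    "secure_clients": {"nisNetgroupTriple": ["(pogo.plainjoe.org,gcarter,)"],
                       "memberNisNetgroup": []},
    "all_sysadmin": {"nisNetgroupTriple": [],
                     # self-reference on purpose: the resolver must not loop
                     "memberNisNetgroup": ["sysadmin", "secure_clients",
                                           "all_sysadmin"]},
}
TRIPLE = re.compile(r"^\(([^,]*),([^,]*),([^,)]*)\)$")

def match_field(pattern, value):
    """NIS convention: '' in a triple is a wildcard and '-' matches nothing;
    a value of None means the caller does not care about that field."""
    if value is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern.lower() == value.lower()

def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=None):
    """Recursive membership test with a cycle guard, like innetgr(3)."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in netgroups:   # unknown group => not a member
        return False
    seen.add(name)
    entry = netgroups[name]
    for triple in entry.get("nisNetgroupTriple", []):
        m = TRIPLE.match(triple)
        if not m:
            continue                 # malformed triple: ignore, never fail open
        h, u, d = m.groups()
        if match_field(h, host) and match_field(u, user) and match_field(d, domain):
            return True
    return any(innetgr(netgroups, sub, host, user, domain, seen)
               for sub in entry.get("memberNisNetgroup", []))

def hosts_allow_permits(netgroups, rule_netgroup, client_host):
    """Evaluate an 'sshd: @<netgroup>' tcp_wrappers rule for a client host."""
    return innetgr(netgroups, rule_netgroup, host=client_host)

def host_attr_permits(account_hosts, this_host):
    """pam_check_host_attr: the account entry must list this machine in its
    host attribute; an entry with no host values is denied everywhere."""
    return any(h.lower() == this_host.lower() for h in account_hosts)

def groupdn_permits(member_dns, user_dn):
    """pam_groupdn/pam_member_attribute: the host entry must list the user's
    DN (plain case-insensitive compare here, a simplification of DN matching)."""
    return user_dn.lower() in (dn.lower() for dn in member_dns)
```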


  40. Security
  • Discusses how security issues are addressed in pam_ldap and nss_ldap
  • First, determine what level of security is desired:
    • Protect passwords?
    • Protect usernames as well?
    • Clear-text passwords?
    • Clear text on the network?
  • LDAPv3 offers two mechanisms to protect passwords:
    • Use of SASL to support more secure methods of authentication (Kerberos 5, DIGEST-MD5)
      • Not currently supported by pam_ldap
    • Negotiating a secure transport layer to protect the information used in the bind request as well as other information
      • StartTLS & LDAPS support

  41. Security (cont.)
  • /etc/ldap.conf:
    ssl start_tls
  • Check with tcpdump or ethereal (sniffers) that the traffic really is encrypted
  • Other than encrypting the traffic, one must ensure that users have no access to obtain unauthorized information, e.g. the userPassword attribute
  • Two ACEs:
    access to dn=".*,dc=plainjoe,dc=org" attr=userPassword
        by self write
        by * auth
    access to dn=".*,dc=plainjoe,dc=org"
        by * read
  • The auth level is not the same as read access: a client can use userPassword to bind, but can never obtain its value
  • slapd evaluates access directives in order and stops at the first “access to” clause that matches, so the userPassword clause must appear before the general read clause


  43. Automount Maps
  • Look at autodaemon support
    • Linux's kernel-based autofs?
  • automount and automountMap object classes
    • However, Red Hat bases automounting on the nisObject and nisMap classes described in RFC 2307
    • RFC 2307bis will include new schema items
  • nisObject object class: required attributes: objectClass: nisObject, cn, nisMapEntry, nisMapName; optional attributes: description
  • nisMap object class: required attributes: objectClass: nisMap, nisMapName; optional attributes: description

  44. Automount Maps (cont.)
  • PADL's migration tools (migrate_automount.pl):
    $ grep src /etc/auto.opt
    src -rw,hard,intr queso.plainjoe.org:/export/u1/src
    $ ./migrate_automount.pl /etc/auto.opt /tmp/auto.opt.ldif
    $ cat /tmp/auto.opt.ldif
    dn: nisMapName=auto.opt,dc=plainjoe,dc=org
    objectClass: top
    objectClass: nisMap
    nisMapName: auto.opt

    dn: cn=src,nisMapName=auto.opt,dc=plainjoe,dc=org
    objectClass: nisObject
    cn: src
    nisMapEntry: -rw,hard,intr queso.plainjoe.org:/export/u1/src
    nisMapName: auto.opt
  • Informing the automounter (/etc/auto.master):
    /opt ldap:ldap1:nisMapName=auto.opt,dc=plainjoe,dc=org --timeout 300


  46. PADL's NIS/LDAP Gateway
  • ypldapd daemon
  • From the manpage: “ypldapd emulates the equivalent process ypserv by providing an RPC call-compatible interface. Rather than consulting ‘map’ files as ypserv does, however, ypldapd draws its data from LDAP databases”
  • In theory, allows an NIS domain to be replaced with a directory-based solution without any client machines being aware of the change
  • A 30-day trial version is available from the PADL site (http://www.padl.com/)
  • The PADL migration tools described earlier can be used for the migration

  47. PADL's NIS/LDAP Gateway (cont.)
  • Initial ypldapd.conf file:
    # NIS domain to serve
    ypdomain yp.plainjoe.org
    # LDAP server
    ldaphost 192.168.1.77
    # Search base
    basedn dc=plainjoe,dc=org
    # Enable caching
    caching on
    # Dump caches every half hour
    cache_dump_interval 30
    # Use default naming context mappings
    namingcontexts namingcontexts.conf
  • ypldapd may require a special privileged DN to use when it binds to the LDAP server
