SPARCS 10 seminar, 이대근 (harry): LDAP
Contents
• Directory Service
• What is LDAP?
• Installation
• Configuration
• ldap-utils
• User authentication with LDAP
Question
• How can an organization keep one centralized, up-to-date phone book that everybody has access to?
• How can SPARCS share login information among all of its servers?
Directory
• A directory is a mapping from names to values
• More than the directories of a file system
Directory: examples
• Dictionary: word → definition
• Telephone directory: name → phone number
• DNS: domain name → IP address
Directory service • The software system that stores, organizes and provides access to information in a directory
Directory service vs RDBMS
Directory service
• Read more often than written
• Data may be redundant if it helps performance
• Attribute constraints: Must / May
• Namespace (hierarchical)
Relational DBMS
• Written more often
• Data must be unique (in most cases)
• Column constraints: Not null / Nullable
X.500
• A series of computer networking standards covering electronic directory services
• Protocols
  • DAP: Directory Access Protocol
  • DSP: Directory System Protocol
  • DISP: Directory Information Shadowing Protocol
  • DOP: Directory Operational Bindings Management Protocol
LDAP
• Lightweight Directory Access Protocol, i.e. a lightweight DAP
• A protocol for accessing a directory service over TCP/IP
• Designed at the University of Michigan
Directory structure: file system (diagram)
Directory structure: LDAP (diagram)
Installation
• Server: apt-get install slapd
• Client: apt-get install ldap-utils
/etc/ldap/ldap.conf (slide title; the directives shown are those of the slapd server configuration, slapd.conf)
    include   /etc/ldap/schema/core.schema
    schemacheck on
    pidfile   /var/run/slapd/slapd.pid
    argsfile  /var/run/slapd.args
    loglevel  0
    database  bdb
    suffix    "dc=sparcs,dc=net"
    rootdn    "cn=DsnManager,dc=sparcs,dc=net"
    rootpw    {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R
slappasswd
• Nice tool to generate a hashed password
• Sample output: {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R
• You just need to copy and paste the output into the configuration file (rootpw)
Access Control List
• access to <ENTRY> by <DN> <PERMISSION> [ by <DN> <PERMISSION> ... ]
Access Control List: example (comments must sit on their own lines in slapd.conf)
    # No permission by default
    defaultaccess none
    # Grant permissions on all entries
    access to *
        # A user entry can modify itself
        by self write
        # An authenticated user can read
        by dn=".+" read
        # An anonymous user (empty DN) can read
        by dn="^$$" read
        # Otherwise grant no permission
        by * none
Access Control List: example
    access to dn=".*,dc=(.*),dc=(.*),dc=net" attrs=children,entry,uid
        by dn="cn=Administrator,dc=$1,dc=$2" write
Caution
• No blank after the separator (,) in a DN
  • dn="dc=example,dc=com" (correct)
  • dn="dc=example, dc=com" (wrong)
• An ACL is not overridden by a later one: the first "access to" whose target matches is the one applied
  • Detailed (specific) rules must therefore precede the general ones
• The more complicated the ACL, the slower the search results
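The ordering rule on the Caution slide is easy to get wrong, so here is an added Python model of how slapd evaluates the two ACLs shown on the slides (this is an illustration written for this page, not slapd's code): the first "access to" whose target and attribute list match is the only one consulted, the first matching "by" clause inside it decides, and a matched rule with no matching "by" clause denies. The DNs (a department under dc=example,dc=net and its Administrator) are constructed for the demonstration; the anonymous selector is written "^$" here.

```python
import re
from typing import List, Optional, Sequence, Tuple

# slapd's access levels in increasing order; a grant implies all lower levels.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed DNs for the demonstration (not from the slides).
HARRY = "cn=harry,dc=dept,dc=example,dc=net"
BOB = "cn=bob,dc=dept,dc=example,dc=net"
DEPT_ADMIN = "cn=Administrator,dc=dept,dc=example"
OTHER_ADMIN = "cn=Administrator,dc=other,dc=example"
ANONYMOUS = ""  # an unauthenticated bind has the empty DN


class AccessRule:
    """One 'access to <target> [attrs=...] by <who> <perm> ...' directive."""

    def __init__(self, target_dn_regex: str = ".*",
                 attrs: Optional[Sequence[str]] = None,
                 by: Sequence[Tuple[str, str]] = ()):
        self.target = re.compile(target_dn_regex, re.IGNORECASE)
        self.attrs = set(attrs) if attrs is not None else None  # None = whole entry
        self.by = list(by)  # ordered (who, permission) clauses


def slide_rules() -> List[AccessRule]:
    """The two ACLs from the slides, specific rule first as the Caution slide demands."""
    return [
        # access to dn=".*,dc=(.*),dc=(.*),dc=net" attrs=children,entry,uid
        #     by dn="cn=Administrator,dc=$1,dc=$2" write
        AccessRule(r".*,dc=(.*),dc=(.*),dc=net", attrs=["children", "entry", "uid"],
                   by=[("dn=cn=Administrator,dc=$1,dc=$2", "write")]),
        # access to * by self write by dn=".+" read by dn="^$" read by * none
        AccessRule(".*", by=[("self", "write"), ("dn=.+", "read"),
                             ("dn=^$", "read"), ("*", "none")]),
    ]


def _who_matches(who: str, requester: str, entry_dn: str, groups: Tuple[str, ...]) -> bool:
    """Evaluate one 'by <who>' selector against the requester's bind DN."""
    if who == "*":
        return True
    if who == "self":
        return requester != "" and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        pattern = who[3:]
        # $1, $2, ... expand to the groups captured by the target regex
        for i, g in enumerate(groups, start=1):
            pattern = pattern.replace(f"${i}", re.escape(g))
        return re.search(pattern, requester, re.IGNORECASE) is not None
    raise ValueError(f"unsupported selector {who!r}")


def check_access(rules: Sequence[AccessRule], default: str, entry_dn: str,
                 attr: str, requester: str, wanted: str) -> bool:
    """True if requester gets at least `wanted` on `attr` of `entry_dn`.

    The first rule whose target (and attrs) match is the only one consulted;
    inside it the first matching 'by' clause decides, and if none matches the
    request is denied. Only when no rule matches at all does `default` apply.
    """
    wanted_level = LEVELS.index(wanted)
    for rule in rules:
        m = rule.target.search(entry_dn)
        if m is None or (rule.attrs is not None and attr not in rule.attrs):
            continue
        for who, perm in rule.by:
            if _who_matches(who, requester, entry_dn, m.groups()):
                return LEVELS.index(perm) >= wanted_level
        return False
    return LEVELS.index(default) >= wanted_level


if __name__ == "__main__":
    rules = slide_rules()
    print("admin writes uid:", check_access(rules, "none", HARRY, "uid", DEPT_ADMIN, "write"))
    print("same, rules reversed:",
          check_access(list(reversed(rules)), "none", HARRY, "uid", DEPT_ADMIN, "write"))
```

Two things the model makes visible: with the rules reversed, the general "access to *" swallows every request and the department Administrator never gets write on uid; and because the specific rule has no "by self" or "by *" clause, harry cannot even read his own uid attribute, since a rule that matches the target but no requester denies rather than falling through.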
ldap-utils
• Common usage: <command> -D <Bind DN> -W -f <LDIF_FILE_PATH>
  • -D: the DN to bind as, -W: prompt for its password, -f: the LDIF file to process
ldapadd
• Start the record with the entry's DN: dn: dc=mydomain,dc=com
• Declare which object classes (schema) the entry uses: objectClass: dcObject
• Describe all 'Must' attributes of those classes: dc: mydomain (the value must equal the RDN value)
ldapadd: example (LDIF)
    dn: dc=mydomain,dc=com
    objectClass: top
    # dcObject is an auxiliary class, so a structural class such as organization is also required
    objectClass: dcObject
    objectClass: organization
    dc: mydomain
    o: mydomain
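The ldapadd slides list the rules slapd enforces on a new entry; the added Python example below (written for this page, not part of the slides or of ldap-utils) parses a small LDIF record and checks those rules before anything is sent to the server: the dn line comes first, the RDN value is present as an attribute value, every MUST attribute of the declared object classes is supplied, a structural class is present, and no attribute outside MUST/MAY is used. The schema table covers only the classes used here (taken from core.schema), and the LDIF text is the slide's record as printed next to a corrected version.

```python
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values, in file order

# MUST/MAY lists for the classes used here, as in OpenLDAP's core.schema
# (objectClass itself is checked separately, so top needs no MUST entry).
SCHEMA = {
    "top":          {"kind": "abstract",   "must": set(),        "may": set()},
    "dcobject":     {"kind": "auxiliary",  "must": {"dc"},       "may": set()},
    "organization": {"kind": "structural", "must": {"o"},        "may": {"description"}},
    "person":       {"kind": "structural", "must": {"sn", "cn"},
                     "may": {"userpassword", "telephonenumber", "seealso", "description"}},
}

# The record as printed on the slide (objectclass before dn, dc not equal to the RDN value).
SLIDE_LDIF = """objectclass: dcobject
dn: dc=mydomain,dc=com
dc: database
"""

# The same entry in a form slapd accepts.
FIXED_LDIF = """dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: mydomain
o: mydomain
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries. Handles comments, blank-line record separators,
    folded lines (leading space) and '::' base64 values."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # folded continuation line
            else:
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def validate(entry: Entry) -> List[str]:
    """Return the problems slapd would reject the entry for (empty list = clean)."""
    problems: List[str] = []
    if "dn" not in entry:
        return ["record has no dn"]
    if next(iter(entry)) != "dn":
        problems.append("dn must be the first line of the record")
    dn = entry["dn"][0]
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_value not in entry.get(rdn_attr.lower(), []):
        problems.append(f"naming attribute {rdn_attr}={rdn_value} is not present as an attribute value")
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not classes:
        problems.append("no objectClass")
    must, may, structural = set(), set(), False
    for c in classes:
        spec = SCHEMA.get(c)
        if spec is None:
            problems.append(f"unknown objectClass {c}")
            continue
        must |= spec["must"]
        may |= spec["may"]
        structural = structural or spec["kind"] == "structural"
    if classes and not structural:
        problems.append("no structural objectClass (e.g. organization); slapd rejects the entry")
    for a in sorted(must - set(entry)):
        problems.append(f"MUST attribute {a} missing")
    for a in entry:
        if a not in ("dn", "objectclass") and a not in must | may:
            problems.append(f"attribute {a} not allowed by the entry's objectClasses")
    return problems


if __name__ == "__main__":
    for text in (SLIDE_LDIF, FIXED_LDIF):
        print(validate(parse_ldif(text)[0]) or "OK")
```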
ldapsearch: filters
• (cn=harry): equality
• (cn=h*): substring (wildcard) match
• (cn~=pipe): approximate (phonetic) match
• (cn>=harry): ordering match
• (&(cn=h*)(cn=*y)): AND
• (|(cn=h*)(cn=*y)): OR
• (!(cn=harry)): NOT
ldapsearch: example
• sn=Daniels
• givenname=Charlene
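To make the filter syntax on the slide concrete, here is an added Python parser and evaluator for these filters (an illustration written for this page, not code from the slides or from ldapsearch), run over a constructed in-memory directory of five cn values. Equality and substring matching follow caseIgnoreMatch semantics; slapd's approximate match uses a phonetic algorithm, which is replaced here by a crude stand-in (letters only, case-folded, vowels after the first letter dropped), and escaped values are not supported.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed directory contents for the demonstration (not from the slides).
DIRECTORY: List[Entry] = [
    {"cn": ["alice"]}, {"cn": ["harry"]}, {"cn": ["hodduc"]},
    {"cn": ["pipe"]}, {"cn": ["sally"]},
]


def parse_filter(s: str):
    """Parse an RFC 4515 style filter into a nested tuple tree.

    Supported: (attr=value) with '*' wildcards and presence (attr=*), ~=, >=, <=,
    and the &, |, ! combinators. Escaped values (\\2a etc.) are not handled,
    so a ')' inside a value is not supported.
    """
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _parse(s: str, pos: int):
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(s):
        raise ValueError("unterminated filter")
    op = s[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    if op == "!":
        child, pos = _parse(s, pos + 1)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("!", child), pos + 1
    end = s.find(")", pos)
    if end < 0:
        raise ValueError("unterminated filter item")
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)", s[pos:end])
    if m is None:
        raise ValueError(f"bad filter item {s[pos:end]!r}")
    attr, cmp, value = m.groups()
    return (cmp, attr.lower(), value), end + 1


def _approx_key(v: str) -> str:
    """Crude stand-in for slapd's phonetic approximate match."""
    letters = [c for c in v.lower() if c.isalpha()]
    return "".join(letters[:1] + [c for c in letters[1:] if c not in "aeiou"])


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1], entry)
    cmp, attr, pattern = node
    values = [v.lower() for v in entry.get(attr, [])]
    p = pattern.lower()
    if cmp == "=":
        if p == "*":  # presence filter
            return bool(values)
        regex = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
        return any(re.match(regex, v) for v in values)
    if cmp == ">=":
        return any(v >= p for v in values)
    if cmp == "<=":
        return any(v <= p for v in values)
    return any(_approx_key(v) == _approx_key(p) for v in values)  # ~=


def search(filter_str: str, entries: List[Entry] = DIRECTORY) -> List[str]:
    """Return the cn values of the entries matching the filter, sorted."""
    node = parse_filter(filter_str)
    return sorted(e["cn"][0] for e in entries if matches(node, e))


if __name__ == "__main__":
    for f in ["(cn=harry)", "(cn=h*)", "(&(cn=h*)(cn=*y))", "(|(cn=h*)(cn=*y))", "(!(cn=harry))"]:
        print(f, search(f))
```

Because the parser rejects anything that does not fit the grammar, it also shows why applications must escape user input before embedding it in a filter: a value containing "(" or ")" either fails to parse or changes the filter's structure.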
ldapmodify
• Declare which entry you want to modify: dn: cn=harry,dc=sparcs,dc=org
• State what kind of change will occur: changetype: modify / add / delete
• (if changetype: modify) State what kind of modification will occur: replace: cn / add: sn / delete: sn
• Enter the value of the attribute if necessary: cn: hodduc
ldapmodify: example (LDIF)
    dn: cn=harry,dc=sparcs,dc=org
    changetype: modify
    replace: cn
    cn: hodduc
• Note: cn is the naming attribute of this entry, so a replace that drops the value harry is refused by slapd as a naming violation; renaming an entry is ldapmodrdn's job
ldapmodrdn
• Declare which entry you want to rename (its current DN)
• Enter the new RDN
ldapmodrdn: example
    cn=harry,dc=sparcs,dc=org    (current DN)
    cn=noname                    (new RDN)
Client
• apt-get install libnss-ldap libpam-ldap nss-updatedb nscd ldap-auth-client
• Configuration files
  • /etc/ldap.conf
  • /etc/auth-client-config/profile.d/ldap-auth-config
  • /etc/pam.d/
  • /etc/nsswitch.conf
Server
• Automatic migration tools: apt-get install migrationtools
Web sites & documentation
• http://wiki.kldp.org/wiki.php/LDAP-Tips
  • Nice Korean document explaining how to configure LDAP authentication
• http://50001.com/sub/down/ldap.doc
  • Also a nice Korean document explaining general usage of LDAP
I'm very sleepy. Thank you.