CIT 470: Advanced Network and System Administration

transcript

CIT 470: Advanced Network and System Administration Slide #1

Accounts and Namespaces

Topics

1. Namespaces2. Policies: selection, lifetime, scope, security3. User Accounts4. Directories5. LDAP

NamespacesA namespace consists of

– A set of unique keys– A set of attributes associated with each key

Example– Key = Username– Attributes

• GECOS• Homedir• Shell• Password

Namespaces

Systems include many namespacesUser account names.E-mail addresses.Filesystem pathnames.Hostnames.IP addresses.Printer names.Service names.

Types of Namespaces

FlatNo duplicates may exist.Ex: usernames in /etc/passwd.

HierarchicalTree-structured namespace like DNS.Duplicates can exist.Ex: www.nku.edu and www.google.com

Namespace Problems

1. How to select names?2. How to avoid name collisions?3. How to ensure consistency?4. How to distribute names?

Name SelectionFunctional Names

mail hostname, /cit/470, student accountDescriptive names

geographic, print type, customer typeFormula-based Names

cvg0141 hostname, student0148 account Themed Names

constellations (orion, ursa, etc.)No Standard

Name Lifetime

When are names removed?Immediately after PC, user leaves org.Set time after resource is no longer in use.

When are names re-used?Immediately: functional names.Never.After a set time: usernames, email addresses.

Namespace ScopeGeographical scopes

– Local machine. (e.g., /etc/passwd.)– Local network.– Organization.– Global (e.g., DNS.)

Service scopes– Single username for UNIX, NT, RADIUS, e-mail, VPN?

Transferring scopes– Difficult without advance planning.– Some names may have to change.

Namespace Security

1. What are you trying to protect names from and why?

2. Do the names need to be protected or just the attributes?

3. Who can add, change, or delete records?4. Can the owner of a record change fields

within the record?

Example Namespace: Usernames

Selection policies– Descriptive: waldenj, jwalden– Decriptive + formulaic: waldenj1, jwalden0002

Scope– Use for every campus (avoids collisions.)– Use for every service (avoids collisions.)

Lifetime– Do not reuse until 1 year has passed since email

addresses derive from usernames.

One Big DatabaseCentralize namespace in one big database.

– Use SQL or LDAP to store entire namespace.Derive other namespaces from database.

– Program to generate UNIX accounts.– Program to generate NT accounts.– etc.

Advantages– Consistency– Ease of making changes, additions, deletions.

User Account Types

OS files– UNIX /etc/{passwd,shadow}– Windows SAM

Network service– NIS– LDAP– Kerberos– Active Directory– RADIUS

UNIX Accounts• Account Components

– Username– UID– Password– Home directory

• Account Files– /etc/passwd– /etc/shadow– /etc/group

• Account Management– Adding users– Removing and disabling users– Account/password policies

/etc/{passwd,shadow}

/etc/passwd– Username– UID– Default GID– GCOS– Home directory– Login shell

/etc/shadow– Username– Encrypted password– Date of last pw change.– Days ‘til change allowed.– Days `til change required.– Expiration warning time.– Expiration date.

Central file(s) describing UNIX user accounts.

student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bashstudent:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::

Username

Syntax– Each username must be unique.– Length limits (8 chars on old systems)– Any character except : or \n.

• Issues– Naming standards.– How to ensure that usernames are unique?– System uses UIDs internally.

UIDs• UIDs are 32-bit non-negative integers.• Standards

– Root is UID 0.– System accounts have low UIDs (<= 500)

• Uniqueness– Multiple usernames can have same UID!– Re-using UIDs may give away files to new user.– Distributed systems may require unique UIDs

across organizational boundaries.

Password

Syntax– Length: unlimited (MD5,SHA1), 8 chars (crypt)– Chars: anything except \n, though certain control

chars may be interpreted by system.

Stored in “encrypted” format.– Hashed: crypt, MD5, SHA1– Salted: 12-bit salt means 4096 different hashes

for each password

GID• GIDs are 32-bit non-negative integers.• Each user has a default GID.

– File group ownership set to default GID.– Temporarily change default GID: newgrp.

• Groups are described in /etc/group– Users may belong to multiple groups.– Format: group name, pw, GID, user list.– wheel:x:10:root,waldenj,bergs

Original use– Data for General Electric Comprehensive OS

Current use– User information.– Full name, location, phone number, e-mail.

Home Directory• User’s CWD at login time.• Typically where user stores all files.

Login Shell• Process started when user logs in.• Typically a shell like bash, tcsh, ksh, or zsh.

– System users may be different.– Disabled accounts have a noshell program.

Adding a User

1. Create account with adduser.2. Lock account until user arrives.3. User signs account agreement.4. Set passwd with passwd.

Adding a User1. Edit /etc/{passwd,shadow} with vipw.2. Set passwd with passwd command.3. Edit /etc/group to add groups.4. Create user home directory.

1. mkdir /home/studenta2. chown studenta.student /home/studenta3. chmod 755 /home/studenta

5. Copy default files from /etc/skel.bashrc, .Xdefaults, .xsession, etc.

6. Set e-mail aliases, disk quotas, etc.7. Verify that the account works.

Disabling an Account• Edit account configuration:

– Place * in front of encrypted password.– Replace shell with nologin program.

• Kill active logins and processes.

Removing a User1. Disable account.2. Change shared passwords (root, etc.)3. Kill active logins and processes.4. Remove from local databases/files.5. Remove from e-mail aliases.6. Remove mail spool (backup first.)7. Remove crontabs and pending jobs.8. Remove temporary files.9. Remove home directory (backup first.)10. Remove from passwd, shadow, and group.

What is a Directory?

Directory: A collection of information that is primarily searched and read, rarely modified.

Directory Service: Provides access to directory information.

Directory Server: Application that provides a directory service.

Directories vs. Databases

Directories are optimized for reading.– Databases balanced for read and write.

Directories are tree-structured.– Databases typically have relational structure.

Directories are usually replicated.– Databases can be replicated too.

Both are extensible data storage systems.Both have advanced search capabilities.

System Administration Directories

Types of directory data– Accounts– Mail aliases and lists (address book)– Cryptographic keys– IP addresses– Hostnames– Printers

Common directory services– DNS, LDAP, NIS

Advantages of Directories

Make administration easier.– Change data only once: people, accounts, hosts.

Unify access to network resources.– Single sign on.– Single place for users to search (address book)

Improve data management– Improve consistency (one location vs many)– Secure data through only one server.

NIS: Network Information Service

Originally called Sun Yellow Pages– Clients run ypbind– Servers run ypserv– Data stored under /var/yp on server.

Server shares NIS maps with clients– Each UNIX file may provide multiple maps– passwd: passwd.byname, passwd.byuid

Slave servers replicate master server content.Easy to use, but insecure, difficult to extend.

LDAPLightweight Directory Access Protocol

– Lightweight compared to X.500 directories.– Directory, not a database, service.– Access Protocol, not a directory itself.

LDAP Clients and ServersLDAP Clients

– Standalone directory browsers.– Embedded clients (mail clients, logins, etc.)– Cfg /etc/nsswitch.conf on UNIX to use LDAP.

Common LDAP servers– OpenLDAP– Fedora Directory Server (formerly Sun, Netscape)– Mac Open Directory– Microsoft ActiveDirectory– Novell eDirectory (NDS)

LDAP StructureAn LDAP directory is made of entries.

– Entries may be employee records, hosts, etc.Each entries consists of attributes.

– Attributes can be names, phone numbers, etc.– objectClass attribute identifies entry type.

Each attribute is a type / value pair.– Type is a label for the information stored (name)– Value is value for the attribute in this entry.– Attributes can be multi-valued.

Tree-structure of LDAP Directories

LDAP SchemasSchemas specify allowed objectClasses and attributes.

LDAP Interchange Format.– Standard text format for storing LDAP

configuration data and directory contents.

LDIF Files– Collection of entries separated by blank lines.– Mapping of attribute names to values.

Uses– Import new data into directory.– Export directory to LDIF files for backups.

LDIF Output Example

Distinguished NamesDistinguished Names (DNs)

– Uniquely identify an LDAP entry.– Provides path from LDAP root to the named entry.– Similar to an absolute pathname.– dn:cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org

Relative DNs (RDNs)– Any unique attribute pair in directory’s container.– ex: cn=Jeff Foo OR username=fooj– Similar to a relative pathname.– Except may have multiple components.– cn=Jane Smith+ou=Sales– cn=Jane Smith+ou=Engineering

LDAP Client/Server Interaction

1. Client requests to bind to server.2. Server accepts/denies bind request.3. Client sends search request.4. Server returns zero or more dir entries.5. Server sends result code with any errors.6. Client sends an unbind request.7. Server sends result code and closes socket.

LDAP Operations

Client Session Operations– Bind, unbind, and abandon

Query and Retrieval Operations– Search and compare

Modification Operations– Add, modify, modifyRDN, and delete

AuthenticationAnonymous Authentication

Binds with empty DN and password.Simple Authentication

Binds with DN and password. Cleartext.Simple Authentication over SSL/TLS

Use SSL to encrypt simple authentication.Simple Authentication and Security Layer

SASL is an extensible security scheme.SASL mechanisms: Kerberos, GSSAPI, SKEY

Distributed Directories• Use multiple LDAP servers.• Why distribute?

– Throughput• More servers can reduce load on any single server.

– Latency• Have local server serve local data to LAN.• Only use WAN for non-local data on other servers.

– Administrative Boundaries• Let each side administrate their own directory.

OpenLDAPOpen source LDAPv3 server.

– LDAP server: slapd– Client commands: ldapadd, ldapsearch– Backend storage: BerkeleyDB– Backend commands: slapadd, slapcat– Schemas: /etc/openldap/schema– Data: /var/lib/ldap

Configuration files– Client: /etc/openldap/ldap.conf– Server: /etc/openldap/slapd.conf

Building an OpenLDAP Server1. Install OpenLDAP.2. Configure LDAP for your domain.

Change suffix, rootdn, rootpw options.vim /etc/openldap/slapd.conf

3. Start serverImmediate: /sbin/service ldap startPermanent: /sbin/chkconfig --level 35 ldap on

4. Add data with ldapadd5. Verify functionality with ldapsearch

LDAP Authentication1. Configure server with schema + user data.2. Point clients to hostname and rootDN of svr.

/etc/ldap.conf and /etc/openldap/ldap.conf

3. Verify server access with ldapsearch4. Configure clients to use LDAP auth

/etc/nsswitch.confpasswd: files ldap shadow: files ldap group: files ldap

References1. Brian Arkills, LDAP Directories Explained: An Introduction and

Analysis, Addison-Wesley, 2003.2. Gerald Carter, LDAP System Administration, O’Reilly, 2003.3. J. Heiss, “Replacing NIS with Kerberos and LDAP,”

http://www.ofb.net/~jheiss/krbldap/, 2004.4. LDAP Howtos, Links, and Whitepapers, http://www.bind9.net/ldap/,

2005.5. http://www.ldapman.org/, 2005.6. Luiz Malere, “Linux LDAP HOWTO,”

http://www.tldp.org/HOWTO/LDAP-HOWTO/, 2004.7. OpenLDAP, OpenLDAP Administrator’s Guide,

http://www.openldap.org/devel/admin/, 2005.8. RedHat, Red Hat Enterprise Linux 4 Reference Guide, Chapter 13,

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/, 2005.

CIT 470: Advanced Network and System Administration

Documents