Post on 30-Dec-2015
transcript
LINSOL.ORG

Red Hat Enterprise Linux Variants
Server:
Red Hat Enterprise Linux Advanced Platform
Red Hat Enterprise Linux
Client:
Red Hat Enterprise Linux Desktop
with Workstation option
with Multi-OS option
with Workstation and Multi-OS options

Red Hat Network
A comprehensive software delivery, system management, and monitoring framework
Update Module: Provides software updates. Included with all Red Hat Enterprise Linux subscriptions
Management Module: Extended capabilities for large deployments
Provisioning Module: Bare-metal installation, configuration management, and multi-state configuration rollback capabilities
Monitoring Module: Provides infrastructure health monitoring of networks, systems, applications, etc.

Other Red Hat Supported Software
Red Hat Application Stack
JBoss Enterprise Middleware Suite
Red Hat Directory Server
Red Hat Certificate System
Red Hat Global File System

Objectives of RH423
Develop skills required to manage and deploy directory services on Red Hat Enterprise Linux systems
Gain a better understanding of PAM and user authentication on Red Hat Enterprise Linux

Audience and Prerequisites
Audience: Senior Red Hat Linux and Red Hat Enterprise Linux system administrators and other IT professionals who need to provide enterprise-wide authentication or information services
Prerequisites: RHCE certification or comparable skills and knowledge

Classroom Network
example.com network (192.168.0.0/24)
server1.example.com (192.168.0.254)
Main classroom server: Provides DHCP, DNS, routing and other services
stationX.example.com (192.168.0.X)
Student systems
serverX+100.example.com (192.168.0.X+100)
Virtual server hosted on student stations
serverX+200.example.com (192.168.0.X+200)
Secondary virtual server hosted on student stations

Notes on Internationalization
Red Hat Enterprise Linux supports nineteen languages
Default language can be selected:
During installation
With system-config-language
System -> Administration -> Language
Alternate languages can be used on a per-command basis:
$ LANG=en_US.UTF-8 date
Language settings are stored in /etc/sysconfig

Objectives
Upon completion of this unit, you should be able to:
Explain what a directory service is
Explain the history of LDAP and X.500
Understand the LDAP information model
Read and write simple LDIF
Explore issues

What is a Directory?
A directory is a specialized database that normally stores small pieces of information
Special-purpose directories are common:
A telephone book is a directory of names to telephone numbers
DNS is a directory of host names to IP addresses
NIS is a directory of system information; username to password file data, name to e-mail alias, mount point to device, and so on

Ideal Directory Data
Small pieces of information will be stored
Potentially many small pieces of information
Data will be frequently read but rarely written
Individual entries are based on collections of attributes (phone number, address, etc.)
Information will need to be searched for or looked up by multiple client users

Uses of a Directory
Look up e-mail addresses and contact information in mail clients and web browsers
Manage and synchronize user authentication centrally from a network server
Centrally coordinate informational databases used by various network services
Store and search for arbitrary data

X.500 Directory Service
General-purpose directory service designed by ISO and CCITT starting in the 1980s
The Directory: a fully-connected global directory, information organized in a tree
Flexible information model
Intended for "white pages" telephone and X.400 e-mail directories, OSI name service
DAP: client/server communication protocol

X.500 Problems
X.500 (and DAP) is complex and resource hungry to implement
The standards process did not require test implementations to prove feasibility!
Early implementations were slow, buggy, and did not interoperate well
X.500 is tied to the OSI network model
The Internet is based on TCP/IP, not OSI
Deployment was therefore slow

Lightweight Directory Access Protocol
Originally for use by desktop computer clients
LDAP improves X.500 DAP in several ways:
Uses TCP transport in place of OSI networking
Simplifies protocol to nine basic operations
Uses a subset of X.500 message encoding rules
Data elements are simple text strings

LDAP Directory Service
Initial ldapd daemon acted as a gateway
In 1995, the UMich LDAP group realized over 99% of X.500 queries came through ldapd
A standalone LDAP daemon (slapd) replaced ldapd and the X.500 service
Removed overhead of LDAP-to-DAP translation
Improved performance and reduced directory service complexity

LDAP Models
Information Model
How individual entries in the directory are structured
Naming Model
Where entries are stored in the hierarchical directory tree
Functional Model
What operations can be performed on the directory
Security Model
How directory information is protected from unauthorized access

Information Model
An entry stores information about an object of interest in the directory
The basic unit of information storage
Each entry is made up of attributes which describe characteristics of the object
Each attribute in an entry has a type and takes one or more values
The unique distinguished name of an entry is based on one of its attributes

Directory Schema
The schema defines rules on what attributes can be used in which entries and how their values are formatted and compared
Keeps directory data consistent and useful
Reduces redundant or inappropriate information stored in entries
Constraints on size and format help avoid bogus data values being assigned to attributes

Commonly Seen Attributes
dn    The unique DN identifying the entry
cn    The entry's common name (full name)
sn    The surname (last name) of a user
uid   Login name
c     Two letter country code
o     Name of an organization
ou    Name of an organizational unit
mail  Internet e-mail address

Object Classes
An object class groups related information
Defines which attributes are mandatory and which are permitted in an entry
objectclass attributes specify which object classes an entry belongs to
There are different kinds of object classes
An entry must have one structural object class
An entry may add one or more additional auxiliary object classes

Derived Object Classes
An object class may be a subclass derived from another object class
The derived class inherits the required and optional attribute lists from its superclass
The derived class may then add additional required and optional attributes

Sample Entry in LDIF Form
dn: dc=ds,dc=nust,dc=com
objectclass: dcObject
objectclass: top
dc: ds

dn: ou=People,dc=ds,dc=nust,dc=com
objectclass: organizationalUnit
objectclass: top
ou: People

Troubleshooting an LDIF Entry
Does the RDN match an attribute-value pair?
Is there exactly one structural class, not counting parent superclasses?
Do all mandatory attributes have a value?
Are there any attributes set which the object class or classes for this entry do not allow?
Do any single-value attributes have multiple values?

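The checklist above can be mechanized. The following is an added example, not code from the course, that reads LDIF and applies the five questions against a small hand-copied subset of the standard schema (the SCHEMA table and SINGLE_VALUED set are assumptions taken from the RFC 4519 and RFC 2798 definitions, not a complete schema). The constructed input holds the two entries from the sample slide, a corrected root entry, and a person entry with two deliberate defects. Run against the sample slide's root entry it reports that no structural class is present, because dcObject is an auxiliary class; that is exactly what the second question on the checklist catches, and pairing dcObject with domain (as in the corrected entry) resolves it.

```python
"""Added example: a small LDIF reader plus the five checks from the
'Troubleshooting an LDIF Entry' checklist, run against a hand-written
subset of the standard schema. Not a full schema engine."""
import base64
import re

# Schema subset. Assumption: copied by hand from the RFC 4519 / RFC 2798
# definitions; 'kind' is abstract, structural or auxiliary, 'sup' the superclass.
SCHEMA = {
    "top":                  {"kind": "abstract",   "sup": None,  "must": {"objectclass"}, "may": set()},
    "domain":               {"kind": "structural", "sup": "top", "must": {"dc"}, "may": {"description", "o", "l"}},
    "dcobject":             {"kind": "auxiliary",  "sup": "top", "must": {"dc"}, "may": set()},
    "organizationalunit":   {"kind": "structural", "sup": "top", "must": {"ou"}, "may": {"description", "l", "st"}},
    "person":               {"kind": "structural", "sup": "top", "must": {"sn", "cn"},
                             "may": {"userpassword", "telephonenumber", "description"}},
    "organizationalperson": {"kind": "structural", "sup": "person", "must": set(), "may": {"ou", "l", "st", "title"}},
    "inetorgperson":        {"kind": "structural", "sup": "organizationalperson", "must": set(),
                             "may": {"uid", "mail", "givenname", "displayname"}},
}
# Attributes declared SINGLE-VALUE in the standard schema (subset).
SINGLE_VALUED = {"dc", "c", "displayname"}

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of entries; each entry maps lowercase attribute name -> list of values.
    Entries are separated by blank lines; '#' lines are comments; '::' marks base64 values."""
    entries, entry = [], None
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                 # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if entry is None:
            entry = {}
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries

def superclasses(oc):
    """Object class followed by its superclass chain up to 'top'."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc]["sup"]
    return chain

def check_entry(entry):
    """Apply the checklist; return a list of problem descriptions (empty means the entry passes)."""
    dn = entry.get("dn", [""])[0]
    classes = [c.lower() for c in entry.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ["unknown object class(es): %s" % ", ".join(unknown)]
    problems = []
    # 1. The RDN must be an attribute-value pair that the entry actually carries.
    rdn = re.split(r"(?<!\\),", dn)[0]
    rdn_attr, _, rdn_val = rdn.partition("=")
    rdn_val = re.sub(r"\\(.)", r"\1", rdn_val)         # undo DN escaping such as '\,'
    if rdn_val not in entry.get(rdn_attr.strip().lower(), []):
        problems.append("RDN %r does not match an attribute value in the entry" % rdn)
    # 2. Exactly one structural class once superclasses of listed classes are discounted.
    structural = {c for c in classes if SCHEMA[c]["kind"] == "structural"}
    inherited = {s for c in structural for s in superclasses(c)[1:]}
    leaf = structural - inherited
    if len(leaf) != 1:
        problems.append("expected exactly one structural class, found %s" % sorted(leaf))
    # 3 and 4. MUST/MAY lists are inherited down the superclass chain.
    must, may = set(), set()
    for c in classes:
        for sc in superclasses(c):
            must |= SCHEMA[sc]["must"]
            may |= SCHEMA[sc]["may"]
    present = set(entry) - {"dn"}
    for a in sorted(must - present):
        problems.append("mandatory attribute %r missing" % a)
    for a in sorted(present - must - may):
        problems.append("attribute %r not allowed by the entry's object classes" % a)
    # 5. Single-valued attributes may not carry more than one value.
    for a in sorted(present & SINGLE_VALUED):
        if len(entry[a]) > 1:
            problems.append("single-valued attribute %r has %d values" % (a, len(entry[a])))
    return problems

# Constructed input: the two entries from the slide, a corrected root entry,
# and a person entry with two deliberate defects (no sn, a disallowed attribute).
SAMPLE_LDIF = """\
dn: dc=ds,dc=nust,dc=com
objectclass: dcObject
objectclass: top
dc: ds

dn: dc=ds,dc=nust,dc=com
objectclass: domain
objectclass: dcObject
objectclass: top
dc: ds

dn: ou=People,dc=ds,dc=nust,dc=com
objectclass: organizationalUnit
objectclass: top
ou: People

dn: uid=jbrown,ou=People,dc=ds,dc=nust,dc=com
objectclass: inetOrgPerson
cn: John Brown
uid: jbrown
mail: jbrown@ds.nust.com
homeDirectory: /home/jbrown
"""

def check_sample():
    """Run the checklist over every entry in SAMPLE_LDIF; returns [(dn, problems)] in file order."""
    return [(e["dn"][0], check_entry(e)) for e in parse_ldif(SAMPLE_LDIF)]

if __name__ == "__main__":
    for dn, problems in check_sample():
        print(dn, "->", problems or "ok")
```

The structural-class test discounts superclasses deliberately: an entry listing person, organizationalPerson and inetOrgPerson has one effective structural class, inetOrgPerson, which is what the second checklist question asks for.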
Managing Directory Data
What attributes do your applications need?
Are they hard-wired to use a particular schema?
Do applications have conflicting needs?
Correct object class selection is important
Helps avoid poor quality or badly formatted data
An entry cannot change its structural object class after creation!

Managing Directory Data
Use standard schema definitions if possible
Auxiliary classes may help
Avoid storing identical or redundant data in multiple attributes
Otherwise, ensure the values stay synchronized
Plan for change
What attributes might you need in the future?
How will current data be kept up to date?

Developing a Data Policy
What data will and will not be stored in the directory service
Who has the ability to modify which entries
Who has the ability to access which entries
Legal considerations affecting the above
How exceptions may be made if needed

Unit 2
The LDAP Naming Model

Objectives
Upon completion of this unit, you should be able to:
Use the LDAP naming model
Use and construct LDAP distinguished names (DNs)
Interpret directory suffixes
Organize entries in the directory
Define a name space in LDIF

LDAP Naming Model
The naming model defines how entries are organized and identified in the directory
Every entry must have a unique name that may be referenced unambiguously
The distinguished name or DN
A well-designed name space is critical
Easier retrieval and maintenance of data
Easier to apply access control policies

The Directory Information Tree
Directory entries are arranged in a hierarchy
The directory information tree, or DIT
Similar to a file system or DNS hierarchy
Each entry has one parent entry
An entry may have any number of children
The DN of an entry specifies its position in the directory hierarchy
uid=lee,ou=sales,dc=foo,dc=com

Distinguished Names
The leftmost component of the DN is the relative distinguished name, or RDN
The RDN must be selected from the attributes of the entry
Unique among entries that share the same immediate parent entry
Two entries may have the same RDN if they have different parent entries (and therefore their full DNs are different)

Escaped Characters
Some characters must be escaped with a backslash (\) if they appear in a component of a DN attribute
Comma, plus, double quote, backslash, less-than, greater-than, or semicolon at the start of a component
White space at the start or end of a component
dn: o=Example\, Inc.,st=Delaware,c=us

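The RDN and escaping rules from the last two slides, as an added example that is not part of the course material. It implements the RFC 4514 rules, which go slightly beyond the slide: the seven special characters are escaped wherever they occur in a value, a leading '#' is escaped as well as leading and trailing spaces, and a '\XX' hex pair is accepted when unescaping. Splitting a DN at unescaped commas is what lets a client recover the RDN and the parent DN from strings like the slide's Example\, Inc. entry; the function names are the example's own.

```python
"""Added example: escaping and splitting of LDAP distinguished names following the
rules on the 'Escaped Characters' slide (and RFC 4514 section 2.4)."""
import re

# Characters that must be backslash-escaped wherever they appear in an RDN value.
SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape one RDN attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                       # NUL has no printable escape
        elif ch in SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def unescape_rdn_value(value):
    """Reverse escape_rdn_value; also accepts '\\XX' hex pairs for single-byte characters."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def split_dn(dn):
    """Split a DN at commas that are not escaped; the leftmost element is the RDN."""
    parts = []
    for comp in re.split(r"(?<!\\),", dn):
        comp = comp.lstrip(" ")
        while comp.endswith(" ") and not comp.endswith("\\ "):   # keep an escaped trailing space
            comp = comp[:-1]
        parts.append(comp)
    return parts

def parse_rdn(component):
    """'o=Example\\, Inc.' -> ('o', 'Example, Inc.'); multi-valued RDNs (a+b) are not handled."""
    attr, _, raw = component.partition("=")
    return attr.strip().lower(), unescape_rdn_value(raw)

def rdn_and_parent(dn):
    """Return (RDN, parent DN); the parent is '' for a root entry."""
    parts = split_dn(dn)
    return parts[0], ",".join(parts[1:])

def build_dn(pairs):
    """Assemble a DN from (attribute, raw value) pairs, leaf first, escaping each value."""
    return ",".join("%s=%s" % (attr, escape_rdn_value(val)) for attr, val in pairs)

if __name__ == "__main__":
    dn = build_dn([("o", "Example, Inc."), ("st", "Delaware"), ("c", "us")])
    print(dn)                                  # o=Example\, Inc.,st=Delaware,c=us
    print(rdn_and_parent(dn))
    print([parse_rdn(c) for c in split_dn(dn)])
```

Note that a naive dn.split(",") would break the slide's example into "o=Example\" and " Inc." and hand an attacker-controlled or merely unlucky value the chance to change which subtree a DN refers to; building DNs with build_dn and splitting with split_dn keeps user-supplied values inside their component.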
The Directory Suffix
The global LDAP name space is distributed among multiple directory partitions
The suffix is the DN of the highest entry in the LDAP directory hierarchy which is stored in a directory partition
The node below which your name space lives
The DNs of all entries in that directory partition end with the suffix

Choosing a Suffix
LDAP does not place restrictions on the suffix you may use or the structure of your directory
Your suffix should be unique in case your server ever needs to coexist with others
There are two standard approaches
The X.500 naming model
The Internet domain naming model

X.500 Suffixes
X.500-style suffixes are geographically and organizationally based
o=Example\, Inc.,st=Delaware,c=US
Useful if X.500(93) compatibility is needed
In practice, it has proved hard to find and manage names using this naming scheme

Internet Domain Suffixes
The preferred method is to use components of the organization's DNS domain
For example.com: dc=example,dc=com
Since we know the DNS domain is unique, the LDAP suffix is also unique
Can simplify deployment and configuration
Easier to manage in the long term

Structure of the Name Space
After selecting the suffix, the structure of the directory name space must be designed
At one extreme is a flat name space containing all entries directly under the suffix: uid=raoit,dc=nust,dc=com
At the other is a deep name space dividing entries into fine categories: uid=raoit,ou=seecs,ou=it,dc=nust,dc=com

Flat Name Space
[Diagram: the suffix dc=nust,dc=com with the user entries uid=raoit, uid=jbrown and uid=jvedder placed directly beneath it]

Flat Name Space Issues
Advantages
Names do not need to change when job roles change or the organization changes
Simple design avoids the need for object categorization by directory administrators
Disadvantages
Hard to partition the directory later if needed
May be hard to maintain unique DNs

Deep Name Space
[Diagram: the suffix dc=example,dc=com split into l=North America and l=Europe subtrees; each locality holds containers such as ou=People, ou=Sales and ou=Devel, with user entries such as uid=joe, uid=mara, uid=jeanne and uid=pete at the leaves]

Designing the Name Space
There is no name space design that is ideal for all situations
May help to think about how you planned the DNS name space of hosts and subdomains
Try to keep the hierarchy fairly flat
Simpler management, good for small directories
Depth is useful for
Avoidance of naming collisions
Dividing up directory management

One Compromise Name Space
[Diagram: the suffix dc=example,dc=com with l=North America and l=Europe subtrees; a user entry such as uid=pete carries ou=Sales as an attribute rather than sitting under an ou=Sales container]
Set the ou attribute on entries
Can still search based on ou
Changing ou just affects one entry, not the directory hierarchy

Designing the Name Space
Place entries in subtrees based on the type of entry, not just by organizational structure or geography
For example:
inetOrgPerson entries under ou=People
Entries for groups under ou=Groups
Entries for machines under ou=Hosts
Can use in addition to other schemes

Defining the Name Space
The LDAP server will need to have your name space input in LDIF format
You will need an entry for your root node
You will need entries for any nodes which act only as containers for other entries
Various object classes are useful
domain, dcObject, country, locality, organization, organizationalUnit

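Putting the suffix, structure and container-entry slides together, the following added example (not course code) derives the suffix from a DNS domain and generates the LDIF for the root node and every container node of a chosen layout, picking the structural object class from the naming attribute using the classes listed above. The CONTAINER_CLASS pairing is an assumption based on the standard schema (RFC 4519), and the TREE layout is a constructed instance of the compromise name space from the earlier slides with type-based containers under each locality.

```python
"""Added example: generate the LDIF a server needs to define a name space: the root
entry derived from a DNS domain plus the container entries beneath it, choosing
the object class by the naming attribute as listed on the slide."""
import re

# Naming attribute -> structural object class for a container entry.
# Assumption: pairing taken from the standard schema (RFC 4519).
CONTAINER_CLASS = {
    "dc": "domain",
    "ou": "organizationalUnit",
    "l":  "locality",
    "o":  "organization",
    "c":  "country",
}

def escape(value):
    """Escape the DN-special characters inside a value (leading/trailing space and '#' ignored here)."""
    return re.sub(r'([,+"\\<>;])', r"\\\1", value)

def suffix_from_domain(domain):
    """'example.com' -> 'dc=example,dc=com'"""
    return ",".join("dc=%s" % escape(label) for label in domain.lower().split("."))

def namespace_entries(domain, tree):
    """Flatten the container tree into (dn, [object classes], {attr: value}) tuples, parents first.
    tree: list of (naming_attr, value, children) triples."""
    root_dn = suffix_from_domain(domain)
    # Root node: 'domain' is structural and requires dc, so top + domain is enough
    # (some deployments use organization + dcObject instead).
    entries = [(root_dn, ["top", "domain"], {"dc": domain.lower().split(".")[0]})]
    def walk(parent_dn, nodes):
        for attr, value, children in nodes:
            dn = "%s=%s,%s" % (attr, escape(value), parent_dn)
            entries.append((dn, ["top", CONTAINER_CLASS[attr]], {attr: value}))
            walk(dn, children)
    walk(root_dn, tree)
    return entries

def namespace_ldif(domain, tree):
    """Render the entries as LDIF text ready to be fed to ldapadd."""
    blocks = []
    for dn, classes, attrs in namespace_entries(domain, tree):
        lines = ["dn: %s" % dn] + ["objectClass: %s" % c for c in classes]
        lines += ["%s: %s" % (a, v) for a, v in attrs.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

# Constructed layout: localities under the suffix, type-based containers under each.
TREE = [
    ("l", "North America", [("ou", "People", []), ("ou", "Groups", []), ("ou", "Hosts", [])]),
    ("l", "Europe",        [("ou", "People", []), ("ou", "Groups", []), ("ou", "Hosts", [])]),
]

if __name__ == "__main__":
    print(namespace_ldif("example.com", TREE), end="")
```

Parents are emitted before children on purpose: a directory server rejects an entry whose parent does not yet exist, so the order of entries in the generated LDIF matters when it is loaded in one pass.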
Planning the Directory
A well-designed directory tree can make directory management much simpler
Additional references which may be useful:
Red Hat Directory Administrator's Guide
Understanding and Deploying LDAP Directory Services by Timothy Howes, Mark Smith, and Gordon Good.