CIT 470: Advanced Network and System Administration

Date post: 03-Jan-2016
Description:
CIT 470: Advanced Network and System Administration. Directories. Topics. Directories LDAP Structure LDIF Distinguished Names Replication OpenLDAP Configuration. What is a Directory?. Directory : A collection of information that is primarily searched and read, rarely modified. - PowerPoint PPT Presentation
Page 1: CIT 470: Advanced Network and System Administration

CIT 470: Advanced Network and System Administration Slide #1

CIT 470: Advanced Network and System Administration

Directories

Page 2: CIT 470: Advanced Network and System Administration

Topics

1. Directories

2. LDAP Structure

3. LDIF

4. Distinguished Names

5. Replication

6. OpenLDAP Configuration

Page 3: CIT 470: Advanced Network and System Administration

What is a Directory?

Directory: A collection of information that is primarily searched and read, rarely modified.

Directory Service: Provides access to directory information.

Directory Server: Application that provides a directory service.

Page 4: CIT 470: Advanced Network and System Administration

Directories vs. Databases

Directories are optimized for reading.
– Databases are balanced for read and write.

Directories are tree-structured.
– Databases typically have a relational structure.

Directories are usually replicated.
– Databases can be replicated too.

Both are extensible data storage systems.

Both have advanced search capabilities.

Page 5: CIT 470: Advanced Network and System Administration

System Administration Directories

Types of directory data
– Accounts
– Mail aliases and lists (address book)
– Cryptographic keys
– IP addresses
– Hostnames
– Printers

Common directory services
– DNS, LDAP, NIS

Page 6: CIT 470: Advanced Network and System Administration

Advantages of Directories

Make administration easier.
– Change data only once: people, accounts, hosts.

Unify access to network resources.
– Single sign-on.
– Single place for users to search (address book).

Improve data management.
– Improve consistency (one location vs. many).
– Secure data through only one server.

Page 7: CIT 470: Advanced Network and System Administration

NIS: Network Information Service

Originally called Sun Yellow Pages.
– Clients run ypbind.
– Servers run ypserv.
– Data is stored under /var/yp on the server.

Server shares NIS maps with clients.
– Each UNIX file may provide multiple NIS maps.
– NIS maps map keys like UID or username to data.
– passwd: passwd.byname, passwd.byuid

Slave servers replicate master server content.

Easy to use, but insecure and difficult to extend.

Page 8: CIT 470: Advanced Network and System Administration

LDAP

Lightweight Directory Access Protocol
– Lightweight compared to X.500 directories.
– A directory service, not a database.
– An access protocol, not a directory itself.

Page 9: CIT 470: Advanced Network and System Administration

LDAP Clients and Servers

LDAP Clients
– Standalone directory browsers.
– Embedded clients (mail clients, logins, etc.)
– Configure /etc/nsswitch.conf on UNIX to use LDAP.

Common LDAP servers

Page 10: CIT 470: Advanced Network and System Administration

LDAP Structure

An LDAP directory is made of entries.
– Entries may be employee records, hosts, etc.

Each entry consists of attributes.
– Attributes can be names, phone numbers, etc.
– The objectClass attribute identifies the entry type.

Each attribute is a type / value pair.
– Type is a label for the information stored (e.g. name).
– Value is the value of the attribute in this entry.
– Attributes can be multi-valued.

Page 11: CIT 470: Advanced Network and System Administration

Tree-structure of LDAP Directories

Page 12: CIT 470: Advanced Network and System Administration

LDAP Schemas

Schemas specify allowed objectClasses and attributes.

Page 13: CIT 470: Advanced Network and System Administration

LDIF

LDAP Interchange Format
– Standard text format for storing LDAP configuration data and directory contents.

LDIF Files
– Collection of entries separated by blank lines.
– Mapping of attribute names to values.

Uses
– Import new data into the directory.
– Export the directory to LDIF files for backups.
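The LDIF rules above (entries separated by blank lines, attribute name to value mappings, multi-valued attributes) are enough to write a small parser. This is an added example, not code from the slides or from OpenLDAP; the sample LDIF is constructed and also exercises two details of the format the slides do not mention: a folded line (continuation lines begin with a space) and a base64 value (written with `::`).

```python
import base64

# Constructed sample LDIF modelled on the page's ldapsearch output (not data
# from the page): comments, multi-valued attributes, a folded line, a '::' value.
SAMPLE_LDIF = """\
# entry for fooj
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: posixAccount
uid: fooj
description: a long value that is
  folded onto a second line
cn:: Zm9vag==

dn: ou=People,dc=gkar,dc=nku,dc=edu
objectClass: organizationalUnit
ou: People
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict attr -> [values]."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):          # comment
            continue
        if line.strip() == "":            # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:                           # last entry may lack a trailing blank
        entries.append(current)
    return entries
```

Running `parse_ldif` over the output of `slapcat` gives a quick way to audit a backup before restoring it, for example by listing every dn and checking that the expected objectClasses are present.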

Page 14: CIT 470: Advanced Network and System Administration

LDIF Output Example

Page 15: CIT 470: Advanced Network and System Administration

LDIF Backups and Restores

Backing up an LDAP directory
slapcat > backup.ldif

OR, to do a daily backup, use the date in the name:
slapcat > backup-`date +%F`.ldif

Restoring an LDAP directory
service ldap stop
rm -rf /var/lib/ldap/*
slapadd < backup.ldif
service ldap start

Page 16: CIT 470: Advanced Network and System Administration

Distinguished Names

Distinguished Names (DNs)
– Uniquely identify an LDAP entry.
– Provide the path from the LDAP root to the named entry.
– Similar to an absolute pathname.
– dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org

Relative DNs (RDNs)
– Any unique attribute pair in the directory's container.
– ex: cn=Jeff Foo OR username=fooj
– Similar to a relative pathname.
– Except an RDN may have multiple components:
– cn=Jane Smith+ou=Sales
– cn=Jane Smith+ou=Engineering

Page 17: CIT 470: Advanced Network and System Administration

(R)DN Example #1

Page 18: CIT 470: Advanced Network and System Administration

(R)DN Example #2

Page 19: CIT 470: Advanced Network and System Administration

ldapsearch

Options
-LLL removes comments and LDAP version info.
-b base supplies the base DN (uses ldap.conf if no -b).
-x uses simple authentication instead of SASL.
-H ldap://your.server.edu accesses that server.
If -H is not specified, uses ldap.conf to find the server.

Search for all elements
ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"

Page 20: CIT 470: Advanced Network and System Administration

ldapsearch -LLL -x "(DN)"

> ldapsearch -LLL -x "(uid=fooj)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101

Page 21: CIT 470: Advanced Network and System Administration

ldapsearch -LLL -x "(DN)"

> ldapsearch -LLL -x "(uidNumber=10101)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101

Page 22: CIT 470: Advanced Network and System Administration

Multiple Record Matches

> ldapsearch -LLL -x "(loginShell=/bin/bash)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/b/fooj
loginShell: /bin/bash
...
Size limit exceeded (4)

Page 23: CIT 470: Advanced Network and System Administration

Wildcard Matches

> ldapsearch -LLL -x "(uid=smith*)"
dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
uid: smitha
uidNumber: 10221
cn: smitha
homeDirectory: /home/f/smitha
loginShell: /bin/bash
...
dn:
uid: smithj
uidNumber: 12302
cn: smithj
homeDirectory: /home/g/smithj
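The wildcard and multi-match searches above show that filter characters such as `*`, `(` and `)` change what a search returns. When a filter is built from user-supplied input (a login form, a web address book), the input must be escaped per RFC 4515 so that it can only ever match a literal value. The code below is an added example written for this page, not part of the slides or of OpenLDAP; `uid_filter`, `and_filter` and `unsafe_uid_filter` are hypothetical helper names.

```python
def escape_filter_value(value):
    """Hex-escape a value for use inside an LDAP search filter (RFC 4515).
    '*', '(', ')', '\\', control and non-ASCII bytes become \\XX, so user
    input can never introduce a wildcard or an extra filter component."""
    out = []
    for b in value.encode("utf-8"):
        if b < 0x20 or b > 0x7E or chr(b) in "*()\\":
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def uid_filter(uid, prefix_match=False):
    """Build a (uid=...) filter; a trailing wildcard is added only when the
    caller asks for it, never because the input itself contained '*'."""
    base = escape_filter_value(uid)
    return f"(uid={base}*)" if prefix_match else f"(uid={base})"

def and_filter(*components):
    """Combine filters with LDAP's prefix AND operator: (&(a=1)(b=2))."""
    return "(&" + "".join(components) + ")"

def unsafe_uid_filter(uid):
    """The naive version, raw concatenation, kept only to contrast with
    uid_filter: input such as 'smith*' silently becomes a wildcard search."""
    return "(uid=" + uid + ")"
```

A useful detection check on an application that talks to the directory is to log the final filter string it sends; any `*`, `(` or `)` that did not come from the application's own template indicates input that reached the filter unescaped.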

Page 24: CIT 470: Advanced Network and System Administration

Open source LDAPv3 server.
– LDAP server: slapd
– Client commands: ldapadd, ldapsearch
– Backend storage: BerkeleyDB
– Backend commands: slapadd, slapcat
– Schemas: /etc/openldap/schema
– Data: /var/lib/ldap

Configuration files
– Client: /etc/openldap/ldap.conf
– Server: /etc/openldap/slapd.conf

Page 25: CIT 470: Advanced Network and System Administration

Building an OpenLDAP Server

1. Install OpenLDAP.

2. Configure LDAP for your domain.
   Edit slapd.conf OR use Run Time Configuration (RTC).

3. Start the server.
   Immediate: service ldap start
   Permanent: chkconfig --level 35 ldap on

4. Add data with ldapadd.

5. Verify functionality with ldapsearch.

Page 26: CIT 470: Advanced Network and System Administration

slapd.conf (Server)

File Locations (usually accept defaults)
– Schema files
– Configuration files
– Database directory

Database
suffix = DN of topmost node in directory
rootdn = DN of LDAP administrative user
rootpw = Password of LDAP administrator

Access Control

Page 27: CIT 470: Advanced Network and System Administration

ldap.conf (Client)

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com (match suffix in slapd.conf)
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
