CIT 470: Advanced Network and System Administration


Accounts and Namespaces

Topics
- Namespaces
- Policies: selection, lifetime, scope, security
- User accounts
- Directories
- LDAP

Namespaces
- A namespace consists of:
  - A set of unique keys
  - A set of attributes associated with each key
- Example: key = username; attributes = GECOS, home directory, shell, password

Namespaces
- Systems include many namespaces:
  - User account names
  - E-mail addresses
  - Filesystem pathnames
  - Hostnames
  - IP addresses
  - Printer names
  - Service names

Types of Namespaces
- Flat: no duplicates may exist. Ex: usernames in /etc/passwd.
- Hierarchical: tree-structured namespace like DNS. The same name can exist in different branches of the tree. Ex: www.nku.edu and www.google.com.

Namespace Problems
- How to select names?
- How to avoid name collisions?
- How to ensure consistency?
- How to distribute names?

Name Selection
- Functional names: mail hostname, /cit/470, student account
- Descriptive names: geographic, print type, customer type
- Formula-based names: cvg0141 hostname, student0148 account
- Themed names: constellations (orion, ursa, etc.)
- No standard

Name Lifetime
- When are names removed?
  - Immediately after the PC or user leaves the organization.
  - A set time after the resource is no longer in use.
- When are names re-used?
  - Immediately: functional names.
  - Never.
  - After a set time: usernames, e-mail addresses.

Namespace Scope
- Geographical scopes
  - Local machine (e.g., /etc/passwd)
  - Local network
  - Organization
  - Global (e.g., DNS)
- Service scopes
  - Single username for UNIX, NT, RADIUS, e-mail, VPN?
- Transferring scopes
  - Difficult without advance planning.
  - Some names may have to change.

Namespace Security
- What are you trying to protect names from, and why?
- Do the names need to be protected, or just the attributes?
- Who can add, change, or delete records?
- Can the owner of a record change fields within the record?

Example Namespace: Usernames
- Selection policies
  - Descriptive: waldenj, jwalden
  - Descriptive + formulaic: waldenj1, jwalden0002
- Scope
  - Use for every campus (avoids collisions).
  - Use for every service (avoids collisions).
- Lifetime
  - Do not reuse until 1 year has passed, since e-mail addresses derive from usernames.

One Big Database
- Centralize the namespace in one big database.
  - Use SQL or LDAP to store the entire namespace.
- Derive other namespaces from the database.
  - Program to generate UNIX accounts.
  - Program to generate NT accounts.
  - etc.
- Advantages
  - Consistency
  - Ease of making changes, additions, deletions.

User Account Types
- OS files
  - UNIX: /etc/{passwd,shadow}
  - Windows: SAM
- Network service
  - NIS
  - LDAP
  - Kerberos
  - Active Directory
  - RADIUS

UNIX Accounts
- Account components: username, UID, password, home directory
- Account files: /etc/passwd, /etc/shadow, /etc/group
- Account management: adding users; removing and disabling users; account/password policies

/etc/{passwd,shadow}
- Central file(s) describing UNIX user accounts.
- /etc/passwd fields: username, UID, default GID, GECOS, home directory, login shell.
- /etc/shadow fields: username, encrypted password, date of last password change, days until a change is allowed, days until a change is required, expiration warning time, expiration date.
- Example records (one from each file):

    student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
    student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::

Username Syntax
- Each username must be unique.
- Length limits (8 chars on old systems).
- Any character except : or \n.
- Issues
  - Naming standards.
  - How to ensure that usernames are unique?
  - System uses UIDs internally.

UIDs
- UIDs are 32-bit non-negative integers.
- Standards
  - Root is UID 0.
  - System accounts have low UIDs (<= 500).
- Uniqueness
  - Multiple usernames can have the same UID!
  - Re-using a UID may give the departed user's files to the new user.
  - Distributed systems may require unique UIDs across organizational boundaries.

Password Syntax
- Length: unlimited (MD5, SHA1), 8 chars (crypt).
- Chars: anything except \n, though certain control chars may be interpreted by the system.
- Stored in "encrypted" format.
  - Hashed: crypt, MD5, SHA1
  - Salted: a 12-bit salt means 4096 different hashes for each password.

GID
- GIDs are 32-bit non-negative integers.
- Each user has a default GID.
  - File group ownership is set to the default GID.
  - Temporarily change the default GID with newgrp.
- Groups are described in /etc/group.
  - Users may belong to multiple groups.
  - Format: group name, password, GID, user list.

    wheel:x:10:root,waldenj,bergs

GECOS
- Original use: data for the General Electric Comprehensive OS.
- Current use: user information (full name, location, phone number, e-mail).

Home Directory
- User's CWD at login time.
- Typically where the user stores all files.

Login Shell
- Process started when the user logs in.
- Typically a shell like bash, tcsh, ksh, or zsh.
- System users may be different.
- Disabled accounts have a noshell program.

Adding a User
- Create the account with adduser.
- Lock the account until the user arrives.
- User signs the account agreement.
- Set the password with passwd.

Adding a User
- Edit /etc/{passwd,shadow} with vipw.
- Set the password with the passwd command.
- Edit /etc/group to add groups.
- Create the user's home directory:

    mkdir /home/studenta
    chown studenta.student /home/studenta
    chmod 755 /home/studenta

- Copy default files from /etc/skel (.bashrc, .Xdefaults, .xsession, etc.).
- Set e-mail aliases, disk quotas, etc.
- Verify that the account works.

Disabling an Account
- Edit the account configuration:
  - Place * in front of the encrypted password.
  - Replace the shell with the nologin program.
- Kill active logins and processes.
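An added example, not from the slides: a Python audit that parses constructed /etc/passwd and /etc/shadow records in the field layout shown on the /etc/{passwd,shadow} slide and reports the conditions the UIDs and Disabling slides warn about (several usernames sharing a UID, an account locked with * or ! that still has an interactive shell, an empty password field, a passed expiration date). The records, the audit date and the non-student hashes are constructed placeholders.

```python
from collections import defaultdict

# Constructed /etc/passwd and /etc/shadow records (the 'student' lines are the
# slide's own example); the other hashes are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
student:x:1000:1000:Example User,,555-1212,:/home/student:/bin/bash
olduser:x:1001:1001:Left the org:/home/olduser:/bin/bash
svc:x:1002:1002:Service account:/var/lib/svc:/sbin/nologin
guest:x:1003:1003:Guest:/home/guest:/bin/bash
"""
SHADOW = """\
root:$1$PLACEHOLDER$hash:13226:0:99999:7:::
toor:$1$PLACEHOLDER$hash:13226:0:99999:7:::
student:$1$w/UuKtLF$otSSvXtSN/xJzUOGFElNz0:13226:0:99999:7:::
olduser:*$1$PLACEHOLDER$hash:13226:0:99999:7::13300:
svc:!:13226:0:99999:7:::
guest::13226:0:99999:7:::
"""
PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "changed", "min", "max", "warn",
                 "inactive", "expire", "reserved")

def parse(text, fields):
    """Colon-separated records keyed by username; empty fields are kept."""
    rows = {}
    for line in filter(None, text.splitlines()):
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"wrong field count: {line!r}")
        rec = dict(zip(fields, parts))
        rows[rec["name"]] = rec
    return rows

def audit(passwd_text, shadow_text, today_days):
    """today_days is days since 1970-01-01, the unit of shadow's date fields."""
    pw, sh = parse(passwd_text, PASSWD_FIELDS), parse(shadow_text, SHADOW_FIELDS)
    findings = []
    by_uid = defaultdict(list)
    for rec in pw.values():
        by_uid[int(rec["uid"])].append(rec["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:            # several usernames sharing one UID
            findings.append(("duplicate-uid", uid, names))
    for name, rec in pw.items():
        s = sh.get(name)
        if s is None:
            findings.append(("no-shadow-entry", name))
            continue
        h = s["hash"]
        if h == "":                   # passwordless login
            findings.append(("empty-password", name))
        if h[:1] in ("*", "!") and not rec["shell"].endswith("nologin"):
            findings.append(("locked-but-interactive-shell", name))
        if s["expire"] and int(s["expire"]) < today_days:
            findings.append(("expired", name))
    return findings

def run_sample():
    # 13514 = days from 1970-01-01 to 2007-01-01 (constructed audit date).
    return audit(PASSWD, SHADOW, 13514)
```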

Removing a User
- Disable the account.
- Change shared passwords (root, etc.).
- Kill active logins and processes.
- Remove from local databases/files.
  - Remove from e-mail aliases.
  - Remove mail spool (back up first).
  - Remove crontabs and pending jobs.
  - Remove temporary files.
  - Remove home directory (back up first).
  - Remove from passwd, shadow, and group.

What is a Directory?
- Directory: a collection of information that is primarily searched and read, rarely modified.
- Directory service: provides access to directory information.
- Directory server: application that provides a directory service.

Directories vs. Databases
- Directories are optimized for reading; databases are balanced for read and write.
- Directories are tree-structured; databases typically have a relational structure.
- Directories are usually replicated; databases can be replicated too.
- Both are extensible data storage systems.
- Both have advanced search capabilities.

System Administration Directories
- Types of directory data
  - Accounts
  - Mail aliases and lists (address book)
  - Cryptographic keys
  - IP addresses
  - Hostnames
  - Printers
- Common directory services: DNS, LDAP, NIS

Advantages of Directories
- Make administration easier.
  - Change data only once: people, accounts, hosts.
- Unify access to network resources.
  - Single sign-on.
  - Single place for users to search (address book).
- Improve data management.
  - Improve consistency (one location vs. many).
  - Secure data through only one server.

NIS: Network Information Service
- Originally called Sun Yellow Pages.
- Clients run ypbind; servers run ypserv.
- Data stored under /var/yp on the server.
- Server shares NIS maps with clients.
  - Each UNIX file may provide multiple maps; passwd: passwd.byname, passwd.byuid
- Slave servers replicate master server content.
- Easy to use, but insecure and difficult to extend.

LDAP
- Lightweight Directory Access Protocol
  - Lightweight compared to X.500 directories.
  - Directory service, not a database service.
  - Access protocol, not a directory itself.

LDAP Clients and Servers
- Clients
  - Standalone directory browsers.
  - Embedded clients (mail clients, logins, etc.).
  - Configure /etc/nsswitch.conf on UNIX to use LDAP.
- Common LDAP servers
  - OpenLDAP
  - Fedora Directory Server (formerly Sun, Netscape)
  - Mac Open Directory
  - Microsoft Active Directory
  - Novell eDirectory (NDS)

LDAP Structure
- An LDAP directory is made of entries.
  - Entries may be employee records, hosts, etc.
- Each entry consists of attributes.
  - Attributes can be names, phone numbers, etc.
  - The objectClass attribute identifies the entry type.
- Each attribute is a type/value pair.
  - Type is a label for the information stored (name).
  - Value is the value of the attribute in this entry.
  - Attributes can be multi-valued.

Tree-structure of LDAP Directories
(figure only)

LDAP Schemas
- Schemas specify the allowed objectClasses and attributes.

LDIF
- LDAP Interchange Format.
- Standard text format for storing LDAP configuration data and directory contents.
- LDIF files
  - Collection of entries separated by blank lines.
  - Mapping of attribute names to values.
- Uses
  - Import new data into the directory.
  - Export the directory to LDIF files for backups.

LDIF Output Example
(figure only)

Distinguished Names
- Distinguished Names (DNs)
  - Uniquely identify an LDAP entry.
  - Provide the path from the LDAP root to the named entry.
  - Similar to an absolute pathname.

    dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org

- Relative DNs (RDNs)
  - Any unique attribute pair in the directory's container, e.g. cn=Jeff Foo or username=fooj.
  - Similar to a relative pathname, except that an RDN may have multiple components:

    cn=Jane Smith+ou=Sales
    cn=Jane Smith+ou=Engineering
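As an added example (not from the slides or from OpenLDAP), a Python parser for the LDIF layout described on the LDIF slide (blank-line separated entries, multi-valued attributes, folded continuation lines), plus helpers that split a DN into its RDNs, decompose a multi-component RDN, and flag entries whose parent DN is missing beneath the directory suffix. The LDIF text is constructed and reuses the slide's dc=plainjoe,dc=org example; base64 ("::") values are not handled.

```python
import re

# Constructed LDIF; the base DN and the Jeff Foo entry follow the slide's example.
LDIF = r"""
dn: dc=plainjoe,dc=org
objectClass: dcObject
dc: plainjoe

dn: ou=Sales,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: Sales

dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Jeff Foo
mail: jfoo@plainjoe.org
mail: jeff.foo@plainjoe.org
description: Regional lead for the north-east terri
 tory

dn: cn=Jane Smith+ou=Engineering,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Jane Smith

dn: cn=Orphan,ou=Support,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Orphan
"""

def parse_ldif(text):
    """Entries are separated by blank lines and a leading space folds a value
    onto the previous line.  Every attribute maps to a list (multi-valued)."""
    entries, cur, last = [], None, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw == "":
            if cur:
                entries.append(cur)
            cur, last = None, None
        elif raw.startswith(" "):
            cur[last][-1] += raw[1:]          # continuation of the previous value
        else:
            attr, _, value = raw.partition(":")
            cur = {} if cur is None else cur
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def split_dn(dn):
    """RDN strings, split on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def rdn_pairs(rdn):
    """'cn=Jane Smith+ou=Engineering' -> [('cn', 'Jane Smith'), ('ou', 'Engineering')]."""
    return [tuple(p.split("=", 1)) for p in rdn.split("+")]

def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])         # like dirname(); "" above the root

def orphans(entries, suffix):
    """DNs whose parent entry is absent (the suffix itself counts as the root)."""
    known = {e["dn"][0].lower() for e in entries}
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower() != suffix.lower()
            and parent_dn(e["dn"][0]).lower() not in known]
```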

LDAP Client/Server Interaction
1. Client requests to bind to the server.
2. Server accepts or denies the bind request.
3. Client sends a search request.
4. Server returns zero or more directory entries.
5. Server sends a result code with any errors.
6. Client sends an unbind request.
7. Server sends a result code and closes the socket.

LDAP Operations
- Client session operations: bind, unbind, and abandon
- Query and retrieval operations: search and compare
- Modification operations: add, modify, modifyRDN, and delete

Authentication
- Anonymous authentication: binds with an empty DN and password.
- Simple authentication: binds with a DN and password, sent in cleartext.
- Simple authentication over SSL/TLS: uses SSL to encrypt simple authentication.
- Simple Authentication and Security Layer (SASL): an extensible security scheme.
  - SASL mechanisms: Kerberos, GSSAPI, SKEY

Distributed Directories
- Use multiple LDAP servers.
- Why distribute?
  - Throughput: more servers can reduce the load on any single server.
  - Latency: have a local server serve local data to the LAN; only use the WAN for non-local data on other servers.
  - Administrative boundaries: let each side administer its own directory.

OpenLDAP
- Open source LDAPv3 server.
- LDAP server: slapd
- Client commands: ldapadd, ldapsearch
- Backend storage: BerkeleyDB
- Backend commands: slapadd, slapcat
- Schemas: /etc/openldap/schema
- Data: /var/lib/ldap
- Configuration files
  - Client: /etc/openldap/ldap.conf
  - Server: /etc/openldap/slapd.conf

Building an OpenLDAP Server
- Install OpenLDAP.
- Configure LDAP for your domain: change the suffix, rootdn, and rootpw options.

    vim /etc/openldap/slapd.conf

- Start the server
  - Immediate: /sbin/service ldap start
  - Permanent: /sbin/chkconfig --level 35 ldap on
- Add data with ldapadd.
- Verify functionality with ldapsearch.

LDAP Authentication
- Configure the server with schema + user data.
- Point clients to the hostname and rootDN of the server: /etc/ldap.conf and /etc/openldap/ldap.conf.
- Verify server access with ldapsearch.
- Configure clients to use LDAP authentication in /etc/nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group: files ldap
