LDAP as a replacement for NIS
Wolfgang Friebel, DESY Zeuthen
April 23, 2001

Contents
- Motivation
- The LDAP server
- The LDAP client
- Maintaining the system
- Performance tuning
- Experiences

Why LDAP as a NIS replacement?
- Central maintenance of UNIX accounts and groups, hosts, ... in addition to or as a replacement of maintenance local to a machine made NIS a successful concept
- Netgroups can be used to structure accounts, hosts etc.
  - Example: netgroup linux contains linux hosts, l3 contains l3 users
- NIS is one of the more frequent causes of instability under Linux
  - fallback to other NIS masters sometimes fails when ypserv crashes
  - varying temporary problems (timeouts etc.) in daily use
- Modification of NIS contents is possible only locally on the master
  - LDAP allows modification from remote sites after authentication
- LDAP is better suited for integration with other services than NIS
- Hope for a more scalable and less resource-intensive service

LDAP Server Installation
- Any server should work, but we tested only OpenLDAP
- We installed OpenLDAP
  - LDAP version 3 protocol
  - Backend database Berkeley DB (Sleepycat version 3 recommended)
  - For NIS functionality authorization is required for content updates only
    - all queries are done unauthenticated
  - Compiled on a Linux SuSE 6.3 system
    - successful tests also with OpenLDAP 1.x on Solaris 2.6
    - precompiled RPMs should be o.k. as well
- Make sure you use recent versions of OpenLDAP and Berkeley DB

LDAP Server Configuration (OpenLDAP)
Specify the proper backend, define the subtree and the directory for that tree:

    database  ldbm
    suffix    "dc=IFH, dc=DE"
    directory /var/openldap/db/nis

Define the columns to be indexed (very important for performance):

    index cn,sn,uid,givenname            pres,eq,sub
    index objectclass                    pres,eq
    index uidNumber,gidNumber,memberUid  eq
    index oncRpcNumber,ipServicePort     eq
    index ipNetworkNumber,ipHostNumber   eq

- Too few indexes reduce search performance
- Too many indexes reduce write performance

Population of the LDAP Server with data
- Loading of the data relevant for NIS is usually done with MigrationTools from (current version is 37 or above)
  - collection of shell and perl scripts for populating a running server or for creation of ldif files that can be loaded later using ldapadd
  - only support for initial loading of the LDAP server, no tools provided for modification of the LDAP server contents afterwards (can be done with the command-line tool ldapmodify or graphical LDAP frontends)
- Loading of data with the tool ldapsync developed at DESY Zeuthen (ftp://ftp.ifh.de/pub/unix/networking/ldapsync) is more flexible
  - does almost precisely what MigrationTools-37 would do (single script)
  - produces ldif data (running unauthenticated) or otherwise updates the server
  - can be applied several times, resyncs LDAP and NIS information
  - allows for a longer migration period from NIS to LDAP

ldapsync
- Still in test phase
  - works at DESY, but untested at other sites
  - configuration info is partly still contained in the script, i.e. to adapt the script to other sites a change of the source code might be required
  - the update process scales only to a few thousand items contained in LDAP due to principal limitations of LDAP (no directory browsing!). Could be changed, but then ldapsync has to run locally on the LDAP server host
  - still room for optimization

Verifying the LDAP server installation
- Do queries that are relevant for the NIS functionality:

    $ ldapsearch -h ldap.ifh.de -x -b "dc=ifh,dc=de" -s base
    dn: dc=ifh,dc=de
    objectClass: domain
    objectClass: top
    objectClass: domainRelatedObject
    dc: ifh
    associatedDomain: ifh.de

    $ ldapsearch -h ldap.ifh.de -x -b "dc=ifh,dc=de" "uid=friebel"
    dn: uid=friebel,ou=People,dc=ifh,dc=de
    uid: friebel
    cn: Wolfgang Friebel
    uidNumber: ...
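The queries above return LDIF, which is also the form in which ldapsync and the MigrationTools feed ldapadd and ldapmodify. As an added example (not from the slides and not ldapsync itself), the following Python parses such ldapsearch output, unfolding continued lines and decoding base64 attribute values, and derives the LDIF change records that would resync a NIS passwd map into the People branch; the LDAP entries, the NIS lines and the cn-as-GECOS mapping are assumptions constructed for the example.

```python
import base64
# Constructed ldapsearch output in the shape shown on the verification slide (not real data).
LDIF = """dn: uid=friebel,ou=People,dc=ifh,dc=de
uid: friebel
cn: Wolfgang Friebel
uidNumber: 1001
gidNumber: 100
homeDirectory: /afs/ifh.de/user/f/friebel
loginShell: /bin/tcsh

dn: uid=alice,ou=People,dc=ifh,dc=de
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
uidNumber: 1002
gidNumber: 100
homeDirectory: /afs/ifh.de/user/a
 /alice
loginShell: /bin/sh
"""
# Constructed NIS passwd map (ypcat passwd): alice's shell differs from LDAP, bob is not in LDAP yet.
NIS_PASSWD = """friebel:x:1001:100:Wolfgang Friebel:/afs/ifh.de/user/f/friebel:/bin/tcsh
alice:x:1002:100:Alice Example:/afs/ifh.de/user/a/alice:/bin/bash
bob:x:1003:100:Bob Example:/afs/ifh.de/user/b/bob:/bin/sh
"""
# passwd(5) fields after the password field, mapped in order to posixAccount attributes (cn stands in for GECOS).
ATTRS = ("uidNumber", "gidNumber", "cn", "homeDirectory", "loginShell")

def parse_ldif(text):
    """Return {uid: {attr: value}}; unfolds continuation lines and decodes 'attr::' base64 values."""
    entries, cur = {}, {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:                          # a blank line ends an entry
            if "uid" in cur:
                entries[cur["uid"]] = cur
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):               # 'attr:: <base64>' form
            val = base64.b64decode(val[1:].strip()).decode()
        cur.setdefault(attr, val.strip())     # first value only; enough for posixAccount
    return entries
def sync_changes(nis_passwd, ldif, base="ou=People,dc=ifh,dc=de"):
    """LDIF change records (ldapmodify input) that bring LDAP in line with the NIS passwd map."""
    ldap, out = parse_ldif(ldif), []
    for line in nis_passwd.splitlines():
        uid, _, *rest = line.split(":")       # drop the 'x' password field
        want = dict(zip(ATTRS, rest))
        dn = f"dn: uid={uid},{base}"
        if uid not in ldap:                   # account missing in LDAP: add record
            out.append("\n".join([dn, "changetype: add", "objectClass: posixAccount",
                                  f"uid: {uid}"] + [f"{a}: {v}" for a, v in want.items()]))
        elif mods := [f"replace: {a}\n{a}: {v}\n-" for a, v in want.items()
                      if ldap[uid].get(a) != v]:
            out.append("\n".join([dn, "changetype: modify"] + mods))
    return "\n\n".join(out)
```

Running sync_changes(NIS_PASSWD, LDIF) yields one modify record for alice (loginShell) and one add record for bob, and nothing for the unchanged friebel entry.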

LDAP Client installation
- The LDAP client requires the nsswitch mechanism
  - contained at least in Linux and Solaris
  - nsswitch.conf determines the method to fetch data (nis, ldap, files)
  - libnss_xxx.so provides the functionality for method xxx
  - vendors usually provide libnss_ldap.so
- Source code to build a libnss_ldap.so library is available from (current version 150 or higher)
  - works at least for Linux and Solaris
  - we installed libnss_ldap.so from source (version 149)
  - recommended, as it might fix bugs that come with the vendor version
- DESY Hamburg experiments with vendor-supplied mechanisms on Solaris 2.8 and IRIX 6.5 (does work, little experience up to now)

LDAP Client configuration
- The client requires the proper /etc/nsswitch.conf
  - we installed nsswitch.ldap and moved nsswitch.conf to nsswitch.nis
  - then we have a symlink nsswitch.conf to switch between NIS and LDAP
- Our nsswitch.ldap contains (some entries left out):

    passwd:   compat ldap
    group:    files ldap
    hosts:    files dns ldap
    services: files ldap
    netgroup: files nis

- The library libnss_ldap needs additional info in /etc/ldap.conf
  - OpenLDAP clients expect the file in /etc/openldap, therefore symlink it
  - ldap.conf contains info on LDAP servers, LDAP version etc.
  - specifying more than one server makes the mechanism (more) failsafe

Our /etc/ldap.conf

    # The LDAP servers
    host ldap.ifh.de ldap2.ifh.de
    # The distinguished name of the search base.
    base dc=ifh,dc=de
    # The LDAP version to use (defaults to 2)
    ldap_version 3

Testing the LDAP client
- Activate the proper nsswitch.conf
- For testing purposes shut down the name service cache daemon nscd
- Issue commands that do name resolution
  - ls -l
  - id
  - if protocols and services are resolved by LDAP, do further tests (ping, ...)
  - the output should contain names, not numbers, for user, group etc.
  - you can modify nsswitch.conf temporarily to force LDAP name resolution
- Watch the activity on the LDAP server if possible

Maintaining the system
- More than one LDAP server should be available
- Do replication of the directory tree
  - setting up slurpd, which propagates changes from the master server to the replica server
    - advantages: consistency of data, use of standard methods
    - disadvantage: still a single point of failure: no updates if the master is down
  - using multiple master servers and keeping them in sync
    - advantages: updates of data can be done as long as at least one server is up
    - disadvantages: additional mechanisms required to enforce data consistency
- Maintenance software has to be integrated with LDAP
  - enhance your tools to also update the LDAP tree (ldapadd, ldapmodify, ...) or
  - use ldapsync to maintain NIS as before and synchronize with LDAP

Performance tuning
- Choice of platform and software influences performance
  - after initial tests with Solaris and LDAP v2 we switched to Linux and v3
  - easy access to fast PCs with large memory at DESY
  - impression from reading the mailing list: Linux is less problematic
- Watch your server for resource usage
  - the server forks additional processes for listening
  - the server becomes slow when doing a lot of syslogging (especially on Linux), therefore we start slapd with -s 0
- Ensure that the proper indexes are requested and have really been built
  - see also man slapindex
- Make sure the name service caching daemon nscd is running
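An added example, not from the slides, for the point made here and on the server-configuration slide that indexes must actually be configured for the attributes the NIS-style lookups search on: the Python below parses the index directives of a slapd.conf text (the syntax used on the configuration slide) and reports attributes lacking an equality index. The required list, taken from the slide's own index set, and the slapd.conf fragment are assumptions constructed for the example.

```python
import re

# Attribute -> index type that the NIS-style lookups rely on; the list is the index set from the
# server-configuration slide, lower-cased (LDAP attribute names are case-insensitive). Assumption.
REQUIRED = {
    "uid": "eq", "cn": "eq", "objectclass": "eq",
    "uidnumber": "eq", "gidnumber": "eq", "memberuid": "eq",
    "oncrpcnumber": "eq", "ipserviceport": "eq",
    "ipnetworknumber": "eq", "iphostnumber": "eq",
}

def parse_indexes(conf):
    """Return {attribute: set of index types} from 'index attr[,attr...] type[,type...]' lines."""
    idx = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments and surrounding blanks
        m = re.match(r"index\s+(\S+)\s+(\S+)$", line)    # 'index attr' without a type list is ignored
        if not m:
            continue
        types = {t.strip().lower() for t in m.group(2).split(",")}
        for attr in m.group(1).split(","):
            idx.setdefault(attr.strip().lower(), set()).update(types)
    return idx

def missing_indexes(conf, required=REQUIRED):
    """Attributes whose required index type is not configured; lookups on them cannot use an index."""
    idx = parse_indexes(conf)
    return sorted(a for a, t in required.items() if t not in idx.get(a, set()))

# Constructed slapd.conf fragment modelled on the slide, with memberUid and ipHostNumber dropped.
WEAK_CONF = """database  ldbm
suffix    "dc=IFH, dc=DE"
directory /var/openldap/db/nis
index cn,sn,uid,givenname        pres,eq,sub   # name lookups
index objectclass                pres,eq
index uidNumber,gidNumber        eq
index oncRpcNumber,ipServicePort eq
index ipNetworkNumber            eq
"""
```

missing_indexes(WEAK_CONF) returns the two attributes that lost their index; appending an index line for them makes the check come back empty.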

Experiences
- Migration can be done without rebooting
  - ldconfig might be required however
  - if done with running nscd then LDAP lookups will not occur instantly
- Users do not notice the change from NIS to LDAP
  - initially we had some problems due to missing entries in services and using "files ldap" instead of "compat ldap" in passwd resolution
- As stated in the NEWS of the nss_ldap library, netgroup name resolution is still missing, but "This is a lot easier now..." (to write)
  - until this is done either rely on NIS for netgroups or use /etc/netgroups
- Some programs need recompilation (if linked against LDAP 1.xx)
  - httpd (SuSE 6.3), maybe pine

Integration with Windows
- Active Directory could in principle be used to host the name service information; then a separate LDAP server would not be needed
- To store the relevant data the schema definitions need to be known to Active Directory
  - the procedure for adding a new schema is fairly complicated
  - attributes and classes with the same name may have different definitions
  - attributes and classes with different names may mean the same
  - we have not managed to do this first step up to now
- Given the above complications, integrating LDAP for NIS with Active Directory does not seem to be of advantage

Statistics
- The primary LDAP server is a 233 MHz Intel PIII machine running SuSE 6.3 and kernel , a second server is also running
- 85 Linux clients with LDAP presently use our primary server
- load can be neglected (typically around 0.01)
- total CPU time accumulated by slapd processes is about 2 minutes/day (40 minutes during 20 days)
- on average about established LDAP connections are served from up to 36 server processes simultaneously
- No difference in application speed compared to NIS seen
  - ls -ld /afs/ifh.de/user/*/* took about 1.5 s (around 1200 name lookups, both for NIS and LDAP with running nscd)
- Very preliminary tests with an Ultra1 Solaris machine in Hamburg were less promising

Outlook
- We will continue to migrate from NIS to LDAP
  - 30 new clients added last week without any complications
  - we could switch all Linux machines instantly (except the web server), but we will look first for long-term effects (months) before a full migration
- Further services can make use of this LDAP branch; we will investigate whether this has advantages for us
  - mail aliases for the mail server
  - automounter maps
- Some day we will need to integrate the maintenance of the NIS data in LDAP into a central tool (which does not yet exist)