Presentation transcript:

LINSOL.ORG
Red Hat Enterprise Linux Variants
• Server:
  • Red Hat Enterprise Linux Advanced Platform
  • Red Hat Enterprise Linux
• Client:
  • Red Hat Enterprise Linux Desktop
    • with Workstation option
    • with Multi-OS option
    • with Workstation and Multi-OS options

Red Hat Network
• A comprehensive software delivery, system management, and monitoring framework
• Update Module: provides software updates
  • Included with all Red Hat Enterprise Linux subscriptions
• Management Module: extended capabilities for large deployments
• Provisioning Module: bare-metal installation, configuration management, and multi-state configuration rollback capabilities
• Monitoring Module: provides infrastructure health monitoring of networks, systems, applications, etc.

Other Red Hat Supported Software
• Red Hat Application Stack
• JBoss Enterprise Middleware Suite
• Red Hat Directory Server
• Red Hat Certificate System
• Red Hat Global File System

Objectives of RH423
• Develop skills required to manage and deploy directory services on Red Hat Enterprise Linux systems
• Gain a better understanding of PAM and user authentication on Red Hat Enterprise Linux

Audience and Prerequisites
• Audience: Senior Red Hat Linux and Red Hat Enterprise Linux system administrators and other IT professionals who need to provide enterprise-wide authentication or information services
• Prerequisites: RHCE certification or comparable skills and knowledge

Classroom Network
• example.com network (192.168.0.0/24)
  • server1.example.com (192.168.0.254)
    • Main classroom server: provides DHCP, DNS, routing and other services
  • stationX.example.com (192.168.0.X)
    • Student systems
  • serverX+100.example.com (192.168.0.X+100)
    • Virtual server hosted on student stations
  • serverX+200.example.com (192.168.0.X+200)
    • Secondary virtual server hosted on student stations

Notes on Internationalization
• Red Hat Enterprise Linux supports nineteen languages
• Default language can be selected:
  • During installation
  • With system-config-language
    • System -> Administration -> Language
• Alternate languages can be used on a per-command basis:
  $ LANG=en_US.UTF-8 date
• Language settings are stored in /etc/sysconfig

Objectives
Upon completion of this unit, you should be able to:
• Explain what a directory service is
• Explain the history of LDAP and X.500
• Understand the LDAP information model
• Read and write simple LDIF
• Explore issues

What is a Directory?
• A directory is a specialized database that normally stores small pieces of information
• Special-purpose directories are common:
  • A telephone book is a directory of names to telephone numbers
  • DNS is a directory of host names to IP addresses
  • NIS is a directory of system information: username to password file data, name to alias, mount point to device, and so on

Ideal Directory Data
• Small pieces of information will be stored
  • Potentially many small pieces of information
• Data will be frequently read but rarely written
• Individual entries are based on collections of attributes (phone number, address, etc.)
• Information will need to be searched for or looked up by multiple client users

Uses of a Directory
• Look up addresses and contact information in mail clients and web browsers
• Manage and synchronize user authentication centrally from a network server
• Centrally coordinate informational databases used by various network services
• Store and search for arbitrary data

X.500 Directory Service
• General-purpose directory service designed by ISO and CCITT starting in the 1980s
• The Directory: a fully-connected global directory, with information organized in a tree
• Flexible information model
• Intended for "white pages" telephone and X.400 directories, OSI name service
• DAP: client/server communication protocol

X.500 Problems
• X.500 (and DAP) is complex and resource hungry to implement
  • The standards process did not require test implementations to prove feasibility!
  • Early implementations were slow, buggy, and did not interoperate well
• X.500 is tied to the OSI network model
  • The Internet is based on TCP/IP, not OSI
  • Deployment was therefore slow

LINSOL.ORG  Lightweight Directory Access Protocol Originally for use by desktop computer clients  LDAP improves X.500 DAP in several ways: Uses TOP transport in place of 051 networking Simplifies protocol to nine basic operations Uses a subset of X.500 message encoding rules Data elements are simple text strings

LDAP Directory Service
• The initial ldapd daemon acted as a gateway
• In 1995, the UMich LDAP group realized that over 99% of X.500 queries came through ldapd
• A standalone LDAP daemon (slapd) replaced ldapd and the X.500 service
  • Removed the overhead of LDAP-to-DAP translation
  • Improved performance and reduced directory service complexity

LDAP Models
• Information Model: how individual entries in the directory are structured
• Naming Model: where entries are stored in the hierarchical directory tree
• Functional Model: what operations can be performed on the directory
• Security Model: how directory information is protected from unauthorized access

Information Model
• An entry stores information about an object of interest in the directory
  • The basic unit of information storage
• Each entry is made up of attributes which describe characteristics of the object
  • Each attribute in an entry has a type and takes one or more values
• The unique distinguished name of an entry is based on one of its attributes

Directory Schema
• The schema defines rules on what attributes can be used in which entries and how their values are formatted and compared
• Keeps directory data consistent and useful
  • Reduces redundant or inappropriate information stored in entries
  • Constraints on size and format help avoid bogus data values being assigned to attributes

Commonly Seen Attributes
dn    The unique DN identifying the entry
cn    The entry's common name (full name)
sn    The surname (last name) of a user
uid   Login name
c     Two-letter country code
o     Name of an organization
ou    Name of an organizational unit
mail  Internet address

Object Classes
• An object class groups related information
  • Defines which attributes are mandatory and which are permitted in an entry
• objectClass attributes specify which object classes an entry belongs to
• There are different kinds of object classes
  • An entry must have one structural object class
  • An entry may add one or more additional auxiliary object classes

Derived Object Classes
• An object class may be a subclass derived from another object class
  • The derived class inherits the required and optional attribute lists from its superclass
  • The derived class may then add additional required and optional attributes

Sample Entry in LDIF Form

dn: dc=ds,dc=nust,dc=com
objectclass: dcObject
objectclass: top
dc: ds

dn: ou=People,dc=ds,dc=nust,dc=com
objectclass: organizationalUnit
objectclass: top
ou: People

Troubleshooting an LDIF Entry
• Does the RDN match an attribute-value pair?
• Is there exactly one structural class, not counting parent superclasses?
• Do all mandatory attributes have a value?
• Are there any attributes set which the object class or classes for this entry do not allow?
• Do any single-value attributes have multiple values?
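The five questions above can be run mechanically. The following is an added example, not code from the RH423 slides or from Red Hat Directory Server: it parses an LDIF entry and checks it against a constructed schema subset (real servers load the full schema), using the two entries from the sample LDIF slide plus a constructed, deliberately broken inetOrgPerson entry.

```python
# Constructed schema subset: class -> (kind, superclass, MUST attrs, MAY attrs).
# Names are lower-cased because LDAP attribute and class names are case-insensitive.
SCHEMA = {
    "top":                  ("abstract",   None,                   {"objectclass"}, set()),
    "dcobject":             ("auxiliary",  "top",                  {"dc"},          set()),
    "domain":               ("structural", "top",                  {"dc"},          {"description"}),
    "organizationalunit":   ("structural", "top",                  {"ou"},          {"description", "l"}),
    "person":               ("structural", "top",                  {"sn", "cn"},    {"userpassword", "description"}),
    "organizationalperson": ("structural", "person",               set(),           {"ou", "l", "st"}),
    "inetorgperson":        ("structural", "organizationalperson", set(),           {"uid", "mail", "displayname"}),
}
SINGLE_VALUED = {"displayname"}  # constructed subset of single-valued attribute types

# The two entries from the 'Sample Entry in LDIF Form' slide.
SLIDE_DC_DS = "dn: dc=ds,dc=nust,dc=com\nobjectclass: dcObject\nobjectclass: top\ndc: ds\n"
SLIDE_OU_PEOPLE = ("dn: ou=People,dc=ds,dc=nust,dc=com\nobjectclass: organizationalUnit\n"
                   "objectclass: top\nou: People\n")
# Constructed entry with three deliberate defects: no sn, a dc attribute that
# inetOrgPerson does not allow, and two values for the single-valued displayName.
BROKEN_PERSON = """dn: uid=lee,ou=People,dc=ds,dc=nust,dc=com
objectclass: inetOrgPerson
objectclass: top
uid: lee
cn: Lee Example
displayName: Lee
displayName: Lee E.
dc: lee
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); no base64 ('::') support."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def class_chain(name):
    """Yield an object class followed by each of its superclasses in turn."""
    while name:
        yield name
        name = SCHEMA[name][1]

def check_entry(text):
    """Return the problems found; an empty list means all five checks passed."""
    dn, attrs = parse_ldif_entry(text)
    problems = []
    # 1. Does the RDN match an attribute-value pair? (escaped commas not handled here)
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    if rdn_val not in attrs.get(rdn_attr.strip().lower(), []):
        problems.append(f"RDN {rdn_attr}={rdn_val} has no matching attribute value")
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return problems + [f"unknown object class(es): {unknown}"]
    # 2. Exactly one structural class, ignoring superclasses of another listed class.
    supers = {s for c in classes for s in list(class_chain(c))[1:]}
    structural = [c for c in classes if SCHEMA[c][0] == "structural" and c not in supers]
    if len(structural) != 1:
        problems.append(f"expected exactly one structural class, found {structural}")
    must, may = set(), set()
    for c in classes:
        for s in class_chain(c):  # inherited MUST/MAY lists, as the derived-class slide says
            must |= SCHEMA[s][2]
            may |= SCHEMA[s][3]
    # 3. Do all mandatory attributes have a value?
    problems += [f"mandatory attribute {a} is missing" for a in sorted(must - set(attrs))]
    # 4. Are attributes set that none of the listed classes allow?
    problems += [f"attribute {a} not allowed by {classes}" for a in sorted(set(attrs) - must - may)]
    # 5. Do any single-valued attributes carry more than one value?
    problems += [f"single-valued attribute {a} has {len(attrs[a])} values"
                 for a in sorted(SINGLE_VALUED & set(attrs)) if len(attrs[a]) > 1]
    return problems
```

Note that the checker flags the slide's dc=ds entry on question 2: dcObject is auxiliary and top is abstract, so a strict server such as OpenLDAP rejects that add with an object class violation unless a structural class (for example domain or organization) is listed as well.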

LINSOL.ORG Managing Directory Data  What attributes do your applications need?  Are they hard-wired to use a particular schema?  Do applications have conflicting needs?  Correct object class selection is important  Helps avoid poor quality or badly formatted data  An entry cannot change its structural object class after creation!

LINSOL.ORG Managing Directory Data  Use standard schema definitions if possible  Auxiliary classes may help  Avoid storing identical or redundant data in multiple attributes  Otherwise, ensure the values stay synchronized  Plan for change  What attributes might you need in the future?  How will current data be kept up to date?

Developing a Data Policy
• What data will and will not be stored in the directory service
• Who has the ability to modify which entries
• Who has the ability to access which entries
• Legal considerations affecting the above
• How exceptions may be made if needed

Unit 2: The LDAP Naming Model

LINSOL.ORG Objectives Upon completion of this unit, you should be able to:  Use the LDAP naming model  Use and construct LDAP distinguished names (DNs)‏  Interpret directory suffixes  Organize entries in the directory  Define a name space in LDIF

LDAP Naming Model
• The naming model defines how entries are organized and identified in the directory
• Every entry must have a unique name that may be referenced unambiguously
  • The distinguished name, or DN
• A well-designed name space is critical
  • Easier retrieval and maintenance of data
  • Easier to apply access control policies

The Directory Information Tree
• Directory entries are arranged in a hierarchy
  • The directory information tree, or DIT
  • Similar to a file system or DNS hierarchy
• Each entry has one parent entry
• An entry may have any number of children
• The DN of an entry specifies its position in the directory hierarchy
  • uid=lee,ou=sales,dc=foo,dc=com

Distinguished Names
• The leftmost component of the DN is the relative distinguished name, or RDN
• The RDN must be
  • selected from the attributes of the entry
  • unique among entries that share the same immediate parent entry
• Two entries may have the same RDN if they have different parent entries (and therefore their full DNs are different)

Escaped Characters
• Some characters must be escaped with a backslash (\) if they appear in a component of a DN
  • Comma, plus, double quote, backslash, less-than, greater-than, or semicolon at the start of a component
  • White space at the start or end of a component
• dn: o=Example\, Inc.,st=Delaware,c=us
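The escaping rule and the o=Example\, Inc. DN above, worked through as an added example that is not code from the slides: escape_dn_value() applies the RFC 4514 string rules (the seven special characters anywhere in a value, '#' at the start, white space at either end, which is slightly more than the slide lists), and parse_dn() splits a DN into RDNs without breaking on an escaped comma, decoding both backslash-character and backslash-hex escapes. Multi-valued RDNs joined with '+' are not handled.

```python
SPECIAL = set(',+"\\<>;')   # must be escaped wherever they appear in a DN value
HEX = set("0123456789abcdefABCDEF")

def escape_dn_value(value):
    """Escape one attribute value so it can be embedded in a DN component."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would read as a hex-encoded BER value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing white space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def split_dn(dn):
    """Split a DN string into its RDN strings, leaving escapes in place."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                        # unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns

def parse_rdn(rdn):
    """Return (attribute type, unescaped value) for a single-valued RDN."""
    attr, _, raw = rdn.partition("=")
    value, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):  # \2C style (ASCII only here)
                value.append(chr(int(pair, 16)))
                i += 3
            else:                                              # \, \+ \" etc.
                value.append(raw[i + 1])
                i += 2
        else:
            value.append(raw[i])
            i += 1
    return attr.strip().lower(), "".join(value)

def parse_dn(dn):
    """DN string -> list of (type, value) pairs, leftmost RDN first."""
    return [parse_rdn(r) for r in split_dn(dn)]

def build_dn(pairs):
    """Inverse of parse_dn(): (type, value) pairs -> escaped DN string."""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in pairs)
```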

The Directory Suffix
• The global LDAP name space is distributed among multiple directory partitions
• The suffix is the DN of the highest entry in the LDAP directory hierarchy which is stored in a directory partition
  • The node below which your name space lives
  • The DNs of all entries in that directory partition end with the suffix

Choosing a Suffix
• LDAP does not place restrictions on the suffix you may use or the structure of your directory
• Your suffix should be unique in case your server ever needs to coexist with others
• There are two standard approaches
  • The X.500 naming model
  • The Internet domain naming model

X.500 Suffixes
• X.500-style suffixes are geographically and organizationally based
  • o=Example\, Inc.,st=Delaware,c=US
• Useful if X.500(93) compatibility is needed
• In practice, it has proved hard to find and manage names using this naming scheme

Internet Domain Suffixes
• The preferred method is to use components of the organization's DNS domain
  • For example.com: dc=example,dc=com
• Since the DNS domain is known to be unique, the LDAP suffix is also unique
• Can simplify deployment and configuration
• Easier to manage in the long term

Structure of the Name Space
• After selecting the suffix, the structure of the directory name space must be designed
• At one extreme is a flat name space containing all entries directly under the suffix
  • uid=raoit,dc=nust,dc=com
• At the other is a deep name space dividing entries into fine categories
  • uid=raoit,ou=seecs,ou=it,dc=nust,dc=com

Flat Name Space
(Diagram: the suffix dc=nust,dc=com with user entries such as uid=raoit, uid=jbrown and uid=jvedder (cn=Jeff Vedder) placed directly beneath it.)

Flat Name Space Issues
• Advantages
  • Names do not need to change when job roles change or the organization changes
  • Simple design avoids the need for object categorization by directory administrators
• Disadvantages
  • Hard to partition the directory later if needed
  • May be hard to maintain unique DNs

Deep Name Space
(Diagram: the suffix dc=example,dc=com divided first by location, such as l=North America, then into ou=People, ou=Sales and ou=Devel containers, with user entries such as uid=joe, uid=mara, uid=jeanne and uid=pete at the leaves.)

LINSOL.ORG Designing the Name Space  There is no name space design that is ideal for all situations  There is no name space design that is ideal for all situations  May help to think about how you planned the DNS name space of hosts and subdomains  May help to think about how you planned the DNS name space of hosts and subdomains  Try to keep the hierarchy fairly flat  Try to keep the hierarchy fairly flat  Simpler management, good for small directories  Simpler management, good for small directories  Depth is useful for  Depth is useful for  Avoidance of naming collisions  Avoidance of naming collisions  Dividing up directory management  Dividing up directory management

One Compromise Name Space
(Diagram: the suffix dc=example,dc=com with location entries such as l=North America and l=Europe; the user entry uid=pete sits under a location and carries ou=Sales as an attribute rather than as a container.)
• Set the ou attribute on entries
  • Can still search based on ou
  • Changing ou just affects one entry, not the directory hierarchy

LINSOL.ORG Designing the Name Space  Place entries in subtrees based on the type of entry, not just by organizational structure or geography  Place entries in subtrees based on the type of entry, not just by organizational structure or geography  For example:  For example:  inetoryPerson entries under ounPeople  inetoryPerson entries under ounPeople  Entries for groups under ou=Groups  Entries for groups under ou=Groups  Entries for machines under ou=Hosts  Entries for machines under ou=Hosts  Can use in addition to other schemes  Can use in addition to other schemes

Defining the Name Space
• The LDAP server will need to have your name space input in LDIF format
• You will need an entry for your root node
• You will need entries for any nodes which act only as containers for other entries
• Various object classes are useful
  • domain, dcObject, country, locality, organization, organizationalUnit

Planning the Directory
• A well-designed directory tree can make directory management much simpler
• Additional references which may be useful:
  • Red Hat Directory Administrator's Guide
  • Understanding and Deploying LDAP Directory Services by Timothy Howes, Mark Smith, and Gordon Good