Getting started: Identity Management (presentation transcript)

1 Getting started: Identity Management
● What is identity management
● Local files
● Network Information Service (NIS)
● Lightweight Directory Access Protocol (LDAP)
● Winbind

2 You probably have used LDAP before
Active Directory (AD) is LDAP under the hood...

3 LDAP
● http://en.wikipedia.org/wiki/Ldap
● http://www.openldap.org
● LDAP Data Interchange Format (LDIF)
● Distinguished Name (DN)
● LDAP is not a relational database
● LDAP directories are optimized for read performance

4 LDAP Objects

5 Think tree structure

6 What tree structure should you use?
● Base DN in X.500 format
  o="Example, Inc.", c=US
● Base DN derived from the Internet presence
  o=example.com
● Base DN derived from the DNS domain components
  dc=example, dc=com

7 Layout method for users
● Login based
  uid=jdoe,ou=people,dc=example,dc=com
● Name based
  cn=John Doe,ou=users,dc=example,dc=com

8 OpenLDAP Server Config: Schema, Cert Info, Referrals, Overlays, Database, Index, ACL, Replication

9 OpenLDAP 2.3.X slapd.conf
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/inetorgperson.schema
  include /etc/openldap/schema/nis.schema
  # cosine.schema is a dependency of inetorgperson.schema; nis.schema supplies
  # the posixAccount, shadowAccount and posixGroup classes used by the LDIF
  # on slide 12.
  database bdb
  suffix "dc=example,dc=com"
  rootdn "cn=Manager,dc=example,dc=com"
  rootpw password
  directory /var/lib/ldap
  index uid pres,eq
  index cn,sn pres,eq,approx,sub
  # uid is indexed once above; slapd rejects a duplicate index definition.
  access to * by * read

10 OpenLDAP 2.4.X upgrade (convert slapd.conf to the slapd.d configuration directory)
  slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

11 example.com LDIF
  dn: dc=example,dc=com
  objectClass: dcObject
  objectClass: organization
  description: The Example Corporation
  o: Example Corporation
  dc: example

  dn: cn=Manager,dc=example,dc=com
  objectClass: organizationalRole
  cn: Manager
  description: Directory Manager

  dn: ou=Group,dc=example,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: Group

  dn: ou=People,dc=example,dc=com
  objectClass: top
  objectClass: organizationalUnit
  ou: People

12 Adding a user account
  dn: uid=test,ou=People,dc=example,dc=com
  uid: test
  cn: test
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  shadowLastChange: 12102
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 1000
  gidNumber: 1000
  homeDirectory: /home/test
  userPassword: {crypt}$1$gZddl90v$YJFih6/ftT3IcnCsdVmHs1

  dn: cn=test,ou=Group,dc=example,dc=com
  objectClass: posixGroup
  objectClass: top
  cn: test
  userPassword: {crypt}x
  gidNumber: 1000
  memberUid: test
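Before an LDIF like the one above is fed to slapadd or ldapadd it is worth checking it offline: a posixAccount missing one of its MUST attributes is rejected by the schema check, a gidNumber with no matching posixGroup gives a user with a broken primary group, and a userPassword without a scheme prefix is stored in cleartext. The following is an added example, not code from the presentation; it embeds the slide's two entries as constructed input and takes the MUST attribute lists from the nis schema (RFC 2307).

```python
"""Parse LDIF and sanity-check a posixAccount / posixGroup pair before import.

Added example, not from the presentation. The LDIF below is the slide's own
user and group, embedded inline so the check runs offline; the MUST attribute
lists come from the nis schema (RFC 2307).
"""
from typing import Dict, List

# Constructed input: the two entries shown on the slide.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12102
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/test
userPassword: {crypt}$1$gZddl90v$YJFih6/ftT3IcnCsdVmHs1

dn: cn=test,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: test
userPassword: {crypt}x
gidNumber: 1000
memberUid: test
"""

# MUST attributes of the two object classes (nis.schema / RFC 2307).
REQUIRED = {
    "posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "posixGroup": ("cn", "gidNumber"),
}

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries. Handles blank-line separators, '#' comments and
    RFC 2849 line folding; base64 ('::') values are not decoded."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:     # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def check_entry(entry: Entry) -> List[str]:
    """Per-entry findings: missing MUST attributes and cleartext passwords."""
    dn = entry.get("dn", ["<no dn>"])[0]
    findings = []
    classes = entry.get("objectclass", [])
    for oc, required in REQUIRED.items():
        if oc in classes:
            findings += [f"{dn}: {oc} requires {a}" for a in required
                         if a.lower() not in entry]
    for pw in entry.get("userpassword", []):
        if not pw.startswith("{"):               # no {crypt}/{SSHA}/... scheme prefix
            findings.append(f"{dn}: userPassword is stored in cleartext")
    return findings


def check_ldif(text: str) -> List[str]:
    """All findings for the LDIF; an empty list means it passed every check."""
    entries = parse_ldif(text)
    findings = []
    for e in entries:
        findings += check_entry(e)
    # Cross-entry check: each account's primary gidNumber must exist as a posixGroup.
    group_gids = {g for e in entries if "posixGroup" in e.get("objectclass", [])
                  for g in e.get("gidnumber", [])}
    for e in entries:
        if "posixAccount" in e.get("objectclass", []):
            for gid in e.get("gidnumber", []):
                if gid not in group_gids:
                    findings.append(f"{e['dn'][0]}: gidNumber {gid} has no posixGroup in this LDIF")
    return findings


if __name__ == "__main__":
    print(check_ldif(SAMPLE_LDIF) or "LDIF passed all checks")
```

The slide's LDIF passes as written; dropping the homeDirectory line or the group entry produces a finding naming the offending DN, which is the same information slapadd would otherwise report only at import time.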

13 Import the LDIF
● /usr/share/openldap/migration/migrate_*.sh
● Offline add
  slapadd < example.ldif
  chown ldap:ldap -R /var/lib/ldap/
  chmod 660 -R /var/lib/ldap/*
  start openldap server
● Online add
  Start openldap server
  ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
● Did it work?
  ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

14 GUI Tools

15 Backups, Backups, Backups
● Plain text backup
  slapcat > example.com.ldif
  ldapsearch -b dc=example,dc=com -x -D cn=Manager,dc=example,dc=com -w password > example.com.ldif
● Binary backup
  tar cjf ldap-bdb-backup.tar.bz2 /var/lib/ldap/
● Replication != backup

16 Client Setup
1. /etc/nsswitch.conf
2. /etc/*ldap.conf
3. /etc/pam.d/XXX
● Setup tools
  Debian: auth-client-config
  Red Hat: system-config-authentication or authconfig

17 /etc/nsswitch.conf
  passwd: files ldap
  shadow: files ldap
  group: files ldap
/etc/*ldap.conf
  base dc=example,dc=com
  uri ldap://ldap.example.com/
  # Optional: default is to bind anonymously.
  #binddn cn=proxyuser,dc=example,dc=com
  #bindpw secret
  ssl no

18 PAM /etc/pam.d/system-auth
  auth required pam_env.so
  auth sufficient pam_unix.so nullok try_first_pass
  auth requisite pam_succeed_if.so uid >= 500 quiet
  auth sufficient pam_ldap.so use_first_pass
  auth required pam_deny.so
  account required pam_unix.so
  account sufficient pam_succeed_if.so uid < 500 quiet
  account [default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_permit.so
  password requisite pam_cracklib.so try_first_pass retry=3
  password sufficient pam_unix.so md5 shadow nullok try_first_pass
  password sufficient pam_ldap.so use_authtok
  password required pam_deny.so
  session optional pam_keyinit.so revoke
  session required pam_limits.so
  session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session required pam_unix.so
  session optional pam_ldap.so

19 Client Testing
● id
  # id jagee
  uid=60001(jagee) gid=60000(domusers) groups=60001(domadmins),60005(fileserv),60007(incoming),60000(domusers) context=root:system_r:unconfined_t:SystemLow-SystemHigh
● getent passwd
  # getent passwd jagee
  jagee:x:60001:60000:Jeremy Agee:/home/jagee:/bin/bash
● getent group
  # getent group incoming
  incoming:*:60007:jagee,hellanzb,hannah

20 Client Cache
● Need caching support on your client?
  NSCD - Name Service Cache Daemon
  NSLCD - local LDAP name service daemon
● Need caching and offline support on your client?
  SSSD - System Security Services Daemon

21 Faster client failover
/etc/ldap.conf
  # All LDAP servers offline
  nss_reconnect_tries 2
  nss_reconnect_sleeptime 1
  nss_reconnect_maxsleeptime 1
  nss_reconnect_maxconntries 1
  # Speed up failover for servers in the uri or host list.
  timelimit 5
  bind_timelimit 2
  bind_policy soft
/etc/resolv.conf
  options timeout:1 attempts:1
  nameserver xxx.xxx.xxx.xxx
Compiled-in defaults, nss_ldap-253/ldap-nss.h:
  #define LDAP_NSS_TRIES 5 /* number of sleeping reconnect attempts */
  #define LDAP_NSS_SLEEPTIME 4 /* seconds to sleep; doubled until max */
  #define LDAP_NSS_MAXSLEEPTIME 64 /* maximum seconds to sleep */
  #define LDAP_NSS_MAXCONNTRIES 2 /* reconnect attempts before sleeping */
4+8+16+32+64 = 124 seconds per try, and 2 tries by default: 248 seconds per login attempt, approximately 4 minutes.
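The slide's arithmetic is easy to get wrong when tuning, so here is the reconnect model written out so that any combination of the four nss_reconnect_* settings can be evaluated. This is an added example, not code from the presentation or from nss_ldap: it reproduces the slide's model (sleep before each of TRIES attempts, doubling up to MAXSLEEPTIME, the whole cycle repeated MAXCONNTRIES times) and reads the settings from an ldap.conf fragment constructed from the slide. The real client may differ in details such as whether the first attempt is delayed, so the figures are the slide's estimate, not a measurement.

```python
"""How long a login can hang when every LDAP server is down, using the
reconnect model on the slide.

Added example, not from the presentation or from nss_ldap. It reproduces the
slide's arithmetic: one reconnect cycle sleeps SLEEPTIME seconds before each
of TRIES attempts, doubling the sleep up to MAXSLEEPTIME, and the cycle is
repeated MAXCONNTRIES times.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ReconnectPolicy:
    tries: int         # nss_reconnect_tries        (LDAP_NSS_TRIES)
    sleeptime: int     # nss_reconnect_sleeptime    (LDAP_NSS_SLEEPTIME)
    maxsleeptime: int  # nss_reconnect_maxsleeptime (LDAP_NSS_MAXSLEEPTIME)
    maxconntries: int  # nss_reconnect_maxconntries (LDAP_NSS_MAXCONNTRIES)


# Compiled-in defaults from nss_ldap-253/ldap-nss.h as quoted on the slide.
DEFAULT = ReconnectPolicy(tries=5, sleeptime=4, maxsleeptime=64, maxconntries=2)
# The tuned /etc/ldap.conf values from the slide.
TUNED = ReconnectPolicy(tries=2, sleeptime=1, maxsleeptime=1, maxconntries=1)

# Constructed ldap.conf fragment carrying the slide's tuned settings.
SAMPLE_LDAP_CONF = """\
uri ldap://ldap.example.com/
# All LDAP servers offline
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
"""


def sleep_schedule(p: ReconnectPolicy) -> List[int]:
    """Seconds slept before each attempt within one reconnect cycle."""
    schedule, delay = [], p.sleeptime
    for _ in range(p.tries):
        schedule.append(delay)
        delay = min(delay * 2, p.maxsleeptime)   # doubled until the cap
    return schedule


def worst_case_seconds(p: ReconnectPolicy) -> int:
    """Total blocking time for one lookup when no server answers."""
    return sum(sleep_schedule(p)) * p.maxconntries


def parse_ldap_conf(text: str) -> ReconnectPolicy:
    """Read the nss_reconnect_* keys from ldap.conf text; keys that are absent
    fall back to the compiled-in defaults, as the client itself does."""
    values = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if len(parts) == 2 and parts[0].startswith("nss_reconnect_"):
            val = parts[1].strip()
            if val.isdigit():
                values[parts[0][len("nss_reconnect_"):]] = int(val)
    return ReconnectPolicy(
        tries=values.get("tries", DEFAULT.tries),
        sleeptime=values.get("sleeptime", DEFAULT.sleeptime),
        maxsleeptime=values.get("maxsleeptime", DEFAULT.maxsleeptime),
        maxconntries=values.get("maxconntries", DEFAULT.maxconntries),
    )


if __name__ == "__main__":
    for name, p in (("defaults", DEFAULT), ("tuned", parse_ldap_conf(SAMPLE_LDAP_CONF))):
        print(f"{name}: sleeps {sleep_schedule(p)} x{p.maxconntries} = {worst_case_seconds(p)} s")
```

With the defaults the schedule is 4, 8, 16, 32, 64 seconds, repeated twice, which is the slide's 248 seconds; with the tuned values a lookup against dead servers gives up after about two seconds. The timelimit, bind_timelimit and resolv.conf settings on the slide add to this on top of the reconnect sleeps and are not modelled here.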

22 Securing the environment
● Tighten ACLs
● Configure DNS
● Create a Certificate Authority
● Enable TLS/SSL
  TLS (StartTLS) on port 389
  SSL (ldaps) on port 636

23 ACLs
http://www.openldap.org/doc/admin24/access-control.html
  access to attrs=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=phpldapadmin,dc=example,dc=com" write
      by * none
  access to *
      by self write
      by dn.base="cn=phpldapadmin,dc=example,dc=com" write
      by * read
(In slapd.conf the directive is "access to ..." with no colon; the "olcAccess: to ..." form belongs to the slapd.d configuration.)
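slapd evaluates access directives in order: the first "access to" clause whose target matches is selected, the first matching "by" clause inside it decides, and anything that matches no clause is denied (an implicit "by * none" ends every directive and an implicit "access to * by * none" ends the list). That ordering is why the userPassword rule must come before the catch-all "to *" rule: with the slide-9 "access to * by * read" placed first, the password rule is never reached. The following is an added example, not code from the presentation or from OpenLDAP; it models only the subset of the ACL language used on the slide (to *, to attrs=, by self / anonymous / users / dn.base= / *), and the test DNs uid=test and uid=other are constructed.

```python
"""Evaluate OpenLDAP-style access directives the way slapd does: the first
'access to' clause whose target matches is selected, then the first matching
'by' clause in it decides, and anything unmatched is denied.

Added example, not from the presentation or from OpenLDAP. It models only the
ACL subset used on the slide; the requester and entry DNs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two directives from the slide, in slapd.conf multi-line form.
SLIDE_ACL = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=phpldapadmin,dc=example,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=phpldapadmin,dc=example,dc=com" write
    by * read
"""

# Constructed sample DNs for the checks below.
ENTRY_DN = "uid=test,ou=People,dc=example,dc=com"
OTHER_DN = "uid=other,ou=People,dc=example,dc=com"
PHPLDAPADMIN_DN = "cn=phpldapadmin,dc=example,dc=com"

BY_RE = re.compile(r'by\s+(\*|self|anonymous|users|dn\.base="[^"]*")\s+('
                   + "|".join(LEVELS) + r")\b")


@dataclass
class Rule:
    attrs: Optional[Set[str]]        # None means 'to *'
    by: List[Tuple[str, str]]        # (who, level) in the order written


def parse_acl(text: str) -> List[Rule]:
    joined: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and joined:          # slapd.conf continuation line
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    rules = []
    for line in joined:
        m = re.match(r"access\s+to\s+(\S+)\s+(by\s+.*)$", line)
        if not m:
            continue
        target, rest = m.groups()
        if target == "*":
            attrs = None
        elif target.startswith("attrs="):
            attrs = {a.lower() for a in target[len("attrs="):].split(",")}
        else:
            raise ValueError(f"target not supported by this example: {target}")
        rules.append(Rule(attrs, BY_RE.findall(rest)))
    return rules


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith('dn.base="'):
        return requester is not None and who[9:-1].lower() == requester.lower()
    return False


def access_level(rules: List[Rule], requester: Optional[str], entry_dn: str, attr: str) -> str:
    for rule in rules:
        if rule.attrs is None or attr.lower() in rule.attrs:
            for who, level in rule.by:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"          # implicit 'by * none' at the end of each directive
    return "none"                  # implicit 'access to * by * none' at the end of the list


def at_least(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


def password_exposed(rules: List[Rule], entry_dn: str, other_dn: str) -> bool:
    """Detection check: can anyone other than the entry itself (an anonymous
    session or a different authenticated user) read userPassword?"""
    return any(at_least(access_level(rules, r, entry_dn, "userPassword"), "read")
               for r in (None, other_dn))


if __name__ == "__main__":
    good = parse_acl(SLIDE_ACL)
    bad = parse_acl("access to * by * read\n" + SLIDE_ACL)   # slide-9 catch-all placed first
    print("slide 23 ACL exposes passwords:", password_exposed(good, ENTRY_DN, OTHER_DN))
    print("catch-all first exposes passwords:", password_exposed(bad, ENTRY_DN, OTHER_DN))
```

Under the slide's ACL an anonymous session gets "auth" on userPassword (enough to bind, not to read), the entry itself and the phpldapadmin DN get write, and every other user gets none. Prepending the slide-9 catch-all makes userPassword readable by anyone, which password_exposed reports; running that check against a proposed slapd.conf is a cheap way to catch the ordering mistake before it reaches the server.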

24 DNS
● Needed when creating a Certificate Authority or using Kerberos
● BIND - file based
● BIND - standard database backend
  LDAP: http://bind9-ldap.bayour.com/
  SQL: http://mysql-bind.sourceforge.net/docs.php

25 BIND zones backed by LDAP (named.conf)
  zone "home.lan" {
      type master;
      database "ldap ldap://127.0.0.1/dc=home,dc=lan,o=DNS,dc=home,dc=lan 86400";
  };
  zone "0.0.10.in-addr.arpa" {
      type master;
      database "ldap ldap://127.0.0.1/dc=0,dc=0,dc=10,dc=in-addr,dc=arpa,o=DNS,dc=home,dc=lan 86400";
  };

26 Chain of Trust

27 Certificate Authority
1. How to create my own CA with openssl?
2. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29
3. Distro specific PKI method
● Red Hat
  /etc/pki/tls/misc/CA
  /etc/pki/tls/misc/CA.pl (openssl-perl)
● Ubuntu/Debian
  https://help.ubuntu.com/community/OpenSSL

28 Setup Certificate Authority
➔ cd /etc/pki/tls/misc/
➔ ./CA -newca
Note: The Common Name (CN) of the CA cert must NOT match any server name or else a naming collision will occur. Ex: CN="example.com CA"
You can create a request on the CA server itself or on a different client.
➔ ./CA -newreq
Sign a cert
➔ ./CA -signreq
You will have three files in /etc/pki/tls/misc/: newcert.pem, newkey.pem, and newreq.pem. The newcert and newkey files are the public cert and the private key. You don't need to keep the cert request file newreq.pem.
To remove the password from the private key:
➔ openssl rsa -in newkey.pem -out newkey.pem.insecure

29 Adding TLS/SSL
Server side: /etc/openldap/slapd.conf
  TLSRandFile /dev/random
  TLSCipherSuite HIGH:MEDIUM:+SSLv2
  TLSCACertificateFile /etc/openldap/cacerts/myca.crt
  TLSCertificateFile /etc/openldap/server.example.com.crt
  TLSCertificateKeyFile /etc/openldap/server.example.com.key
Client side: /etc/*ldap.conf
TLS over port 389:
  uri ldap://ldap.example.com/
  ssl start_tls
  tls_cacertdir /etc/openldap/cacerts
SSL over port 636:
  uri ldaps://ldap.example.com/
  ssl on
  tls_cacertdir /etc/openldap/cacerts
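The server and client fragments on slides 9, 17 and 29 together show the settings that decide whether credentials cross the wire in the clear: a cleartext rootpw, a TLSCipherSuite that still names SSLv2 (prohibited by RFC 6176), a server with no certificate at all, a client with "ssl no", and a client that enables TLS without a tls_cacertdir or tls_cacertfile to verify the server. The following lint is an added example, not code from the presentation or from OpenLDAP; the configuration fragments are the slide snippets embedded as constructed input and the finding texts are this example's own wording.

```python
"""Offline lint of the slapd.conf and ldap.conf settings shown in the slides.

Added example, not from the presentation or from OpenLDAP. The configuration
fragments are the slide snippets embedded inline so the checks run offline;
the finding texts are this example's own wording.
"""
from typing import Dict, List

# Constructed inputs copied from the slides.
SLAPD_CONF_SLIDE9 = """\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw password
directory /var/lib/ldap
access to * by * read
"""

SLAPD_CONF_TLS = """\
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/myca.crt
TLSCertificateFile /etc/openldap/server.example.com.crt
TLSCertificateKeyFile /etc/openldap/server.example.com.key
"""

LDAP_CONF_PLAIN = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl no
"""

LDAP_CONF_STARTTLS = """\
uri ldap://ldap.example.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Both files are 'keyword value' lines with case-insensitive keywords and
    '#' comments; an indented line continues the previous directive."""
    joined: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw)
    out: Dict[str, List[str]] = {}
    for line in joined:
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            out.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return out


def lint_slapd_conf(text: str) -> List[str]:
    d = parse_directives(text)
    findings = []
    for pw in d.get("rootpw", []):
        if not pw.startswith("{"):             # no {SSHA}/{CRYPT}/... scheme prefix
            findings.append("rootpw is stored in cleartext; use a slappasswd hash")
    for suite in d.get("tlsciphersuite", []):
        if "sslv2" in suite.lower():
            findings.append("TLSCipherSuite references SSLv2, which RFC 6176 prohibits")
    if "tlscertificatefile" not in d or "tlscertificatekeyfile" not in d:
        findings.append("no TLSCertificateFile/TLSCertificateKeyFile: the server cannot offer TLS")
    return findings


def lint_ldap_conf(text: str) -> List[str]:
    d = parse_directives(text)
    findings = []
    mode = d.get("ssl", ["no"])[-1].lower()          # values used on the slides: no, start_tls, on
    uris = " ".join(d.get("uri", []) + d.get("host", []))
    if mode == "no" and "ldaps://" not in uris:
        findings.append("ssl no with an ldap:// URI: binds and lookups cross the wire in cleartext")
    if (mode != "no" or "ldaps://" in uris) and not ("tls_cacertdir" in d or "tls_cacertfile" in d):
        findings.append("TLS enabled but no tls_cacertdir/tls_cacertfile: the server certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for label, fn, conf in (("slide 9 slapd.conf", lint_slapd_conf, SLAPD_CONF_SLIDE9),
                            ("slide 29 slapd.conf", lint_slapd_conf, SLAPD_CONF_TLS),
                            ("slide 17 ldap.conf", lint_ldap_conf, LDAP_CONF_PLAIN),
                            ("slide 29 ldap.conf", lint_ldap_conf, LDAP_CONF_STARTTLS)):
        print(label, fn(conf) or "ok")
```

The slide-9 server config yields two findings (cleartext rootpw, no certificate), the slide-29 server fragment one (SSLv2 in the cipher string), the slide-17 client one (ssl no), and the slide-29 StartTLS client none. The checks are deliberately textual so they can run against a file under review, before slapd is restarted with it.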

30 Overlays
● Audit Logging: http://www.openldap.org/doc/admin24/overlays.html#Audit Logging
● Password Policies: http://www.openldap.org/doc/admin24/overlays.html#Password Policies

31 Database Topology

32 Replication
● http://www.openldap.org/doc/admin24/replication.html

