
Configuring LDAP-UX Module 13 H3065S F.00 [Course Title]


Presentation on theme: "Configuring LDAP-UX Module 13 H3065S F.00 [Course Title]"— Presentation transcript:

1 Configuring LDAP-UX
Module 13, H3065S F.00

2 Managing Users via /etc/passwd
The HP-UX operating system utilizes a variety of configuration files to manage users, groups, and other critical information. Traditionally, each HP-UX host on a network maintained an independent copy of /etc/passwd, /etc/group, /etc/hosts and other configuration files. As a result, adding a user, group, or host often required manual updates to multiple configuration files on multiple hosts.

Diagram: two hosts, each holding its own copy of /etc/passwd, /etc/group and /etc/hosts. "How can I ensure that all of my hosts are configured consistently?"

H3065S F.00 © 2005 Hewlett-Packard Development Company, L.P.

3 Managing Users via NIS or LDAP
HP-UX now offers several alternative solutions for managing configuration information. Of these solutions, LDAP provides the greatest scalability, security, and flexibility.

    Solution             Complexity   Scalability          Security   Interoperability
    Local Config Files   Low          One Host             High       UNIX only
    NIS                  Medium       Hundreds of Hosts
    LDAP Protocol                     Thousands of Hosts              Most OSes, Many Applications

(Cells left blank above are not legible in the slide transcript.)

4 How Does LDAP Work?
- A directory server maintains a database of user, group, and other information
- Clients use the LDAP protocol to issue queries to the directory server
- The directory server retrieves the requested information from the database
- The directory server sends a reply back to the client via the LDAP protocol

Diagram: four LDAP clients send queries and receive replies over the LDAP protocol ("What is user1's UID?", "Who belongs to the users group?", "What is sanfran's IP?", "What is telnet's standard port#?"); the directory server answers them from a database containing user entries, group entries, and other entries.

5 Schema
- Multiple applications and operating systems utilize directory services
- Each application may need to store different types of information in the directory
- Directory schema determine what types of information may be stored in a directory
- Directory server schema are extensible, to support various clients and applications
  - e.g. RFC 2256 defines a schema for representing general information about individuals
  - e.g. RFC 2307 defines a schema for representing UNIX users, groups, hosts, etc.
- Stored in /var/opt/netscape/servers/slapd-sanfran/config/schema/

Diagram: the RFC 2307 schema provides LDAP alternatives to /etc/passwd, /etc/group, /etc/hosts, /etc/services, /etc/networks, and others.

6 Object Classes and Attributes
- Every schema defines one or more object classes
- Every object class includes one or more object attributes
  - Some attributes are required
  - Some attributes are optional
  - Some attributes may be included in multiple object classes
- Schema, object classes, and attributes may be customized to meet your needs

Diagram: Schema -> Object Classes -> Attributes. The RFC 2307 schema defines the object classes posixAccount, posixGroup, ipHost, ipService, ipNetwork and others; their attributes include uidNumber, gidNumber, gecos, homeDirectory, loginShell and others.

7 Directory Entries
- A directory server database contains one or more directory entries
- Each entry contains a list of object classes
- Each entry's object class(es) determines which attributes are allowed in the entry
- Each attribute has one or more values

A sample abbreviated directory entry for user1:
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    cn: user1
    uid: user1
    uidNumber: 101
    gidNumber: 101
    homeDirectory: /home/user1
    loginShell: /usr/bin/sh

8 Directory Information Trees
- Directory servers organize entries in a hierarchical Directory Information Tree (DIT)
- A directory's tree structure may be customized as desired

Diagram (the example tree, with the uidNumber values not legible in the transcript):
    o=hp.com
        ou=western
            ou=people
                uid=user1      entry for uid=user1: uid=user1, uidNumber=
                uid=user2
            ou=groups
                cn=users
                cn=adm
        ou=eastern
            ou=people
                uid=user3      entry for uid=user3: uid=user3, uidNumber=
                uid=user4
            ou=groups
                cn=users
                cn=adm

9 DNs and RDNs
- Every entry in a DIT is identified by a Relative Distinguished Name (RDN)
- An RDN consists of one or more attribute/value pairs from the entry
- An entry's RDN must distinguish the entry from other entries in the local subtree
- Every entry in a DIT also has a Distinguished Name (DN)
- An entry's DN is a concatenation of RDNs leading to the entry
- An entry's DN must be globally unique across the entire tree

Common RDN attributes:
    c   = country
    st  = state or province
    l   = locality (county or city)
    dc  = DNS domain component
    o   = organization
    ou  = organizational unit
    uid = user ID
    cn  = common name

Diagram: o=hp.com contains ou=western and ou=eastern; ou=western contains ou=people (uid=user1, uid=user2) and ou=groups (cn=users, cn=admins). For user1:
    RDN: uid=user1
    DN:  uid=user1, ou=people, ou=western, o=hp.com

10 LDIF Files
Directory entries are commonly displayed, edited, imported, and exported using Lightweight Data Interchange Format (LDIF) files.
- The first line in the LDIF identifies the entry's globally unique DN
- The next few lines identify the object classes represented in the entry
- The remaining lines list the entry's attribute/value pairs

/tmp/user1.ldif (the telephoneNumber and mail values are not shown in the transcript):
    dn: uid=user1, ou=people, ou=western, o=hp.com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    uid: user1
    cn: Darren Miller
    sn: Miller
    givenName: Darren
    uidNumber: 101
    gidNumber: 101
    homeDirectory: /home/user1
    loginShell: /usr/bin/sh
    gecos: Instructor
    telephoneNumber:
    mail:
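As an added example (not part of the course slides or of LDAP-UX), a small Python check that parses an LDIF file like the one above and reports entries that lack a MUST attribute of the RFC 2307 object classes they claim, which is the kind of mistake that surfaces later as a user who resolves through NSS but cannot log in. The sample LDIF is constructed from the slides, with a group entry deliberately missing gidNumber.

```python
# MUST attributes of the RFC 2307 object classes this check knows about (a subset).
RFC2307_MUST = {
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "posixGroup": ["cn", "gidNumber"],
}
_BY_LOWER = {k.lower(): v for k, v in RFC2307_MUST.items()}

def parse_ldif(text):
    """Parse LDIF into [(dn, attrs)]; attrs maps lower-cased name -> [values].
    Folded continuation lines and 'attr:: <base64>' values are not handled."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def missing_attributes(attrs):
    """{objectClass: [missing MUST attrs]} for known RFC 2307 classes (others skipped)."""
    report = {}
    for oc in attrs.get("objectclass", []):
        gaps = [a for a in _BY_LOWER.get(oc.lower(), []) if a.lower() not in attrs]
        if gaps:
            report[oc] = gaps
    return report

def entries_with_gaps(text):
    """{dn: report} for every entry in the LDIF that lacks a MUST attribute."""
    return {dn: r for dn, a in parse_ldif(text) if (r := missing_attributes(a))}

# Constructed sample: the slide's abbreviated user1 entry plus a group entry
# that deliberately omits gidNumber so the check has something to report.
SAMPLE_LDIF = """\
dn: uid=user1, ou=people, ou=western, o=hp.com
objectClass: top
objectClass: posixAccount
cn: user1
uid: user1
uidNumber: 101
gidNumber: 101
homeDirectory: /home/user1

dn: cn=users, ou=groups, ou=western, o=hp.com
objectClass: top
objectClass: posixGroup
cn: users
"""
```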

11 Servers, Replicas, and LDAP Clients
- A host may play one of several roles in an LDAP implementation
- A master server maintains the master copy of the directory database
- One or more replica servers may be configured for load balancing and redundancy
- LDAP clients query directory servers via the LDAP protocol

Diagram: the master directory server pushes updates to two replica servers; groups of clients query the master and each replica.

12 Referrals
- In smaller organizations, the organization's entire DIT may reside in a single database
- In larger organizations, the DIT may be distributed among multiple databases/servers
- Each server typically takes responsibility for one or more directory sub-trees
- Servers use referrals to redirect clients to other servers as needed
- Some servers use chaining to query other servers on behalf of clients

Diagram: a client tells the server holding ou=western, "I'm looking for an entry in ou=eastern,o=hp.com", and is referred with "Contact ldap://nyc.ny.hp.com:389/ou=eastern,o=hp.com".

13 Security
- LDAP-compliant directory servers provide several mechanisms for securing directory data:
  - Password policies enforce password aging and format policies
  - Resource limits prevent denial of service attacks
  - Access Control Instructions (ACIs) determine who can access/edit each subtree/attribute
- Directory servers typically support several client authentication/encryption alternatives:
  - Anonymous Access: allows anyone to view/search the directory
  - Simple Password Authentication: authenticates users via cleartext usernames/passwords (the credentials cross the network unencrypted)
  - SSL Simple Authentication: simple password authentication, but via an SSL connection
  - SASL Authentication: provides an extensible, secure authentication mechanism

Notes: Configuring a Subtree/User Password Policy Using the Console
To set up the password policy for a subtree or user, you need to add the required entries and attributes at the subtree or user level, set the appropriate values to the password policy attributes, and enable fine-grained password policy checking.
1. Enable fine-grained password policy.
   a. In the Directory Server Console, select the Configuration tab.
   b. In the navigation tree, select the Data node.
   c. In the right pane, select the Passwords tab.
   d. Check the "Enable fine-grained password policy" checkbox.
   e. Click Save to save your changes.
2. Create the local password policy for the subtree or user.
   a. In the Directory Server Console, select the Directory tab.
   b. In the navigation pane, select the subtree or user entry for which you want to set up the password policy.
   c. From the Object menu, select the Manage Password Policy option, and then select "For user" or "For subtree." Depending on your selection, the User Password Policy or Subtree Password Policy window appears.
   d. In the Passwords tab, select the "Create subtree/user level password policy" checkbox to add the required attributes, fill in the appropriate values, and click Save.
   e. In the Account Lockout tab, specify the appropriate information, and click Save.
See also: Setting Resource Limits on page 296.

14 LDAP Software Solutions for HP-UX
- Several LDAP-compliant directory server products are available free for HP-UX:
  - Netscape Directory Server
  - Novell eDirectory Server
  - OpenLDAP (unsupported, but included on the Internet Express DVD)
- HP's LDAP-UX client product is included on the Applications DVD
  - LDAP-UX allows HP-UX to authenticate users via any LDAP-compliant directory server
  - LDAP-UX even allows HP-UX clients to authenticate users via MS Windows Active Directory!
  - LDAP-UX includes scripts to easily migrate UNIX configuration files to a directory server
  - LDAP-UX supports LDAP resolution of users, groups, hosts, and other objects
  - LDAP-UX is fully supported by HP

15 Installing a Basic Netscape Directory Server
Installing Netscape Directory Server is a multi-step process. This slide provides an overview; see the notes for details. More complex configurations are also possible.
1. Install J4258CA and (optionally) J4269AA
2. Modify kernel parameters
3. Run the server setup script
4. Import data into the directory
5. Use the console GUI to customize configuration

16 Verifying a Netscape Directory Server
Use the following commands to verify that a Directory Server is functional (<host> stands for the directory server's host name, which the transcript omits).

Is the directory server daemon running?
    # ps -ef | grep slapd
Is the directory server listening on port 389?
    # netstat -an | grep 389
Is the directory server answering user queries?
    # /opt/ldapux/bin/ldapsearch -h <host> \
        -b "ou=People,ou=MyOrganizationalUnit,o=hp.com" \
        uid=*
Is the directory server answering group queries?
    # /opt/ldapux/bin/ldapsearch -h <host> \
        -b "ou=groups,ou=MyOrganizationalUnit,o=hp.com" \
        cn=*

17 Installing a Basic LDAP-UX Client
The LDAP-UX client setup script automates LDAP-UX configuration of the first client.
1. Install J4269AA (LDAP-UX Client)
2. Run the menu-based client setup script
3. Review/customize the resulting /etc/opt/ldapux/ldapux_client.conf file
4. Review/customize the resulting /etc/opt/ldapux/ldapclientd.conf file
5. Review the /etc/opt/ldapux/ldapux_profile.ldif profile
6. Verify that the ldapuxclientd daemon is running
7. Add LDAP to the Name Service Switch configuration in /etc/nsswitch.conf
8. Add LDAP to the Pluggable Authentication Module configuration in /etc/pam.conf
9. Remove LDAP users and groups from /etc/passwd and /etc/group
10. Create a tar archive of the client's configuration files

18 Using the LDAP-UX Client
- LDAP is just one of several mechanisms HP-UX uses to obtain configuration information
- HP-UX must be told when/if LDAP should be used for lookups
  - Commands that authenticate users use /etc/pam.conf to select a lookup source
  - Other commands use /etc/nsswitch.conf to select a lookup source
- In either case, if LDAP is selected, the ldapclientd daemon helps process the request

Diagram: login, su and ssh go through PAM (libpam_hpsec.so.1, libpam_unix.so.1, libpam_ldap.so.1, selected by pam.conf); ll, ps and who go through NSS (selected by nsswitch.conf); both paths reach the LDAP server through ldapclientd.

19 Configuring /etc/nsswitch.conf
Some HP-UX commands such as ll, ps, who, and nsquery use the /etc/nsswitch.conf file to determine how user, group, and other information should be resolved.

/etc/nsswitch.conf without LDAP:
    passwd:    files
    group:     files
    hosts:     files dns
    networks:  files
    protocols: files
    rpc:       files
    publickey: files
    netgroup:  files
    automount: files
    aliases:   files
    services:  files

/etc/nsswitch.conf with LDAP:
    passwd:    files ldap
    group:     files ldap
    hosts:     files dns ldap
    networks:  files ldap
    protocols: files ldap
    rpc:       files ldap
    publickey: files
    netgroup:  files ldap
    automount: files
    aliases:   files
    services:  files ldap

20 Configuring /etc/pam.conf
Commands that authenticate users, such as su, login, and ssh, use Pluggable Authentication Modules (PAM) to access user and password information. Make sure each service in the /etc/pam.conf file consults libpam_ldap.so.1.

/etc/pam.conf entries for the login service on an LDAP client:
    # which modules should be used to authenticate users at login?
    login auth required   libpam_hpsec.so.1
    login auth sufficient libpam_unix.so.1
    login auth required   libpam_ldap.so.1 try_first_pass
    # which modules should be used to determine if an account is valid?
    login account required   libpam_hpsec.so.1
    login account sufficient libpam_unix.so.1
    login account required   libpam_ldap.so.1
    # which modules should be used to setup/terminate login sessions?
    login session required   libpam_hpsec.so.1
    login session sufficient libpam_unix.so.1
    login session required   libpam_ldap.so.1
    # which modules should be used to change the user's password?
    login password required   libpam_hpsec.so.1
    login password sufficient libpam_unix.so.1
    login password required   libpam_ldap.so.1 try_first_pass
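As an added example (not part of the course slides or of LDAP-UX), a Python audit that parses an /etc/pam.conf in the format above and reports every service stack that does not consult libpam_ldap.so.1, or whose auth/password ldap line lacks the try_first_pass option the slide shows. The sample file is constructed from the slide's login stack plus an su service whose account stack was never updated.

```python
# The module LDAP-UX adds to every PAM stack, and the stacks on which the
# slide's ldap line carries try_first_pass (reuse the password that
# libpam_unix.so.1 already collected instead of prompting a second time).
LDAP_MODULE = "libpam_ldap.so.1"
TRY_FIRST_PASS_TYPES = {"auth", "password"}
PAM_TYPES = ("auth", "account", "session", "password")

def parse_pam_conf(text):
    """Parse /etc/pam.conf into [(service, type, control, module, [options])]."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if line:
            service, ptype, control, module, *options = line.split()
            rows.append((service, ptype.lower(), control.lower(), module, options))
    return rows

def audit_ldap_stacks(text):
    """One finding per (service, type) stack that does not consult LDAP the way
    the slide shows; an empty list means every stack passes."""
    rows = parse_pam_conf(text)
    findings = []
    for svc in sorted({r[0] for r in rows}):
        for ptype in PAM_TYPES:
            stack = [r for r in rows if r[0] == svc and r[1] == ptype]
            if not stack:
                continue                           # stack not defined for this service
            ldap = [r for r in stack if r[3].endswith(LDAP_MODULE)]
            if not ldap:
                findings.append(f"{svc} {ptype}: {LDAP_MODULE} not consulted")
            elif ptype in TRY_FIRST_PASS_TYPES and "try_first_pass" not in ldap[0][4]:
                findings.append(f"{svc} {ptype}: {LDAP_MODULE} lacks try_first_pass")
    return findings

# Constructed sample: the slide's login stack, plus an su service (not on the
# slide) whose account stack was never updated, so the audit has a finding.
SAMPLE_PAM_CONF = """\
# which modules should be used to authenticate users at login?
login auth required libpam_hpsec.so.1
login auth sufficient libpam_unix.so.1
login auth required libpam_ldap.so.1 try_first_pass
login account required libpam_hpsec.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1
login session required libpam_hpsec.so.1
login session sufficient libpam_unix.so.1
login session required libpam_ldap.so.1
login password required libpam_hpsec.so.1
login password sufficient libpam_unix.so.1
login password required libpam_ldap.so.1 try_first_pass
su account required libpam_hpsec.so.1
su account required libpam_unix.so.1
"""
```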

21 Updating Passwords
Users can change their own passwords via the ldappasswd command (<host> stands for the directory server's host name, which the transcript omits):
    $ /opt/ldapux/bin/ldappasswd -h <host> -p 389 \
        -b "ou=People, ou=MyOrganizationalUnit, o=hp.com"
    Changing LDAP password for user1
    Old password: ******
    New password: ******
    Retype new password: ******
    Updating password in LDAP...

The directory server's Directory Manager user can change anyone's password:
    # /opt/ldapux/bin/ldappasswd -h <host> -p 389 \
        -b "ou=People, ou=MyOrganizationalUnit, o=hp.com" \
        -D "cn=Directory Manager" -w "*****" \
        -l user1
    Changing LDAP password for user1
    New password: ******
    Retype new password: ******
    Updating password in LDAP...

22 Managing Directory Entries
The directory server's Directory Manager user can easily add/modify/delete the most common UNIX directory entry types via the Netscape Directory Server console GUI, or via the ldapentry command.

Define directory server connection information in ~/.profile (<host> stands for the directory server's host name, which the transcript omits):
    # vi ~/.profile
    export PATH=/opt/ldapux/bin/:$PATH
    export MANPATH=/opt/ldapux/share/man/:$MANPATH
    export LDAP_HOST=<host>
    export LDAP_BINDDN="cn=Directory Manager"
    export LDAP_BASEDN="ou=MyOrganizationalUnit, o=hp.com"
    export EDITOR=vi
    # . ~/.profile

Add/modify/delete directory entries via ldapentry:
    # ldapentry -a type entry    # add a new entry
    # ldapentry -m type entry    # modify an existing entry
    # ldapentry -d type entry    # delete an entry

23 Example: Managing Directory Entries
The example below shows the interface that ldapentry provides to add a user (attributes left blank were not filled in on the slide):
    # ldapentry -a passwd user25
    dn: uid=user25,ou=MyOrganizationalUnit, o=hp.com
    uid: user25
    cn: user25
    sn:
    uidnumber:
    gidnumber:
    homedirectory: /home/user25
    loginshell: /usr/bin/ksh
    gecos:
    telephonenumber:
    givenname:
    mail:
    Do you want to specify userpassword? (y/n): y
    value: ******
    repeat: ******
    Add entry to directory? (y/n): y
    adding new entry uid=user25,ou=MyOrganizationalUnit, o=hp.com
    Added.

24 For Further Study
LDAP and Netscape Directory Server are both very complex products. In order to learn more about security, replication, referrals, more complex topologies, and integration with Microsoft Active Directory, see the references below.

On RFCs: RFC 2307 and many others
On LDAP-UX:
- LDAP-UX Client Services B Administrator's Guide
- HP CIFS Server Administrator's Guide (includes an LDAP chapter)
On Netscape Directory Server:
- Netscape Directory Server Administrator's Guide
- Netscape Directory Server Deployment Guide
- Netscape Directory Server Configuration, Command, and File Reference

25 Lab activity


