Published by Pirjo Kokkonen. Modified over 6 years ago.
CIT 470: Advanced Network and System Administration
Directories
Topics
- Directories
- LDAP
- Structure
- LDIF
- Distinguished Names
- Replication
- OpenLDAP Configuration
What is a Directory?
- Directory: a collection of information that is primarily searched and read, and rarely modified.
- Directory Service: provides access to directory information.
- Directory Server: an application that provides a directory service.
Directories vs. Databases
- Directories are optimized for reading; databases are balanced for reads and writes.
- Directories are tree-structured; databases typically have a relational structure.
- Directories are usually replicated; databases can be replicated too.
- Both are extensible data storage systems.
- Both have advanced search capabilities.
System Administration Directories
Types of directory data:
- Accounts
- Mail aliases and lists (address book)
- Cryptographic keys
- IP addresses
- Hostnames
- Printers
Common directory services: DNS, LDAP, NIS
Advantages of Directories
- Make administration easier.
  - Change data only once: people, accounts, hosts.
- Unify access to network resources.
  - Single sign-on.
  - Single place for users to search (address book).
- Improve data management.
  - Improve consistency (one location instead of many).
  - Only one server to secure. The flip side is that it becomes a single point of failure and a high-value target, so harden it, replicate it and back it up accordingly.
NIS: Network Information Service
- Originally called Sun Yellow Pages, hence the yp prefix on the commands.
- Clients run ypbind; servers run ypserv.
- Data is stored under /var/yp on the server.
- The server shares NIS maps with clients.
  - Each UNIX file may provide multiple NIS maps.
  - NIS maps map keys such as UID or username to data.
  - passwd: passwd.byname, passwd.byuid
- Slave servers replicate the master server's content.
- Easy to use, but insecure and difficult to extend: maps are served without authentication or encryption, so any host that can reach ypserv and knows the NIS domain name can dump passwd.byname, password hashes included, with ypcat.
LDAP: Lightweight Directory Access Protocol
- Lightweight compared to X.500 directories: it runs directly over TCP/IP instead of the full OSI stack.
- A directory service, not a database.
- An access protocol, not a directory itself.
LDAP Clients and Servers
- Standalone directory browsers.
- Embedded clients (mail clients, logins, etc.).
  - Configure /etc/nsswitch.conf on UNIX to resolve users and groups through LDAP.
- Common LDAP servers:
  - OpenLDAP
  - Fedora Directory Server (derived from the Netscape Directory Server; now 389 Directory Server)
  - Mac Open Directory
  - Microsoft Active Directory
  - Novell eDirectory (NDS)
LDAP Structure
- An LDAP directory is made of entries.
  - Entries may be employee records, hosts, etc.
- Each entry consists of attributes.
  - Attributes can be names, phone numbers, etc.
  - The objectClass attribute identifies the entry type.
- Each attribute is a type/value pair.
  - Type is the label for the information stored (the attribute name).
  - Value is the value of that attribute in this entry.
  - Attributes can be multi-valued.
Tree-structure of LDAP Directories
[Figure: tree structure of an LDAP directory]
LDAP Schemas
- Schemas specify the allowed objectClasses and attributes, and for each objectClass which attributes are required (MUST) and which are optional (MAY). slapd rejects an entry that lacks a MUST attribute or carries one that no objectClass of the entry permits.
LDIF: LDAP Data Interchange Format
- Standard text format for storing LDAP configuration data and directory contents.
- LDIF files
  - A collection of entries separated by blank lines.
  - A mapping of attribute names to values, one "name: value" line per value; a line beginning with a space continues the previous line, and "name:: value" carries a base64-encoded value.
- Uses
  - Import new data into a directory.
  - Export a directory to LDIF files for backups.
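The following is an added example, not code from the slides or from OpenLDAP: a small LDIF parser that handles the format rules above (blank-line separated entries, continuation lines, base64 values, multi-valued attributes), a serializer for exporting entries back out, and a check of each entry's objectClasses against a hand-copied subset of the posixAccount and account schema definitions. The sample LDIF and the MUST table are constructed for the example; a real validator would read the schema files slapd loads.

```python
import base64

# Constructed sample LDIF for this example (not taken from the slides): one
# complete posixAccount, with a folded line and a base64 value, and one entry
# that is missing attributes its objectClass requires.
SAMPLE_LDIF = """\
# comment lines are ignored
dn: uid=fooj,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
gidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
description: a long description that is
  folded onto a second line
userPassword:: e1NTSEF9c2FsdGVkaGFzaA==

dn: cn=broken,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: broken
"""

# Required (MUST) attributes per objectClass: a hand-copied subset of the
# posixAccount definition in OpenLDAP's nis.schema (RFC 2307) and of account
# in cosine.schema. A real check would read the schema files slapd loads.
MUST = {
    "top": set(),
    "account": {"uid"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
}


def unfold(text):
    """Drop comment lines and join continuation lines: a line that starts
    with a single space continues the previous attribute value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries. Each entry is a dict holding the
    string 'dn' plus attribute-name -> list of values; attribute names are
    lowercased because LDAP compares them case-insensitively. 'attr:: x'
    carries a base64 value."""
    entries, current = [], None
    for line in unfold(text) + [""]:        # sentinel flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if current is None:
            if name != "dn":
                raise ValueError("entry must start with dn:, got %r" % line)
            current = {"dn": value}
        elif name == "dn":
            raise ValueError("dn: must be the first line of an entry")
        else:
            current.setdefault(name, []).append(value)
    return entries


def to_ldif(entry):
    """Serialize an entry back to LDIF, base64-encoding any value that is
    not safe as plain text (RFC 2849: leading space, ':' or '<', trailing
    space, or non-ASCII characters)."""
    out = ["dn: " + entry["dn"]]
    for name, values in entry.items():
        if name == "dn":
            continue
        for v in values:
            unsafe = v[:1] in (" ", ":", "<") or v.endswith(" ") or not v.isascii()
            if unsafe:
                out.append("%s:: %s" % (name, base64.b64encode(v.encode("utf-8")).decode("ascii")))
            else:
                out.append("%s: %s" % (name, v))
    return "\n".join(out) + "\n"


def missing_attributes(entry):
    """Return, sorted, the MUST attributes absent from the entry according
    to its objectClass values, plus a note for any class not in MUST."""
    problems = set()
    classes = entry.get("objectclass")
    if not classes:
        return ["objectclass"]
    for oc in classes:
        required = MUST.get(oc.lower())
        if required is None:
            problems.add("unknown objectClass " + oc)
            continue
        problems.update(a for a in required if a not in entry)
    return sorted(problems)


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"], "missing:", missing_attributes(e) or "nothing")
```

Running the check before a slapadd or ldapadd catches the second entry, which would otherwise be rejected by the server with an objectClass violation. Note that the exported form contains userPassword hashes in the clear, which is why LDIF dumps need the same protection as the database files.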
LDIF Output Example
[Figure: sample LDIF output]
LDIF Backups and Restores
Backing up an LDAP directory:
  slapcat > backup.ldif
or, to do a daily backup, put the date in the file name:
  slapcat > backup-`date +%F`.ldif
Restoring an LDAP directory:
  service ldap stop
  rm -rf /var/lib/ldap/*
  slapadd < backup.ldif
  service ldap start
slapcat dumps every attribute, userPassword hashes included, so create the backup under a restrictive umask (or chmod 600 it) and store it as carefully as the database itself. slapadd must run with slapd stopped, and it creates the database files as whichever user runs it, so run it as the ldap user or fix the ownership of /var/lib/ldap before starting slapd again.
Distinguished Names
- Distinguished Names (DNs)
  - Uniquely identify an LDAP entry.
  - Provide the path from the LDAP root to the named entry.
  - Similar to an absolute pathname, but written leaf first and root last.
  - dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
- Relative DNs (RDNs)
  - Any attribute/value pair that is unique within the entry's container.
  - e.g. cn=Jeff Foo or uid=fooj
  - Similar to a relative pathname, except that an RDN may have multiple components, joined with '+':
  - cn=Jane Smith+ou=Sales
  - cn=Jane Smith+ou=Engineering
  - A comma, plus sign or other special character inside a value must be escaped with a backslash (cn=Foo\, Jeff), so DNs cannot safely be split on commas.
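An added example (not from the slides) of handling DNs the way the rules above require: a parser that splits a DN into RDNs and multi-valued RDN components while decoding backslash escapes, an escaper for building DNs from untrusted values, and a "is this entry under that base" check that compares decoded components instead of raw strings. The DNs used are the slides' examples plus constructed ones; the comparison treats values case-insensitively, which is right for cn, ou and dc but not for every attribute.

```python
# Added example: parsing, escaping and comparing DNs per RFC 4514.

def escape_dn_value(value):
    """Escape a raw attribute value for use inside a DN (RFC 4514 2.4):
    special characters get a backslash, NUL becomes \\00, and a leading
    '#' or a leading/trailing space is escaped so it is not trimmed."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn):
    """Split a DN into RDNs (leaf first, as written); each RDN is a list of
    (attribute, value) pairs, more than one for a multi-valued RDN such as
    cn=Jane Smith+ou=Sales. Both escape forms (\\, and \\2C) are decoded, so
    cn=Foo\\, Jeff stays one value where a plain split(',') would cut it."""
    if dn == "":
        return []
    rdns, pairs = [], []
    attr, value, in_value = [], bytearray(), False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if in_value and ch == "\\":
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
                value.append(int(hexpair, 16))       # \2C form: one raw byte
                i += 3
            elif i + 1 < len(dn):
                value += dn[i + 1].encode("utf-8")   # \, form: next char literal
                i += 2
            else:
                raise ValueError("dangling backslash in DN: %r" % dn)
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch in "+,":
            pairs.append(("".join(attr).strip().lower(), value.decode("utf-8")))
            attr, value, in_value = [], bytearray(), False
            if ch == ",":
                rdns.append(pairs)
                pairs = []
        elif not in_value:
            attr.append(ch)
        else:
            value += ch.encode("utf-8")
        i += 1
    if not in_value or not "".join(attr).strip():
        raise ValueError("malformed DN: %r" % dn)
    pairs.append(("".join(attr).strip().lower(), value.decode("utf-8")))
    rdns.append(pairs)
    return rdns


def format_dn(rdns):
    """Inverse of parse_dn: re-escape every value and join the RDNs."""
    return ",".join("+".join("%s=%s" % (a, escape_dn_value(v)) for a, v in rdn)
                    for rdn in rdns)


def rdn(dn):
    """The entry's own RDN, its first component (like basename)."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn):
    """The container holding the entry (like dirname); '' above a root suffix."""
    return format_dn(parse_dn(dn)[1:])


def _normalize(rdn_pairs):
    # Attribute names and values compared case-insensitively (caseIgnoreMatch,
    # the rule for cn/ou/dc); component order within a multi-valued RDN ignored.
    return sorted((a, v.lower()) for a, v in rdn_pairs)


def is_under(dn, base):
    """True if dn equals base or lies beneath it. Comparing decoded RDNs means
    escaping and case differences do not matter, and an escaped comma inside a
    value cannot fake a suffix the way a string endswith() check can."""
    d = [_normalize(r) for r in parse_dn(dn)]
    b = [_normalize(r) for r in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

The last function is the one that matters for access decisions: an entry named cn=a\,ou=People,dc=gkar,dc=nku,dc=edu sits directly under the suffix, not under ou=People, even though its string form ends with ou=People,dc=gkar,dc=nku,dc=edu.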
ldapsearch Options
- -LLL removes comments and LDAP version info from the output.
- -b base supplies the base DN (the BASE from ldap.conf is used if no -b is given).
- -x uses simple authentication instead of SASL. With no -D the bind is anonymous; -D binddn -W binds as that user and prompts for the password (-w passes it on the command line, where it ends up in shell history and ps output).
- -H ldap://your.server.edu accesses that server.
  - If -H is not specified, the URI from ldap.conf is used to find the server.
  - A simple bind over a plain ldap:// URI sends the password in cleartext; use ldaps:// or add -ZZ, which requires StartTLS to succeed before the bind.
- Search for all entries:
  ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"
ldapsearch -LLL -x "(DN)"
> ldapsearch -LLL -x "(uid=fooj)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
ldapsearch -LLL -x "(DN)"
> ldapsearch -LLL -x "(uidNumber=10101)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101
Multiple Record Matches
> ldapsearch -LLL -x "(loginShell=/bin/bash)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/b/fooj
loginShell: /bin/bash
...
Size limit exceeded (4)
Wildcard Matches
> ldapsearch -LLL -x "(uid=smith*)"
dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
uid: smitha
uidNumber: 10221
cn: smitha
homeDirectory: /home/f/smitha
loginShell: /bin/bash
...
dn: uid=smithj,ou=People,dc=gkar,dc=nku,dc=edu
uid: smithj
uidNumber: 12302
cn: smithj
homeDirectory: /home/g/smithj
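To make the search semantics of the last four slides concrete, here is an added example (not code from the slides or from OpenLDAP) that parses RFC 4515 filters of the kinds shown (equality, presence, substring with `*`, and the `&`, `|`, `!` combinations), evaluates them over an in-memory copy of the entries, and enforces a size limit that produces the same result code 4 ldapsearch printed. The three accounts are the slides' values; the svc-backup account and the size limit are constructed for the example. It also shows why a value taken from user input must be escaped before it is put into a filter.

```python
import re

# Constructed directory contents for this example: the three accounts from
# the slides plus one service account, svc-backup, invented here.
ENTRIES = [
    {"dn": "uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu",
     "objectclass": ["top", "account", "posixAccount", "shadowAccount"],
     "uid": ["fooj"], "uidnumber": ["10101"], "gidnumber": ["10101"],
     "cn": ["fooj"], "homedirectory": ["/home/c/fooj"], "loginshell": ["/bin/bash"]},
    {"dn": "uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu",
     "objectclass": ["top", "account", "posixAccount", "shadowAccount"],
     "uid": ["smitha"], "uidnumber": ["10221"], "gidnumber": ["10221"],
     "cn": ["smitha"], "homedirectory": ["/home/f/smitha"], "loginshell": ["/bin/bash"]},
    {"dn": "uid=smithj,ou=People,dc=gkar,dc=nku,dc=edu",
     "objectclass": ["top", "account", "posixAccount", "shadowAccount"],
     "uid": ["smithj"], "uidnumber": ["12302"], "gidnumber": ["12302"],
     "cn": ["smithj"], "homedirectory": ["/home/g/smithj"], "loginshell": ["/bin/bash"]},
    {"dn": "uid=svc-backup,ou=People,dc=gkar,dc=nku,dc=edu",
     "objectclass": ["top", "account", "posixAccount"],
     "uid": ["svc-backup"], "uidnumber": ["20001"], "gidnumber": ["20001"],
     "cn": ["svc-backup"], "homedirectory": ["/var/backups"], "loginshell": ["/sbin/nologin"]},
]

SIZE_LIMIT_EXCEEDED = 4          # LDAP result code ldapsearch reports as "(4)"


def escape_filter_value(value):
    """RFC 4515 3: escape a value going into a filter so that '*', '(', ')',
    '\\' and NUL from user input cannot change the filter's meaning."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def _unescape(piece):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|', [kids]), ('!', [kid]) or
    ('=', attr, value). Equality, presence and substring items only;
    ~=, >= and <= are rejected."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):
        i, kids = i + 1, []
        while s[i:i + 1] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids:
            raise ValueError("bad compound filter in %r" % s)
        return i + 1, (op, kids)
    if op == "!":
        i, kid = _parse(s, i + 1)
        if s[i:i + 1] != ")":
            raise ValueError("bad negation in %r" % s)
        return i + 1, ("!", [kid])
    end = s.find(")", i)                 # a literal ')' in a value must be \29
    if end < 0:
        raise ValueError("unterminated filter item in %r" % s)
    attr, eq, value = s[i:end].partition("=")
    if not eq or not attr or attr[-1] in "~<>":
        raise ValueError("unsupported or malformed item: %r" % s[i:end])
    return end + 1, ("=", attr.strip().lower(), value)


def _match_item(entry, attr, value):
    values = entry.get(attr, [])
    if value == "*":                                   # presence: (objectclass=*)
        return bool(values)
    pieces = [re.escape(_unescape(p)) for p in value.split("*")]
    pattern = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
    return any(pattern.match(v) for v in values)      # plain equality when no '*'


def matches(entry, node):
    op = node[0]
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    return _match_item(entry, node[1], node[2])


def search(entries, filter_text, sizelimit=0):
    """Return (matching entries, result code). With a sizelimit, stop at that
    many hits and report code 4, the slides' 'Size limit exceeded (4)'."""
    node = parse_filter(filter_text)
    hits = []
    for e in entries:
        if matches(e, node):
            if sizelimit and len(hits) >= sizelimit:
                return hits, SIZE_LIMIT_EXCEEDED
            hits.append(e)
    return hits, 0
```

The escaping point is the security one: building "(uid=%s)" from a login form and letting the user supply `*` turns a lookup of one account into a dump of all of them, while `escape_filter_value` turns the same input into a search for the literal character.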
LDAP Client/Server Interaction
1. Client requests to bind to the server.
2. Server accepts or denies the bind request.
3. Client sends a search request.
4. Server returns zero or more directory entries.
5. Server sends a result code with any errors.
6. Client sends an unbind request.
7. Server closes the socket (an unbind has no response).
LDAP Operations
- Client session operations: bind, unbind, and abandon
- Query and retrieval operations: search and compare
- Modification operations: add, modify, modifyRDN, and delete
Authentication
- Anonymous authentication: binds with an empty DN and an empty password.
- Simple authentication: binds with a DN and password, sent in cleartext.
- Simple authentication over SSL/TLS: uses ldaps:// or StartTLS to encrypt the connection before the simple bind, so the password is protected on the wire (with ldapsearch, -ZZ refuses to proceed unless StartTLS succeeds).
- Simple Authentication and Security Layer (SASL): an extensible authentication framework. SASL mechanisms include GSSAPI (Kerberos) and S/Key.
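An added example (not from the slides) of what "cleartext" means for a simple bind: it encodes the BindRequest exactly as RFC 4511 defines it in BER, so the bytes can be compared against a packet capture, and then decodes a captured message the way a passive observer on an ldap:// connection would, recovering the DN and password. It also encodes the StartTLS ExtendedRequest a client sends before the bind when -Z/-ZZ is used, which is what keeps the same bind out of the capture. The DN and password are constructed for the example.

```python
# Added example: a simple BindRequest on the wire, and its recovery from a capture.

def _ber_length(n):
    """BER definite length: one byte below 128, else 0x80|count then big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    """Tag-length-value with a one-byte tag (every LDAP tag used here fits)."""
    return bytes([tag]) + _ber_length(len(content)) + content


def ber_int(n):
    length = max(1, (n.bit_length() + 8) // 8)      # room for the sign bit
    return ber(0x02, n.to_bytes(length, "big", signed=True))


# Tags from RFC 4511: LDAPMessage and BindRequest bodies are SEQUENCEs, the
# bind operation is [APPLICATION 0] (0x60), simple credentials are [0] (0x80),
# ExtendedRequest is [APPLICATION 23] (0x77) with requestName [0].
SEQUENCE, OCTET_STRING = 0x30, 0x04
BIND_REQUEST, SIMPLE_AUTH = 0x60, 0x80
EXTENDED_REQUEST, REQUEST_NAME = 0x77, 0x80
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def bind_request(message_id, dn, password):
    """Encode LDAPMessage { messageID, bindRequest { version 3, name, simple } }.
    An empty dn and password is an anonymous bind."""
    op = (ber_int(3) + ber(OCTET_STRING, dn.encode("utf-8"))
          + ber(SIMPLE_AUTH, password.encode("utf-8")))
    return ber(SEQUENCE, ber_int(message_id) + ber(BIND_REQUEST, op))


def starttls_request(message_id):
    """The ExtendedRequest a client sends first when using StartTLS
    (ldapsearch -Z/-ZZ); the bind then travels inside the TLS session."""
    op = ber(REQUEST_NAME, STARTTLS_OID)
    return ber(SEQUENCE, ber_int(message_id) + ber(EXTENDED_REQUEST, op))


def _read_tlv(buf, i):
    """Return (tag, content, index after the element) for the TLV at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def extract_simple_bind(packet):
    """What a sniffer on ldap:// sees: (dn, password) from a captured simple
    BindRequest, or None if the message is another operation or uses SASL."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        return None
    _, _, i = _read_tlv(msg, 0)                  # messageID, not needed here
    tag, op, _ = _read_tlv(msg, i)
    if tag != BIND_REQUEST:
        return None
    _, _, i = _read_tlv(op, 0)                   # version
    _, name, i = _read_tlv(op, i)
    auth_tag, cred, _ = _read_tlv(op, i)
    if auth_tag != SIMPLE_AUTH:
        return None
    return name.decode("utf-8"), cred.decode("utf-8")


if __name__ == "__main__":
    pkt = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(pkt.hex())
    print(extract_simple_bind(pkt))
```

The 46-byte message starts 30 2c 02 01 01 60 27 and ends with the password bytes verbatim; no hashing or challenge is involved, which is why a simple bind is only acceptable inside TLS.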
Distributed Directories
- Use multiple LDAP servers.
  - Provider: the master server whose content is replicated to the
  - Consumers: replicas that provide LDAP access to clients.
- Why distribute?
  - Throughput: more servers reduce the load on any single server.
  - Latency: a local server serves local data to the LAN; the WAN is used only for non-local data held on other servers.
  - Administrative boundaries: each site administers its own part of the directory.
OpenLDAP
- Open source LDAPv3 server.
- LDAP server: slapd
- Client commands: ldapadd, ldapsearch (speak LDAP to a running server)
- Backend storage: BerkeleyDB (the bdb/hdb backends of that era; current releases use the mdb backend built on LMDB)
- Backend commands: slapadd, slapcat (operate on the database files directly; slapadd must not be run while slapd is running)
- Schemas: /etc/openldap/schema
- Data: /var/lib/ldap
- Configuration files
  - Client: /etc/openldap/ldap.conf
  - Server: /etc/openldap/slapd.conf (or the cn=config database under /etc/openldap/slapd.d)
Building an OpenLDAP Server
1. Install OpenLDAP.
2. Configure LDAP for your domain: edit slapd.conf, or use the runtime configuration database (cn=config, stored under slapd.d).
3. Start the server.
   - Immediately: service ldap start
   - Permanently (at boot): chkconfig --level 35 ldap on
4. Add data with ldapadd.
5. Verify functionality with ldapsearch.
slapd.conf (Server)
- File locations (usually accept the defaults)
  - Schema files
  - Configuration files
  - Database directory
- Database
  - suffix = DN of the topmost node in the directory
  - rootdn = DN of the LDAP administrative user
  - rootpw = password of the LDAP administrator. Store it as a hash generated with slappasswd (for example a {SSHA} value) rather than in cleartext, and keep slapd.conf readable only by root and the ldap user: the rootdn bypasses all access controls, so this one line is the keys to the directory.
- Access control
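An added example (not from the slides or from OpenLDAP's own code) of the rootpw point and the access-control section: it implements the {SSHA} hash format slappasswd produces (base64 of SHA-1 over password plus a 4-byte salt, followed by the salt), a verifier for it, and a generator that refuses to emit a slapd.conf database section unless rootpw is a hash. The suffix, rootdn and password are constructed; the access rules are standard slapd.access(5) syntax and the backend is mdb, so substitute bdb or hdb on the older releases the slides describe.

```python
import base64
import hashlib
import hmac
import os

# Added example: slappasswd's {SSHA} format, a verifier, and a slapd.conf
# fragment that stores only the hash. All names and values are constructed.


def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt), with a 4-byte random
    salt by default, the same layout `slappasswd -h {SSHA}` emits."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a {SSHA} value; the salt is whatever follows
    the 20-byte digest. Constant-time compare so timing leaks nothing."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


WEAK_ROOTPW_LINE = "rootpw secret"       # the setting to avoid: cleartext on disk


def slapd_conf(suffix, rootdn, rootpw_hash):
    """Render a slapd.conf database section that stores the rootpw as a hash
    and limits who can read userPassword. Refuses a cleartext rootpw."""
    if not rootpw_hash.startswith("{"):
        raise ValueError("rootpw must be a {SCHEME} hash, not cleartext")
    return "\n".join([
        "database  mdb",
        "suffix    \"%s\"" % suffix,
        "rootdn    \"%s\"" % rootdn,
        "rootpw    %s" % rootpw_hash,
        "directory /var/lib/ldap",
        "",
        "# userPassword: users may change their own, anonymous clients may only",
        "# bind against it (auth), nobody may read it back.",
        "access to attrs=userPassword",
        "    by self write",
        "    by anonymous auth",
        "    by * none",
        "# everything else: owners may edit, authenticated users may read.",
        "access to *",
        "    by self write",
        "    by users read",
        "    by * none",
        "",
    ])


if __name__ == "__main__":
    print(slapd_conf("dc=example,dc=com", "cn=Manager,dc=example,dc=com",
                     ssha_hash("change-me")))
```

{SSHA} is a fast, salted hash, which is enough to stop a dumped slapd.conf or LDIF from revealing the password outright but not to resist offline guessing of weak passwords; where your OpenLDAP version provides the pw-pbkdf2 or pw-argon2 modules, prefer those schemes for userPassword values too.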
ldap.conf (Client)
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com      (must match the suffix in slapd.conf)
#URI  ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF     never