
LDAP as a replacement for NIS
Wolfgang Friebel, DESY Zeuthen, April 23, 2001





Slide 2: Contents
- Motivation
- The LDAP server
- The LDAP client
- Maintaining the system
- Performance tuning
- Experiences

Slide 3: Why LDAP as a NIS replacement?
- Central maintenance of UNIX accounts and groups, hosts, ... in addition to or as a replacement of maintenance local to a machine made NIS a successful concept
- Netgroups can be used to structure accounts, hosts etc.
  - Example: netgroup linux contains Linux hosts, l3 contains L3 users
- NIS is one of the more frequent causes of instability under Linux
  - fallback to other NIS masters sometimes fails when ypserv crashes
  - varying temporary problems (timeouts etc.) in daily use
- Modification of NIS contents only locally on the master
  - LDAP allows modification from remote sites after authentication
- LDAP is better suited for integration with other services than NIS
- Hope for a more scalable and less resource intensive service

Slide 4: LDAP Server Installation
- Any server should work, but we tested only OpenLDAP
- We installed OpenLDAP 2.0.7
  - LDAP version 3 protocol
  - Backend database Berkeley DB (Sleepycat version 3 recommended)
  - For NIS functionality authorization is required for content updates only
    - all queries are done unauthenticated
  - Compiled on a Linux SuSE 6.3 system
    - successful tests also with OpenLDAP 1.x on Solaris 2.6
    - precompiled RPMs should be o.k. as well
- Make sure you use recent versions of OpenLDAP and Berkeley DB

Slide 5: LDAP Server Configuration (OpenLDAP)
Specify the proper backend, define the subtree and the directory for that tree:

    database  ldbm
    suffix    "dc=IFH, dc=DE"
    directory /var/openldap/db/nis

Define the columns to be indexed (very important for performance):

    index cn,sn,uid,givenname           pres,eq,sub
    index objectclass                   pres,eq
    index uidNumber,gidNumber,memberUid eq
    index oncRpcNumber,ipServicePort    eq
    index ipNetworkNumber,ipHostNumber  eq

- Too few indexes reduce search performance
- Too many indexes reduce write performance
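To check that the attributes NIS-style lookups filter on really carry an equality index, here is an added example (not code from the talk) that parses the index directives of a slapd.conf; the list NIS_EQ_ATTRS is my assumption about which attributes nss_ldap matches with equality filters.

```python
"""Check an OpenLDAP slapd.conf for the equality indexes that NIS-style
lookups (getpwnam, getpwuid, getgrgid, initgroups, ...) hit on every call.
Added example, not from the talk; NIS_EQ_ATTRS is an assumption about
which attributes nss_ldap filters on."""
import re

# Attributes that nss_ldap matches with equality filters (assumption).
NIS_EQ_ATTRS = ("objectClass", "uid", "uidNumber", "gidNumber", "memberUid",
                "cn", "ipHostNumber", "ipServicePort")

def parse_indexes(slapd_conf):
    """Return {attribute: set(index types)} from the 'index' directives.
    LDAP attribute names are case-insensitive, so keys are lower-cased."""
    indexes = {}
    for line in slapd_conf.splitlines():
        m = re.match(r"\s*index\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        attrs, types = m.group(1), set(m.group(2).lower().split(","))
        for attr in attrs.split(","):
            indexes.setdefault(attr.strip().lower(), set()).update(types)
    return indexes

def missing_eq_indexes(slapd_conf):
    """List the NIS lookup attributes that have no 'eq' index configured;
    each one turns the corresponding lookup into a scan of the whole tree."""
    indexes = parse_indexes(slapd_conf)
    return [a for a in NIS_EQ_ATTRS if "eq" not in indexes.get(a.lower(), set())]

# Constructed sample: the index directives shown on the slide.
CONF_OK = """
database  ldbm
suffix    "dc=IFH, dc=DE"
directory /var/openldap/db/nis
index cn,sn,uid,givenname pres,eq,sub
index objectclass pres,eq
index uidNumber,gidNumber,memberUid eq
index oncRpcNumber,ipServicePort eq
index ipNetworkNumber,ipHostNumber eq
"""

# Constructed sample with the numeric-id indexes forgotten.
CONF_WEAK = """
database  ldbm
index cn,uid pres,eq,sub
index objectclass pres,eq
"""
```

Running missing_eq_indexes on CONF_WEAK reports uidNumber, gidNumber, memberUid and the two ip* attributes, which is exactly the situation slide 14 warns about when indexes were requested but never built.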

Slide 6: Population of the LDAP Server with data
- Loading of the data relevant for NIS is usually done with the MigrationTools from http://www.padl.com (current version is 37 or above)
  - collection of shell and perl scripts for populating a running server or for creating ldif files that can be loaded later using ldapadd
  - only supports the initial loading of the LDAP server; no tools are provided for modifying the LDAP server contents afterwards (can be done with the command-line tool ldapmodify or graphical LDAP frontends)
- Loading of data with the tool ldapsync developed at DESY Zeuthen (ftp://ftp.ifh.de/pub/unix/networking/ldapsync) is more flexible
  - does almost precisely what MigrationTools-37 would do (single script)
  - produces ldif data (running unauthenticated) or otherwise updates the server
  - can be applied several times, resyncs LDAP and NIS information
  - allows for a longer migration period from NIS to LDAP
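The core of what MigrationTools and ldapsync do is turning passwd and group records into LDIF; the following is an added example of that conversion (not the talk's or PADL's code), assuming the ou=People / ou=Group layout visible in the dn on slide 8 and using constructed sample accounts.

```python
"""Turn /etc/passwd and /etc/group lines into LDIF posixAccount / posixGroup
entries the way MigrationTools and ldapsync populate the server. Added example,
not the talk's code; the ou=People / ou=Group layout follows the dn on slide 8.
The sample accounts and the fake crypt hash are constructed."""

def passwd_to_ldif(passwd_text, base="dc=ifh,dc=de"):
    """Return LDIF with one posixAccount entry per /etc/passwd line."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entry = [f"dn: uid={name},ou=People,{base}",
                 "objectClass: top", "objectClass: account",
                 "objectClass: posixAccount",
                 f"uid: {name}", f"cn: {gecos.split(',')[0] or name}",
                 f"uidNumber: {uid}", f"gidNumber: {gid}",
                 f"homeDirectory: {home}", f"loginShell: {shell}",
                 f"gecos: {gecos}"]
        # 'x' or '*' means the hash lives in /etc/shadow (or login is
        # disabled); only a real crypt hash is copied into userPassword.
        # Because the talk's server answers anonymous queries, userPassword
        # must be protected by an ACL, never readable by "* read".
        if pw not in ("", "x", "*"):
            entry.append(f"userPassword: {{crypt}}{pw}")
        entries.append("\n".join(entry))
    return "\n\n".join(entries) + "\n"

def group_to_ldif(group_text, base="dc=ifh,dc=de"):
    """Return LDIF with one posixGroup entry per /etc/group line;
    the member list becomes one memberUid attribute per user."""
    entries = []
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        entry = [f"dn: cn={name},ou=Group,{base}", "objectClass: top",
                 "objectClass: posixGroup", f"cn: {name}", f"gidNumber: {gid}"]
        entry += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(entry))
    return "\n\n".join(entries) + "\n"

# Constructed sample input, not real DESY accounts.
PASSWD = ("alice:x:1001:100:Alice Example,,,:/afs/ifh.de/user/a/alice:/bin/bash\n"
          "bob:ab.FAKEHASH01:1002:100::/home/bob:/bin/sh\n")
GROUP = "l3:*:2001:alice,bob\nnobody:*:65534:\n"
```

The output of passwd_to_ldif(PASSWD) and group_to_ldif(GROUP) can be fed to ldapadd as described above; entries for users whose hash is in /etc/shadow get no userPassword attribute at all.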

Slide 7: ldapsync
- Still in test phase
  - works at DESY, but untested at other sites
  - configuration info is partly still contained in the script, i.e. adapting the script to other sites might require a change of the source code
  - the update process scales only to a few thousand items contained in LDAP due to principal limitations of LDAP (no directory browsing!). Could be changed, but then ldapsync has to run locally on the LDAP server host
  - still room for optimization

Slide 8: Verifying the LDAP server installation
- Do queries that are relevant for the NIS functionality:

    $ ldapsearch -h ldap.ifh.de -x -b "dc=ifh,dc=de" -s base
    dn: dc=ifh,dc=de
    objectClass: domain
    objectClass: top
    objectClass: domainRelatedObject
    dc: ifh
    associatedDomain: ifh.de

    $ ldapsearch -h ldap.ifh.de -x -b "dc=ifh,dc=de" "uid=friebel"
    dn: uid=friebel,ou=People,dc=ifh,dc=de
    uid: friebel
    cn: Wolfgang Friebel
    uidNumber: ...

Slide 9: LDAP Client installation
- The LDAP client requires the nsswitch mechanism
  - contained at least in Linux and Solaris
  - nsswitch.conf determines the method to fetch data (nis, ldap, files)
  - libnss_xxx.so provides the functionality for method xxx
  - vendors usually provide libnss_ldap.so
- Source code to build a libnss_ldap.so library is available from http://www.padl.com (current version 150 or higher)
  - works at least for Linux and Solaris
  - we installed libnss_ldap.so from source (version 149)
  - recommended, as it might fix bugs that come with the vendor version
- DESY Hamburg experiments with vendor-supplied mechanisms on Solaris 2.8 and IRIX 6.5 (does work, little experience up to now)

Slide 10: LDAP Client configuration
- The client requires the proper /etc/nsswitch.conf
  - we installed nsswitch.ldap and moved nsswitch.conf to nsswitch.nis
  - then we have a symlink nsswitch.conf to switch between NIS and LDAP
- Our nsswitch.ldap contains (some entries left out):

    passwd:   compat ldap
    group:    files ldap
    hosts:    files dns ldap
    services: files ldap
    netgroup: files nis

- The library libnss_ldap needs additional info in /etc/ldap.conf
  - OpenLDAP clients expect the file in /etc/openldap, therefore symlink it
  - ldap.conf contains info on the ldap servers, ldap version etc.
  - specifying more than one server makes the mechanism (more) failsafe

Slide 11: Our /etc/ldap.conf

    # ldap.ifh.de ldap2.ifh.de
    host 141.34.1.149 141.34.27.20
    # The distinguished name of the search base.
    base dc=ifh,dc=de
    # The LDAP version to use (defaults to 2)
    ldap_version 3
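As an added example (not part of the talk), the following checks a client's nsswitch.conf and ldap.conf against the pitfalls the talk itself reports: "files ldap" instead of "compat ldap" for passwd (slide 15), netgroups that nss_ldap cannot serve yet, a single server without failover, and the LDAP version left at its default of 2. The rule set is my assumption drawn from those slides.

```python
"""Sanity-check the nss_ldap client files from slides 10 and 11 against the
pitfalls the talk reports on slide 15. Added example, not the talk's own
code; the rule set below is an assumption drawn from those slides."""

def parse_nsswitch(text):
    """Return {database: [sources]} from an nsswitch.conf body."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, sources = line.split(":", 1)
            db[key.strip()] = sources.split()
    return db

def parse_ldap_conf(text):
    """Return {keyword: value} for the 'keyword value' lines of ldap.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.replace("\t", " ").partition(" ")
            conf[key] = value.strip()
    return conf

def check_client_config(nsswitch_text, ldap_conf_text):
    """Return a list of findings; an empty list matches the talk's setup."""
    nss, conf = parse_nsswitch(nsswitch_text), parse_ldap_conf(ldap_conf_text)
    findings = []
    if nss.get("passwd", [])[:2] != ["compat", "ldap"]:
        findings.append("passwd: use 'compat ldap'; 'files ldap' caused problems")
    if "ldap" in nss.get("netgroup", []):
        findings.append("netgroup: nss_ldap has no netgroup support, keep 'files nis'")
    for db in ("group", "hosts", "services"):
        if "ldap" not in nss.get(db, []):
            findings.append(f"{db}: ldap not listed, lookups bypass the directory")
    if len(conf.get("host", "").split()) < 2:
        findings.append("ldap.conf: one host only, no failover to a second server")
    if conf.get("ldap_version") != "3":
        findings.append("ldap.conf: ldap_version defaults to 2, set 3 for OpenLDAP 2.x")
    if not conf.get("base"):
        findings.append("ldap.conf: search base missing")
    return findings

# Constructed samples: the talk's files, then a client left at the defaults.
NSS_GOOD = ("passwd: compat ldap\ngroup: files ldap\nhosts: files dns ldap\n"
            "services: files ldap\nnetgroup: files nis\n")
LDAP_GOOD = ("# ldap.ifh.de ldap2.ifh.de\nhost 141.34.1.149 141.34.27.20\n"
             "base dc=ifh,dc=de\nldap_version 3\n")
NSS_BAD = "passwd: files ldap\ngroup: files ldap\nhosts: files dns\nnetgroup: ldap\n"
LDAP_BAD = "host 141.34.1.149\nbase dc=ifh,dc=de\n"
```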

Slide 12: Testing the LDAP client
- Activate the proper nsswitch.conf
- For testing purposes shut down the name service cache daemon nscd
- Issue commands that do name resolution
  - ls -l
  - id
  - if protocols and services are resolved by LDAP do further tests (ping, ...)
  - the output should contain names, not numbers, for user, group etc.
  - you can modify nsswitch.conf temporarily to force LDAP name resolution
- Watch the activity on the LDAP server if possible

Slide 13: Maintaining the system
- More than one LDAP server should be available
- Do replication of the directory tree
  - setting up slurpd, which propagates changes from the master server to the replica server
    - advantages: consistency of data, use of standard methods
    - disadvantage: still a single point of failure - no updates if the master is down
  - using multiple master servers and keeping them in sync
    - advantages: updates of data can be done as long as at least one server is up
    - disadvantages: additional mechanisms required to enforce data consistency
- Maintenance software has to be integrated with LDAP
  - enhance your tools to also update the LDAP tree (ldapadd, ldapmodify, ...) or
  - use ldapsync to maintain NIS as before and synchronize with LDAP

Slide 14: Performance tuning
- Choice of platform and software influences performance
  - after initial tests with Solaris and LDAP v2 we switched to Linux and v3
  - easy access to fast PCs with large memory at DESY
  - impression from reading the mailing list: Linux is less problematic
- Watch your server for resource usage
  - the server forks additional processes for listening
  - the server becomes slow when doing a lot of syslogging (especially on Linux), therefore we started slapd with -s 0
- Ensure that the proper indexes are requested and have really been built
  - see also man slapindex
- Make sure the name service caching daemon nscd is running

Slide 15: Experiences
- Migration can be done without rebooting
  - ldconfig might be required, however
  - if done with a running nscd then LDAP lookups will not occur instantly
- The user does not notice the change from NIS to LDAP
  - initially we had some problems due to missing entries in services and due to using "files ldap" instead of "compat ldap" in passwd resolution
- As stated in the NEWS of the nss_ldap library, netgroup name resolution is still missing, but "This is a lot easier now..." (to write)
  - until this is done either rely on NIS for netgroups or use /etc/netgroups
- Some programs need recompilation (if linked against LDAP 1.xx)
  - httpd (SuSE 6.3), maybe pine

Slide 16: Integration with Windows
- Active Directory could in principle be used to host the name service information; then a separate LDAP server would not be needed
- To store the relevant data the schema definitions need to be known to Active Directory
  - the procedure for adding a new schema is fairly complicated
  - attributes and classes with the same name may have different definitions
  - attributes and classes with different names may mean the same
  - we have not managed to do this first step up to now
- Given the above complications, integrating LDAP for NIS with Active Directory seems not to be of advantage

Slide 17: Statistics
- The primary LDAP server is a 233 MHz Intel PIII machine running SuSE 6.3 and kernel 2.2.18; a second server is also running
- 85 Linux clients with LDAP presently use our primary server
- load can be neglected (typically around 0.01)
- total CPU time accumulated by slapd processes is about 2 minutes/day (40 minutes during 20 days)
- on average about 250-300 established LDAP connections are served from up to 36 server processes simultaneously
- No difference in application speed as compared to NIS seen:

    ls -ld /afs/ifh.de/user/*/*

  took about 1.5 s (around 1200 name lookups, both for NIS and LDAP with running nscd)
- Very preliminary tests with an Ultra1 Solaris machine in Hamburg were less promising

Slide 18: Outlook
- We will continue to migrate from NIS to LDAP
  - 30 new clients added last week without any complications
  - we could switch all Linux machines instantly (except the web server), but we will first look for long-term effects (months) before a full migration
- Further services can make use of this LDAP branch; we will investigate whether this has advantages for us
  - mail aliases for the mail server
  - automounter maps
- Some day we will need to integrate the maintenance of the NIS data in LDAP into a central tool (that does not exist yet)




