199 Introducing Network Information Services.. Over the past 12 years, he has worked on the e-mail and LDAP capabilities of Palm VII, helped architect many large-scale ISPs servicing mil
Trang 1Deploying OpenLDAP
TOM JACKIEWICZ
Trang 2Deploying OpenLDAP
Copyright (c)2005 by Tom Jackiewicz
All rights reserved No part of this work may be reproduced or transmitted in any form or by any means,electronic or mechanical, including photocopying, recording, or by any information storage or retrievalsystem, without the prior written permission of the copyright owner and the publisher
ISBN (pbk): 1-59059-413-4
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book Rather than use a trademark symbol with every occurrence
of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademarkowner, with no intention of infringement of the trademark
Lead Editor: Jim Sumser
Technical Reviewers: Massimo Nardone, Oris Orlando
Editorial Board: Steve Anglin, Dan Appleman, Ewan Buckingham, Gary Cornell, Tony Davis, John Franklin,Jason Gilmore, Chris Mills, Dominic Shakeshaft, Jim Sumser
Project Manager: Laura E Brown
Copy Edit Manager: Nicole LeClerc
Copy Editor: Kim Wimpsett
Production Manager: Kari Brooks-Copony
Production Editor: Laura Cheu
Compositor: Linda Weidemann
Proofreader: Nancy Sixsmith
Indexer: John Collin
Artist: Kinetic Publishing Services, LLC
Cover Designer: Kurt Krames
Manufacturing Manager: Tom Debolski
Distributed to the book trade in the United States by Springer-Verlag New York, LLC, 233 Spring Street,6th Floor, New York, New York 10013 and outside the United States by Springer-Verlag GmbH & Co KG,Tiergartenstr 17, 69112 Heidelberg, Germany
In the United States: phone 1-800-SPRINGER, fax 201-348-4505, e-mail orders@springer-ny.com, or visithttp://www.springer-ny.com Outside the United States: fax +49 6221 345229, e-mail orders@springer.de,
or visit http://www.springer.de
For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley,
CA 94710 Phone 510-549-5930, fax 510-549-5939, e-mail info@apress.com, or visit http://www.apress.com.The information in this book is distributed on an “as is” basis, without warranty Although every precau-tion has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liabil-ity to any person or entity with respect to any loss or damage caused or alleged to be caused directly orindirectly by the information contained in this work
Trang 3Contents at a Glance
About the Author xiii
About the Technical Reviewers xv
Acknowledgments xvii
Preface xix
Introduction xxi
CHAPTER 1 Assessing Your Environment 1
CHAPTER 2 Understanding Data Definitions 23
CHAPTER 3 Implementing Deployment, Operations, and Administration Strategies 47
CHAPTER 4 Installing OpenLDAP 65
CHAPTER 5 Implementing OpenLDAP 93
CHAPTER 6 Scripting and Programming LDAP 123
CHAPTER 7 Integrating at the System Level 199
CHAPTER 8 Integrating OpenLDAP with Applications, User Systems, and Client Tools 263
INDEX 289
v
Trang 4About the Author xiii
About the Technical Reviewers xv
Acknowledgments xvii
Preface xix
Introduction xxi
■ CHAPTER 1 Assessing Your Environment 1
Gathering Information 1
Name 3
E-mail 4
Phone 4
PKI Information 5
Badge 6
Customer Data 7
Creating an Ongoing Process 8
Changing Application Sources 8
Understanding Meta-Directories 12
Avoiding Mistakes 15
LDAP As Oracle 15
LDAP As a Sync Source 18
Shortsighted Deployment 20
Summary 22
■ CHAPTER 2 Understanding Data Definitions 23
Defining Your Schema 23
Understanding Schemas 26
ASN Schema Format 26
Object Identifiers (OIDs) 27
Attributes 29
Object Classes 34
Other Data Definition Information 35
vii
Trang 5Understanding Distinguished Names (DNs) 38
Schema Checking 38
Referential Integrity 39
Structuring the Directory Information Tree (DIT) 39
Regional Deployment of Information 40
Functional Deployment of Information 40
Organization by Business Function or Group 40
Introducing the LDAP Data Interchange Format (LDIF) 41
LDAP Operations 41
Chaining Operations 43
Indexing Data 44
Summary 45
■ CHAPTER 3 Implementing Deployment, Operations, and Administration Strategies 47
Separating Your Environments 47
Setting Up Classes of Hosts 50
Using Naming Conventions 52
Using the Creative Convention 52
Using the Logical Convention 55
Reaching a Compromise 57
Following Standard Procedures 57
Using the Standard Host Specifications 57
Using the Standard Host Installation 58
Using the Standard Application Installation 60
Running the Application 60
Starting the Application 60
Stopping the Application 61
Using Command-Line Options 61
Implementing Logs 62
Summary 63
■ CHAPTER 4 Installing OpenLDAP 65
Choosing a Distribution 65
Setting Up Your System 66
Choosing a Special User 66
Obtaining the Distribution 66
Performing the Base Installation 68
Compiling OpenLDAP 71
■C O N T E N T S
viii
Trang 6Creating a Local Database 71
Creating an Offline Database 73
Using LDAP Search Filters 75
Using OpenLDAP Utilities 78
ldapmodify (1) and ldapadd (1) 79
ldapsearch (1) 81
ldapdelete (1) 84
ldapmodrdn (1) 87
slapcat (8C) 89
slapadd (8C) 90
slapindex (8C) 91
Summary 91
■ CHAPTER 5 Implementing OpenLDAP 93
How Much RAM Do You Need? 93
How Much Disk Space Do You Need? 94
Considering Security in Your Implementation 96
Authentication 96
SASL 97
X.509 Certificates 103
Transport Layer Security 103
Access Control 104
Kerberos 104
Understanding Replication 105
changelog/Replication Log 106
slurpd 108
updateref 109
Importing Databases 109
slapcat 110
Testing 111
Understanding Referrals 112
DNS Resource Records for Service Location 112
Localized Scope 113
Understanding the Installation Structure 114
ldap.conf 114
slapd.conf 116
slapd.at.conf 121
slapd.oc.conf 121
Summary 122
■C O N T E N T S ix
Trang 7■ CHAPTER 6 Scripting and Programming LDAP 123
Utilizing Command-Line Tools 123
LDAP Controls 128
LDAP API 133
Obtaining the LDAP Perl API 138
Using the LDAP Perl API 139
Mozilla::LDAP::API 145
Performing Operations Against Your OpenLDAP Directory 174
Using Java and JNDI 175
OASIS Standards 189
Directory Services Markup Language (DSML) 189
Directory Schema 194
Conformance 197
Summary 198
■ CHAPTER 7 Integrating at the System Level 199
Introducing Network Information Services 199
Introducing Standard NIS Configurations 200
Performing Synchronization with LDAP 202
Performing Direct Integration 203
Configuring the LDAP Client (Host) 238
Using the ldapclient Utility 244
Configuring NSS 249
Configuring PAM 250
Setting Up Security 251
Using Sendmail 252
Enabling the Software 253
Building the Binaries 255
Migrating Information 255
Setting Up LDAP Routing 259
Summary 261
■ CHAPTER 8 Integrating OpenLDAP with Applications, User Systems, and Client Tools 263
Preparing for Integration 263
Integrating Apache 264
Integrating Pine 268
Integrating Samba 274
■C O N T E N T S
x
Trang 8Integrating Eudora 282
Integrating Exchange 283
Integrating LDAP Browsers 286
Integrating Appliances 286
Summary 287
■ INDEX 289
■C O N T E N T S xi
Trang 9About the Author
■TOM JACKIEWICZis currently responsible for global LDAP and e-mail architecture at a Fortune
100 company Over the past 12 years, he has worked on the e-mail and LDAP capabilities of
Palm VII, helped architect many large-scale ISPs servicing millions of active e-mail users, and
audited security for a number of Fortune 500 companies
Tom has held management, engineering, and consulting positions at Applied Materials,Motorola, TAOS, and WinStar GoodNet Jackiewicz has also published articles on network
security and monitoring, IT infrastructure, Solaris, Linux, DNS, LDAP, and LDAP security He
lives in San Francisco’s Mission neighborhood, where he relies on public transportation plus
a bicycle to transport himself to the office—fashionably late
xiii
Trang 10About the
Technical Reviewers
Born under Vesuvius in southern Italy, MASSIMO NARDONE moved to
Fin-land more than eight years ago, where he now works and lives He holds
a master’s of science degree in computing science from the University ofSalerno, Italy, and has more than nine years of work experience in projectmanagement and the mobile, security, and Web technology areas for bothnational and international projects Massimo has worked as a technicalaccount manager, project manager, software engineer, research engineer, chief security
architect, and software specialist for many different software houses and international
tele-communication companies Massimo is also a visiting lecturer and supervisor at the
Network-ing Laboratory of the Helsinki University of Technology (TKK) for the course “Security of
Communication Protocols.” As a software engineer, he mainly develops Internet and mobile
applications involving different technologies, such as Java/J2EE/WebLogic, ASP/COM+, WAP,
SMS, PKI, and WPKI As a research engineer, he participated in different research projects
involv-ing PKI, WPKI, WAP, sim applications, SMS, SIP, SAML, BS7799, TTS, security, NGN, and mobile
applications In his role as chief security architect, he has been researching security standards
and methods, as well as developing a security framework model for different companies He
researches, designs, and implements security methodologies for Java (JAAS, JSSE, JCE, and so
on), BEA WebLogic, J2EE, LDAP, Apache, Microsoft SQL Server, XML, and so on He’s an expert
on the security standard BS7799 and the protocols PKI and WPKI, where he holds two
inter-national patent applications
■ORIS ORLANDO,born in Naples, Italy, in 1971, has been interested in puter science since the ’80s His first computer was a Computer IntellivisionModule that developed programs written in the limited-edition BASIC lan-guage At the end of the ’80s, he began to use 8086 machines In 1989 heenrolled at the University of Salerno, in Italy, for computer science Duringhis university career, he developed many applications for small businessesand used the BBS before the Internet became prominent He graduated in
com-1997 from the University of Salerno In December com-1997 he began working for Siemens Nixdorf
for two years as an analyst/programmer (Java, C, PL/SQL, CGI, HTML) in the Web environment
In 1999 he came to work for Bull H.N For two years he worked with the technical team; in the
third year he became a project leader in the security department, and this year he’s a project
manager He has had significant experience with Unix, Windows, Linux, DOS, computer
pro-gramming, security, and databases (Oracle and LDAP), and he’s certified for the BS7799 security
standard
xv
Trang 11Implementing Deployment,
Operations, and
Administration Strategies
For many, simply installing software on a system signals the end of the project But for system
administrators, the process of maintaining an installation, troubleshooting it, and debugging
it—administering—has just begun In management’s perfect world, software runs itself,
noth-ing ever breaks, and you can just let somethnoth-ing sit untouched until it has outlived its
useful-ness This isn’t the case—your fun is just beginning
It will benefit you to understand the basic concepts of environment deployment, namestandardization, and system optimization in order to best run an OpenLDAP environment In
this chapter, I’ll discuss the basics of environment setup and describe some of the tools required
to successfully run an OpenLDAP environment
Separating Your Environments
Environment separation, which is your ability to physically or logically isolate environments,
is often quite difficult to accomplish at a well-established company but is achievable at the
beginning Without having any level of separation within your environment, you reduce your
ability to expand without having to rearchitect your existing systems That is, your
environ-ment may be so flat that adding new components to your system will have a negative impact
on your existing environment Although you may not always be able to do something about
the problem, it’s necessary to view the topography of the network you’ll be using to
under-stand complexities in your OpenLDAP deployment
Unlike an isolated system, OpenLDAP often relies on network services and data storedoutside its own host The potential for multiple environments that are configured to share
a common set of data to corrupt or cause disruption is high You can prevent the overlapping
of data between a system being used for testing and one that’s running in a production state
by appropriately separating the two environments This separation will allow you to perform
tests of varying levels of impact without disrupting existing services Imagine needing to
per-form an upgrade on a development system that’s tied to your production environment Your
ability to do this will be hindered because any errors that are made will be introduced into
your production environment How you implement the separation will depend on the goal of
47
C H A P T E R 3
■ ■ ■
Trang 12C H A P T E R 3 ■ I M P L E M E N T I N G D E P L OY M E N T, O P E R AT I O N S, A N D A D M I N I S T R AT I O N S T R AT E G I E S
48
each environment In a typical organization, an environment could be split into one (or evenmany) groups
The following are common environments:
• Development: In this environment, standard development on your systems takes
place Development can mean many things depending on your organization
• Staging: After software is developed or new system configurations are established, they’re
commonly moved from a development environment to a staging environment
• Production: The final move of new software or new system configuration is into the
production environment
The following are some other common environments:
• Engineering: Engineering work is performed in one environment.
• Quality assurance: The result of engineering work goes through the quality assurance
(QA) procedures Depending on the type of tasks being performed, QA environmentsoften have a completely different set of network services, such as Domain Name Ser-vice (DNS) and Simple Mail Transfer Protocol (SMTP) servers
• Operations: Upon approval by the QA department, information is passed onto
opera-tions This is where all engineering products that have passed QA end
All these types of environments can be divided into even more environments depending
on the size and scope of your infrastructure You could have hosts for internal access, externalaccess only, external access by internal resources, internal access by external resources, demil-itarized zones (DMZ) systems, and so on The ability to manage these different infrastructuresrelies on the appropriate separation of the resources and valid (and current) documentation.It’s also common to separate different departments so that consistency can be maintained onthat (or any other) level That is, it may be a good idea to have your finance department on adifferent network segment than the help desk because of the sensitive nature of the data goingover the wire
Regardless of the names used for each of these environments, the idea is the same Youseparate different sets of hosts that aren’t meant to specifically interact with each other intodifferent network segments and split them into different domains or DNS zones
Imagine a common scenario where YourCompany’s resources exist in a single local areanetwork (LAN) with the DNS name of YourCompany.com (see Figure 3-1) All machines arewithin the same domain, have random ranges of Internet Protocol (IP) addresses, and canaccess the same information on the LAN
Trang 13C H A P T E R 3 ■ I M P L E M E N T I N G D E P L OY M E N T, O P E R AT I O N S, A N D A D M I N I S T R AT I O N S T R AT E G I E S 49
Figure 3-1. Typical network separation, logical networks
What you see in Figure 3-1 is a simplified network utilizing a single router All environmentsare in the same network In some cases, production systems and the DMZ (if the illusion of one
exists) just hang off the same physical layer
What happens if interns with no security clearance are brought in to do data entry for onedepartment? The interns would have access to the entire network and could actually view net-
work traffic within the entire environment What happens when traffic patterns between
depart-ments differ (or when someone is doing some performance and load testing)? What happens
when the performance required for external-facing systems isn’t achievable because of
out-of-control internal network traffic?
Many people realize that there needs to be physical separation between environments onthe network level and have created complicated, and often high-performance, network topolo-
gies to take advantage of the technology readily available today Companies may use expensive
Layer 3 switches, virtual LANs (VLANs), and oddball packet-shaping tools, only to have their
architectures defeated by inadequate planning What’s often overlooked is the logical
separa-tion between environments on the system side It seems that while the world of networks has
been advancing at a rapid pace, the concept of naming, often put solely in the domain of
sys-tem administrators, has been at a standstill Networks will be separated by a number of
differ-ent layers—all controlled by a single DNS server and single domain name What happens when
YourCompany.com needs different levels of security based on different environments yet you
have no easy way to group the information?
Let’s assume that YourCompany.com has created a LAN environment that allows for easyscalability At first it relied on a single connection out to the Internet with limited network hard-
ware Because of a good level of initial planning, the architects didn’t just dive into the network
architecture and create a large mess that would take months (or years!) to clean up An
environ-ment was created with logically and (somewhat) physically separated networks to eventually
create an appropriately scalable LAN Nothing is worse than attempting to create a controlled
network environment only to have it become a mess