Document: Advanced Network and System Administration (ppt)
DOCUMENT INFORMATION

Basic information

Title: Advanced network and system administration: accounts and namespaces
Field: Information Technology
Type: Presentation
Pages: 23
Size: 165.5 KB
Contents

Page 1

Advanced Network and System Administration
Accounts and Namespaces

Page 3

What is a Directory?

Directory: A collection of information that is primarily searched and read, rarely modified.

Directory Service: Provides access to directory information.

Directory Server: Application that provides a directory service.

Page 4

Directories vs Databases

- Directories are optimized for reading.
  - Databases are balanced for read and write.
- Directories are tree-structured.
  - Databases typically have a relational structure.
- Directories are usually replicated.
  - Databases can be replicated too.
- Both are extensible data storage systems.

Page 5

System Administration Directories

- Types of directory data

Page 6

Advantages of Directories

- Make administration easier.
  - Change data only once: people, accounts, hosts.
- Unify access to network resources.
  - Single sign-on.
  - Single place for users to search (address book).
- Improve data management.
  - Improve consistency (one location vs. many).
  - Secure data through only one server.

Page 7

NIS: Network Information Service

- Originally called Sun Yellow Pages.
- Clients run ypbind.
- Servers run ypserv.
- Data is stored under /var/yp on the server.
- The server shares NIS maps with clients.
  - Each UNIX file may provide multiple maps.
  - passwd: passwd.byname, passwd.byuid
- Slave servers replicate the master server's content.
- Easy to use, but insecure and difficult to extend.
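As an added example (not part of the slides), the following Python builds the two maps the slide names, passwd.byname and passwd.byuid, from a constructed passwd file and looks keys up the way ypmatch and ypcat do. The sample accounts are made up, and the helper names are this example's own. It also makes the slide's "insecure" point concrete: each map value is the whole passwd line, and ypcat hands the whole map to any host that can reach ypserv, so whatever sits in the file's password field is handed out with it.

```python
# Added example, not from the slides: derive the passwd.byname and passwd.byuid
# NIS maps that one /etc/passwd file provides, and look keys up like ypmatch/ypcat.

# Constructed sample passwd(5) content (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fooj:x:1001:1001:Jeff Foo:/home/fooj:/bin/bash
smithj:x:1002:1001:Jane Smith:/home/smithj:/bin/sh
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(dict(zip(PASSWD_FIELDS, fields)))
    return entries


def build_nis_maps(text):
    """Return {'passwd.byname': {...}, 'passwd.byuid': {...}}.

    Both maps hold the full passwd line as their value, which is what ypserv
    hands to any client that asks. A key can appear only once per map, so a
    duplicate name or UID is reported here instead of silently overwriting.
    """
    byname, byuid = {}, {}
    for e in parse_passwd(text):
        line = ":".join(e[f] for f in PASSWD_FIELDS)
        if e["name"] in byname:
            raise ValueError(f"duplicate user name {e['name']!r}")
        if e["uid"] in byuid:
            raise ValueError(f"duplicate uid {e['uid']!r}")
        byname[e["name"]] = line
        byuid[e["uid"]] = line
    return {"passwd.byname": byname, "passwd.byuid": byuid}


def ypmatch(maps, key, mapname):
    """Look one key up in one map (argument order as in `ypmatch KEY MAPNAME`); None if absent."""
    return maps.get(mapname, {}).get(key)


def ypcat(maps, mapname):
    """Dump a whole map, as `ypcat MAPNAME` does for any host that can reach ypserv."""
    return list(maps.get(mapname, {}).values())


if __name__ == "__main__":
    maps = build_nis_maps(SAMPLE_PASSWD)
    print(ypmatch(maps, "1001", "passwd.byuid"))
    print(ypcat(maps, "passwd.byname"))
```

The byuid map is what a client uses to turn a UID from ls -l back into a name; the byname map serves getpwnam(). Both are derived from the same file, which is the slide's point that one file can feed several maps.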

Page 8

- Lightweight Directory Access Protocol
  - Lightweight compared to X.500 directories.
  - Directory, not a database.
  - Access protocol, not a directory itself.

Page 9

LDAP Clients and Servers

- LDAP clients
  - Standalone directory browsers.
  - Embedded clients (mail clients, logins, etc.).
  - Configure /etc/nsswitch.conf on UNIX to use LDAP.
- Common LDAP servers
  - OpenLDAP
  - Fedora Directory Server (formerly Sun, Netscape)
  - Mac Open Directory
  - Microsoft Active Directory
  - Novell eDirectory (NDS)

Page 10

LDAP Structure

An LDAP directory is made of entries.
- Entries may be employee records, hosts, etc.

Each entry consists of attributes.
- Attributes can be names, phone numbers, etc.
- The objectClass attribute identifies the entry type.

Each attribute is a type / value pair.
- Type is a label for the information stored (the name).
- Value is the value of the attribute in this entry.

Page 11

Tree-structure of LDAP Directories

Page 12

LDAP Schemas

Page 13

- LDAP Interchange Format.
  - Standard text format for storing LDAP configuration data and directory contents.
- LDIF files
  - Collection of entries separated by blank lines.
  - Mapping of attribute names to values.
  - Import new data into the directory.
  - Export the directory to LDIF files for backups.

Page 14

LDIF Output Example
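The slides' LDIF output example is an image that did not survive extraction, so here is an added example (not from the slides) of what such a file looks like and how it maps onto the entries, attributes and objectClass values described on the LDAP Structure slide. The parser follows the LDIF rules from RFC 2849 that matter for a plain export: entries separated by blank lines, one attribute per line, lines folded with a leading space, and "::" for base64 values. The sample file reuses the Jeff Foo DN from the slides; its attribute values are constructed, and export_ldif shows the backup direction.

```python
import base64

# Added example, not from the slides: parse and regenerate LDIF as described on
# the LDIF slide, using the entry/attribute model from the LDAP Structure slide.

# Constructed sample LDIF. The DN is the one the slides use; the attribute
# values are invented. The description is folded across two lines, and "l"
# is base64-encoded because its value is not plain ASCII.
SAMPLE_LDIF = """\
version: 1
# People in Sales
dn: ou=Sales,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: Sales

dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
objectClass: person
objectClass: organizationalPerson
cn: Jeff Foo
sn: Foo
telephoneNumber: +1 555 0100
description: A long description that is fol
 ded across two lines in the file
l:: TsO8cm5iZXJn
"""


def parse_ldif(text):
    """Return a list of entries, each {"dn": str, "attrs": {type: [values]}}.

    Handles comments, folded lines, base64 values and blank-line separation.
    Change records (changetype:) are outside this example's scope.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if current is None and line.lower().startswith("version:"):
            continue
        if not line.strip():                   # blank line ends the entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            if current is not None:
                raise ValueError("dn inside an entry; missing blank line?")
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute {name!r} appears before any dn")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def _needs_base64(value):
    """LDIF must base64-encode non-ASCII values and values that would be misread as-is."""
    return (not value.isascii()) or value[:1] in (" ", ":", "<") or value != value.strip()


def export_ldif(entries):
    """Serialize entries back to LDIF (the backup direction on the slide)."""
    out = []
    for entry in entries:
        items = [("dn", entry["dn"])]
        items += [(t, v) for t, values in entry["attrs"].items() for v in values]
        for attr_type, value in items:
            if _needs_base64(value):
                out.append(f"{attr_type}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
            else:
                out.append(f"{attr_type}: {value}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], "->", entry["attrs"].get("objectClass"))
```

Note that objectClass is just another multi-valued attribute in the file; it is the server's schema, not the LDIF syntax, that gives it its special meaning.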

Page 15

Distinguished Names

- Distinguished Names (DNs)
  - Uniquely identify an LDAP entry.
  - Provide the path from the LDAP root to the named entry.
  - Similar to an absolute pathname.
  - dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
- Relative DNs (RDNs)
  - Any unique attribute pair in the directory's container.
  - ex: cn=Jeff Foo OR username=fooj
  - Similar to a relative pathname.
  - Except an RDN may have multiple components:
    - cn=Jane Smith+ou=Sales
    - cn=Jane Smith+ou=Engineering
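As an added example (not from the slides), the following Python parses DNs into their RDNs, splits multi-valued RDNs on "+", and compares DNs the way the slide's pathname analogy suggests: parent_dn() is the directory equivalent of dirname(), and is_under() checks whether one entry lies beneath a base. The two Jane Smith RDNs from the slide compare as different, while "cn=Jane Smith+ou=Sales" and "ou=Sales+cn=Jane Smith" compare as the same entry. Backslash escapes such as "\," are handled; hexpair escapes and quoted values are not, and the function names are this example's own.

```python
import re

# Added example, not from the slides: parse, normalize and compare LDAP
# distinguished names as described on the Distinguished Names slide.


def _split_unescaped(s, sep):
    """Split s on sep, leaving backslash-escaped separators in place."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair together
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    return re.sub(r"\\(.)", r"\1", value)


def _escape(value):
    return re.sub(r'([\\,+="<>;])', r"\\\1", value)


def parse_rdn(rdn):
    """One RDN -> list of (type, value); '+' joins the components of a multi-valued RDN."""
    pairs = []
    for ava in _split_unescaped(rdn, "+"):
        attr_type, sep, value = ava.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"bad RDN component: {ava!r}")
        pairs.append((attr_type.strip().lower(), _unescape(value.strip())))
    return pairs


def parse_dn(dn):
    """DN string -> list of RDNs, leaf first (the slide's root-to-entry path read backwards)."""
    if dn == "":
        return []                              # the empty DN names the root of the tree
    return [parse_rdn(r) for r in _split_unescaped(dn, ",")]


def _normalized_rdns(dn):
    """Types and values lowercased, whitespace collapsed, multi-valued components sorted.

    This is caseIgnore matching, which fits cn, ou and dc; some attribute types
    use exact matching, so a real server consults the schema here.
    """
    rdns = []
    for rdn in parse_dn(dn):
        comps = sorted((t, " ".join(v.lower().split())) for t, v in rdn)
        rdns.append("+".join(f"{t}={_escape(v)}" for t, v in comps))
    return rdns


def normalize(dn):
    """Canonical string form for comparing two DNs."""
    return ",".join(_normalized_rdns(dn))


def parent_dn(dn):
    """Drop the leftmost RDN, like dirname() on a pathname."""
    parts = _split_unescaped(dn, ",")
    return ",".join(p.strip() for p in parts[1:])


def is_under(dn, base):
    """True when dn is base itself or lies beneath it; the empty base is the root."""
    d, b = _normalized_rdns(dn), _normalized_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    jeff = "cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org"
    print(parse_dn(jeff))
    print(parent_dn(jeff), is_under(jeff, "dc=plainjoe,dc=org"))
```

The normalization step matters whenever DNs are used as keys, for example in an access-control list: "CN=Jeff Foo, OU=Sales, DC=plainjoe, DC=org" names the same entry as the slide's form, and a comparison on raw strings would miss that.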

Page 16

LDAP Client/Server Interaction

1. Client requests to bind to the server.
2. Server accepts or denies the bind request.
3. Client sends a search request.
4. Server returns zero or more directory entries.
5. Server sends a result code with any errors.
6. Client sends an unbind request.
7. Server sends result code and closes socket.

Page 17

LDAP Operations

- Client session operations
  - Bind, unbind, and abandon
- Query and retrieval operations
  - Search and compare
- Modification operations
  - Add, modify, modifyRDN, and delete

Page 18

Anonymous Authentication
  Binds with an empty DN and password.

Simple Authentication
  Binds with a DN and password in cleartext.

Simple Authentication over SSL/TLS
  Uses SSL to encrypt simple authentication.

Simple Authentication and Security Layer
  SASL is an extensible security scheme.
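As an added example (not from the slides), the following Python models the exchange from the LDAP Client/Server Interaction slide and applies the authentication choices on this slide as server policy: an anonymous bind, a cleartext simple bind, and a simple bind over TLS each get the result code a server would return. The result-code numbers are the RFC 4511 values; the Server and Session classes, the sample directory and the tls flag are this example's own constructions (SASL is left out). Each session keeps a transcript of both sides' messages so the seven steps can be read back. Unbind has no response in LDAPv3, so the model just closes the connection at step 7.

```python
import hashlib
import hmac

# Added example, not from the slides: the bind / search / unbind exchange with
# anonymous, cleartext-simple and simple-over-TLS binds handled by server policy.

# LDAP result codes (RFC 4511) returned by this model.
SUCCESS, OPERATIONS_ERROR, CONFIDENTIALITY_REQUIRED = 0, 1, 13
NO_SUCH_OBJECT, INAPPROPRIATE_AUTH, INVALID_CREDENTIALS, UNWILLING = 32, 48, 49, 53


def _pwhash(password):
    """Toy password storage for the model; a real slapd stores {SSHA} or similar."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed directory content; the DN is the one used on the slides.
JEFF = "cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org"
DIRECTORY = {
    "dc=plainjoe,dc=org": {"objectClass": ["dcObject"], "dc": ["plainjoe"]},
    "ou=Sales,dc=plainjoe,dc=org": {"objectClass": ["organizationalUnit"], "ou": ["Sales"]},
    JEFF: {"objectClass": ["person"], "cn": ["Jeff Foo"], "sn": ["Foo"],
           "userPassword": [_pwhash("correct horse")]},
}


class Server:
    """Directory data plus bind policy."""
    def __init__(self, entries, allow_anonymous=True, require_tls_for_simple=True):
        self.entries = entries
        self.allow_anonymous = allow_anonymous
        self.require_tls_for_simple = require_tls_for_simple


class Session:
    """One client connection; .transcript records both sides' messages in order."""
    def __init__(self, server, tls=False):
        self.server, self.tls = server, tls
        self.open, self.bound_as, self.transcript = True, None, []

    def _send(self, msg):
        self.transcript.append("C: " + msg)

    def _result(self, code, extra=""):
        self.transcript.append(f"S: resultCode={code}{extra}")
        return code

    def bind(self, dn="", password=""):
        """Steps 1-2: simple bind. Empty DN and password is an anonymous bind."""
        self._send(f"BindRequest dn={dn!r} simple")
        if not self.open:
            return self._result(OPERATIONS_ERROR)
        if dn == "" and password == "":
            if not self.server.allow_anonymous:
                return self._result(INAPPROPRIATE_AUTH)
            self.bound_as = ""
            return self._result(SUCCESS)
        if password == "":            # DN with no password: RFC 4513 says reject by default
            return self._result(UNWILLING)
        if self.server.require_tls_for_simple and not self.tls:
            return self._result(CONFIDENTIALITY_REQUIRED)   # password would cross the wire in cleartext
        entry = self.server.entries.get(dn, {})
        stored = entry.get("userPassword", [None])[0]
        if stored is None or not hmac.compare_digest(stored, _pwhash(password)):
            return self._result(INVALID_CREDENTIALS)       # same code for unknown DN and wrong password
        self.bound_as = dn
        return self._result(SUCCESS)

    def search(self, base, attr, value):
        """Steps 3-5: equality search under base -> (resultCode, [(dn, attrs)]).
        A session that never bound is treated as anonymous, as LDAPv3 does."""
        self._send(f"SearchRequest base={base!r} filter=({attr}={value})")
        if not self.open:
            return self._result(OPERATIONS_ERROR), []
        if base not in self.server.entries:
            return self._result(NO_SUCH_OBJECT), []
        hits = []
        for dn, attrs in self.server.entries.items():
            if (dn == base or dn.endswith("," + base)) and value in attrs.get(attr, []):
                # userPassword is returned only to the entry's own owner
                visible = {k: v for k, v in attrs.items()
                           if k != "userPassword" or dn == self.bound_as}
                hits.append((dn, visible))
                self.transcript.append(f"S: SearchResultEntry dn={dn!r}")
        return self._result(SUCCESS, f" entries={len(hits)}"), hits

    def unbind(self):
        """Steps 6-7: UnbindRequest carries no response; the server closes the socket."""
        self._send("UnbindRequest")
        self.open = False
        self.transcript.append("S: <connection closed>")


if __name__ == "__main__":
    s = Session(Server(DIRECTORY), tls=True)
    s.bind(JEFF, "correct horse")
    s.search("dc=plainjoe,dc=org", "sn", "Foo")
    s.unbind()
    print("\n".join(s.transcript))
```

With require_tls_for_simple set, a cleartext simple bind is refused with confidentialityRequired (13) before the password is even checked, which is the policy counterpart of the slide's "Use SSL to encrypt simple authentication". Wrong passwords and unknown DNs both get invalidCredentials (49), so a client cannot use the bind response to learn which DNs exist.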

Page 19

- Have the local server serve local data to the LAN.
- Only use the WAN for non-local data on other servers.
- Administrative boundaries
  - Let each side administer its own directory.

Page 20

- Open source LDAPv3 server.
- LDAP server: slapd
- Client commands: ldapadd, ldapsearch
- Backend storage: BerkeleyDB
- Backend commands: slapadd, slapcat

Page 21

Building an OpenLDAP Server

1. Install OpenLDAP.
2. Configure LDAP for your domain.
   Change the suffix, rootdn, and rootpw options:
   vim /etc/openldap/slapd.conf
3. Start the server.
   Immediate: /sbin/service ldap start
   Permanent: /sbin/chkconfig --level 35 ldap on
4. Add data with ldapadd.
5. Verify functionality with ldapsearch.

Page 22

LDAP Authentication

1. Configure the server with schema + user data.
2. Point clients to the hostname and rootDN of the server:
   /etc/ldap.conf and /etc/openldap/ldap.conf
3. Verify server access with ldapsearch.
4. Configure clients to use LDAP auth in /etc/nsswitch.conf:
   passwd: files ldap
   shadow: files ldap
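As an added example (not from the slides), the following Python covers the configuration parts of the two preceding procedures: step 2 of Building an OpenLDAP Server (the suffix, rootdn and rootpw directives in slapd.conf) and step 4 of LDAP Authentication (the passwd and shadow lines in nsswitch.conf). The rootpw directive accepts a cleartext value, but slapd also accepts the {SSHA} form that slappasswd produces, base64(SHA-1(password + salt) + salt), so the example generates and verifies that form and refuses to write a cleartext rootpw into the file. The domain plainjoe.org comes from the slides; the admin name "Manager", the paths and the function names are this example's assumptions, and the nsswitch.conf content is constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the slides: slapd.conf directives with a hashed
# rootpw, and a check of the nsswitch.conf lines that turn on LDAP lookups.


def ssha_hash(password, salt=None):
    """{SSHA} in the form slappasswd emits: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def render_slapd_conf(domain, admin_cn, rootpw_hash, directory="/var/lib/ldap"):
    """slapd.conf directives for step 2 of the slide: suffix, rootdn, rootpw.

    Refuses a cleartext rootpw: slapd would accept it, but it would then sit
    readable in a configuration file.
    """
    if not rootpw_hash.startswith("{"):
        raise ValueError("rootpw must be a hashed value such as {SSHA}..., not cleartext")
    suffix = ",".join(f"dc={label}" for label in domain.split("."))
    return "\n".join([
        "include   /etc/openldap/schema/core.schema",
        "database  bdb",                   # BerkeleyDB backend, as on the OpenLDAP slide
        f'suffix    "{suffix}"',
        f'rootdn    "cn={admin_cn},{suffix}"',
        f"rootpw    {rootpw_hash}",
        f"directory {directory}",
        "",
    ])


def nsswitch_sources(text):
    """Map each nsswitch.conf database to its source list; comments and [action] tokens dropped."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def ldap_enabled(text, databases=("passwd", "shadow")):
    """Step 4 check: does each database consult ldap as one of its sources?"""
    src = nsswitch_sources(text)
    return {db: "ldap" in src.get(db, []) for db in databases}


if __name__ == "__main__":
    # Constructed inputs; the password is a placeholder for this demonstration.
    print(render_slapd_conf("plainjoe.org", "Manager", ssha_hash("example-placeholder")))
    print(ldap_enabled("passwd: files ldap\nshadow: files ldap\ngroup: files\n"))
```

The salt travels inside the stored value, so ssha_verify needs nothing but the {SSHA} string, which is why slapd can check a rootpw or userPassword without any side table. SHA-1 with a 4-byte salt is what the {SSHA} scheme defines; it is not a slow password hash, so the rootpw it protects should still be long and random.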

Page 23

1. Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, Addison-Wesley, 2003.
2. Gerald Carter, LDAP System Administration, O'Reilly, 2003.
3. J. Heiss, "Replacing NIS with Kerberos and LDAP," , 2005.

Posted: 20/01/2014, 06:20