
OpenLDAP Directory Administration Standard Unix Services and LDAP



  1. OpenLDAP Directory Administration: Standard Unix Services and LDAP

  2. Table of Contents
     • The Directory Namespace
     • An FTP/HTTP Combination
     • User Authentication with Samba
     • FreeRadius
     • Resolving Hosts
     • Central Printer Management

  4. The Directory Namespace
     • This chapter explores how standard Unix services can make use of our directory
     • We continue with the namespace developed in chapters 6 and 7
     • We will eventually need to modify it

     dc=plainjoe,dc=org
       ou=group       administrative groups and posixGroups
       ou=people      user accounts
       ou=services    application data

  5. Table of Contents
     • The Directory Namespace
     • An FTP/HTTP Combination
     • User Authentication with Samba
     • FreeRadius
     • Resolving Hosts
     • Central Printer Management

  6. An FTP/HTTP Combination
     • ProFTPD (http://www.proftpd.org/) + LDAP
     • Apache (http://www.apache.org/) + LDAP
     • Assume that the FTP and web platform cannot make use of PAM or NSS
     • Layout (from the slide's diagram): www.plainjoe.org serves both FTP and HTTP;
       ldap.plainjoe.org holds the LDAP directory with the home directory and account
       information; users upload files to ~/public_html over FTP and they are served at
       http://www.plainjoe.org/~user

  7. An FTP/HTTP Combination (cont.) ProFTPD
     • Comes with a mod_ldap module (not the same as Apache's)
     • Compilation flag: --with-modules=mod_ldap
     • Listing built-in modules:

        $ proftpd -l
        Compiled-in modules:
          mod_core.c
          mod_xfer.c
          mod_auth_unix.c
          ...
          mod_ldap.c
          ...
          mod_log.c
          mod_site.c
          mod_auth_pam.c
          mod_quotatab.c
          mod_ratio.c
          mod_tls.c
          mod_rewrite.c
          mod_radius.c
          mod_ifsession.c
          mod_cap.c

  8. An FTP/HTTP Combination (cont.) ProFTPD (cont.)
     • Sample starting configuration:

        ServerType      standalone
        DefaultServer   on
        Port            21
        Umask           022
        User            nobody
        Group           nobody
        DefaultRoot     ~/public_html

        # LDAP parameters will go in here

        <Directory /*>
          AllowOverwrite on
        </Directory>

  9. An FTP/HTTP Combination (cont.) ProFTPD (cont.)
     • LDAP configuration:

        LDAPDoAuth on "ou=people,dc=plainjoe,dc=org"
        LDAPServer ldap.plainjoe.org

        # By default, anonymous binds are used
        # LDAPAuthBinds off (= anonymous bind, or simple bind using LDAPDNInfo as the DN;
        #   the user's password must then be stored in clear text or {crypt} format)
        # LDAPAuthBinds on  (= authenticates the connecting user by binding to the
        #   directory server: locates the user's DN, never requests the userPassword
        #   attribute, then binds to the LDAP server again using the user's DN and
        #   the password entered)
        LDAPAuthBinds on

        # How to tell proftpd to resolve UIDs and GIDs when listing files
        LDAPDoGIDLookups on "ou=group,dc=plainjoe,dc=org"
        LDAPDoUIDLookups on "ou=people,dc=plainjoe,dc=org"

        # The default search filters, (&(uidNumber=UNIX uid)(objectclass=posixAccount))
        # and (&(gidNumber=UNIX gid)(objectclass=posixGroup)), can be overridden via
        # an extra parameter

  10. An FTP/HTTP Combination (cont.) ProFTPD LDAP Parameters

  11. An FTP/HTTP Combination (cont.) ProFTPD LDAP Parameters (cont.)

  12. An FTP/HTTP Combination (cont.) Apache
     • There is more than one LDAP module for Apache
     • We will use mod_ldap_userdir here
     • Searches the LDAP directory for a posixAccount entry with a matching uid value
     • Building the module is not covered here
     • Configuration:

        LoadModule ldap_userdir_module /usr/lib/apache/mod_ldap_userdir.so

        <IfModule mod_ldap_userdir.c>
          LDAPUserDirServer      ldap.plainjoe.org
          LDAPUserDirSearchScope subtree
          LDAPUserDirBaseDN      ou=people,dc=plainjoe,dc=org
          LDAPUserDir            public_html
        </IfModule>

  13. An FTP/HTTP Combination (cont.) Apache (cont.) Directives for mod_ldap_userdir

  14. Table of Contents
     • The Directory Namespace
     • An FTP/HTTP Combination
     • User Authentication with Samba
     • FreeRadius
     • Resolving Hosts
     • Central Printer Management

  15. User Authentication with Samba
     • http://www.samba.org/
     • Implements the server portion of the SMB/CIFS protocol (Server Message Block/Common Internet File System)
     • Full Samba coverage is outside the scope of this course
     • To support the challenge/response authentication methods used by MS Windows clients, Samba
       requires a list of hashed passwords separate from the passwords in /etc/shadow, the
       smbpasswd file:

        username:uid:LM_HASH:account_flags:timestamp

     • Disadvantages of smbpasswd for large sites:
       • Lookups are performed sequentially
       • A single smbpasswd file replicated to multiple servers is a clumsy solution
         (e.g. uids/gids must be identical, etc.)
       • The format of the smbpasswd file limits the number of attributes
         (e.g. location of a user's roaming profile)

  16. User Authentication with Samba (cont.) Configuring Samba
     • Covered here: Samba 2.2.7a (LDAP support must be enabled at compile time: --with-ldapsam)
     • Samba 3 LDAP support is different (more powerful)
     • sambaAccount object in the LDAP directory
     • smb.conf file (partial):

        [global]
            netbios name      = TASHTEGO
            workgroup         = PEQUOD
            security          = user
            encrypt passwords = yes
            ldap admin dn     = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
            ldap server       = ldap.plainjoe.org
            ldap ssl          = start_tls
            ldap port         = 389
            ldap suffix       = "ou=people,dc=plainjoe,dc=org"
            ldap filter       = "(&(uid=%U)(objectclass=sambaAccount))"
            ...

  17. User Authentication with Samba (cont.) smb.conf LDAP Parameters
     • Make sure the NTLM hashes are not retrievable by an anonymous user
     • The password for the LDAP bind is not stored in smb.conf, but in the secrets.tdb file:

        # smbpasswd -w secret
        Setting stored password for "cn=smbadmin,ou=people,dc=plainjoe,dc=org" in secrets.tdb

  18. User Authentication with Samba (cont.) Configuring OpenLDAP
     • The LDAP server must support the appropriate schema
     • sambaAccount schema: samba.schema
     • slapd.conf:

        include /etc/openldap/schema/core.schema
        include /etc/openldap/schema/cosine.schema
        include /etc/openldap/schema/nis.schema
        include /etc/openldap/schema/inetorgperson.schema
        include /etc/openldap/schema/samba.schema

  19. User Authentication with Samba (cont.) sambaAccount Object Class
     objectClass: sambaAccount
     • Required attributes: uid, rid
     • Optional attributes: cn, lmPassword, ntPassword, pwdLastSet, logonTime, logoffTime,
       kickoffTime, userWorkstations, primaryGroupID, domain, pwdCanChange, pwdMustChange,
       acctFlags, displayName, smbHome, homeDrive, scriptPath, profilePath, description

  20. User Authentication with Samba (cont.) Access Control Rules
     • New access rules to prevent normal users from retrieving the LanMan/NT password hashes:

        # Previous ACLs
        access to attrs=userPassword
            by self write
            by * auth

        # Don't let users snoop Windows passwords
        access to attrs=lmPassword,ntPassword
            by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
            by * none

        # Allow smbadmin to add new entries and modify existing ones
        access to dn.subtree="ou=people,dc=plainjoe,dc=org"
            by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
            by * read

        # Previous ACLs
        access to dn.subtree="ou=group,dc=plainjoe,dc=org"
            by * read
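Because slapd stops at the first directive whose target matches, the order of these four rules decides who can read the hashes. The following added example (not from the slides) models that evaluation for exactly these rules so the outcome can be audited before the ACLs go live; the rootdn bypass and the `uid=kristi` test entry are assumptions.

```python
# Model of slapd ACL evaluation for the four directives on this slide (added
# example). Assumptions: rules are checked in order, the first directive whose
# <what> matches is the only one consulted, and the rootdn (which bypasses
# ACLs) is not modelled. Level names are slapd's cumulative access levels.
SMBADMIN = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# (attributes covered or None for any, dn.subtree restriction or None, [(who, level), ...])
RULES = [
    ({"userpassword"}, None, [("self", "write"), ("*", "auth")]),
    ({"lmpassword", "ntpassword"}, None, [(SMBADMIN, "write"), ("*", "none")]),
    (None, "ou=people,dc=plainjoe,dc=org", [(SMBADMIN, "write"), ("*", "read")]),
    (None, "ou=group,dc=plainjoe,dc=org", [("*", "read")]),
]

def access(bind_dn, entry_dn, attr):
    """Access level bind_dn (None = anonymous) gets to attr of entry_dn."""
    for attrs, subtree, who_list in RULES:
        if attrs is not None and attr.lower() not in attrs:
            continue
        if subtree is not None and not entry_dn.lower().endswith(subtree):
            continue
        # <what> matched: the first matching <who> clause decides
        for who, level in who_list:
            if who == "*":
                return level
            if who == "self" and bind_dn is not None and bind_dn.lower() == entry_dn.lower():
                return level
            if bind_dn is not None and who.lower() == bind_dn.lower():
                return level
        return "none"      # matching directive but no matching <who>: denied
    return "none"          # no directive matched: slapd denies by default

def allows(bind_dn, entry_dn, attr, wanted):
    """True if the granted level is at least `wanted` (levels are cumulative)."""
    return LEVELS.index(access(bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

def audit():
    """The checks an administrator wants answered by this ACL set."""
    kristi = "uid=kristi,ou=people,dc=plainjoe,dc=org"   # constructed test entry
    return {
        "anon_reads_nt_hash": allows(None, kristi, "ntPassword", "read"),
        "self_reads_lm_hash": allows(kristi, kristi, "lmPassword", "read"),
        "smbadmin_writes_hash": allows(SMBADMIN, kristi, "ntPassword", "write"),
        "self_changes_password": allows(kristi, kristi, "userPassword", "write"),
        "anon_can_bind": allows(None, kristi, "userPassword", "auth"),
        # ou=services is not covered by any rule, so it falls to the default
        "anon_reads_services": allows(None, "cn=x,ou=services,dc=plainjoe,dc=org", "cn", "read"),
    }
```

Note that even the user's own bind cannot read lmPassword/ntPassword: the hash rule matches before the "by * read" rule on ou=people, which is the intended effect of placing it second.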

  21. User Authentication with Samba (cont.) The smbadmin Account
     • Since Samba will bind to LDAP using this account, the account must possess a userPassword
       attribute. However, it is not necessary to have a UID, so we can use the person structural
       object class:
         objectClass: person
         required attributes: cn, sn
         optional attributes: userPassword, telephoneNumber, seeAlso, description
     • Corresponding LDIF:

        dn: cn=smbadmin,ou=people,dc=plainjoe,dc=org
        objectClass: person
        cn: smbadmin
        sn: smbadmin
        userPassword: {SSHA}xDG3/Cfj7ATgJ9yP0exS2lGD+infJqCj

  22. User Authentication with Samba (cont.) Adding and Using a sambaAccount
     • Add user:

        # smbpasswd -a kristi -s testpass
        LDAP search "(&(uid=kristi)(objectclass=sambaAccount))" returned 0 entries.
        Added user kristi

     • List user:

        dn: uid=kristi,ou=people,dc=plainjoe,dc=org
        objectClass: inetOrgperson
        objectClass: posixAccount
        objectClass: sambaAccount
        ...
        uid: kristi
        pwdLastSet: 1040186720
        logonTime: 0
        logoffTime: 2147483647
        kickoffTime: 2147483647
        pwdCanChange: 0
        pwdMustChange: 2147483647
        rid: 2570
        primaryGroupID: 1201
        lmPassword: ...
        ntPassword: ...
        acctFlags: [UX        ]

  23. Table of Contents
     • The Directory Namespace
     • An FTP/HTTP Combination
     • User Authentication with Samba
     • FreeRadius
     • Resolving Hosts
     • Central Printer Management

  24. FreeRadius
     • Not discussed in this course

  25. Table of Contents
     • The Directory Namespace
     • An FTP/HTTP Combination
     • User Authentication with Samba
     • FreeRadius
     • Resolving Hosts
     • Central Printer Management

  26. Resolving Hosts
     • The most widespread mechanism for hostname resolution is DNS (Domain Name System)
     • LDAP is not really a replacement for a specialized directory service such as DNS
     • LDAP can be used as a back-end storage system for zone files
     • A patch for BIND9 exists: http://www.vernaas.no/ldap/bind-sdb/

  27. Resolving Hosts (cont.) Overview
     (Diagram.) A name query for the DNS zone plainjoe.org is answered by BIND with an LDAP search
     against the directory; the zone data lives under ou=hosts, beside ou=people, ou=group and
     ou=services under dc=plainjoe,dc=org.

  28. Resolving Hosts (cont.) How to Get It to Work?
     • Copy ldap.c to the bind source directory
     • Copy ldap.h to the include directory of the BIND source tree
     • Edit bin/named/Makefile.in and add:

        DDRIVER_OBJS = ldapdb.@O@
        DDRIVER_SRCS = ldapdb.c
        DDRIVER_LIBS = -lldap -llber

       (you may need to add the path to the LDAP include files and libraries to
       DDRIVER_INCLUDES and DDRIVER_LIBS)
     • Edit bin/named/main.c and add the following lines next to their xxdb counterparts:

        #include <xxdb.h>
        #include <ldapdb.h>
        ...
        xxdb_init();
        ldapdb_init();
        ...
        xxdb_clear();
        ldapdb_clear();

  29. Resolving Hosts (cont.) How to Get It to Work? (cont.)
     • Given the following zone file:

        plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
                3       ; serial
                10800   ; Refresh after 3 hours
                3600    ; Retry after 1 hour
                604800  ; Expire after 1 week
                86400 ) ; Minimum TTL of 1 day

        ; Name servers
        plainjoe.org.           IN NS  dns1.plainjoe.org.

        ; Addresses for local printers
        localhost.plainjoe.org. IN A   127.0.0.1
        dns1.plainjoe.org.      IN A   192.168.1.10
        ldap.plainjoe.org.      IN A   192.168.1.70
        ahab.plainjoe.org.      IN A   192.168.1.80

  30. Resolving Hosts (cont.) How to Get It to Work? (cont.)
     • There is a structural dNSZone object class that allows you to store DNS records in the directory:
         objectClass: dNSZone
         required attributes: zoneName, relativeDomainName
         optional attributes: DNSTTL, DNSClass, ARecord, MDRecord, PTRRecord, MXRecord, NSRecord,
           SOARecord, CNAMERecord, NAPTRRecord, KXRecord, DNAMERecord, HINFORecord, MINFORecord,
           TXTRecord, SIGRecord, KEYRecord, AAAARecord, LOCRecord, NXTRecord, SRVRecord, CERTRecord,
           A6Record

  31. Resolving Hosts (cont.) How to Get It to Work? (cont.)
     • LDIF entry for the A record of host ahab.plainjoe.org:

        dn: relativeDomainName=ahab,ou=hosts,dc=plainjoe,dc=org
        aRecord: 192.168.1.80
        objectClass: dNSZone
        relativeDomainName: ahab
        dNSTTL: 86400
        zoneName: plainjoe.org

     • The next step is to tell the named service about the LDAP database:

        zone "plainjoe.org" in {
            type master;
            database "ldap ldap://192.168.1.70/ou=hosts,dc=plainjoe,dc=org 172800";
        };

     • Note: a zone2ldap tool is included in the BIND distribution (or on Venaas' web site)
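The conversion zone2ldap performs for the zone file on slide 29 into dNSZone entries like the one above, as an added Python example (this is not the zone2ldap tool itself). It assumes the sample zone text embedded below, maps only SOA, NS and A records, and names the zone apex entry "@", following the ldapdb convention.

```python
import re

# Added example: a small zone-file to dNSZone LDIF converter. Constructed
# input: the zone file from slide 29. Only SOA, NS and A records are mapped.
ZONE = "plainjoe.org"
BASE = "ou=hosts,dc=plainjoe,dc=org"
ATTR = {"A": "aRecord", "NS": "nSRecord", "SOA": "sOARecord"}

ZONE_FILE = """\
plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
        3       ; serial
        10800   ; Refresh after 3 hours
        3600    ; Retry after 1 hour
        604800  ; Expire after 1 week
        86400 ) ; Minimum TTL of 1 day
; Name servers
plainjoe.org.           IN NS dns1.plainjoe.org.
localhost.plainjoe.org. IN A  127.0.0.1
dns1.plainjoe.org.      IN A  192.168.1.10
ldap.plainjoe.org.      IN A  192.168.1.70
ahab.plainjoe.org.      IN A  192.168.1.80
"""

def parse_zone(text):
    """Yield (owner, type, rdata) triples; strips ; comments and joins ( ) blocks."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "IN":
            yield parts[0], parts[2], " ".join(parts[3:])

def relative_name(owner):
    """Owner name relative to ZONE; the apex becomes '@' (assumed ldapdb convention)."""
    owner = owner.rstrip(".")
    if owner == ZONE:
        return "@"
    return owner[: -len(ZONE) - 1] if owner.endswith("." + ZONE) else owner

def zone_to_ldif(text, ttl=86400):
    """One dNSZone entry per owner name under BASE, returned as LDIF text."""
    entries = {}
    for owner, rtype, rdata in parse_zone(text):
        if rtype in ATTR:
            entries.setdefault(relative_name(owner), []).append((ATTR[rtype], rdata))
    out = []
    for name, records in entries.items():
        out.append(f"dn: relativeDomainName={name},{BASE}")
        out += ["objectClass: dNSZone", f"zoneName: {ZONE}",
                f"relativeDomainName: {name}", f"dNSTTL: {ttl}"]
        out += [f"{attr}: {rdata}" for attr, rdata in records]
        out.append("")
    return "\n".join(out)
```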

  32. Table of Contents
     • The Directory Namespace
     • An FTP/HTTP Combination
     • User Authentication with Samba
     • FreeRadius
     • Resolving Hosts
     • Central Printer Management

  33. Central Printer Management
     • Network printers are devices associated with entries in DNS that also possess attributes
       used to support a non-DNS application
     • Next step: design a directory-based solution for managing printing configuration information:
       • Adding printers
       • Deploying printers
       • Retiring printers
     • See the namespace on the next slide

  34. Central Printer Management (cont.) LDAP Namespace for Directory-based Storage of Printer Configuration Data

     dc=plainjoe,dc=org
       ou=hosts           host DNS configuration
       ou=printers
         ou=config        printer configuration data
         ou=global        common printers
         ou=location      printer groups
           ou=floor-1
       ou=services
       ou=people
       ou=group

  35. Central Printer Management (cont.) The Namespace
     • The config OU sits at the root of the actual configuration tree
       • Each printer has an entry (name, maximum print job size, ...)
       • Also contains DNS information
       • The ou=config,ou=printers,dc=plainjoe,dc=org entry acts as the base suffix for the
         lp.plainjoe.org DNS zone used by BIND9
       • If an administrator removes a printer's entry, it is immediately removed from DNS as well
     • Printers listed below the ou=global entry should be available to all clients on the network
     • The ou=location tree has a similar function to the global tree
       • Holder for another group of organizational units
       • Each OU represents a group of printers
     • The big difficulty is deciding on an acceptable schema for representing printer capabilities and data

  36. Central Printer Management (cont.) The Namespace (cont.)
     • There is currently no standardized printer schema
     • Closest: draft-fleming-ldap-printer-schema-XX.txt
     • See also "Network Printing" from O'Reilly
     • Some additional object classes and attributes are needed to generate printcap entries for LPD and LPRng
     • Problem: dNSZone and printerService objects are both structural classes
       • Fortunately, BIND9 LDAP lookups do not use the objectClass
       • Use the extensibleObject class in place of dNSZone
       • The other solution would be to define a new auxiliary object class with all the attributes
         contained in a dNSZone object

  37. Central Printer Management (cont.) Object Classes for Printing
     objectClass: printerAbstract (parent of printerService)
       printer-name, printer-natural-language-configured, printer-location, printer-info,
       printer-more-info, printer-make-and-model, printer-multiple-document-jobs-supported,
       printer-charset-configured, printer-charset-supported,
       printer-generated-natural-language-supported, printer-document-format-supported,
       printer-color-supported, printer-compression-supported, printer-pages-per-minute,
       printer-pages-per-minute-color, printer-finishings-supported, printer-number-up-supported,
       printer-sides-supported, printer-media-supported, printer-media-local-supported,
       printer-resolution-supported, printer-print-quality-supported, printer-job-priority-supported,
       printer-copies-supported, printer-job-k-octets-supported, printer-current-operator,
       printer-service-person, printer-delivery-orientation-supported,
       printer-stacking-order-supported, printer-output-features-supported

     objectClass: printerService
       printer-uri, printer-xri-supported

     objectClass: printerLPR
       printer-name (required), printer-aliases (optional)

     objectClass: nprintPortPrinterInfo
       nprintDeviceName, nprintDeviceFlags, nprintFilter

     objectClass: nprintNetworkPrinterInfo
       nprintDNSName, nprintHardwareQueueName, nprintQueuePort

  38. Central Printer Management (cont.)
     Example networked printer configuration:

        dn: printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
        aRecord: 192.168.1.220
        printer-name: hp2100
        nprintHardwareQueueName: raw
        printer-uri: lpr://hp2100
        relativeDomainName: hp2100
        objectClass: printerService
        objectClass: nprintNetworkPrinterInfo
        objectClass: extensibleObject
        printer-job-k-octets-supported: 10000
        zoneName: lp.plainjoe.org

     No nprintDNSName attribute: it can be determined from the relativeDomainName and zoneName attributes.

     Example non-networked printer configuration:

        dn: printer-uri=lpr://bjc240,ou=config,ou=printers,dc=plainjoe,dc=org
        printer-name: bjc240
        nprintHardwareQueueName: raw
        printer-uri: lpr://bjc240
        objectClass: printerService
        objectClass: printerLPR
        objectClass: nprintPortPrinterInfo
        nprintDeviceName: /dev/lp0
        printer-aliases: canon

  39. Central Printer Management (cont.) More Configuration ...
     • Entries below ou=global and ou=location contain only a printer's name, e.g.:

        dn: printer-name=hp2100,ou=global,ou=printers,dc=plainjoe,dc=org
        printer-name: hp2100
        objectClass: printerService

        dn: printer-name=bitsink,ou=floor-1,ou=location,dc=plainjoe,dc=org
        printer-name: bitsink
        objectClass: printerService

     • The nprintHostPrinter AUXILIARY object class allows an existing entry for a network host
       to be extended to define its membership in a printing group:
         objectClass: nprintHostPrinter
         optional attributes: nprintPrinterName, nprintLocation

  40. Central Printer Management (cont.) More Configuration ... (cont.)
     • Entry for workstation queso.plainjoe.org:

        dn: relativeDomainName=queso,ou=hosts,dc=plainjoe,dc=org
        aRecord: 192.168.1.74
        nprintLocation: floor-1
        objectClass: dNSZone
        objectClass: nprintHostPrinter
        relativeDomainName: queso
        dNSTTL: 86400
        nprintPrinterName: draft-printer
        zoneName: plainjoe.org

     • The generate_printcap.pl script builds the printcap file from these entries

  41. Central Printer Management (cont.) Printing Information and Entries for queso.plainjoe.org
     (Diagram.) relativeDomainName=queso under ou=hosts carries nprintLocation: floor-1 and
     nprintPrinterName: draft-printer. Under ou=printers, ou=config holds the printer-uri entries
     lpr://hp2100, lpr://bjc240, lpr://draft-printer and lpr://bitsink; ou=global lists
     printer-name: hp2100; ou=floor-1 under ou=location lists printer-name: bitsink.

  42. Central Printer Management (cont.) Resulting printcap File

        # printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
        # objectClass: nprintNetworkPrinterInfo
        hp2100:\
            :sh:\
            :mx#10000:\
            :lf=/var/spool/lpd/hp2100/lpd-err:\
            :sd=/var/spool/lpd/hp2100:\
            :lp=/dev/null:\
            :rm=hp2100.lp.plainjoe.org:\
            :rp=raw:

        # printer-uri=lpr://bitsink,ou=config,ou=printers,dc=plainjoe,dc=org
        # objectClass: nprintNetworkPrinterInfo
        bitsink:\
            :sh:\
            :mx#0:\
            :lf=/var/spool/lpd/bitsink/lpd-err:\
            :sd=/var/spool/lpd/bitsink:\
            :lp=/dev/null:\
            :rm=bitsink.lp.plainjoe.org:\
            :rp=bitsink:

        # printer-uri=lpr://draft-printer,ou=config,ou=printers,dc=plainjoe,dc=org
        # objectClass: nprintPortPrinterInfo
        draft-printer:\
            :sh:\
            :mx#0:\
            :lf=/var/spool/lpd/draft-printer/lpd-err:\
            :sd=/var/spool/lpd/draft-printer:\
            :lp=/dev/lp0:\
            :if=/opt/printers/filters/hpif.sh:
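How the printcap above is derived from the entries on slides 38 to 41 (global printers, the host's location group, then host-specific printers), as an added Python example; it is not the generate_printcap.pl script from the course. The directory entries are constructed inline as dicts instead of being read over LDAP, and the nprintFilter value for draft-printer is taken from the printcap on this slide.

```python
# Added example: printcap generation from the printer entries of slides 38-41.
# CONFIG stands in for ou=config, GLOBAL for ou=global, LOCATION for ou=location,
# HOSTS for the nprintHostPrinter attributes of an ou=hosts entry (all constructed).
CONFIG = {
    "hp2100": {"objectClass": ["printerService", "nprintNetworkPrinterInfo"],
               "nprintHardwareQueueName": "raw", "printer-job-k-octets-supported": "10000",
               "zoneName": "lp.plainjoe.org", "relativeDomainName": "hp2100"},
    "bitsink": {"objectClass": ["printerService", "nprintNetworkPrinterInfo"],
                "nprintHardwareQueueName": "bitsink", "zoneName": "lp.plainjoe.org",
                "relativeDomainName": "bitsink"},
    "draft-printer": {"objectClass": ["printerService", "nprintPortPrinterInfo"],
                      "nprintDeviceName": "/dev/lp0",
                      "nprintFilter": "/opt/printers/filters/hpif.sh"},
    "bjc240": {"objectClass": ["printerService", "nprintPortPrinterInfo"],
               "nprintDeviceName": "/dev/lp0"},
}
GLOBAL = ["hp2100"]                       # printer-name entries below ou=global
LOCATION = {"floor-1": ["bitsink"]}       # ou=<group>,ou=location entries
HOSTS = {"queso": {"nprintLocation": "floor-1", "nprintPrinterName": ["draft-printer"]}}

def printers_for_host(host):
    """Global printers, then the host's location group, then host-specific printers."""
    h = HOSTS.get(host, {})
    names = list(GLOBAL) + LOCATION.get(h.get("nprintLocation"), []) + h.get("nprintPrinterName", [])
    return list(dict.fromkeys(names))     # drop duplicates, keep order

def printcap_entry(name):
    """One printcap stanza for the ou=config entry called `name`."""
    e = CONFIG[name]
    caps = ["sh", f"mx#{e.get('printer-job-k-octets-supported', '0')}",
            f"lf=/var/spool/lpd/{name}/lpd-err", f"sd=/var/spool/lpd/{name}"]
    if "nprintNetworkPrinterInfo" in e["objectClass"]:
        # remote host name is built from relativeDomainName and zoneName (slide 38)
        caps += ["lp=/dev/null", f"rm={e['relativeDomainName']}.{e['zoneName']}",
                 f"rp={e['nprintHardwareQueueName']}"]
    else:
        caps.append(f"lp={e['nprintDeviceName']}")
        if "nprintFilter" in e:
            caps.append(f"if={e['nprintFilter']}")
    return f"{name}:\\\n" + "\\\n".join(f"\t:{c}:" for c in caps)

def printcap_for_host(host):
    """The complete printcap text a given workstation should receive."""
    return "\n".join(printcap_entry(n) for n in printers_for_host(host)) + "\n"
```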
