CIT 470: Advanced Network and System Administration

Directories


Topics

  • Directories

  • LDAP Structure

  • LDIF

  • Distinguished Names

  • Replication

  • OpenLDAP Configuration


What is a Directory?

Directory: A collection of information that is primarily searched and read, rarely modified.

Directory Service: Provides access to directory information.

Directory Server: Application that provides a directory service.


Directories vs. Databases

Directories are optimized for reading.

  • Databases are balanced for reading and writing.

Directories are tree-structured.

  • Databases typically have a relational structure.

Directories are usually replicated.

  • Databases can be replicated too.

Both are extensible data storage systems.

Both have advanced search capabilities.


System Administration Directories

Types of directory data

  • Accounts

  • Mail aliases and lists (address book)

  • Cryptographic keys

  • IP addresses

  • Hostnames

  • Printers

Common directory services

  • DNS, LDAP, NIS


Advantages of Directories

Make administration easier.

  • Change data only once: people, accounts, hosts.

Unify access to network resources.

  • Single sign-on.

  • Single place for users to search (address book).

Improve data management.

  • Improve consistency (one location vs. many).

  • Secure data by serving it through only one server.


NIS: Network Information Service

Originally called Sun Yellow Pages.

  • Clients run ypbind.

  • Servers run ypserv.

  • Data is stored under /var/yp on the server.

The server shares NIS maps with clients.

  • Each UNIX file may provide multiple NIS maps.

  • NIS maps map keys such as UID or username to data.

  • passwd provides passwd.byname and passwd.byuid.

Slave servers replicate the master server's content.

Easy to use, but insecure and difficult to extend.


LDAP

Lightweight Directory Access Protocol

  • Lightweight compared to X.500 directories.

  • A directory service, not a database.

  • An access protocol, not a directory itself.


LDAP Clients and Servers

LDAP Clients

  • Standalone directory browsers.

  • Embedded clients (mail clients, logins, etc.)

  • Configure /etc/nsswitch.conf on UNIX to use LDAP.

Common LDAP servers


LDAP Structure

An LDAP directory is made of entries.

  • Entries may be employee records, hosts, etc.

Each entry consists of attributes.

  • Attributes can be names, phone numbers, etc.

  • The objectClass attribute identifies the entry type.

Each attribute is a type / value pair.

  • The type is a label for the information stored (e.g. name).

  • The value is the value of that attribute in this entry.

  • Attributes can be multi-valued.


Tree-structure of LDAP Directories


LDAP Schemas

Schemas specify allowed objectClasses and attributes.


LDIF

LDAP Data Interchange Format.

  • Standard text format for storing LDAP configuration data and directory contents.

LDIF Files

  • Collection of entries separated by blank lines.

  • Each entry maps attribute names to values.

Uses

  • Import new data into the directory.

  • Export the directory to LDIF files for backups.


LDIF Output Example
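The slide's example output did not survive in the transcript. As an added example (not part of the original slides), the Python below parses the LDIF format the previous slides describe: entries separated by blank lines, one `attribute: value` per line, repeated lines for multi-valued attributes, folded continuation lines and `::` base64 values. The sample LDIF is constructed, modelled on the uid=fooj entry shown on the ldapsearch slides.

```python
import base64

# Constructed sample, modelled on the uid=fooj entry shown on the ldapsearch slides.
SAMPLE_LDIF = """\
# comment lines start with '#'
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: posixAccount
uid: fooj
uidNumber: 10101
description: a long value folded acr
 oss two lines

dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
cn: Jeff Foo
sn:: Rm9v
"""

def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded line: drop the leading space and join
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                    # the trailing "" flushes the last entry
        if line.startswith(("#", "version:")):
            continue
        if not line.strip():                     # a blank line ends the current entry
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep or (current is None and name != "dn"):
            raise ValueError("bad LDIF line (entries must start with dn:): %r" % line)
        if value.startswith(":"):                # 'attr:: <base64>' carries non-ASCII/binary values
            value = base64.b64decode(value[1:]).decode("utf-8")
        else:
            value = value.strip()
        current = {} if current is None else current
        current.setdefault(name, []).append(value)
    return entries
```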


LDIF Backups and Restores

Backing up an LDAP directory:

  slapcat > backup.ldif

or, for a daily backup, put the date in the file name:

  slapcat > backup-`date +%F`.ldif

Restoring an LDAP directory:

  service ldap stop

  rm -rf /var/lib/ldap/*

  slapadd < backup.ldif

  service ldap start


Distinguished Names

Distinguished Names (DNs)

  • Uniquely identify an LDAP entry.

  • Provide the path from the LDAP root to the named entry.

  • Similar to an absolute pathname.

  • Example: dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org

Relative DNs (RDNs)

  • Any attribute pair that is unique within the entry's container in the directory.

  • Example: cn=Jeff Foo or username=fooj

  • Similar to a relative pathname.

  • Except that an RDN may have multiple components, joined with +:

  • cn=Jane Smith+ou=Sales

  • cn=Jane Smith+ou=Engineering
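As an added example (not part of the original slides), the Python below splits a DN into its RDNs the way the slide describes, including multi-valued RDNs joined with `+` and backslash-escaped separators, and uses the parsed form rather than raw string comparison to decide whether an entry sits under a base DN. The function names are assumptions; the sample DNs are the slide's own examples or constructed variants of them.

```python
def split_dn(dn):
    """Return the RDNs of a DN, leaf first; each RDN is a list of (type, value) pairs.

    ',' separates RDNs, '+' joins the parts of a multi-valued RDN, and a backslash
    escapes a literal ',', '+', '=' or '\\' inside a value (RFC 4514 syntax).
    """
    rdns, rdn, attr, field, i = [], [], None, "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character: keep it literally
            field += dn[i + 1]
            i += 2
            continue
        if ch == "=" and attr is None:             # end of the attribute type
            attr, field = field.strip().lower(), ""
        elif ch in ",+":                           # end of one type=value pair
            rdn.append((attr, field.strip()))
            attr, field = None, ""
            if ch == ",":                          # ',' also ends the whole RDN
                rdns.append(rdn)
                rdn = []
        else:
            field += ch
        i += 1
    rdn.append((attr, field.strip()))
    rdns.append(rdn)
    if any(a is None or not v for r in rdns for a, v in r):
        raise ValueError("malformed DN: %r" % dn)
    return rdns

def rdn(dn):
    """The entry's own name, e.g. [('cn', 'Jeff Foo')], or both parts of a multi-valued RDN."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """The RDNs of the container the entry lives in (like dirname of a pathname)."""
    return split_dn(dn)[1:]

def is_under(dn, base):
    """True if dn is base or lies below it. Compares parsed RDNs, so differences in type
    case and spacing do not fool the check; it assumes caseIgnore matching for every
    attribute value, which is a simplification of real LDAP matching rules."""
    norm = lambda rdns: [sorted((t, v.lower()) for t, v in r) for r in rdns]
    d, b = norm(split_dn(dn)), norm(split_dn(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```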


(R)DN Example #1


(R)DN Example #2


ldapsearch

Options

  -LLL removes comments and LDAP version info.

  -b base supplies the base DN (uses BASE from ldap.conf if -b is not given).

  -x uses simple authentication instead of SASL.

  -H ldap://your.server.edu accesses that server.

  If -H is not specified, the server is taken from ldap.conf.

Search for all entries:

  ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"


ldapsearch -LLL -x "(DN)"

> ldapsearch -LLL -x "(uid=fooj)"

dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu

objectClass: top

objectClass: account

objectClass: posixAccount

objectClass: shadowAccount

uid: fooj

uidNumber: 10101

cn: fooj

homeDirectory: /home/c/fooj

loginShell: /bin/bash

gidNumber: 10101


ldapsearch -LLL -x "(DN)"

> ldapsearch -LLL -x "(uidNumber=10101)"

dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu

objectClass: top

objectClass: account

objectClass: posixAccount

objectClass: shadowAccount

uid: fooj

uidNumber: 10101

cn: fooj

homeDirectory: /home/c/fooj

loginShell: /bin/bash

gidNumber: 10101


Multiple Record Matches

> ldapsearch -LLL -x "(loginShell=/bin/bash)"

dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu

objectClass: top

objectClass: account

objectClass: posixAccount

objectClass: shadowAccount

uid: fooj

uidNumber: 10101

cn: fooj

homeDirectory: /home/b/fooj

loginShell: /bin/bash

...

Size limit exceeded (4)


Wildcard Matches

> ldapsearch -LLL -x "(uid=smith*)"

dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu

uid: smitha

uidNumber: 10221

cn: smitha

homeDirectory: /home/f/smitha

loginShell: /bin/bash

...

dn:

uid: smithj

uidNumber: 12302

cn: smithj

homeDirectory: /home/g/smithj
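As an added example (not part of the original slides), the Python below evaluates the filters used on the preceding ldapsearch slides, `(uid=fooj)`, `(uidNumber=10101)`, `(loginShell=/bin/bash)`, `(uid=smith*)` and `(objectclass=*)`, plus `&`, `|` and `!` combinations, against in-memory entries, and reproduces the size-limit cut-off seen on the Multiple Record Matches slide. The entries are constructed from the slide output; the `ldapsearch` function is an assumption, not OpenLDAP's code.

```python
import re
# Constructed sample entries, modelled on the ldapsearch output shown on the slides.
def _person(uid, uidnum, shell="/bin/bash"):
    return {"dn": ["uid=%s,ou=People,dc=gkar,dc=nku,dc=edu" % uid], "uid": [uid], "cn": [uid],
            "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
            "uidNumber": [str(uidnum)], "loginShell": [shell]}

PEOPLE = [_person("fooj", 10101), _person("smitha", 10221), _person("smithj", 12302, "/bin/tcsh")]

def parse_filter(text):
    """Parse '(type=value)' into ('=', type, value); '(&..)', '(|..)', '(!..)' into (op, children)."""
    text = text.strip()
    if len(text) < 3 or text[0] != "(" or text[-1] != ")":
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[0] in "&|!":                          # compound filter: recurse into each child
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(" and depth == 0:
                start = i
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if ch == ")" and depth == 0:
                children.append(parse_filter(body[start:i + 1]))
        return (body[0], children)
    attr, _, value = body.partition("=")          # attribute types are case-insensitive
    return ("=", attr.strip().lower(), value)

def matches(node, entry):
    """True if the entry satisfies the parsed filter node."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if pattern == "*":                            # presence filter, e.g. (objectclass=*)
        return bool(values)
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))   # '*' is the only wildcard
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def ldapsearch(entries, filter_text, sizelimit=0):
    """Return (hits, limit_exceeded); sizelimit > 0 cuts the search short, as slapd's 'Size limit exceeded (4)' does."""
    node, hits = parse_filter(filter_text), []
    for entry in entries:
        if matches(node, entry):
            if sizelimit and len(hits) >= sizelimit:
                return hits, True
            hits.append(entry)
    return hits, False
```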


OpenLDAP

Open source LDAPv3 server.

  • LDAP server: slapd

  • Client commands: ldapadd, ldapsearch

  • Backend storage: BerkeleyDB

  • Backend commands: slapadd, slapcat

  • Schemas: /etc/openldap/schema

  • Data: /var/lib/ldap

Configuration files

  • Client: /etc/openldap/ldap.conf

  • Server: /etc/openldap/slapd.conf


Building an OpenLDAP Server

  • Install OpenLDAP.

  • Configure LDAP for your domain:

    Edit slapd.conf

    OR use Run Time Configuration (RTC)

  • Start the server:

    Immediate: service ldap start

    Permanent: chkconfig --level 35 ldap on

  • Add data with ldapadd.

  • Verify functionality with ldapsearch.


slapd.conf (Server)

File locations (usually accept the defaults)

  • Schema files

  • Configuration files

  • Database directory

Database

  • suffix = DN of the topmost node in the directory

  • rootdn = DN of the LDAP administrative user

  • rootpw = Password of the LDAP administrator

Access Control
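rootpw should hold a hashed value of the kind slappasswd prints (its default scheme is {SSHA}) rather than the administrator's cleartext password, since anyone who can read slapd.conf otherwise holds the rootdn credential. As an added example (not OpenLDAP's own code), the Python below builds and verifies {SSHA} values and checks a slapd.conf fragment for a cleartext rootpw; the function names and the config fragments are constructed.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt); slappasswd uses a random 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)     # constant-time comparison

def rootpw_is_hashed(conf_text):
    """Find the rootpw directive in slapd.conf text: True if its value is a {SCHEME} hash,
    False if it is cleartext, None if the file has no rootpw line."""
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            return parts[1].strip().startswith("{")
    return None

# Constructed slapd.conf fragments: the weak form keeps the administrator password in the clear,
# the hardened form stores only the {SSHA} value (fixed salt here so the example is repeatable).
WEAK_CONF = 'suffix "dc=example,dc=com"\nrootdn "cn=Manager,dc=example,dc=com"\nrootpw secret\n'
HARDENED_CONF = WEAK_CONF.replace("rootpw secret", "rootpw " + ssha_hash("secret", b"salt"))
```

Hashing only protects the value at rest; slapd.conf should still be readable only by the account slapd runs as.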


ldap.conf (Client)

#

# LDAP Defaults

#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

#BASE dc=example,dc=com (match suffix in slapd.conf)

#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12

#TIMELIMIT 15

#DEREF never
