CIT 470: Advanced Network and System Administration

Directories

Topics
  • Directories
  • LDAP Structure
  • LDIF
  • Distinguished Names
  • Replication
  • OpenLDAP Configuration

What is a Directory?

Directory: A collection of information that is primarily searched and read, rarely modified.

Directory Service: Provides access to directory information.

Directory Server: Application that provides a directory service.

Directories vs. Databases

Directories are optimized for reading.

  • Databases balanced for read and write.

Directories are tree-structured.

  • Databases typically have relational structure.

Directories are usually replicated.

  • Databases can be replicated too.

Both are extensible data storage systems.

Both have advanced search capabilities.

System Administration Directories

Types of directory data

  • Accounts
  • Mail aliases and lists (address book)
  • Cryptographic keys
  • IP addresses
  • Hostnames
  • Printers

Common directory services

  • DNS, LDAP, NIS

Advantages of Directories

Make administration easier.

  • Change data only once: people, accounts, hosts.

Unify access to network resources.

  • Single sign on.
  • Single place for users to search (address book)

Improve data management

  • Improve consistency (one location vs many)
  • Secure data in one place: one server to harden, audit and back up, instead of many copies of /etc/passwd and /etc/hosts.

NIS: Network Information Service

Originally called Sun Yellow Pages

  • Clients run ypbind.
  • Servers run ypserv.
  • Data stored under /var/yp on server.

Server shares NIS maps with clients

  • Each UNIX file may provide multiple NIS maps.
  • NIS maps map keys like UID, username to data.
  • passwd: passwd.byname, passwd.byuid

Slave servers replicate master server content.

Easy to use, but insecure and difficult to extend: NIS has no authentication and no transport encryption, so any host that can reach ypserv and knows (or guesses) the NIS domain name can dump every map, including the password hashes in passwd.byname. The securenets file only filters by source IP address, which is trivially spoofed.

LDAP

Lightweight Directory Access Protocol

  • Lightweight compared to X.500 directories.
  • Directory, not a database, service.
  • Access Protocol, not a directory itself.

LDAP Clients and Servers

LDAP Clients

  • Standalone directory browsers.
  • Embedded clients (mail clients, logins, etc.)
  • Configure /etc/nsswitch.conf on UNIX (with nss_ldap or sssd) so that logins, groups and hosts are resolved through LDAP.

Common LDAP servers

LDAP Structure

An LDAP directory is made of entries.

  • Entries may be employee records, hosts, etc.

Each entry consists of attributes.

  • Attributes can be names, phone numbers, etc.
  • objectClass attribute identifies entry type.

Each attribute is a type / value pair.

  • Type is a label for the information stored (name)
  • Value is value for the attribute in this entry.
  • Attributes can be multi-valued.

Tree-structure of LDAP Directories

LDAP Schemas

Schemas specify allowed objectClasses and attributes.

LDIF

LDAP Data Interchange Format (RFC 2849).

  • Standard text format for storing LDAP configuration data and directory contents.

LDIF Files

  • Collection of entries separated by blank lines.
  • Mapping of attribute names to values.

Uses

  • Import new data into directory.
  • Export directory to LDIF files for backups.

LDIF Output Example
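As an added example (not code from the slides or from OpenLDAP), here is a small Python reader for the LDIF that slapcat and ldapsearch -LLL emit. The export embedded in it is constructed for the example: the fooj entry mirrors the one shown later in these notes, while the smithj entry and its attributes are invented to exercise folded continuation lines, base64 ('::') values and multi-valued attributes. The last function shows why a slapcat export must be protected like /etc/shadow.

```python
"""Minimal reader for LDIF (RFC 2849) as written by slapcat and ldapsearch -LLL.

Added example for these lecture notes; not code from the slides or from
OpenLDAP. It handles what a naive split-on-colon misses: entries separated
by blank lines, folded continuation lines (leading space), base64 values
('attr:: ...'), multi-valued attributes and '#' comment lines.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample export. The fooj entry mirrors the one in the notes; the
# smithj entry is invented to exercise folding, base64 and a password hash.
SAMPLE_LDIF = """\
# slapcat-style export (constructed sample)
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101

dn: uid=smithj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: posixAccount
uid: smithj
uidNumber: 12302
gidNumber: 12302
cn:: SsO2cmcgU21pdGg=
description: a long value that the exporter folded
  onto a second line
homeDirectory: /home/g/smithj
loginShell: /bin/bash
userPassword:: e1NTSEF9ZGVtbw==
"""


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; every attribute maps to a list of values,
    because LDAP attributes are multi-valued (see the four objectClass lines)."""
    # Step 1: unfold. A line beginning with one space continues the previous line.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    # Step 2: split into entries on blank lines and decode each attrval line.
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:            # the trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"not an LDIF attrval line: {line!r}")
        if rest.startswith(":"):            # 'attr:: <base64>' (non-ASCII or binary)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):          # 'attr:< file:///...' would read local files
            raise ValueError("URL-valued attributes are not loaded from disk here")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def entries_with_attr(entries: List[Entry], attr: str) -> List[str]:
    """DNs of entries that carry 'attr' (attribute names are case-insensitive).
    Asking for userPassword shows why backup.ldif must not be world-readable."""
    want = attr.lower()
    return [e["dn"][0] for e in entries if any(k.lower() == want for k in e)]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for entry in parsed:
        print(entry["dn"][0], "->", ", ".join(entry["objectClass"]))
    print("entries holding password hashes:", entries_with_attr(parsed, "userPassword"))
```

The 'attr:< URL' form is rejected on purpose: ldapadd will happily read file:/// URLs from an LDIF you feed it, so an LDIF from an untrusted source should never be imported without inspecting it first.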

LDIF Backups and Restores

Backing up an LDAP directory (slapcat reads the database files directly, so it works whether or not slapd is running)

slapcat -l backup.ldif

OR to do a daily backup use date in name

slapcat -l backup-`date +%F`.ldif

The export contains every userPassword hash and every attribute that the access controls normally hide, so treat it like /etc/shadow: create it under a restrictive umask (umask 077) and keep it off world-readable filesystems.

Restoring an LDAP directory

service ldap stop
rm -rf /var/lib/ldap/*
slapadd -l backup.ldif
chown -R ldap:ldap /var/lib/ldap
service ldap start

slapadd run as root leaves the new database files owned by root. Without the chown, slapd (which drops to the ldap user on the RHEL-style systems these notes assume) cannot open its database and refuses to start.

Distinguished Names

Distinguished Names (DNs)

  • Uniquely identify an LDAP entry.
  • Provides path from LDAP root to the named entry.
  • Similar to an absolute pathname.
  • dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org

Relative DNs (RDNs)

  • The leftmost component of the DN: attribute=value pair(s) unique among the entries in the same container.
  • ex: cn=Jeff Foo OR uid=fooj
  • Similar to a relative pathname, but only one level deep.
  • May have multiple components joined with '+', so two entries in one container can share a cn:
  • cn=Jane Smith+ou=Sales
  • cn=Jane Smith+ou=Engineering
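An added example (not from the slides or from OpenLDAP) that splits and builds DNs under the RFC 4514 rules the slide summarises. A DN is a comma-separated list of RDNs, leftmost first, and an RDN is one or more attribute=value pairs joined with '+'; values may contain ',' or '+' only when escaped, which is what makes DN handling more than str.split(','). The DNs used in the code are the ones from the slides plus a few constructed ones; build_dn shows the escaping needed when the value comes from user input.

```python
"""Splitting and building distinguished names (RFC 4514).

Added example for these notes; not from the slides or from OpenLDAP.
"""
import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]            # [("cn", "Jane Smith"), ("ou", "Sales")]

_SPECIAL = set(',+"\\<>;')             # must be backslash-escaped inside a value


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4):
    the special characters anywhere, '#' at the start, spaces at either end."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, skipping separators protected by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])         # keep the escape for _unescape later
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Undo both escape forms: '\\,' and hex pairs such as '\\2C' (hex pairs
    may spell out UTF-8 bytes one at a time, hence the bytearray)."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        buf.extend(value[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """'cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org' ->
    [[('cn','Jane Smith'),('ou','Sales')], [('dc','plainjoe')], [('dc','org')]]"""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        avas: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, sep, val = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr.strip(), _unescape(val.lstrip())))
        rdns.append(avas)
    return rdns


def parent_dn(dn: str) -> str:
    """Everything after the first RDN: the container the entry lives in."""
    return ",".join(_split_unescaped(dn, ",")[1:])


def build_dn(attr: str, value: str, parent: str) -> str:
    """Compose a DN from an untrusted value. Escaping keeps a value such as
    'evil,ou=Admins' inside this RDN instead of relocating the entry."""
    return f"{attr}={escape_dn_value(value)},{parent}"


if __name__ == "__main__":
    for dn in ("cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org",
               build_dn("cn", "Foo, Jeff", "ou=Sales,dc=plainjoe,dc=org")):
        print(dn, "->", parse_dn(dn), "parent:", parent_dn(dn))
```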

(R)DN Example #1

(R)DN Example #2

ldapsearch

Options

-LLL prints plain LDIF: one -L selects LDIFv1 output, -LL also drops comments, -LLL also drops the version line.

-b base supplies the search base DN (uses BASE from ldap.conf if no -b).

-x uses simple bind instead of SASL. With no -D/-w this is an anonymous bind; if you add -w, the password crosses the wire in cleartext unless the URI is ldaps:// or you also pass -ZZ to require STARTTLS.

-H ldap://your.server.edu accesses that server.

If -H not specified, uses URI from ldap.conf to find the server.

Search for all elements

ldapsearch -LLL -x -b "dc=gkar,dc=nku,dc=edu" "(objectclass=*)"


ldapsearch -LLL -x "(filter)"

> ldapsearch -LLL -x "(uid=fooj)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101


ldapsearch -LLL -x "(filter)"

> ldapsearch -LLL -x "(uidNumber=10101)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/c/fooj
loginShell: /bin/bash
gidNumber: 10101

Multiple Record Matches

> ldapsearch -LLL -x "(loginShell=/bin/bash)"
dn: uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: fooj
uidNumber: 10101
cn: fooj
homeDirectory: /home/b/fooj
loginShell: /bin/bash
...
Size limit exceeded (4)

Result code 4 (sizeLimitExceeded) means the server stopped after its sizelimit (slapd's default is 500 entries) or the client stopped at the SIZELIMIT from ldap.conf; the entries shown are real but the result set is truncated. Narrow the filter, request only the attributes you need, or raise the client limit with -z (the server's limit still applies).

Wildcard Matches

> ldapsearch -LLL -x "(uid=smith*)"
dn: uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu
uid: smitha
uidNumber: 10221
cn: smitha
homeDirectory: /home/f/smitha
loginShell: /bin/bash
...
dn:
uid: smithj
uidNumber: 12302
cn: smithj
homeDirectory: /home/g/smithj
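The wildcard that makes "(uid=smith*)" useful is also what makes LDAP filter injection work: any program that pastes user input into a filter lets the user supply '*' or close the parenthesis and add clauses. The following added example (not from the slides or from OpenLDAP) shows RFC 4515 escaping beside the unescaped form. The in-memory directory and the small filter evaluator are constructed for the example so it runs without a server; the evaluator supports only the filter forms used in these notes, (attr=value), (attr=sub*string), (attr=*) and the &, | and ! operators, which is enough to watch the injection succeed and then fail.

```python
"""LDAP search filters (RFC 4515): escaping untrusted input, and why.

Added example for these notes; not from the slides or from OpenLDAP.
"""
from typing import Dict, List, Sequence

Entry = Dict[str, List[str]]

# Constructed directory modelled on the uid=fooj / uid=smith* entries above.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=fooj,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["fooj"],
     "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
     "loginShell": ["/bin/bash"]},
    {"dn": ["uid=smitha,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["smitha"],
     "objectClass": ["top", "posixAccount"], "loginShell": ["/bin/bash"]},
    {"dn": ["uid=smithj,ou=People,dc=gkar,dc=nku,dc=edu"], "uid": ["smithj"],
     "objectClass": ["top", "posixAccount"], "loginShell": ["/bin/tcsh"]},
    {"dn": ["cn=ldapadmin,dc=gkar,dc=nku,dc=edu"], "cn": ["ldapadmin"],
     "objectClass": ["top", "person"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515: '*', '(', ')', '\\', NUL and non-printable or non-ASCII bytes
    become \\XX, so user input can never add filter syntax."""
    out = []
    for b in value.encode("utf-8"):
        out.append("\\%02x" % b if (b in b"*()\\\x00" or b < 0x20 or b > 0x7E) else chr(b))
    return "".join(out)


def _unescape(s: str) -> str:
    buf, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\" and i + 3 <= len(s):
            buf.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(s[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def _parse(s: str, i: int):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)                  # a literal ')' cannot occur inside a value
    attr, sep, pattern = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality and substring filters are supported")
    return ("=", attr.lower(), pattern), end + 1


def _match(pattern: str, value: str) -> bool:
    """Equality, or substring match when the pattern contains an unescaped '*'."""
    pieces = [_unescape(p) for p in pattern.split("*")]
    if len(pieces) == 1:
        return value == pieces[0]
    head, *middle, tail = pieces
    if len(value) < len(head) + len(tail) or not value.startswith(head) or not value.endswith(tail):
        return False
    pos, limit = len(head), len(value) - len(tail)
    for piece in middle:
        idx = value.find(piece, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def _evaluate(node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(_evaluate(k, entry) for k in node[1])
    if op == "!":
        return not _evaluate(node[1][0], entry)
    _, attr, pattern = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return any(_match(pattern, v) for v in values)


def search(entries: Sequence[Entry], filt: str) -> List[str]:
    """DNs of entries matching filt, in directory order (like ldapsearch)."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return [e["dn"][0] for e in entries if _evaluate(node, e)]


def login_filter_unsafe(uid: str) -> str:
    """Invites filter injection: the uid is pasted in raw."""
    return f"(&(uid={uid})(objectClass=posixAccount))"


def login_filter_safe(uid: str) -> str:
    return f"(&(uid={escape_filter_value(uid)})(objectClass=posixAccount))"


def ldapsearch_argv(base: str, filt: str, attrs: Sequence[str] = ()) -> List[str]:
    """argv for the command form used in the notes; an argv list (never a
    shell string) keeps the filter away from shell parsing as well."""
    return ["ldapsearch", "-LLL", "-x", "-b", base, filt, *attrs]


if __name__ == "__main__":
    for uid in ("fooj", "*", "*)(objectClass=*"):
        print(repr(uid), "unsafe:", search(DIRECTORY, login_filter_unsafe(uid)),
              "safe:", search(DIRECTORY, login_filter_safe(uid)))
```

With the unsafe pattern, a uid of "*" or "*)(objectClass=*" matches every POSIX account; with the escaped pattern the same strings are compared literally and match nothing. The same rule applies to any DN you build from user input, with the separate escaping rules of RFC 4514.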


OpenLDAP

Open source LDAPv3 server.
  • LDAP server: slapd
  • Client commands: ldapadd, ldapsearch
  • Backend storage: BerkeleyDB (back-bdb/back-hdb in the releases these notes describe; current OpenLDAP releases use LMDB, back-mdb)
  • Backend commands: slapadd, slapcat
  • Schemas: /etc/openldap/schema
  • Data: /var/lib/ldap

Configuration files

  • Client: /etc/openldap/ldap.conf
  • Server: /etc/openldap/slapd.conf

Building an OpenLDAP Server
  • Install OpenLDAP.
  • Configure LDAP for your domain.

Edit slapd.conf

OR use the dynamic runtime configuration held in the directory itself (cn=config, documented as slapd-config), which OpenLDAP 2.3 and later provide in place of slapd.conf.

  • Start server

Immediate: service ldap start

Permanent: chkconfig --level 35 ldap on

  • Add data with ldapadd (or bulk-load an LDIF file with slapadd while slapd is stopped).
  • Verify functionality with ldapsearch.

slapd.conf (Server)

File Locations (usually accept defaults)

  • Schema files (include directives)
  • Configuration files
  • Database directory

Database

  • suffix = DN of topmost node in directory
  • rootdn = DN of LDAP administrative user
  • rootpw = Password of LDAP administrator. Store the {SSHA} hash that slappasswd prints, never the cleartext, and keep slapd.conf readable only by root and the ldap user: rootdn bypasses every access directive, so this one value is the whole directory.

Access Control

  • access directives are evaluated in order and the first match wins. With none at all, slapd's default grants read to everyone, including userPassword hashes; the usual first rule lets an entry write its own userPassword, lets anonymous clients use it only for authentication, and hides it from everyone else.

ldap.conf (Client)

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com (match suffix in slapd.conf)
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# Simple binds (-x) send the password in the clear over ldap://. Point clients
# at ldaps:// or require STARTTLS (-ZZ), and name the CA they may trust
# (the path below is an example, not a default):
#TLS_CACERT /etc/openldap/cacerts/ca.crt
