LDAP - PowerPoint PPT Presentation


PowerPoint Slideshow about 'LDAP' - jayme


Presentation Transcript
slide1

LINUX SYSTEM ADMINISTRATION AND SECURITY

LDAP

LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL

VINEET BHARDWAJ

VINAY KUMAR THOTA

03 AUGUST 2005

slide2

PRESENTATION OUTLINE

INTRODUCTION

INSTALLATION

CONFIGURATION

SECURITY ISSUES

CONCLUSION

slide3

INTRODUCTION

DIRECTORY SERVICE

LDAP

DESIGNED AT UNIVERSITY OF MICHIGAN

EXISTS AT THREE LEVELS

BIG PUBLIC SERVERS

LARGE ORGANIZATIONAL SERVERS

SMALLER WORK GROUP SERVERS

slide4

A directory service structure for the Internet. It has many features that make it ideal for providing network information services, including encryption support, access control lists and fast read access. LDAP can combine several systems that normally have to be maintained separately, such as NT authentication, UNIX authentication, MTA routing information, services/protocols/hosts information and network address books.

INFORMATION

KIND

ARRANGEMENT

REFERENCE

ACCESS

slide5

Prerequisite Software

Versions

The structure of an LDAP directory tree

LDAP directory servers store their data hierarchically.

As with DNS host names, an LDAP directory record's Distinguished Name (DN for short) is read from the individual entry, backwards through the tree, up to the top level.

slide6

A DIRECTORY TREE STRUCTURE

COUNTRY

STATE

THE ORGANIZATION

ORGANIZATIONAL UNIT

PERSON

slide7

HOW DOES LDAP WORK?

CLIENT SERVER MODEL

TCP/IP OR ANY OTHER CONNECTION ORIENTED

X.500, THE OSI DIRECTORY SERVICE

slide8

ABOUT Slapd AND Slurpd

Slapd

Supports strong authentication and data security

SASL

Transport layer security

Topology control – TCP Wrappers

Access Control

Choice of database back ends

slide9

Threads

Replication

Single Configuration file

Slurpd

Replicated service

Failed requests

slide10

Installing the LDAP Server

Five steps are necessary to install the server:

  • Install the pre-required packages (if not already installed).
  • Download the server.
  • Unpack the software.
  • Configure the Makefiles.
  • Build the server.
slide11

Installation contd.

Downloading the package

  • There are two freely distributed LDAP servers:

University of Michigan LDAP server and OpenLDAP server

  • The latest tar-gzipped version of OpenLDAP is available at the following address:

http://www.openldap.org

  • If you want to get the latest version of the University of Michigan server, go to this address:

ftp://terminator.rs.itd.umich.edu/ldap

slide12

Installation contd.

Unpacking the software
  • First copy the package to a suitable directory, for example /usr/local. Next use the following command:

tar xvzf openldap-2.2.5.tgz

  • You can also use this command, which decompresses to a pipe and untars from standard input:

gunzip -c openldap-2.2.5.tgz | tar xvf -

slide13

Installation contd.

Configuring the software

  • Type the following command on the directory where you unpacked the software:

./configure --help

This will print all options that you can customize with the configure script before you build the software.

  • Normally if you run configure without options, it will auto-detect the appropriate settings and prepare to build things on the default common location. So just type:

./configure

slide14

Installation contd.

Building the server

  • After configuring the software you can start building it. First build the dependencies, using the command:

make depend

  • Build the server after that, using the command:

make

  • To ensure a correct build, you should run the test suite:

make test

  • Now install the binaries and man pages. You may need to be superuser to do this (depending on where you are installing things):

su root -c 'make install'
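The download and unpack steps above take a tarball from the network and feed it straight to tar. The script below is an added example, not code from the slides or from the OpenLDAP project: it checks the archive's SHA-256 against an expected value before unpacking and refuses archives whose members would be written outside the target directory. In practice the expected hash comes from the project's release announcement; here the tarball is constructed locally (a one-file stand-in, not OpenLDAP source), so its hash is computed on the spot. The file name openldap-2.2.5.tgz and all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides or the OpenLDAP project): the download
# and unpack steps with the checks a practitioner adds before building source
# from the network. Paths and the file name openldap-2.2.5.tgz are assumed.
set -eu

# Print the SHA-256 of file $1 (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if file $1 hashes to the expected value $2.
verify_tarball() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Fail if any member of tarball $1 is an absolute path or contains a ".."
# component, which would let "tar xvzf" write outside the unpack directory.
tarball_is_contained() {
    if tar tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    return 0
}

# Verify tarball $1 against checksum $2 and unpack it into directory $3.
# Nothing is extracted unless both checks pass.
unpack_release() {
    tarball=$1; expected=$2; dest=$3
    if ! verify_tarball "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball; not unpacking" >&2
        return 1
    fi
    if ! tarball_is_contained "$tarball"; then
        echo "$tarball has members that escape $dest; not unpacking" >&2
        return 1
    fi
    mkdir -p "$dest"
    tar xzf "$tarball" -C "$dest"
}

# Constructed sample: a tiny tarball laid out like a source release, so the
# functions above can run offline. It is not OpenLDAP source.
make_sample_tarball() {
    mkdir -p "$1/src/openldap-2.2.5"
    echo "constructed sample, not OpenLDAP source" > "$1/src/openldap-2.2.5/README"
    tar czf "$1/openldap-2.2.5.tgz" -C "$1/src" openldap-2.2.5
    echo "$1/openldap-2.2.5.tgz"
}

# Demo: build the sample, record its hash as the "published" value, unpack.
work=$(mktemp -d)
sample=$(make_sample_tarball "$work")
published_sha256=$(sha256_of "$sample")
unpack_release "$sample" "$published_sha256" "$work/build"
ls "$work/build/openldap-2.2.5"
```

After a successful `unpack_release`, the `./configure`, `make depend`, `make` and `make test` steps run inside the unpack directory exactly as the slides describe; the point of the wrapper is only that a tampered or mis-downloaded archive never reaches that stage.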

slide15

Configuration
  • All slapd (LDAP directory server) runtime configuration is accomplished through the slapd.conf file, installed in the prefix directory one specifies in the configure script, or by default in

/usr/local/etc/openldap

  • First create an /etc/openldap/slapd.conf file. You need to change the following lines:

suffix "dc=mydomain, dc=com"

rootdn "cn=admin, dc=mydomain, dc=com"

rootpw {crypt}abjnggxhB/yWI

slide16

Configuration contd.
  • The suffix is your “LDAP basename”. Common practice is to use your DNS domain name as your LDAP basename.
  • The rootdn is the administrator's DN, and rootpw is the administrator's password.
  • You also need to change /etc/ldap.conf and /etc/openldap/ldap.conf to set the name of your LDAP server and your basename.
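The three lines above are the minimum that makes slapd start, but they leave the server listening in cleartext on port 389 with the default access policy. The script below is an added example, not code from the slides or from the OpenLDAP project: it writes a slapd.conf in the same shape but with the protections the SECURITY ISSUES slides list (TLS, a security strength factor floor, access control on password hashes), and it lints any slapd.conf for the weak settings those slides warn about. The schema, certificate and data paths, the example domain and the placeholder `{SSHA}` value are assumptions; a real rootpw hash comes from `slappasswd -s`.

```shell
#!/bin/sh
# Added example (not from the slides or the OpenLDAP project): writes a
# hardened slapd.conf in the shape the CONFIGURATION slides describe, then
# lints a configuration for the weak settings the SECURITY ISSUES slides
# warn about. Paths, the example domain and the placeholder hash are assumed.
set -eu

# Write a hardened slapd.conf to $1 for suffix $2 and rootdn $3. $4 must be an
# already-hashed rootpw, e.g. the output of: slappasswd -s 'your-password'
write_slapd_conf() {
    out=$1; suffix=$2; rootdn=$3; rootpw=$4
    cat > "$out" <<EOF
include    /usr/local/etc/openldap/schema/core.schema
pidfile    /usr/local/var/run/slapd.pid

# Refuse every operation, simple binds included, unless the session carries at
# least 128 bits of protection (TLS on port 389, ldaps on 636, or a SASL layer).
security   ssf=128
TLSCACertificateFile   /usr/local/etc/openldap/ca.crt
TLSCertificateFile     /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile  /usr/local/etc/openldap/server.key

database   bdb
suffix     "$suffix"
rootdn     "$rootdn"
rootpw     $rootpw
directory  /usr/local/var/openldap-data

# Password hashes: the owner may change them, anyone may bind against them,
# nobody may read them. Everything else is readable by authenticated users only.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none
EOF
}

# The minimal "three lines changed" configuration, with a cleartext rootpw and
# no TLS or access directives: what the linter should reject.
write_weak_slapd_conf() {
    cat > "$1" <<EOF
include    /usr/local/etc/openldap/schema/core.schema
database   bdb
suffix     "dc=mydomain, dc=com"
rootdn     "cn=admin, dc=mydomain, dc=com"
rootpw     secret
directory  /usr/local/var/openldap-data
EOF
}

# Print one WARN line per weak setting found in slapd.conf $1.
# Returns 0 when nothing was flagged, 1 otherwise.
lint_slapd_conf() {
    body=$(sed 's/#.*//' "$1")    # drop comments before matching directives
    n=0
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]'; then
        echo "WARN: rootpw is cleartext; store a {SSHA} or {CRYPT} hash"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*security[[:space:]].*ssf=[0-9]+'; then
        echo "WARN: no 'security ssf=' floor; simple binds may cross the network unprotected"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*TLSCertificateFile[[:space:]]'; then
        echo "WARN: no TLSCertificateFile; the server cannot offer TLS or ldaps"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=userPassword'; then
        echo "WARN: no ACL on userPassword; the default access (read for everyone) applies"; n=$((n + 1))
    fi
    if [ "$n" -eq 0 ]; then
        echo "OK: no weak settings found"
        return 0
    fi
    return 1
}

# Demo on constructed files in a temporary directory.
work=$(mktemp -d)
write_slapd_conf "$work/slapd.conf" "dc=mydomain,dc=com" "cn=admin,dc=mydomain,dc=com" \
    '{SSHA}PLACEHOLDER-replace-with-slappasswd-output'
lint_slapd_conf "$work/slapd.conf"
write_weak_slapd_conf "$work/weak.conf"
lint_slapd_conf "$work/weak.conf" || echo "weak.conf rejected"
```

With `security ssf=128` in place, the `ldapsearch -x` check from the client-setup slide only succeeds over TLS (`ldapsearch -x -ZZ`) or ldaps, and the userPassword ACL is what stops an anonymous search from returning password hashes even where it may read the rest of the tree.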
slide17

Configuration contd.

Populating your server

The easiest way to populate your LDAP server is to use the free set of Perl scripts provided by PADL Software, which migrate existing flat files into the directory. They are available from

www.padl.com/tools.html

slide18
Configuration contd.

Setting up a LDAP client

  • Edit the LDAP config files (/etc/ldap.conf and /etc/openldap/ldap.conf) to specify the server and your site's basename.
  • You can verify that you are connecting to the LDAP server correctly by running ldapsearch -x, which dumps the entire database.
  • Finally, change the appropriate lines in /etc/nsswitch.conf to use the LDAP server as a data source.
slide19

SECURITY ISSUES

USING LDAP

CONNECTING LDAP SERVER

LDAPS

A NORMAL LDAP CONNECTION USES PORT 389

NETWORK SECURITY

DATA INTEGRITY AND CONFIDENTIALITY PROTECTION

AUTHENTICATION METHODS

slide20

NETWORK SECURITY

SELECTIVE LISTENING

IP FIREWALL

TCP WRAPPERS

DATA INTEGRITY AND CONFIDENTIALITY PROTECTION

LDAPv3 AND TLS

AUTHENTICATION METHODS

SIMPLE AND SASL

slide21

LDAPS

VERIFICATION

X.509 CERTIFICATES

ALGORITHMS IN OPENSSL

slide22

DATA INTEGRITY AND CONFIDENTIALITY PROTECTION

LDAPv3 AND TLS

RFC 2246 DESCRIBES TLS

CLEANED UP AND STANDARDIZED VERSION OF SSL

SWITCHING

SECURITY STRENGTH FACTORS (SSF)

slide23

AUTHENTICATION METHODS

SIMPLE

ANONYMOUS

UNAUTHENTICATED AND

USER/PASSWORD AUTHENTICATED

slide24

SASL

AN AUTHENTICATION FRAMEWORK

SNIFFING

MECHANISMS LIKE CRAM-MD5 AND EXTERNAL

slide25

CONCLUSION

LDAP has broader applications, such as looking up services and devices on the Internet (and intranets). Netscape Communicator can store user preferences and bookmarks on an LDAP server. There is even a plan for linking all LDAP servers into a worldwide hierarchy, all searchable from your client.

LDAP promises to save users and administrators time and frustration, making it easy for everyone to connect with people without frustrating searches for email addresses and other trivia.

The LDAP protocol is both cross-platform and standards-based.

Most LDAP servers are simple to install, easily maintained, and easily optimized.

slide26

LDAP is particularly useful for storing information that you wish to read from many locations but update infrequently.

If the answer to each of the following questions is Yes, then storing your data in LDAP is a good idea.

Would you like your data to be available cross-platform?

Do you need to access this data from a number of computers or applications?

Do the individual records you're storing change a few times a day or less, on average?

Does it make sense to store this type of data in a flat database instead of a relational database? That is, could you effectively store all the data for a given item in a single record?

THANK YOU