OpenLDAP Directory Administration Replacing NIS - PowerPoint PPT Presentation

PowerPoint Slideshow about 'OpenLDAP Directory Administration Replacing NIS' - sonel

Presentation Transcript
slide2

Table of Contents

  • Introduction
  • More about NIS
  • Schemas for Information Services
  • Information Migration
  • The pam_ldap Module
  • The nss_ldap Module
  • OpenSSH, PAM, and NSS
  • Authorizing Through PAM
  • Netgroups
  • Security
  • Automount Maps
  • PADL's NIS/LDAP Gateway
slide4

Introduction

  • This chapter: how to replace Sun's Network Information Service (NIS) with LDAP
  • NIS, used for centralized management of:
    • user information
    • Passwords
    • Hostnames
    • IP addresses
    • Automount maps (control mounting of remote filesystems)
    • Other administrative information
  • Note that there are alternatives to NIS and LDAP
  • General approach:
    • Get information you want to share in the directory
    • Get clients to use the directory
    • Disable old information-sharing mechanism
slide5

Introduction (cont.)

  • Two fundamental strategies:
    • Setting up an NIS/LDAP gateway
      • An NIS server that accepts NIS queries
      • Retrieves answers from an LDAP directory
      • No client modifications required
    • Making a complete transition to LDAP
      • Install LDAP libraries and modules on all clients
      • Disable all NIS lookups on clients
      • eg. PAM and NSS LDAP modules released by PADL Software under LGPL
  • Either way, we need to define the attribute types and object classes needed to move the information served by NIS into an LDAP directory
  • PAM and NSS allow for transparent upgrades from NIS to LDAP
slide7

More about NIS

  • Most commonly used to distribute system password and account maps to client machines
  • Other files: also possible (/etc/hosts, /etc/services, /etc/group, /etc/networks, ...)
  • Master copy of any shared data always resides on a master server, and is distributed to slave servers
  • NIS master acts as directory system agent (DSA)
  • Flat namespace, eg. passwd.byname map
  • To work around this: group machines into NIS domains
  • Different NIS domains are different directories, but may be served by the same server
  • LDAP: hierarchical namespace
slide8

More about NIS (cont.)

Comparing Namespaces (figure)

NIS namespace: flat, one map per domain, so the same login can exist separately in each domain

  YP:domain1.com   jerry:##:...
  YP:domain2.com   jerry:##:...

LDAP namespace: hierarchical, one tree with organizational units under the suffix

  dc=plainjoe,dc=org
    ou=sales   ->  uid=jerry,ou=sales,...
    ou=engr    ->  uid=jerry,ou=engr,...

slide10

Schemas for Information Services

RFC 2307 - “An Approach for Using LDAP as a Network Information Service”

  • Note: it has recently been updated in an Internet-Draft by the LDAPbis working group
  • Defines attribute types and object classes needed to use an LDAP directory as a replacement for NIS
  • Despite experimental status, supported by many vendors: Sun, OpenLDAP, Apple, HP, PADL
  • Lengthy list of attribute types and object classes
slide11

Schemas for Information Services (cont.)

slapd.conf for migrating all user accounts and groups into OpenLDAP (nis.schema supplies the RFC 2307 object classes):

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /var/run/slapd.pid
argsfile /usr/run/slapd.args
loglevel 256

TLSCipherSuite 3DES:RC4:EXPORT40
TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-private-key.pem

database bdb
suffix "dc=plainjoe,dc=org"
rootdn "cn=Manager,dc=plainjoe,dc=org"
rootpw {SSHA}2aksIaicAvwc+DhCrXUFlhgWsbBJPLxy
directory /var/ldap/plainjoe.org
mode 0600

index objectClass eq
index cn,uid eq
index uidNumber eq
index gidNumber eq

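The rootpw line above stores an {SSHA} hash rather than the clear-text password. As an added example (not code from the slides or from OpenLDAP), the following shows how that format is built and verified: the value is base64 of the SHA-1 digest of password plus salt, followed by the salt bytes. The password and salt used are constructed; slappasswd produces values of this form for slapd.conf.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the slides: build and verify OpenLDAP-style {SSHA}
# hashes, the scheme used by the rootpw line in the slapd.conf above.
# {SSHA} = base64( SHA1(password || salt) || salt ); the salt is whatever
# follows the 20-byte SHA-1 digest after base64 decoding.

DIGEST_LEN = 20   # SHA-1 digest size in bytes


def make_ssha(password, salt=b""):
    """Return a {SSHA} hash for password; a random 8-byte salt is used unless one is given."""
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify password against a stored {SSHA} value such as the one in rootpw."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so a mismatch is not detectable by timing
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # constructed password, used only to demonstrate the round trip
    h = make_ssha("constructed-example-password")
    print(h, check_ssha("constructed-example-password", h))
```

check_ssha is the check to run when a migrated slapd.conf is inherited with an unknown rootpw: confirm the candidate password against the stored hash without ever writing the clear text into the config. The salt is the part that makes two users with the same password hash differently; a {SHA} value (no salt) does not have that property.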
slide12

Schemas for Information Services (cont.)

Relationships between posixAccount Object Class and an Entry from the /etc/passwd File

/etc/passwd entry:  gcarter:KpP.s/mnFoEoI:780:100:Gerald Carter:/home/gcarter:/bin/bash

  passwd field      posixAccount attribute
  gcarter           uid
  KpP.s/mnFoEoI     userPassword
  780               uidNumber
  100               gidNumber
  Gerald Carter     gecos (also used for cn)
  /home/gcarter     homeDirectory
  /bin/bash         loginShell

required attributes: objectClass: posixAccount, cn, uid, uidNumber, gidNumber, homeDirectory
optional attributes: userPassword, gecos, loginShell, description

slide13

Schemas for Information Services (cont.)

Relationships between posixGroup Object Class and an Entry from the /etc/group File

/etc/group entry:  admin:*:101:gcarter

  group field   posixGroup attribute
  admin         cn
  *             userPassword
  101           gidNumber
  gcarter       memberUid

required attributes: objectClass: posixGroup, cn, gidNumber
optional attributes: userPassword, memberUid, description

slide14

Schemas for Information Services (cont.)

Relationships between shadowAccount Object Class and an Entry from the /etc/shadow File

/etc/shadow entry:  gcarter:LnMJ/n2rQsR.c:11276:0:99999:7:-1:-1:134540300

  shadow field     shadowAccount attribute
  gcarter          uid
  LnMJ/n2rQsR.c    userPassword
  11276            shadowLastChange
  0                shadowMin
  99999            shadowMax
  7                shadowWarning
  -1               shadowInactive
  -1               shadowExpire
  134540300        shadowFlag

required attributes: objectClass: shadowAccount, uid
optional attributes: userPassword, shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire, shadowFlag, description

slide16

Information Migration

  • PADL Software has a set of Perl scripts designed to convert various /etc/ system files into LDIF format
  • http://www.padl.com/OSS/MigrationTools.html
  • Customize the migrate_common.ph script to fit your network settings, eg. the $DEFAULT_BASE variable
  • eg. # ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
  • Currently supported:
    • /etc/fstab (ou=Mounts)
    • /etc/hosts (ou=Hosts)
    • /etc/group (ou=Group)
    • /etc/protocols (ou=Protocols)
    • /etc/passwd & /etc/shadow (ou=People)
    • /etc/rpc (ou=Rpc)
    • /etc/services (ou=Services)
    • /etc/networks (ou=Networks)
    • netgroups (ou=Netgroups)

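To make the schema mappings of the posixAccount, shadowAccount and posixGroup slides concrete, and to show what a script like migrate_passwd.pl has to do, here is an added example that is not PADL's code: it converts /etc/passwd, /etc/shadow and /etc/group lines into RFC 2307 LDIF. DEFAULT_BASE stands in for the $DEFAULT_BASE variable of migrate_common.ph and is assumed to be the slides' suffix; the sample lines are constructed from the entries shown earlier. Note that a placeholder password field ("x" or "*") is never emitted as a userPassword value, and the real hash is taken from /etc/shadow when a shadow line exists.

```python
# Added example (not PADL's migrate_*.pl scripts): convert /etc/passwd, /etc/shadow
# and /etc/group lines into RFC 2307 LDIF using the posixAccount, shadowAccount and
# posixGroup mappings from the schema slides. DEFAULT_BASE plays the role of the
# $DEFAULT_BASE variable in migrate_common.ph; the sample lines are constructed.

DEFAULT_BASE = "dc=plainjoe,dc=org"            # assumption: same suffix as the slides
PEOPLE_OU = "ou=People," + DEFAULT_BASE
GROUP_OU = "ou=Group," + DEFAULT_BASE
PLACEHOLDERS = ("", "x", "*", "!", "!!")        # password fields that carry no hash

SHADOW_FIELDS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag")

# constructed sample input, modelled on the entries shown in the slides
SAMPLE_PASSWD = ("gcarter:x:780:100:Gerald Carter:/home/gcarter:/bin/bash\n"
                 "bin:x:1:1:bin:/bin:\n")
SAMPLE_SHADOW = "gcarter:LnMJ/n2rQsR.c:11276:0:99999:7:::\n"
SAMPLE_GROUP = "admin:*:101:gcarter,jerry\n"


def _records(text):
    """Non-empty, non-comment lines of a colon-separated /etc file."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line


def parse_shadow(text):
    """Map login name -> {"hash": ..., "aging": [7 aging fields]} from /etc/shadow."""
    out = {}
    for line in _records(text):
        f = (line.split(":") + [""] * 9)[:9]
        out[f[0]] = {"hash": f[1], "aging": f[2:9]}
    return out


def passwd_to_ldif(passwd_text, shadow_text=""):
    """One posixAccount entry per /etc/passwd line, with shadowAccount data when present."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in _records(passwd_text):
        name, pw, uid, gid, gecos, home, shell = (line.split(":") + [""] * 7)[:7]
        cn = gecos.split(",")[0] or name           # full-name part of the gecos field
        attrs = [f"dn: uid={name},{PEOPLE_OU}", f"uid: {name}", f"cn: {cn}",
                 "objectClass: account", "objectClass: posixAccount", "objectClass: top"]
        sh = shadow.get(name)
        if sh is not None:
            attrs.append("objectClass: shadowAccount")
            pw = sh["hash"]                        # the real hash lives in /etc/shadow
        attrs += [f"uidNumber: {uid}", f"gidNumber: {gid}", f"homeDirectory: {home}"]
        if shell:
            attrs.append(f"loginShell: {shell}")
        if gecos:
            attrs.append(f"gecos: {gecos}")
        if pw not in PLACEHOLDERS:                 # never emit "x" or "*" as a password
            attrs.append(f"userPassword: {{crypt}}{pw}")
        if sh is not None:
            attrs += [f"{a}: {v}" for a, v in zip(SHADOW_FIELDS, sh["aging"]) if v]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(group_text):
    """One posixGroup entry per /etc/group line; members become memberUid values."""
    entries = []
    for line in _records(group_text):
        name, pw, gid, members = (line.split(":") + [""] * 4)[:4]
        attrs = [f"dn: cn={name},{GROUP_OU}", "objectClass: posixGroup",
                 "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
        if pw not in PLACEHOLDERS:
            attrs.append(f"userPassword: {{crypt}}{pw}")
        attrs += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print(group_to_ldif(SAMPLE_GROUP))
```

The resulting LDIF can be loaded with ldapadd once the slapd.conf shown earlier (with nis.schema included) is in place. Because the output contains {crypt} hashes, treat the generated file the way /etc/shadow is treated and remove it after loading.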
slide18

The pam_ldap Module

  • Pluggable Authentication Modules are implemented as shared libraries that distance applications from the details of account data storage, mechanisms used to authenticate users, and service authorization processes
  • pam_ldap module developed by PADL Software
  • Supported on Linux, FreeBSD, HP-UX, Mac OS 10.2, Solaris
  • http://www.padl.com/OSS/pam_ldap
  • Compilation not discussed here
  • Makes use of configuration parameters in /etc/ldap.conf
slide19

The pam_ldap Module (cont.)

ldap.conf Parameters Shared by pam_ldap & nss_ldap

slide20

The pam_ldap Module (cont.)

ldap.conf Parameters Used by pam_ldap

slide21

The pam_ldap Module (cont.)

  • pam_ldap module must be able to locate the directory server
    • Must be specified in /etc/ldap.conf
    • (nss_ldap can also do a DNS query – see later)
  • Example /etc/ldap.conf:

uri ldap://ldap.plainjoe.org/
ldap_version 3
base dc=plainjoe,dc=org
scope sub
timelimit 30
# binddn
# bindpw
pam_login_attribute uid
pam_filter objectclass=posixAccount

  • Results in this search when gcarter logs in:

(&(objectClass=posixAccount)(uid=gcarter))

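The search filter above is assembled from pam_filter and pam_login_attribute plus the login name the user typed. As an added example (not pam_ldap's own code), the function below builds that filter with the escaping RFC 4515 requires for the supplied value, so that characters such as "*" or ")" in a login name cannot change the structure of the filter. The slides do not say how pam_ldap itself escapes, so the escaping is this example's own; PAM_FILTER and PAM_LOGIN_ATTRIBUTE take the values from the /etc/ldap.conf above.

```python
# Added example, not pam_ldap's code: how pam_filter and pam_login_attribute
# combine into the search that a login triggers, with the login name escaped
# per RFC 4515 so user input cannot alter the filter's structure.

PAM_FILTER = "objectclass=posixAccount"      # value from the slide's /etc/ldap.conf
PAM_LOGIN_ATTRIBUTE = "uid"

# RFC 4515 escapes for characters that are special inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_search_filter(login, pam_filter=PAM_FILTER, login_attribute=PAM_LOGIN_ATTRIBUTE):
    """Build (&(<pam_filter>)(<login_attribute>=<escaped login>)) as pam_ldap's search."""
    if not pam_filter.startswith("("):
        pam_filter = f"({pam_filter})"        # ldap.conf allows the filter without parens
    return f"(&{pam_filter}({login_attribute}={escape_filter_value(login)}))"


if __name__ == "__main__":
    print(login_search_filter("gcarter"))
    # a login name carrying filter metacharacters stays a literal value
    print(login_search_filter("a)(uid=b"))
```

Without the escaping step, a login name of "*" would turn the second component into (uid=*) and match every posixAccount entry; the escaped form (uid=\2a) matches only a user literally named "*". The same escaping applies to any value an application places into a filter, not just the login name.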
slide23

The nss_ldap Module

  • Name Service Switch (NSS) is similar to PAM except it only provides a mechanism for information retrieval
  • PADL Software's nss_ldap module
  • Supported on AIX, HP-UX, Linux and Solaris, not on FreeBSD and Mac OS 10.2 (unlike pam_ldap module)
  • Compilation of module not discussed here
    • /lib/libnss_ldap.so on Linux
    • /lib/nss_ldap.so on Solaris
  • Uses /etc/ldap.conf configuration file, so must be readable by processes (dangerous when it contains binddn & bindpw information)
  • To configure NSS to use LDAP, add the keyword ldap to the appropriate lines in /etc/nsswitch.conf
slide24

The nss_ldap Module (cont.)

  • Currently supported:
    • passwd
    • group
    • hosts
    • services
    • networks
    • protocols
    • rpc
    • ethers
    • netgroups
  • Currently unsupported:
    • netmasks
    • bootparms
    • publickey
    • automount

slide25

The nss_ldap Module (cont.)

  • Example /etc/nsswitch.conf file:

passwd: files ldap
shadow: files ldap
group: files ldap

  • Parameters (ldap.conf) that affect load on LDAP servers:

nss_base_passwd ou=people,dc=plainjoe,dc=org?one
nss_base_shadow ou=people,dc=plainjoe,dc=org?one
nss_base_group ou=group,dc=plainjoe,dc=org?one

  • Testing configuration (the gcarter and jerry entries are retrieved from the LDAP server):

$ getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
...
gcarter:x:780:100:G. Carter:/home/queso/gcarter:/bin/bash
jerry:x:782:782:Jerry Carter:/home/queso/jerry:/bin/bash

slide26

The nss_ldap Module (cont.)

ldap.conf Parameters Used by nss_ldap

slide27

The nss_ldap Module (cont.)

LDIF listing for gcarter:

dn: uid=gcarter,ou=People,dc=plainjoe,dc=org
uid: gcarter
cn: Gerald (Jerry) Carter
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 780
gidNumber: 100
homeDirectory: /home/queso/gcarter
userPassword: {crypt}GoYLwzMD6cuZE

  • Because of the shadowAccount object class, getent returns an "x" in the password field
  • Without this class, the second field of the getent output would have been the password hash (assuming the directory returned it)

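The last two bullets describe a failure mode worth checking for after a migration: an account without the shadowAccount class, combined with a directory that returns userPassword, leaks the hash to every process that calls getpwnam. The following added example (not from the slides) is a small check to run over getent passwd output; its sample output is constructed from the slide's entries plus one deliberately leaking entry with a made-up 13-character value.

```python
# Added example, not from the slides: scan "getent passwd" output and report
# any entry whose password field is something other than a placeholder, which
# would mean a password hash is being served through NSS.

PLACEHOLDERS = {"x", "*", "!", "!!", ""}      # values that carry no hash

# constructed sample: the slide's entries plus one leaking entry (value made up)
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
gcarter:x:780:100:G. Carter:/home/queso/gcarter:/bin/bash
jerry:ABCDEFGHIJKLM:782:782:Jerry Carter:/home/queso/jerry:/bin/bash
"""


def exposed_hashes(getent_output):
    """Return [(login, password field)] for entries whose password field is not a placeholder."""
    findings = []
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                           # not a passwd-format line
        if fields[1] not in PLACEHOLDERS:
            findings.append((fields[0], fields[1]))
    return findings


if __name__ == "__main__":
    for login, value in exposed_hashes(SAMPLE_GETENT):
        print(f"hash exposed via NSS for {login}: {value}")
```

On a real system the input is the output of getent passwd run as an unprivileged user; a clean migration produces no findings. A finding points either at an entry missing the shadowAccount class or at an access control that lets unauthenticated clients read userPassword (see the Security section).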
slide29

OpenSSH, PAM, and NSS

  • Once pam_ldap and nss_ldap have been installed and /etc/ldap.conf has been configured, we can configure individual services to use LDAP
  • We will cover OpenSSH as an example
  • /etc/pam.d/sshd (the session module is ignored by pam_ldap):

auth       required    /lib/security/pam_nologin.so
auth       sufficient  /lib/security/pam_ldap.so
auth       required    /lib/security/pam_unix.so shadow nullok use_first_pass
account    sufficient  /lib/security/pam_ldap.so
account    required    /lib/security/pam_unix.so
password   required    /lib/security/pam_cracklib.so
password   required    /lib/security/pam_unix.so nullok use_authtok shadow
session    required    /lib/security/pam_unix.so
session    optional    /lib/security/pam_console.so

slide31

Authorizing Through PAM

  • Two means of restricting access to a host, independent of any other PAM modules (eg. pam_nologin.so)
    • One host and a group of users
      • Specify a group of users who are allowed to use a particular host
    • One user and a group of hosts
      • Specify the machines that any given user is allowed to access
slide32

Authorizing Through PAM (cont.)

One Host and a Group of Users

  • Specify a group of users who are allowed to use a particular host
  • Host entry for the machine can be extended to include a list of DNs for users (member) that are authorized to log in via pam_ldap
  • eg. LDIF:

dn: cn=pogo,ou=hosts,dc=plainjoe,dc=org
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.1.75
cn: pogo.plainjoe.org
cn: pogo
member: uid=gcarter,ou=people,dc=plainjoe,dc=org
member: uid=kristi,ou=people,dc=plainjoe,dc=org
member: uid=deryck,ou=people,dc=plainjoe,dc=org

  • Needed in /etc/ldap.conf:

pam_groupdn cn=pogo,ou=hosts,dc=plainjoe,dc=org
pam_member_attribute member

slide33

Authorizing Through PAM (cont.)

One User and a Group of Hosts

  • Specify the machines that any given user is allowed to access
  • Structural account object class must be present (done by PADL migration scripts)
  • Only one attribute required (uid); the host attribute determines access

The account object class:

required attributes: objectClass: account, uid
optional attributes: description, localityName, seeAlso, o, ou, host

slide34

Authorizing Through PAM (cont.)

One User and a Group of Hosts (cont.)

  • LDIF:

dn: uid=gcarter,ou=people,dc=plainjoe,dc=org
uid: gcarter
cn: Gerald (Jerry) Carter
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 780
gidNumber: 100
homeDirectory: /home/queso/gcarter
userPassword: {crypt}GoYLwzMD6cuZE
host: queso.plainjoe.org
host: pogo.plainjoe.org
host: tumnus.plainjoe.org

  • This must be enabled in /etc/ldap.conf:

pam_check_host_attr yes

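The two authorization mechanisms above (pam_groupdn with pam_member_attribute, and pam_check_host_attr against the user's host values) are easiest to reason about as two independent checks that both have to pass when both are enabled. The following is an added example, not pam_ldap's code: it models those checks against an in-memory copy of the entries shown on the slides. The directory contents are constructed (kristi is given no host attribute on purpose), and two details are assumptions labelled in the code: a user whose entry has no host attribute is denied when pam_check_host_attr is on, and a host value of "*" matches every machine. DN comparison is simplified to a case-insensitive string match.

```python
# Added example, not pam_ldap's code: a model of the two pam_ldap authorization
# checks from the slides, evaluated against constructed directory entries.

# constructed directory: the host entry with its "member" DNs and two users
DIRECTORY = {
    "cn=pogo,ou=hosts,dc=plainjoe,dc=org": {
        "member": ["uid=gcarter,ou=people,dc=plainjoe,dc=org",
                   "uid=kristi,ou=people,dc=plainjoe,dc=org"]},
    "uid=gcarter,ou=people,dc=plainjoe,dc=org": {
        "host": ["queso.plainjoe.org", "pogo.plainjoe.org"]},
    "uid=kristi,ou=people,dc=plainjoe,dc=org": {},      # no host attribute at all
}


def member_of_host_group(user_dn, group_dn, member_attr="member", directory=DIRECTORY):
    """pam_groupdn / pam_member_attribute: is the user's DN listed on the host entry?"""
    group = directory.get(group_dn, {})
    # assumption: DNs compared as case-insensitive strings (real DN matching is richer)
    return user_dn.lower() in (m.lower() for m in group.get(member_attr, []))


def host_attr_allows(user_dn, hostname, directory=DIRECTORY):
    """pam_check_host_attr yes: does the user's host attribute name this machine?"""
    hosts = directory.get(user_dn, {}).get("host", [])
    if not hosts:
        return False            # assumption: no host attribute means no access anywhere
    return "*" in hosts or hostname.lower() in (h.lower() for h in hosts)


def authorize(user_dn, hostname, group_dn=None, check_host_attr=False, directory=DIRECTORY):
    """Apply whichever checks the ldap.conf settings enable; every enabled check must pass."""
    if group_dn is not None and not member_of_host_group(user_dn, group_dn, directory=directory):
        return False
    if check_host_attr and not host_attr_allows(user_dn, hostname, directory):
        return False
    return True


if __name__ == "__main__":
    pogo = "cn=pogo,ou=hosts,dc=plainjoe,dc=org"
    for user in ("gcarter", "kristi", "nobody"):
        dn = f"uid={user},ou=people,dc=plainjoe,dc=org"
        print(user, authorize(dn, "pogo.plainjoe.org", group_dn=pogo, check_host_attr=True))
```

Running the model makes the interaction visible: kristi is a member of the pogo host entry but has no host attribute, so turning on pam_check_host_attr locks her out of every machine until a host value is added. That is the behaviour to test for on one host before enabling the setting fleet-wide.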
slide36

Netgroups

  • Allow machines and/or users to be collected together for various administrative tasks, eg.
    • Grouping machines for use in the tcp_wrappers files (/etc/hosts.allow & /etc/hosts.deny)
      • eg. hosts.deny:   sshd: ALL
      • eg. hosts.allow:  sshd: @sysadmin
  • Example netgroups (/etc/netgroup):

sysadmin (garion.plainjoe.org,-,-)(silk.plainjoe.org,-,-)
all_sysadmins sysadmin secure_clients

  • RFC2307 describes the structural nisNetgroup object class
  • Note: testing via "getent netgroup groupname"

slide37

Netgroups (cont.)

The nisNetgroup Object Class

required attributes: objectClass: nisNetgroup, cn
optional attributes: nisNetgroupTriple, memberNisNetgroup, description

Next Steps

  • Before adding any netgroups, we must create the container ou=netgroup:

dn: ou=netgroup,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: netgroup

slide38

Netgroups (cont.)

Next Steps (cont.)

  • Migrating the existing file with the PADL script: $ ./migrate_netgroup.pl /etc/netgroup
  • sysadmin netgroup:

dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org
objectClass: nisNetgroup
objectClass: top
cn: sysadmin
nisNetgroupTriple: (garion.plainjoe.org,-,-)
nisNetgroupTriple: (silk.plainjoe.org,-,-)

  • all_sysadmin netgroup:

dn: cn=all_sysadmin,ou=netgroup,dc=plainjoe,dc=org
objectClass: nisNetgroup
objectClass: top
cn: all_sysadmin
memberNisNetgroup: sysadmin
memberNisNetgroup: secure_clients

  • Change required in /etc/ldap.conf:

nss_base_netgroup ou=netgroup,dc=plainjoe,dc=org

  • /etc/nsswitch.conf:

netgroup: ldap

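Because a tcp_wrappers rule such as "sshd: @sysadmin" ultimately grants access to every host reachable through nested memberNisNetgroup values, it helps to see both the LDIF a netgroup file turns into and the flattened host set a rule effectively matches. The following added example is not PADL's migrate_netgroup.pl: it parses /etc/netgroup syntax, emits nisNetgroup LDIF under the ou=netgroup container from the slides, and expands a netgroup recursively with a guard against cycles. The sample file is constructed from the slide's examples, with a secure_clients group added so that the nesting has something to resolve.

```python
# Added example, not PADL's migrate_netgroup.pl: parse /etc/netgroup, emit
# nisNetgroup LDIF, and expand nested netgroups to a flat host set.
import re

NETGROUP_BASE = "ou=netgroup,dc=plainjoe,dc=org"      # container created on the slide
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# constructed from the slide's examples; secure_clients is added for the nesting
SAMPLE_NETGROUP = """\
# constructed /etc/netgroup
sysadmin (garion.plainjoe.org,-,-)(silk.plainjoe.org,-,-)
secure_clients (tumnus.plainjoe.org,-,-) sysadmin
all_sysadmin sysadmin secure_clients
"""


def parse_netgroup(text):
    """Map name -> (list of (host, user, domain) triples, list of member netgroup names)."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        triples = [tuple(f.strip() for f in m) for m in TRIPLE_RE.findall(rest)]
        members = TRIPLE_RE.sub(" ", rest).split()     # whatever is left are group names
        groups[name] = (triples, members)
    return groups


def netgroups_to_ldif(groups):
    """One nisNetgroup entry per netgroup, in the layout shown on the slides."""
    entries = []
    for name, (triples, members) in groups.items():
        attrs = [f"dn: cn={name},{NETGROUP_BASE}", "objectClass: nisNetgroup",
                 "objectClass: top", f"cn: {name}"]
        attrs += [f"nisNetgroupTriple: ({h},{u},{d})" for h, u, d in triples]
        attrs += [f"memberNisNetgroup: {m}" for m in members]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


def expand_hosts(groups, name, _seen=None):
    """All hostnames reachable from a netgroup, following memberNisNetgroup recursively."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return set()                # unknown member or a cycle contributes nothing
    seen.add(name)
    triples, members = groups[name]
    hosts = {h for h, _u, _d in triples if h not in ("", "-")}
    for m in members:
        hosts |= expand_hosts(groups, m, seen)
    return hosts


if __name__ == "__main__":
    g = parse_netgroup(SAMPLE_NETGROUP)
    print(netgroups_to_ldif(g))
    print(sorted(expand_hosts(g, "all_sysadmin")))
```

expand_hosts is the offline counterpart of "getent netgroup groupname": run it over the file before loading, and over a dump of ou=netgroup afterwards, and the two host sets should agree. An unknown member name silently contributes nothing, which is exactly why a typo in a memberNisNetgroup value should be caught here rather than discovered as a missing host in hosts.allow.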
slide40

Security

  • Discusses how security issues are addressed in pam_ldap and nss_ldap
  • First, determine what level of security is desired
    • Protect passwords?
    • Protect usernames as well?
    • Clear-text passwords?
    • Clear text on the network?
  • LDAPv3 offers two mechanisms to protect passwords:
    • Use of SASL to support more secure methods of authentication (Kerberos-5, Digest-MD5)
      • Not currently supported by pam_ldap
    • Negotiate a secure transport layer to protect the information used in the bind request as well as other information
      • StartTLS & LDAPS support
slide41

Security (cont.)

  • /etc/ldap.conf:

ssl start_tls

  • Check with tcpdump or ethereal (sniffers)
  • Other than encrypting the traffic, one must ensure that users have no access to obtain unauthorized information, eg. the userPassword attribute
  • Two ACEs (slapd.conf):

access to dn=".*,dc=plainjoe,dc=org" attr=userPassword
    by self write
    by * auth

access to dn=".*,dc=plainjoe,dc=org"
    by * read

(auth is not the same as read access: a client can never obtain the userPassword value)

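The difference between "by * auth" and "by * read" is the whole point of the first ACE, and it is easy to get wrong when ACLs are reordered. The following added example is not slapd's ACL engine: it is a small model of how the two directives above are evaluated, with access directives tried in order and the first one whose target matches deciding the outcome, as slapd does. The model ignores the dn=".*,dc=plainjoe,dc=org" pattern (every entry is assumed to be under the suffix), compares DNs as case-insensitive strings, and uses a reduced level ordering; all three are simplifications of the real engine.

```python
# Added example, not slapd's ACL code: a model of the two access directives
# from the slide, showing that "auth" on userPassword permits a bind but not a read.

# reduced access-level ordering (simplification: slapd has more levels)
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# (attribute the directive is restricted to, or None for all; [(who, level), ...])
# in the same order as the slapd.conf lines on the slide
ACL = [
    ("userPassword", [("self", "write"), ("*", "auth")]),
    (None,           [("*", "read")]),
]


def access_level(requester_dn, target_dn, attr, acl=ACL):
    """Level requester_dn is granted on attr of target_dn; None means an anonymous client."""
    for attr_restriction, clauses in acl:
        if attr_restriction is not None and attr_restriction.lower() != attr.lower():
            continue                    # this directive does not cover the attribute
        for who, level in clauses:      # first matching <who> wins
            if who == "self":
                if requester_dn is not None and requester_dn.lower() == target_dn.lower():
                    return level
            elif who == "*":
                return level
        return "none"                   # directive matched but no <who> clause did
    return "none"                       # no directive matched at all


def allowed(requester_dn, target_dn, attr, needed, acl=ACL):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(requester_dn, target_dn, attr, acl)) >= LEVELS.index(needed)


if __name__ == "__main__":
    me = "uid=gcarter,ou=people,dc=plainjoe,dc=org"
    other = "uid=jerry,ou=people,dc=plainjoe,dc=org"
    print("bind as jerry using gcarter's password attr:", allowed(other, me, "userPassword", "auth"))
    print("jerry reads gcarter's hash:", allowed(other, me, "userPassword", "read"))
    print("anonymous reads gcarter's uidNumber:", allowed(None, me, "uidNumber", "read"))
```

The useful check is the one the model makes obvious: swapping the two directives so that the "by * read" rule comes first would make it match userPassword as well, and the hash would become readable by everyone. Keep attribute-specific directives before the catch-all, and re-run the equivalent of these assertions (with ldapsearch against a test server) after any ACL edit.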
slide43

Automount Maps

  • Look at automount daemon support
    • Linux's kernel-based autofs?
    • automount and automountMap object classes
    • However: Red Hat bases automounting on the nisObject and nisMap classes described in RFC2307
    • RFC2307bis will include new schema items
  • nisObject object class:
    • required attributes: objectClass: nisObject, cn, nisMapEntry, nisMapName
    • optional attributes: description
  • nisMap object class:
    • required attributes: objectClass: nisMap, nisMapName
    • optional attributes: description

slide44

Automount Maps (cont.)

  • PADL's migration tools (migrate_automount.pl):

$ grep src /etc/auto.opt
src -rw,hard,intr queso.plainjoe.org:/export/u1/src
$ ./migrate_automount.pl /etc/auto.opt /tmp/auto.opt.ldif
$ cat /tmp/auto.opt.ldif
dn: nisMapName=auto.opt,dc=plainjoe,dc=org
objectClass: top
objectClass: nisMap
nisMapName: auto.opt

dn: cn=src,nisMapName=auto.opt,dc=plainjoe,dc=org
objectClass: nisObject
cn: src
nisMapEntry: -rw,hard,intr queso.plainjoe.org:/export/u1/src
nisMapName: auto.opt

  • Informing the automounter (/etc/auto.master):

/opt ldap:ldap1:nisMapName=auto.opt,dc=plainjoe,dc=org --timeout 300

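The transcript above shows the input and output of migrate_automount.pl for a single map line. As an added example (not PADL's script), the following reproduces that transformation for a whole map file, so the nisMap container and one nisObject per key come out in the same layout; it also handles lines that carry no mount options and multi-location entries. BASE is assumed to be the slides' suffix and the sample map is constructed around the slide's auto.opt line.

```python
# Added example, not PADL's migrate_automount.pl: turn an auto.* map file into
# nisMap / nisObject LDIF in the layout shown on the slide.

BASE = "dc=plainjoe,dc=org"        # assumption: same suffix as the slides

# constructed sample map: the slide's line plus two further shapes of entry
SAMPLE_AUTO_OPT = """\
# constructed auto.opt
src  -rw,hard,intr  queso.plainjoe.org:/export/u1/src
docs fileserver.plainjoe.org:/export/docs
tools -ro mirror1.plainjoe.org:/export/tools mirror2.plainjoe.org:/export/tools
"""


def parse_automount_map(text):
    """Return [(key, options, location)] per map line; options is "" when absent."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)           # key, then options (if any), then the rest
        key = parts[0]
        if len(parts) == 3 and parts[1].startswith("-"):
            opts, loc = parts[1], parts[2]
        else:
            opts, loc = "", " ".join(parts[1:])
        entries.append((key, opts, loc))
    return entries


def automount_to_ldif(map_name, text, base=BASE):
    """nisMap entry for the map followed by one nisObject entry per key."""
    map_dn = f"nisMapName={map_name},{base}"
    out = [f"dn: {map_dn}\nobjectClass: top\nobjectClass: nisMap\nnisMapName: {map_name}"]
    for key, opts, loc in parse_automount_map(text):
        entry = f"{opts} {loc}".strip()       # nisMapEntry keeps options and location together
        out.append(f"dn: cn={key},{map_dn}\nobjectClass: nisObject\ncn: {key}\n"
                   f"nisMapEntry: {entry}\nnisMapName: {map_name}")
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(automount_to_ldif("auto.opt", SAMPLE_AUTO_OPT))
```

The map name in the nisMapName values must match the one the auto.master line refers to (auto.opt here), otherwise the automounter's LDAP lookup finds the container but none of its keys.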
slide46

PADL's NIS/LDAP Gateway

  • ypldapd daemon
  • From the manpage:
    • ypldapd emulates the equivalent process ypserv by providing an RPC call-compatible interface. Rather than consulting "map" files as ypserv does, however, ypldapd draws its data from LDAP databases
  • In theory, allows NIS domain to be replaced with a directory-based solution without any client machines being aware of the change
  • 30-day trial version available from PADL site (http://www.padl.com/)
  • PADL migration tools described earlier can be used for the migration
slide47

PADL's NIS/LDAP Gateway (cont.)

  • Initial ypldapd.conf file:

# NIS domain to serve
ypdomain yp.plainjoe.org
# LDAP server
ldaphost 192.168.1.77
# Search base
basedn dc=plainjoe,dc=org
# Enable caching
caching on
# Dump caches every half hour
cache_dump_interval 30
# Use default naming context mappings
namingcontexts namingcontexts.conf

  • ypldapd may require a special privileged DN to use when it binds to the LDAP server