
CT 320: Network and System Administration

CT 320: Network and System Administration. Lightweight Directory Access Protocol (LDAP) Colorado State University Computer Science Department Chris Wilcox Fall 2012. Original slides from Dr. James Walden at Northern Kentucky University. Topics. What is a directory? NIS LDAP OpenLDAP





Presentation Transcript


  1. CT 320: Network and System Administration Lightweight Directory Access Protocol (LDAP) Colorado State University Computer Science Department Chris Wilcox Fall 2012 Original slides from Dr. James Walden at Northern Kentucky University.

  2. Topics
  • What is a directory?
  • NIS
  • LDAP
  • OpenLDAP
  • LDAP Authentication
  CT320: Fall Semester 2012

  3. What is a Directory?
  Directory: A collection of information that is primarily searched and read, rarely modified.
  Directory Service: Provides access to directory information.
  Directory Server: Application that provides a directory service.

  4. Directories vs. Databases
  • Directories are optimized for reading.
  • Databases are balanced for read and write.
  • Directories are tree-structured.
  • Databases typically have a relational structure.
  • Directories are usually replicated.
  • Databases can be replicated too.
  • Both are extensible data storage systems.
  • Both have advanced search capabilities.

  5. System Administration Directories
  • Types of directory data
    • Accounts
    • Mail aliases and lists (address book)
    • Cryptographic keys
    • IP addresses
    • Hostnames
    • Printers
  • Common directory services
    • DNS, LDAP, NIS

  6. Advantages of Directories
  • Make administration easier.
    • Change data only once: people, accounts, hosts.
  • Unify access to network resources.
    • Single sign on.
    • Single place for users to search (address book).
  • Improve data management.
    • Improve consistency (one location vs. many).
    • Secure data through only one server.

  7. NIS: Network Information Service
  • Originally called Sun Yellow Pages.
  • Clients run ypbind; servers run ypserv.
  • Data is stored under /var/yp on the server.
  • Server shares NIS maps with clients.
    • Each UNIX file may provide multiple maps.
    • passwd: passwd.byname, passwd.byuid
  • Slave servers replicate master server content.
  • Easy to use, but insecure and difficult to extend.

  8. LDAP
  • Lightweight Directory Access Protocol
  • Lightweight compared to X.500 directories.
  • Directory, not a database.
  • Access Protocol, not a directory itself.

  9. LDAP Clients and Servers
  • LDAP Clients
    • Standalone directory browsers.
    • Embedded clients (mail clients, logins, etc.)
    • Configure /etc/nsswitch.conf on UNIX to use LDAP.
  • Common LDAP servers
    • OpenLDAP
    • Fedora Directory Server (formerly Sun, Netscape)
    • Mac Open Directory
    • Microsoft Active Directory
    • Novell eDirectory (NDS)

  10. LDAP Structure
  • An LDAP directory is made of entries.
    • Entries may be employee records, hosts, etc.
  • Each entry consists of attributes.
    • Attributes can be names, phone numbers, etc.
    • The objectClass attribute identifies the entry type.
  • Each attribute is a type / value pair.
    • Type is a label for the information stored (name).
    • Value is the value of the attribute in this entry.
  • Attributes can be multi-valued.

  11. Tree-structure of LDAP Directories

  12. LDAP Schemas
  Schemas specify allowed objectClasses and attributes.
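
Added example for slides 10 and 12 (Python, not part of the original slides): a small parser for LDIF, the text format LDAP tools read and write, followed by a schema check built from a hand-written mini schema. It shows entries as sets of type/value attributes, multi-valued attributes (two mail values), the objectClass attribute naming the entry type, and a schema deciding which attributes an entry MUST carry. The two sample entries are constructed; the MUST lists for person and posixAccount follow RFC 4519 and RFC 2307, reduced to the handful of classes the sample uses.

```python
"""Minimal LDIF parser plus schema check (added example; not from the slides).
The sample entries and the mini schema below are constructed for illustration."""
import base64

# Constructed sample: two entries under ou=People. The second is deliberately
# missing the 'sn' attribute that the person objectClass requires.
CONSTRUCTED_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
mail: jane.doe@example.com
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
description: Demonstrates LDIF line
  folding

dn: cn=Jo Bloggs,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jo Bloggs
mail:: am9AZXhhbXBsZS5jb20=
"""

# Mini schema: objectClass -> superior class (SUP) and the attributes it MUSTs.
# person and posixAccount follow RFC 4519 / RFC 2307; inetOrgPerson (RFC 2798)
# adds only optional attributes, so it inherits organizationalPerson -> person
# -> top. Names are lower-cased because LDAP names are case-insensitive.
MINI_SCHEMA = {
    "top": {"sup": None, "must": ["objectclass"]},
    "person": {"sup": "top", "must": ["sn", "cn"]},
    "organizationalperson": {"sup": "person", "must": []},
    "inetorgperson": {"sup": "organizationalperson", "must": []},
    "posixaccount": {"sup": "top",
                     "must": ["cn", "uid", "uidnumber", "gidnumber", "homedirectory"]},
}


def _unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {type: [values]}}; attribute types lower-cased."""
    entries, entry = [], None
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if entry is not None:
                entries.append(entry)
                entry = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        name = name.lower()
        if name == "dn":
            entry = {"dn": value, "attrs": {}}
        elif entry is None:
            raise ValueError("attribute line before any dn")
        else:
            entry["attrs"].setdefault(name, []).append(value)   # multi-valued
    return entries


def required_attrs(object_class):
    """Collect MUST attributes of a class and every class up its SUP chain."""
    must, oc = set(), object_class.lower()
    while oc is not None:
        spec = MINI_SCHEMA.get(oc)
        if spec is None:
            raise ValueError(f"unknown objectClass {object_class}")
        must.update(spec["must"])
        oc = spec["sup"]
    return must


def check_entry(entry):
    """Return schema violations for one entry as strings (empty list = entry is valid)."""
    problems = []
    classes = entry["attrs"].get("objectclass", [])
    if not classes:
        return [f"{entry['dn']}: no objectClass"]
    for oc in classes:
        try:
            missing = required_attrs(oc) - set(entry["attrs"])
        except ValueError as exc:
            problems.append(f"{entry['dn']}: {exc}")
            continue
        for attr in sorted(missing):
            problems.append(f"{entry['dn']}: objectClass {oc} requires {attr}")
    return problems


if __name__ == "__main__":
    for e in parse_ldif(CONSTRUCTED_LDIF):
        print(e["dn"], "->", check_entry(e) or "OK")
```

A real server (OpenLDAP's slapd, for instance) performs this check itself and rejects an add or modify that leaves an entry without a MUST attribute; the point of doing it in client-side tooling is to validate bulk LDIF before it reaches the directory.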

  13. LDAP Client/Server Interaction
  • Client requests to bind to server.
  • Server accepts/denies bind request.
  • Client sends search request.
  • Server returns zero or more directory entries.
  • Server sends result code with any errors.
  • Client sends an unbind request.
  • Server sends result code and closes socket.

  14. LDAP Operations
  • Client Session Operations
    • Bind, unbind, and abandon
  • Query and Retrieval Operations
    • Search and compare
  • Modification Operations
    • Add, modify, modifyRDN, and delete

  15. Authentication
  • Anonymous Authentication: binds with empty DN and password.
  • Simple Authentication: binds with DN and password. Cleartext.
  • Simple Authentication over SSL/TLS: use SSL to encrypt simple authentication.
  • Simple Authentication and Security Layer (SASL): an extensible security scheme.
    • SASL mechanisms: Kerberos, GSSAPI, SKEY
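
Added example for slides 13 to 15 (Python, not from the slides): the bind, bind response and unbind messages of an LDAPv3 session encoded by hand with the BER rules RFC 4511 mandates, with both the client's and the server's PDUs. Decoding the response and searching the request bytes shows that a simple bind carries the password as plain octets, which is why slide 15 calls it cleartext and why SSL/TLS or a SASL mechanism is wanted on the wire. The DN and password are constructed values; the tag numbers and result codes are the protocol's own.

```python
"""Hand-encoded LDAPv3 BindRequest / BindResponse / UnbindRequest (RFC 4511).
Added example; the DN and password used below are constructed, not from the slides."""


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A) for non-negative n; extra 0x00 keeps the sign bit clear."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Client -> server. BindRequest is [APPLICATION 0] (tag 0x60): version 3,
    name (DN as OCTET STRING), simple [0] password (context tag 0x80).
    An anonymous bind is this same PDU with an empty DN and empty password."""
    op = ber_int(0x02, 3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x60, op))


def bind_response(msg_id: int, result_code: int, matched_dn: str = "", error: str = "") -> bytes:
    """Server -> client. BindResponse is [APPLICATION 1] (tag 0x61): resultCode ENUMERATED,
    matchedDN, errorMessage. 0 = success, 49 = invalidCredentials."""
    op = ber_int(0x0A, result_code) + tlv(0x04, matched_dn.encode()) + tlv(0x04, error.encode())
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x61, op))


def unbind_request(msg_id: int) -> bytes:
    """Client -> server. UnbindRequest is [APPLICATION 2] NULL: tag 0x42, length 0."""
    return tlv(0x30, ber_int(0x02, msg_id) + b"\x42\x00")


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: low bits give the byte count
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pdu: bytes) -> dict:
    """Decode a BindResponse PDU into its fields; raises ValueError on an unexpected tag."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, err, _ = read_tlv(op, pos)
    return {
        "messageID": int.from_bytes(msg_id, "big"),
        "resultCode": int.from_bytes(code, "big"),
        "matchedDN": matched.decode(),
        "errorMessage": err.decode(),
    }


def password_visible(pdu: bytes, password: str) -> bool:
    """True when the password bytes occur verbatim in the PDU, i.e. simple auth without TLS."""
    return password.encode() in pdu


if __name__ == "__main__":
    DN, PW = "cn=admin,dc=example,dc=com", "s3cret-example"   # constructed values
    req = bind_request(1, DN, PW)
    print("BindRequest  :", req.hex())
    print("password readable on the wire:", password_visible(req, PW))
    print("BindResponse :", parse_bind_response(bind_response(1, 0)))
    print("UnbindRequest:", unbind_request(2).hex())
```

The anonymous bind encodes to the well-known 14-byte PDU 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; a search request follows the same framing with an [APPLICATION 3] tag and a filter, which this example leaves out.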

  16. Distributed Directories
  • Use multiple LDAP servers.
  • Why distribute?
    • Throughput
      • More servers can reduce load on any single server.
    • Latency
      • Have a local server serve local data to the LAN.
      • Only use the WAN for non-local data on other servers.
    • Administrative Boundaries
      • Let each side administer its own directory.

  17. LDAP Authentication
  • Configure server with schema + user data.
  • Point clients to hostname and rootDN of the server: /etc/ldap.conf and /etc/openldap/ldap.conf
  • Verify server access with ldapsearch.
  • Configure clients to use LDAP auth in /etc/nsswitch.conf:
      passwd: files ldap
      shadow: files ldap
      group:  files ldap
