
LDAP


Presentation Transcript


  1. SPARCS 10 이대근 (harry) LDAP

  2. Contents • Directory Service • What is LDAP? • Installation • Configuration • ldap-utils • User authentication with LDAP

  3. Question • How can an organization keep one centralized up-to-date phone book that everybody has access to? • How can SPARCS share login information among all servers?

  4. Directory Service

  5. Directory • A directory is a mapping between names and values • Not only the directories of a file system: any structure you look a name up in to get its value

  6. Directory: examples
      • Dictionary: word → definition
      • Telephone directory: name → phone number
      • DNS: domain name → IP address

  7. Directory service • The software system that stores, organizes and provides access to information in a directory

  8. Directory service vs RDBMS
      Directory service                              | Relational DBMS
      Read more often                                | Written more often
      Data may be redundant if it helps performance  | Data must be unique (in most cases)
      Attributes are Must or May (schema)            | Columns are Not null or Nullable
      Namespace                                      |

  9. X.500 • A series of computer networking standards covering electronic directory services • Protocols • DAP: Directory Access Protocol • DSP: Directory System Protocol • DISP: Directory Information Shadowing Protocol • DOP: Directory Operational Bindings Management Protocol

  10. X.500 Directory service

  11. What is LDAP?

  12. LDAP • Lightweight Directory Access Protocol • i.e., a lightweight DAP • A protocol to access a directory service over TCP/IP instead of the full OSI stack that X.500 DAP requires • Designed at the University of Michigan

  13. Directory structure File system

  14. Directory structure LDAP

  15. Available backend types

  16. Installation

  17. Installation • Server • apt-get install slapd • Client • apt-get install ldap-utils

  18. Configuration

  19. /etc/ldap/slapd.conf (the server configuration; /etc/ldap/ldap.conf is the client defaults file and does not accept these directives)
      include   /etc/ldap/schema/core.schema
      schemacheck on
      pidfile   /var/run/slapd/slapd.pid
      argsfile  /var/run/slapd.args
      loglevel  0
      database  bdb
      suffix    "dc=sparcs,dc=net"
      rootdn    "cn=DsnManager,dc=sparcs,dc=net"
      rootpw    {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R
      • The rootdn bypasses every ACL and its password hash sits in this file, so the file must be readable only by root and the slapd user
      • loglevel 0 records nothing; loglevel 256 (stats) logs connections, operations and results, which is what you want for auditing
      • This is the old slapd.conf style with the bdb backend: current Debian/Ubuntu packages configure slapd through cn=config (/etc/ldap/slapd.d) and use the mdb backend, and schemacheck is no longer an accepted directive

  20. slappasswd • A tool to generate a hashed password; the default scheme is {SSHA}, salted SHA-1 • Sample output: {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R • Copy and paste the output into the rootpw line of the configuration file; rootpw also accepts a cleartext password, but then anyone who reads the file has it • Type the password at the prompt rather than passing it with -s, which leaves it in the shell history and process list
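As an added example (not code from the slides or from OpenLDAP), the following Python reproduces what slappasswd does for its default {SSHA} scheme: base64 of SHA-1(password || salt) with the salt appended, so a stored value can be generated, taken apart and verified offline the way slapd verifies a simple bind. The 4-byte salt length and the sample password are choices made for this demonstration; parsing the hash from the slide only recovers the digest and salt lengths, not the password.

```python
"""Generate and verify OpenLDAP-style {SSHA} password hashes.

Added example, not from the slides: {SSHA} = "{SSHA}" + base64(SHA1(pw || salt) || salt).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

_DIGEST_LEN = 20  # SHA-1 output size; everything after it is the salt


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return a {SSHA} string in the format slappasswd prints.

    A 4-byte random salt is used when none is given (an assumption for this
    example; any salt length works because the salt is simply what follows
    the 20-byte digest).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(stored: str) -> tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= _DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:_DIGEST_LEN], raw[_DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_parse(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("correct horse")          # constructed sample password
    print(h, ssha_verify("correct horse", h), ssha_verify("wrong", h))
```

Keep in mind that {SSHA} is a single iteration of SHA-1 over password and salt, so a leaked rootpw or userPassword value is cheap to brute-force; OpenLDAP's contrib modules pw-pbkdf2 and pw-argon2 add {PBKDF2-SHA512} and {ARGON2} schemes that slapd can use in place of {SSHA}.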

  21. Access Control List • access to <what> by <who> <access> [ by <who> <access> … ] • <what>: * for every entry, dn=… for a DN pattern, attrs=… for particular attributes of the matched entries • <who>: * (anyone), self (the bound user accessing its own entry), users (any authenticated bind), anonymous, dn=… • Directives are tried in order: the first one whose <what> matches is used, and inside it the first matching by clause decides the access level

  22. Access Control List: Example
      defaultaccess none          # No permission by default
      access to *                 # Granting permission for all entries
          by self write           # A user entry can modify itself
          by dn=".+" read         # An authenticated user can read
          by dn="^$$" read        # An anonymous user can read (regex for the empty DN; $$ is a literal $)
          by * none               # Else granting no permission

  23. Access Control List: Example
      access to dn=".*,dc=(.*),dc=(.*),dc=net" attrs=children,entry,uid
          by dn="cn=Administrator,dc=$1,dc=$2" write
      • The groups captured by the regex in <what> ($1, $2) are substituted into the <who> DN, so the Administrator of each domain may write those attributes only within its own domain (current slapd spells the pattern style explicitly, e.g. dn.regex=)

  24. Caution • No blank around the separator (,) • dn="dc=example,dc=com" (O) • dn="dc=example, dc=com" (X) • An ACL is not overridden by a later one: the first access directive whose <what> matches is the only one consulted • So the detailed rules (a single attribute such as userPassword, one subtree) must precede the general access to * rule, otherwise they are dead • The more complicated the ACL, the slower the search results
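To make the ordering rule concrete, here is an added example (not from the slides and not slapd's code): a small Python model of how `access to <what> by <who> <level>` directives are evaluated, with two orderings of the same two rules. The semantics modelled are assumptions stated in the code: the first directive whose <what> matches is the only one consulted, the first matching `by` clause inside it decides, and nothing matching yields none. The rule sets and DNs are constructed for the demonstration.

```python
"""First-match evaluation of slapd-style access directives (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Classic privilege ladder, weakest to strongest (current slapd also has
# "disclose" between none and auth; omitted here).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Rule:
    dn_regex: str = ".*"                 # <what>: DN pattern (".*" behaves like `*`)
    attrs: set[str] | None = None        # <what>: attrs=...; None means the whole entry
    by: list[tuple[str, str]] = field(default_factory=list)  # [(<who>, <level>), ...]


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """<who> selectors used on the slides: *, self, users, anonymous, dn.regex=..."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    if who == "users":                   # modern spelling of the slide's dn=".+"
        return bind_dn != ""
    if who == "anonymous":               # modern spelling of the slide's dn="^$$"
        return bind_dn == ""
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):].strip('"')
        return re.fullmatch(pattern, bind_dn) is not None
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(rules: list[Rule], target_dn: str, attr: str, bind_dn: str) -> str:
    """Access level bind_dn gets on attr of target_dn under first-match semantics."""
    for rule in rules:
        if re.fullmatch(rule.dn_regex, target_dn) is None:
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        # This directive applies; later directives are never consulted.
        for who, level in rule.by:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"                    # <what> matched but no <by> clause did
    return "none"                        # no directive matched (assumed default)


def allows(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


# Constructed rule sets. Intent: passwords are writable by their owner and usable
# only for binding by everyone else; everything else is readable once authenticated.
SPECIFIC = Rule(attrs={"userPassword"}, by=[("self", "write"), ("*", "auth")])
GENERAL = Rule(by=[("self", "write"), ("users", "read"), ("*", "none")])

WRONG_ORDER = [GENERAL, SPECIFIC]        # general rule first: SPECIFIC is dead
RIGHT_ORDER = [SPECIFIC, GENERAL]        # details precede the general rule

ALICE = "uid=alice,dc=sparcs,dc=net"     # constructed DNs
BOB = "uid=bob,dc=sparcs,dc=net"


def bob_can_read_alices_password(rules: list[Rule]) -> bool:
    return allows(evaluate(rules, ALICE, "userPassword", BOB), "read")


if __name__ == "__main__":
    print("wrong order:", bob_can_read_alices_password(WRONG_ORDER))
    print("right order:", bob_can_read_alices_password(RIGHT_ORDER))
```

With the general `access to *` first, every authenticated user reads every userPassword hash; moving the attribute-specific directive above it is the only fix, because slapd never falls through to a later directive once one matched.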

  25. ldap-utils

  26. ldap-utils • Common usage: <command> -x -H ldap://<host> -D <bind DN> -W -f <LDIF_FILE_PATH> • -D is the DN you bind as (for example the rootdn from slapd.conf), not the search base; the search base is given with -b • -W prompts for the bind password; -w <password> also works but leaves the password in the shell history and in the process list, so prefer -W • -x selects simple authentication (ldap-utils default to SASL); without TLS a simple bind sends the password in clear

  27. ldapadd • Write the entry as LDIF, the dn line first • Declare which object classes the entry uses: objectClass: dcObject • dcObject is an auxiliary class, so a structural class (here organization) is needed as well, or slapd rejects the entry • Describe all 'Must' attributes of those classes: dc and o • The naming attribute value must appear in the entry: dn: dc=mydomain,dc=com requires dc: mydomain (slapd refuses an entry whose dc differs from its RDN)

  28. ldapadd: example
      dn: dc=mydomain,dc=com
      objectClass: dcObject
      objectClass: organization
      dc: mydomain
      o: mydomain

  29. ldapsearch: scope • -b <base DN>: where the search starts • -s base: only the base entry itself • -s one: the immediate children of the base • -s sub: the base and the whole subtree below it (the default)

  30. ldapsearch: filters • (cn=harry) equality • (cn=h*) substring: cn begins with h (a bare * is a presence test) • (cn~=pipe) approximate match, as the server defines it • (cn>=harry) ordering (<= also exists) • (&(cn=h*)(cn=*y)) AND • (|(cn=h*)(cn=*y)) OR • (!(cn=harry)) NOT • Quote the filter on the command line so the shell does not expand * or ( • A value taken from a user must be escaped before it is spliced into a filter (RFC 4515: \2a for *, \28 and \29 for the parentheses, \5c for \), otherwise the user can rewrite the query
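The escaping point deserves a worked example. The Python below is added here and is not code from the slides or from OpenLDAP: it implements RFC 4515 value escaping and a tiny evaluator for exactly the filter forms listed on the slide, then looks a user up with the input spliced in raw and escaped. The evaluator models ~= as case-insensitive equality (an assumption; approximate matching is server-defined), and the sample entries are constructed.

```python
"""RFC 4515 filter escaping plus a minimal filter evaluator (added example)."""
from __future__ import annotations

import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted input before interpolating it into a filter string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(piece: str) -> str:
    """Turn \\XX hex escapes back into the literal character."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _parse(s: str, i: int):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "&|":
        i += 2
        kids = []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if op == "!":
        kid, i = _parse(s, i + 2)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", kid), i + 1
    end = s.index(")", i)                # a raw ')' cannot occur inside a value
    item = s[i + 1:end]
    for sep in ("~=", ">=", "<=", "="):  # two-character operators first
        if sep in item:
            attr, raw = item.split(sep, 1)
            return ("item", attr.strip().lower(), sep, raw), end + 1
    raise ValueError(f"malformed item: {item!r}")


def _substr(value: str, pieces: list[str]) -> bool:
    """Match initial*any*...*final against one attribute value."""
    first, *middle, last = pieces
    if len(value) < len(first) + len(last):
        return False
    if not value.startswith(first) or not value.endswith(last):
        return False
    pos, limit = len(first), len(value) - len(last)
    for part in middle:
        k = value.find(part, pos, limit)
        if k < 0:
            return False
        pos = k + len(part)
    return True


def _match_item(entry: dict[str, list[str]], attr: str, sep: str, raw: str) -> bool:
    values = entry.get(attr, [])
    if sep == "=":
        pieces = [_unescape(p) for p in raw.split("*")]  # unescaped '*' are wildcards
        if len(pieces) == 1:
            return pieces[0] in values                   # plain equality
        return any(_substr(v, pieces) for v in values)   # also covers presence (attr=*)
    needle = _unescape(raw)
    if sep == "~=":
        return any(v.lower() == needle.lower() for v in values)
    if sep == ">=":
        return any(v >= needle for v in values)
    return any(v <= needle for v in values)


def _eval(node, entry: dict[str, list[str]]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    if kind == "!":
        return not _eval(node[1], entry)
    return _match_item(entry, *node[1:])


def matches(filter_str: str, entry: dict[str, list[str]]) -> bool:
    """True if entry satisfies filter_str; ValueError if the filter is malformed."""
    try:
        node, end = _parse(filter_str, 0)
    except IndexError as exc:
        raise ValueError("unterminated filter") from exc
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})


def is_well_formed(filter_str: str) -> bool:
    try:
        matches(filter_str, {})
        return True
    except ValueError:
        return False


# Constructed sample directory (not SPARCS data).
DIRECTORY = [
    {"uid": ["harry"], "cn": ["harry"], "sn": ["Lee"]},
    {"uid": ["hodduc"], "cn": ["hodduc"], "sn": ["Kim"]},
    {"uid": ["dsnmanager"], "cn": ["DsnManager"]},
]


def find_uids(user_input: str, escape: bool) -> list[str]:
    """Look a user up by uid, splicing user_input into the filter raw or escaped."""
    value = escape_filter_value(user_input) if escape else user_input
    return [e["uid"][0] for e in DIRECTORY if matches(f"(uid={value})", e)]
```

Unescaped, the input `*` turns `(uid=…)` into a presence filter that returns every user, and `harry)(cn=*` produces a malformed filter; escaped, both are looked up as literal strings and match nothing.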

  31. ldapsearch: example sn=Daniels givenname=Charlene

  32. ldapmodify • Declare which entry you want to modify: dn: cn=harry,dc=sparcs,dc=org • State what kind of change will occur: changetype: modify / add / delete • (if changetype: modify) State what kind of modification will occur: replace: <attr> / add: <attr> / delete: <attr> • Enter the value of the attribute if necessary: cn: hodduc • Several modifications of one entry are separated by a line containing only -

  33. ldapmodify: example
      dn: cn=harry,dc=sparcs,dc=org
      changetype: modify
      replace: cn
      cn: hodduc
      • Caution: cn is also this entry's RDN attribute, and slapd rejects a modify that removes the value named in the RDN, so this exact change fails; renaming is done with ldapmodrdn (next slide), while replace works as shown on attributes that are not part of the RDN
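Both the ldapadd record (slides 27-28) and the ldapmodify record (slides 32-33) are LDIF, and hand-written LDIF breaks as soon as a value contains non-ASCII text (a Korean cn), a leading space or colon, or a newline. The Python below is an added example, not code from the slides or from ldap-utils: a small writer that applies the RFC 2849 rules (base64 with `::` where the value is not a safe string, folding at 76 columns) for add and modify records, plus the inverse for one line. The entries and values are constructed for the demonstration.

```python
"""Build RFC 2849 LDIF for ldapadd and ldapmodify (added example)."""
from __future__ import annotations

import base64

_UNSAFE_FIRST = {" ", ":", "<"}   # RFC 2849 SAFE-INIT-CHAR excludes these


def needs_base64(value: str) -> bool:
    """True when the value is not a SAFE-STRING: 8-bit, NUL/CR/LF, or bad first char."""
    if value == "":
        return False
    if value[0] in _UNSAFE_FIRST:
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def attr_line(attr: str, value: str) -> str:
    """One `attr: value` or `attr:: base64` line, folded so no line exceeds 76 columns."""
    if needs_base64(value):
        line = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    else:
        line = f"{attr}: {value}"
    # Continuation lines begin with a single space (RFC 2849 line folding).
    return "\n".join([line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)])


def decode_line(line: str) -> tuple[str, str]:
    """Inverse of attr_line: unfold, then undo the base64 encoding if present."""
    line = line.replace("\n ", "")
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest[1:] if rest.startswith(" ") else rest


def ldif_add(dn: str, attrs: dict[str, list[str]]) -> str:
    """An ldapadd record: dn first, then one line per attribute value."""
    lines = [attr_line("dn", dn)]
    for attr, values in attrs.items():
        lines += [attr_line(attr, v) for v in values]
    return "\n".join(lines) + "\n"


def ldif_modify(dn: str, ops: list[tuple[str, str, list[str]]]) -> str:
    """An ldapmodify record: ops are (add|replace|delete, attr, values), each ended by '-'."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in ops:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modification: {op}")
        lines.append(f"{op}: {attr}")
        lines += [attr_line(attr, v) for v in values]
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ldif_add("dc=mydomain,dc=com", {
        "objectClass": ["dcObject", "organization"], "dc": ["mydomain"], "o": ["mydomain"]}))
    print(ldif_modify("uid=harry,dc=sparcs,dc=net",            # constructed entry
                      [("replace", "cn", ["이대근"]), ("add", "sn", ["Lee"])]))
```

Feed the output to `ldapmodify -x -D <bind DN> -W -f file.ldif` (ldapadd is ldapmodify with add as the default changetype); the `::` form is what keeps a non-ASCII cn intact across the round trip.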

  34. ldapmodrdn • Declare which entry you want to rename (its current DN) • Enter the new RDN • Add -r to remove the old RDN value from the entry; otherwise cn=harry remains as a second cn value

  35. ldapmodrdn: example
      ldapmodrdn -x -D <bind DN> -W -r "cn=harry,dc=sparcs,dc=org" "cn=noname"
      • The entry becomes cn=noname,dc=sparcs,dc=org

  36. User authentication with LDAP

  37. Client • apt-get install libnss-ldap libpam-ldap nss-updatedb nscd ldap-auth-client • Configuration files • /etc/ldap.conf (nss_ldap and pam_ldap: uri, base, binddn) • /etc/auth-client-config/profile.d/ldap-auth-config • /etc/pam.d/ • /etc/nsswitch.conf (passwd: files ldap, group: files ldap, shadow: files ldap) • Use an ldaps:// uri or ssl start_tls with tls_cacertfile in /etc/ldap.conf, otherwise every login sends the password to the server in clear • If a rootbinddn is configured, its password goes in /etc/ldap.secret, owned by root with mode 0600, never in the world-readable /etc/ldap.conf

  38. Server • Automatic migration tools • apt-get install migrationtools • The migrate_*.pl scripts turn /etc/passwd, /etc/group and /etc/hosts into LDIF (posixAccount and posixGroup entries) that ldapadd loads into the directory • The hashes from /etc/shadow end up in userPassword, so the ACL must already restrict that attribute (by self write, by * auth) before the data is loaded

  39. Question?

  40. Web sites & Documentation • http://wiki.kldp.org/wiki.php/LDAP-Tips • A good Korean document explaining how to configure LDAP authentication • http://50001.com/sub/down/ldap.doc • Another good Korean document explaining the general usage of LDAP

  41. I’m very sleepy Thank you
