LDAP
SPARCS 10 이대근 (harry)
Contents
Directory Service
What is LDAP?
Installation
Configuration
ldap-utils
User authentication with LDAP
Question
How can an organization keep one centralized, up-to-date phone book that everybody has access to?
How can SPARCS share login information among all of its servers?
Directory Service
Directory
A directory is a mapping between names and values
Not only the directories of a file system
Directory: examples
Name          Value          Directory
Word          Definition     Dictionary
Name          Phone number   Telephone directory
Domain name   IP address     DNS
Directory service
The software system that stores, organizes and provides access to information in a directory
Directory service vs RDBMS

                  Directory service                          Relational DBMS
Access pattern    Read more often                            Written more often
Redundancy        Data may be redundant if it helps          Data must be unique (in most cases)
                  performance
Namespace         Must                                       May
Missing values    Not null                                   Nullable
X.500
A series of computer networking standards covering electronic directory services
Protocols
DAP: Directory Access Protocol
DSP: Directory System Protocol
DISP: Directory Information Shadowing Protocol
DOP: Directory Operational Bindings Management Protocol
X.500 Directory service
What is LDAP?
LDAP
Lightweight Directory Access Protocol, i.e., Lightweight DAP
A protocol to access directory service through TCP/IP
Designed at the University of Michigan
Directory structure: file system [figure]
Directory structure: LDAP [figure]
Available backend types
Type      Description
bdb       Berkeley DB transactional backend
dnssrv    DNS SRV backend
ldbm      Lightweight DBM backend
ldap      LDAP (Proxy) backend
meta      Meta Directory backend
monitor   Monitor backend
passwd    Provides read-only access to passwd(5)
perl      Perl programmable backend
shell     Shell (external program) backend
sql       SQL programmable backend
Note: current OpenLDAP releases default to the mdb (LMDB) backend; ldbm and bdb have since been removed.
Installation
Installation
Server: apt-get install slapd
Client: apt-get install ldap-utils
Configuration
/etc/ldap/slapd.conf (the server configuration; /etc/ldap/ldap.conf holds the client-side defaults for ldap-utils)
include /etc/ldap/schema/core.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
database bdb
suffix "dc=sparcs,dc=net"
rootdn "cn=DsnManager,dc=sparcs,dc=net"
rootpw {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R
Caution: the rootdn bypasses every ACL, so keep slapd.conf readable only by root and the slapd user, and never put a clear-text rootpw in it. Current Debian/Ubuntu packages configure slapd through cn=config (/etc/ldap/slapd.d) rather than slapd.conf, and use the mdb backend.
slappasswd
Tool for generating a hashed password for rootpw or userPassword
Sample output: {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R
Copy and paste the output into the configuration file. The value above is only an example; generate your own, since anyone who knows the password behind a published hash can bind as rootdn.
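As an added example, not from the slides or from OpenLDAP, here is what slappasswd actually produces for {SSHA} and how slapd checks it on a simple bind, in Python: base64 of SHA-1(password || salt) followed by a 4-byte random salt. The split function is applied to the hash on the slide only to show its salt length; the password behind it is unknown. The salt passed to ssha_hash in the test is a fixed value chosen for reproducibility.

```python
import base64
import hashlib
import hmac
import os

SLIDE_HASH = "{SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R"   # the value shown on the slide


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Produce what slappasswd prints: '{SSHA}' + base64(SHA1(pw || salt) || salt).
    slappasswd draws a 4-byte random salt; a caller may pass one for reproducibility."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str):
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < 20:
        raise ValueError("truncated {SSHA} value")
    return raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; whatever follows is the salt


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password the way slapd does for a simple bind against rootpw or userPassword:
    re-hash with the stored salt and compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("secret")
    print(h)                                   # a fresh {SSHA} value with a random salt
    print(ssha_verify("secret", h), ssha_verify("wrong", h))   # True False
    print(len(ssha_split(SLIDE_HASH)[1]))      # 4
```

{SSHA} is a single SHA-1 with a 4-byte salt, which a GPU can brute-force quickly if the hashes leak; on a current slapd prefer a slow scheme where one is available (OpenLDAP 2.5 ships an {ARGON2} password module, and {PBKDF2-SHA512} is in contrib).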
Access Control List
access to <ENTRY> by <DN> <PERMISSION> [ by <DN> <PERMISSION> … ]
Access Control List: Example
# No permission by default
defaultaccess none
# Granting permission for all entries
access to *
# A user entry can modify itself
  by self write
# An authenticated user can read
  by dn=".+" read
# An anonymous user can read
  by dn="^$$" read
# Else granting no permission
  by * none
In current OpenLDAP the regex form is spelled dn.regex="...", and the two regex lines above are normally written as by users read and by anonymous read.
Access Control List: Example
access to dn=".*,dc=(.*),dc=(.*),dc=net"
  attrs=children,entry,uid
  by dn="cn=Administrator,dc=$1,dc=$2" write
$1 and $2 are the groups captured by the regular expression in the "to" clause; they are expanded into the Administrator DN of the "by" clause.
Caution
No blank around the separator (,):
dn="dc=example,dc=com"   (O)
dn="dc=example, dc=com"  (X)
ACLs are not merged: slapd uses the first "access to" clause whose target matches the entry, and inside it the first matching "by" clause, so the specific rules must precede the general ones.
The more complicated the ACLs, the slower the search results.
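The rule that specific ACLs must precede general ones is easiest to see by running it. The following Python model of slapd's first-match evaluation is an added example, not OpenLDAP code: the ou=private subtree and the two DNs are constructed for illustration, and attrs= selectors, $1/$2 expansion and the rootdn bypass are deliberately not modelled.

```python
import re
from dataclasses import dataclass


@dataclass
class Access:
    """One 'access to <target> by <who> <level> [by ...]' clause.
    target is '*' or an (old-style) regular expression over the entry DN."""
    target: str
    by: list                      # ordered list of (who, level) pairs


def who_matches(who, bind_dn, entry_dn):
    """The <who> part of a 'by' clause; bind_dn == '' means anonymous."""
    if who == "*":
        return True
    if who == "self":                     # the bound user's own entry
        return bind_dn != "" and bind_dn == entry_dn
    if who == "users":                    # modern spelling of dn=".+"
        return bind_dn != ""
    if who == "anonymous":                # modern spelling of dn="^$"
        return bind_dn == ""
    if who.startswith("dn="):             # regular expression over the bind DN
        return re.fullmatch(who[3:], bind_dn) is not None
    raise ValueError("unsupported <who>: %s" % who)


def granted(acl, bind_dn, entry_dn):
    """slapd's evaluation order: the first 'access to' clause whose target matches
    the entry decides; inside it the first matching 'by' decides; no matching 'by'
    means 'none'. A later clause never overrides an earlier one.
    Not modelled: attrs= selectors, $1/$2 expansion, and the rootdn (which bypasses ACLs)."""
    for clause in acl:
        if clause.target == "*" or re.fullmatch(clause.target, entry_dn):
            for who, level in clause.by:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"


# The slide's general policy, using its regex spellings.
GENERAL = Access("*", [("self", "write"), ("dn=.+", "read"), ("dn=^$", "read"), ("*", "none")])
# Constructed for this example: an ou=private subtree readable only by its owners.
PRIVATE = Access(r".*,ou=private,dc=sparcs,dc=net", [("self", "write"), ("*", "none")])

OWNER = "cn=harry,ou=private,dc=sparcs,dc=net"     # constructed DN
OTHER = "cn=hodduc,dc=sparcs,dc=net"               # constructed DN


def private_exposure(acl):
    """What anonymous, another user and the owner get on a private entry."""
    return (granted(acl, "", OWNER), granted(acl, OTHER, OWNER), granted(acl, OWNER, OWNER))


if __name__ == "__main__":
    print("specific first:", private_exposure([PRIVATE, GENERAL]))   # ('none', 'none', 'write')
    print("general first: ", private_exposure([GENERAL, PRIVATE]))   # ('read', 'read', 'write')
```

With the general clause first, "access to *" matches every entry and the private clause is never reached, so anonymous users read the private subtree: that is the misordering the Caution slide warns about.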
ldap-utils
ldap-utils
Common usage: <command> -x -D <bind DN> -W -f <LDIF file>
-D is the DN to bind as (e.g. the rootdn), -W prompts for its password, and -x selects simple authentication (without it the tools attempt a SASL bind). Add -H ldap://host to talk to a server other than the one named in /etc/ldap/ldap.conf.
ldapadd
An LDIF entry starts with its dn, declares which object classes it uses, and supplies every attribute those classes mark as MUST.
ldapadd: example
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
dc: mydomain
o: mydomain
dcObject is an auxiliary class, so the entry also needs a structural class (organization, whose MUST attribute is o), and the dc value must equal the RDN value in the dn; otherwise slapd rejects the entry with an objectClass or naming violation.
ldapsearch: scope (-s base | one | sub)
ldapsearch: filters
(cn=harry)            equality
(cn=h*)               substring
(cn~=pipe)            approximate match
(cn>=harry)           ordering
(&(cn=h*)(cn=*y))     and
(|(cn=h*)(cn=*y))     or
(!(cn=harry))         not
ldapsearch: example
sn=Daniels
givenname=Charlene
ldapmodify
Declare which entry you want to modify:                            dn: cn=harry,dc=sparcs,dc=org
State what kind of change will occur:                              changetype: modify / add / delete
State what kind of modification will occur (if changetype: modify): replace: cn / add: sn / delete: sn
Enter the value of the attribute if necessary:                     cn: hodduc
ldapmodify: example
dn: cn=harry,dc=sparcs,dc=org
changetype: modify
add: cn
cn: hodduc
cn is the naming attribute of this entry, so "replace: cn" with a new value is rejected by slapd as a naming violation (the RDN value must stay present in the entry). Adding a second cn value works; renaming the entry is the job of ldapmodrdn.
ldapmodrdn
Declare which entry you want to modify, then enter the new RDN
ldapmodrdn: example
ldapmodrdn -x -D <bind DN> -W "cn=harry,dc=sparcs,dc=org" "cn=noname"
Add -r to remove the old RDN value (cn: harry) from the renamed entry; without it the old value is kept as an extra cn.
User authentication with LDAP
Client
apt-get install libnss-ldap libpam-ldap nss-updatedb nscd ldap-auth-client
Configuration files:
/etc/ldap.conf
/etc/auth-client-config/profile.d/ldap-auth-config
/etc/pam.d/
/etc/nsswitch.conf
Caution: a simple bind sends the password in clear text, so point the client at ldaps:// or enable STARTTLS before using LDAP for logins.
Server
Automatic migration tools: apt-get install migrationtools
Question?
Web sites & Documentation
http://wiki.kldp.org/wiki.php/LDAP-Tips
Nice Korean document explaining how to configure LDAP authentication
http://50001.com/sub/down/ldap.doc
Also a nice Korean document explaining general usage of LDAP
Thank you
I'm very sleepy