ABSTRACT
Our specialized project topic is: building an Ubuntu network system consisting of an LDAP server, Web Server, Mail Server, DNS, DHCP, File Server and Firewall. By studying the Ubuntu documentation and working through the labs, we built a basic network system in which the LDAP Server serves as the database for the other services (SAMBA, MAIL, WEB, etc.) in a centrally managed environment on the Ubuntu operating system.
CONTENTS
ABSTRACT (p. 1)
ACKNOWLEDGEMENTS (p. 5)
DIVISION OF WORK WITHIN THE GROUP (p. 6)
INTRODUCTION (p. 7)
THEORY PART
PART 1: LDAP (p. 8)
  I. Introduction (p. 9)
  II. Overview of LDAP (p. 10)
  III. LDAP STRUCTURE (p. 11)
    1. Directory tree structure in Unix-like operating systems (p. 11)
    2. Directory Service (p. 11)
    3. LDAP Directory (p. 12)
    4. Distinguished Name (p. 12)
    5. LDAP Schema (p. 12)
    6. Object class (p. 13)
    7. LDIF (p. 13)
    8. LDAP is a message-oriented protocol (p. 13)
PART 2: SAMBA SERVER (p. 16)
  I. Introduction to Samba (p. 16)
  II. Introduction to NFS (Network File System) (p. 17)
  III. Configuring and starting the Samba service (p. 17)
  IV. SAMBA and LDAP (p. 21)
PART 3: MAIL SERVER (p. 22)
  I. Some terminology (p. 22)
    1. MTA (Mail Transfer Agent) (p. 22)
    2. MDA (Mail Delivery Agent) (p. 22)
    3. MUA (Mail User Agent) (p. 22)
    4. SMTP (Simple Mail Transfer Protocol) (p. 22)
    5. POP3 (Post Office Protocol 3) (p. 23)
    6. IMAP (Internet Message Access Protocol) (p. 23)
  II. How an email is sent and received (p. 23)
  III. Postfix (p. 24)
    1. Introduction (p. 24)
    2. Structure of Postfix (p. 24)
      a. Components of Postfix (p. 24)
      b. How messages enter the Postfix system (p. 25)
      c. The Postfix Queue (p. 27)
      d. Mail Delivery (p. 27)
      e. Tracing a Message Through Postfix (p. 29)
    3. Postfix with LDAP (p. 31)
  IV. DOVECOT (p. 31)
    1. Introduction (p. 31)
    2. Basic Dovecot configuration (p. 31)
    3. Dovecot and LDAP (p. 33)
      a. Password lookups (p. 34)
      b. Authentication binds (p. 35)
PART 4: FIREWALL (p. 36)
  I. What is a firewall (p. 36)
  II. Types of firewall (p. 36)
    1. Hardware firewalls: firewalls integrated into routers (p. 36)
    2. Software firewalls: firewalls installed on servers (p. 36)
  III. Why is a firewall needed? (p. 37)
  IV. IPTABLES FIREWALL (p. 37)
    1. Introduction (p. 37)
    2. Structure of iptables (p. 37)
    Packet processing order in iptables (p. 38)
PART 5: DNS SERVER (p. 41)
  I. Introduction (p. 41)
  II. The Reverse Zone File (p. 41)
  III. Master (Primary) Name Servers (p. 41)
  IV. Slave (Secondary) Name Servers (p. 42)
  V. Stealth (a.k.a. DMZ or Split) Name Server (p. 43)
PART 6: WEB SERVER (APACHE) (p. 45)
  I. Introduction (p. 45)
    1. Operating model (p. 46)
    2. URL addresses (p. 46)
  II. Introduction to APACHE (p. 46)
    1. Overview (p. 46)
  III. APACHE AND LDAP (p. 47)
    1. The Authentication Phase (p. 48)
    2. The Authorization Phase (p. 48)
    3. The Require Directives (p. 49)
      a. Require ldap-user (p. 49)
      b. Require ldap-group (p. 50)
      c. Require ldap-dn (p. 51)
      d. Require ldap-attribute (p. 51)
      e. Require ldap-filter (p. 52)
PART 7: DHCP (p. 53)
  I. The role of DHCP in a network system (p. 53)
    1. What is DHCP (p. 53)
    2. How DHCP works (p. 53)
  II. Adding and authorizing the DHCP service (p. 53)
    1. Why use the DHCP service (p. 53)
    2. What is a dynamic IP address? (p. 53)
    3. How dynamic IP addresses are allocated (p. 53)
  III. Configuring the allocation scope of the DHCP service (p. 54)
    1. What is a DHCP scope (p. 54)
    2. Why use a DHCP scope? (p. 54)
  IV. Configuring DHCP reservations and DHCP options (p. 54)
    1. What is a DHCP reservation? (p. 54)
    2. A reserved IP address range includes the following information (p. 54)
    3. What is a DHCP option? (p. 54)
    4. Why use DHCP options? (p. 54)
    5. Some common DHCP options (p. 54)
  V. CONFIGURING THE DHCP Relay Agent (p. 55)
    1. What is a DHCP relay agent? (p. 55)
    2. Why use a DHCP relay agent (p. 55)
  VI. How the DHCP service operates (p. 55)
  I. Preparation (p. 59)
  II. Installing and configuring the LDAP and SAMBA server (p. 59)
  III. Joining Windows XP and Windows 7 clients to the SAMBA system (p. 74)
    1. Creating users on the SAMBA PDC (p. 74)
    2. Joining Windows XP SP2 (p. 75)
    3. Joining Windows 7 (p. 77)
PART 2: MAIL SERVER AND DNS SERVER (p. 79)
  I. Installing and configuring DNS (p. 79)
    1. Installation (p. 79)
    2. Configuring the DNS server (p. 79)
  II. Installing and configuring the Mail server with Postfix and Dovecot (p. 81)
    Installation (p. 81)
    Configuration (p. 83)
PART 4: FTP AND FIREWALL (p. 89)
  I. FTP (p. 89)
    1. Introduction (p. 89)
    2. Installation (p. 89)
    3. Configuring Proftpd with LDAP (p. 90)
  II. FIREWALL (p. 91)
    1. Introduction (p. 91)
    2. Configuring NAT (p. 91)
    3. Inbound NAT for the web server (p. 93)
PART 5: WEB SERVER (p. 94)
  1. Installation (p. 94)
PART 6: CONFIGURING DHCP (p. 98)
Faculty of Science and Technology, Major: Computer Networking
ACKNOWLEDGEMENTS
Our group sincerely thanks Mr. Lu Thanh Tr and Mr. L Hu Ti, the lecturers in charge of supervising our major-track project. Mr. Tr and Mr. Ti helped us with both the theory and the hands-on work so that we could complete this project.
Task
Reading and studying documentation
Hands-on: configuring the LDAP Server and SAMBA server: Hiu
Mail server, file server
Hands-on: configuring DHCP and Firewall: Hu
Cng
Writing and editing the report
Hiu-Hu-Cng
INTRODUCTION
Ubuntu is an open-source operating system built around the Linux kernel and developed by a community. The Ubuntu operating system has the full functionality of a modern operating system and works well on desktops, laptops and server systems. Although it is still young, it is making rapid progress and spreading widely: it is now used extensively around the world and is gradually becoming popular in Vietnam. Ubuntu's history begins in April 2004, when Mark Shuttleworth gathered a group of open-source software developers to create a new operating system. Determined to turn their ideas into reality, these programmers named their group the Warthogs and worked together for six months to produce a proof-of-concept release of the new operating system. They named this first Ubuntu release after the group: Warty Warthog. Building on the solid foundation of the Debian distribution, together with its principles on release timing, the GNOME desktop environment and a strong commitment to freedom, Ubuntu grew within three years into a community of twelve thousand members with an estimated user base of more than eight million (July 2007). In recent years Ubuntu has become known as a friendly desktop operating system, but its server editions have also developed strongly. In this project we deploy a basic network system on Ubuntu platforms, creating a Domain in which Windows and Linux users interact under central management and share resources, and at the same time building an email system within the network.
THEORY PART
PART 1: LDAP
I. Introduction:
LDAP stands for Lightweight Directory Access Protocol (in Vietnamese it may be rendered as: a protocol for fast access to directory services). It is an open standard for accessing directories, or put differently, the language that LDAP servers and clients use to talk to each other. Properties of LDAP:
- It is a message-oriented protocol.
- It is a protocol for searching and accessing directory-style information on a server.
- It is a Client/Server protocol for accessing a directory service, based on the X.500 directory service.
- LDAP runs over TCP/IP or other connection-oriented transports.
- It is an information model that defines the structure and characteristics of the information in the directory.
- It is a namespace that defines how information is referenced and organized.
- It is an operation model that defines references and data distribution.
- It is an extensible protocol: many extension methods are defined for accessing and updating information in the directory.
- It is an extensible information model.
Because LDAP organizes data as a hierarchical directory, it is highly descriptive and optimized for searching. LDAP is called lightweight because it uses packets with low overhead and is defined directly on top of TCP (whereas X.500 is an application protocol that carries much more, such as the network headers wrapped around the packets at each layer before they are sent over the network). LDAP is also considered lightweight because it drops many of the rarely used operations of X.500.
Here we must avoid misreading the word "directory" as a folder or directory on Windows, that is, a directory in the narrow sense of file-system management. In LDAP the word directory has a broader meaning: it covers data structures listed in directory (or catalogue) form, the librarian's "card cabinet", meaning a way of arranging data for the most convenient retrieval. OpenLDAP is an indispensable centralized management model for administrators and for open source; it is the counterpart of AD on Windows Server 2003, both are based on the X.500 and X.509 standards, and both manage the network in a hierarchical logical model.
II. Overview of LDAP:
attr, with each attr recognized as an LDAP Object.
The points above form what is called an LDAP schema, and there is a unified standard for it across applications built on LDAP. This is why LDAP is favoured for storage and for integration with authentication/authorisation components, and why they can be used between LDAP systems from any vendor as long as the vendors follow the common standard. LDAP plays a very important role in implementing SSO (single sign-on). This means that once a person has logged in to one system, they can access the servers, services and resources they are allowed to use without having to authenticate again. Imagine logging on to mail.yahoo.com and then moving on to Yahoo 360, a Yahoo mailing list and so on without having to authenticate the account again. Imagine Yahoo having still other services, with each Yahoo account stored in only one place and all services sharing one LDAP directory that holds the accounts used to authenticate users. Now imagine Yahoo having 1000 servers and 1000 /etc/passwd files to maintain. Furthermore, LDAP was built specifically for the "read" operation. Authenticating a user through an LDAP "lookup" is therefore fast, efficient, light on resources and simpler than querying a user account in a relational database.
III. LDAP STRUCTURE:
2. Directory Service
This is a kind of service that can reside on the client or on the server. Some people, however, confuse a Directory service with a database. Although the two share some functions, such as supporting data searches and holding system configuration files, a Directory service is designed to be read from far more than written to, whereas a Database provides continuous read and write access.
3. LDAP Directory
The basic component of an LDAP directory is the ENTRY, which holds all the information about one object. Each entry has a distinctive name called its DN (Distinguished Name). Each entry is a set of attributes, and each attribute describes one characteristic of the object. An attribute has a type and one or more values: the type describes the kind of information held, and the values are the actual data.
4. Distinguished Name
The Distinguished Name (DN) is the name of an entry in LDAP. The DN shows how you refer to entries in the directory; two different entries in the directory have two different DNs. The name of an LDAP entry is formed by joining the names of each parent entry in turn up to the root, much like a path in a file system. Example: uid=John, ou=people, dc=abc, dc=com
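As an added illustration (example code written for this page, not part of the report), the following Python builds the example DN above from its RDN components and parses a DN string back into components, escaping the characters that RFC 4514 reserves inside a value. Unescaped separators are what turn a user-supplied name like "Smith, John" into a DN with an extra component, so the escaping is the security-relevant part. The value with a comma is a constructed sample.

```python
"""RFC 4514 distinguished-name handling (added example, not from the report).

Builds uid=John,ou=people,dc=abc,dc=com from its RDN components, escapes
characters that are special inside an attribute value, and parses a DN
string back into (attribute, value) pairs. Multi-valued RDNs joined with
'+' are not split; a '+' inside a value is escaped on the way out.
"""

# Characters RFC 4514 requires escaping anywhere inside an attribute value.
_SPECIAL = set(',+"\\<>;=')


def escape_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)               # backslash-escape separators and quotes
        elif ch == " " and i in (0, last):
            out.append("\\ ")                   # leading/trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")                   # leading '#' would be read as hex encoding
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in rdns)


def parse_dn(dn: str):
    """Split a DN string into (attribute, value) pairs, honouring backslash escapes."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])               # an escaped character is literal
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()         # first unescaped '=' ends the attribute type
            buf = []
        elif ch == ",":
            rdns.append((attr, "".join(buf)))   # unescaped ',' ends this RDN
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr, "".join(buf)))
    return rdns


def parent_dn(dn: str) -> str:
    """DN of the entry's parent in the tree (empty string at the root)."""
    return build_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    dn = build_dn([("uid", "John"), ("ou", "people"), ("dc", "abc"), ("dc", "com")])
    print(dn, "->", parse_dn(dn), "parent:", parent_dn(dn))
    print(build_dn([("cn", "Smith, John"), ("dc", "abc")]))
```

The parser treats only an unescaped comma as an RDN separator, so a value that went through escape_value round-trips intact, which is the property to check whenever DNs are assembled from external input.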
5. LDAP Schema
It sets up descriptions of which kinds of data may be stored, which helps manage data quality consistently and reduces duplicated data. An LDAP Schema specifies the following:
- Which attributes are required.
- Which attributes are allowed.
- How attributes are compared.
- Limits on which attributes can be stored.
- Which attributes are forbidden from being stored or backed up.
6. Object class
This is the tool used to group information together. An objectclass provides the following:
- Required attributes.
- Allowed attributes.
- Easy retrieval of a group of information.
An entry must have an objectclass and may have several objectclasses. The objectclasses in the LDAP standard are: Groups in the directory, Locations, Organizations in the directory, People in the directory.
7. LDIF
Short for LDAP Interchange Format. It is used to add new data to the directory or to change existing data. It is a standard text-file format for storing LDAP configuration information and directory contents. A typical LDIF file has the following form:
- Each entry is separated from the next by a blank line.
- Attribute names are given alongside their values.
- A set of syntax rules says how the information is to be processed.
Data in an LDIF file follows the rules of the LDAP Directory's schema, so every element added to or changed in the directory is checked against the schema to ensure correctness.
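The following Python is an added example (not code from the report): a minimal LDIF reader that splits entries on blank lines, unfolds continuation lines and decodes base64 values, followed by the kind of schema check the paragraph describes, applied before the entries are loaded. The schema table and the LDIF text are constructed for the example; a real server takes its schema from its own configuration.

```python
"""Minimal LDIF reader plus a schema consistency check (added example).

The schema table below is a constructed, deliberately tiny stand-in for
the server's real schema: objectClass -> (must, may) attribute sets.
"""
import base64

SCHEMA = {
    "top": ({"objectClass"}, set()),
    "person": ({"cn", "sn"}, {"userPassword", "description"}),
    "inetOrgPerson": (set(), {"uid", "mail"}),
    "organizationalUnit": ({"ou"}, {"description"}),
}

# Constructed sample: two valid entries and one that violates the schema.
SAMPLE_LDIF = """\
dn: ou=people,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=John,ou=people,dc=abc,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: John
sn: Smith
uid: John
mail: john@abc.com
description:: aGVsbG8=

dn: uid=bad,ou=people,dc=abc,dc=com
objectClass: top
objectClass: person
cn: bad
telephoneNumber: 123
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values], in file order."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def check_entry(entry):
    """List the schema problems of one entry (empty list means it is valid)."""
    problems = []
    if "dn" not in entry:
        problems.append("missing dn")
    classes = entry.get("objectClass", [])
    if not classes:
        problems.append("missing objectClass")
    must, may = set(), set()
    for oc in classes:
        if oc not in SCHEMA:
            problems.append(f"unknown objectClass {oc}")
            continue
        must |= SCHEMA[oc][0]
        may |= SCHEMA[oc][1]
    present = set(entry) - {"dn"}
    for attr in sorted(must - present):
        problems.append(f"required attribute {attr} missing")
    for attr in sorted(present - must - may):
        problems.append(f"attribute {attr} not allowed by objectClasses")
    return problems


def check_ldif(text):
    """Map each dn to its problems so a batch can be rejected before loading."""
    return {e.get("dn", ["?"])[0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

Running it reports the third entry as missing the required sn attribute and carrying telephoneNumber, which none of its object classes allow, which is exactly the check a server applies when the LDIF is imported.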
The figure illustrates the message-oriented search operation of LDAP. A client is allowed to issue several request messages at the same time. In LDAP, the message ID distinguishes the client's requests and the results the server returns. Allowing several messages to be processed concurrently makes LDAP more flexible than other protocols. For example, in HTTP each request from the client must be answered before another request is sent, so an HTTP client program such as a web browser that wants to download several files at once has to open a separate connection for each file, whereas LDAP handles all operations over a single connection.
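To make the message-ID mechanism concrete, here is an added example (not from the report) in Python that hand-encodes the BER envelope of an LDAP message as RFC 4511 defines it (LDAPMessage is a SEQUENCE of a messageID INTEGER and the protocol operation), decodes it again, and matches responses that arrive out of order back to the outstanding request with the same ID, which is what lets several operations share one connection. The bind DN and password are constructed sample values.

```python
"""LDAPMessage envelope encoding and message-ID correlation (added example).

Only the envelope and a simple bind request/response are encoded; enough
to show how a client tells which reply belongs to which request.
"""


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value: int) -> bytes:
    # Minimal two's-complement encoding of a non-negative INTEGER.
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return tlv(0x30, ber_integer(message_id) + protocol_op)


def bind_request(message_id: int, dn: bytes, password: bytes) -> bytes:
    """BindRequest ::= [APPLICATION 0] { version 3, name, simple [0] password }."""
    op = ber_integer(3) + ber_octets(dn) + tlv(0x80, password)
    return ldap_message(message_id, tlv(0x60, op))


def bind_response(message_id: int, result_code: int) -> bytes:
    """BindResponse ::= [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    op = tlv(0x0A, bytes([result_code])) + ber_octets(b"") + ber_octets(b"")
    return ldap_message(message_id, tlv(0x61, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV starting at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_envelope(msg: bytes):
    """Return (messageID, protocolOp tag) of one LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    id_tag, id_body, pos = read_tlv(body)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(id_body, "big", signed=True), op_tag


def correlate(pending: dict, received: list) -> dict:
    """Match each received message to the outstanding request with its messageID.

    pending maps messageID -> description of the request still awaiting a reply;
    a reply whose ID was never sent is reported instead of silently accepted.
    """
    matched = {}
    for raw in received:
        mid, op_tag = parse_envelope(raw)
        matched[mid] = (pending.get(mid, "UNSOLICITED"), op_tag)
    return matched


def demo():
    pending = {1: "bind cn=admin,dc=abc,dc=com", 2: "bind uid=John,ou=people,dc=abc,dc=com"}
    # Server answers request 2 before request 1; both replies share one connection.
    wire = [bind_response(2, 49), bind_response(1, 0)]   # 49 = invalidCredentials, 0 = success
    return correlate(pending, wire)


if __name__ == "__main__":
    print(bind_request(1, b"cn=admin,dc=abc,dc=com", b"secret").hex())
    print(demo())
```

The demo shows request 1 and request 2 outstanding at once and the replies returning in the opposite order; the client still attributes each result correctly because it keys on the messageID rather than on arrival order.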
Utilities of the Samba service:
- smbadduser: create a Samba account.
- smbpasswd: change Samba account information.
- smbclient: access an SMB service.
- smbstatus: monitor current connections.
II. Introduction to NFS (Network File System):
III. Configuring and starting the Samba service:
[global]) contains the declarations for one shared resource. A section begins with the section name (share_name, enclosed in square brackets []), followed by the parameter declarations of that section, one per line, in the form name = value (note that section and parameter names are case-insensitive); lines beginning with ; or # are comments. The smb.conf file has three special predefined sections: [global], [homes] and [printers]. Parameters determine the attributes of a section. The [global] section may contain any parameter. Some parameters may only be declared in [global]. Some may be used in any section. And some may only be declared in ordinary share sections.

The [global] section: the parameters in this section apply globally to the whole service, and some of them also serve as defaults for sections that do not declare them explicitly. This section must be placed at the top of the configuration file /etc/samba/smb.conf. Basic parameters in [global] that need to be configured include:
- workgroup: the name of the workgroup to be shown on the network. On Windows this name appears in the Network Neighborhood window.
- hosts allow: the network or host addresses permitted to access the Samba service. Addresses in the list are separated by a space.
- encrypt passwords: default yes. With this parameter Samba encrypts passwords in a way compatible with Windows's encryption. Without password encryption, users can only use Samba between Linux machines, or must reconfigure the Windows machines if they want to use the Samba service on Linux.
- smb passwd file: if encrypt passwords = yes, this parameter specifies the file holding the encrypted passwords. Default /etc/samba/smbpasswd.
- username map: the file holding the aliases for a system account. Default /etc/samba/smbusers.
- printcap file: lets Samba load printer descriptions from the printcap file. Default /etc/printcap.
- security: determines how machines answer the Samba service. The default is user, the value needed when connecting to Windows machines.

Example declarations in [global]:

    [global]
    # workgroup = domain name or workgroup name
    workgroup = SMB-GROUP
    # only allow machines on the local network to connect
    hosts allow = 172.16.10. 127.0.0.1
    # have Samba use a separate log file for each connecting machine
    log file = /var/log/samba/%m.log
    # security mode
    security = user
    # encrypt passwords for compatibility with Windows
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    # a Unix user may use several SMB login names
    username map = /etc/samba/smbusers

The [homes] section: [homes] defines the default controls for remote users' access to their home directories over SMB. When a connection request arrives, Samba checks the existing sections; if one matches the request, it is used. If none matches, the requested section name is treated as a user account name and looked up in Samba's password file. If the account exists (and the password is correct), a resource is created based on the [homes] section. Example declarations in [homes]:

    [homes]
    comment = Home Directories
    browseable = no
    writeable = yes

Note: if no path parameter is declared in [homes], the path is set to the user's home directory. If this section allows guest access, every user's home directory becomes freely accessible to everyone.

The [printers] section: like [homes] but reserved for printers. When a connection request arrives, Samba checks the existing sections; if one matches, it is used. If none matches but [homes] exists, the request is handled as described above. Otherwise the requested section name is also treated as a printer name and Samba searches the corresponding printcap file to determine whether the requested name is valid. If it is, a share is created based on [printers]. Example declarations in [printers]:

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    public = yes
    printable = yes

Beyond the three special sections above, to create other shares the user adds further sections declaring those resources. Sections for shares such as directories on the system are usually placed after [homes] and [printers] and may have any name. Parameters commonly declared in share sections in /etc/samba/smb.conf include:
- comment: a free-form description of the resource shared on the network.
- path: the path of the directory on the file system that the share refers to.
- public: yes or no. With public = yes, Samba lets every user access the share.
- browseable: yes or no. With browseable = yes the shared directory is visible on the network. Default yes.
- valid users: the list of users allowed to access the share. User names are separated by spaces or commas; group names are prefixed with @.
- invalid users: the list of users not allowed to access the share. User names are separated by spaces or commas; group names are prefixed with @.
- writeable: yes or no. With writeable = yes users may write to the shared directory.
- write list: the list of users/groups with write permission on the shared directory. A group name must be preceded by @.
- printable: yes or no. With printable = yes users may access the print service.
- create mask: sets the permissions on files/directories created inside the share. Default 0744.

The example below shares a resource named mydoc (the directory /home/shired on the system) with the two accounts allan and piter and with the members of the group staff:

    [mydoc]
    path = /home/shired
    public = no
    valid users = allan piter @staff
    writable = yes
    create mask = 0766

Notes: the directory shared on the network must grant matching permissions to the users. Parameters given in a share section take precedence over those set in [global]. In smb.conf a number of substitution variables may be used, such as %m (the NetBIOS name of the client machine), %S (the name of the current service, if any) and %u (the name of the current user, if any). Example: path = /home/%u is interpreted as path = /home/foo when account foo connects.

Starting the Samba service: after every change to /etc/samba/smb.conf the user must restart the Samba service so that the new configuration is loaded. To restart the Samba service, run:

    # /etc/rc.d/init.d/smb restart | start | stop
IV. SAMBA and LDAP:
SAMBA can store the login information of users, printers, object files and so on in one of three forms, selected with the passdb backend key:
- A flat text file
- A trivial database (tdb) file
- An LDAP directory service
II.
In Figure 1, e-mail client peter@a.de composes a message with an MUA and sends it to e-mail client tim@b.de. The MDA of the domain hands it to the MTA of domain a.de, which checks its policies and, if they are satisfied, accepts the mail. Next, the MTA of a.de queries DNS for the MX record of domain b.de; the returned record gives the IP address of the MTA of b.de. With the DNS answer, the MTA of a.de connects to the MTA of b.de on the SMTP port (25) to send the mail. The HELO/EHLO exchange and the policy checks (PTR, SPF, blacklists, ...) take place. Once these pass, the MTA of b.de accepts the mail and hands it to the MDA of b.de, which delivers it to the end users of b.de. End user tim@b.de then uses an MUA to retrieve and read the mail.
III.
...each Postfix program works separately; see Figure 2 to see the three tasks of Postfix clearly.
Figure 3 - Local Email Submission

Email From Network: Figure 4 below illustrates the path of a network email message entering the Postfix system. A message received from the network is accepted by the Postfix smtpd daemon. smtpd performs checks and can be configured to allow clients to relay email through the server or to refuse them. smtpd passes the message to the cleanup daemon, which performs its checks, fills in the message's information and then places it in the incoming queue. The queue manager then calls the appropriate MDA to deliver the message.
Figure 4 - Email from network

Postfix Email Notifications: when a message is deferred or cannot be delivered, Postfix uses the defer or bounce daemon to create an error message. The error message is not passed to the cleanup daemon; it is checked as usual before being placed in the incoming queue.

Email Forwarding: sometimes, after processing a message, Postfix discovers that the recipient address actually points to another address on another system. Postfix could simply hand the message to the smtp client for direct delivery, but to ensure that all recipients are processed and logged accurately, Postfix resubmits the message as a new message, which is then processed like a locally submitted message.
d. Mail Delivery:
Postfix uses address class definitions to determine which destinations it accepts mail for and how to deliver it. The main address classes are: local, virtual alias, virtual mailbox and relay. Destinations that are not in any of these classes are
delivered over the network by the smtp client. Based on these address classes, the queue manager calls the appropriate delivery agent to handle the message.

Local Delivery: the local delivery agent handles mail for users who have a shell account on the system Postfix runs on. Domain names for local delivery are listed in the mydestination parameter. Messages sent to any mydestination domain are delivered to the individual user's shell account. Put simply, the local delivery agent delivers the email message to the local message store. When a message is forwarded elsewhere, it is handed back to Postfix to be delivered to the new address. If an error occurs, the delivery agent tells the queue manager to mark the message for a later retry, and it is kept in the deferred queue.

Virtual Alias Messages: virtual alias messages are emails forwarded to another address. Example: user tom has the address tom@hoasen.net and also an alias tom.weslly@hoasen.com; when mail is sent to tom.weslly@hoasen.com, Postfix checks and finds that the recipient's real address is tom@hoasen.net, and resubmits the mail to tom@hoasen.net. Virtual alias domain names are defined in the virtual_alias_domains parameter, and the users and their real addresses are defined in the lookup table named in virtual_alias_maps.

Virtual Mailbox Messages: the virtual delivery agent handles sending and receiving mail for virtual mailbox addresses. These mailboxes are not linked to any user (shell account) on the system. The domain names and users of virtual mailboxes are defined in the two parameters virtual_mailbox_domains and virtual_mailbox_maps.

Relay Messages: the smtp delivery agent handles mail for relay domains. Addresses in a relay domain are stored on another system, but Postfix accepts the messages and forwards them to the correct
system that stores the mail. Relay domain names are declared in the relay_domains parameter. Note: besides the delivery agents described above, Postfix supports other delivery agents; delivery agents are defined in the master.cf file.
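An added example, not from the report or from Postfix: a small classifier that applies the address-class rules above to a recipient address and returns the delivery steps, using constructed main.cf settings and lookup tables; the alias hop limit, the local user list and the table contents are assumptions of this example.

```python
"""Added example (not from the report or from Postfix): classify a recipient
address into one of the address classes above and list its delivery steps."""

# Constructed main.cf-style settings: hoasen.net is delivered locally,
# hoasen.com is a virtual alias domain, vmail.example a virtual mailbox domain
# and partner.example a relay domain.
MAIN_CF = {
    "mydestination": {"hoasen.net", "mail.hoasen.net", "localhost"},
    "virtual_alias_domains": {"hoasen.com"},
    "virtual_mailbox_domains": {"vmail.example"},
    "relay_domains": {"partner.example"},
}
# Constructed lookup tables standing in for virtual_alias_maps / virtual_mailbox_maps.
VIRTUAL_ALIAS_MAPS = {"tom.weslly@hoasen.com": "tom@hoasen.net",
                      "loop@hoasen.com": "loop@hoasen.com"}   # deliberate alias loop
VIRTUAL_MAILBOX_MAPS = {"bob@vmail.example": "vmail.example/bob/"}
LOCAL_USERS = {"tom", "helene"}          # shell accounts on this system (constructed)
MAX_ALIAS_HOPS = 5                       # assumed guard against alias loops

CLASS_ORDER = (("local", "mydestination"),
               ("virtual_alias", "virtual_alias_domains"),
               ("virtual_mailbox", "virtual_mailbox_domains"),
               ("relay", "relay_domains"))


def address_class(addr, cf=MAIN_CF):
    """Return the address class of addr, or 'default' for remote destinations."""
    domain = addr.rsplit("@", 1)[1].lower()
    for cls, parameter in CLASS_ORDER:
        if domain in cf[parameter]:
            return cls
    return "default"


def route(addr, hops=0):
    """Return the (class, agent, detail) steps Postfix would take for addr."""
    if hops > MAX_ALIAS_HOPS:
        return [("error", "bounce", "too many alias rewrites for %s" % addr)]
    cls = address_class(addr)
    localpart, domain = addr.lower().split("@", 1)
    if cls == "local":
        if localpart in LOCAL_USERS:
            return [(cls, "local", "deliver to message store of %s" % localpart)]
        return [(cls, "bounce", "unknown local user %s" % localpart)]
    if cls == "virtual_alias":
        target = VIRTUAL_ALIAS_MAPS.get(addr.lower())
        if target is None:
            return [(cls, "bounce", "no alias for %s" % addr)]
        # the rewritten message is resubmitted and classified again
        step = (cls, "resubmit via cleanup", "rewrite %s -> %s" % (addr, target))
        return [step] + route(target, hops + 1)
    if cls == "virtual_mailbox":
        box = VIRTUAL_MAILBOX_MAPS.get(addr.lower())
        if box is None:
            return [(cls, "bounce", "unknown virtual mailbox %s" % addr)]
        return [(cls, "virtual", "mailbox %s" % box)]
    if cls == "relay":
        return [(cls, "smtp", "relay to the system that stores %s" % domain)]
    return [(cls, "smtp", "look up the MX of %s and deliver" % domain)]
```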
Figure 5 - Tracing a Message 1

Because Helene has an account on the system, the mail is submitted with the postdrop command and placed in the maildrop directory; the pickup, cleanup and trivial-rewrite daemons fill in the information the message needs and it is placed in the incoming queue by the queue manager. The message then moves to the active queue, and because its destination lies outside the system,
the queue manager calls the smtp delivery agent to send it. The smtp agent queries DNS for the address of the mail server of domain postfix.org and sends the mail.
Figure 6 - Tracing a Message 2

Figure 6 shows the smtp daemon of domain postfix.org receiving the mail from the smtp daemon of domain oreilly.com. The mail is checked in turn by the cleanup and trivial-rewrite daemons before being placed in the incoming queue; it then moves to the active queue, and the queue manager sees that it must call the local delivery agent. The local delivery agent finds that frank is an alias, resubmits the mail through the cleanup daemon and sends it on to the new address.
Figure 7 - Tracing a Message 3

In Figure 7 the receiving steps are the same as in Figure 6 up to the point where the local delivery agent is called to deliver the mail to the recipient; the local delivery agent checks it, finds it valid and stores it in the message store for the recipient.
3. Postfix with LDAP:
Postfix can use an LDAP directory as the data source for every Postfix lookup, such as alias, virtual and canonical. This helps keep the information about email accounts safe and better protected. Because no information is stored locally, many mail servers can share one information store without the delays of updating data on each server. For Postfix to work with an LDAP directory, the postfix-ldap package must be installed:

apt-get install postfix-ldap

You also need to declare in main.cf which protocol Postfix should use for the lookup, for example:

alias_maps = ldap:/etc/postfix/ldap-aliases.cf

The file ldap-aliases.cf must declare the following:

server_host = ldap.example.com    # address of the LDAP server
search_base = dc=example, dc=com
query_filter = (mail=%s)          # attribute used for the search
result_attribute = maildrop       # attribute returned
IV.
2. Dovecot configuration basics:
To configure Dovecot you edit the file /etc/dovecot/dovecot.conf
First choose the protocols Dovecot will support with the following setting:

protocols = pop3 pop3s imap imaps

Next choose the mailbox format Dovecot uses:

mail_location = maildir:~/Maildir                        # (for maildir)
or
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u     # (for mbox)

Note: the MTA must be configured to use the same mailbox format chosen here. These are the basic settings you should learn; you should also understand Dovecot's authentication databases.

Authentication Databases: Dovecot supports the following kinds of authentication database:
- Passwd: System users (NSS, /etc/passwd, or similar)
- Passwd-file: /etc/passwd-like file in specified location
- LDAP: Lightweight Directory Access Protocol
- SQL: SQL database (PostgreSQL, MySQL, SQLite)
- VPopMail: External software used to handle virtual domains

These databases hold the user and password information of the mail accounts; Dovecot calls them password databases and user databases.

Password Databases: Dovecot authenticates users against the password databases, and several password databases can be used at once. If the check against the first database does not match, Dovecot continues with the second. This is convenient when you want to support both local users and virtual users.

Success/failure databases: databases of this kind simply check whether the supplied password is correct; Dovecot does not obtain the password from the database, only a success or failure result. The databases of this kind are:
Lookup databases: there are two kinds of lookup database. Databases that only support looking up the password, without extended user information:
- Passwd: System users (NSS, /etc/passwd, or similar).
- Shadow: Shadow passwords for system users (NSS, /etc/shadow or similar).
- VPopMail: External software used to handle virtual domains.
Databases that support looking up all information:
- Passwd-file: /etc/passwd-like file in specified location.
- LDAP: Lightweight Directory Access Protocol.
- SQL: SQL database (PostgreSQL, MySQL, SQLite).

User Databases: after a user has authenticated successfully, Dovecot looks up the user's information; the lookup is also performed by the delivery agent to find what it needs to deliver mail to the user. The information looked up is:
- uid: User's UID (UNIX user ID)
- gid: User's GID (UNIX group ID)
- home: Home directory
- mail: Mail location (when found, the returned value replaces the mail_location setting)
The user databases supported by Dovecot are:
- Passwd: System users (NSS, /etc/passwd, or similar)
- Passwd-file: /etc/passwd-like file in specified location
- NSS: Name Service Switch (v1.1+)
- LDAP: Lightweight Directory Access Protocol
- SQL: SQL database (PostgreSQL, MySQL, SQLite)
- Static: Userdb information generated from a given template
- VPopMail: External software used to handle virtual domains
- Prefetch: This assumes that the passdb already returned also all the required user database information
3. Dovecot and LDAP:
As shown above, Dovecot can use LDAP as its authentication database.
a. Password lookups:
Advantages of password lookups over authentication binds:
- Faster, because Dovecot can send several LDAP requests to the server at once, whereas with authentication binds it must wait for one request to complete before sending the next.
- Non-plaintext authentication mechanisms are supported.
- When using the delivery agent with a static userdb, delivery can check whether the user exists; with authentication binds this is not possible.

LDAP server permissions: normally the LDAP server does not let any user read other users' passwords, so you need to create an administrator account that may read the userPassword field, by adding the following line to /etc/ldap/slapd.conf:

# there should already be something like this in the file:
access to attribute=userPassword
    by dn="<dovecot's dn>" read    # just add this line
    by anonymous auth
    by self write
    by * none

Replace "<dovecot's dn>" with the DN you declare in dovecot-ldap.conf.

Dovecot configuration: the two important settings for password lookups are:
- pass_filter: the LDAP filter used to find the user.
- pass_attrs: the attributes returned by the LDAP server. If empty, all attributes are returned.

Usually the LDAP attribute names do not coincide with the field names Dovecot uses, so they must be mapped to each other with the form <ldap attribute>=<dovecot field>. Example: pass_attrs = uid=user, userPassword=password

Here is an example configuration in the file dovecot-ldap.conf:

auth_bind = no
pass_attrs = uid=user, userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = MD5
b. Authentication binds:
Advantages:
- The LDAP server verifies the password, so Dovecot does not need to know the storage format of the password.
- Slightly more secure, because there is no need to create a Dovecot user that can read the passwords of every user on the LDAP server.

Authentication binds are enabled with the setting auth_bind=yes. Example:

auth_bind = yes
pass_attrs = uid=user
pass_filter = (&(objectClass=posixAccount)(uid=%u))
auth_bind_userdn = cn=%u,ou=people,o=org
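An added example, not code from the report or from Dovecot: it applies the pass_filter, pass_attrs and auth_bind_userdn settings above to a login against a constructed directory entry, escaping the username per RFC 4515 (filters) and RFC 4514 (DNs) before substituting it for %u; the directory contents and the minimal filter evaluator are assumptions of this example.

```python
"""Added example (not from the report or from Dovecot): apply the pass_filter,
pass_attrs and auth_bind_userdn settings above to a login, escaping the
username before it is substituted for %u."""
import re

# Constructed dovecot-ldap.conf fragments matching the two variants above.
LOOKUP_CONF = {"auth_bind": "no",
               "pass_attrs": "uid=user, userPassword=password",
               "pass_filter": "(&(objectClass=posixAccount)(uid=%u))"}
BIND_CONF = {"auth_bind": "yes",
             "pass_attrs": "uid=user",
             "pass_filter": "(&(objectClass=posixAccount)(uid=%u))",
             "auth_bind_userdn": "cn=%u,ou=people,o=org"}

# Constructed directory content standing in for the LDAP server's answers.
DIRECTORY = {
    "uid=alice,ou=people,o=org": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "userPassword": ["{MD5}constructed-hash"], "mail": ["alice@example.com"]},
}

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_DN_SPECIAL = ',+"\\<>;='


def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot change the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed into a DN (auth_bind_userdn)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def build_filter(template, username):
    """Substitute the escaped username for %u in pass_filter."""
    return template.replace("%u", escape_filter_value(username))


def parse_pass_attrs(spec):
    """'uid=user, userPassword=password' -> {'uid': 'user', 'userPassword': 'password'}."""
    mapping = {}
    for item in spec.split(","):
        if item.strip():
            ldap_attr, dovecot_field = item.split("=", 1)
            mapping[ldap_attr.strip()] = dovecot_field.strip()
    return mapping


def search(directory, ldap_filter):
    """Minimal evaluator for AND filters of equality terms, as used above."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)
    return [dn for dn, entry in directory.items()
            if all(want in entry.get(attr, []) for attr, want in terms)]


def password_lookup(conf, directory, username):
    """auth_bind = no: return the mapped fields, including the password hash."""
    matches = search(directory, build_filter(conf["pass_filter"], username))
    if len(matches) != 1:          # Dovecot needs exactly one matching entry
        return None
    entry = directory[matches[0]]
    return {field: entry[attr][0]
            for attr, field in parse_pass_attrs(conf["pass_attrs"]).items() if attr in entry}


def bind_dn(conf, username):
    """auth_bind = yes: the DN Dovecot binds with for this user."""
    return conf["auth_bind_userdn"].replace("%u", escape_dn_value(username))
```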
PART 4: FIREWALL
I.
-
FireWall l g :
The term firewall comes from a building design technique used to stop or limit the spread of fire. In network technology, a firewall is a technique integrated into a network system to counter unauthorized access, in order to protect internal information sources and to limit the entry of other, unwanted information into the system. An Internet firewall is a set of devices (hardware and software) placed between the network of an organization, a company or a country (the Intranet) and the Internet. In some cases a firewall may be set up within the same internal network to isolate security zones. For example, the model below shows a firewall separating the computer room, the users and the Internet.
II.
Characteristics of hardware firewalls: less flexible than software firewalls (functions and rules cannot be added as with a software firewall). A hardware firewall operates at lower layers than a software firewall (the Network and Transport layers). A hardware firewall cannot inspect the contents of packets. Example of a hardware firewall: NAT (Network Address Translation).
Characteristics of software firewalls: highly flexible, as rules and functions can be added and removed. A software firewall operates at a higher layer than a hardware firewall (the application layer).
A software firewall can inspect the contents of packets (through keywords). + Examples of software firewalls: ISA, iptables
III. Why is a Firewall needed?
If your computer is not protected when you connect to the Internet, all traffic in and out of the network is allowed, so hackers, trojans and viruses can reach the computer and steal your personal information. They can install code to attack the data files on the computer, and they can use your computer to attack another home or business computer connected to the Internet. A firewall can rid you of malicious packets before they reach your system.

Main functions of a firewall: the main function of a firewall is to control the flow of information between the Intranet and the Internet, establishing a mechanism to control the information flowing between the internal network (Intranet) and the Internet. Specifically:
- Allow or deny services accessing outward (from the Intranet to the Internet).
- Allow or deny services accessing inward (from the Internet to the Intranet).
- Monitor the flow of network data between the Internet and the Intranet.
- Control access addresses; block access addresses.
- Control users and their access.
- Control the content of information travelling over the network.
IV. IPTABLES FIREWALL:
1. Introduction:
In a Linux environment the most common and basic firewall software is iptables; through it you can easily understand how a firewall system works in general.
2. Iptables Structure:
Iptables basically consists of three tables, FILTER, MANGLE and NAT, and the chains within each table; with these the administrator can create rules that allow packets into and out of the system (protected by iptables) as desired. Their specific functions are as follows.

Mangle: used to modify the QoS (quality of service) bits in the TCP header of a packet.

Filter: as its name says, it filters packets; it contains the built-in chains:
- Forward chain: filters packets passing through the system (on their way to another system).
- Input chain: filters packets entering the system.
- Output chain: packets leaving the system.

Nat: rewrites packet addresses; it contains the built-in chains:
- Pre-routing: rewrites the destination address of a packet before it is routed by the system's routing table (destination NAT, or DNAT).
- Post-routing: the opposite of Pre-routing; it rewrites the source address of a packet after it has been routed by the system (SNAT).

Every rule you create must belong to some chain and table. If you do not specify a table, iptables defaults to the FILTER table.
...packets by the following rules.
- REJECT: works like DROP, but also sends an error message to the host that sent the packet.
- DNAT: rewrites the destination address of the packet.
- SNAT: rewrites the source address of the packet.
- MASQUERADE: another way of rewriting the source address of the packet.
To build rules you need to use options that define the match conditions. Some common options follow.
- -t: names the table the rule is written to (default FILTER).
- -j: jump to the corresponding target, as defined above, if the match conditions are satisfied.
- -A: append the rule to the end of a chain.
- -p: match the packet's protocol.
- -s: match the packet's source address.
- -d: match the packet's destination address.
- -i: match the name of the network interface through which the packet enters the system.
- -o: match the name of the network interface through which the packet leaves the system.
- -p tcp --sport: match the source port of a TCP packet.
- -p tcp --dport: match the destination port of a TCP packet.
- -p udp --sport: match the source port of a UDP packet.
- -p udp --dport: match the destination port of a UDP packet.
- --syn: match only packets that request a new TCP connection.
- --icmp-type: match the ICMP type (echo-reply or echo-request).
- -m multiport --sports <port,port>: match a set of source ports.
- -m multiport --dports <port,port>: match a set of destination ports.
- -m multiport --ports <port,port>: match a set of ports (source or destination).
- -m state --state <state>: match the connection state the packet belongs to:
  - ESTABLISHED: the packet belongs to an already established connection.
  - NEW: the packet is a request for a new connection.
  - RELATED: the packet is a request for a second connection related to the first (typical of protocols such as FTP or ICMP).
  - INVALID: the packet is invalid.
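An added example (not from the report): a first-match evaluator for INPUT-chain rules written with the options above, so that a ruleset can be checked against sample packets before it is loaded; the ruleset and packets are constructed for this example, and only the filter table and the listed options are modelled.

```python
"""Added example (not from the report): first-match evaluator for filter-table
INPUT rules written with the options listed above."""
from collections import namedtuple
import ipaddress
import shlex

Packet = namedtuple("Packet", "proto src dst in_if sport dport state syn")
Rule = namedtuple("Rule", "chain matches target")


def parse_rule(cmdline):
    """Parse the subset of 'iptables -A CHAIN ... -j TARGET' syntax used in the text."""
    args = shlex.split(cmdline)
    if args and args[0] == "iptables":
        args = args[1:]
    chain, target, matches, i = None, None, {}, 0
    while i < len(args):
        opt = args[i]
        if opt == "-t":                      # only the filter table is modelled
            if args[i + 1] != "filter":
                raise ValueError("only -t filter is supported")
            i += 2
        elif opt == "-A":
            chain, i = args[i + 1], i + 2
        elif opt == "-j":
            target, i = args[i + 1], i + 2
        elif opt in ("-p", "-s", "-d", "-i", "--sport", "--dport"):
            matches[opt], i = args[i + 1], i + 2
        elif opt == "-m" and args[i + 1] == "state":        # -m state --state A,B
            matches["state"], i = set(args[i + 3].split(",")), i + 4
        elif opt == "-m" and args[i + 1] == "multiport":    # -m multiport --dports a,b
            matches["multi:" + args[i + 2]] = {int(p) for p in args[i + 3].split(",")}
            i += 4
        elif opt == "--syn":
            matches["--syn"], i = True, i + 1
        else:
            raise ValueError("unsupported option %r" % opt)
    if chain is None or target is None:
        raise ValueError("a rule needs -A CHAIN and -j TARGET")
    return Rule(chain, matches, target)


def _in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    """Every match option present in the rule must hold for the packet."""
    checks = {
        "-p": lambda v: pkt.proto == v,
        "-s": lambda v: _in_net(pkt.src, v),
        "-d": lambda v: _in_net(pkt.dst, v),
        "-i": lambda v: pkt.in_if == v,
        "--sport": lambda v: pkt.sport == int(v),
        "--dport": lambda v: pkt.dport == int(v),
        "state": lambda v: pkt.state in v,
        "multi:--sports": lambda v: pkt.sport in v,
        "multi:--dports": lambda v: pkt.dport in v,
        "multi:--ports": lambda v: pkt.sport in v or pkt.dport in v,
        "--syn": lambda v: pkt.proto == "tcp" and pkt.syn,
    }
    return all(checks[key](value) for key, value in rule.matches.items())


def evaluate(rules, policy, pkt, chain="INPUT"):
    """The first matching rule decides; otherwise the chain's default policy applies."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.target
    return policy[chain]


# Constructed ruleset: default-deny INPUT with stateful return traffic allowed.
RULESET = [parse_rule(line) for line in """
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --syn -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j REJECT
""".strip().splitlines()]
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}


def make_packet(**fields):
    """Constructed sample packet; override any field by keyword."""
    base = dict(proto="tcp", src="10.0.0.5", dst="192.168.1.1", in_if="eth0",
                sport=40000, dport=80, state="NEW", syn=True)
    base.update(fields)
    return Packet(**base)
```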
II.
...allows a DNS server to do the reverse translation, from an IP address to a host name. Reverse lookup zones are used by many servers of different kinds (FTP, IRC, WWW and others) to decide whether they even want to talk to the computer requesting information. It is a common way for a mail server to check whether an e-mail comes from a valid domain.
III.
When a master DNS receives a query for a zone for which it is authoritative, it answers as 'Authoritative' (the AA bit is set in the query response).
If a master DNS receives a query for a zone for which it is neither master nor slave, it behaves as configured (in BIND this behaviour is defined in the file named.conf):
- If caching behaviour is allowed and recursive queries are allowed, the server will answer the request completely or return an error.
- If caching behaviour is allowed and iterative (non-recursive) queries are allowed, the server may respond with a complete answer (if it is already in its cache and otherwise allowed), a referral, or an error.
- If caching behaviour is not allowed (an 'Authoritative Only' DNS server), the server returns a referral or an error.

A master DNS can notify zone changes to specified (usually slave) servers; this is the default behaviour. Notify messages ensure that zone changes propagate quickly to the slaves (interrupt driven) rather than relying on the slave servers polling periodically for changes. A zone master can be 'hidden' (only one or more slaves know of its existence). There is no requirement for a master server to appear in an NS RR for the domain. The only requirement is that two (or more) name servers support the zone; the two servers may be any combination of master/slave, slave/slave or even master/master.
IV.
A slave DNS obtains its zone data by using a zone transfer operation (usually from a zone master) and responds as authoritative for the zones for which it is defined as a 'slave' and for which it holds a currently valid zone configuration. It is not possible to tell from a query result whether it came from a zone master or a slave. There can be any number of slave DNS servers for a given zone. Slave status is defined in BIND by including 'type slave' in the zone declaration of the file named.conf, as shown in the following fragment:

// example.com fragment from named.conf
// defines this server as a zone slave
zone "example.com" in {
    type slave;
    file "sec/sec.example.com";
    masters { 192.168.23.17; };
};
The master DNS for each zone is defined in the masters statement of the zone clause and lets the slave refresh its zone records when the expiry parameter of the SOA record is reached. If a slave cannot reach the master DNS when the 'expiry' time has been reached, it stops answering queries for the zone; it will not use expired data. The file parameter is optional and lets the slave write the transferred zone to disk, so that if BIND is restarted before the expiry time the server uses the saved data. In large DNS systems this can save a considerable amount of network traffic.
V.
A stealth server is defined as a name server that does not appear in any publicly visible NS record for the domain. Stealth servers are typically used in a configuration called Split. A Split Server configuration is shown in the figure:
The internal (stealth) servers can be configured to provide services visible both inside and outside, recursive queries and all other services. This server uses a private zone master file that may look like this:

; private zone master file used by stealth server(s)
; provides public and private services and hosts
example.com.    IN  SOA  ns.example.com. root.example.com. (
                2003080800 ; se = serial number
                3h         ; ref = refresh
                15m        ; ret = update retry
                3w         ; ex = expiry
                3h         ; min = minimum
                )
                IN  NS   ns1.example.com.
                IN  NS   ns2.example.com.
                IN  MX   10 mail.example.com.
; public hosts
ns1             IN  A    192.168.254.1
ns2             IN  A    192.168.254.2
mail            IN  A    192.168.254.3
www             IN  A    192.168.254.4
ftp             IN  A    192.168.254.5
; private hosts
joe             IN  A    192.168.254.6
bill            IN  A    192.168.254.7
fred            IN  A    192.168.254.8
....
accounting      IN  A    192.168.254.28
payroll         IN  A    192.168.254.29

Specific rules in Internet-style data:
- The NS record is the name server resource record.
- The MX record is the Mail Exchange record, which directs e-mail to a given machine. If there is more than one e-mail server, you can add more than one MX record to the zone file.
- CNAME is used to assign the same address to other hosts, such as those related to the FTP server or even rsync. However, CNAME does not work for e-mail servers. If you only want to configure a forward zone in /etc/bind/named.conf.local, it is time to reload the configuration files with the command rndc reload.
2. URL Addresses:
A URL (short for Uniform Resource Locator) is used to refer to a resource on the Internet. URLs give web pages their hyperlinking capability. A URL consists of the protocol name (http, ftp), the domain name, optionally a port, the absolute path of the resource on the server, the query, and a fragment identifier.
II.
...by using Microsoft FrontPage extensions. libapache2-mod-mono: this module tells Apache how to interpret ASP.NET. This is a short and incomplete list of all the modules usable on an Apache web server: http://modules.apache.org currently lists more than 450 modules. The important thing is to identify exactly which modules the server needs so that its functionality can be extended accordingly.

The Apache Directory project provides directory solutions written entirely in Java. They include a directory server certified LDAP v3 compliant by The Open Group (Apache Directory Server), and Eclipse-based directory tools (Apache Directory Studio).

Apache Directory Server: ApacheDS is an embeddable directory server written entirely in Java, certified LDAPv3 compliant by The Open Group. Besides LDAP it supports Kerberos 5 and the Change Password Protocol. It is designed to introduce triggers, stored procedures, queues and views to the world of LDAP, which lacks these rich constructs.

Apache Directory Studio: Apache Directory Studio is a complete directory tooling platform intended to be used with any LDAP server, though it is particularly designed for use with ApacheDS. It is an Eclipse RCP application composed of several Eclipse (OSGi) plugins that can easily be upgraded with additional ones. These plugins can even run within Eclipse itself.
III. APACHE AND LDAP:
APACHE uses the module mod_authnz_ldap, which allows an LDAP directory to be used to store the database for HTTP Basic authentication. This module provides authentication front-ends such as mod_auth_basic to authenticate users through an LDAP directory. mod_authnz_ldap supports the following features:
- Known to support the OpenLDAP SDK (both 1.x and 2.x), Novell LDAP SDK and the iPlanet (Netscape) SDK.
- Complex authorization policies can be implemented by representing the policy with LDAP filters.
- Uses extensive caching of LDAP operations via mod_ldap.
- Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).
There are two phases in granting access to a user. The first phase is authentication, in which the mod_authnz_ldap authentication provider verifies that the user's credentials are valid. This is also called the search/bind phase. The second phase is authorization, in which mod_authnz_ldap decides whether the authenticated user is allowed access to the resource in question. This is also known as the compare phase. mod_authnz_ldap registers both an authn_ldap authentication provider and an authz_ldap authorization handler. The authn_ldap authentication provider can be enabled through the AuthBasicProvider directive using the ldap value. The authz_ldap handler extends the Require directive's authorization types by adding the ldap-user, ldap-dn and ldap-group values. During the authentication phase, mod_authnz_ldap searches for an entry in the directory that matches the username passed by the HTTP client. If a single unique match is found, mod_authnz_ldap attempts to bind to the directory server using the DN of the entry plus the password provided by the HTTP client. Because it performs a search and then a bind, this is often called the search/bind phase. Here are the steps performed during the search/bind phase.
- Grant access if there is a Require ldap-dn directive and the DN in the directive matches the DN fetched from the LDAP directory.
- Grant access if there is a Require ldap-group directive and the DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group or, potentially, in one of its sub-groups.
- Grant access if there is a Require ldap-attribute directive and the attribute fetched from the LDAP directory matches the given value.
- Grant access if there is a Require ldap-filter directive and the search filter successfully finds a single user object that matches the dn of the authenticated user.
- Otherwise, deny or decline access.
Other Require values may also be used, which may require loading additional authorization modules:
- Grant access to all successfully authenticated users if there is a Require valid-user directive (requires mod_authz_user).
- Grant access if there is a Require group directive and mod_authz_groupfile has been loaded with the AuthGroupFile directive set.
a. Require ldap-user:
The Require ldap-user directive specifies which usernames can access the resource. Once mod_authnz_ldap has retrieved a unique DN from the directory, it performs an LDAP compare operation using the username given in the Require ldap-user directive to see whether that username is part of the just-fetched LDAP entry. Several users can be granted access by putting several usernames on the line, separated by spaces. If a username contains a space, it must be surrounded by double quotes. Several users can also be granted access by using multiple Require ldap-user directives, one user per line. For example, with an AuthLDAPURL of ldap://ldap/o=Example?cn (that is, cn is used for searches), the following Require directives could be used to restrict access:

Require ldap-user "Barbara Jenson"
Require ldap-user "Fred User"
Require ldap-user "Joe Manager"

Because of the way mod_authnz_ldap handles this directive, Barbara Jenson could sign on as Barbara Jenson, Babs Jenson or any other cn that she has in her LDAP entry. Only the single Require ldap-user line is needed to support all values of the attribute in the user's entry. If the uid attribute were used instead of the cn attribute in the URL above, the three lines above could be condensed to:

Require ldap-user bjenson fuser jmanager
b. Require ldap-group:
This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: do not surround the group name with quotes. For example, assume that the following entry exists in the LDAP directory:

dn: cn=Administrators, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Example
uniqueMember: cn=Fred User, o=Example

The following directive would grant access to both Fred and Barbara:

Require ldap-group cn=Administrators, o=Example

Members can also be found within sub-groups of a specified LDAP group if AuthLDAPMaxSubGroupDepth is set to a value greater than 0. For example, assume the following entries exist in the LDAP directory:

dn: cn=Employees, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Managers, o=Example
uniqueMember: cn=Administrators, o=Example
uniqueMember: cn=Users, o=Example

dn: cn=Managers, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Bob Ellis, o=Example
uniqueMember: cn=Tom Jackson, o=Example

dn: cn=Administrators, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Example
uniqueMember: cn=Fred User, o=Example

dn: cn=Users, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Allan Jefferson, o=Example
uniqueMember: cn=Paul Tilley, o=Example
uniqueMember: cn=Temporary Employees, o=Example

dn: cn=Temporary Employees, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Jim Swenson, o=Example
uniqueMember: cn=Elliot Rhodes, o=Example
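An added example (not from the report or from mod_authnz_ldap): it parses the entries above from a constructed LDIF text and answers a Require ldap-group check, descending into sub-groups only as far as the AuthLDAPMaxSubGroupDepth value allows; the LDIF parser and the cycle guard are assumptions of this example.

```python
"""Added example (not from the report or from mod_authnz_ldap): evaluate a
'Require ldap-group' check over the entries above with a sub-group depth limit."""

# Constructed LDIF text holding the example entries shown above.
LDIF = """\
dn: cn=Employees, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Managers, o=Example
uniqueMember: cn=Administrators, o=Example
uniqueMember: cn=Users, o=Example

dn: cn=Managers, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Bob Ellis, o=Example
uniqueMember: cn=Tom Jackson, o=Example

dn: cn=Administrators, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Example
uniqueMember: cn=Fred User, o=Example

dn: cn=Users, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Allan Jefferson, o=Example
uniqueMember: cn=Paul Tilley, o=Example
uniqueMember: cn=Temporary Employees, o=Example

dn: cn=Temporary Employees, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Jim Swenson, o=Example
uniqueMember: cn=Elliot Rhodes, o=Example
"""


def normalise_dn(dn):
    """Canonical form for comparison: no space after commas, case-folded."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {normalised dn: {attribute: [values]}} for a simple LDIF text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, value = (part.strip() for part in line.split(":", 1))
        if attr == "dn":
            current = normalise_dn(value)
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries


def is_member(entries, group_dn, user_dn, max_subgroup_depth=0, _depth=0, _path=None):
    """True if user_dn is a direct member of group_dn, or a member of a nested
    group no deeper than max_subgroup_depth (AuthLDAPMaxSubGroupDepth)."""
    gkey = normalise_dn(group_dn)
    path = frozenset() if _path is None else _path
    if gkey in path or gkey not in entries:      # cycle guard / unknown group
        return False
    group = entries[gkey]
    members = [normalise_dn(m) for m in group.get("uniqueMember", []) + group.get("member", [])]
    if normalise_dn(user_dn) in members:
        return True
    if _depth >= max_subgroup_depth:
        return False
    return any(is_member(entries, m, user_dn, max_subgroup_depth, _depth + 1, path | {gkey})
               for m in members if m in entries)


def require_ldap_group(entries, directive, user_dn, max_subgroup_depth=0):
    """Apply a 'Require ldap-group <dn>' directive to an authenticated user's DN."""
    words = directive.split(None, 2)
    if len(words) != 3 or words[0] != "Require" or words[1] != "ldap-group":
        raise ValueError("not a Require ldap-group directive: %r" % directive)
    return is_member(entries, words[2], user_dn, max_subgroup_depth)
```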
c. Require ldap-dn:
The Require ldap-dn directive allows the administrator to grant access based on distinguished names. It specifies a DN that must match for access to be granted. If the distinguished name retrieved from the directory server matches the distinguished name in the Require ldap-dn directive, authorization is granted. Note: do not surround the distinguished name with quotes. The following directive would grant access to a specific DN:

Require ldap-dn cn=Barbara Jenson, o=Example
d. Require ldap-attribute:
The Require ldap-attribute directive allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If the attribute in the directory matches the value given in the configuration, access is granted. The following directive would grant access to anyone with the attribute employeeType = active:

Require ldap-attribute employeeType=active
Multiple attribute/value pairs can be specified on the same line separated by spaces, or in multiple Require ldap-attribute directives. The effect of listing multiple attribute/value pairs is an OR operation: access is granted if any of the listed attribute values matches the value of the corresponding attribute in the user object. If the value of the attribute contains a space, only the value must be placed within double quotes. The following directive would grant access to anyone whose city attribute equals "San Jose" or whose status equals "Active":

Require ldap-attribute city="San Jose" status=active
e. Require ldap-filter:
The Require ldap-filter directive allows the administrator to grant access based on a complex LDAP search filter. If the dn returned by the filter search matches the authenticated user's dn, access is granted. The following directive would grant access to anyone who has a cell phone and is in the marketing department:

Require ldap-filter &(cell=*)(department=marketing)

The difference between the Require ldap-filter directive and the Require ldap-attribute directive is that ldap-filter performs a search operation on the LDAP directory using the specified search filter, rather than a simple attribute comparison. If a simple attribute comparison is all that is needed, the comparison operation performed by ldap-attribute will be faster than the search operation used by ldap-filter, especially within a large directory.
PART 7: DHCP
I. The Role of DHCP in a Network System: 1. What is DHCP:
DHCP stands for Dynamic Host Configuration Protocol, a protocol designed to reduce the time spent configuring a TCP/IP network by automatically assigning IP addresses to clients as they join the network. The DHCP service is a great convenience for the network operator: it removes the worry about the problems inherent in manual configuration. More generally, DHCP brings many benefits to administering and maintaining a TCP/IP network, such as:
- Centralized administration of IP configuration information.
- Dynamic configuration of hosts.
- Seamless IP configuration of hosts.
- Flexibility.
- Scalability.
II. Adding and Authorizing the DHCP Service: 1. Why use the DHCP service:
It reduces IP address conflicts and IP errors, always ensuring that client machines have a correct configuration. It simplifies administration.
2. What is Automatic Private IP Addressing?
Automatic Private IP Addressing (APIPA) is a feature of Microsoft Windows that lets client machines assign themselves an address from the range 169.254.0.0 to 169.254.255.255 when no DHCP server is available to assign IP addresses to the clients.
III.
IV.
3. What are DHCP options?
DHCP options are additional client configuration parameters that a DHCP server can assign when serving DHCP clients.
- DNS Domain Name: the DNS domain name identifies the domain the client belongs to. The client can use this information to update its record on the DNS server so that other computers can find it.
- DNS Servers: addresses of any DNS servers the client may use for communication.
- WINS Servers: addresses of any WINS servers the client may use for communication.
- WINS Node Type: the NetBIOS name resolution method that clients may use.
V.
VI.
The DHCP service follows a client/server model. The interaction between DHCP client and server proceeds in the following steps.

Step 1: When the client boots, it broadcasts a DHCP DISCOVER packet requesting a server to serve it. This packet also carries the client's MAC address. If the client cannot reach a DHCP server, after 4 unsuccessful queries it automatically generates a private IP address for itself in the range 169.254.0.0 to 169.254.255.255 for temporary communication, and it keeps broadcasting every 5 minutes to request an IP address from a DHCP server.

Step 2: The servers on the network that receive the request and still have addresses available each reply to the client with a DHCP OFFER packet, proposing to lease an IP address for a fixed period, together with a subnet mask and the server's address. The server will not offer the proposed address to any other client for the duration of the negotiation.
Step 3: The client chooses one of the offers (DHCPOFFER) and broadcasts a DHCPREQUEST packet to accept that offer. This lets the servers whose offers were not accepted withdraw them and use those addresses for other clients.

Step 4: The server whose offer was accepted replies with a DHCP ACK packet as confirmation, stating that the IP address, subnet mask and lease period are now officially in effect. The server also sends additional information such as the default gateway address and the DNS server address.
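An added example (not from the report): it builds and parses the four messages of the exchange above in RFC 2131 wire format with a constructed server, including the client-side check that an ACK carries its own transaction ID and MAC address before the lease is applied; the address pool, option set and server logic are assumptions of this example.

```python
"""Added example (not from the report): build and parse the DISCOVER, OFFER,
REQUEST and ACK messages of the exchange above in RFC 2131 wire format."""
import struct

MAGIC = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"      # the fixed 236-byte header

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def bytes_ip(raw):
    return ".".join(str(b) for b in raw)

def build(op, xid, mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Fixed header + magic cookie + TLV options + END; broadcast flag set."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero = ip_bytes("0.0.0.0")
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, zero, ip_bytes(yiaddr),
                         ip_bytes(siaddr), zero, chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC + body + bytes([OPT_END])

def parse(msg):
    """Decode the header fields used here plus the options into a dict."""
    fields = struct.unpack(HEADER, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                        # pad option, no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": bytes_ip(fields[8]),
            "siaddr": bytes_ip(fields[9]), "mac": fields[11][:6].hex(":"), "options": options}

class Server:
    """Constructed server for one /24 that leases addresses from a small pool."""

    def __init__(self, ip, pool, router, dns, lease=3600):
        self.ip, self.pool, self.router, self.dns, self.lease = ip, list(pool), router, dns, lease
        self.offered = {}                      # mac -> address reserved while negotiating

    def _options(self, msgtype):
        return [(OPT_MSGTYPE, bytes([msgtype])), (OPT_SERVER_ID, ip_bytes(self.ip)),
                (OPT_LEASE, struct.pack("!I", self.lease)), (OPT_SUBNET, ip_bytes("255.255.255.0")),
                (OPT_ROUTER, ip_bytes(self.router)), (OPT_DNS, ip_bytes(self.dns))]

    def handle(self, msg):
        """OFFER for a DISCOVER, ACK for a REQUEST that names us, otherwise silence."""
        req = parse(msg)
        kind, mac = req["options"][OPT_MSGTYPE][0], req["mac"]
        if kind == DISCOVER and (mac in self.offered or self.pool):
            ip = self.offered.get(mac) or self.pool.pop(0)
            self.offered[mac] = ip             # not offered to anyone else meanwhile (step 2)
            return build(BOOTREPLY, req["xid"], mac, self._options(OFFER), ip, self.ip)
        if kind == REQUEST:
            if req["options"].get(OPT_SERVER_ID) != ip_bytes(self.ip):
                ip = self.offered.pop(mac, None)   # client chose another server: withdraw (step 3)
                if ip:
                    self.pool.insert(0, ip)
                return None
            ip = bytes_ip(req["options"][OPT_REQ_IP])
            return build(BOOTREPLY, req["xid"], mac, self._options(ACK), ip, self.ip)
        return None

def discover(xid, mac):
    return build(BOOTREQUEST, xid, mac, [(OPT_MSGTYPE, bytes([DISCOVER]))])

def request(offer_msg, xid, mac):
    """Accept one OFFER: echo its address (option 50) and server id (option 54)."""
    offer = parse(offer_msg)
    return build(BOOTREQUEST, xid, mac, [(OPT_MSGTYPE, bytes([REQUEST])),
                                         (OPT_REQ_IP, ip_bytes(offer["yiaddr"])),
                                         (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])

def accept_ack(ack_msg, xid, mac):
    """The lease to apply, or None unless the reply is an ACK for our xid and MAC."""
    ack = parse(ack_msg)
    if (ack["op"], ack["xid"], ack["mac"]) != (BOOTREPLY, xid, mac):
        return None
    o = ack["options"]
    if o[OPT_MSGTYPE][0] != ACK:
        return None
    return {"ip": ack["yiaddr"], "mask": bytes_ip(o[OPT_SUBNET]), "router": bytes_ip(o[OPT_ROUTER]),
            "dns": bytes_ip(o[OPT_DNS]), "lease": struct.unpack("!I", o[OPT_LEASE])[0],
            "server": bytes_ip(o[OPT_SERVER_ID])}

def run_exchange(server, xid, mac):
    """Steps 1 to 4 above between one client and one server."""
    offer = server.handle(discover(xid, mac))
    ack = None if offer is None else server.handle(request(offer, xid, mac))
    return None if ack is None else accept_ack(ack, xid, mac)
```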
II.
60
61
Step 5: in this step we add the LDIF file just created to the LDAP system with the following command (it binds over the local ldapi:/// socket as root through SASL EXTERNAL, so no password is asked for):
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=hoasen,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
unix password sync = no
ldap passwd sync = yes
ldap suffix = dc=hoasen,dc=local
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No

[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
admin users = root
write list = root
read only = No
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No

[print$]
comment = Printer Drivers Share
path = /var/lib/samba/printers
admin users = root
write list = root
create mask = 0664
directory mask = 0775

Two points to check in this fragment: ldap ssl = no means smbd talks to slapd in the clear as the admin DN, which is acceptable only while slapd runs on the same host; and guest ok = Yes on [netlogon] lets unauthenticated clients read the logon scripts, so keep that share read-only (it is, since only admin users = root can write).
Faculty of Science and Technology, Major: Computer Networking
These are the declarations that let SAMBA work with LDAP.
Step 8: store the password Samba uses for its LDAP admin DN with the smbpasswd command; use the same password as in step 4. (smbpasswd -w writes it into secrets.tdb, and it must match the cn=admin,dc=hoasen,dc=local account that ldap admin dn refers to.)
Step 9: restart Samba:
service smbd restart
Step 10: check whether SAMBA is running with the following command; when it asks for a password just press Enter (anonymous listing). The output of this check must look like the figure below (not reproduced here); if it does not, SAMBA is misconfigured.
smbclient -L localhost
Step 12: create the file schema_convert.conf, which is used to produce the LDIF that adds the Samba schema to the LDAP system, with nano schema_convert.conf.
The file schema_convert.conf has the following content:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
The list as printed stops here. For slaptest to emit a cn=samba.ldif (step 15 below) the include list must end with the samba.schema file taken from the samba-doc package, placed after the schemas it depends on.
Step 15: edit the file /tmp/cn\=samba.ldif. At the top of the file you will see:
dn: cn={12}samba,cn=schema,cn=config
cn: {12}samba
Change it to:
dn: cn=samba,cn=schema,cn=config
cn: samba
(The {12} is the ordering index slaptest assigned; slapd assigns its own when the entry is added.) Also delete the operational attributes slaptest appended at the end of the file (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp), otherwise ldapadd refuses the entry.
Step 17: check that LDAP is working and has loaded samba.schema. If the output of the following command matches the figure (not reproduced here), LDAP is working. The command authenticates over ldapi:/// with SASL EXTERNAL, so the -D and -W options that the original gave alongside -Y are not needed and only cause a needless password prompt:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
To confirm the schema itself, run the same command with -b cn=schema,cn=config and look for an entry named cn={N}samba in the list of loaded schemas.
Step 18: likewise, check whether SAMBA is working with the following command. If the output matches the figure (a domain SID such as S-1-5-21-...), SAMBA is working. This SID is what the smbldap-tools configuration in step 20 needs.
net getlocalsid
Step 20: the smbldap-tools setup script makes LDAP and SAMBA work together. When run, it asks for the required information; for most prompts just press Enter. Only two kinds of prompt need a real answer:
- For "Logon Home" and "Logon Path", enter the character . (a dot disables these attributes).
- When asked for the password of the master and slave LDAP server, enter the password you chose in step 4.
The remaining prompts of the ldap-auth-config wizard (shown as figures in the original) are answered as follows:
- Press Enter.
- Press Enter.
- Enter the DN (URI) of the LDAP server, then OK.
- Choose version 3.
- Press Enter.
- Enter the password of the LDAP server's admin DN.
Note: to change this information later, use the following command:
dpkg-reconfigure ldap-auth-config
- Choose OK.
Accept all the defaults as shown in the figure.
Step 27: this completes the configuration of the SAMBA PDC combined with LDAP. Reboot the system to finish the configuration.
III. Configuring Windows XP and Windows 7 clients to join the SAMBA domain
1. Creating users on the SAMBA PDC:
Create a test user on the server with username user1 and password 123456. Use the following command (it adds a POSIX and Samba account to LDAP, creates the home directory, and prompts for the password):
smbldap-useradd -a -m -P user1
Also create a user adminpdc belonging to the Domain Admins group; when joining a client to the domain we enter this username and password instead of root's, which improves the security of the system. Use the commands shown in the figure (not reproduced here):
In Group Policy on the client, enable the policy "Do not check for user ownership of Roaming Profile Folders" (Computer Configuration > Administrative Templates > System > User Profiles); without it Windows Vista/7 refuses a roaming profile stored on the Samba [Profiles] share whose directory is not owned by the user.
3. Joining Windows 7:
To join Windows 7 to the SAMBA domain (an NT4-style domain, which Windows 7 does not accept by default) we configure it as follows. In the Windows 7 registry add the following two values:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
(CCS in the original is the usual abbreviation for CurrentControlSet.)
I. Installing and configuring DNS
1. Installation:
Use the following command to install the DNS server (BIND9):
apt-get install bind9
File /etc/bind/db.192 (contents shown in the original figure, not reproduced here)
Next we install Dovecot (Dovecot acts as the IMAP/POP3 server, as the MDA, and also as the authentication (SASL) server for the mail server).
We can also have Postfix and Dovecot set up to use SASL together by installing the dovecot-postfix package.
2. Configuration:
To configure mail with Postfix there are two important configuration files, /etc/postfix/main.cf and /etc/postfix/master.cf.
Step 1: create a virtual user named vmail in the group vmail, with home directory /home/vmail, which is also the directory that will hold the mail of all users. Run the following commands as root:
groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m
These two commands create the group vmail with gid 5000 and the user vmail with uid 5000 and home directory /home/vmail. Use the following command to check the gid and uid of vmail in /etc/passwd:
grep vmail /etc/passwd
The output of these commands will look like the figure (not reproduced here). A dedicated unprivileged account for the mail store means neither Postfix nor Dovecot ever writes mail as root; the uid and gid 5000 are referenced again in main.cf and dovecot-ldap.conf below.
Step 2: configure Postfix. Configure the file main.cf like the text below (note: the numbers at the start of each line are markers for the explanation and are not part of the configuration file):
 1 alias_database = hash:/etc/aliases
 2 alias_maps = hash:/etc/aliases
 3 append_dot_mydomain = no
 4 biff = no
 5 broken_sasl_auth_clients = yes
 6 config_directory = /etc/postfix
 7 debug_peer_level = 5
 8 debug_peer_list = 127.0.0.1
 9 home_mailbox = Maildir/
10 inet_interfaces = all
11 mailbox_size_limit = 0
12 myhostname = localhost
13 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
14 readme_directory = no
15 recipient_delimiter = +
16 relayhost =
17 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
18 smtp_use_tls = yes
19 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
20 smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
21 smtpd_sasl_auth_enable = yes
22 smtpd_sasl_authenticated_header = yes
23 smtpd_sasl_local_domain = $myhostname
24 smtpd_sasl_path = private/auth
25 smtpd_sasl_security_options = noanonymous
26 smtpd_sasl_type = dovecot
27 smtpd_tls_auth_only = yes
28 smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
29 smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
30 smtpd_tls_mandatory_ciphers = medium
31 smtpd_tls_mandatory_protocols = SSLv3, TLSv1
32 smtpd_tls_received_header = yes
33 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
34 smtpd_use_tls = yes
35 tls_random_source = dev:/dev/urandom
36 virtual_gid_maps = static:5000
37 virtual_mailbox_base = /home/vmail
38 virtual_mailbox_domains = /etc/postfix/vhosts
39 virtual_mailbox_maps = ldap:/etc/postfix/ldapmap.cf
40 virtual_minimum_uid = 1000
41 virtual_transport = dovecot
42 virtual_uid_maps = static:5000
Explanation:
- Line 9: tells Postfix to use the Maildir mailbox format.
- Line 12: an important setting. Because we use virtual mailboxes, the value here is localhost, and the domain we want to serve as a virtual mailbox domain must never appear here (Postfix refuses to deliver consistently for a domain listed both as its own and as a virtual mailbox domain, and logs a warning). A real hostname such as mail.hoasen.net, the name used for the test in step 6, works equally well as long as it is not itself listed in /etc/postfix/vhosts, and it gives a sensible SMTP banner on line 19.
- Lines 18 and 34: enable TLS for sending (smtp, client side) and receiving (smtpd, server side) mail.
- Lines 21 to 26: configure Postfix to use SASL for authentication, with Dovecot managing SASL. The socket path on line 24 is relative to the Postfix queue directory, so it is /var/spool/postfix/private/auth, the same socket Dovecot creates in its configuration below. Line 27 (smtpd_tls_auth_only = yes) only offers AUTH after STARTTLS, so the PLAIN/LOGIN passwords never cross the network in the clear.
- Lines 7 and 8: verbose debugging for connections from 127.0.0.1; remove them once the setup works.
- Lines 27 to 33: the TLS configuration of Postfix, with the paths to the key and certificate files. Line 31 still allows SSLv3, which is obsolete; on current Postfix use "!SSLv2, !SSLv3" instead.
- Line 37: the directory that holds all of the server's mail.
- Line 38: the list of domains this server manages and accepts mail for and from. You can list them inline or, as in this lab, in a file; the content of /etc/postfix/vhosts is shown below.
- Line 39: configures Postfix to query the LDAP server; the content of ldapmap.cf is shown below. The lookup must return a non-empty value for each valid recipient address (here the user's mail store location).
- Line 41: configures Postfix to use Dovecot as the MDA (replacing the virtual delivery agent). This requires a dovecot service entry in master.cf, which is not reproduced on this page.
- Lines 36 and 42: declare the uid and gid of the virtual user created above, so that mail is written under /home/vmail with that user's permissions.
- Line 13: mynetworks trusts the whole of 192.168.0.0/16 to relay without authentication; narrow it to the actual LAN (here 192.168.193.0/24) unless every 192.168.x.x host is really yours.
Content of the file /etc/postfix/vhosts:
hoasen.net
vt071A.net
(continue listing the domains you want to send and receive mail for)
Content of the file /etc/postfix/ldapmap.cf:
bind = no
version = 3
timeout = 20
debuglevel = 0
size_limit = 1
expansion_limit = 0
start_tls = no
tls_require_cert = no
server_host = ldap://192.168.193.10
scope = sub
search_base = dc=hoasen, dc=local
query_filter = (|(mail=%s)(mailAlternateAddress=%s))
result_attribute = mailMessageStore
With bind = no Postfix searches anonymously, so the slapd ACLs must allow anonymous read of the mail, mailAlternateAddress and mailMessageStore attributes (and nothing more). Postfix escapes the %s value according to RFC 4515 before substituting it into query_filter, so a recipient address cannot alter the filter. The mailAlternateAddress and mailMessageStore attributes come from a mail schema that is not part of the default OpenLDAP schema set and must be loaded in slapd as the Samba schema was.
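To see what the restriction list on line 20 of main.cf actually decides, here is an added example (not code from the report) that models how Postfix walks smtpd_recipient_restrictions: left to right, the first PERMIT or REJECT wins, DUNNO moves on, and an all-DUNNO list ends in PERMIT. The sessions, the resolvable domains and the "Internet" client address are constructed; the mynetworks value and the local domains are taken from the page. Besides the page's order it evaluates two weak variants: the same list without reject_unauth_destination (an open relay) and one with reject_unauth_destination placed before the permits (which locks out roaming authenticated users).

```python
"""Added example: simplified evaluation of Postfix smtpd_recipient_restrictions."""
import ipaddress

# From main.cf line 13 and /etc/postfix/vhosts on the page
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
LOCAL_DOMAINS = {"hoasen.net", "vt071a.net"}
# Constructed: the domains this model treats as resolvable for reject_unknown_*_domain
KNOWN_DOMAINS = LOCAL_DOMAINS | {"example.org", "gmail.com"}


def restriction(name, session):
    """Return PERMIT, REJECT or DUNNO for one restriction, as Postfix would."""
    sender_domain = session["sender"].rpartition("@")[2].lower()
    rcpt_domain = session["recipient"].rpartition("@")[2].lower()
    if name == "reject_unknown_sender_domain":
        return "DUNNO" if sender_domain in KNOWN_DOMAINS else "REJECT"
    if name == "reject_unknown_recipient_domain":
        return "DUNNO" if rcpt_domain in KNOWN_DOMAINS else "REJECT"
    if name == "reject_unauth_pipelining":
        return "REJECT" if session.get("pipelined") else "DUNNO"
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(session["client_ip"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if session.get("sasl_user") else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if rcpt_domain in LOCAL_DOMAINS else "REJECT"
    raise ValueError("unknown restriction " + name)


def evaluate(restrictions, session):
    """First PERMIT/REJECT wins; an all-DUNNO list ends in PERMIT."""
    for name in restrictions:
        verdict = restriction(name, session)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "end-of-list"


PAGE_ORDER = ["reject_unknown_sender_domain", "reject_unknown_recipient_domain",
              "reject_unauth_pipelining", "permit_mynetworks",
              "permit_sasl_authenticated", "reject_unauth_destination"]
# Weak variants: the safety net removed, or placed before the permits
OPEN_RELAY = PAGE_ORDER[:-1]
MISORDERED = PAGE_ORDER[:3] + ["reject_unauth_destination", "permit_mynetworks",
                               "permit_sasl_authenticated"]

# Constructed sessions; 203.0.113.0/24 is documentation space, standing in for "the Internet"
RELAY_ATTEMPT = {"client_ip": "203.0.113.7", "sender": "spam@example.org",
                 "recipient": "victim@gmail.com"}
INBOUND = {"client_ip": "203.0.113.7", "sender": "someone@example.org",
           "recipient": "user1@hoasen.net"}
ROAMING_USER = {"client_ip": "203.0.113.7", "sender": "user1@hoasen.net",
                "recipient": "friend@gmail.com", "sasl_user": "user1@hoasen.net"}
LAN_HOST = {"client_ip": "192.168.5.9", "sender": "x@example.org",
            "recipient": "anyone@gmail.com"}


def report():
    """Verdict and deciding restriction for each (list, session) pair."""
    cases = {"page/relay": (PAGE_ORDER, RELAY_ATTEMPT),
             "page/inbound": (PAGE_ORDER, INBOUND),
             "page/roaming": (PAGE_ORDER, ROAMING_USER),
             "page/lan": (PAGE_ORDER, LAN_HOST),
             "open/relay": (OPEN_RELAY, RELAY_ATTEMPT),
             "misordered/roaming": (MISORDERED, ROAMING_USER)}
    return {key: evaluate(rules, session) for key, (rules, session) in cases.items()}
```

The "page/lan" case is the one to notice: a host at 192.168.5.9 that is not on the 192.168.193.0/24 LAN may relay anywhere because mynetworks covers the whole /16. These are the same checks the telnet session in step 6 performs by hand with MAIL FROM / RCPT TO; newer Postfix releases additionally evaluate smtpd_relay_restrictions as a second safety net, which this model omits.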
Step 3: configure Dovecot. There are two important configuration files, /etc/dovecot/dovecot.conf and /etc/dovecot/dovecot-ldap.conf. Configure /etc/dovecot/dovecot.conf like the text below (note: the numbers at the start of each line are markers for the explanation and are not part of the configuration file):
 1 base_dir = /var/run/dovecot
 2 protocols = imap imaps pop3 pop3s
 3 log_path = /var/log/dovecot
 4 info_log_path = /var/log/dovecot.info
 5 log_timestamp = "%Y-%m-%d %H:%M:%S "
 6 ssl = yes
 7 ssl_cert_file = /etc/ssl/certs/dovecot.pem
 8 ssl_key_file = /etc/ssl/private/dovecot.pem
 9 ssl_parameters_regenerate = 168
10 verbose_ssl = yes
11 login_dir = /var/run/dovecot/login
12 login_chroot = yes
13 login_user = dovecot
14 mail_location = maildir:/home/vmail/%d/%n/Maildir
15 mail_privileged_group = mail
16 valid_chroot_dirs = /home/vmail
17 maildir_copy_with_hardlinks = yes
18 protocol imap {
19   login_executable = /usr/lib/dovecot/imap-login
20   mail_executable = /usr/lib/dovecot/imap
21 }
22 protocol pop3 {
23   login_executable = /usr/lib/dovecot/pop3-login
24   mail_executable = /usr/lib/dovecot/pop3
25   pop3_uidl_format = %08Xu%08Xv
26   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
27 }
28 protocol managesieve {
29 }
30 protocol lda {
31   postmaster_address = info@hoasen.net
32   auth_socket_path = /var/run/dovecot/auth-master
33 }
34 auth_verbose = yes
35 auth default {
36   mechanisms = plain login
37   passdb ldap {
38     args = /etc/dovecot/dovecot-ldap.conf
39   }
40   userdb prefetch {
41   }
42   socket listen {
43     master {
44       path = /var/run/dovecot/auth-master
45       mode = 0600
46       user = vmail
47       group = vmail
48     }
49     client {
50       path = /var/spool/postfix/private/auth
51       mode = 0660
52       user = postfix
53       group = postfix
54     }
55   }
56 }
57 dict {
58 }
Explanation:
- Line 2: the protocols Dovecot should support.
- Lines 6 to 10: the TLS configuration of Dovecot.
- Line 14: the mail location, with the maildir mailbox format. It contains two variables, %d and %n: %d is the domain name and %n the local part of the email address. Example: for user1@hoasen.net, %n = user1 and %d = hoasen.net, so with the declaration above the mail of user1@hoasen.net is stored in /home/vmail/hoasen.net/user1/Maildir. Because delivery goes through Dovecot's LDA (line 41 of main.cf), this path is the one that counts; the mailMessageStore value Postfix reads from LDAP only has to be non-empty for the recipient to be accepted.
- Lines 18 to 27: the IMAP and POP3 protocol sections, pointing at the login and mail process binaries for each protocol. (They are executables, not scripts; Dovecot creates the user's Maildir itself on first delivery or login.)
- Lines 30 to 32: the configuration of the Dovecot MDA (LDA): the postmaster address and the auth-master socket it uses to look up users.
- Line 36: the authentication mechanisms for passwords. plain and login are only safe because line 6 enables TLS and Dovecot refuses plaintext authentication on unencrypted connections by default (disable_plaintext_auth = yes); Postfix enforces the same with smtpd_tls_auth_only.
- Lines 37 to 41: the password database and user database; the LDAP server holds the authentication information, and the prefetch userdb reuses what the passdb lookup returned. The file dovecot-ldap.conf is shown below.
- Lines 42 to 54: the sockets for SASL. The master socket (0600, owned by vmail) serves the LDA; the client socket is created inside the Postfix queue directory, owned by postfix with mode 0660, and is the private/auth that smtpd_sasl_path in main.cf refers to.
Configure the file /etc/dovecot/dovecot-ldap.conf in detail as follows:
 1 hosts = 192.168.193.10
 2 auth_bind = yes
 3 auth_bind_userdn = uid=%n,ou=Users,dc=hoasen,dc=local
 4 ldap_version = 3
 5 base = ou=Users,dc=hoasen,dc=local
 6 scope = subtree
 7 user_attrs = ,=home=/home/vmail/%d/%n,=uid=5000,=gid=5000
 8 user_filter = (&(objectClass=*)(mail=%u))
 9 pass_attrs = mail=user,userPassword=password
10 pass_filter = (&(objectClass=*)(mail=%u))
11 default_pass_scheme = CRYPT
Explanation:
- Line 1: the IP address of the LDAP server.
- Line 2: enable the authentication-bind mechanism: Dovecot verifies the password by binding to LDAP as the user, instead of reading userPassword itself.
- Line 3: the DN Dovecot binds with; %n is the local part of the login name, so user1@hoasen.net binds as uid=user1,ou=Users,dc=hoasen,dc=local.
- Line 7: because we use a static user, the attributes are given fixed values (home directory, uid and gid 5000, the vmail account).
Note that with hosts = 192.168.193.10 and no TLS, each user's password crosses the LAN in the clear inside the bind; either run Dovecot on the LDAP host, or add tls = yes (or an ldaps:// URI in uris) and move the slapd listener onto TLS.
Step 4: restart the servers:
service postfix restart
service dovecot restart
Step 5: give Postfix write permission on Dovecot's log files (the two files /var/log/dovecot and /var/log/dovecot.info):
chmod 666 /var/log/dovecot
chmod 666 /var/log/dovecot.info
A world-writable log file lets any local account append to or truncate the mail logs, which defeats their value as evidence. The narrower fix is to make the files group-writable for a group that contains postfix (chgrp plus chmod 660) rather than 666.
Step 6: test Postfix and Dovecot by connecting to the server with telnet as in the figure below (EHLO, then AUTH should only be offered after STARTTLS; a RCPT TO for a foreign domain from an unauthenticated session should be rejected):
telnet mail.hoasen.net 25
2. Installation:
In this section we use proftpd as the FTP server. Install it as root with the command apt-get install proftpd.
Umask 022 022
AllowOverwrite on
PersistentPasswd off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
Include /etc/proftpd/ldap.conf
<Directory /*>
  AllowOverwrite on
</Directory>
<Directory /home/ftp/public>
  <Limit ALL>
    AllowAll
  </Limit>
</Directory>
<Directory /home/ftp/user1>
  <Limit LOGIN>
    AllowUser user1
  </Limit>
  Umask 000
  <Limit DIRS READ WRITE>
    AllowAll
  </Limit>
</Directory>
Explanation: in the configuration above note the following declarations (the line numbers refer to the complete proftpd.conf, whose first part is not reproduced here):
- Lines 26 and 27: declare the root directory of the FTP server.
- Lines 37 and 40 (PersistentPasswd off and Include /etc/proftpd/ldap.conf): these must be present in the configuration file if we want authentication through LDAP.
- Lines 41 to 57: the directories shared by the FTP server. Umask 000 in /home/ftp/user1 makes everything user1 uploads world-writable on the server's filesystem; 022 (or 077) is the safer choice unless other local users must edit those files.
Next we configure the file ldap.conf as follows:
1. LDAPServer localhost
2. LDAPDNInfo "cn=admin,dc=hoasen,dc=local" "pwd123"
3. LDAPDoAuth on "ou=Users,dc=hoasen,dc=local"
Explanation: these declare the information the FTP server needs to talk to the LDAP server.
- Line 1: where the LDAP server is.
- Line 2: the user (bind DN) and password.
- Line 3: where to search for users in LDAP.
Two caveats on line 2: it binds with the directory's admin DN, so the FTP daemon can modify any entry if compromised; create a read-only bind account for it instead. And the password sits in clear text in this file, so keep /etc/proftpd/ldap.conf readable by root only (chmod 600).
2. Configuring NAT:
Before configuring NAT, assign static IP addresses to the interfaces.
Step 1: run the following command:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
This writes the value 1 into ip_forward, which allows the kernel to forward packets between the system's interfaces.
Step 2: edit the file /etc/sysctl.conf and set the following line:
net.ipv4.ip_forward=1
This makes the ip_forward value from step 1 stay at 1 after every reboot.
Step 3: configure NAT with the following commands. Note: the system has two interfaces, laid out as follows:
INTERNET --- eth1 [firewall] eth2 --- internal network (192.168.193.0/24)
iptables -A FORWARD -o eth1 -i eth2 -s 192.168.193.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
Step 4: because the iptables rules are lost when the system reboots, we use a script to restore the iptables configuration. Create the file /opt/iptable.script with the following commands:
#!/bin/bash
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -o eth1 -i eth2 -s 192.168.193.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
Make the script executable (chmod +x /opt/iptable.script) and run it at boot, for example from /etc/rc.local or a pre-up line for eth1 in /etc/network/interfaces. Three things to keep in mind: iptables -F only flushes the filter table, so re-running the script duplicates the MASQUERADE rule unless you also flush with -t nat -F; the MASQUERADE rule has no -o eth1 and therefore rewrites the source of every forwarded packet, including those going into the LAN, so the internal servers see the firewall's address instead of the real client; and the INPUT policy ACCEPT leaves every service on the firewall itself (including the LDAP, Samba and mail daemons if they run here) reachable from the Internet side.
The command above (not reproduced on this page) means: every connection arriving on the firewall's external interface with destination address 192.168.0.110, protocol TCP and destination port 80 is NATed to the address 192.168.193.12 (the web server) on port 80. To keep this rule across reboots, add it to the script from step 4 in section 2 above. Since the FORWARD policy in that script is DROP and its only NEW-state rule accepts traffic from eth2 to eth1, the translated connections also need a FORWARD rule accepting NEW TCP connections from eth1 to 192.168.193.12 port 80 on eth2; without it the DNAT rule rewrites the packets and the FORWARD chain then silently drops them.
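The interplay between the DNAT port-forward, the FORWARD chain and the MASQUERADE rule, as an added example (not code from the report): a small model of the page's script run over a few constructed packets. The firewall's internal address 192.168.193.1, the external client 203.0.113.7 and the extra FORWARD rule are assumptions; the DNAT behaviour is the one described in the paragraph above.

```python
"""Added example: model of the page's FORWARD chain and nat table for a few packets."""
import ipaddress

FW_INTERNAL = "192.168.193.1"          # assumed address of eth2
FW_EXTERNAL = "192.168.0.110"          # eth1 address named in the paragraph above


def rule(target, **match):
    return match, target


def rule_matches(match, pkt):
    for key, want in match.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key == "ctstate":
            if pkt["ctstate"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def chain_verdict(rules, policy, pkt):
    """First matching rule decides, as with iptables -A; otherwise the chain policy."""
    for match, target in rules:
        if rule_matches(match, pkt):
            return target
    return policy


# /opt/iptable.script from the page, as rule objects (eth1 = Internet, eth2 = LAN)
FORWARD_PAGE = [
    rule("ACCEPT", iif="eth2", oif="eth1", src="192.168.193.0/24", ctstate={"NEW"}),
    rule("ACCEPT", ctstate={"ESTABLISHED", "RELATED"}),
]
# Hypothetical addition the port-forward needs (not on the page), equivalent to:
#   iptables -A FORWARD -i eth1 -o eth2 -p tcp -d 192.168.193.12 --dport 80 \
#       -m conntrack --ctstate NEW -j ACCEPT
FORWARD_WITH_DNAT = [rule("ACCEPT", iif="eth1", oif="eth2", proto="tcp",
                          dst="192.168.193.12/32", dport=80, ctstate={"NEW"})] + FORWARD_PAGE


def prerouting_dnat(pkt):
    """The port-forward the paragraph describes: eth1, dst 192.168.0.110, tcp/80 -> 192.168.193.12:80."""
    if (pkt["iif"] == "eth1" and pkt["dst"] == FW_EXTERNAL
            and pkt["proto"] == "tcp" and pkt["dport"] == 80):
        return dict(pkt, dst="192.168.193.12", oif="eth2")   # routing now points at the LAN
    return pkt


def postrouting_masquerade(pkt, only_oif=None):
    """-j MASQUERADE rewrites the source to the outgoing interface's address.
    The page's rule has no -o, which only_oif=None reproduces."""
    if only_oif is None or pkt["oif"] == only_oif:
        return dict(pkt, src=FW_EXTERNAL if pkt["oif"] == "eth1" else FW_INTERNAL)
    return pkt


def forward_path(forward_rules, pkt, masq_oif=None):
    """PREROUTING nat -> FORWARD filter -> POSTROUTING nat for one NEW packet."""
    pkt = prerouting_dnat(pkt)
    verdict = chain_verdict(forward_rules, "DROP", pkt)
    if verdict != "ACCEPT":
        return verdict, pkt
    return verdict, postrouting_masquerade(pkt, masq_oif)


# Constructed packets (oif None = not yet routed; DNAT fills it in)
LAN_OUT = {"iif": "eth2", "oif": "eth1", "src": "192.168.193.50", "dst": "203.0.113.7",
           "proto": "tcp", "dport": 443, "ctstate": "NEW"}
WEB_IN = {"iif": "eth1", "oif": None, "src": "203.0.113.7", "dst": FW_EXTERNAL,
          "proto": "tcp", "dport": 80, "ctstate": "NEW"}
SCAN_IN = {"iif": "eth1", "oif": "eth2", "src": "203.0.113.7", "dst": "192.168.193.50",
           "proto": "tcp", "dport": 22, "ctstate": "NEW"}
```

`forward_path(FORWARD_PAGE, WEB_IN)` returns DROP even though the DNAT happened, which is the failure the paragraph's rule runs into on its own; with FORWARD_WITH_DNAT it is accepted, and the masq_oif argument shows that only `-o eth1` on the MASQUERADE rule keeps the client's real address visible to the web server.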
At the end of /etc/apache2/apache2.conf, comment out the line Include /etc/apache2/sites-enabled/ so that it reads #Include /etc/apache2/sites-enabled/ (this disables the virtual hosts shipped by the distribution). In the same file add the following lines:
DocumentRoot /home/vanhieugdpt
ServerName www.hoasen.net
<Directory /home/vanhieugdpt>
  Order deny,allow
  Allow from all
</Directory>
Now we configure Apache to authenticate through LDAP. In /etc/apache2/apache2.conf configure the block as follows (this is Apache 2.2 syntax: mod_authnz_ldap with AuthzLDAPAuthoritative, and Order/Allow access control):
DocumentRoot /home/vanhieugdpt
ServerName www.hoasen.net
<Directory /home/vanhieugdpt>
  Order deny,allow
  Allow from all
  AuthType Basic
  AuthName "vanhieugdpt"
  AuthzLDAPAuthoritative Off
  AuthBasicProvider ldap
  AuthLDAPURL ldap://dc.hoasen.net:389/ou=Users,dc=hoasen,dc=local?uid?one?(objectClass=person)
  Require ldap-user user1 user2
</Directory>
This configuration demands authentication, against the users held on the LDAP server, before www.hoasen.net can be viewed; the URL searches one level below ou=Users for an entry whose uid equals the login name and whose objectClass is person, and only user1 and user2 are then allowed in. Restart Apache for it to take effect. Note that as written the password travels in the clear twice: HTTP Basic over plain http://, and the LDAP bind over plain ldap://. Serve the site over HTTPS (SSLRequireSSL in this block) and point AuthLDAPURL at ldaps:// or set LDAPTrustedMode TLS before exposing it beyond the lab.
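What the AuthLDAPURL above turns into, as an added example (not code from the report or from Apache): RFC 4515 escaping of the login name, the (&<filter>(uid=<user>)) search that mod_authnz_ldap assembles from the URL, and a small in-memory filter evaluator that shows what an unescaped login name would do to that search. The directory entries are constructed; the module escapes the user name before substituting it, and the same escaping is what Postfix applies to %s in query_filter and Dovecot to %u in user_filter/pass_filter in the mail section above.

```python
"""Added example: RFC 4515 value escaping, the mod_authnz_ldap search filter, and a
tiny LDAP filter evaluator over constructed entries."""


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def apache_filter(attribute, url_filter, username, escape=True):
    """(&<url_filter>(<attribute>=<user>)) is the shape mod_authnz_ldap searches with."""
    user = escape_filter_value(username) if escape else username
    return "(&%s(%s=%s))" % (url_filter, attribute, user)


def parse_filter(s, i=0):
    """Recursive-descent parser for the subset &, |, !, equality and * wildcards."""
    if s[i] != "(":
        raise ValueError("expected ( at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        node = ("!", kid)
    else:
        eq = s.index("=", i)
        end = s.index(")", eq)            # a literal ')' inside a value is always \29
        node = ("=", s[i:eq].lower(), s[eq + 1:end])
        i = end
    if s[i] != ")":
        raise ValueError("expected ) at %d" % i)
    return node, i + 1


def unescape(value):
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def value_matches(pattern, actual):
    """Equality with RFC 4515 substring wildcards; a lone '*' is a presence test."""
    if pattern == "*":
        return True
    parts = [unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return actual == parts[0]
    if not (actual.startswith(parts[0]) and actual.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        pos = actual.find(mid, pos)
        if pos < 0:
            return False
        pos += len(mid)
    return pos <= len(actual) - len(parts[-1])


def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    return any(value_matches(pattern, v) for v in entry.get(attr, []))


def search(directory, filter_string):
    """DNs matching filter_string, like a one-level search under ou=Users."""
    tree, _ = parse_filter(filter_string)
    return sorted(e["dn"] for e in directory if matches(tree, e))


# Constructed entries shaped like the page's ou=Users,dc=hoasen,dc=local
DIRECTORY = [
    {"dn": "uid=%s,ou=Users,dc=hoasen,dc=local" % u, "objectclass": ["person", "sambaSamAccount"],
     "uid": [u], "mail": ["%s@hoasen.net" % u]}
    for u in ("user1", "user2", "adminpdc")
]
URL_FILTER = "(objectClass=person)"       # from the AuthLDAPURL on the page


def lookups(username):
    """Search results for a login name with and without escaping."""
    return (search(DIRECTORY, apache_filter("uid", URL_FILTER, username)),
            search(DIRECTORY, apache_filter("uid", URL_FILTER, username, escape=False)))
```

`lookups("*)(uid=*")` returns no entry with escaping and every entry without it: the unescaped name closes the uid assertion early and adds a presence test, so the authentication provider would go on to try the supplied password against whichever entry came back first.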
sudo apt-get install dhcp3-server
sudo gedit /etc/default/dhcp3-server
Find the line INTERFACES= and replace it with INTERFACES="eth0", so that the server only answers DHCP requests on the internal interface (on later Ubuntu releases the package and file are named isc-dhcp-server).
Save the file and exit.
Change it to: