
Linux for Organization

Infrastructure Management

Part 1
Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP)

Directory Access (Active Directory)

Lightweight Directory Access Protocol (LDAP)

LDAP
LDAP
LDAP X.500

LDAP

LDAP

LDAP Secure Secure


Authentication Linux LDAP
Replication

LDAP

LDAP /

LDAP Schema


objectClass
schema

LDAP Schema
objectclass ( 2.5.6.2 NAME 'country'
    DESC 'RFC2256: a country'
    SUP top STRUCTURAL
    MUST c
    MAY ( searchGuide $ description ) )

objectclass
country
top
c
searchGuide
description

LDAP Linux

LDAP Server Linux OpenLDAP


OpenLDAP (www.openldap.org)
Slapd OpenLDAP
Slurpd Replication Backup
OpenLDAP
Fedora Directory Server (directory.fedora.redhat.com)
LDAP Server Netscape Directory Server
OpenLDAP
OpenLDAP
Linux Distribution
Authentication LDAP Authentication

OpenLDAP

OpenLDAP
/etc/openldap

/etc/openldap/slapd.conf slapd
/etc/openldap/ldap.conf
OpenLDAP client


/etc/openldap/schema Schema
LDAP LDAP


OpenLDAP

LDAP Authentication system



LDAP Authentication

/etc/openldap/slapd.conf
/etc/openldap/ldap.conf slapd.conf
slapd

OpenLDAP
search



c=TH
  o=TrainCorp1
    cn=Manager
    ou=People
      cn=User1
      cn=User2
      cn=User3
    ou=Group
      cn=Group1
      cn=Group2
      cn=Group3



/etc/openldap/slapd.conf

Option suffix rootdn

suffix suffix

rootdn rootdn Admin


Ldap

O=Traincorp1,c=TH o=Traincorp2,c=TH

cn=Manager,o=Traincorp1,c=TH
cn=Manager,o=Traincorp2,c=TH

rootpw password rootdn


slappasswd

slappasswd >> slapd.conf


password password
slapd.conf rootpw

/etc/openldap/slapd.conf ()

LDAP
Admin
LDAP Admin X.500
Admin
slapd.conf Admin account

Admin


/etc/openldap/ldap.conf

Query
LDAP ldapsearch, ldapadd
ldapmodify
HOST Address slapd
BASE suffix slapd.conf

BASE search filter ldap


BASE
cn=Group1,ou=Group
cn=group1,ou=Group,o=Traincorp1,c=TH

Slapd server

/sbin/service ldap start


/sbin/chkconfig ldap on
ldapsearch -x

-x simple authentication


Ldif
OpenLDAP ldapadd
Red Hat Linux 9
/etc/passwd /etc/group ldif

LDAP_DEFAULT_MAIL_DOMAIN=localhost LDAP_EXTENDED_SCHEMA=1 \
LDAP_BASEDN="o=Traincorp1,c=TH" \
/usr/share/openldap/migration/migrate_passwd.pl /etc/passwd > pwd.ldif

LDAP_DEFAULT_MAIL_DOMAIN=localhost LDAP_EXTENDED_SCHEMA=1 \
LDAP_BASEDN="o=Traincorp1,c=TH" \
/usr/share/openldap/migration/migrate_group.pl /etc/group >> pwd.ldif
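As an added example (not from the slides and not Red Hat's migration scripts), the Python below reproduces in simplified form what migrate_passwd.pl and migrate_group.pl emit: posixAccount entries under ou=People and posixGroup entries under ou=Group of o=Traincorp1,c=TH. The passwd and group lines are constructed; the real scripts also read /etc/shadow for the password hash when run as root, which this version does not.

```python
# Added example, not from the slides or the OpenLDAP migration tools: a
# simplified version of what migrate_passwd.pl and migrate_group.pl emit,
# turning /etc/passwd and /etc/group lines into LDIF under the slides' base DN.
BASE_DN = "o=Traincorp1,c=TH"

# Constructed sample input (not real system files).
PASSWD_LINES = ["user1:x:501:501:User One:/home/user1:/bin/bash",
                "user2:x:502:501:User Two:/home/user2:/bin/bash"]
GROUP_LINES = ["group1:x:501:user1,user2"]


def passwd_to_ldif(line, base_dn=BASE_DN):
    """One /etc/passwd line -> one posixAccount entry under ou=People."""
    name, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    attrs = [
        f"dn: uid={name},ou=People,{base_dn}",
        f"uid: {name}",
        f"cn: {gecos or name}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        f"userPassword: {{crypt}}{pw}",   # "x" here; real hash is in /etc/shadow
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
        f"gecos: {gecos}",
    ]
    return "\n".join(attrs) + "\n"


def group_to_ldif(line, base_dn=BASE_DN):
    """One /etc/group line -> one posixGroup entry under ou=Group."""
    name, _pw, gid, members = line.rstrip("\n").split(":")
    attrs = [
        f"dn: cn={name},ou=Group,{base_dn}",
        "objectClass: posixGroup",
        "objectClass: top",
        f"cn: {name}",
        f"gidNumber: {gid}",
    ]
    # memberUid carries bare login names, one attribute value per member.
    attrs += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(attrs) + "\n"


def migrate(passwd_lines=PASSWD_LINES, group_lines=GROUP_LINES):
    """Join entries with blank lines, the record separator ldapadd -f expects."""
    entries = [passwd_to_ldif(l) for l in passwd_lines]
    entries += [group_to_ldif(l) for l in group_lines]
    return "\n".join(entries)
```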

()

parent directory pwd.ldif


dn: o=Traincorp1,c=TH
o: Traincorp1
objectClass: top
objectClass: organization

dn: ou=People,o=Traincorp1,c=TH
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,o=Traincorp1,c=TH
ou: Group
objectClass: top
objectClass: organizationalUnit


()

(user1-3 group1-3)
pwd.ldif
root LDAP

User ID


ldapadd -x -W -D cn=Manager,o=Traincorp1,c=TH -f pwd.ldif

ldapsearch -x
ldapsearch -x uid=user1


add user
convert


LDAP
Authentication

system-config-authentication
System Setting -> Authentication


LDAP
Authentication


User Information Configuration


Authentication Configuration

User Information Configuration


Authenticate (Log-in)

finger, ls User
Information Configuration

Authentication Configuration
Authenticate

password username


finger user1 user



: home directory
useradd

mkdir /home/user1
cd /etc/skel
tar cf - .[a-zA-Z]* | (cd /home/user1 ; tar xf -)
chown -R user1.group1 /home/user1


1: LDAP

Authentication
Authenticate LDAP


LDAP

ldapadd
LDIF
ldapmodify
ldapsearch
ldapdelete entry
ldapmodrdn rename entry
ldappasswd password entry
slappasswd password
LDAP

LDAP

ldapadd

ldapadd -c -x -W -D cn=Manager,o=Traincorp1,c=TH -f add.ldif

-x simple authentication
-W password prompt
-D rootdn
-f add.ldif ( standard
input)
-c ( entry
c input)

argument

LDAP

ldapdelete

ldapdelete -x -W -D cn=Manager,o=Traincorp1,c=TH cn=mailman,ou=Group,o=Traincorp1,c=TH
entry
cn=mailman,ou=Group,o=Traincorp1,c=TH

entry entry

ou=People,o=Traincorp1,c=TH entry
ou=People

LDAP

ldapmodrdn

ldapmodrdn -x -W -D cn=Manager,o=Traincorp1,c=TH -f rdn.ldif
rdn.ldif:
cn=mailman,ou=Group,o=Traincorp1,c=TH
cn=mailwoman

group mailman mailman mailmanjung


LDAP

ldapmodify

ldapmodify -x -W -D cn=Manager,o=Traincorp1,c=TH -f mod.ldif

entry mod.ldif

mod.ldif
dn: cn=Modified, o=Traincorp1, c=TH
changetype: modify
replace: mail
mail: xx@yy.org
-
add: title
title: Modified One
-
delete: description

mail entry cn=Modified,


o=Traincorp1, c=TH xx@yy.org
title Modified One
field description


entry

dn: cn=group1,ou=Group,o=Traincorp1,c=TH
changetype: modify
add: memberUid
memberUid: uid=user1,ou=People,o=Traincorp1,c=TH
memberUid: uid=user2,ou=People,o=Traincorp1,c=TH

memberUid entry group1

uid=user1,ou=People,o=Traincorp1,c=TH
uid=user2,ou=People,o=Traincorp1,c=TH
ldapadd ldapdelete
ldapmodify changetype
add delete
ldapmodify
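The following added example (not from the slides or OpenLDAP) is a small interpreter for the changetype: modify record above: it parses the replace/add/delete operations and applies them to an in-memory copy of the entry, so the effect can be checked before ldapmodify touches the live server. The starting entry is constructed, and the interpreter only handles the three operations the slide uses.

```python
# Added example, not from the slides: a small interpreter for the
# "changetype: modify" record above, applied to an in-memory entry so the
# effect of replace/add/delete can be checked before running ldapmodify.
MOD_LDIF = """\
dn: cn=Modified,o=Traincorp1,c=TH
changetype: modify
replace: mail
mail: xx@yy.org
-
add: title
title: Modified One
-
delete: description
"""
ENTRY = {"cn": ["Modified"], "mail": ["old@yy.org"], "description": ["x"]}  # constructed

def parse_modify(ldif):
    """Return (dn, [(op, attr, [values]), ...]) from one modify record."""
    lines = [l for l in ldif.splitlines() if l and not l.startswith("#")]
    dn = lines[0].split(":", 1)[1].strip()
    ops, cur = [], None
    for line in lines[2:]:              # skip dn and changetype lines
        if line == "-":                 # separator between operations
            ops.append(cur)
            cur = None
            continue
        key, val = (p.strip() for p in line.split(":", 1))
        if cur is None:                 # first line of an operation
            cur = (key, val, [])        # key is add / replace / delete
        else:
            cur[2].append(val)          # a value for the current operation
    if cur is not None:
        ops.append(cur)
    return dn, ops

def apply_modify(entry, ops):
    """Apply parsed operations to a copy of entry and return the copy."""
    e = {k: list(v) for k, v in entry.items()}
    for op, attr, vals in ops:
        if op == "replace":
            e[attr] = list(vals)
        elif op == "add":
            e.setdefault(attr, []).extend(vals)
        elif op == "delete":            # no values listed: drop the attribute
            e[attr] = [v for v in e.get(attr, []) if vals and v not in vals]
            if not e[attr]:
                del e[attr]
    return e
```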

LDAP

ldapsearch
ldapsearch -x cn=mailman,ou=Group,o=Traincorp1,c=TH

ldapsearch -x -b ou=People,o=Traincorp1,c=TH "uid=roo*"

entry (cn=mailman)
entry uid= roo ou=People

slappasswd
slappasswd -h {CRYPT}
password entry password userPassword
password
crypt UNIX
: password password
Crypt (default SSHA)


2: LDAP

user4
ldapadd
gecos user1 I am user1
finger user1
user4 add


password

slapd Log-in
Config /etc/openldap/slapd.conf
access to *
by self write
by users read
by anonymous read
access to * access
by self Log-in
by users users Log-in
by anonymous Log-in
LDAP password user userPassword
User password ldapmodify

: anonymous read
Log-in anonymous
password
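The slide's access rules give every anonymous client read access to every attribute, userPassword hashes included. The following added example (not from the slides or OpenLDAP) models slapd's first-match evaluation of access to / by rules and compares that rule set with one that places a userPassword-specific rule before the catch-all; the model is simplified (no regex targets, no dn.base or group selectors) and the DNs in the checks are constructed.

```python
# Added example, not from the slides: a minimal model of how slapd walks
# "access to ... by ..." rules (first matching "to" clause, then its first
# matching "by" clause). Simplified: no regex targets, no dn.base/group
# selectors, and "none" when no directive matches at all.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

WEAK_ACL = [  # the rule set shown on the slide
    ("*", [("self", "write"), ("users", "read"), ("anonymous", "read")]),
]
HARDENED_ACL = [  # the userPassword rule must precede the catch-all
    ("attrs=userPassword",
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [("self", "write"), ("users", "read"), ("anonymous", "read")]),
]


def _to_matches(target, attr):
    return target == "*" or target == f"attrs={attr}"


def _by_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous (unauthenticated) client."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    return False


def access_level(acl, bind_dn, entry_dn, attr):
    """Level granted to bind_dn on attr of entry_dn; 'none' if nothing matches."""
    for target, by_clauses in acl:
        if not _to_matches(target, attr):
            continue
        for who, level in by_clauses:
            if _by_matches(who, bind_dn, entry_dn):
                return level
        return "none"          # "to" matched but no "by" matched: denied
    return "none"


def can_read(acl, bind_dn, entry_dn, attr):
    """True when the granted level is at least read (levels are cumulative)."""
    return LEVELS.index(access_level(acl, bind_dn, entry_dn, attr)) >= LEVELS.index("read")
```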

root password

root password User


password rootdn user (
NIS) /etc/ldap.secret password
rootdn password passwd
password rootdn
password secret

rootbinddn /etc/ldap.conf rootdn

rootbinddn cn=Manager,o=TrainCorp1,c=TH

echo secret > /etc/ldap.secret


chmod 600 /etc/ldap.secret
/etc/ldap.conf Authentication
LDAP ( /etc/openldap/ldap.conf
LDAP )


LDAP

Authentication
OpenLDAP
Authentication Name
service caching daemon (nscd) cache
Authentication

Cache information
system-config-authentication
nscd authentication
nscd update nscd refresh
/sbin/service nscd reload


LDAP


LDAP

LDAP

/sbin/sysctl -w fs.file-max=65536


LDAP
(TLS)

OpenLDAP TLS
TLS
/etc/openldap/slapd.conf
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
/usr/share/ssl/certs certificate
cd /usr/share/ssl/certs
rm -f slapd.pem && make slapd.pem

Common name
host

chgrp ldap slapd.pem && chmod 640 slapd.pem


restart ldap server
service ldap restart


LDAP TLS

/etc/openldap/ldap.conf

(HOST) Common Name

Common Name
/etc/openldap/ldap.conf
myhostname.mydomainame.com

TLS_REQCERT allow
link /usr/share/ssl/certs
/etc/openldap/cacerts
ln -s /usr/share/ssl/certs /etc/openldap/cacerts

ldapsearch -x -ZZ (-ZZ: TLS)

Authentication LDAP/TLS

Use TLS system-config-authentication TLS Host


Common name Certificate
tls_checkpeer no /etc/ldap.conf
finger user1


Authentication LDAP/TLS


Authentication LDAP/TLS


Certificate Authority (CA)

TLS CA

TLS_REQCERT allow
tls_checkpeer no



CA
Certificates


3: TLS + LDAP + NSCD

Authentication
TLS
NSCD Authentication


system-config-authentication
/etc/pam.d/system-auth Authentication
system-config-authentication

User Information Configuration system-config-authentication /etc/nsswitch.conf
passwd, hosts, ethers, netgroup, autofs
search base account Log-in
account anonymous Authentication ldap
/etc/ldap.conf

ou=People,o=Traincorp1,c=TH


ou=HumanResource,ou=Employee,o=Traincorp1,c=TH


LDAP

Authentication
3

/etc/openldap/slapd.conf OpenLDAP server


/etc/openldap/ldap.conf OpenLDAP command suite
/etc/ldap.conf Authentication system configuration

LDAP Authentication

Outlook Express
Directory service
