Campus-wide Central Authentication using Directory Services (siva/talks/ldap-iim.pdf)
Posted on 21-Aug-2018
Outline
Motivation: Why LDAP?
How LDAP works
Managing LDAP
How Applications use LDAP
Campus-wide Central Authentication usingDirectory Services
G. Sivakumar
Computer Science and EngineeringIIT Bombay
siva@iitb.ac.in
March 4, 2005
Sample E-mail issues
E-mail is still the most critical service.
Centralized vs. Distributed Solution
Mail is not a Login Account! (Hotmail/Yahoo)
Spam, Virus, Impostors, Harassment, Admissions/Schols
Assume you are postmaster (postbox.iitb.ac.in)
Who is user@iitb.ac.in?
  Real User (where is his mailbox?)
  Simple Mail Alias (Dean, Head, ...)
  Mailing List
  Unknown user (can be a real problem)
From Client Side
  AddressBook
  Mail Forwarding
  Choosing Unique ID
  Lifelong ID
Sample Issues in Web Browsing
World Wide Wait! (Bandwidth)
What's the good stuff?
  Research reports
  Books, Software, ...
What's the bad stuff?
  Pirated Entertainment
  Pornography
  ...
Controlled access via Caching Proxy
  Squid (the best)
User Management Nightmare
  A recent suicide threat!
  Adding/Deleting
  Locking Passwords (why?)
  Need for Static IP mappings
Static IP Mappings
You live in Hostel 6, Room 322.
Allotted IPs: 10.6.3.22, 10.6.13.22, 10.6.23.22, ...
What's your netmask? (255.255.0.0)
Who's your gateway? (10.6.250.1)
64K IPs available per Hostel (400 students)
Why fix a static IP-MAC binding?
  Virus (bombarding proxy, mail servers etc.)
  Who downloaded the mp3/porn?
  Accountability (CCTeam is not too popular!)
  Chess Funda (Threat is stronger than execution!)
But, how to do the mapping?
  New Computer.
  Change Ethernet card.
  CCTeam should not be the bottleneck!
  Centralize data/knowledge, not work!
  Delegate authority (LDAP to the rescue).
User Accounts and Central Storage
Public Access Terminals (spread out including Hostels, Depts)
How to create/delete logins?
Forgotten Passwords!
Home Directories
Access Restrictions (Timings)
PAM (Pluggable Authentication Modules)
NIS and its disadvantages
Kerberos (complex solution)
Can LDAP help?
What can LDAP do?
Create and Manage User Info centrally
Allow Access Control in Applications
Allow a Policy Based Framework
Allow restricted delegation of authority
Caution: LDAP is only a tool
You still need a good design/implementation.
LDAP at IIT Bombay
Architecture, Schemas, Attributes
IITB LDAP Structure Examples
What is LDAP
http://www.openldap.org
Lightweight Directory Access Protocol
Based on X.500
Directory service (RFC1777)
Stores attribute based data
Data generally read more than written to
  No transactions
  No rollback
Hierarchical data structure
  Entries are in a tree-like structure called the Directory Information Tree (DIT)
user@iitb.ac.in ID (lifelong) created on day of entry into IIT.
Catch your alumni early!
LDAP Architecture
LDAP Hierarchy
LDAP Schema
Set of rules that describes what kind of data is stored
Helps maintain consistency and quality of data
Reduces duplication of data
Object class attribute determines the schema rules the entry must follow
Schema contains the following:
  Required attributes
  Allowed attributes
  How to compare attributes
  Limit what the attributes can store - i.e., restrict to integer etc.
  Restrict what information is stored - i.e., stops duplication etc.
Person Schema
Some Jargon
Attribute abbreviations (See RFC2256)
uid (User id)
cn (Common Name)
sn (Surname)
ou (Organisational Unit)
dc (Domain Component)
st (State)
c (Country)
dc=iitb,dc=ac,dc=in
IIT LDAP Structure
A Typical User Entry
Simple Mail Alias
Mailing List
Replication
Access Control and Delegation
Replication
Increases:
  Reliability - if one copy of the directory is down
  Availability - more likely to find an available server
  Performance - can use a server closer to you
  Speed - can take more queries as replicas are added
Having replicas close to clients is important - the network going down is the same as the server going down
Removes single point of failure
Replication Architecture
replogfile /var/lib/ldap/openldap-master-replog
replica host=ldap1.iitb.ac.in:389
        binddn="cn=Replicator,dc=iitb,dc=ac,dc=in"
        bindmethod=simple credentials=somepass
        tls=no
replica host=ldap2.iitb.ac.in:389
        binddn="cn=Replicator,dc=iitb,dc=ac,dc=in"
        bindmethod=simple credentials=somepass
        tls=no
Multi-Master Configuration
Also possible
Managing the Directory
Centralized data (management) can become a major bottleneck!
How to avoid?
Delegate Authorities.
Use Access Control Information (ACIs).
Authority Delegation
ACIs
Restrict access to attributes.
Selectively open up some attributes to some users.
Applies to Tree below the point where ACI is defined.
Static vs Dynamic ACIs.
  Static - explicitly list out people (dn) and their authority.
  Dynamic - say, people belonging to the Sysad Group and their authority.
ACI Example 1
Allow User herself to Modify Non-Critical Fields.
ACI Example 2
Allow Sysads to modify only their part of Tree.
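A small model of the two ACI examples above, written as an added illustration for this transcript (not IITB's actual slapd configuration): a static rule that lets a user write only the non-critical fields of her own entry, and a dynamic rule that lets members of a hostel's sysad group write anywhere in that hostel's subtree, and nowhere else. The OU ou=H6, the group cn=sysad-h6, the member DNs and the list of non-critical attributes are constructed for the example.

```python
# Constructed names for the example: the hostel OU, its sysad group and members.
NON_CRITICAL = {"telephonenumber", "roomnumber", "description"}
SYSAD_H6 = "cn=sysad-h6,ou=Groups,dc=iitb,dc=ac,dc=in"

# Each ACI: (DN where it is set, attributes it opens or None for all, grantee).
# The grantee "self" is a static rule (the entry's own DN); a group DN is dynamic.
# An ACI applies to the entry it is set on and to the whole tree below it.
ACIS = [
    ("ou=People,dc=iitb,dc=ac,dc=in", NON_CRITICAL, "self"),   # ACI Example 1
    ("ou=H6,ou=People,dc=iitb,dc=ac,dc=in", None, SYSAD_H6),    # ACI Example 2
]

# Constructed memberships; in a real DIT these are the group's member attributes.
GROUPS = {SYSAD_H6: {"uid=raman,ou=Staff,dc=iitb,dc=ac,dc=in"}}

def _norm(dn: str) -> tuple:
    """Compare DNs component-wise, ignoring case and spaces after commas."""
    return tuple(p.strip().lower() for p in dn.split(","))

def in_subtree(target: str, base: str) -> bool:
    """True when target is base itself or an entry anywhere below it in the DIT."""
    t, b = _norm(target), _norm(base)
    return len(t) >= len(b) and t[-len(b):] == b

def is_member(requester: str, group: str) -> bool:
    return _norm(requester) in {_norm(m) for m in GROUPS.get(group, ())}

def may_write(requester: str, target: str, attr: str) -> bool:
    """Default deny; grant only if some in-scope ACI opens attr to the requester."""
    for base, attrs, grantee in ACIS:
        if not in_subtree(target, base):
            continue                      # ACI does not cover this entry
        if attrs is not None and attr.lower() not in attrs:
            continue                      # attribute not opened by this ACI
        if grantee == "self" and _norm(requester) == _norm(target):
            return True
        if grantee != "self" and is_member(requester, grantee):
            return True
    return False
```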
LDAP API
LDAP Interfaces at IITB
LDAP Enabled Applications
Squid Configuration for LDAP
auth_param basic program /squid/libexec/squid_ldap_auth -b ou=people,dc=iitb,dc=ac,dc=in -u uid -f "(&(uid=%s)(!(myaccountstatus=locked))(!(myaccountstatus=expired)))" -P -h ldap.iitb.ac.in
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
redirect_program /squid/bin/squidGuard -c /squid/etc/squidGuard.conf
redirect_children 20
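The squid_ldap_auth helper substitutes the login name for %s in the filter above, searches for a matching entry and then binds as that entry with the supplied password. As an added example (not code from the talk), the Python below builds that filter with the escaping RFC 4515 requires for values placed into a filter and evaluates it against constructed entries, showing how the two negated clauses keep locked and expired accounts from being found at all; myaccountstatus is the site-specific attribute from the slide, and the sample entries are constructed.

```python
import re
# Filter template from the talk's squid.conf; the login name replaces %s.
SQUID_FILTER = "(&(uid=%s)(!(myaccountstatus=locked))(!(myaccountstatus=expired)))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a user-supplied value cannot alter the filter's structure."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(login: str) -> str:
    """The search filter Squid would send for this login name."""
    return SQUID_FILTER.replace("%s", escape_filter_value(login))

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s: str, i: int):
    """Recursive-descent parser for the &, ! and equality forms used above;
    returns (node, index just past the closing parenthesis)."""
    assert s[i] == "("
    i += 1
    if s[i] == "&":
        kids, i = [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return ("&", kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), _unescape(value).lower()), j + 1

def _matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not _matches(node[1], entry)
    _, attr, value = node   # equality, case-insensitive as for caseIgnore syntaxes
    return any(v.lower() == value for v in entry.get(attr, []))

def entry_selected(login: str, entry: dict) -> bool:
    """Would this entry be the one Squid finds (and then binds as with the password)?"""
    node, _ = _parse(build_filter(login), 0)
    return _matches(node, {k.lower(): v for k, v in entry.items()})

# Constructed sample entries; attribute values are lists, as in LDAP.
ACTIVE = {"uid": ["siva"]}
LOCKED = {"uid": ["siva"], "myAccountStatus": ["locked"]}
```

Note that an entry with no myaccountstatus attribute at all satisfies both negated clauses, so the attribute must be set on every account whose state is meant to be enforced.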
LDAP API
Common API functions
Bind to a server
Add an entry to the server
Delete an entry from the server
Modify an entry’s Distinguished Name (DN)
Modify the contents of an entry
Perform a search on a directory
Unbind from a server
Using Perl’s Net::LDAP
#!/usr/bin/perl
# Bulk-add users from colon-separated lines: uid:givenName:sn:mail
use strict;
use warnings;
use Net::LDAP;

my $ldap = Net::LDAP->new("localhost") or die "cannot connect: $@";
my $mesg = $ldap->bind("cn=Manager,dc=iitb,dc=ac,dc=in", password => "secret");
$mesg->code && die "bind error: ", $mesg->error;

while (<>) {
    chomp;
    my ($uid, $givenName, $sn, $mail) = split(/:/, $_);
    my $cn = "$givenName $sn";
    my $dn = "uid=$uid,ou=People,dc=iitb,dc=ac,dc=in";
    my $result = $ldap->add($dn, attr => [
        'uid'         => $uid,
        'cn'          => $cn,
        'sn'          => $sn,
        'mail'        => $mail,
        'givenName'   => $givenName,
        'objectclass' => [ 'person', 'inetOrgPerson' ],
    ]);
    $result->code && warn "error adding $dn: ", $result->error;
}
$ldap->unbind;
What can the LDAP superuser do?
Static MAC-IP mappings
Adding a Student
LDAP Logs
Logs are stored in slapd.log
Various log analysis packages are available
Output of ldap-stats.pl
Operation totals
------------------
Total operations : 12326
Total connections : 5004
Total authentication failures : 34
Total binds : 2928
Total unbinds : 4096
Total searches : 5261
Total modifications : 38
Total additions : 3
Operations per connection : 2.46
Hostname Connections Searches Adds Mods Dels
-------- ----------- -------- ---- ---- ----
10.100.106.40 290 582 0 0 0
10.100.11.1 735 1186 3 37 0
10.100.116.111 2 2 0 0 0
Conclusion
Slapd (University of Michigan)
OpenLDAP
Netscape Directory Server
Microsoft Active Directory (AD)
Novell Directory Services (NDS)
Sun Directory Services (iPlanet)
Lucent’s Internet Directory Server (IDS)
...
LDAP is a very valuable tool to implement effective network management.
Starting points: ldapguru.org, openldap.org
Single Sign-on (www.pubcookie.org)