Campus-wide Central Authentication using Directory Services
(slides: siva/talks/ldap-iim.pdf, 35 pages)

G. Sivakumar
Computer Science and Engineering, IIT Bombay
[email protected]
March 4, 2005

Outline
Motivation: Why LDAP?
How LDAP works
Managing LDAP
How Applications use LDAP

Page 2: Sample E-mail issues

E-mail is still the most critical service.
Centralized vs. distributed solution.
Mail is not a login account! (Hotmail/Yahoo)
Spam, viruses, impostors, harassment, admissions/schols.
Assume you are postmaster (postbox.iitb.ac.in). Who is [email protected]?
  - Real user (where is his mailbox?)
  - Simple mail alias (Dean, Head, ...)
  - Mailing list
  - Unknown user (can be a real problem)
From the client side:
  - Address book
  - Mail forwarding
  - Choosing a unique ID
  - Lifelong ID

Page 3: Sample Issues in Web Browsing

World Wide Wait! (bandwidth)
What's the good stuff? Research reports; books, software, ...
What's the bad stuff? Pirated entertainment, pornography, ...
Controlled access via a caching proxy: Squid (the best).
User management nightmare:
  - A recent suicide threat!
  - Adding/deleting users
  - Locking passwords (why?)
  - Need for static IP mappings

Page 4: Static IP Mappings

You live in Hostel 6, Room 322.
Allotted IPs: 10.6.3.22, 10.6.13.22, 10.6.23.22, ...
What's your netmask? (255.255.0.0)
Who's your gateway? (10.6.250.1)
64K IPs available per hostel (400 students).
Why fix a static IP-MAC binding?
  - Viruses (bombarding proxy, mail servers etc.)
  - Who downloaded the mp3/porn?
  - Accountability (CCTeam is not too popular!)
  - Chess funda (the threat is stronger than the execution!)
But how to do the mapping?
  - New computer.
  - Change of Ethernet card.
  - CCTeam should not be the bottleneck!
  - Centralize data/knowledge, not work!
  - Delegate authority (LDAP to the rescue).

Page 5: User Accounts and Central Storage

Public Access Terminals (spread out including Hostels, Depts)

How to create/delete logins?

Forgotten Passwords!

Home Directories

Access Restrictions (Timings)

PAM (Pluggable Authentication Modules)

NIS and its disadvantages

Kerberos (complex solution)

Can LDAP help?

Page 6: What can LDAP do?

Create and manage user info centrally.
Allow access control in applications.
Allow a policy-based framework.
Allow restricted delegation of authority.
Caution: LDAP is only a tool. You still need a good design/implementation.

Page 7: LDAP at IIT Bombay

Page 8: What is LDAP

http://www.openldap.org
Lightweight Directory Access Protocol
Based on X.500
Directory service (RFC 1777)
Stores attribute-based data
Data is generally read more than written to: no transactions, no rollback
Hierarchical data structure: entries are in a tree-like structure called the Directory Information Tree (DIT)
[email protected] ID (lifelong), created on the day of entry into IIT.
Catch your alumni early!

Page 9: LDAP Architecture

Page 10: LDAP Hierarchy

Page 11: LDAP Schema

Set of rules that describes what kind of data is stored.
Helps maintain consistency and quality of data.
Reduces duplication of data.
The objectClass attribute determines the schema rules the entry must follow.
Schema contains the following:
  - Required attributes
  - Allowed attributes
  - How to compare attributes
  - Limits on what the attributes can store (i.e., restrict to integer, etc.)
  - Restrictions on what information is stored (i.e., stops duplication, etc.)

Page 12: Person Schema

Page 13: Some Jargon

Attribute abbreviations (see RFC 2256):

uid (User id)

cn (Common Name)

sn (Surname)

ou (Organisational Unit)

dc (Domain Component)

st (State)

c (Country)

dc=iitb,dc=ac,dc=in

Page 14: IIT LDAP Structure

Page 15: A Typical User Entry

Page 16: Simple Mail Alias

Page 17: Mailing List

Page 18: Replication

Increases:
  - Reliability: the directory survives one copy being down
  - Availability: more likely to find an available server
  - Performance: can use a server closer to you
  - Speed: can take more queries as replicas are added
Having replicas close to clients is important: the network going down is the same as the server going down.
Removes the single point of failure.

Page 19: Replication Architecture

replogfile /var/lib/ldap/openldap-master-replog
replica host=ldap1.iitb.ac.in:389
        binddn="cn=Replicator,dc=iitb,dc=ac,dc=in"
        bindmethod=simple credentials=somepass
        tls=no
replica host=ldap2.iitb.ac.in:389
        binddn="cn=Replicator,dc=iitb,dc=ac,dc=in"
        bindmethod=simple credentials=somepass
        tls=no
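The replica directives above bind to each slave with bindmethod=simple and tls=no, which means the replicator password and every replicated change travel unencrypted between the master and ldap1/ldap2. The following Python is an added example, not code from the talk or from OpenLDAP: a small lint that parses slapd.conf replica directives (handling the whitespace-continued lines the slide uses) and flags any replica whose simple bind is not protected by TLS. The slide's own lines are embedded as the input; the hardened variant, which merely switches tls=no to tls=critical, is an assumed fix, and accepting a starttls= spelling of the same option (the later slurpd syntax, as I recall it) is likewise an assumption of this example.

```python
import shlex

# The replica directives from the slide, in slapd.conf syntax, used as the input to
# check. 'somepass' is the placeholder the slide itself shows.
SLIDE_CONFIG = """\
replogfile /var/lib/ldap/openldap-master-replog
replica host=ldap1.iitb.ac.in:389
        binddn="cn=Replicator,dc=iitb,dc=ac,dc=in"
        bindmethod=simple credentials=somepass
        tls=no
replica host=ldap2.iitb.ac.in:389
        binddn="cn=Replicator,dc=iitb,dc=ac,dc=in"
        bindmethod=simple credentials=somepass
        tls=no
"""

# Same replicas with TLS required before the bind (assumed hardening, not from the slide).
HARDENED_CONFIG = SLIDE_CONFIG.replace("tls=no", "tls=critical")


def join_continuations(text):
    """In slapd.conf a line that starts with whitespace continues the previous directive."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.rstrip())
    return lines


def parse_replicas(text):
    """Return one {option: value} dict per 'replica' directive."""
    replicas = []
    for line in join_continuations(text):
        if not line.startswith("replica "):
            continue
        opts = {}
        for token in shlex.split(line)[1:]:      # shlex strips the quotes around the binddn
            key, _, value = token.partition("=")  # split on the first '=' only: binddn has more
            opts[key] = value
        replicas.append(opts)
    return replicas


def check_replicas(text):
    """Flag replicas whose replicator password would cross the network unprotected."""
    findings = []
    for r in parse_replicas(text):
        host = r.get("host", "?")
        # 'tls' is the slide's spelling; 'starttls' is accepted as an assumed alias.
        tls = r.get("tls", r.get("starttls", "no"))
        if r.get("bindmethod") == "simple" and tls not in ("yes", "critical"):
            findings.append("%s: bindmethod=simple with tls=%s sends the replicator "
                            "password and all replicated data in the clear" % (host, tls))
    return findings


if __name__ == "__main__":
    for finding in check_replicas(SLIDE_CONFIG):
        print(finding)
    print("hardened config findings:", check_replicas(HARDENED_CONFIG))
```

Run against the slide's directives it reports both replicas; against the hardened variant it reports nothing.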

Page 20: Multi-Master Configuration

Also possible

Page 21: Managing the Directory

Centralized data (management) can become a major bottleneck!

How to avoid?

Delegate Authorities.

Use Access Control Information (ACIs).

Page 22: Authority Delegation

Page 23: ACIs

Restrict access to attributes.
Selectively open up some attributes to some users.
Applies to the tree below the point where the ACI is defined.
Static vs dynamic ACIs:
  - Static: explicitly list out people (DNs) and their authority.
  - Dynamic: say, people belonging to the Sysad group and their authority.

Page 24: ACI Example 1

Allow User herself to Modify Non-Critical Fields.

Page 25: ACI Example 2

Allow Sysads to modify only their part of Tree.
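The two ACI examples and the static/dynamic distinction from the ACIs slide are easiest to reason about with a model one can query. The Python below is an added example, not code from the talk and not OpenLDAP's ACL engine: it models ACIs as (subtree, attributes, ordered who/level rules) and evaluates them the way OpenLDAP's access directives are evaluated, first ACI covering the entry and attribute decides, first matching "who" inside it sets the level, and no match means deny. Example 1 appears as a self-write rule on non-critical attributes, Example 2 as a group (dynamic) rule scoped to one hostel subtree, and a static rule names a single DN. All DNs, the ou=Hostel6/ou=Hostel7/ou=Staff/ou=Groups layout, the group name and the choice of which attributes count as non-critical are hypothetical; the talk does not show the IITB tree below ou=People. Note the ordering trap the evaluation exposes: the account-status rule must precede the hostel rule, or the hostel sysads would be granted write on the status attribute by the broader rule.

```python
from dataclasses import dataclass
from typing import Optional

# Access levels in OpenLDAP order: a granted level implies every level before it.
LEVELS = ["none", "auth", "read", "write"]

# Hypothetical DNs for this example (the talk does not show the real tree below ou=People).
BASE = "dc=iitb,dc=ac,dc=in"
ALICE = "uid=alice,ou=Hostel6,ou=People," + BASE
BOB = "uid=bob,ou=Hostel7,ou=People," + BASE
SYSAD6 = "uid=sysad6,ou=Staff," + BASE
REGISTRAR = "uid=registrar,ou=Staff," + BASE
SYSAD6_GROUP = "cn=sysad-hostel6,ou=Groups," + BASE

# Group membership, looked up at evaluation time as a dynamic ACI would.
GROUPS = {SYSAD6_GROUP: {SYSAD6}}


def norm(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around the commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def in_subtree(entry_dn, base_dn):
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


@dataclass
class ACI:
    subtree: str            # applies to this entry and the whole tree below it
    attrs: Optional[set]    # lowercase attribute names covered; None means all attributes
    rules: list             # ordered (who, level) pairs; the first 'who' that matches wins

    def covers(self, entry_dn, attr):
        return in_subtree(entry_dn, self.subtree) and (
            self.attrs is None or attr.lower() in self.attrs)


def who_matches(who, subject_dn, entry_dn, groups):
    if who == "*":
        return True
    if who == "self":                       # the subject is accessing its own entry
        return norm(subject_dn) == norm(entry_dn)
    kind, _, dn = who.partition(":")
    if kind == "dn":                        # static ACI: one explicitly listed person
        return norm(subject_dn) == norm(dn)
    if kind == "group":                     # dynamic ACI: whoever is in the group right now
        members = next((m for g, m in groups.items() if norm(g) == norm(dn)), ())
        return norm(subject_dn) in {norm(m) for m in members}
    raise ValueError("unknown subject specifier: " + who)


def allowed(acis, groups, subject_dn, entry_dn, attr, level):
    """First ACI covering (entry, attr) decides; inside it the first matching 'who' sets
    the granted level; no match at all means deny."""
    for aci in acis:
        if not aci.covers(entry_dn, attr):
            continue
        for who, granted in aci.rules:
            if who_matches(who, subject_dn, entry_dn, groups):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False
    return False


ACIS = [
    # ACI Example 1: a user may edit only the non-critical fields of her own entry.
    ACI("ou=People," + BASE, {"telephonenumber", "description"},
        [("self", "write"), ("*", "read")]),
    # Static ACI: only the registrar's DN may change account status anywhere under People.
    # Placed before the hostel rule on purpose; see the ordering note in the lead-in.
    ACI("ou=People," + BASE, {"myaccountstatus"},
        [("dn:" + REGISTRAR, "write"), ("*", "read")]),
    # ACI Example 2 (dynamic): the hostel-6 sysad group may modify only its part of the tree.
    ACI("ou=Hostel6,ou=People," + BASE, None,
        [("group:" + SYSAD6_GROUP, "write"), ("*", "read")]),
    # Everything else is read-only for everyone.
    ACI(BASE, None, [("*", "read")]),
]


if __name__ == "__main__":
    for subject, entry, attr in [(ALICE, ALICE, "telephoneNumber"), (ALICE, ALICE, "myAccountStatus"),
                                 (SYSAD6, ALICE, "cn"), (SYSAD6, BOB, "cn"),
                                 (REGISTRAR, BOB, "myAccountStatus")]:
        print(subject, "write", attr, "on", entry, "->",
              allowed(ACIS, GROUPS, subject, entry, attr, "write"))
```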

Page 26: LDAP Enabled Applications

Page 27: Squid Configuration for LDAP

auth_param basic program /squid/libexec/squid_ldap_auth -b ou=people,dc=iitb,dc=ac,dc=in -u uid -f "(&(uid=%s)(!(myaccountstatus=locked))(!(myaccountstatus=expired)))" -P -h ldap.iitb.ac.in
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
redirect_program /squid/bin/squidGuard -c /squid/etc/squidGuard.conf
redirect_children 20
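The squid_ldap_auth line substitutes the typed username into the filter at %s. Whether that helper escapes the value is not something the slide states, and the same pattern recurs in every LDAP-enabled application, so the check a practitioner wants is that user-supplied text is escaped per RFC 4515 before it is placed in a filter. The Python below is an added example, not code from the talk or from Squid: escape_filter_value() and account_filter() build the slide's account-status filter with the uid escaped, and a small in-memory filter evaluator (and/or/not, equality and '*' wildcards only; my own, not an LDAP library) runs it over two constructed entries so the effect of escaping is visible: the escaped form of a value containing '*' matches nothing, while the same value unescaped would match every unlocked account. The attribute myaccountstatus and its 'locked' value follow the slide; the entries, the 'active' value and the DNs are constructed.

```python
import re

# Characters that RFC 4515 requires to be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text so a filter matches it literally (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_filter(uid: str) -> str:
    """The account-status filter from the squid_ldap_auth line, with the uid escaped."""
    return ("(&(uid=%s)(!(myaccountstatus=locked))(!(myaccountstatus=expired)))"
            % escape_filter_value(uid))


def _unescape(text: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _parse(s: str, i: int):
    """Parse the filter component starting at s[i] == '('; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    end = s.index(")", i)            # safe: a ')' inside a value is escaped as \29
    attr, _, raw = s[i:end].partition("=")
    # An unescaped '*' is a wildcard; an escaped '\2a' becomes a literal '*' after unescaping.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$"
    return ("=", attr.lower(), re.compile(regex, re.IGNORECASE)), end + 1


def _matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, regex = node
    return any(regex.match(v) for v in entry.get(attr, []))


def search(entries, filter_text: str):
    """Return the DNs of entries matching filter_text (equality/presence/substring only)."""
    root, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [dn for dn, attrs in entries.items() if _matches(root, attrs)]


# Constructed sample entries under the slide's base DN (not real IITB data);
# attribute names are stored lowercase, as the evaluator compares them.
ENTRIES = {
    "uid=alice,ou=People,dc=iitb,dc=ac,dc=in": {"uid": ["alice"], "myaccountstatus": ["active"]},
    "uid=bob,ou=People,dc=iitb,dc=ac,dc=in": {"uid": ["bob"], "myaccountstatus": ["locked"]},
}

if __name__ == "__main__":
    for name in ("alice", "bob", "*"):
        print(repr(name), "->", search(ENTRIES, account_filter(name)))
    print("same '*' unescaped ->", search(ENTRIES, "(&(uid=%s)(!(myaccountstatus=locked)))" % "*"))
```

The bob entry is excluded by the (!(myaccountstatus=locked)) clause exactly as the Squid helper would exclude it; the escaped '*' matches nobody, and the unescaped one matches every unlocked account, which is the case the escaping exists to prevent.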

Page 28: LDAP API

Page 29: Common API functions

Bind to a server

Add an entry to the server

Delete an entry from the server

Modify an entry’s Distinguished Name (DN)

Modify the contents of an entry

Perform a search on a directory

Unbind from a server

Page 30: Using Perl's Net::LDAP

#!/usr/bin/perl
# Bulk-add users: reads "uid:givenName:sn:mail" lines on stdin, one entry per line.
use strict;
use warnings;
use Net::LDAP;

my $ldap = Net::LDAP->new("localhost") or die "cannot connect: $@";
my $mesg = $ldap->bind("cn=Manager,dc=iitb,dc=ac,dc=in", password => "secret");
$mesg->code && die "bind failed: ", $mesg->error;

while (<>) {
    chomp;
    my ($uid, $givenName, $sn, $mail) = split(/:/, $_);
    my $cn = "$givenName $sn";
    my $dn = "uid=$uid,ou=People,dc=iitb,dc=ac,dc=in";
    # 'attrs' is the documented option name for add(); the slide wrote 'attr'.
    my $result = $ldap->add($dn,
        attrs => [ 'uid'         => $uid,
                   'cn'          => $cn,
                   'sn'          => $sn,
                   'mail'        => $mail,
                   'givenName'   => $givenName,
                   'objectclass' => [ 'person', 'inetOrgPerson' ],
                 ]);
    $result->code && warn "error adding $dn: ", $result->error;
}
$ldap->unbind;

Page 31: What can the LDAP superuser do?

Page 32: Static MAC-IP mappings

Page 33: Adding a Student

Page 34: LDAP Logs

Logs are stored in slapd.log.
Various log analysis packages are available.
Output of ldap-stats.pl:

Operation totals
------------------
Total operations              : 12326
Total connections             : 5004
Total authentication failures : 34
Total binds                   : 2928
Total unbinds                 : 4096
Total searches                : 5261
Total modifications           : 38
Total additions               : 3
Operations per connection     : 2.46

Hostname        Connections  Searches  Adds  Mods  Dels
--------        -----------  --------  ----  ----  ----
10.100.106.40           290       582     0     0     0
10.100.11.1             735      1186     3    37     0
10.100.116.111            2         2     0     0     0
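The ldap-stats.pl figures above are what a defender wants from slapd.log, and the one number on the slide that merits a follow-up is the authentication failures: per host, not only in total. The Python below is an added example, not ldap-stats.pl or any IITB script: it reads lines in OpenLDAP's "stats" loglevel format (the conn=/op= records slapd writes; the syslog prefix is omitted from the sample but would be ignored anyway), rebuilds the same totals and per-host table, and additionally lists hosts whose failed binds reach a threshold. The log lines, hosts and DNs are constructed for the example; counting bind results by tag=97 and failures by err=49 (invalidCredentials) is standard slapd log semantics.

```python
import re
from collections import Counter, defaultdict

# Constructed slapd.log records in the 'stats' loglevel format (syslog prefix omitted).
# conn=1000 is an admin session; conns 1001-1003 are three failed binds from one host;
# conn=1004 is an ordinary user session. Hosts and DNs are invented for this example.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.100.11.1:40211 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=iitb,dc=ac,dc=in" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="ou=People,dc=iitb,dc=ac,dc=in" scope=2 filter="(uid=alice)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 ADD dn="uid=carol,ou=People,dc=iitb,dc=ac,dc=in"
conn=1000 op=2 RESULT tag=105 err=0 text=
conn=1000 op=3 MOD dn="uid=carol,ou=People,dc=iitb,dc=ac,dc=in"
conn=1000 op=3 RESULT tag=103 err=0 text=
conn=1000 op=4 UNBIND
conn=1000 fd=12 closed
conn=1001 fd=13 ACCEPT from IP=10.100.106.40:51020 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=bob,ou=People,dc=iitb,dc=ac,dc=in" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1001 fd=13 closed
conn=1002 fd=13 ACCEPT from IP=10.100.106.40:51021 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="uid=bob,ou=People,dc=iitb,dc=ac,dc=in" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1003 fd=13 ACCEPT from IP=10.100.106.40:51022 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="uid=bob,ou=People,dc=iitb,dc=ac,dc=in" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1004 fd=14 ACCEPT from IP=10.100.116.111:33104 (IP=0.0.0.0:389)
conn=1004 op=0 BIND dn="uid=alice,ou=People,dc=iitb,dc=ac,dc=in" method=128
conn=1004 op=0 RESULT tag=97 err=0 text=
conn=1004 op=1 SRCH base="ou=People,dc=iitb,dc=ac,dc=in" scope=2 filter="(mail=alice@*)"
conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1004 op=2 SRCH base="ou=Groups,dc=iitb,dc=ac,dc=in" scope=1 filter="(cn=*)"
conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=12 text=
conn=1004 op=3 UNBIND
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
OP_RE = re.compile(r"op=\d+ (\w+)(.*)$")
REQUESTS = {"BIND": "binds", "UNBIND": "unbinds", "SRCH": "searches",
            "ADD": "additions", "MOD": "modifications", "DEL": "deletions"}
HOST_COLUMNS = {"SRCH": "searches", "ADD": "adds", "MOD": "mods", "DEL": "dels"}


def summarise(log_text, failure_threshold=3):
    """Totals in the style of ldap-stats.pl, a per-host table, and hosts with repeated
    bind failures. The host of an operation comes from its connection's ACCEPT line."""
    totals, per_host = Counter(), defaultdict(Counter)
    host_of, failed_binds = {}, Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.groups()
        accept = ACCEPT_RE.search(rest)
        if accept:
            host_of[conn] = accept.group(1)
            totals["connections"] += 1
            per_host[accept.group(1)]["connections"] += 1
            continue
        op = OP_RE.match(rest)
        if not op:
            continue                       # fd=... closed and similar non-operation records
        kind, tail = op.groups()
        host = host_of.get(conn, "unknown")
        if kind in REQUESTS:
            totals["operations"] += 1
            totals[REQUESTS[kind]] += 1
            if kind in HOST_COLUMNS:
                per_host[host][HOST_COLUMNS[kind]] += 1
        elif kind == "RESULT" and "tag=97 " in tail and re.search(r"\berr=49\b", tail):
            totals["authentication failures"] += 1   # BindResponse with invalidCredentials
            failed_binds[host] += 1
    if totals["connections"]:
        totals["operations per connection"] = round(totals["operations"] / totals["connections"], 2)
    suspects = sorted(h for h, n in failed_binds.items() if n >= failure_threshold)
    return {"totals": dict(totals),
            "per_host": {h: dict(c) for h, c in per_host.items()},
            "suspect_hosts": suspects}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for name, value in report["totals"].items():
        print("%-30s: %s" % ("Total " + name, value))
    for host, cols in report["per_host"].items():
        print(host, cols)
    print("hosts at or above failure threshold:", report["suspect_hosts"])
```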

Page 35: Conclusion

  - Slapd (University of Michigan), OpenLDAP
  - Netscape Directory Server
  - Microsoft Active Directory (AD)
  - Novell Directory Services (NDS)
  - Sun Directory Services (iPlanet)
  - Lucent's Internet Directory Server (IDS)
  - ...
LDAP is a very valuable tool to implement effective network management.
Starting points: ldapguru.org, openldap.org.
Single sign-on: www.pubcookie.org.
