![Page 1: LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL 03 AUGUST 2005 LINUX SYSTEM ADMINISTRATION AND SECURITY VINEET BHARDWAJ VINAY KUMAR THOTA](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d7e5503460f94a60f8e/html5/thumbnails/1.jpg)
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL
03 AUGUST 2005
LINUX SYSTEM ADMINISTRATION AND SECURITY
VINEET BHARDWAJ
VINAY KUMAR THOTA
INTRODUCTION
CONFIGURATION
INSTALLATION
SECURITY ISSUES
CONCLUSION
DIRECTORY SERVICE
LDAP
DESIGNED AT UNIVERSITY OF MICHIGAN
EXIST AT THREE LEVELS
BIG PUBLIC SERVERS
LARGE ORGANIZATIONAL SERVERS
SMALLER WORK GROUP SERVERS
INFORMATION
ARRANGEMENT
KIND
REFERENCE
ACCESS
A directory service structure for the Internet. It has many features that make it ideal for providing network information services, including encryption support, access control lists, fast read access, etc. LDAP can combine several systems that normally have to be maintained separately, such as NT authentication, UNIX authentication, MTA routing information, services/protocols/hosts information, network address books, etc.
The structure of an LDAP directory tree
LDAP directory servers store their data hierarchically.
As with DNS host names, an LDAP directory record's Distinguished Name (DN for short) is read from the individual entry, backwards through the tree, up to the top level.
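To make that reading rule concrete, here is an added Python example (not code from the original slides) that splits a DN into its RDNs, walks it back to the root, and checks whether an entry lies under a suffix. The entry names are constructed; the case-insensitive comparison is an assumption that holds for dc=, ou= and cn= values.

```python
"""Added example, not from the original slides: reading a Distinguished Name
the way slide 5 describes, entry first and tree root last.  DN values below
are constructed."""


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings.  A backslash escapes the next
    character, so 'cn=Doe\\, Jane' stays one RDN (RFC 4514 escaping)."""
    rdns, current, escaping = [], [], False
    for ch in dn:
        if escaping:
            current.append(ch)
            escaping = False
        elif ch == "\\":
            current.append(ch)
            escaping = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize(dn: str) -> list[tuple[str, str]]:
    """(attribute, value) pairs, lower-cased for comparison.  Case-insensitive
    matching is correct for dc=, ou= and cn= values; treat it as an assumption
    for attributes with other matching rules."""
    pairs = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def path_to_root(dn: str) -> list[str]:
    """The DN read 'backwards through the tree': the entry, its parent, ...,
    the top-level component."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def parent_dn(dn: str) -> str:
    """One step up: drop the leftmost, most specific RDN."""
    return ",".join(split_dn(dn)[1:])


def is_under(dn: str, suffix: str) -> bool:
    """True if dn lies inside the naming context `suffix` (or is the suffix
    itself).  slapd uses the same idea to decide which database serves an
    entry, and it is the check to run on a bind DN before trusting it."""
    d, s = normalize(dn), normalize(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


if __name__ == "__main__":
    entry = "cn=Jane Doe,ou=People,dc=mydomain,dc=com"   # constructed
    for level in path_to_root(entry):
        print(level)
    print(is_under(entry, "dc=mydomain, dc=com"))
```

The suffix check is the one worth keeping in mind for later slides: a server with `suffix "dc=mydomain, dc=com"` should only be asked to authenticate DNs that `is_under` that suffix.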
Prerequisite Software Versions
THE ORGANIZATION
ORGANIZATIONAL UNIT
PERSON
COUNTRY
STATE
A DIRECTORY TREE STRUCTURE
HOW DOES LDAP WORK?
CLIENT SERVER MODEL
TCP/IP OR ANY OTHER CONNECTION ORIENTED
X.500, THE OSI DIRECTORY SERVICE
ABOUT Slapd AND Slurpd
Slapd
Supports strong authentication and data security (SASL)
Transport layer security
Topology control – TCP Wrappers
Access Control
Choice of database back ends
Threads
Replication
Single Configuration file
Slurpd
Replicated service
Failed requests
Installing the LDAP Server
Five steps are necessary to install the server:
• Install the pre-required packages (if not already installed).
• Download the server.
• Unpack the software.
• Configure the Makefiles.
• Build the server.
Downloading the package
• There are two freely distributed LDAP servers: the University of Michigan LDAP server and the OpenLDAP server.
• The latest tar-gzipped version of OpenLDAP is available at the following address:
http://www.openldap.org
• If you want to get the latest version of the University of Michigan server, go to this address:
ftp://terminator.rs.itd.umich.edu/ldap
Installation contd.
Unpacking the software
• First copy the package to a desirable directory, for example /usr/local. Next use the following command:
tar xvzf openldap-2.2.5.tgz
• Alternatively, you can use this command (gunzip needs -c so that it writes to the pipe instead of replacing the file in place):
gunzip -c openldap-2.2.5.tgz | tar xvf -
Installation contd.
Configuring the software
• Type the following command in the directory where you unpacked the software:
./configure --help
This will print all options that you can customize with the configure script before you build the software.
• Normally, if you run configure without options, it will auto-detect the appropriate settings and prepare to build things in the default common location. So just type:
./configure
Installation contd.
Building the server
• After configuring the software you can start building it. First build the dependencies, using the command:
make depend
• Build the server after that, using the command:
make
• To ensure a correct build, you should run the test suite:
make test
• Now install the binaries and man pages. You may need to be superuser to do this (depending on where you are installing things):
su root -c 'make install'
Installation contd.
Configuration
• All slapd (LDAP directory server) runtime configuration is accomplished through the slapd.conf file, installed in the prefix directory one specifies in the configure script, or by default in /usr/local/etc/openldap.
• First create an /etc/openldap/slapd.conf file. You need to change the following lines:
suffix "dc=mydomain, dc=com"
rootdn "cn=admin, dc=mydomain, dc=com"
rootpw {crypt}abjnggxhB/yWI
Configuration contd.
• The suffix is your "LDAP basename". Common practice is to use your DNS domain name as your LDAP basename.
• The rootdn is the administrator's name, and rootpw is the administrator's password.
• You also need to change /etc/ldap.conf and /etc/openldap/ldap.conf to set the name of your LDAP server and your basename.
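The slides store rootpw as a {crypt} value. The added Python example below (not code from the slides or from the OpenLDAP project) generates and verifies the salted {SSHA} form that OpenLDAP's slappasswd emits by default, and renders the suffix/rootdn/rootpw stanza around it together with the security and access directives a practitioner would add. The domain, administrator name and password are constructed.

```python
"""Added example, not from the original slides: the {SSHA} password scheme
that OpenLDAP's slappasswd emits by default, as a replacement for the
{crypt} value on slide 15, plus the slapd.conf stanza that uses it.  The
domain, admin name and password are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 {SSHA}: base64( SHA-1(password || salt) || salt ).
    A fresh random salt per hash defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute with the salt carried in the stored value; constant-time
    comparison so a wrong guess cannot be timed against a right one."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def slapd_conf_stanza(suffix: str, admin_cn: str, admin_password: str) -> str:
    """Render the database stanza from slides 15-16 with a hashed rootpw.
    Directive names are standard slapd.conf directives; the security and
    access lines are the hardening a practitioner would add."""
    rootdn = f"cn={admin_cn},{suffix}"
    lines = [
        f'suffix "{suffix}"',
        f'rootdn "{rootdn}"',
        f"rootpw {ssha_hash(admin_password)}",
        # refuse operations unless the connection has an SSF of at least 128
        # (in practice: TLS with a strong cipher)
        "security ssf=128",
        # nobody reads password hashes; users may change their own,
        # anonymous may only use them to bind
        "access to attrs=userPassword",
        "    by self write",
        "    by anonymous auth",
        "    by * none",
        "access to *",
        "    by * read",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(slapd_conf_stanza("dc=mydomain,dc=com", "admin", "change-me"))
```

Even hashed, the rootpw line is a credential: keep slapd.conf readable only by root and the slapd user. Newer OpenLDAP releases also offer stronger schemes such as {SSHA512} and {ARGON2} through loadable password modules.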
Configuration contd.
Populating your server
The easiest way to populate your LDAP server is to use the tools from PADL Software, which provides a free set of Perl scripts that migrate existing flat files. They are available from www.padl.com/tools.html
Configuration contd.
Setting up a LDAP client
• Edit the LDAP config files (/etc/ldap.conf and /etc/openldap/ldap.conf) to specify the server and your site's basename.
• You can verify that you are connecting to the LDAP server correctly by running ldapsearch -x, which dumps the entire database.
• Finally, change the appropriate lines in /etc/nsswitch.conf to use the LDAP server as a data source.
USING LDAP
CONNECTING LDAP SERVER
A NORMAL LDAP CONNECTION USES PORT 389
AUTHENTICATION METHODS
DATA INTEGRITY AND CONFIDENTIALITY PROTECTION
NETWORK SECURITY
LDAPS
DATA INTEGRITY AND CONFIDENTIALITY PROTECTION
LDAPv3 AND TLS
NETWORK SECURITY
SELECTIVE LISTENING
IP FIREWALL
AUTHENTICATION METHODS: SIMPLE AND SASL
TCP WRAPPERS
LDAPS
VERIFICATION
X.509 CERTIFICATES
ALGORITHMS IN OPENSSL
LDAPv3 AND TLS
RFC 2246 DESCRIBES TLS
CLEANED UP AND STANDARDIZED VERSION OF SSL
SWITCHING
DATA INTEGRITY AND CONFIDENTIALITY PROTECTION
SECURITY STRENGTH FACTORS (SSF)
AUTHENTICATION METHODS
SIMPLE
ANONYMOUS
UNAUTHENTICATED AND
USER/PASSWORD AUTHENTICATED
SASL
AN AUTHENTICATION FRAMEWORK
SNIFFING
MECHANISMS LIKE CRAM-MD5 AND EXTERNAL
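The added Python example below (not code from the slides or from OpenLDAP) models the server side of the three simple-bind cases on slide 23 and of the SASL CRAM-MD5 mechanism on slide 24, and ties both to the SSF idea from slide 22: the server refuses a password over a connection whose SSF is too low, refuses the unauthenticated (DN but empty password) case outright, and accepts a CRAM-MD5 response only once per challenge. The account store, hostname and SSF threshold are constructed; the challenge, user name and password in the test are the worked example from RFC 2195.

```python
"""Added example, not from the original slides: simple-bind handling and the
CRAM-MD5 challenge/response from RFC 2195, as a server would check them.
Accounts, hostname and the SSF policy threshold are constructed."""
import hashlib
import hmac
import secrets
import time

# Constructed account store.  CRAM-MD5 obliges the server to keep a secret it
# can re-derive the HMAC from, i.e. effectively the plaintext password, which
# is the mechanism's main weakness at rest.
ACCOUNTS = {"tim": "tanstaaftanstaaf"}

# Policy assumption: a cleartext password is only accepted inside a
# connection whose security strength factor is at least this (TLS in practice).
MIN_SSF_FOR_PASSWORD = 128


def classify_simple_bind(dn: str, password: str) -> str:
    """The three simple-bind cases from slide 23 (terminology of RFC 4513)."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    return "user/password"


def simple_bind_decision(dn: str, password: str, ssf: int) -> str:
    """What a hardened server should do with a simple bind.
    ssf is the security strength factor of the connection (0 = cleartext)."""
    kind = classify_simple_bind(dn, password)
    if kind == "anonymous":
        return "accept-anonymous"            # ACLs decide what anonymous may read
    if kind == "unauthenticated":
        return "reject-unauthenticated"      # never let an empty password look like success
    if ssf < MIN_SSF_FOR_PASSWORD:
        return "reject-confidentiality-required"   # password would cross the wire in clear
    return "check-password"


class CramMd5Server:
    """Server half of the RFC 2195 exchange.  Only the user name and an
    HMAC-MD5 digest cross the wire, so a sniffer never sees the password;
    each challenge is single-use so a captured response cannot be replayed."""

    def __init__(self, hostname: str, accounts: dict):
        self.hostname = hostname
        self.accounts = accounts
        self.outstanding = set()

    def challenge(self, fixed: str = "") -> str:
        """Step 1: issue a unique challenge in msg-id form (a fixed value may
        be supplied for testing)."""
        chal = fixed or f"<{secrets.token_hex(8)}.{int(time.time())}@{self.hostname}>"
        self.outstanding.add(chal)
        return chal

    def verify(self, challenge: str, response: str) -> bool:
        """Step 3: recompute from the stored secret and compare in constant time."""
        if challenge not in self.outstanding:    # unknown or already-used challenge
            return False
        self.outstanding.discard(challenge)
        user, _, digest = response.partition(" ")
        secret = self.accounts.get(user)
        if secret is None or not digest:
            return False
        expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)


def cram_md5_client(username: str, password: str, challenge: str) -> str:
    """Step 2: 'username hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


if __name__ == "__main__":
    server = CramMd5Server("postoffice.reston.mci.net", ACCOUNTS)
    chal = server.challenge()
    resp = cram_md5_client("tim", "tanstaaftanstaaf", chal)
    print(resp, server.verify(chal, resp))
    print(simple_bind_decision("cn=admin,dc=mydomain,dc=com", "", 0))
```

CRAM-MD5 keeps the password off the wire, but it offers no integrity or confidentiality for what follows the bind and depends on MD5; the same SSF rule that gates simple binds should still require TLS for the session itself.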
LDAP has broader applications, such as looking up services and devices on the Internet (and intranets). Netscape Communicator can store user preferences and bookmarks on an LDAP server. There is even a plan for linking all LDAP servers into a worldwide hierarchy, all searchable from your client.
LDAP promises to save users and administrators time and frustration, making it easy for everyone to connect with people without frustrating searches for email addresses and other trivia.
Most LDAP servers are simple to install, easily maintained, and easily optimized
The LDAP protocol is both cross-platform and standards-based
LDAP is particularly useful for storing information that you wish to read from many locations, but update infrequently
If the answer to each of the following questions is Yes, then storing your data in LDAP is a good idea.
Would you like your data to be available cross-platform?
Do you need to access this data from a number of computers or applications?
Do the individual records you're storing change a few times a day or less, on average?
Does it make sense to store this type of data in a flat database instead of a relational database? That is, could you effectively store all the data for a given item in a single record?