main ldap training day2

LDAP / OpenLDAP. By: Ashish Khurana, Extn. 2173, Short id - [email protected]

Upload: rayapudi-lakshmaiah

Post on 03-Jun-2018



Page 1: Main Ldap Training Day2

8/11/2019 Main Ldap Training Day2

http://slidepdf.com/reader/full/main-ldap-training-day2 1/39

LDAP / OpenLDAP

By: Ashish Khurana

Extn. 2173, Short id - [email protected]

Page 2: Main Ldap Training Day2


LDAP Schedule

1. Introduction to LDAP - Day 1
2. LDAP concepts - Day 1
3. OpenLDAP - Day 2
4. LDAP Replication - Day 2
5. LDAP Authentication - Day 3
6. LDAP with sendmail - Day 3
Query - Day 3

Page 3: Main Ldap Training Day2


Ldap Schemas

• A schema is a set of rules that determines what data can be stored in a database or directory service.
• Helps maintain consistency and quality of data.
• Reduces duplication of data.
• The objectClass attribute determines the schema rules the entry must follow.
• A schema contains the following:
– Required attributes
– Allowed attributes
– How to compare attributes
– Limits on what the attributes can store (i.e., restrict to integer, etc.)
– Restrictions on what information is stored (i.e., stops duplication, etc.)

Page 4: Main Ldap Training Day2


Ldap Schemas

• Schemas can also be used to impose constraints on the size, range, and format of data values stored in the directory. For example, an Internet email address: abc@xyz.com
• Directory entries contain a collection of attribute types and values. Attribute types (or simply attributes) hold specific data elements such as a name, business phone number, or printer's rated speed in pages per minute.

Page 5: Main Ldap Training Day2


Ldap Schemas – Attribute types include the following

– A name that uniquely identifies the attribute type
– An object identifier (OID) that also uniquely identifies the attribute
– A textual description
– An associated attribute syntax
– A set of matching rules that govern comparisons and searches
– A usage indicator (whether for applications or for operation of the directory service itself)
– An indication of whether the attribute is multivalued or single-valued
– An indication of whether the attribute can be modified by regular applications
– Restrictions on the range or size of the values that may be stored in the attribute

Page 6: Main Ldap Training Day2


Ldap Schemas

• Attribute names are usually fairly short and somewhat cryptic. Attribute names have the following properties:
– They are not case sensitive; for example, cn and CN both refer to the same attribute.
– Characters used within them are limited to ASCII letters, digits, and the hyphen character; and they must begin with a letter.
– They must be unique across the entire directory service because LDAP applications generally refer to attributes using their names.
– way, faxPhone2, and pagesPerMinute. Some examples of invalid attribute names are last#, 2for2, my.boss, and favorite_drink.

Page 7: Main Ldap Training Day2


Ldap Schemas

• An attribute's OID is a unique numerical identifier usually written as a sequence of integers separated by dots. For example, the OID for the postalAddress attribute is 2.5.4.16.
• Operational attributes are used by the directory service itself for administrative or system-related purposes and are usually maintained by the directory servers themselves.
• Examples of operational attributes:
– modifyTimeStamp - Date/time an entry was last modified.
– modifiersName - Distinguished name (DN) of the entry that made the last modification.

Page 8: Main Ldap Training Day2


Ldap Objectclass

• Object classes are used to group related information.
• Typically, an object class models a real-world object such as a person, printer, or network device.
• Each directory entry belongs to one or more object classes. The names of the object classes to which an entry belongs are always listed as values for a special multivalued attribute called objectclass.
• The set of object classes associated with an entry serves the following needs:
– It determines which attribute types must be included in the entry.
– It determines which attribute types may be included in the entry.
– It provides a convenient way for directory clients to retrieve a subset of entries during search operations.

Page 9: Main Ldap Training Day2


Ldap Objectclass

• The definition of an LDAP object class includes all the following pieces of information:
– A name that uniquely identifies the class.
– A textual description.
– An OID that also uniquely identifies the class.
– A set of mandatory attribute types.
– A set of allowed attribute types.
– A kind (structural, auxiliary, or abstract).
• Structural – used to place restrictions on where information is stored in the DIT.
• Auxiliary – used to add a set of related attributes to an entry that already belongs to a structural class. Example: mailRecipient.
• Abstract – used only for classes needed to support the LDAP basic information model. Examples: top and alias.

Page 10: Main Ldap Training Day2


Ldap Object Class Inheritance

• One object class can be derived from another, in which case it inherits some characteristics of the other class. This is sometimes called subclassing, or object class inheritance. The figure below shows an example.

Page 11: Main Ldap Training Day2


Ldap ObjectClass

• Therefore, inetOrgPerson entries require all the attributes required of organizationalPerson entries (and therefore of person entries as well). Similarly, inetOrgPerson entries are allowed to include any of the optional attributes from the superior classes.
• In general, the class from which another class inherits some of its characteristics is called the superior class, or superclass (that is, organizationalPerson is the superior class of inetOrgPerson). When one class is derived from another, it inherits the set of required attribute types, the set of optional attribute types, and the kind of object class from its superior.

Page 12: Main Ldap Training Day2


Ldap Object class inheritance

• All structural object classes are ultimately derived from one special abstract object class called top. The definition of the top class consists of a single mandatory attribute called objectclass, which ensures that all LDAP entries contain at least one value for objectclass.

Page 13: Main Ldap Training Day2


Ldap Attribute

• Attributes are used to hold values. Like variables in programs, they perform a similar task – they store information.
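To make the MUST/MAY, kind and inheritance rules from the schema and object class slides concrete, here is an added example (not code from the slides or from OpenLDAP): a toy checker that validates an entry against abbreviated class definitions. The class attribute lists are shortened, the mailRecipient MAY list and the sample entries are constructed.

```python
"""Toy schema checker modelling the rules on these slides: object class kinds and
inheritance (inetOrgPerson -> organizationalPerson -> person -> top), MUST/MAY sets
accumulated from superior classes, case-insensitive attribute names, and the
attribute-name syntax rule (ASCII letter first, then letters, digits, hyphens).
The class definitions below are abbreviated, not the full standard ones."""
import re

# class -> (kind, superior, MUST, MAY); mailRecipient's MAY list is a made-up stand-in
SCHEMA = {
    "top": ("abstract", None, {"objectClass"}, set()),
    "person": ("structural", "top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("structural", "person", set(),
                             {"title", "ou", "postalAddress", "facsimileTelephoneNumber"}),
    "inetOrgPerson": ("structural", "organizationalPerson", set(),
                      {"mail", "uid", "givenName", "employeeNumber"}),
    "mailRecipient": ("auxiliary", "top", set(), {"mailAlternateAddress"}),
}
ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def valid_attribute_name(name):
    """cn, faxPhone2, pagesPerMinute pass; last#, 2for2, my.boss, favorite_drink fail."""
    return bool(ATTR_NAME_RE.match(name))

def effective_sets(object_classes):
    """Walk each class and its superiors, collecting lower-cased MUST/MAY names and kinds."""
    must, may, kinds = set(), set(), []
    for oc in object_classes:
        name = oc
        while name is not None:
            if name not in SCHEMA:
                raise ValueError(f"unknown objectClass: {oc}")
            kind, superior, m, o = SCHEMA[name]
            if name == oc:
                kinds.append(kind)
            must |= {a.lower() for a in m}
            may |= {a.lower() for a in o}
            name = superior
    return must, may, kinds

def check_entry(entry):
    """Return schema violations for an entry given as {attributeName: [values]}."""
    attrs = {k.lower(): v for k, v in entry.items()}
    problems = [f"invalid attribute name: {k}" for k in entry if not valid_attribute_name(k)]
    ocs = attrs.get("objectclass", [])
    if not ocs:
        return problems + ["entry has no objectClass values"]
    must, may, kinds = effective_sets(ocs)
    if "structural" not in kinds:
        problems.append("entry has no structural objectClass")
    problems += [f"missing required attribute: {a}" for a in sorted(must - set(attrs))]
    problems += [f"attribute not allowed by objectClasses: {a}" for a in sorted(set(attrs) - must - may)]
    return problems

# Constructed sample entries
GOOD = {"objectClass": ["inetOrgPerson", "mailRecipient"], "CN": ["Ashish Khurana"],
        "sn": ["Khurana"], "mail": ["ashish@example.com"], "mailAlternateAddress": ["ak@example.com"]}
BAD = {"objectClass": ["mailRecipient"], "cn": ["x"], "favorite_drink": ["tea"]}

if __name__ == "__main__":
    print(check_entry(GOOD))  # []
    print(check_entry(BAD))
```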

Page 14: Main Ldap Training Day2


OpenLDAP – Obtaining OpenLDAP

• Many Linux vendors include precompiled versions of OpenLDAP with their distributions.
• The latest version of OpenLDAP can be obtained from http://www.OpenLDAP.org/software/download/. The OpenLDAP 2 branch is an LDAPv3-compliant implementation.

Day-1

Page 15: Main Ldap Training Day2


OpenLdap

S/w required before installation of LDAP

• Our OpenLDAP server will require several external software packages:
• Support for POSIX threads, either by the operating system or an external library.
• SSL/TLS libraries (such as the OpenSSL package, which is available from http://www.openssl.org/).
• A database manager library that supports DBM type storage facilities. The current library of choice is the Berkeley DB 4.1 package from Sleepycat Software (http://www.sleepycat.com/).
• Release 2.1 of the SASL libraries from Carnegie Mellon University (http://asg.web.cmu.edu/sasl/sasl-library.html).

Page 16: Main Ldap Training Day2


Openldap – Installed components included with OpenLDAP

• libexec/slapd – The LDAP server.
• libexec/slurpd – The LDAP replication helper.
• bin/ldapadd, bin/ldapmodify, bin/ldapdelete, bin/ldapmodrdn – Command-line tools for adding, modifying, and deleting entries on an LDAP server. These commands support both LDAPv2 and LDAPv3.
• bin/ldapsearch, bin/ldapcompare – Command-line utilities for searching an LDAP directory or testing a compare operation on a specific attribute held by an entry.

Page 17: Main Ldap Training Day2


Openldap – Installed components included with OpenLDAP Cont…

• bin/ldappasswd – A tool for changing the password attribute in LDAP entries. This tool is the LDAP equivalent of /bin/passwd.
• sbin/slapadd, sbin/slapcat, sbin/slapindex – Tools for manipulating the local backend data store used by the slapd daemon.
• sbin/slappasswd – A simple utility to generate password hashes suitable for use in slapd.conf.
• lib/libldap*, lib/liblber*, include/ldap*.h, include/lber*.h – The OpenLDAP client SDK.

Page 18: Main Ldap Training Day2


OpenLdap Installation

• rpm -ivh packagename.rpm
• [root@thor root]# rpm -qa | grep openldap
openldap-devel-2.0.23-4
openldap-2.0.23-4
openldap-servers-2.0.23-4
openldap-clients-2.0.23-4
[root@thor root]#

Page 19: Main Ldap Training Day2


OpenLdap

Configuration - slapd.conf

• The slapd.conf file is the central source of configuration information for the OpenLDAP standalone server (slapd), the replication helper daemon (slurpd), and related tools, such as slapcat and slapadd.
• In the tradition of Unix configuration files, slapd.conf is an ASCII file with the following rules:
– Blank lines and lines beginning with a pound sign (#) are ignored.
– Parameters and associated values are separated by whitespace characters (space or tab).
– A line with a blank space in the first column is considered to be a continuation of the previous one. There is no need for a line continuation character such as a backslash (\).

Page 20: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• Perl scripts designed to convert the various /etc system files (e.g., /etc/passwd and /etc/hosts) into LDIF format.
• Once you've converted the system files to LDIF, you can import them into your LDAP store either online using the ldapadd(1) command or by using an offline database creation utility such as the OpenLDAP slapadd(8c) tool.
• These LDAP migration scripts can be found at http://www.padl.com/OSS/MigrationTools.html.
• After unpacking the migration scripts, you must customize the migrate_common.ph script to fit your network settings. Within this Perl script is a variable named $DEFAULT_BASE, which is used to define the base suffix under which the organizational units that will serve as containers for migrated information will be created.

Page 21: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• The scripts accept input and output filenames as command-line parameters. If no output filename is present, the scripts write the converted entries to standard output. For example, the following command converts /etc/passwd into an LDIF file:
• root# migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
• The various migration scripts support translating –

Page 22: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• /etc/fstab (stored in ou=Mounts)
• /etc/hosts (stored in ou=Hosts)
• /etc/passwd and /etc/shadow (stored in ou=People)
• /etc/group (stored in ou=Group)
• /etc/protocols (stored in ou=Protocols)
• /etc/rpc (stored in ou=Rpc)
• /etc/services (stored in ou=Services)
• /etc/networks (stored in ou=Networks)
• netgroups (stored in ou=Netgroups)

Page 23: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• Since we are primarily dealing with users and groups in this chapter, the following entries have already been added to the directory:

dn: ou=people,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: people

dn: ou=group,dc=plainjoe,dc=org
objectclass: organizationalUnit
ou: group
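What the migrate_passwd.pl step above produces, shown as an added example that is a simplified re-implementation and not PADL's script: /etc/passwd lines become LDIF posixAccount entries under ou=People,$DEFAULT_BASE. The sample passwd text is constructed, shadow fields are not merged, and the system-account cut-off is this example's own choice.

```python
"""Simplified re-implementation of what migrate_passwd.pl produces: LDIF
posixAccount entries under ou=People,<DEFAULT_BASE> built from /etc/passwd
lines. Added example, not PADL's script; shadow fields are not merged here and
the system-account cut-off is this example's own choice."""
import base64

DEFAULT_BASE = "dc=plainjoe,dc=org"   # plays the role of $DEFAULT_BASE in migrate_common.ph
PEOPLE_OU = "ou=People," + DEFAULT_BASE

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when the value is not an LDIF safe string
    (non-ASCII, contains NUL/CR/LF, or begins with space, ':' or '<')."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def passwd_to_ldif(passwd_text, base=PEOPLE_OU, min_uid=500):
    """Convert passwd lines to LDIF entries; accounts with uid < min_uid are skipped."""
    entries = []
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        user, pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        pairs = [("dn", f"uid={user},{base}"), ("uid", user),
                 ("cn", gecos.split(",")[0] or user),
                 ("objectClass", "account"), ("objectClass", "posixAccount"), ("objectClass", "top"),
                 ("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
                 ("homeDirectory", home)]
        if gecos:
            pairs.append(("gecos", gecos))
        if pw not in ("", "x", "*"):   # 'x' means the hash lives in /etc/shadow
            pairs.append(("userPassword", "{crypt}" + pw))
        entries.append("\n".join(ldif_line(a, v) for a, v in pairs))
    return "\n\n".join(entries) + "\n"

# Constructed sample input, not a real system file; the hash is a placeholder string
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ashish:x:1001:1001:Ashish Khurana,Extn 2173:/home/ashish:/bin/bash
jsmith:$1$placeholder$notarealhash:1002:100:Jane Smith:/home/jsmith:/bin/sh
"""

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD))
```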

Page 24: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• The Name Service Switch (NSS) is similar to PAM except that it only provides a mechanism for information retrieval. PADL Software's nss_ldap module can be obtained from http://www.padl.com/OSS/nss_ldap.html. The current implementation can be used on AIX, HP-UX, Linux, and Solaris.
• The nss_ldap module uses the same /etc/ldap.conf configuration file as PADL's pam_ldap module. The configuration parameters for this module are summarized in Table 6-3. While both pam_ldap and nss_ldap read /etc/ldap.conf for configuration settings, the parameters prefixed by pam_ do not affect the behavior of nss_ldap.

Page 25: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• To configure a service to use the nss_ldap module, add the keyword ldap to the appropriate lines in your /etc/nsswitch.conf file. PADL's NSS module currently supports the following databases:
• passwd
• group
• hosts
• services
• networks
• protocols
• rpc
• ethers
• netgroups

Page 26: Main Ldap Training Day2


Introduction to LDAP – Migration Tools

• Here's an excerpt from an nsswitch.conf file. It specifies that the system should consult the local password, shadow password, and group files before querying the directory server.

## Define the order of lookups for users and groups.
passwd: files ldap
shadow: files ldap
group: files ldap

Page 27: Main Ldap Training Day2


LDAP & Sendmail Access

• LDAP SMTP Access Control
• One example of the use of "arbitrary" LDAP connectivity to enhance the functionality of sendmail is to replace the access file traditionally used to reject, deny, or allow various domain names from using an SMTP server.
• By replacing ...

Page 28: Main Ldap Training Day2


Ldap and Sendmail Access

• Kaccess hash /etc/mail/access
• in /etc/sendmail.cf with ...
• Kaccess ldap -1 -v morrisonmailaccesslevel -k (&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))
• sendmail can be configured to look into the DIT for domains and hosts that are to be granted the various levels of access.
• NOTE: The above configuration file entry resides entirely on one line in the actual /etc/sendmail.cf file.

Page 29: Main Ldap Training Day2


Ldap and Sendmail Access – Relay

Example LDAP objects used to replace the traditional sendmail access file.

• cn=Allow SMTP Relay,ou=AccessControl,ou=Electronic Mail,o=MorrisonIndustries,c=US
objectClass=morrisonmailaccess
morrisonmailaccesslevel=RELAY
cn=Allow SMTP Relay
morrisonmailaccesscriteria=mie
morrisonmailaccesscriteria=barracuda
morrisonmailaccesscriteria=littleboy
morrisonmailaccesscriteria=firewall
morrisonmailaccesscriteria=mail.morrison.iserv.net
morrisonmailaccesscriteria=localhost
morrisonmailaccesscriteria=localhost.localdomain
morrisonmailaccesscriteria=127.0.0.1

Page 30: Main Ldap Training Day2


Ldap and Sendmail Access - Reject

• cn=Reject SMTP,ou=AccessControl,ou=Electronic Mail,o=MorrisonIndustries,c=US
objectClass=morrisonmailaccess
morrisonmailaccesslevel=REJECT
cn=Reject SMTP
morrisonmailaccesscriteria=smartbrief.rsvp0.net

Page 31: Main Ldap Training Day2


Ldap and Sendmail Access – Discard

• cn=Discard SMTP,ou=AccessControl,ou=Electronic Mail,o=MorrisonIndustries,c=US
objectClass=morrisonmailaccess
morrisonmailaccesslevel=DISCARD
cn=Discard SMTP
morrisonmailaccesscriteria=pink4free.com
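The lookup that the Kaccess ldap map definition above performs, as an added example that is neither sendmail's nor OpenLDAP's code: the key replaces %0 in the filter, the filter is evaluated over in-memory copies of the three RELAY/REJECT/DISCARD entries, and the -v attribute is returned. The RFC 4515 escaping of the key and the rejection of ambiguous multi-entry matches are this example's own choices; the in-memory entries keep only the attributes shown on the slides.

```python
"""Emulates the lookup behind the slides' map definition
  Kaccess ldap -1 -v morrisonmailaccesslevel -k (&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))
Added example, not sendmail or OpenLDAP code: the lookup key replaces %0 (after
RFC 4515 escaping, so a key cannot change the filter's shape), the filter is
evaluated over in-memory copies of the three entries shown, and the -v attribute
is returned. The entries keep only the attributes shown on the slides."""
import re

ENTRIES = [
    {"objectclass": ["morrisonmailaccess"], "morrisonmailaccesslevel": ["RELAY"],
     "cn": ["Allow SMTP Relay"],
     "morrisonmailaccesscriteria": ["mie", "barracuda", "littleboy", "firewall",
                                    "mail.morrison.iserv.net", "localhost",
                                    "localhost.localdomain", "127.0.0.1"]},
    {"objectclass": ["morrisonmailaccess"], "morrisonmailaccesslevel": ["REJECT"],
     "cn": ["Reject SMTP"], "morrisonmailaccesscriteria": ["smartbrief.rsvp0.net"]},
    {"objectclass": ["morrisonmailaccess"], "morrisonmailaccesslevel": ["DISCARD"],
     "cn": ["Discard SMTP"], "morrisonmailaccesscriteria": ["pink4free.com"]},
]
FILTER = "(&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))"

def escape_filter_value(value):
    """RFC 4515: escape \\ * ( ) and NUL as \\XX so they are matched literally."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    def parse(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if s[i] in "&|!":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1   # step over the closing ')'
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        return ("=", attr.lower(), unescape(value)), end + 1
    node, i = parse(0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against an entry ({lower-case attr: [values]}), case-insensitively."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)

def access_level(key, entries=ENTRIES):
    """Return the access level for a host/domain key, None if nothing matches."""
    node = parse_filter(FILTER.replace("%0", escape_filter_value(key)))
    hits = [e for e in entries if matches(node, e)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous: {len(hits)} entries match {key!r}")
    return hits[0]["morrisonmailaccesslevel"][0] if hits else None
```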

Page 32: Main Ldap Training Day2


OpenLdap

Page 33: Main Ldap Training Day2


OpenLdap

ACL - Syntax

• Access Control List syntax:
access to <dn="dn matching pattern"> <attrs=attribute, attribute, . . . >
    by <pattern> < compare | search | read | write >
• OpenLDAP supports four access levels. Granting a greater access level implies granting all lower levels. For example, granting read access implies search and compare.
• write – Access to update attribute values (e.g., change this telephoneNumber to 555-2345).
• read – Access to read search results (e.g., show me all the entries with a telephoneNumber of 555*).


Page 34: Main Ldap Training Day2


OpenLdap

ACL

• search – Access to apply search filters (e.g., are there any entries with a telephoneNumber of 555*?).
• compare – Access to compare attributes (e.g., is your telephoneNumber 555-1234?).
• auth – Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity.
• none – No access.


Page 35: Main Ldap Training Day2


OpenLdap

ACL Matching Patterns

• There are several special clauses that can be used in specifying the by <pattern> of the access control rule.
• self – Matches the dn of the object itself, useful for granting users the ability to modify the attributes of their own objects.
• users – Grants privileges to any authenticated connection.
• anonymous – Grants privileges to anonymous connections.
• auth – Grants privileges to the procedures used to authenticate connections to the DSA.


Page 36: Main Ldap Training Day2


OpenLdap

ACL - Examples

• access to attr=userpassword
    by self write
    by anonymous auth
The above gives users write access to their own userpassword attribute and authentication privileges to anonymous connections.
• access to *
    by self write
    by users read
The above gives users write access to their own object and read access to all objects to those connections that have been authenticated.
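An added example (not slapd's code) covering two of the slides at once: it reads slapd.conf text with the parsing rules from the "Configuration - slapd.conf" slide (blank and # lines ignored, whitespace-separated tokens, leading whitespace continues a line) and then evaluates the two ACLs above with OpenLDAP's first-matching-directive rule and ordered levels, where a granted level implies every lower one. The sample configuration text, the naive DN comparison and the restriction to "*" and "attr(s)=" targets are this example's assumptions.

```python
"""Reads slapd.conf-style text with the rules from the configuration slide (blank
lines and lines beginning with '#' ignored, whitespace-separated tokens, a line
beginning with whitespace continues the previous one) and evaluates the parsed
'access to' directives with OpenLDAP's ordered levels, where a granted level
implies every lower one. Added example, not slapd's code."""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # lowest to highest

def read_directives(text):
    """Join continuation lines, drop blank and '#' lines, split each directive into tokens."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues the previous line
        else:
            logical.append(raw.strip())
    return [line.split() for line in logical]

def parse_acls(directives):
    """Keep 'access to <target> by <who> <level> [by ...]' directives as dicts."""
    acls = []
    for toks in directives:
        if toks[:2] != ["access", "to"] or len(toks) < 3:
            continue
        by_clauses, rest = [], toks[3:]
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2].lower() not in LEVELS:
                raise ValueError("bad by-clause in: " + " ".join(toks))
            by_clauses.append((rest[1].lower(), rest[2].lower()))
            rest = rest[3:]
        acls.append({"target": toks[2].lower(), "by": by_clauses})
    return acls

def target_matches(target, attr):
    key, _, names = target.partition("=")
    return target == "*" or (key in ("attr", "attrs") and attr.lower() in names.split(","))

def who_matches(who, target_dn, bind_dn):
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))  # naive DN compare
    return (who == "*" or (who == "anonymous" and bind_dn is None)
            or (who == "users" and bind_dn is not None)
            or (who == "self" and bind_dn is not None and norm(bind_dn) == norm(target_dn)))

def acl_decision(acls, target_dn, attr, bind_dn):
    """First directive whose target matches decides; its first matching by-clause gives the
    level; no matching by-clause means 'none'. bind_dn None stands for an anonymous bind."""
    for acl in acls:
        if target_matches(acl["target"], attr):
            for who, level in acl["by"]:
                if who_matches(who, target_dn, bind_dn):
                    return level
            return "none"
    return "none"

def allowed(acls, target_dn, attr, bind_dn, wanted):
    """True when the granted level is at least the wanted one (read implies search and compare)."""
    return LEVELS.index(acl_decision(acls, target_dn, attr, bind_dn)) >= LEVELS.index(wanted)

SAMPLE_CONF = """# constructed slapd.conf excerpt holding the two ACLs shown on the examples slide
access to attr=userpassword
        by self write
        by anonymous auth
access to *
        by self write
        by users read
"""
```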


Page 37: Main Ldap Training Day2


Ldap ObjectClass

• authPasswordObject
• subschema
• top
• alias
• applicationEntity
• dSA
• applicationProcess
• bootableDevice
• certificationAuthority
• certificationAuthority-V2
• country
• cRLDistributionPoint
• dcObject
• device
• domain
• domainNameForm
• extensibleObject
• groupOfNames
• groupOfUniqueNames
• ieee802Device
• ipHost
• ipNetwork
• ipProtocol
• ipService
• locality
• dcLocalityNameForm
• nisMap
• nisNetgroup
• nisObject


Page 38: Main Ldap Training Day2


Ldap Objectclass

• oncRpc
• organization
• dcOrganizationNameForm
• organizationalRole
• organizationalUnit
• dcOrganizationalUnitNameForm
• person
• organizationalPerson
• inetOrgPerson
• uidOrganizationalPersonNameForm
• residentialPerson
• posixAccount
• posixGroup
• shadowAccount
• strongAuthenticationUser

Page 39: Main Ldap Training Day2


END OF THE DAY

– Thank you – Queries / Suggestions