Main LDAP Training Day 2
8/11/2019 Main Ldap Training Day2
http://slidepdf.com/reader/full/main-ldap-training-day2 1/39
LDAP - OpenLDAP
By: Ashish Khurana
Extn. 2173, Short id - [email protected]
LDAP Schedule
1. Introduction to LDAP - Day 1
2. LDAP concepts - Day 1
3. OpenLDAP - Day 2
4. LDAP Replication - Day 2
5. LDAP Authentication - Day 3
6. LDAP with sendmail - Day 3
7. Query - Day 3
LDAP Schemas
• A schema is a set of rules that determines what data can be stored in a database or directory service.
• Helps maintain consistency and quality of data
• Reduces duplication of data
• The objectClass attribute determines the schema rules the entry must follow.
• A schema contains the following:
  • Required attributes
  • Allowed attributes
  • How to compare attributes
  • Limits on what the attributes can store - i.e., restrict to integer etc.
  • Restrictions on what information is stored - i.e., stops duplication etc.
LDAP Schemas
• Schemas can also be used to impose constraints on the size, range, and format of data values stored in the directory. For example, an Internet email address such as abc@xyz.com.
• Directory entries contain a collection of attribute types and values. Attribute types (or simply attributes) hold specific data elements such as a name, business phone number, or printer's rated speed in pages per minute.
LDAP Schemas – Attribute types include the following
– A name that uniquely identifies the attribute type
– An object identifier (OID) that also uniquely identifies the attribute
– A textual description
– An associated attribute syntax
– A set of matching rules that govern comparisons and searches
– A usage indicator (whether for applications or for operation of the directory service itself)
– An indication of whether the attribute is multivalued or single-valued
– An indication of whether the attribute can be modified by regular applications
– Restrictions on the range or size of the values that may be stored in the attribute
LDAP Schemas
• Attribute names are usually fairly short and somewhat cryptic. Attribute names have the following properties:
– They are not case sensitive; for example, cn and CN both refer to the same attribute.
– Characters used within them are limited to ASCII letters, digits, and the hyphen character; and they must begin with a letter.
– They must be unique across the entire directory service because LDAP applications generally refer to attributes using their names.
– way, faxPhone2, and pagesPerMinute. Some examples of invalid attribute names are last#, 2for2, my.boss, and favorite_drink.
LDAP Schemas
• An attribute's OID is a unique numerical identifier usually written as a sequence of integers separated by dots. For example, the OID for the postalAddress attribute is 2.5.4.16.
• Operational attributes are used by the directory service itself for administrative or system-related purposes and are usually maintained by the directory servers themselves.
• Examples of operational attributes:
  • modifyTimestamp - Date/time an entry was last modified
  • modifiersName - Distinguished name (DN) of the entry that made the last modification.
LDAP Object Class
• Object classes are used to group related information.
• Typically, an object class models a real-world object such as a person, printer, or network device.
• Each directory entry belongs to one or more object classes. The names of the object classes to which an entry belongs are always listed as values for a special multivalued attribute called objectclass.
• The set of object classes associated with an entry serves the following needs:
  – It determines which attribute types must be included in the entry.
  – It determines which attribute types may be included in the entry.
  – It provides a convenient way for directory clients to retrieve a subset of entries during search operations.
LDAP Object Class
• The definition of an LDAP object class includes all the following pieces of information:
  – A name that uniquely identifies the class.
  – A textual description.
  – An OID that also uniquely identifies the class.
  – A set of mandatory attribute types.
  – A set of allowed attribute types.
  – A kind (structural, auxiliary, or abstract).
• Structural - used to place restrictions on where to store information in the DIT.
• Auxiliary - used to add a set of related attributes to an entry that already belongs to a structural class, e.g. mailRecipient.
• Abstract - used only for classes needed to support the LDAP basic information model, e.g. top and alias.
LDAP Object Class Inheritance
• One object class can be derived from another, in which case it inherits some characteristics of the other class. This is sometimes called subclassing, or object class inheritance. The figure below shows an example.
LDAP Object Class
• Therefore, inetOrgPerson entries require all the attributes required of organizationalPerson entries (and therefore of person entries as well). Similarly, inetOrgPerson entries are allowed to include any of the optional attributes from the superior classes.
• In general, the class from which another class inherits some of its characteristics is called the superior class, or superclass (that is, organizationalPerson is the superior class of inetOrgPerson). When one class is derived from another, it inherits the set of required attribute types, the set of optional attribute types, and the kind of object class from its superior.
LDAP Object Class Inheritance
• All structural object classes are ultimately derived from one special abstract object class called top. The definition of the top class consists of a single mandatory attribute called objectclass, which ensures that all LDAP entries contain at least one value for objectclass.
LDAP Attribute
• Attributes are used to hold values. Like variables in programs, they perform a similar task - they store information.
OpenLDAP - Obtaining OpenLDAP
• Many Linux vendors include precompiled versions of OpenLDAP with their distributions.
• The latest version of OpenLDAP can be obtained from http://www.OpenLDAP.org/software/download/. The OpenLDAP 2 branch is an LDAPv3-compliant implementation.
Day-1
OpenLDAP
Software required before installation of LDAP
• Our OpenLDAP server will require several external software packages:
  • Support for POSIX threads, either by the operating system or an external library.
  • SSL/TLS libraries (such as the OpenSSL package, which is available from http://www.openssl.org/).
  • A database manager library that supports DBM type storage facilities. The current library of choice is the Berkeley DB 4.1 package from Sleepycat Software (http://www.sleepycat.com/).
  • Release 2.1 of the SASL libraries from Carnegie Mellon University (http://asg.web.cmu.edu/sasl/sasl-library.html).
OpenLDAP - Installed components included with OpenLDAP
• libexec/slapd - The LDAP server.
• libexec/slurpd - The LDAP replication helper.
• bin/ldapadd, bin/ldapmodify, bin/ldapdelete, bin/ldapmodrdn - Command-line tools for adding, modifying, and deleting entries on an LDAP server. These commands support both LDAPv2 and LDAPv3.
• bin/ldapsearch, bin/ldapcompare - Command-line utilities for searching an LDAP directory or testing a compare operation on a specific attribute held by an entry.
OpenLDAP - Installed components included with OpenLDAP (cont.)
• bin/ldappasswd - A tool for changing the password attribute in LDAP entries. This tool is the LDAP equivalent of /bin/passwd.
• sbin/slapadd, sbin/slapcat, sbin/slapindex - Tools for manipulating the local backend data store used by the slapd daemon.
• sbin/slappasswd - A simple utility to generate password hashes suitable for use in slapd.conf.
• lib/libldap*, lib/liblber*, include/ldap*.h, include/lber*.h - The OpenLDAP client SDK.
OpenLDAP Installation
• rpm -ivh packagename.rpm
• [root@thor root]# rpm -qa | grep openldap
  openldap-devel-2.0.23-4
  openldap-2.0.23-4
  openldap-servers-2.0.23-4
  openldap-clients-2.0.23-4
  [root@thor root]#
OpenLDAP
Configuration - slapd.conf
• The slapd.conf file is the central source of configuration information for the OpenLDAP standalone server (slapd), the replication helper daemon (slurpd), and related tools, such as slapcat and slapadd.
• In the tradition of Unix configuration files, slapd.conf is an ASCII file with the following rules:
  – Blank lines and lines beginning with a pound sign (#) are ignored.
  – Parameters and associated values are separated by whitespace characters (space or tab).
  – A line with a blank space in the first column is considered to be a continuation of the previous one. There is no need for a line continuation character such as a backslash (\).
Introduction to LDAP - Migration Tools
• Perl scripts designed to convert the various /etc system files (e.g., /etc/passwd and /etc/hosts) into LDIF format.
• Once you've converted the system files to LDIF, you can import them into your LDAP store either online using the ldapadd(1) command or by using an offline database creation utility such as the OpenLDAP slapadd(8c) tool.
• These LDAP migration scripts can be found at http://www.padl.com/OSS/MigrationTools.html.
• After unpacking the migration scripts, you must customize the migrate_common.ph script to fit your network settings. Within this Perl script is a variable named $DEFAULT_BASE, which is used to define the base suffix under which the organizational units that will serve as containers for migrated information will be created.
Introduction to LDAP - Migration Tools
• The scripts accept input and output filenames as command-line parameters. If no output filename is present, the scripts write the converted entries to standard output. For example, the following command converts /etc/passwd into an LDIF file:
  root# migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
• There are various migration scripts that support translating:
Introduction to LDAP - Migration Tools
• /etc/fstab (stored in ou=Mounts)
• /etc/hosts (stored in ou=Hosts)
• /etc/passwd and /etc/shadow (stored in ou=People)
• /etc/group (stored in ou=Group)
• /etc/protocols (stored in ou=Protocols)
• /etc/rpc (stored in ou=Rpc)
• /etc/services (stored in ou=Services)
• /etc/networks (stored in ou=Networks)
• netgroups (stored in ou=Netgroups)
Introduction to LDAP - Migration Tools
• Since we are primarily dealing with users and groups in this chapter, the following entries have already been added to the directory:
  dn: ou=people,dc=plainjoe,dc=org
  objectclass: organizationalUnit
  ou: people

  dn: ou=group,dc=plainjoe,dc=org
  objectclass: organizationalUnit
  ou: group
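The conversion that migrate_passwd.pl performs, written out as an added illustration (this is not PADL's script): constructed /etc/passwd lines become LDIF entries under ou=People below the dc=plainjoe,dc=org suffix used above. The object classes (top, account, posixAccount, shadowAccount), the UID cutoff and the way a password field is handled are this example's own assumptions; the LDIF base64 rule it applies is from RFC 2849.

```python
# Minimal /etc/passwd -> LDIF converter in the spirit of the slides' migrate_passwd.pl
# (added example; not PADL's script).  Entries are placed under ou=People below the
# base suffix, as the slides' $DEFAULT_BASE does.  The object classes follow the
# posixAccount/shadowAccount schema; the UID cutoff and the userPassword handling
# are this example's own choices.
import base64

DEFAULT_BASE = "dc=plainjoe,dc=org"   # suffix used in the slides' directory
MIN_UID = 500                         # assumption: accounts below this stay in local files

# Constructed /etc/passwd sample (no real accounts; the hash is a placeholder).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Liddell:/home/alice:/bin/bash
bob:$1$saltsalt$ConstructedHashXXXXXXXXXXX:1001:1001:Bob Ó Brien:/home/bob:/bin/sh
"""

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when LDIF cannot carry the value literally."""
    safe = (value.isascii() and value != "" and value[0] not in " :<"
            and "\r" not in value and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def passwd_to_ldif(text, base=DEFAULT_BASE, min_uid=MIN_UID):
    """Return one LDIF entry (a string) per eligible /etc/passwd line."""
    entries = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = raw.split(":", 6)
        if int(uid) < min_uid:
            continue                          # skip system accounts
        lines = [f"dn: uid={name},ou=People,{base}",
                 ldif_line("uid", name),
                 ldif_line("cn", gecos.split(",")[0] or name),
                 "objectClass: top",
                 "objectClass: account",
                 "objectClass: posixAccount",
                 "objectClass: shadowAccount",
                 ldif_line("uidNumber", uid),
                 ldif_line("gidNumber", gid),
                 ldif_line("homeDirectory", home),
                 ldif_line("loginShell", shell),
                 ldif_line("gecos", gecos)]
        # 'x' means the hash lives in /etc/shadow; copy a hash only when it is really here.
        # Whatever ends up in userPassword must be shielded by an ACL (see the ACL slides).
        if pw not in ("", "x", "*", "!"):
            lines.append(ldif_line("userPassword", "{crypt}" + pw))
        entries.append("\n".join(lines) + "\n")
    return entries
```

The resulting strings can be written to a file and loaded with ldapadd or slapadd as the slide describes.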
Introduction to LDAP - Migration Tools
• The Name Service Switch (NSS) is similar to PAM except that it only provides a mechanism for information retrieval. PADL Software's nss_ldap module can be obtained from http://www.padl.com/OSS/nss_ldap.html. The current implementation can be used on AIX, HP-UX, Linux, and Solaris.
• The nss_ldap module uses the same /etc/ldap.conf configuration file as PADL's pam_ldap module. The configuration parameters for this module are summarized in Table 6-3. While both pam_ldap and nss_ldap read /etc/ldap.conf for configuration settings, the parameters prefixed by pam_ do not affect the behavior of nss_ldap.
Introduction to LDAP - Migration Tools
• To configure a service to use the nss_ldap module, add the keyword ldap to the appropriate lines in your /etc/nsswitch.conf file. PADL's NSS module currently supports the following databases:
  • passwd
  • group
  • hosts
  • services
  • networks
  • protocols
  • rpc
  • ethers
  • netgroups
Introduction to LDAP - Migration Tools
• Here's an excerpt from an nsswitch.conf file. It specifies that the system should consult the local password, shadow password, and group files before querying the directory server.
  ## Define the order of lookups for users and groups.
  passwd: files ldap
  shadow: files ldap
  group:  files ldap
LDAP & Sendmail Access
• LDAP SMTP Access Control
• One example of the use of "arbitrary" LDAP connectivity to enhance the functionality of sendmail is to replace the access file traditionally used to reject, deny, or allow various domain names from using an SMTP server.
• By replacing ...
LDAP and Sendmail Access
• Kaccess hash /etc/mail/access
  in /etc/sendmail.cf is replaced with
  Kaccess ldap -1 -v morrisonmailaccesslevel -k (&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))
• sendmail can be configured to look into the DIT for domains and hosts that are to be granted the various levels of access.
• NOTE: The above configuration file entry resides entirely on one line in the actual /etc/sendmail.cf file.
LDAP and Sendmail Access – Relay
Example LDAP objects used to replace the traditional sendmail access file.
• cn=Allow SMTP Relay,ou=AccessControl,ou=Electronic Mail,o=MorrisonIndustries,c=US
  objectClass=morrisonmailaccess
  morrisonmailaccesslevel=RELAY
  cn=Allow SMTP Relay
  morrisonmailaccesscriteria=mie
  morrisonmailaccesscriteria=barracuda
  morrisonmailaccesscriteria=littleboy
  morrisonmailaccesscriteria=firewall
  morrisonmailaccesscriteria=mail.morrison.iserv.net
  morrisonmailaccesscriteria=localhost
  morrisonmailaccesscriteria=localhost.localdomain
  morrisonmailaccesscriteria=127.0.0.1
LDAP and Sendmail Access – Reject
• cn=Reject SMTP,ou=AccessControl,ou=Electronic Mail,o=MorrisonIndustries,c=US
  objectClass=morrisonmailaccess
  morrisonmailaccesslevel=REJECT
  cn=Reject SMTP
  morrisonmailaccesscriteria=smartbrief.rsvp0.net
LDAP and Sendmail Access – Discard
• cn=Discard SMTP,ou=AccessControl,ou=Electronic Mail,o=MorrisonIndustries,c=US
  objectClass=morrisonmailaccess
  morrisonmailaccesslevel=DISCARD
  cn=Discard SMTP
  morrisonmailaccesscriteria=pink4free.com
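How the Kaccess ldap map on the previous slides resolves a connecting host to RELAY, REJECT or DISCARD, as an added illustration rather than sendmail's or the Morrison Industries configuration's own code. The directory is a constructed in-memory copy of the three entries above; the RFC 4515 escaping of the looked-up key before it replaces %0, and the order in which shorter host names and address prefixes are tried, are this example's own modelling of the access map lookup.

```python
# Toy model of the sendmail LDAP access map from the slides (added example;
# not sendmail's code).  The K line substitutes the looked-up key for %0 and
# returns morrisonmailaccesslevel.  Constructed here: an in-memory copy of
# the three slide entries, RFC 4515 escaping of the key (this example's own
# precaution), and a key order that mimics the access map's shorter names.
import re

FILTER_TEMPLATE = "(&(objectClass=morrisonmailaccess)(morrisonmailaccesscriteria=%0))"

# Constructed copy of the slide entries, attribute names lower-cased.
DIRECTORY = [
    {"objectclass": ["morrisonmailaccess"], "morrisonmailaccesslevel": ["RELAY"],
     "morrisonmailaccesscriteria": ["mie", "barracuda", "littleboy", "firewall",
                                    "mail.morrison.iserv.net", "localhost",
                                    "localhost.localdomain", "127.0.0.1"]},
    {"objectclass": ["morrisonmailaccess"], "morrisonmailaccesslevel": ["REJECT"],
     "morrisonmailaccesscriteria": ["smartbrief.rsvp0.net"]},
    {"objectclass": ["morrisonmailaccess"], "morrisonmailaccesslevel": ["DISCARD"],
     "morrisonmailaccesscriteria": ["pink4free.com"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping: a key containing ( ) * \\ or NUL cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\0" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(directory, filt):
    """Evaluate an AND of equality assertions, which is all the K line's filter uses."""
    pairs = re.findall(r"\(([\w-]+)=([^()]*)\)", filt)
    return [e for e in directory
            if all(unescape_filter_value(v).lower() in [x.lower() for x in e.get(a.lower(), [])]
                   for a, v in pairs)]

def candidate_keys(client):
    """Full name then each parent domain; for an IPv4 address, shorter prefixes."""
    parts = client.split(".")
    if all(p.isdigit() for p in parts):
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return [".".join(parts[n:]) for n in range(len(parts))]

def access_level(directory, client):
    """Return what 'Kaccess ldap -1 -v morrisonmailaccesslevel' would, or None."""
    for key in candidate_keys(client):
        filt = FILTER_TEMPLATE.replace("%0", escape_filter_value(key))
        hits = search(directory, filt)
        if hits:                          # -1 on the K line asks for a single match
            return hits[0]["morrisonmailaccesslevel"][0]
    return None                           # no matching entry in the DIT
```

Against a real slapd an unescaped `*` in the key would turn the equality assertion into a presence or substring match, which is why the key is escaped before substitution.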
OpenLDAP
ACL - Syntax
• Access Control List syntax:
  access to <dn="dn matching pattern"> <attrs=attribute, attribute, ...>
      by <pattern> <compare | search | read | write>
• OpenLDAP supports four access levels. Granting a greater access level implies granting all lower levels. For example, granting read access implies search and compare.
• write - Access to update attribute values (e.g., change this telephoneNumber to 555-2345).
• read - Access to read search results (e.g., show me all the entries with a telephoneNumber of 555*).
OpenLDAP
ACL
• search - Access to apply search filters (e.g., are there any entries with a telephoneNumber of 555*?).
• compare - Access to compare attributes (e.g., is your telephoneNumber 555-1234?).
• auth - Access to bind (authenticate). This requires that the client send a username in the form of a DN and some type of credentials to prove his or her identity.
• none - No access.
OpenLDAP
ACL Matching Patterns
• There are several special clauses that can be used in specifying the by <pattern> of the access control rule.
• self - Matches the DN of the object itself, useful for granting users the ability to modify the attributes of their own objects.
• users - Grants privileges to any authenticated connection.
• anonymous - Grants privileges to anonymous connections.
• auth - Grants privileges to the procedures used to authenticate connections to the DSA.
OpenLDAP
ACL - Examples
• access to attr=userpassword
      by self write
      by anonymous auth
  The above gives users write access to their own userpassword attribute and authentication privileges to anonymous connections.
• access to *
      by self write
      by users read
  The above gives users write access to their own object and read access to all objects to those connections that have been authenticated.
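A small evaluator for the two ACL examples above, which also exercises the slapd.conf rules from the configuration slide (comment lines, whitespace-separated tokens, leading-blank continuation lines). It is an added illustration and not OpenLDAP's code: it models only the self, users, anonymous and * patterns shown here, uses the dc=plainjoe,dc=org suffix from the migration slides, and writes out the `by * none` that slapd otherwise applies implicitly when no by clause matches.

```python
# Toy model of slapd.conf 'access' directives (added example, not OpenLDAP code).
# Parsing follows the slides' slapd.conf rules (# lines and blanks ignored,
# whitespace-separated tokens, a leading blank continues the previous line);
# evaluation follows slapd: first matching 'access to', then first matching 'by'.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # low to high

# Constructed fragment: the slides' two examples, with slapd's implicit deny spelled out.
SLAPD_CONF = """\
# credentials: the owner may change them, anonymous may only bind with them
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by users read
"""

def parse_directives(text):
    logical = []                    # one entry per logical (joined) line
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:      # continuation of the previous line
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return [l.split() for l in logical]

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] for each 'access to' directive."""
    acls = []
    for t in parse_directives(text):
        if t[:2] == ["access", "to"]:
            by = [(t[i + 1], t[i + 2]) for i in range(3, len(t) - 2, 3) if t[i] == "by"]
            acls.append((t[2], by))
    return acls

def what_matches(what, attr):
    if what == "*":
        return True
    # the slides write both 'attr=' and 'attrs='; accept either
    names = what.split("=", 1)[1].lower().split(",") if what.startswith(("attr=", "attrs=")) else []
    return attr is not None and attr.lower() in names

def who_matches(who, bind_dn, target_dn):
    return (who == "*"
            or (who == "anonymous" and bind_dn is None)
            or (who == "users" and bind_dn is not None)
            or (who == "self" and bind_dn is not None
                and bind_dn.lower() == target_dn.lower()))

def allowed(acls, bind_dn, target_dn, attr, needed):
    """True if the first matching directive grants at least `needed` on `attr`."""
    for what, clauses in acls:
        if what_matches(what, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(needed)  # greater implies lower
            return False            # target matched but no <who> did: deny
    return False                    # nothing matched: deny in this model
```

Running the checks shows the property the first example is meant to provide: anonymous clients can bind against userPassword but cannot read the stored hashes, and other authenticated users cannot read them either.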
LDAP Object Classes
• authPasswordObject
• subschema
• top
• alias
• applicationEntity
• dSA
• applicationProcess
• bootableDevice
• certificationAuthority
• certificationAuthority-V2
• country
• cRLDistributionPoint
• dcObject
• device
• domain
• domainNameForm
• extensibleObject
• groupOfNames
• groupOfUniqueNames
• ieee802Device
• ipHost
• ipNetwork
• ipProtocol
• ipService
• locality
• dcLocalityNameForm
• nisMap
• nisNetgroup
• nisObject
LDAP Object Classes
• oncRpc
• organization
• dcOrganizationNameForm
• organizationalRole
• organizationalUnit
• dcOrganizationalUnitNameForm
• person
• organizationalPerson
• inetOrgPerson
• uidOrganizationalPersonNameForm
• residentialPerson
• posixAccount
• posixGroup
• shadowAccount
• strongAuthenticationUser
END OF THE DAY
– Thank you
– Queries / Suggestions