LDAP Applied (EuroOSCON 2005)
Transcript of LDAP Applied (EuroOSCON 2005)
LDAP Applied
Fran Fabrizio, Sr. Systems Administrator
Dept. of Computer & Information Sciences, U of Alabama at Birmingham
EuroOSCON, Amsterdam, The Netherlands
October 17-20, 2005
This talk....
WILL
● Briefly review LDAP concepts
● Cover common uses of LDAP
● Present examples of advanced usage
● Hopefully inspire you to use LDAP!
WILL NOT
● Show you how to install LDAP
● Teach you how to configure LDAP in specific OSes
● Give all the details needed to use LDAP
● Leave you disappointed (hopefully!)
Link to Slides
● These slides are available now online at http://www.cis.uab.edu/fran/ if you wish to follow along
● They will also be available after the conference on the conference web site
Getting to Know the Audience
● How many of you know what LDAP is?
● How many of you are using LDAP right now?
● How many of you are using it for something other than user authentication or email address books?
What is LDAP?
● Lightweight Directory Access Protocol
● A standard protocol for accessing directory services
● Also used to refer to the directories being accessed
● Based on the X.500 specification
● Represents hierarchical information in entries consisting of a collection of attributes with a unique, or distinguished, name
No really, what is LDAP?
● It's a good way to store data that is:
– Mostly read access
– Needed by many machines/services on the network
– Generally represents collections of entities common in large organizations
● User and Group Accounts
● Computers
● Email Addresses and Contact Information
● Departments and Business Units
LDAP Structure
● An object class defines the valid attributes and properties for an entry
● A set of related object classes forms a schema. For example, you may have a schema to represent the users in a university department.
● Distinguished names similar to DNS. Ex: ou=People,dc=eurooscon,dc=example,dc=com
● LDIF (Lightweight Directory Interchange Format)
LDIF Example

  dn: uid=testuser,ou=People,dc=eurooscon,dc=example,dc=com
  cn: Test User
  uid: testuser
  uidNumber: 501
  loginShell: /bin/sh
  homeDirectory: /home/testuser
  gidNumber: 100
  userPassword:: e2NyeXB0fVRYaHRIa05GOUdBSWc=
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: inetOrgPerson
  shadowLastChange: 13072
  givenName: Test
  sn: User
  gecos: Test User
More on LDAP structure
● One entry can have multiple classes
– only one can be structural (inetOrgPerson)
– the rest are auxiliary
● For each class, there is a set of required attributes and a set of optional attributes.
– If you are a posixAccount, you must have a uid and may have a description
● Each entry will have a unique distinguished name to reference it
Common Uses of LDAP
● User Directories: email addresses, students
● User Accounts: Centralizing accounts, access control, groups
● Inventory Catalogs: machines, offices
● Network Service Backend: DNS, Email
● Usually NOT a replacement for relational data
Migrating User Accounts to LDAP
● Why do you want to do this?
● To centralize user accounts
● To modernize from some other network account store (e.g. NIS)
● Eliminate duplication of data (already using LDAP for corporate address book?)
● To better scale to the needs of a growing organization
Migrating User Accounts to LDAP
● NIS/NIS+ → LDAP or /etc/passwd → LDAP
● PADL.com MigrationTools scripts
– May need to be modified
● General solution:
– produce LDIF
– Import into LDAP with ldapadd and ldapmodify
Migrating User Accounts to LDAP
● posixAccount – a standard LDAP schema to represent user accounts
● Demo: migrate_passwd.pl

  ( nisSchema.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
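As an added example (not PADL's migrate_passwd.pl and not code from the talk), here is a small Python equivalent of the migration step above: it turns /etc/passwd lines into posixAccount LDIF, checks the MUST attributes from the schema definition, and applies LDIF's base64 rule. The base DN is an assumption, and the sample passwd line and crypt hash (the hash is the one encoded in the LDIF slide) are constructed sample data.

```python
import base64

BASE_DN = "ou=People,dc=eurooscon,dc=example,dc=com"   # assumed people container
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: <base64>' when LDIF needs it: values
    that start with space/colon/'<' or contain non-ASCII or control characters,
    plus userPassword, which tools conventionally base64-encode as on the slide."""
    plain = (value.isascii() and value.isprintable()
             and value[:1] not in (" ", ":", "<") and attr != "userPassword")
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def passwd_to_entry(line, crypt_hash=None):
    """Parse one /etc/passwd line into a posixAccount/shadowAccount entry and
    check the MUST attributes from the posixAccount definition above."""
    name, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    entry = {
        "dn": f"uid={name},{BASE_DN}",
        "objectClass": ["top", "posixAccount", "shadowAccount"],
        "uid": name, "cn": gecos.split(",")[0] or name,
        "uidNumber": uid, "gidNumber": gid, "homeDirectory": home,
        "loginShell": shell, "gecos": gecos,
    }
    if crypt_hash:  # hash taken from /etc/shadow; stored with the {crypt} tag
        entry["userPassword"] = "{crypt}" + crypt_hash
    missing = [a for a in POSIX_MUST if not entry.get(a)]
    if missing:
        raise ValueError(f"{name}: missing MUST attribute(s) {missing}")
    return entry

def to_ldif(entry):
    """Serialise an entry dict as one LDIF record (dn first)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, vals in entry.items():
        if attr == "dn":
            continue
        for v in (vals if isinstance(vals, list) else [vals]):
            lines.append(ldif_line(attr, v))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed sample line and hash, not real account data
    sample = "testuser:x:501:100:Test User:/home/testuser:/bin/sh"
    print(to_ldif(passwd_to_entry(sample, "TXhtHkNF9GAIg")))
```

Feed the output to ldapadd as the slides describe; a line whose homeDirectory is empty is rejected before it ever reaches the server.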
Activating LDAP-Based Logins
● pam_ldap (from PADL.com) inserts into the PAM authentication stack and partners with nss_ldap (also PADL.com) to provide authentication against LDAP
● Seamlessly authenticates both local and LDAP-based users
● Many distros automate configuration (e.g. Fedora)
● Demo: pam_ldap configuration
Integrating LDAP and Email
● Client Side - why?
– Address Book lookups in LDAP
– Autocompletion of partial email addresses
● Server Side - why?
– Store white/blacklists
– virtual mailboxes
– Aliases
– User preferences
● Add the inetOrgPerson schema to LDAP entries
LDAP and Email - Client
● Demo: Thunderbird and LDAP
● Many other email clients support LDAP lookups
– Outlook, Outlook Express, Netscape, Pine, Eudora, Evolution, SquirrelMail, Mac Mail, etc...
● Clients can use LDAP for other things besides just address lookups
– ex. SquirrelMail (web mail) has a plugin to store user preferences in LDAP.
LDAP and Email - Server
● Many email servers can integrate with LDAP
● Alias lookups (Postfix); in main.cf, all on one line:

  alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf

ldap-aliases.cf contains:

  server_host = 192.168.139.128
  search_base = dc=eurooscon,dc=example,dc=com

● Now, Postfix can deliver to both local and LDAP user mail aliases
LDAP and Email - Server
● Postfix expects a certain LDAP schema to support this (these names are configurable)

  dn: cn=Accounting Staff List, dc=my, dc=com
  cn: Accounting Staff List
  o: my.com
  objectclass: maillist
  mailacceptinggeneralid: accountingstaff
  mailacceptinggeneralid: accounting-staff
  maildrop: mylist-owner
  maildrop: an-accountant
  maildrop: some-other-accountant
  maildrop: this, that, theother
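To show what the ldap-aliases.cf lookup does with an entry like this one, here is an added Python example (not Postfix code) that resolves an alias over a constructed LDIF copy of the maillist entry, using Postfix's default ldap_table query filter (mailacceptinggeneralid=%s) and result attribute maildrop, following nested aliases and guarding against loops. The second entry and the boss@my.com address are constructed.

```python
# Constructed LDIF modelled on the maillist entry on the slide; not real directory data.
ALIAS_LDIF = """\
dn: cn=Accounting Staff List, dc=my, dc=com
objectclass: maillist
mailacceptinggeneralid: accountingstaff
mailacceptinggeneralid: accounting-staff
maildrop: mylist-owner
maildrop: an-accountant
maildrop: some-other-accountant
maildrop: this, that, theother

dn: cn=List Owners, dc=my, dc=com
objectclass: maillist
mailacceptinggeneralid: mylist-owner
maildrop: boss@my.com
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated record
    (plain 'attr: value' lines only; base64 '::' values are not handled)."""
    entries, cur = [], {}
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = raw.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries

def maildrop_lookup(entries, address):
    """Postfix ldap_table defaults: query_filter (mailacceptinggeneralid=%s) and
    result_attribute maildrop; comma-separated results split like /etc/aliases."""
    drops = []
    for e in entries:
        if address.lower() in [v.lower() for v in e.get("mailacceptinggeneralid", [])]:
            for v in e.get("maildrop", []):
                drops += [x.strip() for x in v.split(",") if x.strip()]
    return drops

def expand(entries, address, depth=0):
    """Expand nested aliases down to final recipients; bail out on a loop."""
    if depth > 10:
        raise RuntimeError(f"alias loop while expanding {address}")
    drops = maildrop_lookup(entries, address)
    if not drops:
        return [address]
    return [r for d in drops for r in expand(entries, d, depth + 1)]
```

expand(parse_ldif(ALIAS_LDIF), "accounting-staff") returns the six final recipients, with mylist-owner resolved through the second entry; two entries that point at each other raise RuntimeError instead of recursing forever.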
LDAP and Email - Server
● Common usage is virtual mailboxes (e.g. ISP)
● Another common usage is to rewrite addresses
– e.g. [email protected] → @eurooscon.example.com
● Sendmail, Exim, Courier, Courier-IMAP, Cyrus, uw-imap, and Qmail (and many others) all support integration with LDAP to various degrees
LDAP and Web-Based Resources
● Authenticate users to gain access to restricted parts of web site
● mod_auth_ldap – Apache module
● User-based and group-based authentication
Using LDAP with Apache
● Apache 2.0 ships with mod_auth_ldap
● Restrict access to a directory with Location

  <Location /protected>
    AuthName "Protected Directory"
    AuthType basic
    AuthLDAPURL ldap://ldap.cis.uab.edu:389/ou=People,dc=cis,dc=uab,dc=edu
    require valid-user
    # OR require group membership instead
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    require group cn=admin,ou=group, dc=eurooscon,dc=example,dc=com
  </Location>
Advanced Apache/LDAP Integration
● Fancy filters

  AuthLDAPURL ldap://eurooscon.example.com:389/ou=people,dc=eurooscon,dc=example,dc=com??(|(pagerID=*)(uid=fran))

● Demo: Fancy Filters Example – "LDAP Applied Attendees Only"
Fancy Filter Example
● Configuration for the demo...

  <Location /ldapapplied>
    AuthType basic
    AuthName "LDAP Applied Attendees Only"
    AuthLDAPURL ldap://192.168.139.128/ou=people,dc=eurooscon,dc=example,dc=com?uid??(comExampleEuroosconSession=LDAPApplied)
    require valid-user
  </Location>
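As an added example, not from the talk and not mod_auth_ldap's own code, the following Python parses the AuthLDAPURL form used on these slides and assembles the per-user search filter with the user-supplied name escaped per RFC 4515, so a login name is always matched literally. The defaults for attribute, scope and filter are mod_auth_ldap's documented ones; accepting a two-'?' URL like the one on the previous slide (filter in the scope slot) is this parser's own assumption.

```python
from urllib.parse import urlsplit, unquote

def parse_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter into a dict.
    Defaults follow mod_auth_ldap: attribute uid, scope sub, filter
    (objectClass=*). A filter found in the scope slot (a two-'?' URL like
    the one on the previous slide) is accepted as the filter; that leniency
    is this parser's assumption, not documented mod_auth_ldap behaviour."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    attribute, scope, filt = (parts.query.split("?") + ["", "", ""])[:3]
    if scope.startswith("("):
        scope, filt = "", scope
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": unquote(filt) or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping: '\\', '*', '(', ')' and NUL become \\XX, so a
    value taken from a login form is matched literally, never parsed."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(url, username):
    """Build the filter a user lookup against this URL needs: the URL's
    static filter AND (attribute=username), with the username escaped."""
    u = parse_ldap_url(url)
    return "(&%s(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))

if __name__ == "__main__":
    demo = ("ldap://192.168.139.128/ou=people,dc=eurooscon,dc=example,dc=com"
            "?uid??(comExampleEuroosconSession=LDAPApplied)")
    print(parse_ldap_url(demo))
    print(user_search_filter(demo, "fran"))
    print(user_search_filter(demo, "*)(uid=*"))   # metacharacters neutralised
```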
Extending LDAP Schemas
● Last slide implies attribute comExampleEuroosconSession with a value of "LDAPApplied" exists for some users
● How'd that work? We extend the LDAP Schema...
– Store information custom to your environment
local.schema
● We define a local schema for this attribute in a file called local.schema:

  attributetype ( 1.3.6.1.4.1.7341.999.2.1
    NAME 'comExampleEuroosconSession'
    DESC 'a session at EuroOSCON'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

  objectclass ( 1.3.6.1.4.1.7341.999.1.1
    NAME 'comExampleEuroosconAttendee'
    DESC 'optional class to represent EuroOSCON sessions'
    AUXILIARY
    MAY comExampleEuroosconSession )

The "1.3.6.1.4.1.7341.999.2.1" is an OID, a unique LDAP object identifier. More information is available at http://www.iana.org/. This one was taken from my workplace. You probably don't need to use them, but I do just to be complete.
local.schema continued
● We tell the LDAP server to include this in its known schemas

  include /etc/openldap/schema/local.schema

● Now LDAP user entries can have:
– comExampleEuroosconAttendee – optional auxiliary class
– comExampleEuroosconSession – optional attribute within that class
LDAP and DNS
● Storing DNS tables in LDAP instead of flat files
● Bind, tinydns, PowerDNS and others support this
● dnsZone structural object class
● zone2ldap tool with bind will convert flat files to LDAP
LDAP and Perl
● From Perl, use Net::LDAP

  use strict;
  use warnings;
  use Net::LDAP;

  my $ldap = Net::LDAP->new('ldap.eurooscon.com') or die "cannot connect: $@";
  my $msg = $ldap->bind;                      # anonymous bind
  $msg->code && die $msg->error;
  $msg = $ldap->search( base   => "dc=example,dc=com",
                        filter => "(objectClass=*)" );
  $msg->code && die $msg->error;

  my $result = $ldap->add( "cn=fran,ou=People,dc=uab,dc=edu",
      attr => [ cn   => ["Fran Fabrizio"],
                mail => ["[email protected]"],
                # further attributes elided on the slide
              ] );
  $result->code && die $result->error;
LDAP and PHP
● PHP has an LDAP API

  <?php
  $ldap = ldap_connect('ldap.cis.uab.edu');
  ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3, required by OpenLDAP 2.x
  $result = ldap_bind($ldap);                           // anonymous bind
  $search = ldap_search($ldap, "dc=cis,dc=uab,dc=edu", "sn=Fabr*");
  $data   = ldap_get_entries($ldap, $search);
  // $result = ldap_add(.....);   arguments elided on the slide
Programmatic LDAP - Others
● Java
– Support through the JNDI or JLDAP (openldap.org)
● C
– OpenLDAP's C API
● Ruby
– Ruby-ldap
● Python
– Python-ldap
LDAP and Relational Data
● Would be neat to do queries that link LDAP and relational data
– Example: CIS Web Site
● dblink-ldap – http://pgfoundry.org/projects/dblink-ldap/
– beta project to provide LDAP data as a table/view within PostgreSQL
● Microsoft has OLE DB Provider for Directory Services – access AD with SQL queries
Strategy 1: AD -is- LDAP
● Active Directory -is- an LDAP version 3 server
● AD can import LDIF
– Ldifde.exe included with Windows Server 2003 and supports batch LDIF operations
● Can also script from VBScript
● AD4Unix is a plugin (sf.net/projects/ad4unix) that adds Unix attributes to AD and manages them through AD Users and Computers MMC.
● pam_ldap can auth against AD
Strategy 1: AD -is- LDAP
● This model can be expanded to allow pam_ldap to update user passwords in AD
● Additionally, nss_ldap can also talk to AD, but is expecting Unix-like attributes for home dirs, uid/gid, shells, etc...
– Installing MS's Services for Unix installs the NIS server, which has the side effect of doing this for you
– Or, extend the schema yourself – install MKSADExtPlugin, and register the Active Directory Schema MMC to set the option to allow schema edits
Strategy 2: Migrate AD to LDAP
● ldifde.exe can export AD forest
● Unless you plan to use Kerberos authentication with your LDAP server, you'll need to reset users' passwords
● This will also require alteration of the LDIF that Microsoft produces to be more Unix friendly
● pGina can authenticate Windows clients against Unix LDAP server
Strategy 2: pGina
● pGina is an open source replacement for Microsoft's Gina (Graphical Identification and Authentication)
● Allows Windows clients to authenticate against various sources via a plugin architecture
– including LDAP, of course
● Highly customizable
● Demo: pGina
Monitoring LDAP
● Reading LDAP logs
– Debug levels allow output of useful information
– /usr/sbin/slapd -d xxx
● 8 – connection management
● 32 – search filter processing
● 64 – config file processing
● 128 – access control list processing
● 256 – connections/operations/results
● additive – 288 is conn/ops/results and search filters
Managing LDAP
● Command line
– ldap* and slap* tools for OpenLDAP
● Scripting
● GQ – Simple GTK+/GTK2 GUI
– sf.net/projects/gqclient
● Webmin
– webmin.com
– LDAP Users and Groups plugin
● Demo: webmin
Other Uses of LDAP
● Samba authentication
– advantages over smbpasswd file
● Serving certificates
● Machine configurations
● Radius authentication
● Managing network printers
Conclusions
● LDAP can consolidate many administrative tasks
● LDAP is optimized for reads and will be faster than SQL for simple reads
● LDAP can improve scalability – all mail servers in organization can use same data store, for instance
● Once in place, LDAP can often be reapplied to solve new problems
For More Information
● www.openldap.org
● PADL.com
– pam_ldap
– nss_ldap
– MigrationTools
● Book: LDAP System Administration by Gerald Carter, published by O'Reilly
– More detail about a lot of these ideas is found there
Thank You
● Thanks for coming!
● My contact information is:
Fran Fabrizio
[email protected]
http://www.cis.uab.edu/fran/
● Feel free to email any questions you may have, or catch me at the conference for the rest of the week!