LDAP

Post on 27-Dec-2015



SPARCS 10 이대근 (harry)

Contents

Directory Service
What is LDAP?
Installation
Configuration
ldap-utils
User authentication with LDAP

Question

How can an organization keep one centralized, up-to-date phone book that everybody has access to?

How can SPARCS share login information among all of its servers?

Directory Service

Directory

A directory is a mapping from names to values.

This is a more general notion than the directories of a file system.

Directory: examples

Name type -> Value type : Directory
Word -> Definition : Dictionary
Name -> Phone number : Telephone directory
Domain name -> IP address : DNS

Directory service

The software system that stores, organizes and provides access to the information in a directory

Directory service vs RDBMS

Directory service: read more often
Relational DBMS: written more often

Directory service: data may be redundant if it helps performance
Relational DBMS: data must be unique (in most cases)

Namespace: must have one (directory service) / may have one (relational DBMS)

Attribute values: not null (directory service) / nullable (relational DBMS)

X.500

A series of computer networking standards covering electronic directory services

Protocols
DAP: Directory Access Protocol
DSP: Directory System Protocol
DISP: Directory Information Shadowing Protocol
DOP: Directory Operational Bindings Management Protocol

X.500 Directory service

What is LDAP?

LDAP

Lightweight Directory Access Protocol, i.e., a lightweight DAP

A protocol for accessing a directory service over TCP/IP

Designed at the University of Michigan

Directory structure: file system (diagram)

Directory structure: LDAP (diagram)

Available backend types

Type     Description
bdb      Berkeley DB transactional backend
dnssrv   DNS SRV backend
ldbm     Lightweight DBM backend
ldap     LDAP (proxy) backend
meta     Meta directory backend
monitor  Monitor backend
passwd   Provides read-only access to passwd(5)
perl     Perl programmable backend
shell    Shell (external program) backend
sql      SQL programmable backend

Installation

Installation

Server: apt-get install slapd

Client: apt-get install ldap-utils

Configuration

/etc/ldap/ldap.conf

include         /etc/ldap/schema/core.schema
schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        0
database        bdb
suffix          "dc=sparcs,dc=net"
rootdn          "cn=DsnManager,dc=sparcs,dc=net"
rootpw          {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R

slappasswd

A handy tool for generating a hashed password

Sample output: {SSHA}8DihK78pIOVntXZftMugdq4rxhYat03R

You just copy and paste the output into the configuration file as the rootpw value

Access Control List

access to <ENTRY> by <DN> <PERMISSION> [ by <DN> <PERMISSION> … ]

Access Control List: Example

defaultaccess none          # No permission by default
access to *                 # Granting permission for all entries
    by self write           # A user entry can modify itself
    by dn=".+" read         # An authenticated user can read
    by dn="^$$" read        # An anonymous user can read
    by * none               # Else granting no permission

Access Control List: Example

access to dn=".*,dc=(.*),dc=(.*),dc=net"
    attrs=children,entry,uid
    by dn="cn=Administrator,dc=$1,dc=$2" write

Caution

No blank around the separator (,): dn="dc=example,dc=com" (O), dn="dc=example, dc=com" (X)

ACLs are not overridden: the first matching rule wins, so specific rules must precede the general ones

The more complicated the ACL, the slower the search results
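The "details should precede the general configs" caution is easy to get wrong, because slapd stops at the first "access to" clause whose target matches and then at the first "by" clause whose subject matches; if that clause has no matching "by", access is denied and later clauses are never consulted. The following added example (not code from the slides) is a small simulator of those rules, written in Python, that encodes the two ACL clauses from the slides as data and evaluates them in both orders. The DN regex backreferences ($1, $2) are expanded from the groups captured by the target regex, as in the slides' administrator clause. The subject names "users" and "anonymous" stand for the slides' dn=".+" and dn="^$" patterns, the sample DNs are constructed, and the global default corresponds to the slides' defaultaccess directive (slapd's own default is read).

```python
import re
from typing import List, Optional, Sequence, Tuple

# Clause = (target DN regex, attribute names or None for all, [(subject, level), ...]).
# Subjects: "*", "self", "users" (slides: dn=".+"), "anonymous" (slides: dn="^$"), or "dn=<regex>"
# where $1, $2, ... refer to groups captured by the target regex.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ByClause = Tuple[str, str]
Clause = Tuple[str, Optional[Sequence[str]], List[ByClause]]


def _expand(regex: str, groups: Sequence[str]) -> str:
    """Replace $1, $2, ... with the text captured by the matching 'access to' regex (escaped)."""
    return re.sub(r"\$(\d)", lambda m: re.escape(groups[int(m.group(1)) - 1]), regex)


def _subject_matches(subject: str, bind_dn: str, entry_dn: str, groups: Sequence[str]) -> bool:
    if subject == "*":
        return True
    if subject == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    if subject == "users":
        return bind_dn != ""
    if subject == "anonymous":
        return bind_dn == ""
    if subject.startswith("dn="):
        return re.fullmatch(_expand(subject[3:], groups), bind_dn, re.IGNORECASE) is not None
    raise ValueError(f"unknown subject {subject!r}")


def evaluate(acl: List[Clause], bind_dn: str, entry_dn: str, attr: str = "entry",
             default: str = "read") -> str:
    """Return the access level slapd would grant.

    The first 'access to' whose target (and attribute list) matches is the only one consulted;
    within it the first matching 'by' decides; if none matches, access is denied ("none").
    If no 'access to' matches at all, the global default (the defaultaccess directive) applies.
    """
    for target, attrs, by_clauses in acl:
        m = re.fullmatch(".*" if target == "*" else target, entry_dn, re.IGNORECASE)
        if m is None or (attrs is not None and attr not in attrs):
            continue
        for subject, level in by_clauses:
            if _subject_matches(subject, bind_dn, entry_dn, m.groups()):
                return level
        return "none"
    return default


def allows(acl: List[Clause], bind_dn: str, entry_dn: str, wanted: str, attr: str = "entry") -> bool:
    """True if the granted level is at least the requested one (levels are cumulative)."""
    return LEVELS.index(evaluate(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)


# The two clauses from the slides, written as data.
ADMIN_CLAUSE: Clause = (r".*,dc=(.*),dc=(.*),dc=net", ("children", "entry", "uid"),
                        [("dn=cn=Administrator,dc=$1,dc=$2", "write")])
GENERAL_CLAUSE: Clause = ("*", None,
                          [("self", "write"), ("users", "read"), ("anonymous", "read"), ("*", "none")])

SPECIFIC_FIRST = [ADMIN_CLAUSE, GENERAL_CLAUSE]   # the order the slides recommend
GENERAL_FIRST = [GENERAL_CLAUSE, ADMIN_CLAUSE]    # the general clause shadows the admin one

# Constructed sample DNs (not from the slides); the entry needs three dc components so that
# the slides' regex captures $1=wheel and $2=sparcs.
HARRY = "uid=harry,dc=wheel,dc=sparcs,dc=net"
ADMIN = "cn=Administrator,dc=wheel,dc=sparcs"

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        print(f"{name}: admin on uid -> {evaluate(acl, ADMIN, HARRY, 'uid')}, "
              f"harry on own uid -> {evaluate(acl, HARRY, HARRY, 'uid')}, "
              f"harry on own mail -> {evaluate(acl, HARRY, HARRY, 'mail')}")
```

Running it shows both sides of the caution: with the general clause first, the administrator is downgraded to read on uid, because the "users" subject matched before the administrator clause was ever reached; with the specific clause first, harry is denied on his own uid attribute, because the administrator clause matched the entry and attribute but had no "by" for him. The second result is the reason a specific clause usually ends with its own "by users read" or "by * none" line chosen deliberately, rather than relying on fall-through that never happens. Real slapd ACLs also carry dn.base/dn.subtree styles, the "auth" level for userPassword and per-database ordering; this simulator covers only the regex style used on the slides.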

ldap-utils

ldap-utils

Common usage: <command> -D <Base DN> -W -f <LDIF_FILE_PATH>

ldapadd

Define which schema (object class) is used: objectclass: dcobject

Describe all 'Must' attributes: dn: dc=mydomain,dc=com, dc: mydomain

ldapadd: example

dn: dc=mydomain,dc=com
objectclass: dcobject
dc: mydomain

(In LDIF the dn line must come first, and the dc value has to equal the RDN value in the dn, so the slide's "dc: database" is corrected to "dc: mydomain". dcObject is an auxiliary class in core.schema, so a real entry also needs a structural class such as organization.)

ldapsearch: scope

ldapsearch: filters

(cn=harry)
(cn=h*)
(cn~=pipe)
(cn>=harry)
(&(cn=h*)(cn=*y))
(|(cn=h*)(cn=*y))
(!(cn=harry))
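To make the filter grammar and the search scope from the two slides above concrete, here is an added example (not code from the slides) in Python: a small recursive-descent parser for the filter syntax shown (equality with * wildcards, ~=, >=, <=, and the &, | and ! combinators), an evaluator that runs it over in-memory entries, and a scope check for the three ldapsearch -s values base, one and sub. It goes slightly beyond the slides by handling presence filters such as (cn=*) and by rejecting malformed filters instead of silently matching nothing. The entries are constructed sample data, approximate matching (~=) is simplified to case- and punctuation-insensitive equality, and DNs are split on plain commas (escaped commas are not handled).

```python
import re
from typing import Dict, List, Tuple, Union

Entry = Dict[str, List[str]]
Node = Union[Tuple[str, list], Tuple[str, str, str]]  # ("&"|"|"|"!", children) or (op, attr, value)


class FilterParser:
    """Parse an RFC 4515-style filter string into a tree of tuples."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self) -> Node:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError(f"trailing data at offset {self.i}")
        return node

    def _expect(self, ch: str) -> None:
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self) -> Node:
        self._expect("(")
        if self.i >= len(self.s):
            raise ValueError("unexpected end of filter")
        c = self.s[self.i]
        if c in "&|":                      # conjunction / disjunction of nested filters
            self.i += 1
            items = []
            while self.i < len(self.s) and self.s[self.i] == "(":
                items.append(self._filter())
            node: Node = (c, items)
        elif c == "!":                     # negation of exactly one nested filter
            self.i += 1
            node = ("!", [self._filter()])
        else:                              # simple item: attr op value
            m = re.match(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^)]*)", self.s[self.i:])
            if m is None:
                raise ValueError(f"bad filter item at offset {self.i}")
            self.i += m.end()
            node = (m.group(2), m.group(1), m.group(3))
        self._expect(")")
        return node


def _values(entry: Entry, attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _fold(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())  # simplified approximate-match normalisation


def matches(node: Node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    vals = _values(entry, attr)
    if op == "=":
        if pattern == "*":                 # presence filter
            return bool(vals)
        rx = ".*".join(re.escape(p) for p in pattern.split("*"))  # only * is a wildcard
        return any(re.fullmatch(rx, v, re.IGNORECASE) for v in vals)
    if op == "~=":
        return any(_fold(v) == _fold(pattern) for v in vals)
    if op == ">=":
        return any(v.lower() >= pattern.lower() for v in vals)
    return any(v.lower() <= pattern.lower() for v in vals)   # "<="


def in_scope(base_dn: str, entry_dn: str, scope: str) -> bool:
    """ldapsearch -s: base = the base entry only, one = its direct children, sub = the whole subtree."""
    base = [c.strip().lower() for c in base_dn.split(",")]
    parts = [c.strip().lower() for c in entry_dn.split(",")]
    if len(parts) < len(base) or parts[-len(base):] != base:
        return False
    depth = len(parts) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(entries: Dict[str, Entry], base_dn: str, scope: str, filter_text: str) -> List[str]:
    """Return the DNs of entries inside the scope that satisfy the filter."""
    tree = FilterParser(filter_text).parse()
    return [dn for dn, e in entries.items() if in_scope(base_dn, dn, scope) and matches(tree, e)]


# Constructed sample directory (not the slides' data).
ENTRIES: Dict[str, Entry] = {
    "dc=sparcs,dc=net": {"objectClass": ["dcObject", "organization"], "dc": ["sparcs"], "o": ["SPARCS"]},
    "cn=harry,dc=sparcs,dc=net": {"objectClass": ["person"], "cn": ["harry"], "sn": ["sample"]},
    "cn=hodduc,dc=sparcs,dc=net": {"objectClass": ["person"], "cn": ["hodduc"], "sn": ["sample"]},
    "cn=pipe,ou=wheel,dc=sparcs,dc=net": {"objectClass": ["person"], "cn": ["pipe"], "sn": ["sample"]},
}

if __name__ == "__main__":
    for f in ["(cn=h*)", "(&(cn=h*)(cn=*y))", "(|(cn=h*)(cn=*y))", "(!(cn=harry))", "(cn>=harry)", "(cn~=pipe)"]:
        print(f, "->", search(ENTRIES, "dc=sparcs,dc=net", "sub", f))
    print("one-level:", search(ENTRIES, "dc=sparcs,dc=net", "one", "(cn=*)"))
```

The parser rejects unbalanced or trailing input, which matters when filter strings are assembled from user input: the same characters that shape a filter (parentheses, *, and the operators) are the ones an application must escape before interpolating a value, and a strict parser is where a bad string gets caught rather than quietly widened into (cn=*).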

ldapsearch: example

sn=Daniels

givenname=Charlene

ldapmodify

Declare which entry you want to modify: dn: cn=harry,dc=sparcs,dc=org

State what kind of change will occur: changetype: modify / add / delete

If changetype: modify, state what kind of modification will occur: replace: cn / add: sn / delete: sn

Enter the value of the attribute if necessary: cn: hodduc

ldapmodify: example

dn: cn=harry,dc=sparcs,dc=org

changetype: modify

replace: cn

cn: hodduc

ldapmodrdn

Declare which entry you want to modify, then enter the new RDN

ldapmodrdn: example

cn=harry,dc=sparcs,dc=org
cn=noname

User authentication with LDAP

Client

apt-get install libnss-ldap libpam-ldap nss-updatedb nscd ldap-auth-client

Configuration files:
/etc/ldap.conf
/etc/auth-client-config/profile.d/ldap-auth-config
/etc/pam.d/
/etc/nsswitch.conf

Server

Automatic migration tools: apt-get install migrationtools

Question?

Web sites & documentation

http://wiki.kldp.org/wiki.php/LDAP-Tips
A good Korean document explaining how to configure LDAP authentication

http://50001.com/sub/down/ldap.doc
Also a good Korean document explaining general usage of LDAP

Thank you
I'm very sleepy