Académique Documents
Professionnel Documents
Culture Documents
..
nding
lmmary
ons
52
Chapter 3
Directory Services
Introduction
Directory services form a crucial component for managing and cataloging
objects such as user accounts and profile settings, groups, computers, printers, email, and other network and infrastructure objects. Just as core network services
are a prerequisite for directory services, directory services are a prerequisite (or a
desirable integration point) for other network services such as authentication,
messaging, and groupware services.
This chapter begins with an overview of directory services and Lightweight
Directory Access Protocol (LDAP). The section covers LDAP fundamentals
including Directory Information Tree (DIT) concepts, Distinguished Name (DN)
convention, objectclasses, schema components, and other LDAP concepts. We
also examine LDAP queries and connections.
Following the directory services overview, we explore Microsoft's directory
services solutions. Microsoft's directory services changed considerably from
Windows NT / Exchange 5.5 to Windows 2000. In Windows NT, the Security
Accounts Manager (SAM) stores all user account information, and Exchange 5.5
provides extended contact and messaging information. In Windows 2000, both of
these functions are combined into Active Directory (AD).
The next section examines OpenLDAP, the premier open source directory
server. We examine features of the OpenLDAP suite including server daemons,
client and server utilities, distributed directory services, and data import / export.
Directory services in a small company may consist of a single, non-dedicated
server, whereas directory services in a larger company tend to be distributed,
redundant, and utilized as an integration point for many other network services.
The section entitled "Designing Linux-Based Directory Services" will help you
determine key requirements for your company's directory services and design a
flexible solution that meets the current requirements as well as allowing for
future growth.
www.syngress.com
I
ou=Groups
Figure 3.2 shows a DIT for a company with very clear delineation among
business units. This might be a good way to organize a company where business
units operate as separate "islands", with almost no commumcation or information
sharing between business groups.
F i g u r e 3.2 Directory Information T r e e - Business Group Model
oo=s, ,os
.....................................
I..........i~.......................
53
54
)
,
[' ou=Americas ) [ o u
=AsiaPacific]
( ou =Europe
(._oo:G.roo0,)[
=
'I
i
.....
.....Christian
i Lahti
[cn"
IobjectClass:person
I~: L.hu
[uid: lahti
www.syngress.com
( 2.5.6.6
NAME
DESC
'RFC2256:
a person'
SUP
MUST
MAY
top
'person'
STRUCTURAL
( sn
$ cn
( userPassword
$ telephoneNumber
$ seeAlso
$ description
) )
This objectclass definition lists the attributes that must comprise a person
object (common name and surname) and the attributes that may optionally be
present (userPassword, telephoneNumber, seeAlso, and description). The following shows the definition of selected attributes.
attributetype
DESC
SUP
( 2.5.4.3
'RFC2256:
name
attributetype
DESC
SUP
'commonName'
common name(s)
( 2.5.4.4
name
DESC
( 'cn'
is
known
by'
'RFC2256:
attributetype
NAME
NAME
last
( 'sn'
(family)
'surname'
name(s)
is k n o w n
by'
( 2.5.4.20
NAME
'telephoneNumber'
EQUALITY
telephoneNumberMatch
SUBSTR
telephoneNumberSubstringsMatch
SYNTAX
1.3.6.1.4.1.1466'.115.121.1.50{32}
55
56
Anonymous bind
Simple bind
Search Base The search base contains the D N of the portion of directory tree where the search should begin. Typically this is in the form of
dc=domain,dc=com, although older implementations may use o=orga nization,c=country. This is also sometimes called the search sufftx.
Search Scope The search scope may be base, one, or sub. A base
search scope searches only at the search base level. A search scope of one
searches up to one level below the base. The sub search scope will search
through all subtrees below and including the search base.
Search Filter The search fdter specifies which types of objects and
attributes the directory server should return. Search fdters are specified
using regular expression syntax.
Search Attributes The search attributes parameter lists the attributes
to return in the LDAP query. If the search attribute field is not popu-
Directory Services
Chapter 3
lated, all attributes of the object will be returned. To mimmize the performance impact to the directory server, it is considered a best practice
to ask for only the attributes that are needed.
Another way to represent an LDAP search is through the use of a Uniform
Resource Indicator, or U R I . The basic format of an LDAP U R I is as follows:
'idap://' [hostport]
[filter] ]] ] ] ]
['/'
[dn ['?'
[attributes]
['?'
[scope]
['?'
Understanding
Microsoft Directory Services
Windows N T and Windows 2000 Server employ three directory servers. These
three servers are the N T Security Accounts Manager, Exchange 5.5 Directory
Services, and Windows 2000 Active Directory. We examine these directory
servers below.
57
58
only one PDC in a Windows N T domain, but there may be zero or more
BDCs.
Windows N T domains are not hierarchical, but instead depend on trust relationships for interoperation. In this book, we shall consider only a single-domain
model. If you have multiple domains, you may use the single-domain migration
techniques to migrate some or all portions of each domain individually. These
domains may be kept separate or collapsed into a single domain, depending on
your requirements.
www.syngress.com
,,,
Windows NT Domains
,,,,,
DNS-integrated.
Hierarchical, transitive trust model.
No DNS integration.
Island model with various types of trust
relationships.
Store credentials for Kerberos and
NT/LANMAN authentication.
capabilities.
Stores extensive user contact
information.
Multi-master replication model.
,,,
Understanding OpenLDAP
OpenLDAP is the premier open source directory solution. It contains a full suite
of client and server components necessary to implement and utilize directory
services. OpenLDAP runs on all versions of Linux and features robust replication
59
60
Description
Idapsearch
Idapadd
Idapmodify
Idapdelete
Idappasswd
slappasswd
www.syngress.com
Description
slapcat
slapadd
slapindex
,,,
In order to maintain database consistency, slapd should be shut down (or runrang in read-only mode) when performing a slapcat or slapindex operation.
Slapd should also be shut down during a slapadd operation. In most cases, an
LDIF fde is specified for input when executing ldapadd, ldapmodify, or
ldapdelete, especially if multiple objects are to be affected. More information
about OpenLDAP utilities may be obtained by typing m a n utilityname.
Designing
Linux-Based Directory Services
With an understanding of directory services, LDAP, and OpenLDAP, you are
ready to design and deploy your Linux-based directory services. The following
sections will help you determine the best way to meet your orgamzation's directory services requirements.
61
62
1 ...............
.....
(o0oG 00 , ?
fo0o=00,,4 {o0=o
www.syngress.com
Directory Services
Chapter 3
Boron
Nitrogen
Repllcdon
OpenLDAP
Master
OpenLDAP
Slave
(i!
m ,]
63
64
Configuring and
Testing the OpenLDAP Server(s)
With the type and placement of your server(s) determined, you are ready to test
directory services in the lab. Compile and install the current OpenLDAP package
or install the current OpenLDAP package from your distribution on a test lab
server. Depending on which features of OpenLDAP you wish to use, you may
need to supply switches to ./configure to enable specific compile-time options.
If you are installing an OpenLDAP package from a distribution, there may be
multiple similarly named versions compiled with different options. For basic
unencrypted directory services, the default options should work well. If you need
additional features, you may recompile or upgrade the OpenLDAP software at a
later time. More information about building and installing OpenLDAP is available at ww.openldap.org/doc/admin22/install.html.
After you install OpenLDAP, you must customize the OpenLDAP server
configuration file, slapd.conf, to reflect your environment. The following illustrates the sladp.conf fde for Acme Widgets.
# Schema
~les
include
include
include
/ etc / o p e n l d a p / s c h e m a / i n e t o r g p e r s o n , schema
include
include
schemacheck
on
lastmod
on
# This
section
database
suffix
deflnes the a c m e w i d g e t s . c o m
directory
database
bdb
"dc=acmewidgets,dc=com"
rootdn
"cn=Manager,dc=acmewidgets,dc=com"
rootpw
"secret"
directory
# These
/var/lib/Idap
database
indices
improve
performance
eq
index
objectClass, uidNumber, g i d N u m b e r
index
pres, sub, eq
index
mail, givenname, m e m b e r U i d
index
sambaSID, s a m b a P r i m a r y G r o u p S I D , s a m b a D o m a i n N a m e
# Access
access
Control
to a t t r s = u s e r P a s s w o r d , s a m b a N T P a s s w o r d , s a m b a L M P a s s w o r d
by
self w r i t e
by a n o n y m o u s
by
# all
access
eq
others
to
by
auth
* none
attributes
are
readable
to e v e r y b o d y
*
* read
samba.schema from the Samba package. These schemas are required to provide
the following objectclasses that will be used for the migration:
65
66
top
posixAccount
shadowAccount
sambaAccount
[]
sambaSAMAccount
m sambaDomain
person
m orgamzationalPerson
inetOrgPerson
m posixGroup
sambaGroupMapping
W h e n you have properly set up slapd.conf, start the OpenLDAP server and
perform a simple bind operation using the rootdn credentials
(cn=Manager, dc=yourdomain,dc=com). Although there will be no visible data
other than the schema information, you have verified that you are able to properly connect to the directory server.You are now ready to populate the directory
with your data.
www.syngress.com
I~
~.~
Directory Services
Chapter 3
Summary
Directory services enable the hierarchical storage and centralized management of
information about users, groups, computers, and other network and infrastructure
items. Since directory services are a prerequisite (or a desirable integration point)
for the other network services mentioned in this book, deploying your Linuxbased directory services represents the establishment of a significant foundation
for the network services in the following chapters.
in the next chapter you will be introduced to Samba, which will integrate with
your OpenLDAP directory to allow for authentication. We will also examine the
migration of NT, Exchange 5.5, and/or Active Directory information.
-,'~7"',,: ~'
:: :=:
......~':~
~~~
~'i:~:~:
:';~
...
~_~,.
L ' ; i:-
~-
'
- "
-,,. ~
':,~..'-
..
~/I The Exchange 5.5 directory features multi-master replication and LDAP
support, and contains a rich set of objects and attributes. The Exchange
directory supports user mailboxes, groups (for mailing lists), and custom
recipients. User mailboxes are linked to the N T SAM through the use
of a P r i m a r y W'mdows N T A c c o u n t field.
I/] Active Directory is Microso~'s Windows 2000 implementation of enter-~
prise directory services. Active Directory contains a superset of the
information in the N T SAM and Exchange 5.5 directories. More informarion about Active Directory is avaihble at www.microsoft.com/windows2000/technologies/directory/.
Understanding OpenLDAP
OpenLDAP is the premier open source directory solution. It contains a
fixU-feamred suite of client and server components necessary to implement and utilize directory services.
The final step prior to deployment is to install, configure, and test directory services in the lab. Customize slapd.conf to include the schema
files, base DN, database configuration, and access controls appropriate for
your organization.
Q: Is there
A: The use of slapcat and slapadd is recommended for these purposes. Do not
attempt to copy the database ftle of a live database that is performing write
operations - the database may be in an inconsistent state and cause a restore
operation to fail.
Q: Are
one, two,
What is the b,
tlenecks?
A: Using round-robin DNS is a best-practices methodology to enable load balancing, redundant, and highly available directory services.