
Advanced Network and System Administration
Accounts and Namespaces

1
Topics

1. What is a directory?
2. NIS
3. LDAP
4. OpenLDAP
5. LDAP Authentication

2
What is a Directory?

Directory: A collection of information that is primarily searched and read, rarely modified.
Directory Service: Provides access to directory information.
Directory Server: Application that provides a directory service.

3
Directories vs. Databases
Directories are optimized for reading.
Databases balanced for read and write.
Directories are tree-structured.
Databases typically have relational structure.
Directories are usually replicated.
Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.

4
System Administration Directories

Types of directory data
  Accounts
  Mail aliases and lists (address book)
  Cryptographic keys
  IP addresses
  Hostnames
  Printers
Common directory services
  DNS, LDAP, NIS
5
Advantages of Directories
Make administration easier.
  Change data only once: people, accounts, hosts.
Unify access to network resources.
  Single sign on.
  Single place for users to search (address book).
Improve data management.
  Improve consistency (one location vs. many).
  Secure data through only one server.

6
NIS: Network Information Service
Originally called Sun Yellow Pages.
Clients run ypbind.
Servers run ypserv.
Data stored under /var/yp on server.
Server shares NIS maps with clients.
  Each UNIX file may provide multiple maps.
  passwd: passwd.byname, passwd.byuid
Slave servers replicate master server content.
Easy to use, but insecure and difficult to extend.

7
LDAP
Lightweight Directory Access Protocol
Lightweight compared to X.500 directories.
Directory, not a database.
Access Protocol, not a directory itself.

8
LDAP Clients and Servers
LDAP Clients
  Standalone directory browsers.
  Embedded clients (mail clients, logins, etc.)
  Configure /etc/nsswitch.conf on UNIX to use LDAP.
Common LDAP servers
  OpenLDAP
  Fedora Directory Server (formerly Sun, Netscape)
  Mac Open Directory
  Microsoft Active Directory
  Novell eDirectory (NDS)

9
LDAP Structure
An LDAP directory is made of entries.
  Entries may be employee records, hosts, etc.
Each entry consists of attributes.
  Attributes can be names, phone numbers, etc.
  The objectClass attribute identifies the entry type.
Each attribute is a type / value pair.
  Type is a label for the information stored (name).
  Value is the value for the attribute in this entry.
  Attributes can be multi-valued.

10
Tree-structure of LDAP Directories

11
LDAP Schemas

Schemas specify allowed objectClasses and attributes.

12
LDIF
LDAP Interchange Format.
Standard text format for storing LDAP configuration data and directory contents.
LDIF Files
  Collection of entries separated by blank lines.
  Mapping of attribute names to values.
Uses
  Import new data into directory.
  Export directory to LDIF files for backups.
13
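The slides describe LDIF only in outline (entries separated by blank lines, attribute-name-to-value mappings, used for import and backup). The following added example, which is not code from the course, is a small LDIF reader and writer in plain Python that handles the details a practitioner trips over: comment lines, folded continuation lines, base64 (`::`) values, and multi-valued attributes. The sample LDIF, the entry under dc=plainjoe,dc=org, and the userPassword value are constructed for the example.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute name -> list of values (attributes may be multi-valued)

# Constructed sample LDIF (not the course's own output): two entries, a folded
# value, a base64 value, and a comment line.
SAMPLE_LDIF = """\
# lines starting with '#' are comments
dn: dc=plainjoe,dc=org
objectClass: dcObject
objectClass: organization
dc: plainjoe
o: Plain Joe

dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Jeff Foo
sn: Foo
description: a value that is long enough to be folded onto
  a continuation line
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""


def _unfold(text: str) -> List[str]:
    """A line beginning with a single space continues the previous line; the space is dropped."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into a list of entries; blank lines separate entries."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text):
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if rest.startswith(":"):                      # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                     # "attr:< file:///..." (not handled here)
            raise ValueError("URL-valued attributes are not supported by this reader")
        else:
            value = rest.lstrip(" ")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    for entry in entries:
        if "dn" not in entry:
            raise ValueError("entry without a dn line")
    return entries


def _needs_base64(value: str) -> bool:
    """Values that are not SAFE-STRINGs (non-ASCII, control chars, leading space/colon/<) go base64."""
    if value == "":
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\r\n\0" for c in value)


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF, dn first, as an export/backup would."""
    records = []
    for entry in entries:
        lines = []
        for name in ["dn"] + [k for k in entry if k != "dn"]:
            for value in entry[name]:
                if _needs_base64(value):
                    lines.append(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
                else:
                    lines.append(f"{name}: {value}")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def cleartext_passwords(entries: List[Entry]) -> List[str]:
    """DNs whose userPassword is not a {SCHEME}-prefixed hash: worth checking before a backup leaves the host."""
    return [e["dn"][0] for e in entries
            if any(not pw.startswith("{") for pw in e.get("userPassword", []))]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(len(parsed), "entries;", "cleartext passwords:", cleartext_passwords(parsed))
    print(to_ldif(parsed))
```

The reader treats a backup file as data, not as modification records, so it does not implement `changetype:` lines; `cleartext_passwords` is the kind of check to run over an LDIF export before it is copied to a backup location, since the export carries whatever the server stores.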
LDIF Output Example

14
Distinguished Names
Distinguished Names (DNs)
  Uniquely identify an LDAP entry.
  Provide the path from the LDAP root to the named entry.
  Similar to an absolute pathname.
  dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
Relative DNs (RDNs)
  Any unique attribute pair in the directory's container.
  ex: cn=Jeff Foo OR username=fooj
  Similar to a relative pathname.
  Except may have multiple components.
    cn=Jane Smith+ou=Sales
    cn=Jane Smith+ou=Engineering

15
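To make the pathname analogy concrete, here is an added DN parser (not code from the course) that splits a DN into its RDNs, splits a multi-valued RDN on `+`, and decodes the backslash escapes that a literal comma or non-ASCII byte in a value requires. It goes slightly beyond the slide by handling escaped separators and hex-escaped UTF-8 bytes; the DNs in the usage block are the slide's own examples plus constructed escape cases.

```python
import re
from typing import List, Tuple

# One RDN is a list of (attribute type, value) pairs; a multi-valued RDN such as
# cn=Jane Smith+ou=Sales has more than one pair.
RDN = List[Tuple[str, str]]

_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, but not on a separator that is escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape; it is decoded later
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Decode escapes: backslash + special character, or backslash + hex pair (one UTF-8 byte)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1:i + 3]
            if _HEXPAIR.fullmatch(nxt):
                out.append(int(nxt, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN into RDNs in written order: leaf first, suffix (root) last.
    The empty string names the root, which is the DN an anonymous bind presents."""
    dn = dn.strip()
    if dn == "":
        return []
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(dn, ","):
        pairs: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, eq, val = ava.partition("=")
            if not eq or attr.strip() == "":
                raise ValueError(f"malformed RDN component: {ava!r}")
            # attribute types are case-insensitive; values keep their case
            pairs.append((attr.strip().lower(), _unescape(val.strip())))
        rdns.append(pairs)
    return rdns


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: the analogue of dirname on a pathname."""
    rdns = _split_unescaped(dn.strip(), ",")
    return ",".join(r.strip() for r in rdns[1:])


def as_path(dn: str) -> str:
    """Render the DN root-first, which shows the absolute-pathname analogy directly."""
    return "/" + "/".join(
        "+".join(f"{attr}={val}" for attr, val in rdn) for rdn in reversed(parse_dn(dn))
    )


if __name__ == "__main__":
    for dn in ("cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org",
               "cn=Jane Smith+ou=Sales,dc=plainjoe,dc=org",
               r"cn=Smith\, Jane,dc=plainjoe,dc=org"):        # constructed: escaped comma
        print(dn, "->", as_path(dn), "| parent:", parent_dn(dn))
```

Note that string comparison of DNs is not enough for an access-control decision: `CN=Jeff Foo` and `cn=Jeff Foo` name the same entry, and an escaped comma must not be mistaken for an RDN boundary, which is why the parser normalizes attribute types and decodes escapes before anything compares them.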
LDAP Client/Server Interaction

1. Client requests to bind to server.
2. Server accepts/denies bind request.
3. Client sends search request.
4. Server returns zero or more dir entries.
5. Server sends result code with any errors.
6. Client sends an unbind request.
7. Server sends result code and closes socket.

16
LDAP Operations
Client Session Operations
  Bind, unbind, and abandon
Query and Retrieval Operations
  Search and compare
Modification Operations
  Add, modify, modifyRDN, and delete

17
Authentication
Anonymous Authentication
  Binds with empty DN and password.
Simple Authentication
  Binds with DN and password. Cleartext.
Simple Authentication over SSL/TLS
  Use SSL to encrypt simple authentication.
Simple Authentication and Security Layer
  SASL is an extensible security scheme.
  SASL mechanisms: Kerberos, GSSAPI, SKEY

18
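The interaction sequence (bind, result, unbind) and the remark that simple authentication is cleartext are easiest to appreciate at the byte level. The following added example, not code from the course, encodes the bind exchange from the slides as LDAPv3 messages in BER, the encoding the protocol actually uses, and decodes a bind request back out, which shows that the password is sitting verbatim in the bytes unless the connection is wrapped in SSL/TLS or a SASL mechanism is used. The DN is the slide's example; the password "s3cret" and the result strings are constructed sample values, and `simple_bind_exchange` is a hypothetical helper that fabricates both sides' messages without a network.

```python
from typing import Tuple

# --- minimal BER primitives (tag, length, value) -------------------------------

def _ber_len(n: int) -> bytes:
    """Short form below 128, otherwise 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(n: int) -> bytes:
    """INTEGER for non-negative values (message IDs, protocol version, result codes)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


# --- the three messages of the bind/unbind exchange ---------------------------

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }.
    An anonymous bind is the same message with dn == "" and password == ""."""
    op = _int(3) + _tlv(0x04, dn.encode("utf-8")) + _tlv(0x80, password.encode("utf-8"))
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, op))


def bind_response(msg_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }.
    0 is success; 49 is invalidCredentials."""
    op = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode("utf-8"))
    return _tlv(0x30, _int(msg_id) + _tlv(0x61, op))


def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL: the client's goodbye before the socket closes."""
    return _tlv(0x30, _int(msg_id) + bytes([0x42, 0x00]))


def decode_bind_request(wire: bytes) -> Tuple[int, str, str]:
    """Recover (messageID, dn, password) from a simple bind: no key is needed, only the encoding."""
    tag, msg, _ = _read_tlv(wire, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL credentials use context tag [3])")
    return int.from_bytes(mid, "big"), name.decode("utf-8"), auth.decode("utf-8")


def password_visible(wire: bytes, password: str) -> bool:
    """True when the password bytes appear as-is in the message: the 'Cleartext' point on the slide."""
    return password.encode("utf-8") in wire


def simple_bind_exchange(dn: str, password: str, accept: bool) -> Tuple[bytes, bytes, bytes]:
    """Hypothetical helper: the client's bind, the server's verdict, and the client's unbind."""
    client_bind = bind_request(1, dn, password)
    server_reply = bind_response(1, 0 if accept else 49, "" if accept else "invalid credentials")
    return client_bind, server_reply, unbind_request(2)


if __name__ == "__main__":
    req, resp, unbind = simple_bind_exchange("cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org", "s3cret", True)
    for label, m in (("bind", req), ("response", resp), ("unbind", unbind)):
        print(f"{label:9s} {m.hex(' ')}")
    print("password visible on the wire:", password_visible(req, "s3cret"))
```

The decode function needs nothing but the BER layout, which is the whole argument for the two alternatives the slide lists next to simple authentication: with SSL/TLS these same bytes travel inside the encrypted record layer, and with a SASL mechanism such as GSSAPI the `[0]` simple credential is replaced by a `[3]` SASL credential that never carries the password itself.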
Distributed Directories
Use multiple LDAP servers.
Why distribute?
  Throughput
    More servers can reduce load on any single server.
  Latency
    Have local server serve local data to LAN.
    Only use WAN for non-local data on other servers.
  Administrative Boundaries
    Let each side administrate their own directory.

19
OpenLDAP
Open source LDAPv3 server.
LDAP server: slapd
Client commands: ldapadd, ldapsearch
Backend storage: BerkeleyDB
Backend commands: slapadd, slapcat
Schemas: /etc/openldap/schema
Data: /var/lib/ldap
Configuration files
  Client: /etc/openldap/ldap.conf
  Server: /etc/openldap/slapd.conf

20
Building an OpenLDAP Server
1. Install OpenLDAP.
2. Configure LDAP for your domain.
   Change suffix, rootdn, rootpw options.
   vim /etc/openldap/slapd.conf
3. Start server
   Immediate: /sbin/service ldap start
   Permanent: /sbin/chkconfig --level 35 ldap on
4. Add data with ldapadd
5. Verify functionality with ldapsearch
21
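Step 2 sets `rootpw` in slapd.conf, and the weak setting is a cleartext value on that line. The following added example, which is not code from the course or the OpenLDAP project, produces the `{SSHA}` form that OpenLDAP's slappasswd emits (base64 of SHA-1(password + salt) followed by the salt), verifies a password against it, writes the three directives from the slide, and audits a slapd.conf fragment for a cleartext rootpw. The suffix and rootdn values are constructed from the slide's example domain, and the password is a sample value.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SCHEME = "{SSHA}"
DIGEST_LEN = 20   # SHA-1 digest size; everything after it in the decoded blob is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt). slappasswd uses a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def slapd_conf_fragment(suffix: str, rootdn: str, root_password: str) -> str:
    """The three directives the slide says to change, with rootpw stored hashed rather than cleartext."""
    return "\n".join([
        f'suffix   "{suffix}"',
        f'rootdn   "{rootdn}"',
        f"rootpw   {ssha_hash(root_password)}",
        "",
    ])


def rootpw_findings(conf_text: str) -> List[str]:
    """Report rootpw lines whose value is not a {SCHEME}-prefixed hash (ignores comments)."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") or not stripped.startswith("rootpw"):
            continue
        value = stripped[len("rootpw"):].strip().strip('"')
        if not value.startswith("{"):
            findings.append(f"line {lineno}: rootpw is stored in cleartext")
    return findings


if __name__ == "__main__":
    # constructed values: the slide's example domain, OpenLDAP's customary Manager rootdn, a sample password
    fragment = slapd_conf_fragment("dc=plainjoe,dc=org", "cn=Manager,dc=plainjoe,dc=org", "s3cret")
    print(fragment)
    print("findings:", rootpw_findings(fragment))
    print("findings for cleartext:", rootpw_findings('suffix "dc=plainjoe,dc=org"\nrootpw s3cret\n'))
```

Two caveats a practitioner would want: the hash only protects the file at rest, so slapd.conf still needs restrictive permissions since the rootdn bypasses access controls entirely; and SHA-1 with a 4-byte salt was the default of the period these slides describe, while current OpenLDAP releases support stronger password schemes that should be preferred for new deployments.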
LDAP Authentication
1. Configure server with schema + user data.
2. Point clients to hostname and rootDN of server.
   /etc/ldap.conf and
   /etc/openldap/ldap.conf
3. Verify server access with ldapsearch
4. Configure clients to use LDAP auth
   /etc/nsswitch.conf
     passwd: files ldap
     shadow: files ldap
     group: files ldap

22