
Document: Advanced Network and System Administration (ppt)


DOCUMENT INFORMATION

Pages: 23
Size: 165.5 KB

Content

Advanced Network and System Administration
Accounts and Namespaces

Topics
- What is a directory?
- NIS
- LDAP
- OpenLDAP
- LDAP authentication

What is a Directory?
- Directory: a collection of information that is primarily searched and read, and rarely modified
- Directory service: provides access to directory information
- Directory server: an application that provides a directory service

Directories vs Databases
- Directories are optimized for reading; databases are balanced for reads and writes
- Directories are tree-structured; databases typically have a relational structure
- Directories are usually replicated; databases can be replicated too
- Both are extensible data storage systems
- Both have advanced search capabilities

System Administration Directories
- Types of directory data: accounts, mail aliases and lists (address book), cryptographic keys, IP addresses, hostnames, printers
- Common directory services: DNS, LDAP, NIS

Advantages of Directories
- Make administration easier: unify access to network resources; change data only once (people, accounts, hosts); single sign-on; one place for users to search (address book)
- Improve data management: better consistency (one location instead of many copies); one server to secure instead of many

NIS: Network Information Service
- Originally called Sun Yellow Pages, hence the yp* command names
- The server shares NIS maps with clients: clients run ypbind, servers run ypserv
- Data is stored under /var/yp on the server
- Each UNIX file may provide multiple maps: passwd becomes passwd.byname and passwd.byuid
- Slave servers replicate the master server's content
- Easy to use, but insecure and difficult to extend: NIS has no client authentication and no transport encryption, so anyone who can reach ypserv and knows (or guesses) the NIS domain name can dump the maps, password hashes included

LDAP
- Lightweight Directory Access Protocol
- Lightweight compared to X.500 directories and their DAP
- A directory, not a database
- An access protocol, not a directory itself

LDAP Clients and Servers
- LDAP clients: standalone directory browsers; embedded clients (mail clients, logins, etc.)
- On UNIX, configure /etc/nsswitch.conf so that name lookups use LDAP
- Common LDAP servers: OpenLDAP; Fedora Directory Server (descended from the Netscape/Sun directory server); Mac OS X Open Directory; Microsoft Active Directory; Novell eDirectory (NDS)

LDAP Structure
- An LDAP directory is made of entries; each entry consists of attributes
- Entries may be employee records, hosts, etc.; attributes can be names, phone numbers, etc.
- The objectClass attribute identifies the entry type
- Each attribute is a type/value pair: the type is a label for the information stored (e.g. name), the value is that attribute's value in this entry
- Attributes can be multi-valued

Tree Structure of LDAP Directories
(figure only)

LDAP Schemas
- Schemas specify the allowed objectClasses and attributes

LDIF: LDAP Data Interchange Format
- Standard text format for storing LDAP configuration data and directory contents
- A collection of entries separated by blank lines; each entry maps attribute names to values
- Uses: import new data into a directory; export the directory to LDIF files for backups

LDIF Output Example
(example not reproduced here)

Distinguished Names
- Distinguished Names (DNs) uniquely identify an LDAP entry
- A DN gives the path from the LDAP root to the named entry, similar to an absolute pathname
- Example: dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
- Relative DNs (RDNs): any attribute=value pair that is unique within the entry's container, e.g. cn=Jeff Foo or uid=fooj; similar to a relative pathname
- Unlike a pathname component, an RDN may have multiple components joined with '+': cn=Jane Smith+ou=Sales and cn=Jane Smith+ou=Engineering name two different entries

LDAP Client/Server Interaction
- Client sends a bind request to the server
- Server accepts or denies the bind request
- Client sends a search request
- Server returns zero or more directory entries
- Server sends a result code, with any errors
- Client sends an unbind request
- Server closes the socket (there is no response to an unbind)

LDAP Operations
- Client session operations: bind, unbind, abandon
- Query and retrieval operations: search, compare
- Modification operations: add, modify, modifyRDN (modDN), delete
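The LDIF and Distinguished Names slides above describe the two text formats an administrator handles most; the following is an added example (not code from the slides or from OpenLDAP) that parses LDIF content records, splits DNs into RDNs including multi-valued ones, and runs the two checks slapd would otherwise reject an import for: every entry sits under the directory suffix and carries an objectClass. The LDIF, the plainjoe.org names and the userPassword value are constructed for the example; the password value is a placeholder, not a real hash.

```python
"""LDIF and DN handling (added example; not from the slides or OpenLDAP).
The sample LDIF below is constructed for this example."""
import base64

SAMPLE_LDIF = """\
version: 1

dn: dc=plainjoe,dc=org
objectClass: dcObject
objectClass: organization
dc: plainjoe
o: Plain Joe

dn: ou=Sales,dc=plainjoe,dc=org
objectClass: organizationalUnit
ou: Sales

# constructed user entry; the userPassword value is a placeholder, not a real hash
dn: cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Jeff Foo
sn: Foo
uid: fooj
mail: fooj@plainjoe.org
description: Sales engineer, folded
  across two lines
userPassword:: e1NTSEF9YWJj

dn: cn=Jane Smith+ou=Engineering,dc=plainjoe,dc=org
objectClass: inetOrgPerson
cn: Jane Smith
sn: Smith
ou: Engineering

dn: cn=stray,dc=example,dc=com
cn: stray
"""


def parse_ldif(text):
    """Parse LDIF content records into [{'dn': str, 'attrs': {name: [values]}}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: drop one leading space, append
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append({"dn": dn, "attrs": attrs})
            dn, attrs = None, {}
            continue
        if dn is None and not attrs and line.startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):               # attr:: base64 (binary or unsafe values)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):             # attr:< file:///... not supported here
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def parse_dn(dn):
    """Split a DN into RDNs, each a list of (type, value) pairs; '+' joins the
    components of a multi-valued RDN. Handles '\\X' escapes and single-byte
    '\\XX' hex escapes from RFC 4514."""
    if dn == "":
        return []
    rdns, pairs, buf, typ, i = [], [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == "=" and typ is None:
            typ = "".join(buf).strip()
            buf = []
        elif c in "+,":
            pairs.append((typ, "".join(buf).strip()))
            buf, typ = [], None
            if c == ",":
                rdns.append(pairs)
                pairs = []
        else:
            buf.append(c)
        i += 1
    pairs.append((typ, "".join(buf).strip()))
    rdns.append(pairs)
    return rdns


def _norm(rdns):
    return [sorted((t.lower(), v.lower()) for t, v in rdn) for rdn in rdns]


def is_under(dn, suffix):
    """True if dn is at or below suffix (case-insensitive, '+' order ignored)."""
    d, s = _norm(parse_dn(dn)), _norm(parse_dn(suffix))
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def check_entries(entries, suffix):
    """Checks to run before ldapadd: each entry must sit under the suffix and
    carry an objectClass (slapd refuses entries without one)."""
    problems = []
    for e in entries:
        if not is_under(e["dn"], suffix):
            problems.append(f"{e['dn']}: not under suffix {suffix}")
        if not e["attrs"].get("objectClass"):
            problems.append(f"{e['dn']}: no objectClass")
    return problems


if __name__ == "__main__":
    for problem in check_entries(parse_ldif(SAMPLE_LDIF), "dc=plainjoe,dc=org"):
        print(problem)
```

Running the block reports the stray entry twice (wrong suffix, no objectClass); the other four entries pass, including the one whose RDN is the multi-valued cn=Jane Smith+ou=Engineering.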
Authentication
- Anonymous authentication: bind with an empty DN and an empty password
- Simple authentication: bind with a DN and password; the password travels in cleartext
- Simple authentication over SSL/TLS: wrap the simple bind in SSL/TLS (ldaps:// or StartTLS) so the password is encrypted on the wire
- SASL (Simple Authentication and Security Layer): an extensible security scheme; mechanisms include Kerberos, GSSAPI and S/KEY
- Caveat: a bind with a non-empty DN and an empty password is an "unauthenticated" bind; some servers grant it anonymous access and still report success, so an application must not treat "bind succeeded" as proof of a password. OpenLDAP refuses it by default.

Distributed Directories
- Use multiple LDAP servers
- Why distribute? Throughput: more servers reduce the load on any single server
- Latency: a local server serves local data to the LAN; the WAN is used only for non-local data held on other servers
- Administrative boundaries: let each site administer its own directory

OpenLDAP
- Open-source LDAPv3 server
- LDAP server: slapd
- Client commands: ldapadd, ldapsearch
- Backend storage: BerkeleyDB (the bdb/hdb backends of this era; current releases use LMDB through back-mdb)
- Backend commands: slapadd, slapcat
- Schemas: /etc/openldap/schema
- Data: /var/lib/ldap
- Configuration files: client /etc/openldap/ldap.conf; server /etc/openldap/slapd.conf (newer releases keep the configuration in the cn=config database under slapd.d instead)

Building an OpenLDAP Server
1. Install OpenLDAP
2. Configure LDAP for your domain: change the suffix, rootdn and rootpw options (vim /etc/openldap/slapd.conf)
3. Start the server: immediately with /sbin/service ldap start; at boot with /sbin/chkconfig --level 35 ldap on
4. Add data with ldapadd
5. Verify functionality with ldapsearch

LDAP Authentication
1. Configure the server with the schema and user data
2. Point clients to the server's hostname and base DN (the suffix; clients never need the rootdn credentials) in /etc/ldap.conf and /etc/openldap/ldap.conf
3. Verify server access with ldapsearch
4. Configure clients to use LDAP for authentication in /etc/nsswitch.conf:
   passwd: files ldap
   shadow: files ldap
   group: files ldap
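The Authentication and Client/Server Interaction slides above say that a simple bind sends the password in cleartext; the following added example (not code from the slides or from any LDAP library) builds the actual LDAPv3 BindRequest bytes as defined in RFC 4511, decodes them the way a server or a sniffer would, and classifies the bind under RFC 4513, including the unauthenticated case that catches applications out. The DN and password are constructed for the example.

```python
"""LDAPv3 BindRequest on the wire (RFC 4511, BER). Added example, not from
the slides or any LDAP library; the DN and password are constructed."""


def _ber_len(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v):
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    The password is a plain OCTET STRING: only TLS hides it on the wire."""
    auth = _tlv(0x80, password.encode())                            # [0] simple
    op = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode()) + auth)   # [APPLICATION 0]
    return _tlv(0x30, _ber_int(msg_id) + op)


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pkt):
    """Decode what a server (or anyone on the path) sees in a BindRequest."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    atag, cred, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": name.decode(),
        "simple": atag == 0x80,
        "password": cred.decode() if atag == 0x80 else None,
    }


def bind_kind(req):
    """RFC 4513 classification. An 'unauthenticated' bind (DN given, empty
    password) is granted anonymous access by some servers while still
    reporting success, so an application that only checks 'bind succeeded'
    can be bypassed with an empty password. OpenLDAP refuses it unless
    'allow bind_anon_dn' is configured."""
    if not req["simple"]:
        return "sasl"
    if req["dn"] == "" and req["password"] == "":
        return "anonymous"
    if req["password"] == "":
        return "unauthenticated"
    return "simple"


def password_on_wire(pkt, password):
    """True when the cleartext password is present in the packet bytes."""
    return password.encode() in pkt


if __name__ == "__main__":
    pkt = bind_request(1, "cn=Jeff Foo,ou=Sales,dc=plainjoe,dc=org", "s3cret")
    print(pkt.hex())
    print(bind_kind(parse_bind_request(pkt)), password_on_wire(pkt, "s3cret"))
```

The anonymous bind encodes to the twelve-byte message 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 (message ID 1), which is what an ldapsearch -x with no -D produces; the same packet for a named DN carries the password verbatim after the 0x80 tag, which is why the slides pair simple binds with SSL/TLS.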
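The Building an OpenLDAP Server and LDAP Authentication slides above list the options to change but not what a safe result looks like. The following added configuration (not from the slides or the OpenLDAP project) shows the slapd.conf a first install often ends up with beside a hardened version, then the matching nss_ldap/pam_ldap client file. The ldap.plainjoe.org hostname, the certificate paths and the rootpw value are assumptions; the {SSHA} string is a placeholder to be replaced with slappasswd output.

```conf
# /etc/openldap/slapd.conf as a first install often looks (weak)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
database        bdb
suffix          "dc=plainjoe,dc=org"
rootdn          "cn=Manager,dc=plainjoe,dc=org"
# cleartext password in a config file
rootpw          secret
directory       /var/lib/ldap
# no access directives: slapd's default policy lets anyone read everything,
# so userPassword hashes are returned to anonymous searches

# /etc/openldap/slapd.conf, hardened
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
database        bdb
suffix          "dc=plainjoe,dc=org"
rootdn          "cn=Manager,dc=plainjoe,dc=org"
# placeholder: paste the hash printed by slappasswd
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap
# assumed certificate paths
TLSCACertificateFile    /etc/openldap/cacerts/ca.pem
TLSCertificateFile      /etc/openldap/certs/ldap.plainjoe.org.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.plainjoe.org.key
# refuse any operation, binds included, unless the session has TLS (ssf 128)
security        ssf=128
# password hashes: the owner may change them, anyone may bind against them,
# nobody may read them; everything else stays readable
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# /etc/ldap.conf on the client (nss_ldap / pam_ldap), assumed hostname and CA path
uri             ldap://ldap.plainjoe.org/
base            dc=plainjoe,dc=org
ssl             start_tls
tls_cacertfile  /etc/openldap/cacerts/ca.pem
tls_checkpeer   yes

# /etc/openldap/ldap.conf on the client (OpenLDAP library and ldap* tools)
URI             ldap://ldap.plainjoe.org/
BASE            dc=plainjoe,dc=org
TLS_CACERT      /etc/openldap/cacerts/ca.pem
TLS_REQCERT     demand
```

Check the server file with slaptest -f /etc/openldap/slapd.conf before restarting, then repeat the slides' verification step with TLS required: ldapsearch -x -ZZ -H ldap://ldap.plainjoe.org -b dc=plainjoe,dc=org '(uid=fooj)' must return the entry without a userPassword attribute, and the same search without -ZZ must be refused by the ssf setting.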

Posted: 20/01/2014, 06:20
