SlideShare une entreprise Scribd logo

Practical LDAP Integration on Linux

Balaji Ravi
Balaji Ravi
1  sur  28
Télécharger pour lire hors ligne
Practical LDAP on Linux A practical guide to integrating LDAP directory services on Linux Michael Clark <michael@metaparadigm.com> http://gort.metaparadigm.com/ldap/ Aug-23-02 1
Presentation Overview ‹ The need for LDAP ‹ LDAP Overview and Basics ‹ Setting up and tuning OpenLDAP ‹ Name services, authentication and authorisation ‹ Mail routing with sendmail and postfix ‹ Apache authentication ‹ Other LDAP tools and applications Aug-23-02 2
The need for LDAP ‹ Multiple disparate sources of the same information ‹ Users need separate logins and passwords to login to different systems ‹ Complex to keep information in sync ‹ Similar data spread around many flat files or in database with different formats ‹ Inadequacies of NIS ie. Not very extensible ‹ X.500 is too complicated Aug-23-02 3
LDAP Overview ‹ LDAP is a ‘Lightweight Directory Access Protocol’ ‹ LDAP marries a lightweight DAP with the X.500 information model ‹ Uses an extensible hierarchical object data model ‹ An LDAP server may implement multiple ‘back-ends’: RDBMS, simple indexes (Berkeley DB), X.500 gateway ‹ Designed for frequent reads and infrequent writes Aug-23-02 4
LDAP Benefits ‹ Standardised schemas exist for many purposes (well beyond that of NIS) ‹ Allows consolidation of many information sources ‹ Well defined API, support from many applications ‹ Easily replicated and distributed ‹ Multiple backends allow integration with existing data sources (RDBMS, etc) ‹ Much faster than RDBMS (using lightweight backend like Berkeley DB) Aug-23-02 5
dc=com ----- dc=metaparadigm LDAP Basics |----- ou=people | ----- uid=mclark ----- ou=groups ----- cn=users ‹ Data is organised into an hierarchical tree ‹ Each ‘entry’ (tree node) is identified by a DN (distinguished name) e.g. uid=mclark,ou=people,dc=metaparadigm,dc=com ‹ Each component of a DN is called an RDN (relative DN) and represents a branch in the tree ‹ The RDN must be unique within the nodes at the same level of the tree (is generally equivalent to one of the attributes ie. ‘uid’ or ‘cn’ in the case of a person) ‹ Each node has 1 or many attribute values associated with it. Each attribute can have 1 or many values Aug-23-02 6
LDAP Basics (cont.) ‹ ‘objectClass’ is a mandatory attribute which specifies the schema (attribute constraints) for the given node ‹ Multiple ‘objectClass’ attributes can be combined together to achieve inheritance ‹ Example ‘objectClass’ (common schema) attributes: dcObject, organizationalUnit, person, organizationalPerson, inetOrgPerson, inetLocalMailRecipient ‹ CN (Canonical Name) is another common attribute used to provide a unique name for a directory object Aug-23-02 7
LDAP Schemas ‹ Many standard schemas exist including: People schemas - person, organisationalPerson, inetOrgPerson, posixAccount, mailLocalRecpient, strongAuthenticationUser Group schemas – groupOfUniqueNames, posixGroup, organisationalRole, roleMember Host / Network schemas – domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice ‹ An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre: <http://ldap.akbkhome.com/> Aug-23-02 8
LDIF File format ‹ LDIF (Lightweight Directory Interchange Format) is used to import/export from a LDAP directory server dn: dc=metaparadigm,dc=com objectclass: dcObject objectclass: organization o: Metaparadigm Pte Ltd dc: metaparadigm dn: ou=people,dc=metaparadigm,dc=com objectclass: organisationalUnit ou: people dn: uid=mclark,ou=people,dc=metaparadigm,dc=com objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: mclark cn: Michael Clark givenname: Michael sn: Clark o: Metaparadigm Pte Ltd userPassword: {SSHA}D3DT4BJyKicf+PJ1+eqkWMNRG/B28xt+ mail: michael@metaparadigm.com Aug-23-02 9
Custom schemas ‹ LDAP schemas uses SNMP style OIDs (Object Ids) for uniquely defining schema elements ‹ Apply for IANA enterprise number here: <http://www.iana.org/cgi-bin/enterprise.pl> ‹ Private enterprise number OID prefix is 1.3.6.1.4.1 eg. Metaparadigm uses 1.3.6.1.4.1.11137 ‹ Information on custom schemas can be found here: <http://www.openldap.org/doc/admin/schema.html> Aug-23-02 10
Linux LDAP servers ‹ OpenLDAP is the primary open-source LDAP implementation based on Univ. Michigan LDAP <http://www.openldap.org/> ‹ Sun provides the iPlanet Directory Server ‹ Oracle provides an LDAP server using an Oracle database backend ‹ Many others available (Innosoft) ‹ Linux can also integrate with LDAP servers running on other platforms such as Microsoft Active Directory or Novell eDirectory Aug-23-02 11
Scalability and Fault Tolerance ‹ OpenLDAP supports real-time directory replication to provide load-balancing and high availibility ‹ OpenLDAP supports single master, multiple slaves ‹ Most LDAP aware applications can be configured to use multiple LDAP servers (providing fallback servers) ‹ Multiple master support is in the works (currently alpha) ‹ OpenLDAP can be integrated with ‘heartbeat’ and ‘mon’ to provide fault tolerance <http://www.linux-ha.org/> Aug-23-02 12
Setting up OpenLDAP ‹ Configuration is located in: /etc/openldap/slapd.conf ‹ We need to include the schemas we are using include /etc/openldap/schema/core.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema ‹ Next we specify a database database ldbm suffix “dc=metaparadigm,dc=com" rootdn "cn=Manager,dc=metaparadigm,dc=com " rootpw {crypt}mvRCcD3ajNmf2 directory /opt/openldap/var/openldap-ldbm index objectClass eq Aug-23-02 13
Setting up OpenLDAP (cont.) ‹ We can now start slapd (Standalone LDAP daemon) # /etc/init.d/ldap start ‹ Next step is to add data to the directory using the LDIF example presented earlier # ldapadd -D cn=Manager,dc=metaparadigm,dc=com -W < init.ldif Enter LDAP Password: xxxxx adding new entry "dc=metaparadigm,dc=com" adding new entry "ou=people,dc=metaparadigm,dc=com" adding new entry "uid=mclark,ou=people,dc=metaparadigm,dc=com" Aug-23-02 14
Tuning OpenLDAP ‹ We need to add additional indexes for performance index uidNumber,gidNumber,mailLocalAddress pres,eq index cn,sn,givenName,memberUid,uid,mail pres,eq,sub ‹ We need to add ACLs for security access to attr=userPassword by self write by anonymous auth by * none access to dn="" by * read access to * by self write by users read by anonymous auth Aug-23-02 15
Tuning OpenLDAP (cont.) ‹ Setup logging in syslog.conf (default is LOCAL4) local4.* /var/log/ldap.log ‹ Make sure ‘slapd’ runs as non privileged user ‹ Make ‘slapd’ bind to SSL port for security need signed certificates with openSSL and modify slapd.conf TLSCertificateFile /etc/openldap/ldap.metaparadigm.com.cer TLSCertificateKeyFile /etc/openldap/ldap.metaparadigm.com.key modify init script to bind to SSL port /usr/libexec/slapd -h 'ldap://ldap.metaparadigm.com/ ldaps://ldap.metaparadigm.com/' -l LOCAL4 -u ldap -g ldap Aug-23-02 16
LDAP Search Filters ‹ LDAP uses a simple ‘search filters’ syntax (RFC2254) ‹ LDAP queries return all attributes of matching entries (or specifically selected attributes) which match the search filter ‹ LDAP query particles are enclosed within parenthesis in the form of ( attribute <matching rule> value ) ie. (cn=Michael Clark) ‹ Matching rules include (=, =~, >=, <=) ‹ * can be used as a wildcard within the value ‹ These can be combined together using the boolean operators: and, or and not (&, |, !) eg: (&(cn=Michael Clark)(objectClass=posixAccount)) (&(objectClass=inetOrgPerson)(!(o=Microsoft*))) (|(cn=Michael*)(cn=Mike*)) Aug-23-02 17
LDAP Search Filters ‹ The following example ldap search retrieves the names and email address of all users with a givenname of ‘Michael’ or ‘Mark’ # ldapsearch -LLL -h ldap1-prd -b dc=ofs,dc=edu,dc=sg '(&(|(givenname=Michael)(givenname=Mark))(objectClass=inetOrgPerson))' cn mail dn: uid=mark_bergeron,ou=people,dc=ofs,dc=edu,dc=sg mail: mark_bergeron@ofs.edu.sg cn: Mark Bergeron dn: uid=michael,ou=people,dc=ofs,dc=edu,dc=sg mail: michael_chen@ofs.edu.sg cn: Michael Chen dn: uid=mclark,ou=people,dc=ofs,dc=edu,dc=sg mail: michael_clark@ofs.edu.sg cn: Michael Clark … ‹ Very easy to incorporate this into shell scripts with awk or sed Aug-23-02 18
Unix Name service ‹ LDAP integrates with NSS (Name Service Switch) using the nss_ldap module <http://www.padl.com/OSS/nss_ldap.html/> Requires configuration of /etc/ldap.conf host ldap.metaparadigm.com base dc=metaparadigm,dc=com ldap_version 3 binddn cn=Manager,dc=metaparadigm,dc=com bindpw secret pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid nss_base_passwd ou=people,dc=metaparadigm,dc=com?one nss_base_group dc=metaparadigm,dc=com?sub Unix lookups are redirected in the same way as NIS: /etc/nsswitch.conf passwd: files nisplus ldap shadow: files nisplus group: files nisplus ldap hosts: files nisplus dns ldap Aug-23-02 19
LDAP authentication ‹ LDAP integrates with PAM (Pluggable Authentication Modules) using pam_ldap <http://www.padl.com/OSS/pam_ldap.html> pam_ldap shares /etc/ldap.conf with nss_ldap.conf We create a pam definition file: /etc/pam.d/ldap-auth #%PAM-1.0 auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so We point a services auth at LDAP eg. /etc/pam.d/imap auth required /lib/security/pam_stack.so service=ldap-auth account required /lib/security/pam_stack.so service=ldap-auth session required /lib/security/pam_stack.so service=ldap-auth Aug-23-02 20
Mail routing - sendmail ‹ We use the ‘inetLocalMailRecipient’ schema which extends ‘inetOrgPerson’ ‹ Additional attributes ‘mailLocalAddress’, ‘mailHost’ and ‘mailRoutingAddress’. Users can have multiple ‘mailLocalAddress’ attributes. ‹ Allows for easily distributed multiple back-end mail stores ‹ Below are changes to sendmail.mc (tested in 8.11.x) define(`confLDAP_DEFAULT_SPEC',`-h ldap.metaparadigm.com -b dc=metaparadigm,dc=com')dnl FEATURE(ldap_routing)dnl LDAPROUTE_DOMAIN(metaparadigm.com) Aug-23-02 21
Mail routing – sendmail (cont.) ‹ Any sendmail map can be defined using LDAP. ‹ Example of custom alias map using 8.11.x (should also work on 8.12.x only official map schema support is available) LOCAL_CONFIG undefine(`ALIAS_FILE') Kldapaliases ldap -z, -v mailForwardingAddress -k (&(objectClass=mailForwardingAlias)(mailAlias=%0)) O AliasFile=sequence:ldapaliases attributetype ( 1.3.6.1.4.1.11137.3.1.48 NAME 'mailAlias' DESC 'alias part of address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.11137.3.1.47 NAME 'mailForwardingAddress' DESC 'RFC822 address to use' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) objectclass ( 1.3.6.1.4.1.11137.3.2.49 NAME 'mailForwardingAlias' DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( cn $ o $ mail $ mailAlias $ mailForwardingAddress ) ) Aug-23-02 22
Mail routing - postfix ‹ Postfix documentation specifies a non-standard schema. Below example is implemented with same schema as sendmail. (change in /etc/postfix/main.cf) virtual_maps = ldap:metaroute metaroute_server_host = ldap.metaparadigm.com metaroute_search_base = dc=metaparadigm,dc=com metaroute_query_filter = (mailLocalAddress=%s) metaroute_result_attribute = mailRoutingAddress metaroute_domain = metaparadigm.com metaroute_bind = no ‹ Transport map can also be LDAP routed to provide mutliple backend support Aug-23-02 23
Shared Address book ‹ LDAP provides a convenient Corporate style shared address book similar to that of Exchange which is not otherwise available with standard Internet e-mail ‹ Support in almost all email clients: Evolution Mozilla Outlook Eudora Various web mail clients … Aug-23-02 24
Apache Authentication ‹ 2 Apache modules available ‘mod_auth_ldap’ apache module <http://nona.net/software/ldap/> ‘auth_ldap’ apache module <http://www.rudedog.org/auth_ldap/> ‹ Example httpd.conf using mod_auth_ldap <Location /secret> AuthType Basic AuthName "Secret" AuthLDAPURL ldap://ldap.metaparadigm.com:389/ou=people,dc=metaparadigm,dc=com?uid require valid-user </Location> Aug-23-02 25
LDAP Browsers and Editors ‹ Java LDAP Browser <http://www.iit.edu/~gawojar/ldap/> Allows easy updating and editing of directory information. Can create templates for commonly used directory objects. ‹ Huge number of other tools (web, GTK, …) Aug-23-02 26
Migration to LDAP ‹ Padl migration tools <http://www.padl.com/OSS/MigrationTools.html> ‹ Migrates existing flat files or NIS databases passwd, group, hosts, networks, services, etc… Aug-23-02 27
Other Application support ‹ Samba LDAP-PDC <http://www.unav.es/cti/ldap-smb-howto.html> ‹ LDAP DNS (no more HUPing named) http://www.nimh.org/code/ldapdns/ ‹ RADIUS (various patches floating around) ‹ Any application that supports PAM ssh, netatalk, many others… Aug-23-02 28

Recommandé

Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
Using OpenLDAP
Using OpenLDAPUsing OpenLDAP
Using OpenLDAPWildan Maulana
 
Directory Servers and LDAP
Directory Servers and LDAPDirectory Servers and LDAP
Directory Servers and LDAPWildan Maulana
 
Open LDAP vs. Active Directory
Open LDAP vs. Active DirectoryOpen LDAP vs. Active Directory
Open LDAP vs. Active DirectoryAhmad Haghighi
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Ldap
LdapLdap
LdapShiva Krishna Chandra Shekar
 

Recommandé

Ldap intro
Ldap introLdap intro
Ldap introyousry ibrahim
 
The Ldap Protocol
The Ldap ProtocolThe Ldap Protocol
The Ldap ProtocolGlen Plantz
 
Using OpenLDAP
Using OpenLDAPUsing OpenLDAP
Using OpenLDAPWildan Maulana
 
Directory Servers and LDAP
Directory Servers and LDAPDirectory Servers and LDAP
Directory Servers and LDAPWildan Maulana
 
Open LDAP vs. Active Directory
Open LDAP vs. Active DirectoryOpen LDAP vs. Active Directory
Open LDAP vs. Active DirectoryAhmad Haghighi
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolS. Hasnain Raza
 
Ldap
LdapLdap
LdapShiva Krishna Chandra Shekar
 
Ldap
LdapLdap
LdapHigher Private School of Engineering and Technology
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
LDAP
LDAPLDAP
LDAPChandanapriya Sathavalli
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAPCynoteck Technology Solutions Private Limited
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administrationAli Abdo
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theorycyberleon95
 
Spring Ldap
Spring LdapSpring Ldap
Spring LdapPiergiorgio Lucidi
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP IntegrationDell World
 
L2tp1
L2tp1L2tp1
L2tp1Shiva Krishna Chandra Shekar
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryEdson Oliveira
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 
What is active directory
What is active directoryWhat is active directory
What is active directoryrajasekar1712
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCLDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsLDAPCon
 
SQL Server 2012 - FileTables
SQL Server 2012 - FileTables SQL Server 2012 - FileTables
SQL Server 2012 - FileTables Sperasoft
 
X.500 More Than a Global Directory
X.500 More Than a Global DirectoryX.500 More Than a Global Directory
X.500 More Than a Global Directorylurdhu agnes
 
IBM Spark Meetup - RDD & Spark Basics
IBM Spark Meetup - RDD & Spark BasicsIBM Spark Meetup - RDD & Spark Basics
IBM Spark Meetup - RDD & Spark BasicsSatya Narayan
 
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data SourcesVirtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sourcesrumito
 
Spark core
Spark coreSpark core
Spark corePrashant Gupta
 
Kdump-FUDcon-2015-Session
Kdump-FUDcon-2015-SessionKdump-FUDcon-2015-Session
Kdump-FUDcon-2015-SessionBuland Singh
 
Learning Puppet Chapter 1
Learning Puppet Chapter 1Learning Puppet Chapter 1
Learning Puppet Chapter 1Vishal Biyani
 

Contenu connexe

Tendances

Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersPerforce
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administrationAli Abdo
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP IntegrationDell World
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesRadovan Semancik
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryEdson Oliveira
 
What is active directory
What is active directoryWhat is active directory
What is active directoryrajasekar1712
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCLDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsLDAPCon
 
SQL Server 2012 - FileTables
SQL Server 2012 - FileTables SQL Server 2012 - FileTables
SQL Server 2012 - FileTables Sperasoft
 
X.500 More Than a Global Directory
X.500 More Than a Global DirectoryX.500 More Than a Global Directory
X.500 More Than a Global Directorylurdhu agnes
 
IBM Spark Meetup - RDD & Spark Basics
IBM Spark Meetup - RDD & Spark BasicsIBM Spark Meetup - RDD & Spark Basics
IBM Spark Meetup - RDD & Spark BasicsSatya Narayan
 
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data SourcesVirtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sourcesrumito
 

Tendances (20)

Ldap
LdapLdap
Ldap
 
Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without TriggersActive Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without Triggers
 
LDAP
LDAPLDAP
LDAP
 
AD & LDAP
AD & LDAPAD & LDAP
AD & LDAP
 
Ldap system administration
Ldap system administrationLdap system administration
Ldap system administration
 
LDAP Theory
LDAP TheoryLDAP Theory
LDAP Theory
 
Spring Ldap
Spring LdapSpring Ldap
Spring Ldap
 
LDAP Integration
LDAP IntegrationLDAP Integration
LDAP Integration
 
L2tp1
L2tp1L2tp1
L2tp1
 
Introduction to LDAP and Directory Services
Introduction to LDAP and Directory ServicesIntroduction to LDAP and Directory Services
Introduction to LDAP and Directory Services
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
What is active directory
What is active directoryWhat is active directory
What is active directory
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSC
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
 
SQL Server 2012 - FileTables
SQL Server 2012 - FileTables SQL Server 2012 - FileTables
SQL Server 2012 - FileTables
 
X.500 More Than a Global Directory
X.500 More Than a Global DirectoryX.500 More Than a Global Directory
X.500 More Than a Global Directory
 
IBM Spark Meetup - RDD & Spark Basics
IBM Spark Meetup - RDD & Spark BasicsIBM Spark Meetup - RDD & Spark Basics
IBM Spark Meetup - RDD & Spark Basics
 
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data SourcesVirtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
Virtuoso Sponger - RDFizer Middleware for creating RDF from non RDF Data Sources
 
Spark core
Spark coreSpark core
Spark core
 

En vedette

Kdump-FUDcon-2015-Session
Kdump-FUDcon-2015-SessionKdump-FUDcon-2015-Session
Kdump-FUDcon-2015-SessionBuland Singh
 
Learning Puppet Chapter 1
Learning Puppet Chapter 1Learning Puppet Chapter 1
Learning Puppet Chapter 1Vishal Biyani
 
Pro Puppet
Pro PuppetPro Puppet
Pro Puppetdsadas
 
Seawater desalination operation maintainence and trouble shooting
Seawater desalination operation maintainence and trouble shootingSeawater desalination operation maintainence and trouble shooting
Seawater desalination operation maintainence and trouble shootingRajesh Mon
 
The Theory of Reverse Osmosis (RO)
The Theory of Reverse Osmosis (RO)The Theory of Reverse Osmosis (RO)
The Theory of Reverse Osmosis (RO)AAA Drafting
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with NeutronKwonSun Bae
 
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Dave Neary
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorialmestery
 

En vedette (8)

Kdump-FUDcon-2015-Session
Kdump-FUDcon-2015-SessionKdump-FUDcon-2015-Session
Kdump-FUDcon-2015-Session
 
Learning Puppet Chapter 1
Learning Puppet Chapter 1Learning Puppet Chapter 1
Learning Puppet Chapter 1
 
Pro Puppet
Pro PuppetPro Puppet
Pro Puppet
 
Seawater desalination operation maintainence and trouble shooting
Seawater desalination operation maintainence and trouble shootingSeawater desalination operation maintainence and trouble shooting
Seawater desalination operation maintainence and trouble shooting
 
The Theory of Reverse Osmosis (RO)
The Theory of Reverse Osmosis (RO)The Theory of Reverse Osmosis (RO)
The Theory of Reverse Osmosis (RO)
 
Openstack Basic with Neutron
Openstack Basic with NeutronOpenstack Basic with Neutron
Openstack Basic with Neutron
 
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorial
 

Similaire à Practical LDAP Integration on Linux

Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01SANE Ibrahima
 
LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)Fran Fabrizio
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Vinaykumar Hebballi
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationWildan Maulana
 
Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9rezgui
 
EKON 12 Running OpenLDAP
EKON 12 Running OpenLDAP EKON 12 Running OpenLDAP
EKON 12 Running OpenLDAP Max Kleiner
 
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...Clément OUDOT
 
Apache Spark Fundamentals Meetup Talk
Apache Spark Fundamentals Meetup TalkApache Spark Fundamentals Meetup Talk
Apache Spark Fundamentals Meetup TalkEren Avşaroğulları
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAPCon
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010Jonathan Clarke
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010 LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010RUDDER
 
A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...
A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...
A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...Databricks
 
Jump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksJump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksAnyscale
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap serverMawardi 12
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap serverMawardi 12
 
UnderstandingLDAP.ppt
UnderstandingLDAP.pptUnderstandingLDAP.ppt
UnderstandingLDAP.pptEfrizal Zaida
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity ManagementInSync Conference
 

Similaire à Practical LDAP Integration on Linux (20)

Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01Ldap 121020013604-phpapp01
Ldap 121020013604-phpapp01
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
 
LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)LDAP Applied (EuroOSCON 2005)
LDAP Applied (EuroOSCON 2005)
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2
 
OpenLDAP - Installation and Configuration
OpenLDAP - Installation and ConfigurationOpenLDAP - Installation and Configuration
OpenLDAP - Installation and Configuration
 
Ldapsession
LdapsessionLdapsession
Ldapsession
 
Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9Ldapsession 1217528612650451-9
Ldapsession 1217528612650451-9
 
EKON 12 Running OpenLDAP
EKON 12 Running OpenLDAP EKON 12 Running OpenLDAP
EKON 12 Running OpenLDAP
 
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
 
Apache Spark Fundamentals Meetup Talk
Apache Spark Fundamentals Meetup TalkApache Spark Fundamentals Meetup Talk
Apache Spark Fundamentals Meetup Talk
 
LDAP(In_Linux).pptx
LDAP(In_Linux).pptxLDAP(In_Linux).pptx
LDAP(In_Linux).pptx
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010
 
LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010 LSC - Synchronizing identities @ Loadays 2010
LSC - Synchronizing identities @ Loadays 2010
 
A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...
A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...
A Tale of Three Apache Spark APIs: RDDs, DataFrames, and Datasets with Jules ...
 
Jump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with DatabricksJump Start on Apache Spark 2.2 with Databricks
Jump Start on Apache Spark 2.2 with Databricks
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap server
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap server
 
UnderstandingLDAP.ppt
UnderstandingLDAP.pptUnderstandingLDAP.ppt
UnderstandingLDAP.ppt
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity Management
 

Plus de Balaji Ravi

Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007Balaji Ravi
 
forgot_administrator_password.htm
forgot_administrator_password.htmforgot_administrator_password.htm
forgot_administrator_password.htmBalaji Ravi
 
lost-xp-password.html
lost-xp-password.htmllost-xp-password.html
lost-xp-password.htmlBalaji Ravi
 
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Balaji Ravi
 
L03-ajc-C-arrays
L03-ajc-C-arraysL03-ajc-C-arrays
L03-ajc-C-arraysBalaji Ravi
 
3852_wlan_revised
3852_wlan_revised3852_wlan_revised
3852_wlan_revisedBalaji Ravi
 
Virtualizing_Exchange2003
Virtualizing_Exchange2003Virtualizing_Exchange2003
Virtualizing_Exchange2003Balaji Ravi
 

Plus de Balaji Ravi (17)

Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007Quest_Software_Best_Practices_for_Exchange_2007
Quest_Software_Best_Practices_for_Exchange_2007
 
forgot_administrator_password.htm
forgot_administrator_password.htmforgot_administrator_password.htm
forgot_administrator_password.htm
 
lost-xp-password.html
lost-xp-password.htmllost-xp-password.html
lost-xp-password.html
 
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
Upgrading_and_Migrating_to_Exchange_Server_2007_and_Windows_2008
 
1.Routing-eng
1.Routing-eng1.Routing-eng
1.Routing-eng
 
b
bb
b
 
bldef_ap.htm
bldef_ap.htmbldef_ap.htm
bldef_ap.htm
 
exch2003
exch2003exch2003
exch2003
 
L03-ajc-C-arrays
L03-ajc-C-arraysL03-ajc-C-arrays
L03-ajc-C-arrays
 
10307021
1030702110307021
10307021
 
show.php.htm
show.php.htmshow.php.htm
show.php.htm
 
182
182182
182
 
3852_wlan_revised
3852_wlan_revised3852_wlan_revised
3852_wlan_revised
 
a
aa
a
 
cryptography
cryptographycryptography
cryptography
 
Virtualizing_Exchange2003
Virtualizing_Exchange2003Virtualizing_Exchange2003
Virtualizing_Exchange2003
 
Balaji
BalajiBalaji
Balaji
 

Practical LDAP Integration on Linux

  • 1. Practical LDAP on Linux A practical guide to integrating LDAP directory services on Linux Michael Clark <michael@metaparadigm.com> http://gort.metaparadigm.com/ldap/ Aug-23-02 1
  • 2. Presentation Overview ‹ The need for LDAP ‹ LDAP Overview and Basics ‹ Setting up and tuning OpenLDAP ‹ Name services, authentication and authorisation ‹ Mail routing with sendmail and postfix ‹ Apache authentication ‹ Other LDAP tools and applications Aug-23-02 2
  • 3. The need for LDAP ‹ Multiple disparate sources of the same information ‹ Users need separate logins and passwords to login to different systems ‹ Complex to keep information in sync ‹ Similar data spread around many flat files or in database with different formats ‹ Inadequacies of NIS ie. Not very extensible ‹ X.500 is too complicated Aug-23-02 3
  • 4. LDAP Overview ‹ LDAP is a ‘Lightweight Directory Access Protocol’ ‹ LDAP marries a lightweight DAP with the X.500 information model ‹ Uses an extensible hierarchical object data model ‹ An LDAP server may implement multiple ‘back-ends’: RDBMS, simple indexes (Berkeley DB), X.500 gateway ‹ Designed for frequent reads and infrequent writes Aug-23-02 4
  • 5. LDAP Benefits ‹ Standardised schemas exist for many purposes (well beyond that of NIS) ‹ Allows consolidation of many information sources ‹ Well defined API, support from many applications ‹ Easily replicated and distributed ‹ Multiple backends allow integration with existing data sources (RDBMS, etc) ‹ Much faster than RDBMS (using lightweight backend like Berkeley DB) Aug-23-02 5
  • 6. dc=com ----- dc=metaparadigm LDAP Basics |----- ou=people | ----- uid=mclark ----- ou=groups ----- cn=users ‹ Data is organised into an hierarchical tree ‹ Each ‘entry’ (tree node) is identified by a DN (distinguished name) e.g. uid=mclark,ou=people,dc=metaparadigm,dc=com ‹ Each component of a DN is called an RDN (relative DN) and represents a branch in the tree ‹ The RDN must be unique within the nodes at the same level of the tree (is generally equivalent to one of the attributes ie. ‘uid’ or ‘cn’ in the case of a person) ‹ Each node has 1 or many attribute values associated with it. Each attribute can have 1 or many values Aug-23-02 6
  • 7. LDAP Basics (cont.) ‹ ‘objectClass’ is a mandatory attribute which specifies the schema (attribute constraints) for the given node ‹ Multiple ‘objectClass’ attributes can be combined together to achieve inheritance ‹ Example ‘objectClass’ (common schema) attributes: dcObject, organizationalUnit, person, organizationalPerson, inetOrgPerson, inetLocalMailRecipient ‹ CN (Canonical Name) is another common attribute used to provide a unique name for a directory object Aug-23-02 7
  • 8. LDAP Schemas ‹ Many standard schemas exist including: People schemas - person, organisationalPerson, inetOrgPerson, posixAccount, mailLocalRecpient, strongAuthenticationUser Group schemas – groupOfUniqueNames, posixGroup, organisationalRole, roleMember Host / Network schemas – domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice ‹ An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre: <http://ldap.akbkhome.com/> Aug-23-02 8
  • 9. LDIF File format ‹ LDIF (Lightweight Directory Interchange Format) is used to import/export from a LDAP directory server dn: dc=metaparadigm,dc=com objectclass: dcObject objectclass: organization o: Metaparadigm Pte Ltd dc: metaparadigm dn: ou=people,dc=metaparadigm,dc=com objectclass: organisationalUnit ou: people dn: uid=mclark,ou=people,dc=metaparadigm,dc=com objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: mclark cn: Michael Clark givenname: Michael sn: Clark o: Metaparadigm Pte Ltd userPassword: {SSHA}D3DT4BJyKicf+PJ1+eqkWMNRG/B28xt+ mail: michael@metaparadigm.com Aug-23-02 9
  • 10. Custom schemas ‹ LDAP schemas uses SNMP style OIDs (Object Ids) for uniquely defining schema elements ‹ Apply for IANA enterprise number here: <http://www.iana.org/cgi-bin/enterprise.pl> ‹ Private enterprise number OID prefix is 1.3.6.1.4.1 eg. Metaparadigm uses 1.3.6.1.4.1.11137 ‹ Information on custom schemas can be found here: <http://www.openldap.org/doc/admin/schema.html> Aug-23-02 10
  • 11. Linux LDAP servers ‹ OpenLDAP is the primary open-source LDAP implementation based on Univ. Michigan LDAP <http://www.openldap.org/> ‹ Sun provides the iPlanet Directory Server ‹ Oracle provides an LDAP server using an Oracle database backend ‹ Many others available (Innosoft) ‹ Linux can also integrate with LDAP servers running on other platforms such as Microsoft Active Directory or Novell eDirectory Aug-23-02 11
  • 12. Scalability and Fault Tolerance ‹ OpenLDAP supports real-time directory replication to provide load-balancing and high availibility ‹ OpenLDAP supports single master, multiple slaves ‹ Most LDAP aware applications can be configured to use multiple LDAP servers (providing fallback servers) ‹ Multiple master support is in the works (currently alpha) ‹ OpenLDAP can be integrated with ‘heartbeat’ and ‘mon’ to provide fault tolerance <http://www.linux-ha.org/> Aug-23-02 12
  • 13. Setting up OpenLDAP ‹ Configuration is located in: /etc/openldap/slapd.conf ‹ We need to include the schemas we are using include /etc/openldap/schema/core.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema ‹ Next we specify a database database ldbm suffix “dc=metaparadigm,dc=com" rootdn "cn=Manager,dc=metaparadigm,dc=com " rootpw {crypt}mvRCcD3ajNmf2 directory /opt/openldap/var/openldap-ldbm index objectClass eq Aug-23-02 13
  • 14. Setting up OpenLDAP (cont.) ‹ We can now start slapd (Standalone LDAP daemon) # /etc/init.d/ldap start ‹ Next step is to add data to the directory using the LDIF example presented earlier # ldapadd -D cn=Manager,dc=metaparadigm,dc=com -W < init.ldif Enter LDAP Password: xxxxx adding new entry "dc=metaparadigm,dc=com" adding new entry "ou=people,dc=metaparadigm,dc=com" adding new entry "uid=mclark,ou=people,dc=metaparadigm,dc=com" Aug-23-02 14
  • 15. Tuning OpenLDAP ‹ We need to add additional indexes for performance index uidNumber,gidNumber,mailLocalAddress pres,eq index cn,sn,givenName,memberUid,uid,mail pres,eq,sub ‹ We need to add ACLs for security access to attr=userPassword by self write by anonymous auth by * none access to dn="" by * read access to * by self write by users read by anonymous auth Aug-23-02 15
  • 16. Tuning OpenLDAP (cont.) ‹ Setup logging in syslog.conf (default is LOCAL4) local4.* /var/log/ldap.log ‹ Make sure ‘slapd’ runs as non privileged user ‹ Make ‘slapd’ bind to SSL port for security need signed certificates with openSSL and modify slapd.conf TLSCertificateFile /etc/openldap/ldap.metaparadigm.com.cer TLSCertificateKeyFile /etc/openldap/ldap.metaparadigm.com.key modify init script to bind to SSL port /usr/libexec/slapd -h 'ldap://ldap.metaparadigm.com/ ldaps://ldap.metaparadigm.com/' -l LOCAL4 -u ldap -g ldap Aug-23-02 16
  • 17. LDAP Search Filters ‹ LDAP uses a simple ‘search filters’ syntax (RFC2254) ‹ LDAP queries return all attributes of matching entries (or specifically selected attributes) which match the search filter ‹ LDAP query particles are enclosed within parenthesis in the form of ( attribute <matching rule> value ) ie. (cn=Michael Clark) ‹ Matching rules include (=, =~, >=, <=) ‹ * can be used as a wildcard within the value ‹ These can be combined together using the boolean operators: and, or and not (&, |, !) eg: (&(cn=Michael Clark)(objectClass=posixAccount)) (&(objectClass=inetOrgPerson)(!(o=Microsoft*))) (|(cn=Michael*)(cn=Mike*)) Aug-23-02 17
  • 18. LDAP Search Filters ‹ The following example ldap search retrieves the names and email address of all users with a givenname of ‘Michael’ or ‘Mark’ # ldapsearch -LLL -h ldap1-prd -b dc=ofs,dc=edu,dc=sg '(&(|(givenname=Michael)(givenname=Mark))(objectClass=inetOrgPerson))' cn mail dn: uid=mark_bergeron,ou=people,dc=ofs,dc=edu,dc=sg mail: mark_bergeron@ofs.edu.sg cn: Mark Bergeron dn: uid=michael,ou=people,dc=ofs,dc=edu,dc=sg mail: michael_chen@ofs.edu.sg cn: Michael Chen dn: uid=mclark,ou=people,dc=ofs,dc=edu,dc=sg mail: michael_clark@ofs.edu.sg cn: Michael Clark … ‹ Very easy to incorporate this into shell scripts with awk or sed Aug-23-02 18
  • 19. Unix Name service ‹ LDAP integrates with NSS (Name Service Switch) using the nss_ldap module <http://www.padl.com/OSS/nss_ldap.html/> Requires configuration of /etc/ldap.conf host ldap.metaparadigm.com base dc=metaparadigm,dc=com ldap_version 3 binddn cn=Manager,dc=metaparadigm,dc=com bindpw secret pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid nss_base_passwd ou=people,dc=metaparadigm,dc=com?one nss_base_group dc=metaparadigm,dc=com?sub Unix lookups are redirected in the same way as NIS: /etc/nsswitch.conf passwd: files nisplus ldap shadow: files nisplus group: files nisplus ldap hosts: files nisplus dns ldap Aug-23-02 19
  • 20. LDAP authentication ‹ LDAP integrates with PAM (Pluggable Authentication Modules) using pam_ldap <http://www.padl.com/OSS/pam_ldap.html> pam_ldap shares /etc/ldap.conf with nss_ldap.conf We create a pam definition file: /etc/pam.d/ldap-auth #%PAM-1.0 auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so We point a services auth at LDAP eg. /etc/pam.d/imap auth required /lib/security/pam_stack.so service=ldap-auth account required /lib/security/pam_stack.so service=ldap-auth session required /lib/security/pam_stack.so service=ldap-auth Aug-23-02 20
  • 21. Mail routing - sendmail ‹ We use the ‘inetLocalMailRecipient’ schema which extends ‘inetOrgPerson’ ‹ Additional attributes ‘mailLocalAddress’, ‘mailHost’ and ‘mailRoutingAddress’. Users can have multiple ‘mailLocalAddress’ attributes. ‹ Allows for easily distributed multiple back-end mail stores ‹ Below are changes to sendmail.mc (tested in 8.11.x) define(`confLDAP_DEFAULT_SPEC',`-h ldap.metaparadigm.com -b dc=metaparadigm,dc=com')dnl FEATURE(ldap_routing)dnl LDAPROUTE_DOMAIN(metaparadigm.com) Aug-23-02 21
  • 22. Mail routing – sendmail (cont.) ‹ Any sendmail map can be defined using LDAP. ‹ Example of custom alias map using 8.11.x (should also work on 8.12.x only official map schema support is available) LOCAL_CONFIG undefine(`ALIAS_FILE') Kldapaliases ldap -z, -v mailForwardingAddress -k (&(objectClass=mailForwardingAlias)(mailAlias=%0)) O AliasFile=sequence:ldapaliases attributetype ( 1.3.6.1.4.1.11137.3.1.48 NAME 'mailAlias' DESC 'alias part of address' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.11137.3.1.47 NAME 'mailForwardingAddress' DESC 'RFC822 address to use' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) objectclass ( 1.3.6.1.4.1.11137.3.2.49 NAME 'mailForwardingAlias' DESC 'Internet local mail recipient' SUP top AUXILIARY MAY ( cn $ o $ mail $ mailAlias $ mailForwardingAddress ) ) Aug-23-02 22
  • 23. Mail routing - postfix ‹ Postfix documentation specifies a non-standard schema. Below example is implemented with same schema as sendmail. (change in /etc/postfix/main.cf) virtual_maps = ldap:metaroute metaroute_server_host = ldap.metaparadigm.com metaroute_search_base = dc=metaparadigm,dc=com metaroute_query_filter = (mailLocalAddress=%s) metaroute_result_attribute = mailRoutingAddress metaroute_domain = metaparadigm.com metaroute_bind = no ‹ Transport map can also be LDAP routed to provide mutliple backend support Aug-23-02 23
  • 24. Shared Address book ‹ LDAP provides a convenient Corporate style shared address book similar to that of Exchange which is not otherwise available with standard Internet e-mail ‹ Support in almost all email clients: Evolution Mozilla Outlook Eudora Various web mail clients … Aug-23-02 24
  • 25. Apache Authentication ‹ 2 Apache modules available ‘mod_auth_ldap’ apache module <http://nona.net/software/ldap/> ‘auth_ldap’ apache module <http://www.rudedog.org/auth_ldap/> ‹ Example httpd.conf using mod_auth_ldap <Location /secret> AuthType Basic AuthName "Secret" AuthLDAPURL ldap://ldap.metaparadigm.com:389/ou=people,dc=metaparadigm,dc=com?uid require valid-user </Location> Aug-23-02 25
  • 26. LDAP Browsers and Editors ‹ Java LDAP Browser <http://www.iit.edu/~gawojar/ldap/> Allows easy updating and editing of directory information. Can create templates for commonly used directory objects. ‹ Huge number of other tools (web, GTK, …) Aug-23-02 26
  • 27. Migration to LDAP ‹ Padl migration tools <http://www.padl.com/OSS/MigrationTools.html> ‹ Migrates existing flat files or NIS databases passwd, group, hosts, networks, services, etc… Aug-23-02 27
  • 28. Other Application support ‹ Samba LDAP-PDC <http://www.unav.es/cti/ldap-smb-howto.html> ‹ LDAP DNS (no more HUPing named) http://www.nimh.org/code/ldapdns/ ‹ RADIUS (various patches floating around) ‹ Any application that supports PAM ssh, netatalk, many others… Aug-23-02 28