Curs 1 - Serviciul LDAP · inut curs (cont.) I continuarea cursului de GSR I platform a suport:...

Curs 1Serviciul LDAP

Servicii avansate pentru ISP

20 februarie 2017

SAISP Curs 1, Serviciul LDAP 1/47

Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP

Integrare client de LDAP

Incheiere

Intrebari


Servicii Avansate pentru ISP

I fancy name pentru Advanced Network System Administration

I LDAP, virtualizare, volume management, scalabilitate,automatizare

I destinat profilului de sysdevops (system administration /development / operations)


Servicii de ret,ea pentru ISP (cont.)

I http://ocw.cs.pub.ro/saisp/

I curs, luni, 18-20, PR706

I laborator, luni, 16-18, 20-22, PR706

I primul curs are loc luni, 20 februarie 2017

I primul laborator are loc luni, 27 februarie 2017


http://ocw.cs.pub.ro/saisp/

Cont, inut curs

1. Serviciul LDAP

2. Administrarea LDAP

3. Monitorizare

4. Gestiunea scalabila a dispozitivelor de stocare

5. Redundant, a s, i load balancing

6. Sisteme de fis, iere ın ret,ea

7. Containere

8. Virtualizare nativa

9. Accelerarea accesului web

10. Automatizarea scalabila a sistemelor

11. Limitarea traficului

12. Recapitulare


Cont, inut curs (cont.)

I continuarea cursului de GSR

I platforma suport: Debian s, i solut, ii de virtualizare (KVM)I cerint,e

I familiarizarea cu mediul LinuxI elemente de baza de ret,elisticaI elemente de administrareI concepte de virtualizareI cunos, tint,e de baza de programareI cunos, tint,e de baza de inginerie software


Notare

I laborator – 2p (activitate)I teste practice – 5p

I test practic 1 – 2.5p (dupa laboratorul 5)I test practic 2 – 2.5p (ın sesiune)

I teste de curs – 2p (5 teste x 0.4 puncte/test)

I test grila – 2p (ın sesiune)


Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


Moto

The secret of all victory lies in the organization of the non-obvious.

Marcus Aurelius

If you don’t know how to do something, you don’t know how to doit with a computer.


Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


Suport

I “Unix and Linux System Administration”I Chapter 19 – Sharing System Files

I Section 19.3 – LDAP: The Lightweight Directory AccessProtocol

I “Professional Linux System Administration”I Chapter 16 – Directory Services


Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


Directory

I mecanism de organizare a informat, iei

I mapare/asociere ıntre nume s, i valoare

I ın general o organizare ierarhicaI noduri (nodes) de informat, ie s, i tipuri de date

I ın telefonie: nume s, i numere de telefonI ın DNS: nume de domeniu (nod) s, i adrese IP, alias-uri, servere

de mail (tipuri de date)

I directory service / naming service

I DIT – Directory Information Tree


Directory Services

I naming services

I localizarea unei resurse ın ret,ea pe baza unui nume

I informat, ii despre o resursa – obiect cu atributeI interfat, a de localizare s, i gestiune a resurselor ıntr-o ret,ea

I directoare, fis, iere, utilizatori, grupuri, dispozitive, numere detelefon

I similar cu un RDBMS, dar . . .I citiri mult mai frecvente decat scrieriI redundant,a datelor pentru performant, a (de exemplu DNS

caching)


Exemple de directory services

I DNS – Domain Name SystemI NIS – Network Information Service

I ınlocuit din ce ın ce mai mult cu LDAP

I LDAP/X.500I Directory Access ProtocolI A set of such systems, together with the directory information

that they hold, can be viewed as an integrated whole, calledthe Directory


Folosire directory services pe Unix

I /etc/nsswitch.confI Name Service SwitchI serviciile/fis, ierele folosite de ,,baze de date” ale sistemuluiI /lib/libnss_*

I system databasesI passwd, group, hosts, networks, protocols, services, shadow

I getent – interogarea bazelor de dateI getent passwdI getent passwd razvanI getent networksI getent services ldaps


X.500

I set de standarde pentru servicii de director

I DAP, DSP, DISP, DOP

I foloses, te stiva OSII alternative care sa foloseasca stiva TCP/IP

I alternativa la DAP – Lightweight Directory Access Protocol(LDAP)

I un singur DIT – Directory Information TreeI a hierarchical organization of entries which is distributed across

one or more servers

I fiecare intrare identificata unic de un DN (DistinguishedName)

I prea complex


Implementari LDAP/X.500

I ActiveDirectory (Microsoft)

I eDirectory (Novell)

I Red Hat Directory Server

I OpenLDAP

I OpenDirectory (Apple) – construit peste OpenLDAP

I Apache Directory Server

I 389 Directory Service (RedHat) – fork din OpenLDAP


Active Directory

I bazat pe Novell eDirectory

I LDAP, Kerberos

I zona centrala de administrare s, i delegare de autoritate

I scalabilitate

I ın Windows Server 2008 – Active Directory Domain ServicesI ierarhie de obiecte

I resourcesI security principals (utilizatori s, i grupuri) – au asociat un

identificator unic (SID – security identifier)

I OU – Organization Unit – container de obiecte aferente unuidomeniu

I ıntr-un domeniu un utilizator dispune de un atribut cu valoareunica (sAMAccountName pre-2000, userPrincipalName)


Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


LDAP

I Lightweight Directory Access Protocol

I ,,Lightweight” ın contextul X.500

I forma simplificata a DAP ın X.500

I organizare ierarhica

I foloses, te DNS pentru nivelurile topmost

I cont, ine intrari reprezentand persoane, grupuri, imprimante,documente etc.

I LDAPv3 – RFC 4510

I peste 30 de RFC-uri


Operat, ii client, i

I TCP 389I TCP 636 pentru LDAP over SSL (ldaps)

I Operat, iiI Start TLS – disponibil de la LDAPv3I Bind (autentificare)I SearchI CompareI Add entryI Delete entryI Modify entryI Unbind (ınchide conexiunea; nu este opusul Bind)


Directory Information Tree

I organizarea informat, iei – schema

I ierarhie

I fiecare intrare identificata de un DN (Distinguished Name)

I ın general, numele cont, ine o componenta ımprumutata dinDNS (dc=test,dc=cs,dc=pub,dc=ro)

I ın general, flat namespacesI namespace pentru persoane – cont, ine lista de persoaneI namespace pentru grupuri – cont, ine lista de grupuri


Intrari s, i atribute

I un director este o colect, ie de intrariI o intrare este data de o colect, ie de atribute

I un atribut cont, ine un nume s, i una sau mai multe valoriI atributele sunt definite ın schemaI atributele pot fi de forma MUST sau MAY

I o intrare este identificata de un DN (Distinguished Name)I compus din mai multe elemente, parte din care sunt DC

(domain component)I uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro


LDIF

I LDAP Data Interchange FormatI format de reprezentare pentru

I cont, inutul directorului (listare, adaugare)

dn: cn=The Postmaster,dc=example,dc=com

objectClass: organizationalRole

cn: The Postmaster

I cereri de actualizare (modificare)

dn: cn=gsclipici,ou=People,dc=test,dc=cs,dc=pub,dc=ro

changetype: modify

replace: mail

mail: [email protected]

-

replace: initials

initials: GS

-

I format numeAtribut: valoare atribut


Acronime LDAP

I DN – Distinguished NameI RDN (Relative Distinguished Name) + Parent DNI dn: cn=Ana Popa,dc=rd,dc=ro

I RDN: cn=Ana PopaI Parent DN: dc=rd,dc=ro

I DC – Domain Componenent

I CN – Common Name

I OU – Organizational Unit

I LDIF – LDAP Data Interchange Format


Cautare/comparare ın LDAP

I se cauta atribute

I uid

I uid=gsclipici

I sn=P*

I (&(sn=P*)(cn=A*))

I (|(&(sn=P*)(cn=A*))(&(sn=C*)(cn=S*)))I Polish notation


URI-uri ın LDAP

I ldap://swarm.cs.pub.ro

I ldaps://swarm.cs.pub.ro:636

I ldap://swarm.cs.pub.ro/ou=People,dc=swarm,dc=cs,dc=pub,dc=ro

I ldap://swarm.cs.pub.ro/ou=People,dc=swarm,dc=cs,dc=pub,dc=ro?uid

I ldap://swarm.cs.pub.ro/ou=People,dc=swarm,dc=cs,dc=pub,dc=ro?uid?base?(givenName=Daniel)

I ldaps:// pentru LDAP peste SSL

I ldap:// pentru LDAP peste TLS (foloses,te STARTTLS)


URI-uri ın LDAP (2)

I ldap://host:port/DN?attributes?scope?filter?extensions

I scope – base (cautare singulara), one – cautare pe nivel, sub –cautare ın ierarhie

I filter – (givenName=Daniel),(&(givenName=Daniel)(sn=Popescu))


Implementari client, i LDAP

I OpenLDAP (server + utilities)

I Apache Directory Server/Studio

I LDAPAdminTool (Linux/Windows, comercial)

I web2ldap (web, Python)

I phpLDAPadmin


Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


LDAP CLI

I OpenLDAP

I apt-get install ldap-utils

I ldap*

I /etc/ldap/ldap.confI configurat, iile impliciteI BASE, URII TLS_REQCERT=never: pentru a nu verifica certificatele


ldapsearch

I cautarea informat, iilor ın baza de date LDAP

I ldapsearch -x

I ldapsearch -x uid

I ldapsearch -x uid=gsclipici

I ldapsearch -x &(cn=A*)(sn=B*)

I ldapsearch -x -b dc=test,dc=cs,dc=pub,dc=ro –specificarea base-ului

I ldapsearch -x -H ldap://test.cs.pub.ro – specificareaURI-ului

I ldapsearch -x -D

dc=binder,ou=Gods,dc=test,dc=cs,dc=pub,dc=ro -W –specificarea utilizatorului care face bind (autentificare)

I informat, iile sunt afis,ate ın format LDIF


ldappasswd

I schimbarea parolei pentru intrari de tipul utilizator

I necesita autentificare (binding) (-D, -W)

I ldappasswd -D cn=admin,dc=test,dc=cs,dc=pub,dc=ro

-W uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro –serverul genereaza parola

I ldappasswd ...-S uid=gsclipici... – solicita parolautilizatorului

I ldappasswd -D cn=admin,dc=test,dc=cs,dc=pub,dc=ro

-w $admin_pass -s $clear_pass

uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro – utilizareın mod neinteractiv


ldapadd

I adaugarea unei intrariI se specifica ın format LDIF

dn: uid=test,ou=people,dc=swarm,dc=cs,dc=pub,dc=ro

uid: test

cn: test test

sn: test


objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

loginShell: /bin/bash

uidNumber: 1230

gidNumber: 100

homeDirectory: /home/test

I necesita autentificare (-D, -W/-w)I ldapadd ...-f /etc/ldap/ldif/test.ldif


ldapdelete

I s, tergerea unei intrari

I necesita autentificare (-D, -W/-w)

I ldapdelete

...uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro


ldapmodify

I modificarea unei intrari precizata tot printr-un fis, ier LDIF

dn: cn=Modify Me,dc=example,dc=com

changetype: modify

replace: mail


-

add: title

title: Grand Poobah

-

add: jpegPhoto

jpegPhoto:< file:///tmp/modme.jpeg

-

delete: description

I “atribut” de specificare a tipului modificarii (add, delete,replace)


LDAP scripts

I folosite pentru gestiunea facila a conturilor de utilizator ınLDAP

I apt-get install ldapscripts

I ldapaddgroup, ldapadduser, ldapdeleurser,ldapdeletegroup


Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


Autentificare Unix prin LDAP

I apt-get install libnss-ldap nscd libpam-ldap

I /etc/libnss-ldap.conf

root@valhalla:/etc/ldap# cat /etc/nsswitch.conf | grep ’^$passwd\|group$’

passwd: compat files ldap

group: compat files ldap

I /etc/pam_ldap.conf

I /etc/pam.d/common-session

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


Configurare LDAP ın Apache

AuthType Basic

AuthName "Windows Research Kernel (use curs.cs.pub.ro account)"

AuthBasicProvider ldap

AuthzLDAPAuthoritative on

AuthLDAPURL "ldaps://ldap.grid.pub.ro/ou=People,dc=cs,dc=curs,dc=pub,dc=ro?uid"

AuthLDAPBindDN "uid=xxx,ou=yyy,dc=cs,dc=curs,dc=pub,dc=ro"

AuthLDAPBindPassword "zzz"

Require valid-user


Configurare LDAP ın Dokuwiki

$conf[’authtype’] = ’ldap’;

$conf[’auth’][’ldap’][’port’] = 636;

$conf[’auth’][’ldap’][’server’] = ’ldaps://swarm.cs.pub.ro’;

$conf[’auth’][’ldap’][’usertree’] = ’ou=People,dc=swarm,dc=cs,dc=pub,dc=ro’;

$conf[’auth’][’ldap’][’grouptree’] = ’ou=Group,dc=swarm,dc=cs,dc=pub,dc=ro’;

$conf[’auth’][’ldap’][’userfilter’] = ’(&(uid=%{user})(objectClass=posixAccount))’;

$conf[’auth’][’ldap’][’groupfilter’] = ’(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))’;

# This is optional but may be required for your server:

$conf[’auth’][’ldap’][’version’] = 3;


LDAP for developers

I libldap2-dev – C

I http://php.net/manual/en/book.ldap.php – PHP

I http://pypi.python.org/pypi/python-ldap/ – Python

I http://ruby-ldap.sourceforge.net/ – Ruby


http://php.net/manual/en/book.ldap.php

http://pypi.python.org/pypi/python-ldap/

http://ruby-ldap.sourceforge.net/

Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


Cuvinte cheie

I Directory

I DIT

I X.500

I /etc/nsswitch.conf

I getent

I LDAP

I Active Directory

I Distinguished Name (DN)

I intrari

I atribute

I LDIF

I DN, RDN, DC, CN, OU

I cautare

I LDAP URL

I base

I filters

I ldapsearch

I ldapadd

I ldappasswd

I ldapmodify

I ldapdelete


Resurse utile

I http://en.wikipedia.org/wiki/LDAP

I http://tldp.org/HOWTO/LDAP-HOWTO/

I http://www.howtoforge.com/linux_ldap_authentication

I Understanding LDAP – Design and Implementation:http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244986.pdf

I http://www.zytrax.com/books/ldap/


http://en.wikipedia.org/wiki/LDAP

http://tldp.org/HOWTO/LDAP-HOWTO/

http://www.howtoforge.com/linux_ldap_authentication

http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244986.pdf

http://www.zytrax.com/books/ldap/

Outline

Prezentare curs

Serviciul LDAP

Directory Services

LDAP

Clientul LDAP


Incheiere

Intrebari


Date post:	29-Jul-2020
Category:	Documents
Upload:	others
View:	11 times
Download:	1 times

Curs 1 - Serviciul LDAP · inut curs (cont.) I continuarea cursului de GSR I platform a suport:...

Documents