An Information System

Transcription

1 An Information System Module 1: Tutorials and Exercises Basics

2 Software Setup Login in your machine cd $HOME/MyOpenLDAP chmod u+x setup.sh./setup.sh

3 ./setup.sh (BDB setup) Prepare the Berkeley Database backend Download software (gzip tarball) from Oracle wnloads/index.html $ cd $HOME/MyOpenLDAP $ tar xzvf db tar.gz $ cd db /build_unix $../dist/configure prefix=$home/myopenldap/db5 $ make $ make install $ ls l../../db5

4

5 ./setup.sh (LDAP setup) Prepare LDAP software Download (gzip tarball) $ cd $HOME/MyOpenLDAP $ tar xzvf openldap tgz; cd openldap $ export LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib: $LD_LIBRARY_PATH $ CPPFLAGS=" I$HOME/MyOpenLDAP/db5/include I/usr/include/libiodbc/" LDFLAGS=" L$HOME/MyOpenLDAP/db5/lib"./configure prefix=$home/myopenldap/openldap 24.1 exec prefix=$home/myopenldap/openldap 24.1 bindir=$home/myopenldap/openldap 24.1/bin libdir=$home/myopenldap/openldap 24.1/lib includedir=$home/myopenldap/openldap 24.1/include enable modules enable backends enable overlays disable ndb disable perl $ make depend; make; make install

6 LDAP Configuration slapd configuration (slapd.conf) sections $HOME/MyOpenLDAP/etc/openldap/slapd.conf # global configuration directives <global config directives> # backend definition backend <typea> <backend specific directives> # first database definition & config directives database <typea> <database specific directives> # second database definition & config directives database <typeb> <database specific directives>

7 LDAP Configuration Key configuration options (slapd.conf) $ cat $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/slapd.conf include /home/profesor/myopenldap/openldap 24.1/etc/openldap/schema/core.schema database bdb suffix "dc=ibergrid,dc=eu" rootdn "cn=manager,dc=ibergrid,dc=eu" rootpw secret directory /home/profesor/openldap/openldap 24.1/var/openldap data

8 Schema Inspect the included schema core.schema Study the following ObjectClass(es) 'dcobject', 'organization' and 'country' Determine the type of objectclass Determine which attributes are MUST for each objectclass Determine the format of each attribute

9 slapd Startup slapd process has to be started by root But it can be executed by any user $ sudo LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib:$LD_LIBRARY_PATH $HOME/MyOpenLDAP/openldap 24.1/libexec/slapd u <user> ( d 255 h ldap://localhost:<port>) $ ps xuawww grep slapd $ profesor pts/1 Sl+ 19:44 0:00 /home/profesor/myopenldap/openldap 24.1/libexec/slapd u profesor d 255

10 ldapsearch ldapsearch to query slapd server $ export PATH=$HOME/MyOpenLDAP/openldap 24.1/bin:$PATH $ which ldapsearch ~/MyOpenLDAP/openldap 24.1/bin/ldapsearch $ ldapsearch x b dc=ibergrid,dc=eu # search result search: 2 result: 32 No such object # numresponses: 1

11 An Information System Module 1: Tutorials and Exercises Deploy a DIT

12 LDIF Input directory LDIF DIT configurations $HOME/MyOpenLDAP/LdifFiles Start.ldif dc=eu Implements the primordial DIT dc=ibergrid c=portugal c=spain

13 Create the initial DIT via ldapadd Use Start.ldif file to feed slapd server Check what is published using ldapsearch $ ldapadd x D "cn=manager,dc=ibergrid,dc=eu" W f $HOME/MyOpenLDAP/LdifFiles/Start.ldif Enter LDAP Password: adding new entry "dc=ibergrid,dc=eu" adding new entry "c=pt,dc=ibergrid,dc=eu" adding new entry "c=es,dc=ibergrid,dc=eu" $ ldapsearch x b 'dc=ibergrid,dc=eu'

14 Add entries to the DIT via ldapadd AddEntries.ldif: Adds new entries to the DIT dc=eu dc=ibergrid $ ldapadd x D "cn=manager,dc=ibergrid,dc=eu" W f $HOME/MyOpenLDAP/LdifFiles/AddNewEntries.ldif $ ldapsearch x b 'dc=ibergrid,dc=eu' c=portugal c=spain o=upv cn=ignacio Blanquer

15 Modify attribute using ldapmodify ModifyAttribute.ldif : Changes telephonenumber attribute of the entry dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu $ ldapmodify x D "cn=manager,dc=ibergrid,dc=eu" W f $HOME/MyOpenLDAP/LdifFiles/ModifyAttribute.ldif $ ldapsearch x b 'dc=ibergrid,dc=eu'

16 Delete attribute using ldapmodify DeleteAttribute.ldif : Delete telephonenumber attribute of the entry dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu $ ldapmodify x D "cn=manager,dc=ibergrid,dc=eu" W f $HOME/MyOpenLDAP/LdifFiles/DeleteAttribute.ldif $ ldapsearch x b 'dc=ibergrid,dc=eu'

17 Delete entry using ldapdelete The deletion of an entry can be done in the command line $ ldapdelete 'cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu' D "cn=manager,dc=ibergrid,dc=eu" W $ ldapsearch x b 'dc=ibergrid,dc=eu'

18 Build the following DIT Do it on your own dc=eu dc=ibergrid use the organizationalperson objectclass c=pt c=es o=upv Add the userpassword attribute cn=<yourself> cn=ignacio Blanquer

19 $ cat $HOME/MyOpenLDAP/LdifFiles/Exercise.ldif A possible solution dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu objectclass: organizationalperson objectclass: Top cn: Ignacio Blanquer sn: Blanquer telephonenumber: title: Professor userpassword: dn: cn=juanito Juarez,o=upv,c=es,dc=ibergrid,dc=eu objectclass: organizationalperson objectclass: Top cn: Juanito Juarez sn: Juarez telephonenumber: title: Student userpassword:

20 An Information System Module 1: Tutorials and Exercises Grid Information System Example

21 ldapsearch command line Explore the information of a top bdii Returns information about all sites $ ldapsearch x h topbdii01.ncg.ingrid.pt p 2170 b 'mds voname=local,o=grid' $ ldapsearch x h topbdii01.ncg.ingrid.pt p 2170 b 'mds voname=upv GRyCAP,mds vo name=local,o=grid' Returns information only about UPV-GryCAP site

22 ldapsearch command line $ ldapsearch x h topbdii01.ncg.ingrid.pt p 2170 b 'GlueCEUniqueID=ngiescream.i3m.upv.es:8443/cream pbs lifeig,mds voname=upv GRyCAP,mds vo name=local,o=grid' Returns information only about a specific CE queue at UPV-GryCAP site $ ldapsearch x h topbdii01.ncg.ingrid.pt p 2170 b 'GlueCEUniqueID=ngiescream.i3m.upv.es:8443/cream pbs lifeig,mds voname=upv GRyCAP,mds vo name=local,o=grid' GlueCEStateFreeJobSlots GlueCEStateRunningJobs Returns information only about specific attributes of a specific CE queue at UPV-GryCAP site

23 Search filters Operators & = and = or! = not ~= = approx equal >= = greater than or equal <= = less than or equal * = any

24 ldapsearch command line $ $ ldapsearch -x -h topbdii01.ncg.ingrid.pt -p b 'mds-vo-name=upv-grycap,mdsvo-name=local,o=grid' '(&(GlueCEUniqueID=ngiescream.i3m.upv.es:8443/*) (GlueCEAccessControlBaseRule=VO:life.vo.ibergrid.eu))' GlueCEStateFreeCPUs GlueCEStateFreeJobSlots Returns information only about specific attributes of a specific CE queue at UPV-GryCAP site What should be the query to show all the CE queues at UPV-GryCAP with active Running Jobs?

25 Apache Directory Studio Apache offers a free LDAP Browser cd $HOME/MyOpenLDAP tar xzvf ApacheDirectoryStudio-linux-x86_ v /ApacheDirectoryStudio

26 Apache Directory Studio Configure a new connection LDAP New Connection Connection Name: MyConn Hostname: topbdii01.ncg.ingrid.pt Port: 2170 Hit Next Authentication Method: No Authentication Hit Finish

27 Explore the DIT Apache Directory Studio o=grid Mds-vo-name=local Mds-vo-name=<Site Name> Look up for UPV-GRyCAP What is the CE name? How many slots are available for phys.vo.ibergrid.vo? How many jobs for VO phys.vo.ibergrid.eu are running?

28 GSTAT

29 An Information System Module 2: Tutorials and Exercises LDAP ACLs

30 Define an ACL in slapd that LDAP ACL Exercises Only authenticated users can access information The userpassword attribute is only readable/writable by the entry No one else should have any kind of rights All other attributes are writable by the entry and readable by all

31 A possible solution LDAP ACL Exercises $ cat $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/slapd.conf access to attrs=userpassword by self write by anonymous auth by * none access to * by self write by anonymous auth by * read $ restart slapd $ ldapsearch x b 'dc=ibergrid,dc=eu' $ ldapsearch x b 'dc=ibergrid,dc=eu' D 'cn=juanito Juarez,o=upv,c=es,dc=ibergrid,dc=eu' W

32 An Information System Module 2: Tutorials and Exercises LDAP Referrals

33 Referrals Edit setup.sh Comment the compilation of the BDB part Change the LDAP_INSTALL_DIR defintion to LDAP_INSTALL_DIR="$BASE/openldap-24.2" Rerun./setup.sh The objective is to deploy another slapd server in the same machine

34 Referrals Lauch the 2nd slapd instances Start the 2 nd instance (as root) in a different port Copy / Change slapd conf file $ cp $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/slapd.conf $HOME/MyOpenLDAP/openldap 24.2/etc/openldap/slapd.conf $ sudo LD_LIBRARY_PATH=LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib: $LD_LIBRARY_PATH $HOME/MyOpenLDAP/openldap 24.2/libexec/slapd u <user> h ldap://localhost:390 # netstat tapn grep slapd tcp : :* LISTEN 6210/slapd tcp : :* LISTEN 6215/slapd

35 Configure a DIT in the 2nd instance dc=eu Referrals o=lip dc=ibergrid c=pt cn=goncalo Borges $ ldapadd x D "cn=manager,dc=ibergrid,dc=eu" H ldap://localhost:390 W f $HOME/MyOpenLDAP/LdifFiles/Start_2ndslapd.ldif $ ldapsearch x D "cn=manager,dc=ibergrid,dc=eu" b 'dc=ibergrid,dc=eu' H ldap://localhost:390 W

36 ldap://localhost:389 Referrals dc=eu ldap://localhost:390 dc=ibergrid c=pt c=es o=lip o=upv cn=goncalo Borges cn=juanito Juarez cn=ignacio Blanquer

37 Referrals Add o=lip entry to the 1nd slapd DIT Create o=lip using objectclass referral ref: ldap://localhost:390/o=lip,c=pt,dc=ibergrid,dc=eu as the only attribute $ ldapadd x D "cn=manager,dc=ibergrid,dc=eu" W f $HOME/MyOpenLDAP/LdifFiles/Referrals.ldif $ ldapsearch x D "cn=manager,dc=ibergrid,dc=eu" b 'dc=ibergrid,dc=eu' W

38 Referrals Change slapd config of the 1 st Restart 1 st slapd instance instance $ cat $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/slapd.conf moduleload back_ldap.la overlay chain chain max depth 1 chain return error TRUE overlay chain chain uri "ldap://localhost:390/" chain rebind as user yes chain idassert bind bindmethod="simple" binddn="cn=manager,dc=ibergrid,dc=eu" credentials="secret" mode="self"

39 Referrals Query the DIT (using the 1 st slapd server) Information from the 2 nd slapd server will be showed $ $ ldapsearch x b 'dc=ibergrid,dc=eu' D "cn=manager,dc=ibergrid,dc=eu" W

40 An Information System Module 2: Tutorials and Exercises LDAPS

41 Create a Certification Authority We need a CA to issue a certificate for our server. This can be one purchased commercially or we can create our own CA To create your own CA we will use OpenSSL This is done only once

42 Create a Certification Authority We need a CA to issue a certificate for our server. This can be one purchased commercially or we can create our own CA To create your own CA we will use OpenSSL This is done only once

43 Create a Certification Authority $ mkdir $HOME/MyOpenLDAP/MyCERTS $ cd $HOME/MyOpenLDAP/MyCERTS $ cp /etc/pki/tls/misc/ca./ca.sh $ cp /etc/pki/tls/openssl.cnf openssl.cnf $ vi openssl.cnf (change the $dir definition) $ SSLEAY_CONFIG=" config./openssl.cnf" CATOP=$PWD./CA.sh newca Read Carefully all the questions Generates a public and a private key for the CA./private/cakey.pem./cacert.pem

44 Generate a host certificate Create a public and private key for the server The set (public+private) keys is the server certificate The Common Name for this cert should be the fully qualified domain name of the server Then use your CA to sign this cert request

45 Generate and sign certificate # The nodes argument above prevents encryption # of the private key. OpenLDAP only works with # unencrypted private keys. $ openssl req new nodes keyout newreq.pem out newreq.pem $ SSLEAY_CONFIG=" config./openssl.cnf" CATOP=$PWD./CA.sh sign Generates a public and a private key for the host./newreq.pem./newcert.pem

46 Install the CA public key The CA public key has to be installed both in server and in clients We have generated our own CA However, in real (grid) world, there is a domain of trusted formed by a well known set of CAs Host Certificates issued by unknown CAs will not be recognized has valid $ cp cacert.pem $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/cacert.pem

47 Install the host certificate in the server $ mv newcert.pem $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/servercrt.pem $ mv newreq.pem $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/serverkey.pem $ chmod 400 $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/serverkey.pem $ chmod 644 $HOME/MyOpenLDAP/openldap 24.1/etc/openldap/servercrt.pem It is important that the host private key has the correct permission (only root should be able to read it)

48 Configure server Server has to be configured to use encryption # SERVER ($HOME/MyOpenLDAP/openldap 24.1/etc/openldap/slapd.conf) TLSCACertificateFile /home/<user>/myopenldap/openldap 24.1/etc/openldap/cacert.pem TLSCertificateFile /home/<user>/myopenldap/openldap 24.1/etc/openldap/servercrt.pem TLSCertificateKeyFile /home/<user>/myopenldap/openldap 24.1/etc/openldap/serverkey.pem

49 Configure client Client has to be configured to use encryption # CLIENT ($HOME/MyOpenLDAP/openldap 24.1/etc/openldap/ldap.conf) TLS_CACERT /home/<user>/myopenldap/openldap 24.1/cacert.pem

50 Test the server response Test if the server is offering the host certificate to the client # RESTART SERVER $ ps xuawww grep slapd $ kill <pid> $ sudo LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib:$LD_LIBRARY_PATH $HOME/MyOpenLDAP/openldap 24.1/libexec/slapd h ldaps://localhost:636 u <user> $ openssl s_client connect localhost:636 showcerts

51 Be really sure that data is being encrypted Use tcpdump (as root) $ tcpdump A i lo port 636 Compare the information you get when the server is started in the default port 389 No encryption

52 Free Exercise Define a DIT at your will Think what information you want to deliver and implement the model Protect your DIT from unauthorized accesses Implement ACLS Generate a certificate and configure the server for encryption