An Information System


An Information System
Module 1: Tutorials and Exercises: Basics

Software Setup
Log in to your machine and run the setup script:
$ cd $HOME/MyOpenLDAP
$ chmod u+x setup.sh
$ ./setup.sh

./setup.sh (BDB setup)
Prepare the Berkeley Database backend. Download the software (gzip tarball) from Oracle: http://www.oracle.com/technetwork/products/berkeleydb/downloads/index.html
$ cd $HOME/MyOpenLDAP
$ tar xzvf db-5.3.15.tar.gz
$ cd db-5.3.15/build_unix
$ ../dist/configure --prefix=$HOME/MyOpenLDAP/db5
$ make
$ make install
$ ls -l ../../db5

./setup.sh (LDAP setup)
Prepare the LDAP software. Download the gzip tarball from http://www.openldap.org/software/download/
$ cd $HOME/MyOpenLDAP
$ tar xzvf openldap-2.4.31.tgz; cd openldap-2.4.31
$ export LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib:$LD_LIBRARY_PATH
$ CPPFLAGS="-I$HOME/MyOpenLDAP/db5/include -I/usr/include/libiodbc/" \
  LDFLAGS="-L$HOME/MyOpenLDAP/db5/lib" \
  ./configure --prefix=$HOME/MyOpenLDAP/openldap-24.1 \
    --exec-prefix=$HOME/MyOpenLDAP/openldap-24.1 \
    --bindir=$HOME/MyOpenLDAP/openldap-24.1/bin \
    --libdir=$HOME/MyOpenLDAP/openldap-24.1/lib \
    --includedir=$HOME/MyOpenLDAP/openldap-24.1/include \
    --enable-modules --enable-backends --enable-overlays --disable-ndb --disable-perl
$ make depend; make; make install

LDAP Configuration
slapd configuration file (slapd.conf) sections: $HOME/MyOpenLDAP/etc/openldap/slapd.conf
# global configuration directives
<global config directives>
# backend definition
backend <typeA>
<backend specific directives>
# first database definition & config directives
database <typeA>
<database specific directives>
# second database definition & config directives
database <typeB>
<database specific directives>

LDAP Configuration
Key configuration options (slapd.conf):
$ cat $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/slapd.conf
include /home/profesor/MyOpenLDAP/openldap-24.1/etc/openldap/schema/core.schema
database bdb
suffix "dc=ibergrid,dc=eu"
rootdn "cn=manager,dc=ibergrid,dc=eu"
rootpw secret
directory /home/profesor/openldap/openldap-24.1/var/openldap-data

Schema
Inspect the included schema file core.schema and study the object classes dcObject, organization and country:
- Determine the kind of each object class
- Determine which attributes are MUST for each object class
- Determine the format (syntax) of each attribute

slapd Startup
The slapd process has to be started by root, but it can then run as any user (-u <user>):
$ sudo LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib:$LD_LIBRARY_PATH $HOME/MyOpenLDAP/openldap-24.1/libexec/slapd -u <user> (optionally -d 255 -h ldap://localhost:<port>)
$ ps xuawww | grep slapd
profesor 19475 0.5 1.4 83552 7244 pts/1 Sl+ 19:44 0:00 /home/profesor/MyOpenLDAP/openldap-24.1/libexec/slapd -u profesor -d 255

ldapsearch
Use ldapsearch to query the slapd server. The database is still empty, so the search returns "No such object":
$ export PATH=$HOME/MyOpenLDAP/openldap-24.1/bin:$PATH
$ which ldapsearch
~/MyOpenLDAP/openldap-24.1/bin/ldapsearch
$ ldapsearch -x -b dc=ibergrid,dc=eu
# search result
search: 2
result: 32 No such object
# numResponses: 1

An Information System
Module 1: Tutorials and Exercises: Deploy a DIT

LDIF
Input directory with the LDIF DIT configurations: $HOME/MyOpenLDAP/LdifFiles
Start.ldif implements the primordial DIT:
dc=eu
  dc=ibergrid
    c=portugal
    c=spain

Create the initial DIT via ldapadd
Use the Start.ldif file to feed the slapd server, then check what is published using ldapsearch:
$ ldapadd -x -D "cn=manager,dc=ibergrid,dc=eu" -W -f $HOME/MyOpenLDAP/LdifFiles/Start.ldif
Enter LDAP Password:
adding new entry "dc=ibergrid,dc=eu"
adding new entry "c=pt,dc=ibergrid,dc=eu"
adding new entry "c=es,dc=ibergrid,dc=eu"
$ ldapsearch -x -b 'dc=ibergrid,dc=eu'

Add entries to the DIT via ldapadd
AddEntries.ldif adds new entries to the DIT:
dc=eu
  dc=ibergrid
    c=portugal
    c=spain
      o=upv
        cn=ignacio Blanquer
$ ldapadd -x -D "cn=manager,dc=ibergrid,dc=eu" -W -f $HOME/MyOpenLDAP/LdifFiles/AddNewEntries.ldif
$ ldapsearch -x -b 'dc=ibergrid,dc=eu'

Modify an attribute using ldapmodify
ModifyAttribute.ldif changes the telephoneNumber attribute of the entry dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu
$ ldapmodify -x -D "cn=manager,dc=ibergrid,dc=eu" -W -f $HOME/MyOpenLDAP/LdifFiles/ModifyAttribute.ldif
$ ldapsearch -x -b 'dc=ibergrid,dc=eu'

Delete an attribute using ldapmodify
DeleteAttribute.ldif deletes the telephoneNumber attribute of the entry dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu
$ ldapmodify -x -D "cn=manager,dc=ibergrid,dc=eu" -W -f $HOME/MyOpenLDAP/LdifFiles/DeleteAttribute.ldif
$ ldapsearch -x -b 'dc=ibergrid,dc=eu'

Delete an entry using ldapdelete
The deletion of an entry can be done directly on the command line:
$ ldapdelete -x 'cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu' -D "cn=manager,dc=ibergrid,dc=eu" -W
$ ldapsearch -x -b 'dc=ibergrid,dc=eu'

Build the following DIT
Do it on your own:
dc=eu
  dc=ibergrid
    c=pt
    c=es
      o=upv
        cn=ignacio Blanquer
        cn=<yourself>
Use the organizationalPerson objectclass and add the userPassword attribute.

A possible solution:
$ cat $HOME/MyOpenLDAP/LdifFiles/Exercise.ldif
dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu
objectclass: organizationalperson
objectclass: Top
cn: Ignacio Blanquer
sn: Blanquer
telephonenumber: 123456789
title: Professor
userpassword: 123456789

dn: cn=juanito Juarez,o=upv,c=es,dc=ibergrid,dc=eu
objectclass: organizationalperson
objectclass: Top
cn: Juanito Juarez
sn: Juarez
telephonenumber: 22222222
title: Student
userpassword: 222222222
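As an added example (not part of the tutorial), the following parses an LDIF file like the one above, checks each entry for the MUST attributes of its object classes (the question the Schema slide asks; the MUST sets are copied from core.schema) and replaces cleartext userpassword values with {SSHA} hashes, the form slappasswd produces and slapd verifies on bind. The function names are mine; the second sample record is constructed and deliberately lacks its o attribute.

```python
import base64, hashlib, os

# MUST attributes from core.schema for the classes the Schema slide names,
# with inherited MUSTs folded in (organizationalPerson SUP person SUP top).
MUST = {"top": set(), "dcobject": {"dc"}, "organization": {"o"}, "country": {"c"},
        "person": {"sn", "cn"}, "organizationalperson": {"sn", "cn"}}

# Constructed LDIF: the slide's first entry (shortened) plus an organization
# record that deliberately lacks its MUST attribute 'o'.
SAMPLE_LDIF = """\
dn: cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu
objectclass: organizationalperson
objectclass: Top
cn: Ignacio Blanquer
sn: Blanquer
userpassword: 123456789

dn: o=upv,c=es,dc=ibergrid,dc=eu
objectclass: organization
objectclass: top
"""

def parse_ldif(text):
    """Parse LDIF records into dicts {attr_lower: [values]} (no base64 values)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                 # a blank line ends the record
            if cur:
                entries.append(cur)
            cur = {}
        elif line.startswith(" "):           # folded continuation line
            cur[last][-1] += line[1:]
        else:
            last, _, value = line.partition(":")
            last = last.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries + [cur] if cur else entries

def missing_must(entry):
    """MUST attributes required by the entry's objectClasses but absent from it."""
    required = set()
    for oc in entry.get("objectclass", []):
        if oc.lower() not in MUST:
            raise ValueError("objectClass %r is not in the schema table" % oc)
        required |= MUST[oc.lower()]
    return sorted(required - set(entry))

def ssha(password, salt=None):
    """Hash a password in the {SSHA} form slapd stores (what slappasswd emits)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def harden(entries):
    """Replace cleartext userPassword values with {SSHA} hashes, in place."""
    for e in entries:
        if "userpassword" in e:
            e["userpassword"] = [v if v.startswith("{") else ssha(v)
                                 for v in e["userpassword"]]
    return entries
```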

An Information System
Module 1: Tutorials and Exercises: Grid Information System Example

ldapsearch command line
Explore the information of a top BDII.
$ ldapsearch -x -h topbdii01.ncg.ingrid.pt -p 2170 -b 'mds-vo-name=local,o=grid'
Returns information about all sites.
$ ldapsearch -x -h topbdii01.ncg.ingrid.pt -p 2170 -b 'mds-vo-name=upv-GRyCAP,mds-vo-name=local,o=grid'
Returns information only about the UPV-GRyCAP site.

ldapsearch command line
$ ldapsearch -x -h topbdii01.ncg.ingrid.pt -p 2170 -b 'GlueCEUniqueID=ngiescream.i3m.upv.es:8443/cream-pbs-lifeig,mds-vo-name=upv-GRyCAP,mds-vo-name=local,o=grid'
Returns information only about a specific CE queue at the UPV-GRyCAP site.
$ ldapsearch -x -h topbdii01.ncg.ingrid.pt -p 2170 -b 'GlueCEUniqueID=ngiescream.i3m.upv.es:8443/cream-pbs-lifeig,mds-vo-name=upv-GRyCAP,mds-vo-name=local,o=grid' GlueCEStateFreeJobSlots GlueCEStateRunningJobs
Returns only specific attributes of a specific CE queue at the UPV-GRyCAP site.

Search filters
Operators:
&   and
|   or
!   not
~=  approximately equal
>=  greater than or equal
<=  less than or equal
*   any

ldapsearch command line
$ ldapsearch -x -h topbdii01.ncg.ingrid.pt -p 2170 -b 'mds-vo-name=upv-grycap,mds-vo-name=local,o=grid' '(&(GlueCEUniqueID=ngiescream.i3m.upv.es:8443/*)(GlueCEAccessControlBaseRule=VO:life.vo.ibergrid.eu))' GlueCEStateFreeCPUs GlueCEStateFreeJobSlots
Returns only specific attributes of a specific CE queue at the UPV-GRyCAP site.
What should the query be to show all the CE queues at UPV-GRyCAP with active running jobs?
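The filter syntax can be exercised offline. The following added example (not part of the tutorial; parse, match, evaluate, search and ENTRIES are my names) implements an evaluator for RFC 4515 filters with the operators listed on the Search filters slide, runs it over constructed GlueCE entries (sample data, not a BDII dump; ce.example.org is a placeholder host) and answers the slide's question with the filter in RUNNING_FILTER.

```python
import re

def ce(queue, vo, running, free):
    return {"GlueCEUniqueID": [queue], "GlueCEAccessControlBaseRule": [vo],
            "GlueCEStateRunningJobs": [str(running)],
            "GlueCEStateFreeJobSlots": [str(free)]}

# Constructed sample data, not a BDII dump: two UPV-GRyCAP queues, one elsewhere.
ENTRIES = [ce("ngiescream.i3m.upv.es:8443/cream-pbs-lifeig", "VO:life.vo.ibergrid.eu", 12, 3),
           ce("ngiescream.i3m.upv.es:8443/cream-pbs-phys", "VO:phys.vo.ibergrid.eu", 0, 40),
           ce("ce.example.org:8443/cream-pbs-lifeig", "VO:life.vo.ibergrid.eu", 7, 0)]

def parse(s, i=0):
    """Parse the RFC 4515 filter starting at s[i]; return (tree, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":                           # AND / OR / NOT over sub-filters
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses in %r" % s)
        return (op, kids), i + 1
    j = s.index(")", i)                         # simple item: attr OP value
    m = re.fullmatch(r"([A-Za-z][\w;-]*)(~=|>=|<=|=)(.*)", s[i:j])
    if not m:
        raise ValueError("bad filter item: %r" % s[i:j])
    return (m.group(2), m.group(1).lower(), m.group(3)), j + 1

def match(op, value, pattern):
    if op in ("=", "~="):                       # '*' is a wildcard; ~= treated as =
        rx = ".*".join(re.escape(p) for p in pattern.split("*"))
        return re.fullmatch(rx, value, re.I) is not None
    num = value.lstrip("-").isdigit() and pattern.lstrip("-").isdigit()
    v, p = (int(value), int(pattern)) if num else (value.lower(), pattern.lower())
    return v >= p if op == ">=" else v <= p    # INTEGER syntax orders numerically

def evaluate(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(evaluate(n, entry) for n in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    return any(match(node[0], v, node[2]) for v in entry.get(node[1], []))

def search(filt, attrs=None, entries=ENTRIES):
    """Apply filt to entries; project onto attrs (case-insensitive) if given."""
    tree, end = parse(filt.strip())
    if end != len(filt.strip()):
        raise ValueError("trailing data after filter: %r" % filt)
    lowered = [{k.lower(): v for k, v in e.items()} for e in entries]
    hits = [e for e in lowered if evaluate(tree, e)]
    if attrs:
        want = {a.lower() for a in attrs}
        hits = [{k: v for k, v in e.items() if k in want} for e in hits]
    return hits

# Answer to the slide's question: UPV-GRyCAP queues that have running jobs.
RUNNING_FILTER = "(&(GlueCEUniqueID=ngiescream.i3m.upv.es:8443/*)(GlueCEStateRunningJobs>=1))"
```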

Apache Directory Studio
Apache offers a free LDAP browser:
$ cd $HOME/MyOpenLDAP
$ tar xzvf ApacheDirectoryStudio-linux-x86_64-1.5.3.v20100330
$ ./ApacheDirectoryStudio

Apache Directory Studio
Configure a new connection: LDAP > New Connection
Connection Name: MyConn
Hostname: topbdii01.ncg.ingrid.pt
Port: 2170
Hit Next
Authentication Method: No Authentication
Hit Finish

Explore the DIT with Apache Directory Studio
o=grid
  Mds-vo-name=local
    Mds-vo-name=<Site Name>
Look up UPV-GRyCAP:
- What is the CE name?
- How many slots are available for phys.vo.ibergrid.eu?
- How many jobs for VO phys.vo.ibergrid.eu are running?

GSTAT: http://gstat2.grid.sinica.edu.tw/gstat/summary/

An Information System
Module 2: Tutorials and Exercises: LDAP ACLs

LDAP ACL Exercises
Define an ACL in slapd such that:
- Only authenticated users can access information
- The userPassword attribute is only readable/writable by the entry itself
- No one else should have any kind of rights on it
- All other attributes are writable by the entry and readable by all

LDAP ACL Exercises
A possible solution:
$ cat $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/slapd.conf
access to attrs=userpassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by anonymous auth
    by * read
Restart slapd, then compare an anonymous search with an authenticated one:
$ ldapsearch -x -b 'dc=ibergrid,dc=eu'
$ ldapsearch -x -b 'dc=ibergrid,dc=eu' -D 'cn=juanito Juarez,o=upv,c=es,dc=ibergrid,dc=eu' -W
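To see why the order of the by clauses matters, here is an added example (not the tutorial's code; parse_acl, granted and allowed are my names) that models slapd's first-match evaluation of the ACL above: the first access directive whose to clause covers the attribute is selected, and within it the first matching by clause fixes the level. It also shows why by anonymous auth is needed: a client binds as juanito while still anonymous, so the auth level on userpassword is what lets the bind succeed. Only the selectors the slide uses are modelled; the rootdn, which bypasses ACLs, is not.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the slide's slapd.conf, one directive per line as shown there.
SLAPD_CONF = """
access to attrs=userpassword by self write by anonymous auth by * none
access to * by self write by anonymous auth by * read
"""

def parse_acl(conf):
    """Parse 'access to <what> by <who> <level> ...' directives into
    (what, [(who, level), ...]) pairs, in file order."""
    toks, rules, i = conf.split(), [], 0
    while i < len(toks):
        if toks[i:i + 2] != ["access", "to"]:
            raise ValueError("unexpected token %r" % toks[i])
        j = toks.index("by", i)                 # <what> runs up to the first 'by'
        what, i, by = " ".join(toks[i + 2:j]), j, []
        while i < len(toks) and toks[i] == "by":
            by.append((toks[i + 1], toks[i + 2]))
            i += 3
        rules.append((what, by))
    return rules

def what_matches(what, attr):
    """Only the '*' and 'attrs=a,b' <what> forms used on the slide."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    raise ValueError("unsupported <what> clause: %r" % what)

def who_matches(who, bound_dn, entry_dn):
    """bound_dn is None for an anonymous client; DNs compared case-insensitively."""
    return (who == "*"
            or (who == "anonymous" and bound_dn is None)
            or (who == "users" and bound_dn is not None)
            or (who == "self" and bound_dn is not None
                and bound_dn.lower() == entry_dn.lower()))

def granted(rules, bound_dn, entry_dn, attr):
    """First directive covering the attribute is selected; inside it the first
    matching <by> wins and no match means none. No directive: slapd's default read."""
    for what, by in rules:
        if what_matches(what, attr):
            for who, level in by:
                if who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"
    return "read"

def allowed(rules, bound_dn, entry_dn, attr, needed):
    """True if the granted level is at least what the operation needs
    (read for search results, write for modify, auth for a simple bind)."""
    return LEVELS.index(granted(rules, bound_dn, entry_dn, attr)) >= LEVELS.index(needed)

RULES = parse_acl(SLAPD_CONF)
JUANITO = "cn=juanito Juarez,o=upv,c=es,dc=ibergrid,dc=eu"
IGNACIO = "cn=ignacio Blanquer,o=upv,c=es,dc=ibergrid,dc=eu"
```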

An Information System
Module 2: Tutorials and Exercises: LDAP Referrals

Referrals
Edit setup.sh:
- Comment out the compilation of the BDB part
- Change the LDAP_INSTALL_DIR definition to LDAP_INSTALL_DIR="$BASE/openldap-24.2"
- Rerun ./setup.sh
The objective is to deploy another slapd server on the same machine.

Referrals: launch the 2nd slapd instance
Copy and change the slapd.conf file, then start the 2nd instance (as root) on a different port:
$ cp $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/slapd.conf $HOME/MyOpenLDAP/openldap-24.2/etc/openldap/slapd.conf
$ sudo LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib:$LD_LIBRARY_PATH $HOME/MyOpenLDAP/openldap-24.2/libexec/slapd -u <user> -h ldap://localhost:390
# netstat -tapn | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 6210/slapd
tcp 0 0 127.0.0.1:390 0.0.0.0:* LISTEN 6215/slapd

Referrals: configure a DIT in the 2nd instance
dc=eu
  dc=ibergrid
    c=pt
      o=lip
        cn=goncalo Borges
$ ldapadd -x -D "cn=manager,dc=ibergrid,dc=eu" -H ldap://localhost:390 -W -f $HOME/MyOpenLDAP/LdifFiles/Start_2ndslapd.ldif
$ ldapsearch -x -D "cn=manager,dc=ibergrid,dc=eu" -b 'dc=ibergrid,dc=eu' -H ldap://localhost:390 -W

Referrals: the two DITs
Server ldap://localhost:389:
dc=eu
  dc=ibergrid
    c=pt
      o=lip (referral)
    c=es
      o=upv
        cn=juanito Juarez
        cn=ignacio Blanquer
Server ldap://localhost:390:
dc=eu
  dc=ibergrid
    c=pt
      o=lip
        cn=goncalo Borges

Referrals: add the o=lip entry to the 1st slapd DIT
Create o=lip using the objectclass referral, with
ref: ldap://localhost:390/o=lip,c=pt,dc=ibergrid,dc=eu
as the only attribute:
$ ldapadd -x -D "cn=manager,dc=ibergrid,dc=eu" -W -f $HOME/MyOpenLDAP/LdifFiles/Referrals.ldif
$ ldapsearch -x -D "cn=manager,dc=ibergrid,dc=eu" -b 'dc=ibergrid,dc=eu' -W

Referrals: change the slapd config of the 1st instance and restart it
$ cat $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/slapd.conf
moduleload back_ldap.la
overlay chain
chain-max-depth 1
chain-return-error TRUE
chain-uri "ldap://localhost:390/"
chain-rebind-as-user yes
chain-idassert-bind bindmethod="simple" binddn="cn=manager,dc=ibergrid,dc=eu" credentials="secret" mode="self"

Referrals: query the DIT using the 1st slapd server
Information from the 2nd slapd server will be shown:
$ ldapsearch -x -b 'dc=ibergrid,dc=eu' -D "cn=manager,dc=ibergrid,dc=eu" -W

An Information System
Module 2: Tutorials and Exercises: LDAPS

Create a Certification Authority
We need a CA to issue a certificate for our server. This can be one purchased commercially, or we can create our own CA. To create our own CA we will use OpenSSL. This is done only once.

Create a Certification Authority
$ mkdir $HOME/MyOpenLDAP/MyCERTS
$ cd $HOME/MyOpenLDAP/MyCERTS
$ cp /etc/pki/tls/misc/CA ./CA.sh
$ cp /etc/pki/tls/openssl.cnf openssl.cnf
$ vi openssl.cnf   (change the $dir definition)
$ SSLEAY_CONFIG="-config ./openssl.cnf" CATOP=$PWD ./CA.sh -newca
Read all the questions carefully. This generates a public and a private key for the CA:
./private/cakey.pem
./cacert.pem

Generate a host certificate
Create a public and a private key for the server. The key pair (public + private) is the server certificate. The Common Name of this certificate should be the fully qualified domain name of the server. Then use your CA to sign the certificate request.

Generate and sign the certificate
$ openssl req -new -nodes -keyout newreq.pem -out newreq.pem
$ SSLEAY_CONFIG="-config ./openssl.cnf" CATOP=$PWD ./CA.sh -sign
# The -nodes argument above prevents encryption of the private key.
# OpenLDAP only works with unencrypted private keys.
This generates a public and a private key for the host: ./newreq.pem (private key and request) and ./newcert.pem (signed certificate).

Install the CA public key
The CA public key has to be installed both in the server and in the clients. We have generated our own CA; however, in the real (grid) world there is a domain of trust formed by a well-known set of CAs. Host certificates issued by unknown CAs will not be recognized as valid.
$ cp cacert.pem $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/cacert.pem

Install the host certificate in the server
$ mv newcert.pem $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/servercrt.pem
$ mv newreq.pem $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/serverkey.pem
$ chmod 400 $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/serverkey.pem
$ chmod 644 $HOME/MyOpenLDAP/openldap-24.1/etc/openldap/servercrt.pem
It is important that the host private key has the correct permissions (only root should be able to read it).

Configure the server
The server has to be configured to use encryption.
# SERVER ($HOME/MyOpenLDAP/openldap-24.1/etc/openldap/slapd.conf)
TLSCACertificateFile /home/<user>/MyOpenLDAP/openldap-24.1/etc/openldap/cacert.pem
TLSCertificateFile /home/<user>/MyOpenLDAP/openldap-24.1/etc/openldap/servercrt.pem
TLSCertificateKeyFile /home/<user>/MyOpenLDAP/openldap-24.1/etc/openldap/serverkey.pem

Configure the client
The client has to be configured to use encryption.
# CLIENT ($HOME/MyOpenLDAP/openldap-24.1/etc/openldap/ldap.conf)
TLS_CACERT /home/<user>/MyOpenLDAP/openldap-24.1/cacert.pem

Test the server response
Test whether the server is offering the host certificate to the client.
# RESTART SERVER
$ ps xuawww | grep slapd
$ kill <pid>
$ sudo LD_LIBRARY_PATH=$HOME/MyOpenLDAP/db5/lib:$LD_LIBRARY_PATH $HOME/MyOpenLDAP/openldap-24.1/libexec/slapd -h ldaps://localhost:636 -u <user>
$ openssl s_client -connect localhost:636 -showcerts

Be really sure that data is being encrypted
Use tcpdump (as root):
# tcpdump -A -i lo port 636
Compare with the information you get when the server is started on the default port 389 (no encryption).

Free Exercise
- Define a DIT at your will: think about what information you want to deliver and implement the model
- Protect your DIT from unauthorized access: implement ACLs
- Generate a certificate and configure the server for encryption