OpenLDAP. Linux Systems Authentication. Dr. Giuliano Taffoni IASFBO

Similar documents
User Management / Directory Services using LDAP

Practical LDAP on Linux

An Information System

Linux Authentication using LDAP and edirectory

Implementazione dell autenticazione con LDAP

Directory Solutions Using OpenLDAP

DB2 - LDAP. To start with configuration of transparent LDAP, you need to configure the LDAP server.

Security with LDAP. Andrew Findlay. February Skills 1st Ltd

Avaya CM Login with Windows Active Directory Services

Configuring idrac6 for Directory Services

Introduction to Linux (Authentication Systems, User Accounts, LDAP and NIS) Süha TUNA Res. Assist.

OpenLDAP Configuration and Tuning in the Enterprise

The Integration of LDAP into the Messaging Infrastructure at CERN

LDAP (Lightweight Directory Access Protocol) LDAP is an Internet standard protocol used by

The following gives an overview of LDAP from a user's perspective.

Unified Authentication, Authorization and User Administration An Open Source Approach. Ted C. Cheng, Howard Chu, Matthew Hardin

Introduction Installing and Configuring the LDAP Server Configuring Yealink IP Phones Using LDAP Phonebook...

LDAP Server Configuration Example

Creating an LDAP Directory

LDAP Server Configuration Example

Samba and LDAP in 30 Minutes

MATLAB Toolbox implementation for LDAP based Server accessing

Relecture du TP de Benoit Métrot des rencontres mathrice de Poitiers en mars 2008

OpenLDAP Software 2.4 Administrator's Guide

CA SiteMinder. Directory Configuration - OpenLDAP. r6.0 SP6

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

Univention Corporate Server. Extended domain services documentation

FirstClass Directory Services 10 (Build 11)

Linux/Unix Active Directory Authentication Integration Using Samba Winbind

Attunity RepliWeb PAM Configuration Guide

Interoperability Update: Red Hat Enterprise Linux 7 beta and Microsoft Windows

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

System Authentication for AIX and Linux using the IBM Directory Server

Using Active Directory to Authenticate Linux Users. Using Standard Protocols and Open Source Products

Installing Squid with Active Directory Authentication

In this chapter, we will introduce works related to our research. First, we will

Ciphermail Gateway Web LDAP Authentication Guide

Technical Bulletin 41137

Internet infrastructure. Prof. dr. ir. André Mariën

Importing data from Linux LDAP server to HA3969U

Writing Access Control Policies for LDAP

LDAP-UX Client Services B with Microsoft Windows Active Directory Administrator's Guide

Integrating PISTON OPENSTACK 3.0 with Microsoft Active Directory

Install and Configure an Open Source Identity Server Lab

Active Directory and Linux Identity Management

LDAP Theory and Management

KACE Appliance LDAP Reference Guide V1.4

Using LDAP with Sentry Firmware and Sentry Power Manager (SPM)

Using LDAP Authentication in a PowerCenter Domain

LDAP Schema Design. Andrew Findlay Skills 1st Ltd. February

UNIL Administration. > Many databases and applications:

Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman. International Technical Support Organization

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

EVERYTHING LDAP. Gabriella Davis

Copyright 2016 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International, Inc., registered in the U.S. and/or other countries.

User Management Resource Administrator. Managing LDAP directory services with UMRA

90 Marius Leahu, Vasile Buzuloiu, Dan Alexandru Stoichescu

LDAP Directory Integration with Cisco Unity Connection

I am an SE at a large storage system vendor

Integrating AIX into Heterogeneous LDAP Environments

Measurement and Analysis of LDAP Performance

Novell Identity Manager

"Charting the Course... Enterprise Linux Networking Services Course Summary

Configuring and Using the TMM with LDAP / Active Directory

X.500 and LDAP Page 1 of 8

How to Use Microsoft Active Directory as an LDAP Source with the Oracle ZFS Storage Appliance

Oracle Communications Unified Communications Suite

Your Question. Article: Question: How do I Configure LDAP with Net Report?

Lab Tasks 1. Configuring a Slave Name Server 2. Configure rndc for Secure named Control

Surviving Cyrus SASL

Linuxdays 2005, Samba Tutorial

SAS. 9.2 Integration Technologies. Directory Services Reference

Steps to configure SiteMinder Policy Server to connect to CA Directory using LDAPS

RHEL Clients to AD Integrating RHEL clients to Active Directory

Active Directory LDAP Quota and Admin account authentication and management

AXIGEN Mail Server. Implementing, Deploying and Managing a High Availability Distributed Solution on. Copyright 2007 GECAD Technologies S.A.

Apache Directory Studio LDAP Browser. User's Guide

Managing Users and Identity Stores

Managing Identities and Admin Access

How To Authenticate On An Xtma On A Pc Or Mac Or Ipad (For A Mac) On A Network With A Password Protected (For An Ipad) On An Ipa Or Ipa (For Mac) With A Log

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Open Directory & OpenLDAP. David M. O Rourke Engineering Manager

Allowing Linux to Authenticate to a Windows 2003 AD Domain. Prepared by. Thomas J. Munn, CISSP 11-May-06

Securing SAS Web Applications with SiteMinder

Quality Center LDAP Guide

How To Manage A Network On A Linux Computer (Vnx) On A Windows 7 Computer (Windows) On An Ipod Or Ipod (Windows 7) On Your Ipod Computer (For Windows) On The Network (For Linux)

How-to Access RACF From Distributed Platforms

Identity Management in Quercus. CampusIT_QUERCUS

Authentication in a Heterogeneous Environment

To integrate Oracle Application Server with Active Directory follow these steps.

OpenLDAP in High Availability Environments

Integrating Lustre with User Security Administration. LAD 15 // Chris Gouge // 2015 Sep

Sample. Configuring the RADIUS Server Integrated with ProCurve Identity Driven Manager. Contents

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

H3C SSL VPN Configuration Examples

Adeptia Suite LDAP Integration Guide

Windows Enterprise OU Administrator Tips. Integrating RHEL5 Systems with Active Directory

GL-275: Red Hat Linux Network Services. Course Outline. Course Length: 5 days

Security Provider Integration LDAP Server

Transcription:

OpenLDAP Linux Systems Authentication Dr. Giuliano Taffoni IASFBO

Layout Introduction to LDAP Authentication based on LDAP Linux on Linux LDAP over SSL Fault Tolerance: basic replication.

LDAP Overview LDAP is a Lightweight Directory Access Protocol (RFC 4510) LDAP marries a lightweight DAP with the X.500 information model Uses an extensible hierarchical object data model

What is LDAP LDAP is a directory service: information tree Front end to a DB. Implement multiple back-ends : LDBM, RDBMS, simple indexes (Berkeley DB), X.500 gateway Designed for frequent reads and infrequent writes

Authentication - LDAP username+passwd repository Store objects (ex. Jpegs, ssh certificates) Replication Load balancing (replicas) Not a db: no rollback, no transactions

Some terminology DN: distinguish name (RFC 2253) Identify entry a0 root a1 b1 c1 a2 b2 a2 dn: a3,a2,a1,a0 a3 b3 dn: a2,b1,a0

Some terminology <attribute><value> Attribute has: Name (unique, case insensitive) OID (int = 1.3.6.1.4.1.1466.115.121.1.27) DN root identify the whole tree RDN (relative distinguish name) Unique for the same progenitor ex. a2 DN = sequence of RDNs

Naming Traditional naming: c=it, l=bologna, o=iasf RFC naming dc=it, dc=bologna, dc=inaf dc=domain component

Schema and classes objectclass Set of functional attributes Each attribute is described by a class Required attribute Optional attribute objectclass: Person Required Optional cn description sn seealso telephonenumber userpassword

Schema and classes organizationalunit Required ou Optional businesscategory description telephonenumber PostalAddress postalcode street etc...

Example dn: cn=mario, ou=iasf, dc=inaf, dc=it objectclass: top objectclass: person cn: mario sn: rossi ou = iasf description: fannullone telephonenumber: 051 telephonenumber: 051 ou = personale ou = grid dc=inaf, dc=it ou = oats cn = mario cn = anna

OpenLDAP Version 2.4.20 Packages for Linux openldap, openldap-servers, openldapclients 2.3.4 RHEL 5 2.4 Ubuntu 9.10 2.3.43 Gentoo 2009

OpenLDAP protocol client-server (message-oriented) client is able to make more than one request simultaneously (identified by a message ID) Messages are not exchanged in plain text but with a simplified version of BER (Basic Encoding Rules

OpenLDAP security ACL to support granularity access to the tree SSL mode TLS mode (StartTLS) Note: If your server has SSL options loaded, this will launch a StartTLS capable daemon on port 389 (which is also capable of unencrypted communication) and a SSL only daemon on port 636. Under StartTLS you are leaving the security of the system to the clients because the ldap:// is capable of unencrypted communication.

OpenLDAP Client cli ldaptools: ldapsearch, ldapadd, ldapmodify Slapadd, slapindex, slappasswd Scripts (/usr/share/openldap) Server Slapd (stand-alone LDAP daemon) Slurpd (replication Daemon) Configuration /etc/openldap

Configuration /etc/openldap/schema - for schemas /etc/openldap/slapd.conf for slapd /etc/openldap/ldap.conf - for clients that uses the system /etc/ldap.conf

Schema File that collects classes Examples: /etc/openldap/schema/core.schema Person, orgunit, etc. /etc/openldap/schema/samba.schema Samba attributes /etc/openldap/schema/nis.schema homedirectory, loginshell

slapd.conf First include schemas include include include include include include /etc/openldap/schema/core.schema /etc/openldap/schema/cosine.schema /etc/openldap/schema/inetorgperson.schema /etc/openldap/schema/nis.schema /etc/openldap/schema/samba.schema /etc/openldap/schema/autofs.schema

slapd.conf backend definitions # Load dynamic backend modules: modulepath /usr/lib/openldap/openldap moduleload back_hdb.so backend hdb database hdb suffix "ou=oats,dc=inaf,dc=it" This specifies the DIT to manage rootdn rootpw "cn=manager,ou=oats,dc=inaf,dc=it" {MD5}... overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 directory /var/lib/openldap-data # Indices to maintain index cn,sn,uid eq,approx,sub index objectclass,entrycsn,entryuuid eq The database directory MUST exist prior to running slapd AND should only be accessible by the slapd and slap tools. Mode 700 recommended.

back-ends back-ldbm (classic) obsolete back-dbd Back-bdb is a back end that is optimized for the Berkeley DB and takes advantage of its page locking features to improve concurrency. Load times are substantially improved and database sizes are halved. back-hdb Back-hdb is a back end that is based on back-bdb, but which organizes its data in a true hierarchical fashion. Because of this, back-hdb supports the subtree rename operation, allowing subtrees to be quickly and efficiently moved within the same database (a requirement of the LDAPv3 standard which most other Directory Services packages fail to provide). Another advantage of back-hdb is that its hierarchical design makes for higher write throughput. This is especially good for applications that frequently modify the LDAP database.

indexing index : index the tree to increase performance index {list_attr} [pres,eq,approx,sub,none] Recommend: index objectclass eq pres eq approx sub none Present (index per attributes (which object contains which attr)) Equality (value equals to the filter) Approximate (similar) Substring (value that contains the search) No index

ACL access to * by * read slapd.conf More details in slide #Slide 23 Rootdn: necessary in slapd because at first startup there is no entry in the tree, neither the root one (we need to specify it somewhere). Later we can move it it the tree. slappasswd -h {MD5} -s the_password

Suggestions rootdn is mandatory proxyuser (suggested) Can be any user (ex. Morgan) Assign reading root capacities from ACLs Use it to query the tree (more secure) NOTE: Use root to insert and modify

ldap.conf Client configuration (/etc/openldap) NOTE: /etc/ldap.conf (used by PAM_LDAP, NSS_LDAP base URI ou=oats,dc=inaf,dc=it ldap://127.0.0.1/ note: URI ldaps:// for TLS BASE: maybe a rootdn subtree LDAP server IP

Start the server service ldap start (slapd start) chkconfig ldap on Or other ways according to the distribution

Populate the tree Ldaptools (cli) PhpLDAPadmin (http://phpldapadmin.sourceforge.net/wiki/) Webmin (http://www.webmin.com/) ldapvi (http://www.lichteblau.com/ldapvi/)

LDIF Ldap data exchange format (ASCII) <dn:><distinguish_name> <objectclass><value> <attribute_rdn><value> <attribute><value> dn: uid=morgan,ou=oats,dc=inaf,dc=it objectclass: top objectclass: posixaccount objectclass: inetorgperson objectclass: organizationalperson objectclass: person uid: morgan loginshell: /bin/bash uidnumber: 2001 gidnumber: 10 sn: Taffoni cn: Giuliano Taffoni homedirectory: /home/morgan

LDIF format <dn:><distinguish_name> <objectclass><value> <attribute_rdn><value> <attribute><value> <dn:><distinguish_name> <objectclass><value> <attribute_rdn><value> <attribute><value> Empty line Empty line <dn:><distinguish_name> <objectclass><value> <attribute_rdn><value> <attribute><value>

LDIF with Italian names Note that LDIF does not support accents (ex. sn: Cartellà) Transform in to UTF-8 iconv -f iso-8859-1 -t utf-8 source.ldif > dest.ldif May add images: jpegphoto: < file://path/name.jpg

Create the LDIF files Create multiple files to manage multiple info: DC, Users, OU, groups etc. ex. /etc/openldap/ldif/[inaf.ldif, oats.ldif] dn: dc=inaf,dc=it objectclass: top objectclass: organization objectclass: dcobject o: inaf.it dc: inaf dc: ou=oats,dc=inaf,dc=it objectclass: organizationalunit ou: oats

Add Info in the tree # ldapadd -x -D "cn=manager,ou=oats,dc=inaf,dc=it" -W -f /etc/openldap/root.ldif Enter LDAP Password:

users dn: uid=taffoni,ou=oats,dc=inaf,dc=it objectclass: top objectclass: posixaccount objectclass: inetorgperson objectclass: organizationalperson objectclass: person uid: taffoni loginshell: /bin/bash gecos: Taffoni Giuliano sn: taffoni homedirectory: /home/taffoni mail: taffoni@oats.inaf.it cn: Taffoni Giuliano TelephoneNumber: +39040... userpassword: {crypt}... uidnumber: 2002 gidnumber: 2415

Add entries # ldapadd -x -D "cn=manager,ou=oats,dc=inaf,dc=it" -W -f /etc/openldap/users.ldif Enter LDAP Password: This takes a long time!!!!

ldapadd vs slapadd ldapadd slapadd Connects to the frontend and modify back-end On the fly Uses ldif Enters data into the back-end Stop the daemon! Uses ldif

Migrate from other systems dc=inaf, dc=it ou = iasf ou = autofs ou = oats ou = people ou = groups ou = hosts cn = mario cn = anna

Migrate the entries Migration tools (www.padl.com) Perl scripts to migrate from local (YP) to LDAP Install with openldap-server (commonly) migrate-common.ph (conf file) $DEFAULT_MAIL_DOMAIN= inaf.it $DEFAULT_BASE= ou=oats,dc=inaf,dc=it $EXTENDED_SCHEMA=1

tools migrate_base.pl migrate_passwd.pl migrate_group.pl migrate_hosts.pl #./migrate_base.pl > /etc/openldap/ldif/base.ldif Edit the file to verify it.

Ldap in action: PAM and NSS pam_ldap + nss_ldap /etc/pam.d/system-auth /etc/nsswitch.conf /etc/ldap.conf

system-auth auth required pam_env.so auth sufficient pam_ldap.so auth sufficient pam_unix.so likeauth nullok nodelay \ use_first_pass auth required pam_deny.so account sufficient pam_ldap.so account required pam_unix.so password required pam_cracklib.so difok=2 minlen=8 \ dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so session optional pam_ldap.so

ldap.conf ldap_version 3 scope sub timelimit 3 bind_timelimit 3 bind_policy hard idle_timelimit 3600 pam_login_attribute uid pam_member_attribute gid pam_password md5 pam_filter uri ldap://server.hostname suffix "dc=inaf,dc=it" base ou=oats,dc=inaf,dc=it?sub nss_base_passwd ou=oats,dc=inaf,dc=it?sub nss_base_shadow ou=oats,ou=ts,dc=si.inaf,dc=it?sub nss_base_group ou=groups,ou=oats, dc=inaf,dc=it?one?description=client.hostname binddn cn=proxyuser,dc=inaf,dc=it Bindpw...

nsswitch.conf passwd: shadow: group: files ldap files ldap files ldap Name service cache restart # service nscd restart # nscd --invalidate=table to invalidate cache

Test the configuration From client # getent passwd

Increasing performance USUALLY IT IS NOT A PROBLEM 300 users on one server (2 CPUs 3GHz Xeon, 4 GB RAM) 40 users on one server (2 CPUS PIII 2 GB ram) But just in case... tune your HW works on indexes and DB thinks about replication

the role of HW DUAL CPU (note that the threads directive in slapd may be increased for more cpus. default 16) Memory (direct impact in performances) note that it is true for big db cache should be tuned on the size of memory disk access speed use different disks for db and logging

indexing How does it works? If you're searching on a filter that has been indexed, then the search reads the index and pulls exactly the entries that are referenced by the index. If the filter term has not been indexed, then the search must read every single entry in the target scope and test to see if each entry matches the filter. ok: index cn,sn,givenname,mail eq userpassword is useless Presence may be dangerous!!!!! If your client application uses presence filters and if the target attribute exists on the majority of entries in your target scope, then all of those entries are going to be read anyway. The presence index does absolutely NOTHING to benefit the search, just waists CPU and Memory.

Loglevel use the appropriate loglevel loglevel 256 (default) is ok loglevel 0 increase performances but not suggested logging may be useful: "<= bdb_equality_candidates: (pippo) index_param failed (18)" application are using an equality filter pippo= something. add pippo index

memory and cache BDB cache size (A) necessary to load the database via slapadd in optimal time du -c -h *.bdb (db size) BDB cache size (B) necessary to have a high performing running slapd once the data is loaded id2entry.bdb file, plus about 10% for growth IDL cache which is used for Index Data Lookups Importance issues: what should I fit into memory? cache A + cache B + IDL cache A + cache B entry cache

calculate memory BDB uses 2 files: dn2id.bdb (8KBxpage), id2entry.bdb (16KBxpage) B-tree DB: balanced tree need enough cache to store all the internal nodes of the db db_stat -d (# of pages) cache = # pages + some more for internal leaf data pages (given from db_stat) set_cachesize in DB_CONFIG file

slapd.conf cachesize = number of entries in memory use a number that is comparable with the entries in your tree idlcachesize = cachesize

Adding some security and customization

Restrict access to users Problem: I have one auth server and many clients. I do not want each user to connect to each client. Solution: restrict access thanks to LDAP capabilities

Create a custom schema attributetype ( 1.3.6.1.4.1.22242.1.1.5 NAME 'hostaccess' DESC 'Access Level' EQUALITY caseignorematch SUBSTR caseignoresubstringsmatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.22242.1.1.6 NAME 'gridhomedirectory' DESC 'cluster Homedir' EQUALITY caseignorematch SUBSTR caseignoresubstringsmatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) string objectclass ( 1.3.6.1.4.1.22242.1.2.1 NAME 'inaf' DESC 'INAF LDAP schema' AUXILIARY MAY ( hostaccess $ gridhomedirectory ) ) But you may add your own customization. Verify the OID of the class!!!! Example: wifiaccess

Client ldap.conf ldap_version 3 scope sub timelimit 3 bind_timelimit 3 bind_policy hard idle_timelimit 3600 pam_login_attribute uid pam_member_attribute gid pam_password md5 pam_filter uri ldap://server.hostname suffix "dc=inaf,dc=it" base ou=oats,dc=inaf,dc=it?sub nss_base_passwd ou=oats,dc=inaf,dc=it?sub?hostaccess=client.hostname nss_base_shadow ou=oats,ou=ts,dc=si.inaf,dc=it?sub?hostaccess=client.hostname nss_base_group ou=groups,ou=oats, dc=inaf,dc=it?one?description=client.hostname binddn cn=proxyuser,dc=inaf,dc=it Bindpw...

Users ldif dn: uid=taffoni,ou=oats,dc=inaf,dc=it objectclass: top objectclass: posixaccount objectclass: inetorgperson objectclass: organizationalperson objectclass: person objectclass: inafsi uid: taffoni loginshell: /bin/bash gecos: Taffoni Giuliano sn: taffoni homedirectory: /home/taffoni mail: taffoni@oats.inaf.it cn: Taffoni Giuliano TelephoneNumber: +39040... userpassword: {crypt}... uidnumber: 2002 GidNumber: 2415 hostaccess: client.hostname hostaccess: client2.hostname

Automatic client configuration Modify /etc/pam.d/sshd append at the end of the file this line: session required pam_mkhomedir.so skel=/etc/skel umask=0077 This automatically creates the home at first login

Customize home dn: uid=taffoni,ou=oats,dc=inaf,dc=it objectclass: top objectclass: posixaccount objectclass: inetorgperson objectclass: organizationalperson objectclass: person objectclass: inafsi uid: taffoni loginshell: /bin/bash gecos: Taffoni Giuliano sn: taffoni homedirectory: /home/taffoni gridhomedirectory: /users/taffoni mail: taffoni@oats.inaf.it cn: Taffoni Giuliano TelephoneNumber: +39040... userpassword: {crypt}... uidnumber: 2002 GidNumber: 2415 hostaccess: client.hostname hostaccess: client2.hostname

Client ldap.conf ldap_version 3 scope sub timelimit 3 bind_timelimit 3 bind_policy hard idle_timelimit 3600 pam_login_attribute uid pam_member_attribute gid pam_password md5 pam_filter uri ldap://server.hostname suffix "dc=inaf,dc=it" base ou=oats,dc=inaf,dc=it?sub nss_map_attribute homedirectory gridhomedirectory nss_base_passwd ou=oats,dc=inaf,dc=it?sub nss_base_shadow ou=oats,ou=ts,dc=si.inaf,dc=it?sub nss_base_group ou=groups,ou=oats, dc=inaf,dc=it?one?description=client.hostname binddn cn=proxyuser,dc=inaf,dc=it Bindpw...

LDAP with TLS SSL Get the certificates: Server cert, server key, ca cert GARR, INFN, myca (xca) Modify server slapd.conf security tls=1 TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile /etc/openldap/ssl/cert.pem /etc/openldap/ssl/req.pem /etc/openldap/ssl/cacert.pem

Client configuration Modify /etc/openldap/ldap.conf HOST myserver.com PORT 636 TLS_CACERT /etc/ssl/certs/cacert.pem TLS_REQCERT demand Sometimes it is necessary to set.ldaprc for root (both in /root and in /)

More security Client-server SSL authentication Both client and server needs a server cert/key On server (slapd.conf) TLSVerifyClient demand On client (ldap.conf and.ldaprc) TLS_REQCERT demand # client authentication TLS_CERT /etc/ssl/ldap/client.cert.pem TLS_KEY /etc/ssl/ldap/client.key.pem

testing # openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca cert> If you use client-server SSL # openssl s_client -connect myserver.com:636 -state \ -CAfile /etc/ssl/ldap/cacert.pem \ -cert /etc/ssl/ldap/client.cert.pem \ -key /etc/ssl/ldapclient.key.pem Search the tree # ldapsearch -x -b "ou=oats,dc=inaf,dc=it" -D "uid=morgan,ou=infra,ou=oats,dc=inaf,dc=it" '(uid=morgan)' -H ldaps://localhost -W

Searching the tree ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes] # ldapsearch -x -b "dc=inaf,dc=it" -D "uid=morgan,ou=infra,ou=oats,dc=inaf,dc=it" '(uid=morgan)' -H ldaps://localhost -W uid userpassword access to dn.subtree="dc=inaf,dc=it" attrs="userpassword" by dn.subtree="ou=infra,ou=oats,dc=inaf,dc=it" write

Using filters Basic syntax attribute operator value Operators: <, >, ~=,=, *, =* Multiple filters (boolean operators) (Boolean-operator(filter)(filter)(filter)...) examples: description=*x.500* (&(!(objectclass=person))(cn~=printer3b))

ACL in practice slapd.conf access to (what) by (who) access control

what * all attr Specific attributes dn dn.scope dn base children subtree itself Only childrens itself+childrens

who anonymous * all dn dn.scope anonymous A dn See what table

control write read search compare

example access to dn.subtree= ou=ts,dc=inaf,dc=it by dn.subtree= ou=infra,dc=inaf,dc=it... write grid infra ts bo groups sudoers uid uid uid uid

Basic replica slave update Replica server done bind & update req update master Replica server Rep log

Replica master slapd.conf replogfile filename replica host = slave:389 binddn = cn=replicator, dc=inaf, dc=it SSL? tsl = yes NOTE: make a backup of the tree to a file (ldapxxx) and copy it to the slave

Replica slave Use the same slapd.conf of master But: Delete the replica host statement Delete the replogfile statement updateref = masterip updatedn = master binddn (ex. cn=replicator...) Need ACL

Slave setup ACLs: access to dn=.*,dc=inaf,dc=it by dn= cn=replicator,... write LDIF: ldapadd the master ldif But: add the replicator dn: cn=replicator, dc=... cn=replicator objclass= top objclass = simplesecurityobject

OpenLDAP components opendap cli: ldapadd Ldapsearch slap cli: slapadd slapd: server daemon slurpd: replica daemon

Next issue Hyper-security on WAN: client-server double authentication Advanced replication Linux and Windows coexistence SAMBA and LDAP ACTIVE directory and Linux

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information