Configuring LDAP-UX
Module 13
H3065S F.00
© 2005 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Managing Users via /etc/passwd
The HP-UX operating system utilizes a variety of configuration files to manage
users, groups, and other critical information.
Traditionally, each HP-UX host on a network maintained an independent copy of
/etc/passwd, /etc/group, /etc/hosts and other configuration files.
As a result, adding a user, group, or host often required manual updates to
multiple configuration files on multiple hosts.
[Figure: four hosts, each holding its own copy of /etc/passwd, /etc/group and /etc/hosts]
How can I ensure that all of my hosts are configured consistently?
Managing Users via NIS or LDAP
HP-UX now offers several alternative solutions for managing configuration information.
Of these solutions, LDAP provides the greatest scalability, security, and flexibility.
Solution            Complexity  Scalability         Security  Interoperability
Local Config Files  Low         One Host            High      UNIX only
NIS                 Medium      Hundreds of Hosts   Low       UNIX only
LDAP Protocol       High        Thousands of Hosts  High      Most OSes, Many Applications
How Does LDAP Work?
• A directory server maintains a database of user, group, and other information
• Clients use the LDAP protocol to issue queries to the directory server
• The directory server retrieves the requested information from the database
• The directory server sends a reply back to the client via the LDAP protocol
[Figure: LDAP clients send queries to the directory server over the LDAP protocol and receive replies drawn from its database of user, group and other entries. Sample queries: "What is user1's UID?", "Who belongs to the users group?", "What is sanfran's IP?", "What is telnet's standard port number?"]
Schema
• Multiple applications and operating systems utilize directory services
• Each application may need to store different types of information in the directory
• Directory schema determine what types of information may be stored in a directory
• Directory server schema are extensible, to support various clients and applications
• eg: RFC 2256 defines a schema for representing general information about individuals
• eg: RFC 2307 defines a schema for representing UNIX users, groups, hosts, etc.
The RFC 2307 schema provides LDAP alternatives to /etc/passwd, /etc/group, /etc/hosts, /etc/services, /etc/networks, and others.
Object Classes and Attributes
• Every schema defines one or more object classes
• Every object class includes one or more object attributes
• Some attributes are required
• Some attributes are optional
• Some attributes may be included in multiple object classes
• Schema, object classes, and attributes may be customized to meet your needs
Schema     Object classes    Attributes (of posixAccount)
RFC 2307   posixAccount      uidNumber
           posixGroup        gidNumber
           ipHost            gecos
           ipService         homeDirectory
           ipNetwork         loginShell
           and others...     and others...
Directory Entries
• A directory server database contains one or more directory entries
• Each entry contains a list of object classes
• Each entry’s object class(es) determines which attributes are allowed in the entry
• Each attribute has one or more values
A sample abbreviated directory entry for user1:
objectClass: top
objectClass: account
objectClass: posixAccount
cn: user1
uid: user1
uidNumber: 101
gidNumber: 101
homeDirectory: /home/user1
loginShell: /usr/bin/sh
Directory Information Trees
• Directory servers organize entries in a hierarchical Directory Information Tree (DIT)
• A directory’s tree structure may be customized as desired
o=hp.com
|-- ou=western
|   |-- ou=people
|   |   |-- uid=user1   (entry: uid=user1, uidNumber=101, ...)
|   |   `-- uid=user2
|   `-- ou=groups
|       |-- cn=users
|       `-- cn=adm
`-- ou=eastern
    |-- ou=people
    |   |-- uid=user3   (entry: uid=user3, uidNumber=103, ...)
    |   `-- uid=user4
    `-- ou=groups
        |-- cn=users
        `-- cn=adm
DNs and RDNs
• Every entry in a DIT is identified by a Relative Distinguished Name (RDN)
• An RDN consists of one or more attribute/value pairs from the entry
• An entry’s RDN must distinguish the entry from other entries in the local subtree
• Every entry in a DIT also has a Distinguished Name (DN)
• An entry’s DN is a concatenation of RDNs leading to the entry
• An entry’s DN must be globally unique across the entire tree
o=hp.com
|-- ou=western
|   |-- ou=people
|   |   |-- uid=user1   RDN: uid=user1
|   |   |               DN:  uid=user1, ou=people, ou=western, o=hp.com
|   |   `-- uid=user2
|   `-- ou=groups
|       |-- cn=users
|       `-- cn=admins
`-- ou=eastern
Common RDN attributes:
• c = country
• st = state or province
• l = locality (county or city)
• dc = DNS domain component
• o = organization
• ou = organizational unit
• uid = user ID
• cn = common name
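The DN and RDN rules above, implemented as an added example (this is not code from the HP-UX course or from LDAP-UX): a DN is split into RDNs from the entry upward, a backslash-escaped comma stays inside a value, a multi-valued RDN joins its pairs with "+", and an RDN only has to be unique among its siblings. The assumptions are that attribute types compare case-insensitively and that the values of the types used in this tree (o, ou, cn, uid, dc) do as well; `duplicate_rdns` is a hypothetical check that mimics what a directory server does when it refuses a second entry with the same RDN under one parent.

```python
# Added example, not part of the HP-UX course material. Assumes attribute
# types and the values of o/ou/cn/uid/dc compare case-insensitively (true
# for these caseIgnoreMatch attributes, not for every attribute type).

def _split_escaped(text, sep):
    """Split `text` on `sep`, leaving backslash-escaped separators inside values."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def parse_rdn(rdn):
    """One RDN -> sorted tuple of (attribute, value) pairs.

    Usually a single pair (uid=user1); a multi-valued RDN (cn=user1+sn=Miller)
    yields several, and sorting makes the two spellings compare equal."""
    pairs = []
    for ava in _split_escaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return tuple(sorted(pairs))


def parse_dn(dn):
    """DN string -> list of parsed RDNs, the entry's own RDN first."""
    if not dn.strip():
        return []                       # the empty DN names the root DSE
    return [parse_rdn(r) for r in _split_escaped(dn, ",")]


def format_dn(rdns):
    """Inverse of parse_dn, without the optional spaces after commas."""
    return ",".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in rdns)


def rdn_of(dn):
    return parse_dn(dn)[0]


def parent_dn(dn):
    return format_dn(parse_dn(dn)[1:])


def _norm(rdn):
    return tuple((a, v.lower()) for a, v in rdn)


def is_under(dn, base):
    """True if `dn` lies strictly below `base` in the tree (used by search bases and ACIs)."""
    d = [_norm(r) for r in parse_dn(dn)]
    b = [_norm(r) for r in parse_dn(base)]
    return len(d) > len(b) and d[len(d) - len(b):] == b


def duplicate_rdns(sibling_dns):
    """Given DNs that share one parent, return the RDNs that occur more than once."""
    seen, dups = {}, []
    for dn in sibling_dns:
        key = _norm(rdn_of(dn))
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:
            dups.append(key)
    return dups


if __name__ == "__main__":
    dn = "uid=user1, ou=people, ou=western, o=hp.com"
    print(rdn_of(dn), "under", parent_dn(dn))
    print(is_under(dn, "ou=western,o=hp.com"), is_under(dn, "ou=eastern,o=hp.com"))
```

The escape handling matters in practice: a cn such as "Miller, Darren" written as cn=Miller\, Darren is one RDN, and a naive split on commas would place the entry one level too deep.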
LDIF Files
Directory entries are commonly displayed, edited, imported, and exported
using LDAP Data Interchange Format (LDIF) files.
• The first line in the LDIF identifies the entry’s globally unique DN
• The next few lines identify the object classes represented in the entry
• The remaining lines list the entry’s attribute/value pairs
/tmp/user1.ldif
dn: uid=user1, ou=people, ou=western, o=hp.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user1
cn: Darren Miller
sn: Miller
givenName: Darren
uidNumber: 101
gidNumber: 101
homeDirectory: /home/user1
loginShell: /usr/bin/sh
gecos: Instructor
telephoneNumber: 111-222-3333
mail: [email protected]
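Before an LDIF file like the one above is imported, a client administrator wants to know that every posixAccount entry carries the attributes RFC 2307 requires and that it will not map to an unintended local identity. The following is an added example, not code from the course or from LDAP-UX: a minimal LDIF reader for this format (comments, folded continuation lines, and the "::" base64 form) and two checks on the result. POSIX_ACCOUNT_MUST is RFC 2307's MUST list for posixAccount; the three-entry LDIF is constructed for the example, with user1 taken from the Directory Entries slide and user2 and user3 invented to show the failure modes.

```python
import base64

# Added example, not part of the HP-UX course material. The LDIF below is
# constructed: user1 is the slide's entry, user2 and user3 are made up.
POSIX_ACCOUNT_MUST = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}

SAMPLE_LDIF = """\
dn: uid=user1, ou=people, ou=western, o=hp.com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: user1
uid: user1
uidNumber: 101
gidNumber: 101
homeDirectory: /home/user1
loginShell: /usr/bin/sh

# constructed: no homeDirectory, and a uidNumber that collides with user1
dn: uid=user2, ou=people, ou=western, o=hp.com
objectClass: account
objectClass: posixAccount
cn: user2
uid: user2
uidNumber: 101
gidNumber: 101

# constructed: a folded line, a base64 ("::") value, and uidNumber 0
dn: uid=user3, ou=people, ou=eastern, o=hp.com
objectClass: account
objectClass: posixAccount
cn: user3
uid: user3
uidNumber: 0
gidNumber: 103
homeDirectory: /home/
 user3
gecos:: QmFja3VwIG9wZXJhdG9y
"""


def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per entry, 'dn' included."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], None
    for line in unfolded:
        if not line.strip():                        # blank line ends the entry
            if entry:
                entries.append(entry)
            entry = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):                   # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if entry is None:
            if name != "dn":
                raise ValueError(f"entry must start with dn:, got {line!r}")
            entry = {}
        entry.setdefault(name, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def check_posix_account(entry):
    """Problems with one entry as strings; an empty list means it is importable."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return ["objectClass posixAccount is absent"]
    problems = [f"missing required attribute {a}"
                for a in sorted(POSIX_ACCOUNT_MUST - set(entry))]
    for attr in ("uidnumber", "gidnumber"):
        if any(not v.isdigit() for v in entry.get(attr, [])):
            problems.append(f"{attr} is not a non-negative integer")
    if entry.get("uidnumber") == ["0"]:
        problems.append("uidNumber 0 is root on every client that trusts this directory")
    return problems


def duplicate_uidnumbers(entries):
    """{uidNumber: [dn, ...]} for every uidNumber shared by two or more entries:
    two uids with one uidNumber are the same user as far as the kernel is concerned."""
    owners = {}
    for e in entries:
        for v in e.get("uidnumber", []):
            owners.setdefault(v, []).append(e["dn"][0])
    return {v: dns for v, dns in owners.items() if len(dns) > 1}
```

Running `check_posix_account` over `parse_ldif(SAMPLE_LDIF)` flags user2 for the missing homeDirectory and user3 for uidNumber 0, and `duplicate_uidnumbers` reports that user1 and user2 both own 101. The same checks apply to the output of the LDAP-UX migration scripts, which turn an existing /etc/passwd into exactly this kind of LDIF.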
Servers, Replicas, and LDAP Clients
A host may play one of several roles in an LDAP implementation
• A master server maintains the master copy of the directory database
• One or more replica servers may be configured for load balancing and redundancy
• LDAP Clients query directory servers via the LDAP protocol
[Figure: the master directory server pushes updates to two replica servers; clients query the master or either replica]
Referrals
• In smaller organizations, the organization's entire DIT may reside in a single database
• In larger organizations, the DIT may be distributed among multiple databases/servers
• Each server typically takes responsibility for one or more directory sub-trees
• Servers use referrals to redirect clients to other servers as needed
• Some servers use chaining to query other servers on behalf of clients
[Figure: a client asks the server holding ou=western,o=hp.com for an entry under ou=eastern,o=hp.com and is answered with the referral "Contact ldap://nyc.ny.hp.com:389/ou=eastern,o=hp.com"]
Security
LDAP-compliant directory servers provide several mechanisms for securing directory data
• Password policies enforce password aging and format policies
• Resource limits (search size and time limits, connection limits) mitigate denial of service attacks
• Access Control Instructions (ACIs) determine who can access/edit each subtree/attribute
• Directory servers typically support several client authentication/encryption alternatives:
  • Anonymous Access: allows anyone to view/search the directory
  • Simple Password Authentication: authenticates users via cleartext usernames/passwords
  • SSL Simple Authentication: simple password authentication, but via an SSL connection
  • SASL Authentication: provides an extensible, secure authentication mechanism
Two points to check in any deployment. A simple bind on port 389 without SSL puts the bind DN and password on the wire in cleartext, so every client that binds with a real password (a user changing it, or an administrator binding as Directory Manager) should use the SSL alternative. And an ACI that grants anonymous read on the people subtree hands every host that can reach port 389 the equivalent of a world-readable account list; anonymous read of userPassword hands it the password hashes as well.
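What "cleartext usernames/passwords" means at the byte level, as an added example that is not part of the course material: an LDAPv3 BindRequest with the simple authentication choice is BER-encoded exactly as RFC 2251 section 4.2 specifies, and then decoded again from the raw bytes, which is all a sniffer on an unencrypted port 389 session has to do. The bind DN and password are made up; the SASL variant is included only to show that with a challenge-response mechanism the packet carries the mechanism name rather than the password. With SSL (port 636) the same bytes travel inside TLS and the decoder has nothing to read.

```python
# Added example, not part of the HP-UX course material. Encodes and decodes
# LDAPv3 BindRequest messages (RFC 2251 section 4.2); DN/password are made up.

def ber_length(n):
    """BER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value):
    """Non-negative INTEGER, with a leading 0x00 when the top bit would be set."""
    return ber_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication simple[0] } }."""
    bind = ber_tlv(0x60,                                  # [APPLICATION 0] BindRequest
                   ber_integer(3)                         # version
                   + ber_tlv(0x04, bind_dn.encode())      # name: LDAPDN (OCTET STRING)
                   + ber_tlv(0x80, password.encode()))    # simple [0] OCTET STRING: cleartext
    return ber_tlv(0x30, ber_integer(message_id) + bind)  # SEQUENCE


def sasl_bind_request(message_id, mechanism, credentials=b""):
    """Same message with the sasl [3] choice; the password itself is never sent."""
    sasl = ber_tlv(0x04, mechanism.encode())
    if credentials:
        sasl += ber_tlv(0x04, credentials)
    bind = ber_tlv(0x60, ber_integer(3) + ber_tlv(0x04, b"") + ber_tlv(0xA3, sasl))
    return ber_tlv(0x30, ber_integer(message_id) + bind)


def ber_read(buf, pos):
    """Read the TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                      # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(packet):
    """(message_id, version, dn, secret): `secret` is the cleartext password of a
    simple bind, or 'SASL:<mechanism>' for a SASL bind."""
    tag, msg, _ = ber_read(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg, 0)
    tag, bind, _ = ber_read(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = ber_read(bind, 0)
    _, dn, pos = ber_read(bind, pos)
    auth_tag, auth, _ = ber_read(bind, pos)
    if auth_tag == 0x80:                                  # simple
        secret = auth.decode()
    elif auth_tag == 0xA3:                                # sasl [3] SaslCredentials
        secret = "SASL:" + ber_read(auth, 0)[1].decode()
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn.decode(), secret


if __name__ == "__main__":
    pkt = simple_bind_request(1, "cn=Directory Manager", "secret")
    print(pkt.hex())
    print(decode_bind_request(pkt))
```

The anonymous bind of the first bullet is the same message with an empty name and an empty password (14 bytes in total), which is why an anonymous search needs no credentials at all and why the ACIs, not the bind, are what limit what it can read.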
LDAP Software Solutions for HP-UX
Several LDAP-compliant directory server products are available free for HP-UX
• Netscape Directory Server
• Novell eDirectory Server
• OpenLDAP (unsupported, but included on the Internet Express DVD)
HP’s LDAP-UX client product is included on the Applications DVD
• LDAP-UX allows HP-UX to authenticate users via any LDAP compliant directory server
• LDAP-UX even allows HP-UX clients to authenticate users via MS Windows ActiveDirectory!
• LDAP-UX includes scripts to easily migrate UNIX configuration files to a directory server
• LDAP-UX supports LDAP resolution of users, groups, hosts, and other objects
• LDAP-UX is fully supported by HP
Installing a Basic Netscape Directory Server
• Installing Netscape Directory Server is a multi-step process.
• This slide provides an overview; see the notes for details.
• More complex configurations are also possible
Install J4258CA and
(optionally) J4269AA
Modify kernel
parameters
Run the server
setup script
Import data into the
directory
Use the console
GUI to customize
configuration
Verifying a Netscape Directory Server
Use the following commands to verify that a Directory Server is functional
1. Is the directory server daemon running?
# ps -ef | grep slapd
2. Is the directory server listening on port 389? (a listening socket appears as *.389; check *.636 as well if SSL is configured)
# netstat -an | grep 389
3. Is the directory server answering user queries?
# /opt/ldapux/bin/ldapsearch -h 128.1.1.1 \
   -b "ou=People,ou=MyOrganizationalUnit,o=hp.com" \
   uid=*
4. Is the directory server answering group queries?
# /opt/ldapux/bin/ldapsearch -h 128.1.1.1 \
   -b "ou=groups,ou=MyOrganizationalUnit,o=hp.com" \
   cn=*
Both ldapsearch commands bind anonymously (no -D/-w). If they return full entries, anyone who can reach port 389 can enumerate your accounts and groups; decide deliberately whether the ACIs should allow that.
Installing a Basic LDAP-UX Client
The LDAP-UX client setup script automates LDAP-UX configuration of the first client
1. Install J4269AA (LDAP-UX Client)
2. Run the menu-based client setup script
3. Review/customize the resulting /etc/opt/ldapux/ldapux_client.conf file
4. Review/customize the resulting /etc/opt/ldapux/ldapclientd.conf file
5. Review the /etc/opt/ldapux/ldapux_profile.ldif profile
6. Verify that the ldapclientd daemon is running
7. Add LDAP to the Name Service Switch configuration in /etc/nsswitch.conf
8. Add LDAP to the Pluggable Authentication Module configuration in /etc/pam.conf
9. Remove LDAP users and groups from /etc/passwd and /etc/group (leave root and at least one local administrative account in the files, so the host can still be administered when the directory is unreachable)
10. Create a tar archive of the client's configuration files
Using the LDAP-UX Client
• LDAP is just one of several mechanisms HP-UX uses to obtain configuration information
• HP-UX must be told when/if LDAP should be used for lookups
• Commands that authenticate users use /etc/pam.conf to select a lookup source
• Other commands use /etc/nsswitch.conf to select a lookup source
• In either case, if LDAP is selected, the ldapclientd daemon helps process the request
[Figure: login, su and ssh go through PAM (pam.conf: libpam_hpsec.so.1, libpam_unix.so.1, libpam_ldap.so.1); ll, ps and who go through NSS (nsswitch.conf); both reach the LDAP server via ldapclientd]
Configuring /etc/nsswitch.conf
Some HP-UX commands such as ll, ps, who, and nsquery use the
/etc/nsswitch.conf file to determine how user, group, and other information
should be resolved.
/etc/nsswitch.conf without LDAP:
passwd:     files
group:      files
hosts:      files dns
networks:   files
protocols:  files
rpc:        files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files

/etc/nsswitch.conf with LDAP:
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
publickey:  files
netgroup:   files ldap
automount:  files
aliases:    files
services:   files ldap
Listing files before ldap means a local entry wins over a directory entry with the same name, and root (plus any other account kept in /etc/passwd) still resolves when the directory is unreachable.
Configuring /etc/pam.conf
Commands that authenticate users, such as su, login, and ssh, use Pluggable
Authentication Modules (PAM) to access user and password information. Make sure each
service in the /etc/pam.conf file consults libpam_ldap.so.1.
/etc/pam.conf entries for the login service on an LDAP client
# which modules should be used to authenticate users at login?
login    auth      required    libpam_hpsec.so.1
login    auth      sufficient  libpam_unix.so.1
login    auth      required    libpam_ldap.so.1 try_first_pass
# which modules should be used to determine if an account is valid?
login    account   required    libpam_hpsec.so.1
login    account   sufficient  libpam_unix.so.1
login    account   required    libpam_ldap.so.1
# which modules should be used to setup/terminate login sessions?
login    session   required    libpam_hpsec.so.1
login    session   sufficient  libpam_unix.so.1
login    session   required    libpam_ldap.so.1
# which modules should be used to change the user's password?
login    password  required    libpam_hpsec.so.1
login    password  sufficient  libpam_unix.so.1
login    password  required    libpam_ldap.so.1 try_first_pass
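The order and control flags in those stacks decide who can log in when the directory is down or when libpam_hpsec rejects an account, and that is easier to see by simulating the stack than by locking yourself out. The following is an added example, not code from the course or from HP-UX PAM: a parser for pam.conf lines and an evaluator for the required/requisite/sufficient/optional semantics that HP-UX shares with Solaris PAM. The module outcomes in the scenarios are assumed for illustration, the `su` lines in PAM_CONF are constructed (deliberately without libpam_ldap.so.1), and the module paths are abbreviated as on the slide.

```python
# Added example, not part of the HP-UX course material. Control-flag semantics:
#   required    failure is remembered, the stack keeps running, final result fails
#   requisite   failure ends the stack immediately with failure
#   sufficient  success ends the stack with success unless a required module
#               already failed; a failure is ignored
#   optional    only matters when no required/requisite/sufficient module decides
# Module outcomes in SCENARIOS are assumed; the su lines are constructed.

PAM_CONF = """\
# login: auth and account stacks from the slide
login auth     required   libpam_hpsec.so.1
login auth     sufficient libpam_unix.so.1
login auth     required   libpam_ldap.so.1 try_first_pass
login account  required   libpam_hpsec.so.1
login account  sufficient libpam_unix.so.1
login account  required   libpam_ldap.so.1
# su: constructed, deliberately left without libpam_ldap.so.1
su    auth     required   libpam_hpsec.so.1
su    auth     required   libpam_unix.so.1
"""


def pam_stack(conf, service, module_type):
    """[(control, module, options)] for one service/type, in file order."""
    stack = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, mtype, control, module, *opts = line.split()
        if svc == service and mtype == module_type:
            stack.append((control, module, opts))
    return stack


def run_stack(stack, outcomes):
    """Evaluate a stack. `outcomes` maps module -> True (PAM_SUCCESS) or False (any
    error: unknown user, wrong password, unreachable directory). A module absent
    from `outcomes` is treated as failing. Returns (granted, modules_invoked)."""
    invoked, required_failed, saw_required, optional_ok = [], False, False, None
    for control, module, _ in stack:
        invoked.append(module)
        ok = outcomes.get(module, False)
        if control == "required":
            saw_required = True
            required_failed = required_failed or not ok
        elif control == "requisite":
            saw_required = True
            if not ok:
                return False, invoked
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked
        elif control == "optional":
            optional_ok = ok if optional_ok is None else optional_ok
        else:
            raise ValueError(f"unknown control flag {control}")
    if saw_required:
        return not required_failed, invoked
    return bool(optional_ok), invoked


def services_missing_ldap(conf, module_types=("auth", "account", "session", "password")):
    """(service, type) stacks in which libpam_ldap.so.1 never appears; on an LDAP
    client those paths can only ever authenticate local /etc/passwd users."""
    stacks = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            svc, mtype, _, module, *_ = line.split()
            stacks.setdefault((svc, mtype), []).append(module)
    return sorted(key for key, mods in stacks.items()
                  if key[1] in module_types and "libpam_ldap.so.1" not in mods)


SCENARIOS = {
    # local user, right password: unix is sufficient, ldap is never consulted
    "local user":               {"libpam_hpsec.so.1": True, "libpam_unix.so.1": True},
    # directory user, right password: unix fails (no local entry), ldap decides
    "ldap user":                {"libpam_hpsec.so.1": True, "libpam_unix.so.1": False,
                                 "libpam_ldap.so.1": True},
    # directory user while the directory is unreachable: the required ldap module fails
    "ldap user, server down":   {"libpam_hpsec.so.1": True, "libpam_unix.so.1": False},
    # hpsec (required) rejects: a later sufficient success cannot override it
    "local user, hpsec reject": {"libpam_hpsec.so.1": False, "libpam_unix.so.1": True},
}


def login_auth(outcomes):
    return run_stack(pam_stack(PAM_CONF, "login", "auth"), outcomes)


def run_scenarios():
    return {name: login_auth(outcomes) for name, outcomes in SCENARIOS.items()}
```

`run_scenarios()` shows the two properties the ordering is designed for: a local user never touches the directory, and a directory user cannot log in while it is down. `services_missing_ldap(PAM_CONF)` is the mechanical form of the slide's instruction to make sure each service consults libpam_ldap.so.1.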
Updating Passwords
Users can change their own passwords via the ldappasswd command.
$ /opt/ldapux/bin/ldappasswd -h 128.1.1.1 -p 389 \
  -b "ou=People, ou=MyOrganizationalUnit, o=hp.com"
Changing LDAP password for user1
Old password: ******
New password: ******
Retype new password: ******
Updating password in LDAP...
The directory server's Directory Manager user can change anyone's password.
# /opt/ldapux/bin/ldappasswd -h 128.1.1.1 -p 389 \
  -b "ou=People, ou=MyOrganizationalUnit, o=hp.com" \
  -D "cn=Directory Manager" -w "*****" \
  -l user1
Changing LDAP password for user1
New password: ******
Retype new password: ******
Updating password in LDAP...
Both commands carry passwords to the server on port 389: the old one in a simple bind and the new one in the modify that follows. Unless the connection uses SSL they cross the network in cleartext. Passing the Directory Manager password with -w additionally records it in the shell history and exposes it in the process list (ps -ef) while the command runs.
Managing Directory Entries
The directory server’s Directory Manager user can easily add/modify/delete the
most common UNIX directory entry types via the Netscape Directory Server console
GUI, or via the ldapentry command.
1. Define directory server connection information in ~/.profile
# vi ~/.profile
export PATH=/opt/ldapux/bin/:$PATH
export MANPATH=/opt/ldapux/share/man/:$MANPATH
export LDAP_HOST=128.1.1.1
export LDAP_BINDDN="cn=Directory Manager"
export LDAP_BASEDN="ou=MyOrganizationalUnit, o=hp.com"
export EDITOR=vi
# . ~/.profile
2. Add/modify/delete directory entries via ldapentry
# ldapentry -a type entry     # add a new entry
# ldapentry -m type entry     # modify an existing entry
# ldapentry -d type entry     # delete an entry
Binding as cn=Directory Manager bypasses every ACI on the server. For day-to-day account administration, bind instead as a dedicated administrative DN whose ACIs grant write access only to the ou=People and ou=groups subtrees.
Example: Managing Directory Entries
The example below shows the interface that ldapentry provides to add a user
# ldapentry -a passwd user25
dn: uid=user25,ou=MyOrganizationalUnit, o=hp.com
uid: user25
cn: user25
sn:
uidnumber: 325
gidnumber: 301
homedirectory: /home/user25
loginshell: /usr/bin/ksh
gecos:
telephonenumber:
givenname:
mail:
Do you want to specify userpassword? (y/n): y
value: ******
repeat: ******
Add entry to directory? (y/n): y
adding new entry uid=user25,ou=MyOrganizationalUnit, o=hp.com
Added.
For Further Study
LDAP and Netscape Directory Server are both very complex products. In order to
learn more about security, replication, referrals, more complex topologies, and
integration with Microsoft Active Directory see the references below.
On http://www.ietf.org/rfc.html:
• RFCs 2307, 2251-2256, and many others (RFCs 2251-2256 have since been superseded by the RFC 4510 series; RFC 2307 has not been obsoleted)
On http://docs.hp.com:
• LDAP-UX Client Services B.03.30 Administrator's Guide
• HP CIFS Server Administrator's Guide (includes an LDAP chapter)
On http://www.redhat.com:
• Netscape Directory Server Administrator's Guide
• Netscape Directory Server Deployment Guide
• Netscape Directory Server Configuration, Command, and File Reference
Lab activity