Understand LDAP for Efficient Data Management

LDAP, or Lightweight Directory Access Protocol, is a powerful tool for organizing and accessing data in directory services. Learn about the differences between directories and databases, LDAP servers, and the structure of LDAP entries. Explore how LDAP can optimize data lookup and search operations for efficient network administration.

  • LDAP
  • Data Management
  • Network Administration
  • Directory Services
  • Protocol


Presentation Transcript


  1. USTM17 Linux Network Administration
     Lesson 6: LDAP
     Peter CHUNG (cspeter@cse.ust.hk)
     USTM17 Linux Network Administration - Peter Chung (cspeter) 1

  2. Introduction
     - LDAP stands for Lightweight Directory Access Protocol
     - A protocol for storing and retrieving data from directory services
     - Examples:
       - A telephone directory storing your friends' names and telephone numbers
       - The ITSC directory storing student name, student ID, email, home address, ...

  3. Directory vs. Database
     - Data in directories are mostly read (lookup, search) rather than written
     - Directories do not usually implement transactions or roll-back schemes
     - Directories are usually optimized to respond quickly to lookup or search operations

  4. LDAP vs. Directory Servers
     Protocol | Server
     LDAP     | Active Directory, OpenLDAP
     HTTP     | Apache, IIS, nginx
     In this lab, we will use OpenLDAP

  5. Organization of LDAP
     - An LDAP directory is a collection of entries
     - Each entry has one or more attributes
     - Each attribute has one or more values
     - The distinguished name (DN) identifies each entry at the global level
     Example entry:
       dn: uid=bond,ou=users,dc=cse,dc=ust,dc=hk
       objectClass: posixAccount
       objectClass: shadowAccount
       objectClass: inetOrgPerson
       cn: James
       sn: Bond
       uid: bond
       uidNumber: 5000
       gidNumber: 5000
       homeDirectory: /home/bond
       loginShell: /bin/sh

  6. Organization of LDAP
     - Entries are arranged hierarchically
     - Entries are organized under organizational units (OU)
     Tree shown on the slide:
       dc=cse,dc=ust,dc=hk
         ou=groups
         ou=users
           uid=bond
         ou=system
     The corresponding entries:
       dn: dc=cse,dc=ust,dc=hk
       objectClass: dcObject
       objectClass: organization
       objectClass: top
       o: CSE
       dc: cse

       dn: ou=groups,dc=cse,dc=ust,dc=hk
       objectClass: organizationalUnit
       objectClass: top
       ou: groups

       dn: ou=users,dc=cse,dc=ust,dc=hk
       objectClass: organizationalUnit
       objectClass: top
       ou: users

       dn: ou=system,dc=cse,dc=ust,dc=hk
       objectClass: organizationalUnit
       objectClass: top
       ou: system
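As an added example (not part of the lesson), a small Python parser for LDIF entries like the ones on slides 5 and 6, with a check of the hierarchy rule the slide describes: every entry's parent DN must itself be an entry under the suffix. The sample LDIF is constructed from the slide entries plus one orphan entry (uid=m under a non-existent ou=staff) so the check has something to report.

```python
# Added example, not part of the lesson: parse LDIF entries like the ones on
# slides 5 and 6 and check that every entry's parent DN exists in the tree.
# Minimal parser: no line folding and no base64 ("::") values.

# Constructed sample: the slide entries plus one orphan whose parent OU is missing.
SAMPLE_LDIF = """\
dn: dc=cse,dc=ust,dc=hk
objectClass: dcObject
objectClass: organization
o: CSE
dc: cse

dn: ou=users,dc=cse,dc=ust,dc=hk
objectClass: organizationalUnit
ou: users

dn: uid=bond,ou=users,dc=cse,dc=ust,dc=hk
objectClass: posixAccount
objectClass: inetOrgPerson
cn: James
sn: Bond
uid: bond
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/bond

dn: uid=m,ou=staff,dc=cse,dc=ust,dc=hk
objectClass: posixAccount
uid: m
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}}. Entries are separated by a blank
    line; a repeated attribute (objectClass) accumulates its values."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def parent_dn(dn):
    """Strip the leftmost RDN: uid=bond,ou=users,dc=cse -> ou=users,dc=cse."""
    return dn.split(",", 1)[1] if "," in dn else ""

def missing_parents(entries):
    """DNs whose parent entry is absent; the shortest DN is the suffix and is exempt."""
    suffix = min(entries, key=lambda d: d.count(","))
    return sorted(d for d in entries if d != suffix and parent_dn(d) not in entries)
```

slapadd and ldapadd refuse such an orphan with a "no such object" style error; running this check over your own directories.ldif first tells you which parent OU is missing before you load it.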

  7. OpenLDAP
     OpenLDAP is an open source implementation of LDAP:
     - slapd: standalone LDAP daemon
     - Libraries implementing the LDAP protocol
     - Utilities, tools and sample clients
     In this lesson, you will learn how to:
     - set up slapd
     - create a user account
     - set up user authentication

  8. Obtaining OpenLDAP
     Unfortunately, OpenLDAP is not available in the software repository of CentOS 8, so we need to download and compile the source files:
       https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.52.tgz
     Follow the instructions in the workbook to compile the source files

  9. OpenLDAP Configuration
     - Configuration files used in this lesson are available at /root/openldap
     - Copy the slapd configuration file slapd.ldif to the OpenLDAP directory: /usr/local/etc/openldap
     - Create the configuration directory (or empty it if it already exists):
         # cd /usr/local/etc/openldap/
         # mkdir slapd.d || rm -rf slapd.d/*

  10. OpenLDAP Configuration
      Use slapadd to add the configuration:
        # slapadd -n 0 -F slapd.d -l slapd.ldif
      -n 0           Initialize and add to the first configuration database
      -F slapd.d     Specify the configuration directory
      -l slapd.ldif  Specify the configuration file

  11. OpenLDAP Database
      - A database (backend) is required to store the LDAP entries
      - Database configuration file: databases.ldif
      - Generate a password hash using slappasswd
      - In databases.ldif, replace PASSWD_HASH with the hash

  12. OpenLDAP Database
      Use ldapadd to add the database configuration:
        # ldapadd -Y EXTERNAL -H ldapi:/// -f databases.ldif
      -Y EXTERNAL       Specify the SASL mechanism for authentication
                        https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
      -H ldapi:///      Specify the URI for connecting to the OpenLDAP server
      -f databases.ldif Specify the configuration file

  13. Add directories and test user
      Follow the instructions in the workbook to add the directories and a test user:
        directories.ldif
        testuser.ldif
      Use ldappasswd to set the password for the test user:
        # ldappasswd -Y EXTERNAL -H ldapi:/// -S \
            "uid=testuser,ou=users,dc=cse,dc=ust,dc=hk"
      Enter the root login password

  14. Using OpenLDAP for Authentication
      To use OpenLDAP for user authentication, we need to integrate it with the System Security Services Daemon (SSSD) in CentOS:
        # authselect select --force sssd
      Copy sssd.conf to /etc/sssd

  15. Using OpenLDAP for Authentication
      - On the OpenLDAP side, we need a proxy user that SSSD binds as to read and search the LDAP entries
      - Configuration of the proxy user: proxy.ldif
      - Generate a password hash using slappasswd (enter the root login password)
      - In proxy.ldif, replace PASSWD_HASH with the hash
      - Use ldapadd to add the proxy user:
          # ldapadd -Y EXTERNAL -H ldapi:/// -f proxy.ldif
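Added example, not the lesson's code: what the {SSHA} value that slappasswd emits by default (the PASSWD_HASH on slides 11 and 15) contains, and how the server checks a simple bind against it. The proxy DN and LDIF template below are constructed stand-ins; the real proxy.ldif is in the workbook.

```python
# Added example, not from the lesson: build and verify an {SSHA} hash of the
# kind slappasswd emits, i.e. the value that replaces PASSWD_HASH in
# databases.ldif and proxy.ldif. The directory stores only this salted digest;
# a bind still needs the cleartext password, which is why sssd.conf takes the
# proxy user's password rather than its hash.
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """{SSHA} = base64(sha1(password || salt) || salt); slappasswd picks a random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """What slapd does on a simple bind: recover the salt from the stored value,
    recompute the digest and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def fill_passwd_hash(template, password):
    """The manual step from the slides: substitute PASSWD_HASH in an LDIF template."""
    return template.replace("PASSWD_HASH", ssha_hash(password))

# Constructed stand-in for proxy.ldif (hypothetical DN under the slide's ou=system).
PROXY_TEMPLATE = """\
dn: uid=proxy,ou=system,dc=cse,dc=ust,dc=hk
objectClass: account
objectClass: simpleSecurityObject
uid: proxy
userPassword: PASSWD_HASH
"""

if __name__ == "__main__":
    ldif = fill_passwd_hash(PROXY_TEMPLATE, "proxy-secret")
    print(ldif)
```

The same check explains the ldappasswd step on slide 13: it rewrites userPassword for the test user with a fresh salted digest, so the old password stops verifying immediately.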

  16. Using OpenLDAP for Authentication
      - In line 77 of sssd.conf, replace LDAP_PASSWD with the password (not the hash) of the proxy user
      - Notice the DN in line 73 of sssd.conf: it is the same as the DN of the proxy user
      - Follow the instructions in the workbook to restart the SSSD service

  17. Using OpenLDAP for Authentication
      At this point, the test user should exist in the directory. Verify this with:
        # id testuser
      This should return the uid (5000), gid (5000) and the groups (5000) of the test user

  18. Using OpenLDAP for Authentication
      Create the home directory for the test user and fix its ownership:
        # mkdir /home/testuser
        # chown testuser:testgroup /home/testuser
      Log in as the test user:
        # ssh -l testuser localhost
      Demo this to the TA

  19. Any questions so far?
