Lecture 1: The LDAP Service
Advanced Services for ISPs
20 February 2017
SAISP Lecture 1, The LDAP Service 1/47
Outline
- Course overview
- The LDAP service
- Directory services
- LDAP
- The LDAP client
- Integrating an LDAP client
- Wrap-up
- Questions
Advanced Services for ISPs
- a fancy name for Advanced Network System Administration
- LDAP, virtualization, volume management, scalability, automation
- aimed at the sysdevops profile (system administration / development / operations)
Advanced Services for ISPs (cont.)
- http://ocw.cs.pub.ro/saisp/
- lecture: Mondays, 18-20, PR706
- lab: Mondays, 16-18 and 20-22, PR706
- the first lecture takes place on Monday, 20 February 2017
- the first lab takes place on Monday, 27 February 2017
Course contents
1. The LDAP service
2. LDAP administration
3. Monitoring
4. Scalable management of storage devices
5. Redundancy and load balancing
6. Network file systems
7. Containers
8. Native virtualization
9. Web access acceleration
10. Scalable system automation
11. Traffic limiting
12. Review
Course contents (cont.)
- a continuation of the GSR course
- supporting platform: Debian and virtualization solutions (KVM)
- prerequisites:
  - familiarity with the Linux environment
  - basic networking
  - basic system administration
  - virtualization concepts
  - basic programming
  - basic software engineering
Grading
- lab: 2 points (activity)
- practical tests: 5 points
  - practical test 1: 2.5 points (after lab 5)
  - practical test 2: 2.5 points (during the exam session)
- lecture quizzes: 2 points (5 quizzes x 0.4 points each)
- multiple-choice test: 2 points (during the exam session)
Motto
"The secret of all victory lies in the organization of the non-obvious." (Marcus Aurelius)
"If you don't know how to do something, you don't know how to do it with a computer."
Reading
- "Unix and Linux System Administration Handbook"
  - Chapter 19: Sharing System Files
  - Section 19.3: LDAP: The Lightweight Directory Access Protocol
- "Professional Linux System Administration"
  - Chapter 16: Directory Services
Directory
- a mechanism for organizing information
- a mapping/association between names and values
- generally a hierarchical organization
  - nodes of information and data types
  - in telephony: names and phone numbers
  - in DNS: domain names (nodes) and IP addresses, aliases, mail servers (data types)
- directory service / naming service
- DIT: Directory Information Tree
Directory services
- naming services
  - locating a resource on the network by its name
- information about a resource: an object with attributes
- an interface for locating and managing resources on a network
  - directories, files, users, groups, devices, phone numbers
- similar to an RDBMS, but...
  - reads are far more frequent than writes
  - data is replicated for performance (e.g. DNS caching)
Examples of directory services
- DNS: Domain Name System
- NIS: Network Information Service
  - increasingly replaced by LDAP
- LDAP/X.500
  - Directory Access Protocol
  - "A set of such systems, together with the directory information that they hold, can be viewed as an integrated whole, called the Directory"
Using directory services on Unix
- /etc/nsswitch.conf
  - Name Service Switch
  - the services/files that back the system "databases"
  - /lib/libnss_*
- system databases
  - passwd, group, hosts, networks, protocols, services, shadow
- getent: querying the databases
  - getent passwd
  - getent passwd razvan
  - getent networks
  - getent services ldaps
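The nsswitch.conf format above is small enough to parse completely. The following parser is an added example, not part of the lecture: it returns, for one system database, the ordered list of sources that getent walks, together with any [STATUS=ACTION] rules attached to a source. The configuration text it reads is constructed for the example; the database and source names are the ones from the slide.

```python
# Added example, not from the lecture: a parser for the /etc/nsswitch.conf format
# that returns the ordered lookup sources (what getent walks) for one database,
# including the [STATUS=ACTION] rules attached to a source. SAMPLE_NSSWITCH is
# constructed for the example.
import re

SAMPLE_NSSWITCH = """\
# constructed /etc/nsswitch.conf
passwd:         compat files ldap
group:          compat files ldap
shadow:         files
hosts:          files dns [NOTFOUND=return UNAVAIL=continue] mdns4
networks:       files
services:       db files
"""

_TOKEN = re.compile(r"\[[^\]]*\]|\S+")   # a [...] rule group or a bare source name
_RULE = re.compile(r"(!?)(\w+)=(\w+)")   # STATUS=ACTION, optionally negated with '!'


def parse_nsswitch(text):
    """Return {database: [(source, {status: action, ...}), ...]}."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed nsswitch line: %r" % raw)
        db, spec = line.split(":", 1)
        sources = []
        for token in _TOKEN.findall(spec):
            if token.startswith("["):
                if not sources:
                    raise ValueError("rule without a preceding source: %r" % raw)
                for negate, status, action in _RULE.findall(token):
                    sources[-1][1][("!" if negate else "") + status.upper()] = action.upper()
            else:
                sources.append((token.lower(), {}))
        databases[db.strip().lower()] = sources
    return databases


def lookup_order(text, database):
    """Source names consulted, in order, for one database; [] when it is not listed."""
    return [source for source, _rules in parse_nsswitch(text).get(database, [])]
```

lookup_order(text, "passwd") mirrors the source order getent passwd consults. A database missing from the file gets the C library's compiled-in default, which the parser does not model; it simply reports an empty list.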
X.500
- a set of standards for directory services
- DAP, DSP, DISP, DOP
- uses the OSI stack
  - alternatives were built on the TCP/IP stack instead
  - the alternative to DAP: Lightweight Directory Access Protocol (LDAP)
- a single DIT (Directory Information Tree)
  - "a hierarchical organization of entries which is distributed across one or more servers"
- each entry is uniquely identified by a DN (Distinguished Name)
- too complex
LDAP/X.500 implementations
- Active Directory (Microsoft)
- eDirectory (Novell)
- Red Hat Directory Server
- OpenLDAP
- Open Directory (Apple): built on top of OpenLDAP
- Apache Directory Server
- 389 Directory Server (Red Hat): the upstream of Red Hat Directory Server, descended from Netscape Directory Server; it is not a fork of OpenLDAP
Active Directory
- comparable to (and a competitor of) Novell eDirectory, not derived from it
- LDAP, Kerberos
- a central place for administration and for delegating authority
- scalability
- in Windows Server 2008: Active Directory Domain Services
- a hierarchy of objects
  - resources
  - security principals (users and groups), each with a unique identifier (SID, security identifier)
- OU: Organizational Unit, a container for the objects of a domain
- within a domain a user has an attribute with a unique value (sAMAccountName, the pre-Windows 2000 logon name, and userPrincipalName)
LDAP
- Lightweight Directory Access Protocol
- "lightweight" in the context of X.500
- a simplified form of the DAP from X.500
- hierarchical organization
- borrows DNS names for the topmost levels
- holds entries representing people, groups, printers, documents etc.
- LDAPv3: RFC 4510 (the technical specification road map)
- more than 30 RFCs
Client operations
- TCP 389
  - TCP 636 for LDAP over SSL/TLS (ldaps)
- operations
  - StartTLS: available since LDAPv3; upgrades a plain port-389 connection to TLS
  - Bind (authentication)
  - Search
  - Compare
  - Add entry
  - Delete entry
  - Modify entry
  - Unbind (closes the connection; it is not the reverse of Bind)
- a connection that has not bound, or has bound with an empty name and password, is anonymous; what it may read is decided by the server's access controls
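What a Bind actually puts on TCP 389 is worth seeing once in bytes. The following is an added example, not part of the lecture: it builds and decodes the BER-encoded LDAPMessages of a simple Bind, its BindResponse and an Unbind (RFC 4511) with the standard library only, so the exchange can be inspected without a server. The DN and password are constructed; the 14-byte anonymous bind it reproduces is the well-known one. With simple authentication the password is a plain OCTET STRING inside the message, which is the reason ldaps:// or StartTLS is needed before binding.

```python
# Added example, not from the lecture: BER encoding and decoding of the LDAPMessages
# for a simple Bind, its BindResponse and an Unbind (RFC 4511), standard library only.
# DN and password are constructed; the anonymous bind bytes are the well-known ones.


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value):
    """Non-negative INTEGER / ENUMERATED content in minimal two's-complement bytes."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def bind_request(message_id, dn, password, version=3):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    op = _tlv(0x02, _int(version)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, op))


def bind_response(message_id, result_code=0, matched_dn="", diagnostic=""):
    """bindResponse [APPLICATION 1] carrying an LDAPResult (resultCode is ENUMERATED)."""
    op = _tlv(0x0A, _int(result_code)) + _tlv(0x04, matched_dn.encode()) + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x61, op))


def unbind_request(message_id):
    """unbindRequest [APPLICATION 2] NULL: tag 0x42 with an empty body."""
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + bytes([0x42, 0x00]))


def _read_tlv(buf, pos=0):
    """One BER element at pos -> (tag, content bytes, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                          # long form: N length bytes follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, body, pos = _read_tlv(payload, pos)
        out.append((tag, body))
    return out


def decode_message(buf):
    """Decode a bindRequest (simple authentication only), bindResponse or unbindRequest."""
    tag, payload, end = _read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    (_, id_body), (op_tag, op_body) = _children(payload)[:2]   # optional controls ignored
    message_id = int.from_bytes(id_body, "big", signed=True)
    if op_tag == 0x60:
        (_, version), (_, name), (auth_tag, cred) = _children(op_body)
        if auth_tag != 0x80:
            raise ValueError("only simple authentication is decoded here")
        return {"id": message_id, "op": "bindRequest", "version": version[0],
                "name": name.decode(), "password": cred.decode()}
    if op_tag == 0x61:
        (_, code), (_, matched), (_, diag) = _children(op_body)[:3]
        return {"id": message_id, "op": "bindResponse",
                "resultCode": int.from_bytes(code, "big", signed=True),
                "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}
    if op_tag == 0x42:
        return {"id": message_id, "op": "unbindRequest"}
    raise ValueError("unsupported protocolOp tag 0x%02x" % op_tag)
```

bind_request(1, "", "") yields the 14-byte anonymous bind 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; with a real DN and password the credential bytes sit in the message unchanged, which is what a capture on port 389 shows when no TLS is in place.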
Directory Information Tree
- the organization of the information: the schema
- a hierarchy
- each entry is identified by a DN (Distinguished Name)
- the name usually contains a component borrowed from DNS (dc=test,dc=cs,dc=pub,dc=ro)
- generally flat namespaces
  - a namespace for people: holds the list of people
  - a namespace for groups: holds the list of groups
Entries and attributes
- a directory is a collection of entries
- an entry is a collection of attributes
- an attribute has a name and one or more values
  - attributes are defined in the schema
  - an object class marks each attribute as MUST (required) or MAY (optional)
- an entry is identified by a DN (Distinguished Name)
  - made of several components, some of which are DCs (domain components)
  - uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro
LDIF
- LDAP Data Interchange Format
- a text representation for
  - directory content (listing, adding)
dn: cn=The Postmaster,dc=example,dc=com
objectClass: organizationalRole
cn: The Postmaster
  - update (modification) requests
dn: cn=gsclipici,ou=People,dc=test,dc=cs,dc=pub,dc=ro
changetype: modify
replace: mail
mail: [email protected]
-
replace: initials
initials: GS
-
- lines have the form attributeName: attribute value; a line that starts with a space continues the previous line, and :: introduces a base64-encoded value
LDAP acronyms
- DN: Distinguished Name
  - RDN (Relative Distinguished Name) + parent DN
  - dn: cn=Ana Popa,dc=rd,dc=ro
    - RDN: cn=Ana Popa
    - parent DN: dc=rd,dc=ro
- DC: Domain Component
- CN: Common Name
- OU: Organizational Unit
- LDIF: LDAP Data Interchange Format
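Splitting a DN into RDN and parent DN, as the slide does, is not a plain split on commas: RFC 4514 allows a comma, plus sign or other special character inside a value when it is escaped with a backslash, and allows any byte as a \XX hex pair. The following is an added example, not part of the lecture, that handles those cases and compares DNs structurally; the DNs with escapes are constructed, the others are the slide's.

```python
# Added example, not from the lecture: split a Distinguished Name into its RDNs with
# RFC 4514 escaping honoured, derive the RDN / parent DN pair from the slide, and
# compare DNs structurally. The escaped-comma and \XX examples are constructed.
import string


def _split_unescaped(text, sep):
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                       # skip the escaped character (or first hex digit)
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return [p.strip() for p in parts]


def split_dn(dn):
    """RDN strings of a DN, leaf first, escapes left intact."""
    rdns = _split_unescaped(dn, ",")
    if any(r == "" for r in rdns):
        raise ValueError("empty RDN in DN %r" % dn)
    return rdns


def unescape_value(value):
    """Decode RFC 4514 escapes: \\c for a special character, \\XX for one byte."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            out += value[i].encode("utf-8")
            i += 1
            continue
        hexpair = value[i + 1:i + 3]
        if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
            out.append(int(hexpair, 16))   # consecutive \XX pairs form one UTF-8 sequence
            i += 3
        elif i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("dangling backslash in %r" % value)
    return out.decode("utf-8")


def parse_rdn(rdn):
    """An RDN as [(attribute type, decoded value), ...]; '+' joins multi-valued RDNs."""
    pairs = []
    for atv in _split_unescaped(rdn, "+"):
        attr_type, eq, raw = atv.partition("=")
        if not eq or not attr_type.strip():
            raise ValueError("malformed attribute type and value: %r" % atv)
        pairs.append((attr_type.strip().lower(), unescape_value(raw.strip())))
    return pairs


def rdn_and_parent(dn):
    """The leaf RDN and the parent DN, as the slide defines them."""
    rdns = split_dn(dn)
    return rdns[0], ",".join(rdns[1:])


def dn_components(dn):
    return [parse_rdn(r) for r in split_dn(dn)]


def dn_equal(a, b):
    """Structural comparison; assumes caseIgnore matching for every attribute value."""
    def fold(components):
        return [sorted((t, v.lower()) for t, v in rdn) for rdn in components]
    return fold(dn_components(a)) == fold(dn_components(b))
```

dn_equal treats "CN=Ana Popa, DC=rd, DC=ro" and "cn=ana popa,dc=rd,dc=ro" as the same entry, which is what an access-control rule keyed on a DN needs; comparing the raw strings would not.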
Searching/comparing in LDAP
- searches match on attributes
  - uid
  - uid=gsclipici
  - sn=P*
  - (&(sn=P*)(cn=A*))
  - (|(&(sn=P*)(cn=A*))(&(sn=C*)(cn=S*)))
  - prefix (Polish) notation: the operator comes first, followed by its operands, each in its own parentheses
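The filters on the slide follow the grammar of RFC 4515, which is small enough to parse and evaluate by hand. The following is an added example, not part of the lecture: a recursive-descent parser for the prefix notation and an evaluator that runs a filter over entries held as Python dicts, so the meaning of &, |, !, the * wildcard and \XX escapes can be checked without a server. The entries are constructed, and every attribute is treated as caseIgnore (a real server applies the matching rule the schema assigns to each attribute).

```python
# Added example, not from the lecture: a parser for the prefix-notation filters on the
# slide plus an evaluator that runs them over entries held as dicts. Entries are
# constructed; every attribute is treated as caseIgnore.
import re

_HEX = "0123456789abcdefABCDEF"
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)", re.S)


def _unescape(raw):
    """Decode RFC 4515 \\XX escapes; consecutive pairs may form one UTF-8 character."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and len(raw) >= i + 3 and raw[i + 1] in _HEX and raw[i + 2] in _HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


class FilterParser:
    def __init__(self, text):
        self.s, self.i = text.strip(), 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing characters after filter: %r" % self.s[self.i:])
        return node

    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, self.i, self.s))
        self.i += 1

    def _filter(self):
        self._expect("(")
        op = self.s[self.i:self.i + 1]
        if op in ("&", "|"):                      # filter list; an empty list is legal
            self.i += 1
            items = []
            while self.s[self.i:self.i + 1] == "(":
                items.append(self._filter())
            node = ("and" if op == "&" else "or", items)
        elif op == "!":
            self.i += 1
            node = ("not", self._filter())
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self):
        end = self.s.find(")", self.i)            # a literal ')' in a value must be \29
        m = _ITEM.fullmatch(self.s[self.i:end]) if end >= 0 else None
        if not m:
            raise ValueError("malformed filter item at offset %d in %r" % (self.i, self.s))
        self.i = end
        attr, op, raw = m.group(1).lower(), m.group(2), m.group(3)
        if op == "=" and raw == "*":
            return ("present", attr)
        if op == "=" and "*" in raw:              # substring: initial*any*...*final
            return ("sub", attr, [_unescape(p) for p in raw.split("*")])
        return ({"=": "eq", ">=": "ge", "<=": "le", "~=": "approx"}[op], attr, _unescape(raw))


def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    folded = {k.lower(): [str(v).lower() for v in vs] for k, vs in entry.items()}
    values = folded.get(node[1], [])
    if kind == "present":
        return bool(values)
    if kind in ("eq", "approx"):                  # approx: plain equality, no phonetic rule
        return node[2].lower() in values
    if kind == "sub":
        pattern = ".*".join(re.escape(p.lower()) for p in node[2])
        return any(re.fullmatch(pattern, v, re.S) for v in values)
    want = node[2].lower()                        # ge / le: numeric when both sides are integers
    pairs = [(int(v), int(want)) if v.isdigit() and want.isdigit() else (v, want) for v in values]
    return any(a >= b if kind == "ge" else a <= b for a, b in pairs)


ENTRIES = [  # constructed entries under ou=People,dc=test,dc=cs,dc=pub,dc=ro
    {"uid": ["gsclipici"], "cn": ["Gigel Sclipici"], "sn": ["Sclipici"], "uidNumber": ["1230"],
     "objectClass": ["inetOrgPerson", "posixAccount"]},
    {"uid": ["apopa"], "cn": ["Ana Popa"], "sn": ["Popa"], "uidNumber": ["1231"],
     "mail": ["apopa@test.cs.pub.ro"], "objectClass": ["inetOrgPerson", "posixAccount"]},
    {"uid": ["sconstantin"], "cn": ["Sorin Constantin"], "sn": ["Constantin"], "uidNumber": ["1232"],
     "objectClass": ["inetOrgPerson", "posixAccount"]},
]


def search(filter_text, entries=ENTRIES):
    """uid values of the entries the filter selects, in directory order."""
    node = FilterParser(filter_text).parse()
    return [e["uid"][0] for e in entries if matches(node, e)]
```

search("(|(&(sn=P*)(cn=A*))(&(sn=C*)(cn=S*)))") selects apopa and sconstantin. The pair (cn=Ana*Popa) versus (cn=Ana\2aPopa) shows the difference escaping makes: the first is a substring match, the second looks for a literal asterisk and matches nothing.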
LDAP URIs
- ldap://swarm.cs.pub.ro
- ldaps://swarm.cs.pub.ro:636
- ldap://swarm.cs.pub.ro/ou=People,dc=swarm,dc=cs,dc=pub,dc=ro
- ldap://swarm.cs.pub.ro/ou=People,dc=swarm,dc=cs,dc=pub,dc=ro?uid
- ldap://swarm.cs.pub.ro/ou=People,dc=swarm,dc=cs,dc=pub,dc=ro?uid?base?(givenName=Daniel)
- ldaps:// for LDAP over SSL/TLS from the first byte (port 636)
- ldap:// for plain LDAP (port 389); TLS on such a connection has to be negotiated afterwards with STARTTLS, and nothing in the URI itself guarantees that this happens
LDAP URIs (2)
- ldap://host:port/DN?attributes?scope?filter?extensions
- scope: base (the entry itself), one (its direct children), sub (the whole subtree)
- filter: (givenName=Daniel), (&(givenName=Daniel)(sn=Popescu))
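A parser for the URL form above (RFC 4516), as an added example that is not part of the lecture. It fills in the defaults the slide leaves implicit: an empty attribute list means all user attributes, the scope defaults to base, the filter to (objectClass=*), and the port follows the scheme. The URLs with an IPv6 host and a bindname extension are constructed; the others are the slide's.

```python
# Added example, not from the lecture: a parser for LDAP URLs (RFC 4516) that applies
# the defaults for missing components. The IPv6 and extension URLs are constructed.
import re
from urllib.parse import unquote, urlsplit

_URL = re.compile(r"(?is)(ldaps?)://([^/?]*)(?:/(.*))?")
_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
_SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def parse_ldap_url(url):
    m = _URL.fullmatch(url.strip())
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, netloc, rest = m.group(1).lower(), m.group(2), m.group(3) or ""
    hostport = urlsplit("//" + netloc)                 # also handles [IPv6]:port
    fields = rest.split("?", 4)                        # dn ? attributes ? scope ? filter ? extensions
    dn, attrs, scope, flt, exts = fields + [""] * (5 - len(fields))
    if scope.lower() not in _SCOPES:
        raise ValueError("unknown scope %r" % scope)
    extensions = []
    for ext in filter(None, exts.split(",")):          # a ',' inside a value must be %2c
        name, _, value = ext.lstrip("!").partition("=")
        extensions.append((unquote(name).lower(), unquote(value), ext.startswith("!")))
    return {
        "scheme": scheme,
        "tls_from_start": scheme == "ldaps",           # ldap:// needs StartTLS after connecting
        "host": hostport.hostname or "",               # "" means the client's configured default
        "port": hostport.port or _DEFAULT_PORT[scheme],
        "dn": unquote(dn),
        "attributes": [unquote(a) for a in attrs.split(",") if a],
        "scope": _SCOPES[scope.lower()],
        "filter": unquote(flt) or "(objectClass=*)",
        "extensions": extensions,                      # (name, value, critical)
    }
```

The tls_from_start field is the one to check when an application accepts an LDAP URL from configuration: only ldaps:// encrypts from the first byte, an ldap:// URL is plaintext unless the client is separately told to issue StartTLS.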
LDAP client implementations
- OpenLDAP (server + utilities)
- Apache Directory Server/Studio
- LDAPAdminTool (Linux/Windows, commercial)
- web2ldap (web, Python)
- phpLDAPadmin
LDAP CLI
- OpenLDAP
- apt-get install ldap-utils
- ldap*
- /etc/ldap/ldap.conf
  - default settings: BASE, URI
  - TLS_REQCERT never: skip certificate verification (keyword and value are separated by whitespace, not by "=")
  - caveat: with TLS_REQCERT never any host can impersonate the directory and collect bind passwords; point TLS_CACERT at the CA certificate and keep the default, TLS_REQCERT demand
ldapsearch
- searches the LDAP database
- ldapsearch -x
- ldapsearch -x uid (default filter, return only the uid attribute)
- ldapsearch -x uid=gsclipici
- ldapsearch -x '(&(cn=A*)(sn=B*))' (the filter needs its outer parentheses, and the quotes keep the shell from interpreting & and *)
- ldapsearch -x -b dc=test,dc=cs,dc=pub,dc=ro: specify the search base
- ldapsearch -x -H ldap://test.cs.pub.ro: specify the URI
- ldapsearch -x -D dc=binder,ou=Gods,dc=test,dc=cs,dc=pub,dc=ro -W: specify the user that binds (authenticates); -W prompts for the password
- -x selects simple bind: the password crosses the network in clear unless the URI is ldaps:// or STARTTLS is requested with -Z (-ZZ makes the command fail if TLS cannot be established)
- results are printed in LDIF format
ldappasswd
- changes the password of user entries
- requires authentication (binding) (-D, -W)
- ldappasswd -D cn=admin,dc=test,dc=cs,dc=pub,dc=ro -W uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro: the server generates the new password and the command prints it
- ldappasswd ... -S uid=gsclipici...: prompts for the user's new password
- ldappasswd -D cn=admin,dc=test,dc=cs,dc=pub,dc=ro -w $admin_pass -s $clear_pass uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro: non-interactive use
  - caveat: -w and -s put both passwords on the command line, where ps and the shell history expose them; -y file (bind password) and -T file (new password) read them from files instead
ldapadd
- adds an entry
  - specified in LDIF format
dn: uid=test,ou=people,dc=swarm,dc=cs,dc=pub,dc=ro
uid: test
cn: test test
sn: test
mail: [email protected]
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1230
gidNumber: 100
homeDirectory: /home/test
- requires authentication (-D, -W/-w)
- ldapadd ... -f /etc/ldap/ldif/test.ldif
- uidNumber and gidNumber must not collide with local accounts in /etc/passwd and /etc/group, since NSS merges the two sources
ldapdelete
- deletes an entry
- requires authentication (-D, -W/-w)
- ldapdelete ... uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro
ldapmodify
- modifies an entry, again described by an LDIF file
dn: cn=Modify Me,dc=example,dc=com
changetype: modify
replace: mail
mail: [email protected]
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-
delete: description
- the "attribute" add/delete/replace names the kind of change; change groups are separated by a line holding only "-"
- the :< form makes the client read the referenced file (here /tmp/modme.jpeg) and send its contents as the value
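A parser for the LDIF records shown on this slide and on the earlier LDIF slide, as an added example that is not part of the lecture. It handles content records, changetype: modify with its "-"-separated groups and changetype: delete, folded lines, :: base64 values and :< file references. The :< reference is recorded but never opened: an LDIF file from an untrusted source can name any local file, and dereferencing it would copy that file into the directory. The sample LDIF is constructed for the example.

```python
# Added example, not from the lecture: a parser for LDIF content and change records
# (RFC 2849 subset: content, changetype modify/delete, folded lines, :: and :<).
# SAMPLE_LDIF is constructed; FileRef keeps an "attr:< url" reference unresolved.
import base64
from collections import namedtuple

FileRef = namedtuple("FileRef", "url")

SAMPLE_LDIF = """\
# constructed person entry: a base64 value and a folded line
dn: uid=stefan,ou=People,dc=test,dc=cs,dc=pub,dc=ro
objectClass: inetOrgPerson
uid: stefan
givenName:: yJh0ZWZhbg==
description: a long value that is
  folded

dn: cn=Modify Me,dc=example,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-
delete: description

dn: uid=gsclipici,dc=test,dc=cs,dc=pub,dc=ro
changetype: delete
"""


def _unfold(text):
    """Drop comment lines; join continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def _parse_line(line):
    """'attr: value' | 'attr:: base64' | 'attr:< url'  ->  (attr, value)."""
    name, sep, rest = line.partition(":")
    if not sep or not name.strip():
        raise ValueError("not an attribute line: %r" % line)
    if rest.startswith("<"):
        return name.strip(), FileRef(rest[1:].strip())   # never opened here
    if not rest.startswith(":"):
        return name.strip(), rest.strip()
    raw = base64.b64decode(rest[1:].strip(), validate=True)
    try:
        return name.strip(), raw.decode("utf-8")
    except UnicodeDecodeError:
        return name.strip(), raw                           # binary value stays bytes


def _parse_modify(dn, body):
    """add/delete/replace groups separated by '-'  ->  [(op, attr, [values]), ...]."""
    changes, current = [], None
    for line in body:
        if line == "-":
            if current is None:
                raise ValueError("stray '-' in modify record for %r" % dn)
            changes.append(current)
            current = None
            continue
        attr, value = _parse_line(line)
        if current is None:
            if attr.lower() not in ("add", "delete", "replace"):
                raise ValueError("expected add/delete/replace, got %r" % line)
            current = (attr.lower(), value, [])
        elif attr.lower() != current[1].lower():
            raise ValueError("value of %r inside the %r group" % (attr, current[1]))
        else:
            current[2].append(value)
    if current is not None:                                # last group may omit its '-'
        changes.append(current)
    return changes


def _parse_record(lines):
    name, dn = _parse_line(lines[0])
    if name.lower() != "dn":
        raise ValueError("record must start with dn:, got %r" % lines[0])
    body, changetype = lines[1:], "content"
    if body and body[0].lower().startswith("changetype:"):
        changetype = _parse_line(body.pop(0))[1].lower()
    record = {"dn": dn, "changetype": changetype}
    if changetype in ("content", "add"):
        record["attrs"] = {}
        for attr, value in map(_parse_line, body):
            record["attrs"].setdefault(attr, []).append(value)
    elif changetype == "modify":
        record["changes"] = _parse_modify(dn, body)
    elif changetype != "delete" or body:
        raise ValueError("unsupported or malformed %r record for %r" % (changetype, dn))
    return record


def parse_ldif(text):
    """All records of an LDIF text, in order; blank lines separate records."""
    records, block = [], []
    for line in _unfold(text) + [""]:
        if line.strip():
            block.append(line)
        elif block:
            records.append(_parse_record(block))
            block = []
    return records
```

parse_ldif(SAMPLE_LDIF) returns one content record, one modify record with four change groups and one delete record; the jpegPhoto value comes back as FileRef("file:///tmp/modme.jpeg"), which a tool built on this parser would have to decide about explicitly rather than read blindly.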
LDAP scripts
- used for convenient management of user accounts in LDAP
- apt-get install ldapscripts
- ldapaddgroup, ldapadduser, ldapdeleteuser, ldapdeletegroup
Unix authentication through LDAP
- apt-get install libnss-ldap nscd libpam-ldap
- /etc/libnss-ldap.conf
root@valhalla:/etc/ldap# cat /etc/nsswitch.conf | grep '^\(passwd\|group\)'
passwd: compat files ldap
group: compat files ldap
- /etc/pam_ldap.conf
- /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
- nscd caches the answers, so an account removed from the directory can keep resolving until the cache entry expires or nscd is restarted
Configuring LDAP in Apache (mod_authnz_ldap; the bind DN and password are placeholders)
AuthType Basic
AuthName "Windows Research Kernel (use curs.cs.pub.ro account)"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://ldap.grid.pub.ro/ou=People,dc=cs,dc=curs,dc=pub,dc=ro?uid"
AuthLDAPBindDN "uid=xxx,ou=yyy,dc=cs,dc=curs,dc=pub,dc=ro"
AuthLDAPBindPassword "zzz"
Require valid-user
- AuthzLDAPAuthoritative exists only in Apache 2.2; Apache 2.4 removed the directive and refuses to start with it present
- the bind password sits in clear text in the configuration: keep the file readable only by root and use a bind account that can do no more than read the user subtree
- for the ldaps:// URL, mod_ldap verifies the server certificate only while LDAPVerifyServerCert stays at its default (On) and the CA is known through LDAPTrustedGlobalCert
Configuring LDAP in Dokuwiki
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['port'] = 636;
$conf['auth']['ldap']['server'] = 'ldaps://swarm.cs.pub.ro';
$conf['auth']['ldap']['usertree'] = 'ou=People,dc=swarm,dc=cs,dc=pub,dc=ro';
$conf['auth']['ldap']['grouptree'] = 'ou=Group,dc=swarm,dc=cs,dc=pub,dc=ro';
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))';
# This is optional but may be required for your server:
$conf['auth']['ldap']['version'] = 3;
- %{user} and %{gid} are placeholders the plugin fills in at login time; the value for %{user} comes from the login form, so it has to be escaped before it enters the filter
LDAP for developers
- libldap2-dev: C
- http://php.net/manual/en/book.ldap.php: PHP
- http://pypi.python.org/pypi/python-ldap/: Python
- http://ruby-ldap.sourceforge.net/: Ruby
Keywords
- Directory
- DIT
- X.500
- /etc/nsswitch.conf
- getent
- LDAP
- Active Directory
- Distinguished Name (DN)
- entries
- attributes
- LDIF
- DN, RDN, DC, CN, OU
- search
- LDAP URL
- base
- filters
- ldapsearch
- ldapadd
- ldappasswd
- ldapmodify
- ldapdelete
Useful resources
- http://en.wikipedia.org/wiki/LDAP
- http://tldp.org/HOWTO/LDAP-HOWTO/
- http://www.howtoforge.com/linux_ldap_authentication
- Understanding LDAP: Design and Implementation: http://www.redbooks.ibm.com/pubs/pdfs/redbooks/sg244986.pdf
- http://www.zytrax.com/books/ldap/