thinking enterprise.ppt
TRANSCRIPT
Deploying Directory Services in the EnterpriseThe OpenLDAP
Agenda●Introducing ldap●Installing & Configuring FDS●Case Study
oDesign guidelines Data Design Schema Design Directory Tree Design Replication design Security Design Tuning and Optimization
oIntegrating ldapoMaintaining DS
The need to LDAP
●Multiple disparate sources of the same information
●Users need separate logins and passwords to login to
●Heterogeneous systems
●Complex to keep information in synchronized
●Similar data spread around many flat files or in database with different formats
●Inadequacies of NIS ie. Not very extensible
●X.500 is too complicated
Introducing LDAP
●LDAP is a ‘Lightweight Directory Access Protocol’
●LDAP marries a lightweight DAP with the X.500 information model
●Uses an extensible hierarchical object data model
●An LDAP server may implement multiple ‘back-ends’: RDBMS, simple indexes (Berkeley DB), X.500 gateway
●Designed for frequent reads and infrequent writes
Benefits of LDAP●Standardized schemas (data types) exist for
many purposes (well beyond that of NIS)●Allows consolidation of many information
sources●Well defined API, support from many
applications●Easily replicated and distributed●Multiple backends allow integration with existing
data sources (RDBMS, etc)●Much faster than RDBMS (using lightweight
backend like Berkeley DB)
The Basics●Data is organised into an hierarchical tree●Each ‘entry’ (tree node) is identified by a DN (distinguished name) e.g.
uid=ykaram,ou=people,dc=alwataniyagroup,dc=com●Each component of a DN is called an RDN (relative DN) and represents a
branch in the tree●The RDN must be unique within the nodes at the same level of the tree (is
generally equivalent to one of the attributes ie. ‘uid’ or ‘cn’ in the case of a person)
●Each node has 1 or many attribute values associated with it. Each attribute can have 1 or many values
●‘objectClass’ is a mandatory attribute which specifies the schema (attribute constraints) for the given node
●Multiple ‘objectClass’ attributes can be combined together to achieve inheritance
●Example ‘objectClass’ (standard common schema) attributes:dcObject, organizationalUnit, person, organizationalPerson,inetOrgPerson, inetLocalMailRecipient
●CN (Canonical Name) is another common attribute used to provide a unique name for a directory object
LDAP Schemas
●Many standard schemas exist including (inside schema files .ldif):oPeople schemas - person, organisationalPerson,
inetOrgPerson, posixAccount, mailLocalRecpient, strongAuthenticationUser
oGroup schemas – groupOfUniqueNames, posixGroup, organisationalRole, roleMember
oHost / Network schemas – domain, ipHost, ipNetwork, ipProtocol, ipService, ieee802Device, bootableDevice
●An invaluable schema repository from Alan Knowles at the Hong Kong Linux Centre:ohttp://ldap.akbkhome.com/
LDIF File format●LDIF (Lightweight Directory Interchange
Format) is file used to import/export from a
LDAP directory serverdn: dc=alwataniyagroup,dc=com
objectclass: dcObject
objectclass: organization
o: Al Wataniya Group Ltd.
dc: alwataniyagroup
dn: ou=people,dc=alwataniyagroup,dc=com
objectclass: organisationalUnit
ou: people
dn: uid=ykaram,ou=people,dc=alwataniyagroup,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: mclark
cn: Yasir Karam
givenname: Yasir
sn: Karam
o: Al Wataniya Group Ltd.
userPassword:
{SSHA}D3DT4BJyKicf+PJ1+eqkWMNRG/B28xt+
mail: [email protected]
dn: uid=mohannad.saidawi,cn=waseetabudhabi.ae
mail: [email protected]
uid: mohannad.saidawi
hostServer: waseetabudhabi.ae
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: CommuniGateAccount
sn: Saidawi
cn: Mohannad Mahmoud Yousef Ahmed Saidawi
Custom schemas
●LDAP schemas uses SNMP style OIDs (Object Ids) for uniquely defining schema elements
●Apply for IANA enterprise number (RFC’s) here:ohttp://www.iana.org/cgi-bin/enterprise.pl
●Private enterprise number OID prefix is 1.3.6.1.4.1 eg. Metaparadigm uses 1.3.6.1.4.1.11137
●Information on custom schemas can be found here: ohttp://www.openldap.org/doc/admin/schema.html
Linux LDAP servers
●OpenLDAP is the primary open-source LDAP implementation based on Univ. Michigan LDAP http://www.openldap.org/
●Sun provides the iPlanet Directory Server●Oracle provides an LDAP server using an Oracle
database backend●Many others available (Innosoft)●Linux can also integrate with LDAP servers
running on other platforms such as Microsoft Active Directory or Novell eDirectory
Scalability and Fault Tolerance
●OpenLDAP supports real-time directory replication to provide load-balancing and high availability
●OpenLDAP supports single master, multiple slaves
●Most LDAP aware applications can be configured to use multiple LDAP servers (providing fallback servers)
●Multiple master support is in the works (currently alpha)
●OpenLDAP can be integrated with ‘heartbeat’ and ‘mon’ to provide fault tolerance ohttp://www.linux-ha.org/
Setting up OpenLDAP
●Configuration is located in:
/etc/openldap/slapd.conf
●We need to include the schemas we are
using
●Next we specify a database
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
database bdb
suffix "dc=itofficerlaptop,dc=com"
rootdn "cn=admin,dc=ITOFFICERLAPTOP,dc=com "
rootpw {crypt}mvRCcD3ajNmf2
Directory /var/lib/ldap
index objectClass eq,pres
Setting up OpenLDAP (cont.)
●We can now start slapd (Standalone LDAP
daemon)
●Next step is to add data to the directory
using the ldapadd
example presented earlier# ldapadd -D cn=Manager,dc=ITOFFICERLAPTOP,dc=com -W < init.ldif
Enter LDAP Password: xxxxx
adding new entry "dc=ITOFFICERLAPTOP,dc=com"
adding new entry "ou=people,dc=ITOFFICERLAPTOP,dc=com"
adding new entry "uid=ykaram,ou=people,dc=ITOFFICERLAPTOP,dc=com"
# service ldap start
Tuning OpenLDAP
●We need to add additional indexes for
performance to slapd.conf
●We need to add ACLs for security
index uidNumber,gidNumber,mailLocalAddress pres,eq
index cn,sn,givenName,memberUid,uid,mail pres,eq,sub
access to attr=userPassword
by self write
by anonymous auth
by * none
access to dn="" by * read
access to *
by self write
by users read
by anonymous auth
Tuning OpenLDAP (cont.)●Setup logging in syslog.conf (default is
LOCAL4)
●Make sure ‘slapd’ runs as non privileged user
●Make ‘slapd’ bind to SSL port for securityoneed signed certificates with openSSL and
modify slapd.conf
modify init script to bind to SSL port
local4.* /var/log/ldap.log
TLSCertificateFile /etc/openldap/cacerts/ldap.ITOFFICERLAPTOP.com.cer
TLSCertificateKeyFile /etc/openldap/cacerts/ldap.ITOFFICERLAPTOP.com.key
/usr/libexec/slapd -h 'ldap://ldap.ITOFFICERLAPTOP.com/ ldaps://ldap.ITOFFICERLAPTOP.com/' \
-l LOCAL4 -u ldap -g ldap
LDAP Search Filters
●LDAP uses a simple ‘search filters’ syntax (RFC2254)●LDAP queries return all attributes of matching entries (or
specifically selected attributes) which match the search filter
●LDAP query particles are enclosed within parenthesis in the form of ( attribute <matching rule> value ) ie. (cn=Yasir Karam)
●Matching rules include (=, =~, >=, <=)●* can be used as a wildcard within the value●These can be combined together using the Boolean
operators:and, or and not (&, |, !) eg:
● (&(cn=Yasir Karam)(objectClass=posixAccount))● (&(objectClass=inetOrgPerson)(!(o=Microsoft*)))● (|(cn=Yasir*)(cn=Karam*))
LDAP Search Filters
●The following example ldap search retrieves the
names and email address of all users with a
given name of ‘Yasir’ or ‘Karam’
●Very easy to incorporate this into shell scripts
# ldapsearch -LLL -h ldap1-prd -b dc=abudhabi,dc=alwataniyagroup,dc=com \
'(&(|(givenname=Yasir)(givenname=Karam))(objectClass=inetOrgPerson))' cn mail
dn: uid=karam_ahmed,ou=people,dc=abudhabi,dc=alwataniyagroup,dc=com
mail: [email protected]
cn: Karam Ahmed
dn: uid=Yasir,ou=people,dc=beirut,dc=alwataniyagroup,dc=com
mail: [email protected]
cn: Yasir Hassan
dn: uid=ykaram,ou=people,dc=abudhabi,dc=alwataniyagroup,dc=com
mail: [email protected]
cn: Yasir Karam
Unix Name service●LDAP integrates with NSS (Name Service
Switch) using the nss_ldap module http://www.padl.com/OSS/nss_ldap.html
●Requires configuration of /etc/ldap.conf
●Unix lookups are redirected in the same way as NIS: /etc/nsswitch.conf
host ldap.alwataniyagroup.com
base dc=alwataniyagroup,dc=com
ldap_version 3
binddn cn=Manager,dc=alwataniyagroup,dc=com
bindpw secret
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=people,dc=alwataniyagroup,dc=com?one
nss_base_group dc=alwataniyagroup,dc=com?sub
passwd: files nisplus ldap
shadow: files nisplus
group: files nisplus ldap
hosts: files nisplus dns ldap
LDAP authentication
●LDAP integrates with PAM (Pluggable
Authentication Modules) using pam_ldap
http://www.padl.com/OSS/pam_ldap.htmlopam_ldap shares /etc/ldap.conf with nss_ldap.conf
oWe create a pam definition file: /etc/pam.d/ldap-auth
●We point a services auth at LDAP eg. /etc/pam.d/imap
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
auth required /lib/security/pam_stack.so service=ldap-auth
account required /lib/security/pam_stack.so service=ldap-auth
session required /lib/security/pam_stack.so service=ldap-auth
Integrating OpenLDAP
objectClass=anakondaDistributed backup systemCn=people
objectClass=Web based payroll systemPayroll and HR management cn=people
objectClass=PHP web based task
management
Role and task managementcn=people
objectClass=Shared Address BookDistributed Address Bookcn=people
objectClass=OpenSSLSecured Authenticationcn=people
objectClass=proFTPDFTPcn=people
objectClass=OpenLDAP API Distributed inventory system cn=people
httpd
Jabber
SNMP-trap-agent
Shorewall
Squid
Samba
Samba
SIP Proxy
postfix
Application
objectClass=Extranetcn=people
objectClass=Messagingcn=people
cn=people
cn=people
cn=people
cn=people
cn=people
cn=people
cn=people
Resources
objectClass=SNMP
objectClass=Firewall
objectClass=VOIP
objectClass=Proxy
objectClass=Windows group policy
objectClass=Email
objectClass=Directory group policy
PolicyService
Mail routing - sendmail
●We use the ‘inetLocalMailRecipient’ schema
which extends ‘inetOrgPerson’
●Additional attributes ‘mailLocalAddress’,
‘mailHost’ and ‘mailRoutingAddress’. Users can
have multiple ‘mailLocalAddress’ attributes.
●Allows for easily distributed multiple back-end
mail stores
●Below are changes to sendmail.mc (tested in
8.11.x)define(`confLDAP_DEFAULT_SPEC',`-h ldap. alwataniyagroup.com -b
dc=alwataniyagroup,dc=com')dnl
FEATURE(ldap_routing)dnl
LDAPROUTE_DOMAIN(alwataniyagroup.com)
Mail routing – sendmail (cont.)●Any sendmail map can be defined using
LDAP.
●Example of custom alias map using 8.11.x
(should also work on 8.12.x only official
map schema support is available)LOCAL_CONFIG
undefine(`ALIAS_FILE')
Kldapaliases ldap -z, -v mailForwardingAddress -k (&(objectClass=mailForwardingAlias)(mailAlias=
%0))
O AliasFile=sequence:ldapaliasesattributetype ( 1.3.6.1.4.1.11137.3.1.48
NAME 'mailAlias' DESC 'alias part of address'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.11137.3.1.47
NAME 'mailForwardingAddress' DESC 'RFC822 address to use'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 1.3.6.1.4.1.11137.3.2.49
NAME 'mailForwardingAlias' DESC 'Internet local mail recipient'
SUP top AUXILIARY
MAY ( cn $ o $ mail $ mailAlias $ mailForwardingAddress ) )
Mail routing - postfix
●Postfix documentation specifies a non-standard schema. Below example is implemented with same schema as sendmail. (change in /etc/postfix/main.cf)
●Transport map can also be LDAP routed to provide multiple backend support
virtual_maps = ldap:metaroute
metaroute_server_host = ldap.alwataniyagroup.com
metaroute_search_base = dc=alwataniyagroup,dc=com
metaroute_query_filter = (mailLocalAddress=%s)
metaroute_result_attribute = mailRoutingAddress
metaroute_domain = alwataniyagroup.com
metaroute_bind = no
Shared Address book
●LDAP provides a convenient Corporate style shared address book similar to that of Exchange which is not otherwise available with standard Internet e-mail
●Support in almost all email clients:oEvolutionoMozillaoOutlookoEudoraoVarious web mail clientso…
Apache Authentication
●2 Apache modules availableo‘mod_auth_ldap’ apache module
http://nona.net/software/ldap/
o‘auth_ldap’ apache module
http://www.rudedog.org/auth_ldap/
●Example httpd.conf using mod_auth_ldap<Location /secret>
AuthType Basic
AuthName "Secret"
AuthLDAPURL ldap://ldap.alwataniyagroup.com:389/ou=people,dc=alwataniyagroup,dc=com?uid
require valid-user
</Location>
LDAP Browsers and Editors
●Java LDAP Browser
http://www.iit.edu/~gawojar/ldap/ oAllows easy updating and editing of
directory information.
oCan create templates for commonly
used directory objects.
●Huge number of other tools
(web, GTK, …)
Migration to LDAP
●Padl migration toolsohttp://www.padl.com/OSS/MigrationTools.html
●Migrates existing flat files or NIS
databasesopasswd, group, hosts, networks, services,
etc…
Other Application support
●Samba LDAP-PDCohttp://www.unav.es/cti/ldap-smb-howto.html
●LDAP DNS (no more HUPing named)ohttp://www.nimh.org/code/ldapdns/
●RADIUS (various patches floating around)
●Any application that supports PAMossh, netatalk, many others…
Design Guidelines
Design goals●Prepare conventional sync centralized authentication
services for the group resources (members, machines, roles and tasks)
●Develop centralized task flow management system
●Develop centralized payroll, HR system, and workflow forcibly subjected just once an employee enrolled and logged into his machine
●Manage centralized group policies
●Neither employees nor partners should have direct access to organization services and resources
●Present vendor based services to our clients, traders (Ad Agencies) and other information brokers
Design Strategy
●Convolving the following:oA plausible model to achieve resources shared over
our network yet consolidating raw HR and IT
information between network branches
oRole and real time task policy according to position,
time and business process. Though having much
control and monitoring over HR and other resources
oA wider look to the future is recurring to information
merchandising then start to exchange raw information
in a wider market with other information brokers like
IPSOS
●Al Wataniya Grp. Is an Advertising and Marketing organization o2500 employees o1000 machines
600 PCs 250 MAC’s 50 Linux servers
o300 printerso10 countrieso19 brancheso23 branded businesses o6 available regional level serviceso5 available branch level services
●alwataniyagroup.com is a qualified domain name for the group
Organizational Figures
Data Design
●alwataniyagroup.com will be used for the following public centralized services:oMessagingoEmailoExtranet web serveroHuman resource management oPublic white pages addressbookoVOIP SIP gatewayoRole and task management server
●While we have also onsite child node services:oProxy serveroFirewall serveroData backup serveroWindows group policy managementoFile share and directory management oFTP serveroSNMP network monitoring server oSSH secured telnet server
Data design●The messaging server searches on attributes such as:
ouidomailServerNameomailAddress
●alwataniyagroup.com will maintain indexes for these attributes to support searches by messaging serveroThe directory supports the following types of index:
Presence index - The presence index lists entries that possess a particular attribute, such as uid.
Equality index - The equality index lists entries that contain a specific attribute value, such as cn=Yasir Karam.
Approximate index - The approximate index allows approximate (or "sounds-like") searches. For example, an entry contains the attribute value of cn=Yasir A. Karam. An approximate search would return this value for searches against cn~=Yasir Karam, cn~=Karam, and cn~=Yasir.
Substring index - The substring index allows searches against substrings within entries. For example, a search for cn=*karam would match common names containing this string (such as Ahmed Ali, Robert Lakis, and Mamoun Eid).
International index - The international index speeds searches for information in international directories. You configure the index to apply a matching rule by associating a locale (internationalization OID) with the attribute being indexed.
Browsing Index - The browsing index, or virtual list view index, speeds up the display of entries in the Directory Server Console. You can create a browsing index on any branch in your directory tree to improve the display performance.
Data design --cont
●Alwataniyagroup.com allows data to be managed locally as per site, for example UAE branch is responsible for managing the Dubai, Sharjah, AlAin and Abu Dhabi branches
●Cause of geographic distribution of the branches data should be distributed 24 hours to all users
●All data will be maintained in one unique language “English”
●Ad agencies will be able to login and manage their contracts with alwataniyagroup.com
●Other publishers and ditribution firms can share material after authenticating services
Schema design
●Alwataniyagroup.com uses standard schemas in repository to support the enterprise
●Also we may add new objects like alwataniyagroupAdAgency and alwataniyagroupPublisher object classes
●We also may add new attributes to standard object classes like internetAccess to contain policy attribs (timing, bandwidth, file access rights..etc)
●Other services led by resources like VOIP SIP gaetway also can be achieved after assigning new object class SIP unique identifier and then extension number, access time, available features, call access rights..etc
Directory Tree Design
●Directory tree is rooted in suffix dc=com●Three leafs under the root DN are:
odc=alwataniyagroup, dc=comodc=alwataniyagroup, dc=netodc=alwataniyagroup, dc=org
●The directory tree for intranet (under dc=alwataniyagroup, dc=com) has 11 main branches each correspond to one of the countries where alwataniyagroup.com has branches while there branches are identified using locality attributes.
●Each main branch under dc=alwataniyagroup, dc=com mimics the original directory tree design of alwataniyagroup.com corporation, under each locality, alwataniyagrouyp.com creates an ou=people, an ou=groups, an ou=roles and ou=resources branch.
Cn=com
Dc=alwataniy
agroup,dc-
comc=UAE c=Kuwait c=Bahrain c=KSA c=Lebanon c=Jordan c=Syria c=Qatar c=Egypt c=Sudan
Dc=dxb,dc=alw
ataniyagroup,d
c=comDc=auh,dc=al
wataniyagroup,
dc=comDc=alain,dc=al
wataniyagroup,
dc=com
Dc=kht,dc=lda
p,dc=alwataniy
agroup,dc=co
m
dc=ryd,dc=alw
ataniyagroup,d
c=com
Dc=dmm,dc=al
wataniyagroup,
dc=comDc=qsm,dc.alw
ataniyagroup,d
c.comDc=jdh,dc=alw
ataniyagroup,d
c=com
Ou=Newspape
rO=Shams
O=hayat
Ou=classifieds
O=waseela
Ou=people
Ou=groups
Ou=roles
Ou=resources
ou=IT
Cn=Mahmoud
Al Qasem
Cn=IT Officer
cn=machine_0
01
Ou=people
Cn=Tareq Al
Fahd
Ou=groups
Cn=Managem
entCn=Accounting
Cn=IT
Cn=Kinan
FahhamCn= Waleed
Hudaithy
Ou=Roles
Cn=DGM
Cn=Chief
Accountant
Replica
Replica
Organizational naming
hierarchal topology
Alwataniyagroup.com
uae.alwataniyagroup.com
auh.uae.alwataniyagroup.com dxb.uae.alwataniyagroup.com
alain.auh.uae.alwataniyagroup.com
sharjah.uae.alwataniyagroup.com
DNS naming topology for UAE
Regional services topology
Ldap0.alwataniyagro
up.com
www.alwataniyagrou
p.com
Jabber.alwataniyagro
up.com
payroll.people.
alwataniyagrou
p.com
Mail.alwataniyagroup.
com
People.alwataniyagro
up.com
Tasks.poeple.
alawataniyagr
oup.comLdap1.alwataniyagro
up.com
Sip1.alwataniyagroup
.com
ftp1.alwataniyagroup.
com
Ns1.alwataniyagroup.
com
LDAP
Delegati
on
LDAP
Delegati
on
LDAP
Sync
LDAP
Delegati
on
LDAP
Delegati
on
LDAP
Delegati
on
LDAP
Delegati
on
LDAP
Delegati
on
Branch level services topology (Dubai branch)
Ldap.dxb.uae.
alwataniyagro
up.com
firewall.dxb.u
ae.alwataniya
group.com
payroll.dxb.ua
e.alwataniyag
roup.com
proxy.dxb.uae
.alwataniyagr
oup.comDirectory.dxb.
uae.alwataniy
agroup.com
ftp1.dxb.uae.a
lwataniyagrou
p.com
ssh.dxb.uae.a
lwataniyagrou
p.com
LDAP
Delegati
onLDAP
Delegati
on
LDAP
Delegati
on
LDAP
Delegati
on
LDAP
Delegati
on
LDAP
Delegati
on
Replication Design
●Data should be managed locally at branch
level
●The quality of network varies from site to
site
●Database links can be used to connect
remote servers
●Hub servers which contain read-only data
will be used to replicate servers.
Database replication topology
beiru
t
kassi
m
Branch level databaseCountry level database
Regional level database
To master
replicas
To master
replicas
Database servers may also depend on number of deployed services at each branch
Security Design●Many issues to care about:
oKind of information that will be stored in the directoryoWays in which clients will be accessing the directoryoWays which will be used to update and manage the directoryoAcceptable administration effort for security
●To add general ACI’s to the rootdn,
●Add restrictive ACI’s to branch admin’s
●Add more tighten macro ACI’s to achieve group policy for all users in order to access their directories on file servers
●Anonymous access to read-only data
dn: ou=IT, o=auh, c=uae, cn=alwataniyagroup, cn=com
objectclass: top
objectclass: organizationalUnit
ou: IT
description: IT Office
entryowner: access-id:cn=admin,o=auh,c=uae
inheritoncreate: TRUE
ownerpropagate: TRUE
aclpropagate: TRUE
ownersource: default
aclsource: OU=IT,O=auh,C=UAE
aclentry: access-id:CN=YAsir
Arnold,OU=IT,in,O=auh,C=us:object:a:normal:rwsc:
sensitive:rwsc:critical:rwsc
aclentry: group:CN=ANYBODY:normal:rsc
Q & A