
CT 320: Network and System Administration
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP)

COLORADO STATE UNIVERSITY
COMPUTER SCIENCE DEPARTMENT
CHRIS WILCOX
FALL 2012

Original slides from Dr. James Walden at Northern Kentucky University.
Topics
CT320: Fall Semester 2012
Slide #2
1. What is a directory?
2. NIS
3. LDAP
4. OpenLDAP
5. LDAP Authentication
10/25/12
What is a Directory?
Slide #3
Directory: A collection of information that is primarily searched and read, rarely modified.

Directory Service: Provides access to directory information.

Directory Server: Application that provides a directory service.
Directories vs. Databases
Slide #4
Directories are optimized for reading.
Databases are balanced for reading and writing.
Directories are tree-structured.
Databases typically have a relational structure.
Directories are usually replicated.
Databases can be replicated too.
Both are extensible data storage systems.
Both have advanced search capabilities.
System Administration Directories
Slide #5
Types of directory data
Accounts
Mail aliases and lists (address book)
Cryptographic keys
IP addresses
Hostnames
Printers
Common directory services
DNS, LDAP, NIS
Advantages of Directories
Slide #6
Make administration easier.
Change data only once: people, accounts, hosts.
Unify access to network resources.
Single sign on.
Single place for users to search (address book).
Improve data management
Improve consistency (one location vs many)
Secure data through only one server.
NIS: Network Information Service
Slide #7
Originally called Sun Yellow Pages
Clients run ypbind
Servers run ypserv
Data stored under /var/yp on server.
Server shares NIS maps with clients
Each UNIX file may provide multiple maps
passwd: passwd.byname, passwd.byuid
Slave servers replicate master server content.
Easy to use, but insecure, difficult to extend.
LDAP
Slide #8
Lightweight Directory Access Protocol
Lightweight compared to X.500 directories.
Directory, not a database.
Access Protocol, not a directory itself.
LDAP Clients and Servers
Slide #9
LDAP Clients
Standalone directory browsers.
Embedded clients (mail clients, logins, etc.)
Configure /etc/nsswitch.conf on UNIX to use LDAP.
Common LDAP servers
OpenLDAP
Fedora Directory Server (formerly Sun, Netscape)
Mac Open Directory
Microsoft Active Directory
Novell eDirectory (NDS)
LDAP Structure
Slide #10
An LDAP directory is made of entries.
Entries may be employee records, hosts, etc.
Each entry consists of attributes.
Attributes can be names, phone numbers, etc.
objectClass attribute identifies entry type.
Each attribute is a type / value pair.
Type is a label for the kind of information stored (e.g., name).
Value is the attribute's value in this entry.
Attributes can be multi-valued.
Tree-structure of LDAP Directories
Slide #11
LDAP Schemas
Slide #12
Schemas specify allowed objectClasses and attributes.
LDAP Client/Server Interaction
Slide #13
1. Client requests to bind to server.
2. Server accepts/denies bind request.
3. Client sends search request.
4. Server returns zero or more directory entries.
5. Server sends result code with any errors.
6. Client sends an unbind request.
7. Server sends result code and closes socket.
LDAP Operations
Slide #14
Client Session Operations
Bind, unbind, and abandon
Query and Retrieval Operations
Search and compare
Modification Operations
Add, modify, modifyRDN, and delete
Authentication
Slide #15
Anonymous Authentication
Binds with empty DN and password.
Simple Authentication
Binds with DN and password. Cleartext.
Simple Authentication over SSL/TLS
Use SSL to encrypt simple authentication.
Simple Authentication and Security Layer
SASL is an extensible security scheme.
SASL mechanisms: Kerberos, GSSAPI, SKEY
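Added example (not from the slides): the bind, bind result and unbind messages of the client/server interaction on slide 13, and the anonymous and simple binds from this slide, BER-encoded with the tags LDAPv3 defines (RFC 4511), using only the Python standard library. The DN cn=admin,dc=example,dc=com and password s3cret used below are constructed sample values; the simple-bind bytes carry the password verbatim, which is what "Cleartext" on this slide means and why it is paired with SSL/TLS.

```python
# Added example, not from the original slides: BER-encode LDAPv3 bind / result / unbind messages (RFC 4511 tags).

def ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED value."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|N followed by N big-endian bytes."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + protocol_op)

def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version, name LDAPDN, simple [0] OCTET STRING }.
    Empty DN and password = anonymous bind; otherwise a simple bind, password sent verbatim."""
    body = tlv(0x02, ber_int(3))            # version 3
    body += tlv(0x04, dn.encode())          # name (LDAPDN)
    body += tlv(0x80, password.encode())    # authentication: simple, context tag [0]
    return ldap_message(msg_id, tlv(0x60, body))

def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL, i.e. tag 0x42 with zero length."""
    return ldap_message(msg_id, b"\x42\x00")

def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> tuple:
    """(messageID, resultCode) of a BindResponse; 0 = success, 49 = invalidCredentials (denied)."""
    tag, seq, _ = read_tlv(msg)
    _, mid, pos = read_tlv(seq)
    op, result, _ = read_tlv(seq, pos)
    if tag != 0x30 or op != 0x61:           # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, _ = read_tlv(result)           # resultCode ENUMERATED (tag 0x0A) comes first
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big", signed=True)
```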
Distributed Directories
Slide #16
Use multiple LDAP servers.
Why distribute?
Throughput
More servers can reduce load on any single server.
Latency
Have local server serve local data to LAN.
Only use WAN for non-local data on other servers.
Administrative Boundaries
Let each side administer its own directory.
LDAP Authentication
Slide #17
1. Configure server with schema + user data.
2. Point clients to hostname and rootDN of server.
/etc/ldap.conf and
/etc/openldap/ldap.conf
3. Verify server access with ldapsearch
4. Configure clients to use LDAP auth
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap