A directory service stores information about users and other entities, such as clients and printers, in a database that maps values to names and vice versa. This data offers a centralized repository that you can use to simplify network security management. Directory services, properly implemented, lessen the possibility of chaos and disorder on a large network.
How does a directory service simplify an administrator's job? Imagine a hundred-user network where people come and go, and you, the systems administrator, have to create and delete users not only for access to the operating system but on the many applications that also require authorization. This can become a time-consuming nightmare. One important use of directory services is storing usernames and passwords in a centralized location, relieving you of a significant burden.
I'll focus here on OpenLDAP, one widely used directory service. Like that of any directory service, the OpenLDAP database is relatively small, and read and searched much more than it's written. You can use LDAP in conjunction with DNS, email, or Samba servers, but our examples will focus on basic username/password management.
To install OpenLDAP on a CentOS server, run
yum install openldap-servers openldap-clients nss_ldap
slapd is the OpenLDAP server binary. I also recommend installing time-synchronization software (NTP): accurate clocks are essential to authentication if you plan to use Kerberos, and TLS certificate validation depends on the client's clock as well.
To see what an OpenLDAP entry looks like, type slapcat as root to get a look at the contents of the slapd database.
slapcat
Once the software is installed, open /etc/openldap/ldap.conf and edit some basic settings for your clients. There are two commented lines, one starting with "BASE," the other with "URI." Uncomment them and replace the values below with your domain and server address:
BASE dc=mydom,dc=ain
URI ldap://ldap.mydom.ain
# You can use ldap://ldap.mydom.ain:portnumber if you need to change the default port, which is 389
Test the settings you altered with ldapsearch -x (a simple bind, anonymous here because no -D bind DN is given). If the command exits cleanly with no error messages, you can move on. Keep in mind that a plain ldap:// URI carries simple binds in cleartext, so once you bind with real credentials (-D ... -W) use an ldaps:// URI or STARTTLS (ldapsearch -ZZ). But before creating slapd.conf, the file with the server settings, let's take care of some essential terminology.
ldapsearch -x
The "dc=..." values you saw in the example above are the building blocks of LDAP names: each is a pair of the form attribute=value, and a comma-separated chain of such pairs names exactly one entry. An entry itself is the set of attribute/value pairs describing one object: a person, a group, a printer. The text format used to load and dump entries is LDAP Data Interchange Format (LDIF), which writes one "attribute: value" per line, with a dn: line at the top identifying the entry. To implement a simple "telephone book" system with LDAP, the attributes of one user might look like:
uid: jdoe
cn: John Doe
# Generate the userPassword value with slappasswd (its default scheme is {SSHA}); the {crypt} value below is a dummy.
userPassword: {crypt}$!(*^*(&*!^*&^*&!^*%%465465143
loginShell: /bin/ksh
uidNumber: 1234
gidNumber: 1234
homeDirectory: /home/jdoe
A couple of other important attributes are distinguished name – a name that uniquely identifies an entry in the directory – and domain component – a "piece by piece" representation of a domain name. You've seen what a dc entry might look like; here's a dn entry for our John Doe:
dn: uid=jdoe,ou=Programming,dc=mydom,dc=ain
What does this tell you about John Doe? Since ou stands for "organizational unit," it means he's a programmer. The dc part will help some other systems that might use OpenLDAP, such as a mail server that will know that the address of John Doe is jdoe@mydom.ain. When creating headers for new email messages, the mailserver can use the common name (cn) as needed, so the recipient of John's messages will see "From: John Doe (jdoe@mydom.ain)."
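As an added example (not from the article), here is Python that produces a complete, loadable LDIF entry for John Doe, including the dn and objectClass lines the fragment above omits, with a userPassword in the {SSHA} scheme that slappasswd emits by default, plus a verifier for that scheme so you can see what slapd checks on a simple bind. The suffix, OU and account values are the article's sample ones; the password and the "Doe" surname are made up for the example.

```python
import base64
import hashlib
import os

# Constructed for this example: the article's sample suffix.
BASE_DN = "dc=mydom,dc=ain"


def ssha_hash(password, salt=None):
    """Return a userPassword value in the {SSHA} scheme that slappasswd emits by default.

    Format: "{SSHA}" + base64(SHA1(password || salt) || salt). The salt is random
    unless one is supplied (supplying one only makes tests reproducible).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; whatever follows is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_line(attr, value):
    """Format one LDIF line, switching to the 'attr:: base64' form when RFC 2849 requires it.

    A value must be base64-encoded if it is empty, starts with a space, ':' or '<',
    ends with a space, or contains non-ASCII or line-break characters.
    """
    safe = (
        value != ""
        and value[0] not in " :<"
        and not value.endswith(" ")
        and value.isascii()
        and "\n" not in value
        and "\r" not in value
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_entry_ldif(uid, cn, sn, uid_number, gid_number, password,
                    ou="Programming", shell="/bin/ksh", salt=None):
    """Build a complete, loadable LDIF entry for a POSIX user under ou=<ou>,<BASE_DN>.

    inetOrgPerson supplies cn/sn/mail, posixAccount the login attributes; both are
    needed for the attributes the article's fragment uses.
    """
    dn = f"uid={uid},ou={ou},{BASE_DN}"
    attrs = [
        ("dn", dn),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", shell),
        ("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # Save the output as jdoe.ldif and load it with:
    #   ldapadd -x -H ldaps://ldap.mydom.ain -D cn=admin,dc=mydom,dc=ain -W -f jdoe.ldif
    print(user_entry_ldif("jdoe", "John Doe", "Doe", 1234, 1234, "correct horse"))
```

The base64 rule matters in practice: a common name with an accented character, or a description that happens to start with a space, silently becomes a parse error in ldapadd if written in the plain form.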
Here's a sample slapd.conf, heavily commented.
########################################################################
# Global Directives:
# These schema paths are the Debian layout; on CentOS the files live under /etc/openldap/schema.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
# I recommend you don't alter the above settings unless needed
# Berkeley DB backend
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
########################################################################
# Specific Directives for database #1, of type bdb:
database bdb
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
# Tweak if/as needed
suffix "dc=mydom,dc=ain"
# Please change the password with the result of "slappasswd"
rootdn "cn=admin,dc=mydom,dc=ain"
# again, this is a dummy password
rootpw {crypt}$!&*@JHM@%$GH@SA*
checkpoint 512 30
# Allow users to create private users
access to dn.one="ou=private,ou=addrbook,dc=mydom,dc=ain" attrs=userPassword
    by dn="cn=jdoe,ou=addrbook,dc=mydom,dc=ain" write
    by anonymous auth
    by self write
    by * none
# For user authentication and password change
access to attrs=userPassword
    by dn="cn=admin,dc=mydom,dc=ain" write
    by anonymous auth
    by self write
    by * none
# Grant users access to their private addressbooks
access to dn.regex="^.*cn=([^,]+),ou=private,ou=addrbook,dc=mydom,dc=ain$"
    by dn="cn=admin,dc=mydom,dc=ain" write
    by dn="cn=jdoe,ou=addrbook,dc=mydom,dc=ain" write
    by dn.exact,expand="cn=$1,ou=private,ou=addrbook,dc=mydom,dc=ain" write
# Grant the user access to the whole addressbook
access to dn.subtree="ou=addrbook,dc=mydom,dc=ain"
    by dn="cn=admin,dc=mydom,dc=ain" write
    by dn="cn=jdoe,ou=addrbook,dc=mydom,dc=ain" write
# For directory access
access to *
    by dn="cn=admin,dc=mydom,dc=ain" write
This small example should be enough to get you going, with two caveats. First, access directives are evaluated in order: the first "access to" clause whose target matches decides the outcome, every clause ends with an implicit "by * none", and the list as a whole ends with an implicit "access to * by * none". As written, that means nobody except the admin DN can read ordinary attributes, so account lookups from clients come back empty until you widen the final rule, for example with "by users read" (authenticated users) or "by * read". Second, the rootdn bypasses the ACLs entirely and its password hash sits in this file, so slapd.conf must be readable only by root and the account slapd runs as.
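The following is an added example, not the article's code: a small Python model of how slapd evaluates the "access to ... by ..." directives above, following the first-match rules in slapd.access(5). The article's five directives are transcribed as data (plain dn= patterns are treated as exact matches, as current releases do), and a second list shows the final rule widened to "by users read". Running it shows that with the article's ACLs an ordinary bound user gets no access to anyone's cn, anonymous clients can only authenticate against userPassword, and a user gets write on their own private address-book entry through the $1 expansion.

```python
import re

# Access levels in slapd.access(5) order; a grant of one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BASE = "dc=mydom,dc=ain"
ADMIN = "cn=admin," + BASE
JDOE = "cn=jdoe,ou=addrbook," + BASE
ADDRBOOK = "ou=addrbook," + BASE
PRIVATE = "ou=private," + ADDRBOOK

# The article's access directives as data: an optional dn target (style, pattern),
# an optional attrs set, and the ordered list of (who, level) "by" clauses.
ARTICLE_ACLS = [
    {"dn": ("one", PRIVATE), "attrs": {"userPassword"},
     "by": [(("dn", JDOE), "write"), (("anonymous", None), "auth"),
            (("self", None), "write"), (("*", None), "none")]},
    {"attrs": {"userPassword"},
     "by": [(("dn", ADMIN), "write"), (("anonymous", None), "auth"),
            (("self", None), "write"), (("*", None), "none")]},
    {"dn": ("regex", r"^.*cn=([^,]+),ou=private,ou=addrbook,dc=mydom,dc=ain$"),
     "by": [(("dn", ADMIN), "write"), (("dn", JDOE), "write"),
            (("dn.exact,expand", "cn=$1,ou=private,ou=addrbook,dc=mydom,dc=ain"), "write")]},
    {"dn": ("subtree", ADDRBOOK),
     "by": [(("dn", ADMIN), "write"), (("dn", JDOE), "write")]},
    {"by": [(("dn", ADMIN), "write")]},
]

# Same list with the final rule widened so authenticated users can read the tree
# (what nss_ldap lookups need); anonymous clients still get nothing beyond auth.
FIXED_ACLS = ARTICLE_ACLS[:-1] + [{"by": [(("dn", ADMIN), "write"), (("users", None), "read")]}]


def _parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def _target_matches(clause, entry_dn, attr):
    """Return (matched, regex_groups) for the 'access to' part of a clause."""
    style, pattern = clause.get("dn", (None, None))
    groups = ()
    if style == "subtree" and not (entry_dn == pattern or entry_dn.endswith("," + pattern)):
        return False, groups
    if style == "one" and _parent(entry_dn) != pattern:
        return False, groups
    if style == "regex":
        m = re.match(pattern, entry_dn)  # slapd uses POSIX regex; these patterns behave the same here
        if not m:
            return False, groups
        groups = m.groups()
    if "attrs" in clause and attr not in clause["attrs"]:
        return False, groups  # attribute-restricted clause: fall through to the next one
    return True, groups


def _subject_matches(who, requester_dn, entry_dn, groups):
    kind, value = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester_dn is None
    if kind == "users":
        return requester_dn is not None
    if kind == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if kind == "dn":  # plain dn= is an exact match in current releases
        return requester_dn == value
    if kind == "dn.exact,expand":  # $1 is the capture group from the clause's dn.regex target
        return bool(groups) and requester_dn == value.replace("$1", groups[0])
    raise ValueError(f"unsupported by-clause kind {kind}")


def evaluate(acls, requester_dn, entry_dn, attr="entry"):
    """Return the access level slapd would grant; requester_dn None means an anonymous bind."""
    for clause in acls:
        matched, groups = _target_matches(clause, entry_dn, attr)
        if not matched:
            continue
        for who, level in clause["by"]:
            if _subject_matches(who, requester_dn, entry_dn, groups):
                return level
        return "none"  # first matching target decides; implicit "by * none"
    return "none"      # implicit "access to * by * none"


def allows(acls, requester_dn, entry_dn, attr, needed):
    """True if the granted level is at least the level needed for the operation."""
    return LEVELS.index(evaluate(acls, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

The model covers the by-clause forms the article uses plus "users"; real slapd also knows group=, peername=, set= and more, and treats the entry itself as a pseudo-attribute, which this model folds into the default attr="entry".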
OpenLDAP books and documentation, such as the manual on IBM's site, have a tendency to be cryptic, but they become invaluable once you start grasping the basic concepts. Besides manual pages, here are a few tools you might use. ldapsearch allows users to do complex searches in the "address book" created with OpenLDAP. Some of the essential command-line flags of this utility are:
-h [host]        the LDAP server to contact (newer releases prefer -H ldap://host/)
-A               return attribute names only, not their values
-p [number]      the TCP port, when the server is not on the default 389
-b "base_entry"  the DN at which the search starts
So, for instance, the command below contacts ldap.mydom.ain on port 3986, binds simply and anonymously (-x), and searches for John Doe's entry in addrbook, returning only attribute names. Note the order of the base DN: most specific component first, just as John's dn was written above, and ending in the same suffix the server was configured with:
ldapsearch -x -h ldap.mydom.ain -p 3986 -A -b "cn=John Doe,ou=addrbook,dc=mydom,dc=ain"
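The command above relies on the default filter (objectClass=*); as soon as you build filters from user input, for instance a login form that looks up (uid=...), the input must be escaped per RFC 4515 or it can rewrite the filter. The following is an added example, not part of the article: a Python parser and matcher for the filter syntax ldapsearch accepts (and/or/not, equality, presence and substring), run against a small constructed in-memory directory so the effect of an unescaped "*" can be seen without a server. The entries and DNs are made up to match the article's sample tree.

```python
import re

# RFC 4515 escapes for the characters that would otherwise alter filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter string into a tree; supports &, |, !, equality, presence and substrings."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (op, children)
        else:
            end = text.index(")", pos)  # an escaped ')' is '\29', so this is always the real end
            attr, _, value = text[pos:end].partition("=")
            pos = end
            if value == "*":
                node = ("present", attr.lower(), None)
            elif "*" in value:
                node = ("substr", attr.lower(), [_unescape(p) for p in value.split("*")])
            else:
                node = ("eq", attr.lower(), _unescape(value))
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return node[2].lower() in values
    pattern = ".*".join(re.escape(part.lower()) for part in node[2])  # substring components
    return any(re.fullmatch(pattern, v) for v in values)


# Constructed sample directory (attribute names lower-cased; LDAP treats them case-insensitively).
DIRECTORY = {
    "uid=jdoe,ou=Programming,dc=mydom,dc=ain":
        {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["jdoe"], "cn": ["John Doe"]},
    "uid=asmith,ou=Programming,dc=mydom,dc=ain":
        {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["asmith"], "cn": ["Ann Smith"]},
    "cn=admin,dc=mydom,dc=ain":
        {"objectclass": ["organizationalRole", "simpleSecurityObject"], "cn": ["admin"]},
}


def search(filter_text, directory=DIRECTORY):
    """Return the DNs an ldapsearch over the whole tree with this filter would list."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


def lookup_user_unsafe(uid):
    # Interpolating raw input lets '*' or ')(' rewrite the filter.
    return search(f"(&(objectClass=posixAccount)(uid={uid}))")


def lookup_user(uid):
    # Escaped input is matched literally, so '*' only matches a user literally named '*'.
    return search(f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))")
```

The same escaping applies whether the filter ends up on an ldapsearch command line or inside an application's bind-then-search logic; the parser is deliberately strict about trailing characters, which is also how a real server rejects a half-broken injected filter.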
Another useful tool, phpLDAPadmin, is a good way to administer an OpenLDAP server from a web interface, in the same vein as tools like phpMyAdmin for MySQL servers or phpPgAdmin for PostgreSQL administrators. The slapcat utility that comes with the server-side LDAP utilities (the package is openldap-servers on CentOS) displays the entire LDAP database, so after adding or removing entries, you can check whether the changes are there.
The procedure for configuring clients to authenticate against an OpenLDAP server is shorter and easier. Install libnss-ldap (and libpam-ldap) on Debian systems, or openldap-clients and nss_ldap on CentOS. On Debian the package configuration prompts ask for the server URI and base DN; elsewhere, edit /etc/ldap.conf and fill in the same information you entered in ldap.conf on the server. Then edit /etc/nsswitch.conf so the name service knows to consult LDAP for the account databases. Keep files ahead of ldap: local accounts, root above all, must still resolve when the directory is unreachable:
passwd: files ldap
group: files ldap
shadow: files ldap
nsswitch.conf only covers account lookups; the password check itself goes through PAM, which on CentOS authconfig --enableldap --enableldapauth --update configures for you, and which the libpam-ldap prompts handle on Debian. With that done, all should be working.
Using directory services can save you time and improve your efficiency. Depending on the size and complexity of your network, implementing directory services could be the most important administration improvement you make all year.