LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL

03 AUGUST 2005

LINUX SYSTEM ADMINISTRATION AND SECURITY

VINEET BHARDWAJ

VINAY KUMAR THOTA

INTRODUCTION

CONFIGURATION

INSTALLATION

SECURITY ISSUES

CONCLUSION

DIRECTORY SERVICE

LDAP

DESIGNED AT UNIVERSITY OF MICHIGAN

EXIST AT THREE LEVELS

BIG PUBLIC SERVERS

LARGE ORGANIZATIONAL SERVERS

SMALLER WORK GROUP SERVERS

INFORMATION

ARRANGEMENT

KIND

REFERENCE

ACCESS

A Directory service structure for the internet. It has many features that make it ideal for providing network information services, including encryption support, access control lists, fast read access, etc.. LDAP will combine several systems that normally have to be maintained separately , such as NT authentication, UNIX authentication, MTA routing information, services/protocols/hosts information, network address books, etc.

The structure of an LDAP directory tree

LDAP directory servers store their data hierarchically.

As with DNS host names, an LDAP directory record's Distinguished Name (DN for short) is read from the individual

entry, backwards through the tree, up to the top level.

Prerequisite Software Versions

THE ORGANIZATION

ORGANIZATIONAL UNIT

PERSON

COUNTRY

STATE

A DIRECTORY TREE STRUCTURE

HOW DOES LDAP WORK ????

CLIENT SERVER MODEL

TCP/IP OR ANY OTHER CONNECTION ORIENTED

X.500,THE OSI DIRECTORY SERVICE

ABOUT Slapd Slurpd

Slapd

Supports strong authentication and data security SASL

Transport layer security

Topology control – TCP Wrappers

Access Control

Choice of database back ends

Threads

Replication

Single Configuration file

Slurpd

Replicated service

Failed requests

Installing the LDAP Server

Five steps are necessary to install the server:• Install the pre-required packages (if not already

installed).• Download the server.• Unpack the software.• Configure the Makefiles.• Build the server.

Downloading the package• There are two free distributed LDAP servers:

University of Michigan LDAP server and Open LDAP server

• It's latest tar gzipped version is available on the following address:

http://www.openldap.org

• If you want to get the latest version of University of Michigan Server, go to this address:

ftp://terminator.rs.itd.umich.edu/ldap

Installation contd.

Unpacking the software

• First copy the package to a desirable directory, for example /usr/local. Next use the following command:

tar xvzf openldap-2.2.5.tgz

• You can use this command too, as well:

gunzip openldap-2.2.5.tgz | tar xvf –

Installation contd.

Configuring the software

• Type the following command on the directory where you unpacked the software:./configure --help

This will print all options that you can customize with the configure script before you build the software.

• Normally if you run configure without options, it will auto-detect the appropriate settings and prepare to build things on the default common location. So just type:./configure

Installation contd.

Building the server

• After configuring the software you can start building it. First build the dependencies, using the command:make depend

• Build the server after that, using the command:make

• To ensure a correct build, you should run the test suitemake test

• Now install the binaries and man pages. You may need to be superuser to do this (depending on where you are installing things): su root -c 'make install'

Installation contd.

Configuration

• All slapd (LDAP directory server) runtime configuration is accomplished through the slapd.conf file, installed in the prefix directory one specifies in the configuration script or by default in /usr/local/etc/openldap

• First create an /etc/openldap/slapd.confg file. You need to change the following linesuffix “dc=mydomain, dc=com”rootdn “cn=admin, dc=mydomain, dc=com”rootpw {crypt}abjnggxhB/yWI

Configuration contd.• The suffix is your “LDAP basename”. Common

practice is to use your DNS domain name as your LDAP basename.

• The rootdn is adminstrator’s name, and rootpw is administrator’s password.

• You also need to change the /etc/ldap.conf and etc/openldap/ldap.conf to change the name of your LDAP server and your basename.

Configuration contd.

Populating your server

The easiest way to populate your LDAP server is that Padl Software which provides a free set of Perl scripts that migrate existing flat files. They are available from www.padl.com/tools.html

Configuration contd.

Setting up a LDAP client

• Edit the LDAP config files (/etc/ldap.conf and etc/openldap/ldap.conf ) to specify the server and your site’s basename.

• You can verify that you are connecting to the LDAP server correctly by running ldapsearch – x, which dumps the entire database.

• Finally, change the appropriate lines in /etc/nsswitch.conf to use the LDAP server as a data source.

USING LDAP

CONNECTING LDAP SERVER

NORMAL LDAP CONNECTION WORKS BY THE PORT 389

AUTHENTICATION METHODS

DATA INTEGRITY AND CONFIDENTIALITY PROTECTION

NETWORK SECURITY

LDAPS

DATA INTEGRITY AND CONFIDENTIALITY PROTECTION

LDAPv3 AND TSL

NETWORK SECURITY

SELECTIVE LISTENING

IP FIREWALL

AUTHENTICATION METHODSSIMPLE AND SASL

TCP WRAPPERS

LDAPS

VERIFICATION

X.509 CERTIFICATES

ALGORITHMS IN OPENSSL

LDAPv3 AND TLS

RFC 2246 DESCRIBES TLS

CLEANED UP AND STANDARDIZED VERSION OF SSL

SWITCHING

DATA INTEGRITY AND CONFIDENTIALITY PROTECTION

SECURITY STRENGHT FACTORS SSF

AUTHENTICATION METHODS

SIMPLE

ANONYMOUS

UNAUTHENTICATED AND

USER/PASWORD AUTHENTICATED

SASL

AN AUTHENTICATION FRAME WORK

SNIFFING

MECHANISMS LIKE CRAM-MD5 AND EXTERNAL

LDAP has broader applications, such as looking up services and devices on the Internet (and intranets). Netscape Communicator can store user

preferences and bookmarks on an LDAP server. There is even a plan for linking all LDAP servers into a worldwide hierarchy, all searchable from

your client.

LDAP promises to save users and administrators time and frustration, making it easy for everyone to connect with people without frustrating

searches for email addresses and other trivia.

Most LDAP servers are simple to install, easily maintained, and easily optimized

The LDAP protocol is both cross-platform and standards-based

LDAP is particularly useful for storing information that you wish to read from many locations, but update infrequently

If the answer to each of the following questions is Yes, then storing your data in LDAP is a good idea.

Would you like your data to be available cross-platform?

Do you need to access this data from a number of computers or applications?

Do the individual records you're storing change a few times

a day or less, on average?

Does it make sense to store this type of data in a flat database instead of a relational database? That is, could

you effectively store all the data for a given item in a single record?