How we implemented an LDAP directory for Laboratories
A Case Study at Hong Kong Institute of Vocational Education (Tsing Yi), Department of ICT
Nick Urbanik
Sydney Linux Users Group (SLUG), Building 2, Level 4, Room 410, UTS Broadway
24 June 2005, 8.20 pm
Copyright Conditions: Open Publication License (see http://www.opencontent.org/openpub/)
SLUG — ver. 1.4

Contents
Getting Started: What do you already know about ldap?; What Do You Want?
Argument for LDAP: Account Information; Network Accounts; Network Accounts — 2; Methods of achieving this; Directory systems for authentication; Proprietary application directories; Problem with proprietary directories; Why not buy Microsoft AD?
LDAP: Why we chose LDAP; ldap — Why?; ldap Terminology; What is ldap?; The ldap Protocol; Simple Search Examples; Multiple Simultaneous Requests; ldap Protocol Operations; Typical ldap Exchange; ldap Encoding: ber
LDAP Operations: ldap Search Operation; Search Scope; The Compare Operation; Add Operation; Delete Operation; Modify dn (Rename) Operation; Modify Operation; Bind Operation
Utilities and LDIF: Command Line Utilities; Common Parameters; ldapsearch; ldap Data Interchange Format ldif; Example ldif; Update Operation in ldif
Schemas: ldap Schemas; Side track on Object IDs; Tree of object IDs; Attributes — Defined in Schema; ldap objectClass — 1; Object Class and Attributes; ldap Object Class Inheritance; ldap Object Class Type; Structural Classes; Entries: Selecting Object Class Types; Rules for ldap Entries; Namespace of attributes; Example objectTypes; Want to support network login; Supporting network login; Authorisation as well as authentication
LDAP Filters & URLs: ldap filters; RFC 2254 — 1; RFC 2254 — 2; Examples of Filters from RFC 2254; More Filter Examples; Escaping Characters in a Filter; Using the command line tool ldapsearch; Output of this ldapsearch without staff; Get All the Results; ldapsearch; ldap URLs: RFC 2255; mod_auth_ldap with Apache; Authenticating web pages—continued
ICT Schema Design: Authorisation of Students and Staff; Other objectTypes for IVE; The whole schema for IVE
Case Study: ICT laboratories: ICT case study; ICT case study — 2
Flat, Hierarchical Structures: Directory Structure — 1; Directory Structure — 2; Hierarchical Directory Structure; New VTC ldap Namespace; Hierarchical Directory Structure; Directory Design Guidelines; Designing a Schema; Designing a Schema: Example
Maintenance: Building the original directory
Problems and solutions: How we started up; Performance Problems; Solutions; The FAM storm problem; Problem with automounter; Problem with shared Gconf data; How the server is now
Samba: Samba gotchas; The Administrator account
Stuff I didn't talk about: Didn't include
References: References; The RFCs; RFC numbers

Ummm, Err, ummm . . . Errrrrr . . . what shall we do?

Slide 3: What do you already know about ldap?
- How many know that a directory is tree shaped?
- How many have worked with a directory before?
- How many know about snmp object ids?
- How many know . . .
- What . . . is the air-speed velocity of an unladen swallow?
  ◦ The European swallow appears to do about 11 m/s
- We don't have time for this!

Slide 4: What Do You Want?
- I could talk for ten hours (actually, I could go on for twenty after a few beers)
  ◦ . . . but we have only an hour
- What topics do you want us to cover here?
  ◦ I think we need to understand the basics of ldap itself: the operations and some simple tools
  ◦ . . . to make sense of other topics, especially programming
  ◦ The basics of the way inheritance works in ldap are important when understanding how to design a schema

Slide 6: Account Information
- The computer uses numbers to refer to users and groups
- Humans prefer to use names (like nicku)
- When you create files in your shared network drive, the client must access them using the same numbers
- The user ID numbers and group ID numbers must be the same on all computers
  ◦ Otherwise you won't be able to read your own files!

Slide 7: Network Accounts
    -rw-rw----  1 500  500  2057 Nov  1  2000 file
- Now nicku with user id number 500 and group id 500 can read and write this file . . .
- But nicku with user id number 2270 and group id number 2270 cannot access the file at all:
    uid=2270(nicku) gid=2270(nicku) groups=2270(nicku),14171(staff)

Slide 8: Network Accounts — 2
- The user id numbers and group id numbers on files on a network drive are fixed
- The user id numbers should remain unchanged for all users who read/write the network drive.
Argument for LDAP: Reasons for ldap and problems with alternatives

Slide 9: Methods of achieving this
- Have a directory server of some kind
- The directory server associates a fixed user id number with each login id
  ◦ . . . and a fixed group id number with each group id
- On nt, these are called sids (security ids)

Slide 10: Directory systems for authentication
- Proprietary:
  ◦ Novell Directory Services (nds)
  ◦ Microsoft Active Directory (ad)
  ◦ nt 4 domain
  ◦ nis+ (Network Information System plus)
  ◦ nis
- Open protocols:
  ◦ ldap
  ◦ Hesiod

Slide 11: Proprietary application directories
- Application-specific directories:
  ◦ Lotus Notes
  ◦ cc:Mail
  ◦ Microsoft Exchange
  ◦ Novell GroupWise
- These directories come bundled with, or embedded into, an application such as email.
- If you add another such application, you must manage one more directory (the "N + 1 directory problem")
- If you add another user, you must add them to all the directories.

Slide 12: Problem with proprietary directories
- You need to put the same user into many different directories
- You need to maintain N times the number of user accounts, where N is the number of directories.
- This is just too much work. The accounts get out of sync.

Slide 13: Why not buy Microsoft AD?
- Microsoft leverage their monopoly on the desktop to "embrace and extend" free software written by others
- Example:
  ◦ Kerberos is a "Network Authentication Service", an ietf standard (see rfc 1510)
  ◦ Kerberos is written by cooperating programmers round the world
  ◦ Microsoft took Kerberos, and modified the protocol very slightly (they classified this change as a "trade secret")
  ◦ So that ms desktops can use ms Kerberos servers, but not non-MS Kerberos servers.
- Although ms claims to support standards, ms solutions are highly proprietary
- Designed to lock the user into an all-ms solution.
- Could be an expensive and insecure mistake.

LDAP

Slide 15: Why we chose LDAP
- Single sign on: King Arthur and his knights support this quest
- The knights who say Ni all concur with a resounding Ni!

Slide 16: ldap — Why?
- Non-proprietary, IETF standard
  ◦ No vendor lock-in
  ◦ Use standard software components
- Supports authorisation as well as authentication
  ◦ E.g., access if "staff, or year 3, group W, CSA student"
- Very general purpose: use for email, system authentication, application authentication, . . .
- Reasonably secure
- Robust
- Extensible
- Good open source implementation available at http://www.OpenLDAP.org/

Slide 17: ldap Terminology
- The ldap model is hierarchical, i.e., tree-structured
- Each object in a directory is an entry
- Each individual item in an entry is an attribute
- Each entry has a unique full name called its distinguished name or dn
- Each entry has a short name that is unique under its parent, called its relative distinguished name, or rdn.
- The organisation of names in the directory is called the namespace
- An important initial task is namespace design

Slide 18: What is ldap?
- The ldap protocol, a standard Internet protocol
- Four models:
  ◦ information model—what you can put in the directory
  ◦ naming model—how directory data is named
  ◦ functional model—what you can do with the data
  ◦ security model—no unauthorised access
- ldap Data Interchange Format (ldif), a standard text format for representing directory data
- ldap server software
- command line utilities (ldapsearch, ldapmodify, . . . )
- ldap api

Slide 19: The ldap Protocol
- ldap is a message-based protocol
  ◦ the client sends one or more requests to the server, one message per request; each message has its own message ID
  ◦ the server replies with one or more replies; each reply has a message id matching that of the request.
  ◦ The client can send several messages at once; results can be out of order, no problem

Slide 20: Simple Search Examples
- Figure: an LDAP client and an LDAP server exchanging three messages: 1. Search operation; 2. Returned entry; 3. Result code. Here a client gets one single entry from the directory.
- Figure: 1. Search operation; 2. First entry returned; 3. Second entry returned; . . . 5. Nth entry returned; 6. Result code. A client gets multiple responses from the directory.

Slide 21: Multiple Simultaneous Requests
- Figure: 1. Search operation, msgid=1; 2. Search operation, msgid=2; 3. Returned entry, msgid=1; 4. Returned entry, msgid=2; 5. Result code, msgid=2; 6. Result code, msgid=1
- A client sends multiple requests to the directory
- Note that each request has its own msgid
- Responses may come out of order (see the last two result codes); that's okay.
  ◦ These details are hidden from the programmer by the sdk (software development kit)

Slide 22: ldap Protocol Operations
- Interrogation operations: search, compare
- Update operations: add, delete, modify, modify DN (rename)
- Authentication and control operations: bind, unbind, abandon
  ◦ The bind operation allows a client to identify itself, sending identity and authentication credentials
  ◦ The unbind operation allows the client to terminate the session
  ◦ The abandon operation allows a client to tell the server it does not need the results of an operation it had requested earlier

Slide 23: Typical ldap Exchange
1. Open connection and bind
2. Result of bind operation
3. Search operation
4. First entry returned
5. Second entry returned
6. Result code for search operation
7. Unbind operation
8. Close connection
- The bind operation provides a distinguished name (dn) and other credentials to authenticate against the directory
- The unbind operation is a request to disconnect

Slide 24: ldap Encoding: ber
- The ldap protocol uses the Basic Encoding Rules, ber, to encode various data types in a platform independent way
- These are the same rules as used in snmp
- Therefore it is not a simple text-based protocol, like http or smtp.

Slide 25: ldap Search Operation
- Used to search for entries and retrieve them
  ◦ This is the only way to read the directory
- Takes eight parameters, including:
  ◦ dn of base object for search — see slide 14
  ◦ search scope — see slide 14
  ◦ search filter — see slide 28
  ◦ list of attributes to return

Slide 26: Search Scope
- Figure: the tree dc=ict,dc=edu,dc=hk with child ou=people drawn three times, showing which entries are covered by search scope = base, search scope = one and search scope = subtree.
- In each case, the search base is ou=People,dc=ict,dc=edu,dc=hk

Slide 27: The Compare Operation
- Not very useful
- I use it for determining if a user belongs to a particular group
- Main difference from search:
  ◦ If you compare on an attribute that does not exist in a particular entry, the server returns a code indicating this
  ◦ If you search for an attribute that does not exist in a particular entry, then you get nothing returned.

Slide 28: Add Operation
- Creates a new entry, given two parameters:
  ◦ dn of the new entry
  ◦ list of attributes and their values to put in the new entry
- Will succeed if and only if:
  ◦ the parent of the new entry exists
  ◦ no entry of the same name exists
  ◦ the new entry matches the requirements of the schemas
  ◦ access control allows the operation

Slide 29: Delete Operation
- Deletes an entry
- Takes the dn of the entry to delete
- Succeeds if:
  ◦ the entry exists
  ◦ the entry has no children
  ◦ access control allows the operation
Slide 30: Modify dn (Rename) Operation
- Used to rename or move an entry from one place in the tree to another
- Has four parameters:
  ◦ Old dn
  ◦ New dn
  ◦ New rdn for the entry
  ◦ optional flag indicating whether to delete the old rdn attribute from the entry
- Succeeds if:
  ◦ the entry exists
  ◦ the new name is not already used
  ◦ access control allows the operation

Slide 31: Modify Operation
- Allows updating an existing entry
- Can add, delete or replace attributes
- Can modify many attributes in one modify operation
- Succeeds if and only if:
  ◦ the entry exists
  ◦ all attribute modifications succeed
  ◦ the resulting entry obeys the schemas
  ◦ access control permits the modification

Slide 32: Bind Operation
- Authenticates the client to the directory
- Three bind types:
  ◦ simple bind, where the client sends a dn and password in clear text to the server; you need to use tls to encrypt the communication in this case
  ◦ sasl bind; sasl = Simple Authentication and Security Layer, a standard protocol-independent way of negotiating and performing authentication
  ◦ anonymous bind, where the client sends no dn and no password
- A client can bind, perform operations, bind again, and perform other operations

Slide 33: Command Line Utilities
- With OpenLDAP, the main utilities (in RH Linux, in the package openldap-clients) are:
  ◦ ldapsearch: query the directory
  ◦ ldapadd: add an entry
  ◦ ldapmodify: perform the modify operation on an entry — see slide 20
  ◦ ldapdelete: delete an entry
  ◦ ldapmodrdn: rename an entry
  ◦ ldapcompare: compare operation
  ◦ ldappasswd: change an ldap password using the LDAPv3 Password Modify (RFC 3062) extended operation
- Each one has a detailed man page

Slide 34: Common Parameters
- All commands use the sasl (Simple Authentication and Security Layer) protocol by default
  ◦ But that won't work in HKIVE Tsing Yi: we use simple authentication here (we send plain text passwords over a link encrypted with Transport Layer Security, i.e., tls or ssl)
- -x: use simple authentication instead of sasl
- Specify the hostname of the server with -h, e.g., -h ldap.vtc.edu.hk
- Specify a dn to bind with using -D (see slide 20)
- Specify a password on the command line with -w password, or prompt for it interactively using -W
  ◦ See slides 20 and 33 for examples

Slide 35: ldapsearch
- Specify the base of the search with -b DN
  ◦ The default can be specified as a line in /etc/openldap/ldap.conf, e.g.,
        BASE dc=tyict,dc=vtc,dc=edu,dc=hk
        HOST ldap.tyict.vtc.edu.hk
- Specify the scope of the search with -s [base|one|sub]
  ◦ The default scope is subtree
- See slide 31 for more examples.

Slide 36: ldap Data Interchange Format ldif
- A standard defined in rfc 2849
- Used to import and export directory data in a standard way
  ◦ A bit like how all spreadsheets understand tab-delimited text files
- Can also specify update operations to directory entries.

Slide 37: Example ldif
    dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
    uid: nicku
    cn: Nick Urbanik
    givenName: Nick
    sn: Urbanik
    mail: nicku@sysadmin.no-ip.com
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    loginShell: /bin/sh
    uidNumber: 1000
    gidNumber: 1000
    homeDirectory: /opt/nicku
    mail: nicku@nickpc.tyict.vtc.edu.hk
    description: Interested in free software
Slide 38: Update Operation in ldif
    dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
    changetype: modify
    replace: mail
    mail: nicku@nicku.org
    -
    add: title
    title: No longer a lecturer in Hong Kong
    -
    add: jpegPhoto
    jpegPhoto:< file:///tmp/penguin.jpg
    -
    delete: description
- Applying this with ldapmodify gives:
    Enter LDAP password:
    modifying entry "uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk"

Slide 39: ldap Schemas
- The directory has a set of rules that determine the allowed objectClasses and attributes
- Called the schemas
- Can be defined in
  ◦ ASN.1, or
  ◦ University of Michigan style, or
  ◦ ldapv3 style
- Each object, and its syntax, are both defined using oids, as in snmp.

Slide 40: Side track on Object IDs
- ldap uses a tree structure of Object IDs (OIDs), the same as snmp, to identify objects and attributes
- Better not to invent your own, to avoid clashing with those used in other schemas
- Apply to the Internet Assigned Numbers Authority for your own enterprise number
  ◦ choose Private Enterprise Numbers (SNMP) from Application Forms
- See ours (11400) at IANA http://www.iana.org/assignments/enterprise-numbers, grep for nicku.

Slide 41: Tree of object IDs
- Figure: the OID tree, drawn here as an indented list
    (root node)
      ccitt (0)
      iso (1)
        standard (0)
        registration-authority (1)
        member-body (2)
        identified-organisation (3)
          dod (6)
            internet (1)
              directory (1)
              mgmnt (2)
                mib-2 (1)
              experimental (3)
              private (4)
                enterprise (1)
                  ibm (2)
                  cisco (9)
                  Dept of Info. & Comms. Tech. HKIVE(TY) (11400)
              security (5)
              snmpV2 (6)
      iso-ccitt (2)

Slide 42: Attributes — Defined in Schema
- For each attribute, the schema defines:
  ◦ Name
  ◦ Description
  ◦ Permitted compare operations
  ◦ Syntax (i.e., data type).
- The ldap server ensures that all added data matches the schema

Slide 43: ldap objectClass — 1
- Each attribute belongs to one or more objectClasses
- objectClasses are defined in schemas
- An objectClass defines what attributes must, or may, be present in an entry
- An objectClass definition includes:
  ◦ Name of the objectClass
  ◦ What superior class this is derived from
  ◦ The type of objectClass: structural, auxiliary or abstract
  ◦ Description
  ◦ List of required attributes
  ◦ List of allowed attributes

Slide 44: Object Class and Attributes
- The entry can use all the attributes allowed in all of its objectClasses.
  ◦ See in slide 25 how ldap attributes differ from attributes in, say, a Java class

Slide 45: ldap Object Class Inheritance
- ldap implements a limited form of object oriented inheritance
- One entry may contain many objectClasses
  ◦ We say, "an entry belongs to many classes"
- Cannot override any schema rules defined in a superior class
- Example: top → person → organizationalPerson → inetOrgPerson
  ◦ In /etc/openldap/schema, core.schema defines person and organizationalPerson; inetorgperson.schema defines inetOrgPerson
- A class derived from another class includes the attributes of its superior class(es)

Slide 47: Structural Classes
- Rule of the ldap standards: if an entry belongs to more than one structural class, they must be related by inheritance
  ◦ OpenLDAP 2.0.x does not implement this restriction, but OpenLDAP 2.1.x and later versions (including 2.2.x) do.
- To get around this, you can either:
  ◦ Implement a new objectClass of type auxiliary that allows the attributes you require—see http://www.openldap.org/faq/data/cache/883.html
  ◦ Implement a new objectClass that inherits from both unrelated structural classes and use that—see http://www.openldap.org/faq/data/cache/807.html
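The LDIF on the Example ldif and Update Operation in ldif slides above can be exercised without a server. The following Python is an added example, not code from the talk or from OpenLDAP: it parses the entry and the changetype: modify record (the entry is shortened, and the modify record carries the "-" separator lines that RFC 2849 requires between changes, which the slide does not show), applies the replace, add and delete changes in memory, and, like the server, applies either all of the changes or none of them. The base64 ("::") and URL (":<") value forms are handled; a URL value is recorded as a reference, never fetched.

```python
"""Parse the LDIF from the "Example ldif" and "Update Operation in ldif"
slides and apply the changetype: modify record in memory.  Added example,
not code from the talk; the LDIF is copied from the slides (shortened, and
with the '-' lines RFC 2849 puts between the changes of a modify record)."""
import base64
from collections import namedtuple

UrlRef = namedtuple("UrlRef", "url")  # a ':<' value: recorded, never fetched

ENTRY_LDIF = """\
dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
uid: nicku
cn: Nick Urbanik
sn: Urbanik
mail: nicku@sysadmin.no-ip.com
objectClass: person
objectClass: inetOrgPerson
objectClass: top
mail: nicku@nickpc.tyict.vtc.edu.hk
description: Interested in free software
"""

MODIFY_LDIF = """\
dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
changetype: modify
replace: mail
mail: nicku@nicku.org
-
add: title
title: No longer a lecturer in Hong Kong
-
add: jpegPhoto
jpegPhoto:< file:///tmp/penguin.jpg
-
delete: description
"""


def parse_line(line):
    """'attr: value' -> (attr, value); '::' is base64, ':<' a URL reference,
    and a bare '-' is the separator between the changes of a modify."""
    if line == "-":
        return ("-", None)
    attr, sep, rest = line.partition(":")
    if not sep or not attr:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if rest.startswith(":"):
        return (attr, base64.b64decode(rest[1:].strip()).decode("utf-8"))
    if rest.startswith("<"):
        return (attr, UrlRef(rest[1:].strip()))
    return (attr, rest.strip())


def parse_records(text):
    """Split LDIF into records, each a list of (attr, value) pairs.  A line
    beginning with a space continues the previous line (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:
        if line.startswith("#"):
            continue
        if line:
            current.append(parse_line(line))
        elif current:
            records.append(current)
            current = []
    return records


def to_entry(record):
    """Record -> dict attr -> [values], preserving value order."""
    entry = {}
    for attr, value in record:
        entry.setdefault(attr, []).append(value)
    return entry


def apply_modify(entry, record):
    """Apply a changetype: modify record to entry.  Like the server, either
    every change is applied or none is: work on a copy, commit at the end."""
    head = dict(p for p in record if p[0] in ("dn", "changetype"))
    if head.get("changetype") != "modify" or entry.get("dn") != [head.get("dn")]:
        raise ValueError("record is not a modify for this entry")
    work, changes = {k: list(v) for k, v in entry.items()}, []
    for attr, value in record:            # group lines into (op, attr, values)
        if attr in ("add", "delete", "replace"):
            changes.append((attr, value, []))
        elif changes and attr == changes[-1][1]:
            changes[-1][2].append(value)
        elif attr not in ("dn", "changetype", "-"):
            raise ValueError(f"unexpected line {attr}: {value!r}")
    for op, attr, values in changes:
        have = work.get(attr, [])
        if op == "add":
            if any(v in have for v in values):
                raise ValueError(f"attributeOrValueExists: {attr}")
            work[attr] = have + values
        elif op == "replace":             # replace with no values removes it
            work[attr] = values
        elif attr not in work:            # delete of a missing attribute
            raise KeyError(f"noSuchAttribute: {attr}")
        else:                             # delete listed values, or all of them
            work[attr] = [v for v in have if v not in values] if values else []
        if not work[attr]:
            del work[attr]
    entry.clear()
    entry.update(work)
    return entry
```

Running the modify a second time fails on the add of title (the value already exists), and because the changes are applied to a copy the entry is left exactly as it was, which is the all-or-nothing behaviour the Modify Operation slide describes.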
Slide 46: ldap Object Class Type
- An objectClass has a type: structural, auxiliary, or abstract
- The default is structural
- Structural is for the fundamental, basic aspects of the object, e.g., person, posixGroup, device.
- Auxiliary classes place no restrictions on where an entry is stored, and are used to add more attributes to structural classes.
- Abstract classes are not usually created by users; the classes top and alias are abstract.

Slide 48: Entries: Selecting Object Class Types
- Entries contain one or more objectClasses
- Choose the attributes you need
- Select the objectClasses that provide these attributes
- Add the objectClasses to your entry.

Slide 49: Rules for ldap Entries
- Each entry must be a member of the objectClass top
- Each entry must be a member of the objectClass that provides its attributes
- Exactly one objectClass should be structural, the rest auxiliary (or abstract)
  ◦ An entry may belong to more than one structural class if all the structural classes are related by inheritance

Slide 50: Namespace of attributes
- There is only one namespace for attributes
- The definition of the attribute cn (common name) is the same for all objectClasses that support the cn attribute.

Slide 51: Example objectTypes
- Here is the definition for person from core.schema:
    objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
        MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
- This says a person entry must contain:
  ◦ a surname (sn) and
  ◦ a common name (cn),
  and may contain a userPassword, a telephoneNumber, a description, and a reference to another ldap entry (seeAlso).

Slide 52: Want to support network login
- Does the objectClass person provide what is needed for network login?
- For network accounts, we need to replace (at minimum):
  ◦ /etc/passwd
  ◦ /etc/shadow
  ◦ /etc/group
- So in addition to the attributes of person, we need:
  ◦ User id name (login name)
  ◦ User id number
  ◦ Primary group id number
  ◦ Gecos information (fifth field of /etc/passwd)
  ◦ Home directory
  ◦ Login shell
- Also the password aging information from /etc/shadow

Slide 53: Supporting network login
- Use the existing objectClass posixAccount:
    objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
        DESC 'Abstraction of an account with POSIX attributes'
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )
- Provides the fields from /etc/passwd

Slide 54: Authorisation as well as authentication
- Suppose you have an online web-based quiz, and want only staff, or year 3, group W, CSA students, to be allowed to log in.
- For this to work, each person entry has attributes including:
  ◦ Course, e.g., 41300
  ◦ classCode, e.g., W
  ◦ Year, e.g., 3
  ◦ acType, e.g., STU or STF

Slide 56: RFC 2254 — 1
- Find this in /usr/share/doc/openldap-devel-2.2.23/rfc/rfc2254.txt
    filter     = "(" filtercomp ")"
    filtercomp = and / or / not / item
    and        = "&" filterlist
    or         = "|" filterlist
    not        = "!" filter
    filterlist = 1*filter
    item       = simple / present / substring
    simple     = attr filtertype value
    filtertype = equal / approx / greater / less
    equal      = "="
    approx     = "~="
    greater    = ">="
    less       = "<="
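To see how a server enforces the rules on the Rules for ldap Entries and Structural Classes slides, here is an added Python example (not code from the talk or from OpenLDAP). It parses objectclass definitions written in the syntax of the person and posixAccount definitions above and checks an entry against them the way the server does before an add or modify. The person, posixAccount and institute definitions are the ones on the slides; top, device and a shortened organizationalPerson are written from memory of RFC 2256 and core.schema; the two entries are constructed.

```python
"""Parse objectclass definitions in the schema syntax shown on the "Example
objectTypes" and "Supporting network login" slides and check an entry against
them, as the server does before an add or modify.  Added example, not code
from the talk.  person, posixAccount and institute are the definitions on the
slides; top, device and a shortened organizationalPerson are written from
memory of RFC 2256 / core.schema; the two entries are constructed."""
import re
from itertools import combinations

SCHEMA_TEXT = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )
objectclass ( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclass ( 1.3.6.1.4.1.11400.2.2.1 NAME 'institute' SUP top AUXILIARY DESC 'Any person in the institute, staff or student' MAY ( acOwner $ acType $ answer1 $ answer2 $ answer3 $ batchUpdateFlag $ department $ site $ instituteEmail ) )
"""

TOKEN = re.compile(r"'[^']*'|[()$]|[^\s()$']+")


def parse_objectclass(text):
    """One definition -> dict(oid, name, sup, kind, must, may[, desc])."""
    toks = TOKEN.findall(text)
    if toks[0].lower() != "objectclass" or toks[1] != "(" or toks[-1] != ")":
        raise ValueError("not an objectclass definition")
    toks = toks[2:-1]
    oc = {"oid": toks[0], "name": None, "sup": [], "kind": "STRUCTURAL", "must": [], "may": []}
    i = 1

    def read_list():  # a single word, or ( a $ b $ c )
        nonlocal i
        if toks[i] == "(":
            end = toks.index(")", i)
            items, i = [t for t in toks[i + 1:end] if t != "$"], end + 1
        else:
            items, i = [toks[i]], i + 1
        return [t.strip("'") for t in items]

    while i < len(toks):
        key = toks[i].upper()
        i += 1
        if key == "NAME":
            oc["name"] = read_list()[0]
        elif key == "DESC":
            oc["desc"], i = toks[i].strip("'"), i + 1
        elif key == "SUP":
            oc["sup"] = read_list()
        elif key in ("STRUCTURAL", "AUXILIARY", "ABSTRACT"):
            oc["kind"] = key
        elif key in ("MUST", "MAY"):
            oc[key.lower()] = read_list()
        elif key != "OBSOLETE":
            raise ValueError(f"unknown keyword {key}")
    return oc


def load_schema(text):
    lines = [line for line in text.splitlines() if line.strip()]
    return {oc["name"]: oc for oc in map(parse_objectclass, lines)}


def ancestry(schema, name):
    """name and every superior class, transitively (the inheritance chain)."""
    seen, todo = [], [name]
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.append(n)
            todo.extend(schema[n]["sup"])
    return seen


def check_entry(schema, entry):
    """Return the schema violations of entry (dict attr -> [values]); an empty
    list means the server would accept it.  Rules from the talk: member of
    top, structural classes related by inheritance, every MUST attribute
    present, no attribute outside the classes' MUST and MAY lists."""
    classes = entry.get("objectClass", [])
    if any(c not in schema for c in classes):
        return [f"unknown objectClass {c}" for c in classes if c not in schema]
    chains = {c: ancestry(schema, c) for c in classes}
    problems = []
    if not any("top" in chain for chain in chains.values()):
        problems.append("entry is not a member of top")
    structural = [c for c in classes if schema[c]["kind"] == "STRUCTURAL"]
    if not structural:
        problems.append("entry has no structural objectClass")
    for a, b in combinations(structural, 2):
        if a not in chains[b] and b not in chains[a]:
            problems.append(f"structural classes {a} and {b} are not related by inheritance")
    must = {x.lower() for c in classes for anc in chains[c] for x in schema[anc]["must"]}
    may = {x.lower() for c in classes for anc in chains[c] for x in schema[anc]["may"]}
    present = {a.lower() for a in entry if a != "dn"}
    problems += [f"missing required attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by the entry's objectClasses"
                 for a in sorted(present - must - may)]
    return problems


# Constructed entries: a valid account, then one that breaks three rules.
GOOD = {
    "dn": ["uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk"],
    "objectClass": ["top", "person", "organizationalPerson", "posixAccount", "institute"],
    "uid": ["nicku"], "cn": ["Nick Urbanik"], "sn": ["Urbanik"], "title": ["Lecturer"],
    "uidNumber": ["1000"], "gidNumber": ["1000"], "homeDirectory": ["/opt/nicku"],
    "loginShell": ["/bin/sh"], "acType": ["STF"],
}
BAD = {
    "dn": ["uid=bad,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk"],
    "objectClass": ["top", "person", "device", "posixAccount"],  # unrelated structural pair
    "uid": ["bad"], "cn": ["Bad Entry"], "sn": ["Entry"], "uidNumber": ["1001"],
    "gidNumber": ["1001"], "acType": ["STU"],  # no homeDirectory; acType needs institute
}
```

The person and organizationalPerson pair passes because one inherits from the other; person and device fail, which is the case the Structural Classes slide says OpenLDAP 2.1 and later reject and for which it suggests an auxiliary class instead.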
Slide 55: ldap filters
- ldap provides a standard method for selecting authenticated users who match authorisation criteria
- The filter to select staff, or students in year 3, CSA, group W, is:
    (|(acType=STF)(&(year=3)(course=41300)(classcode=W)))
  (This line is wrapped to fit on the slide, but is normally given on one line)
- All filters are enclosed in parentheses
- Filters can be combined with OR '|' and AND '&'

Slide 57: RFC 2254 — 2
    present    = attr "=*"
    substring  = attr "=" [initial] any [final]
    initial    = value
    any        = "*" *(value "*")
    final      = value
    attr       = AttributeDescription from Section 4.1.5 of [1]
    value      = AttributeValue from Section 4.1.6 of [1]
- [1] is rfc 2251. The grammar notation is defined in rfc 822

Slide 58: Examples of Filters from RFC 2254
- Return all entries in the scope of the search with attribute cn having the value "Babs Jensen":
    (cn=Babs Jensen)
- Return all entries in the scope of the search which do not have the attribute cn with the value "Tim Howes":
    (!(cn=Tim Howes))
- Return all entries in the scope of the search which have the attribute
    (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
- Return all entries having an attribute o (i.e., organisation) which contains the strings univ, of, mich with zero or more of any characters between, and with any number of any characters at the end:
    (o=univ*of*mich*)

Slide 59: More Filter Examples
- Note that a filter such as (age>21) is not allowed. Use (!(age<=21)) instead. Similarly, instead of (age<21), use (!(age>=21)).
- Search for all students in group X, year 3, csa course, who enrolled this year:
    (&(year=3)(course=41300)(classcode=W)(registrationDate=*-03))
- Note that there is a substring match on registrationDate here. A substring match is like a wildcard in filename matching.

Slide 60: Escaping Characters in a Filter
    Character               Escaped form
    * (asterisk)            \2A
    ( (left parenthesis)    \28
    ) (right parenthesis)   \29
    \ (backslash)           \5C
    NUL (the null byte)     \00

Slide 61: Using the command line tool ldapsearch
- The result is a list of all the DNs that match the filter, with the students' and staff names.
- You can filter out the DNs and blank lines by piping the command through grep ' cn:' | sort

Slide 62: Output of this ldapsearch without staff
    cn: CHAN Kwok Kam
    cn: CHEUK Suk Lai
    cn: CHUNG Ming Kit
    cn: LAI Man Chiu
    cn: LAM Lai Hang
    cn: LAU Siu Ying
    cn: LAW Yuk Woon
    cn: LI Kim Wah
    cn: LI Siu Kai
    cn: LI Yuet Cheung
    cn: MA Hei Man
    cn: MO Hoi Yu
    cn: POON Chun Chung
    cn: TAM Kin Fai
    cn: TSO Yee Yee
    cn: WONG Chi Man
    cn: WONG Hoi Shan
    cn: WONG Siu Fai
    cn: WOO Kin Fan

Slide 63: Get All the Results
- The sorted output, staff and students together: Andy LAI, CHAN CHIN PANG, CHAN Kwok Kam, CHAN KWOK KEUNG, CHAN SHIU CHUAN, CHAN TAI HING, CHAN TAI MING R, Charles Wu, CHEUK Suk Lai, CHEUNG KAM HOI, CHEUNG SAI MING, CHIK FUNG YING, CHIU SUET FAN J, Chou Siu Chuen, CHUNG Ming Kit, CHU SHING TSU J, Clarence Lau, Clarence Lo, C M Ho, Curtis H.K. Tsa, Esther YUEN, Eva Chung, FONG CHI KIT, Henry Leung, HO CHUN WAH, HO KIM MAN ALBE, Josephine Wan, Karl Leung, Ken LI, Kit K. KO, LAI HING BIU, LAI Man Chiu, LAM Lai Hang, LAU KWOK ON, LAU Siu Ying, LAW Yuk Woon, LEE HUNG KIN, LEE KOON HUNG, LEUNG KAM SHEK, LI Kim Wah, LI Siu Kai, LI Yuet Cheung, MA Hei Man, MA SUI WAH, MICHAEL LEUNG, MO Hoi Yu, MONTAGUE NIGEL, NG HOI KOW, NG SZE CHIU EDD, Nick Urbanik, PATRICK K.S. TO, POON Chun Chung, Rick Liu, SCOTT ALBERT HE, SIU CHONG PUI, SIU WAI CHEUNG, Stella Chu, TAM CHI HO, TAM Kin Fai, TSANG KWOK TUNG, TSO Yee Yee, WONG Chi Man, WONG Hoi Shan, WONG Siu Fai, WONG WAI YIP FR, Wong Y.L. Lawre, WOO HUNG CHEUNG, WOO Kin Fan, YIM KWOK HO, Y.K. Leung

Slide 64: ldapsearch
- Needs the -x option to work here
- Check that ssl works with the -ZZ option
- You can "bind" as a user to get all the info you are allowed to see after binding
- You can then see your own passwords

Slide 65: ldap URLs: RFC 2255
- Have the form: ldap://host:port/base?attr?scope?filter
    ldapurl = "ldap://" [hostport] ["/" [dn ["?" [attributes] ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
- The base or dn is the distinguished name of the starting entry for your search.
- scope is one of base, one or sub
- Example:
    ldap://ictlab/ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk?uid?one?(uid=nicku)

Slide 67: Authenticating web pages—continued
- Unfortunately, mod_auth_ldap disappeared from Red Hat 8.0 and 9, to reappear in Fedora Core but not RHEL 3, where another module was provided that did not work the same.
- I ended up modifying Apache::AuthNetLDAP (available with my changes from cpan)
- I used that on our servers in the department.
  ◦ . . . a more portable method of authentication, provided we are using mod_perl
- I haven't tried it with the final mod_perl version 2 on FC4 yet.
1.4   with Apache ICT Schema Design Authorisation of Students and Staff We need a new schema to support the required attributes We create three new objectClasses and associated attributes: The first is common to students and staff: objectclass ( 1.3.6.1.4.1.11400.2.2.1 NAME ’institute’ SUP top AUXILIARY DESC ’Any person in the institute, staff or student’ MAY ( acOwner $ acType $ answer1 $ answer2 $ answer3 $ batchUpdateFlag $ department $ site $ instituteEmail ) ) and also ‡† ‡ ˆ…† ÆÇ È É ” mod auth ldap is part of the httpd rpm package on Fedora Core versions 1 to 4. Here we allow staff or students from group W, year 3 csa to access the web pages under http://hostname/group-w/ if the user provides a correct password: AuthType Basic AuthName "\LDAP authentication to class W only" AuthLDAPURL ldap://ldap.tyict.vtc.edu.hk/ ou=People,dc=tyict,dc=vtc, dc=edu,dc=hk?uid?one?(|(acType=STF)(&(course=41300) (classCode=W)(year=3))) require valid-user     ‰   See http://httpd.apache.org/docs-2.0/mod/mod auth ldap.html , http://httpd.apache.org/docs- 2.0/mod/mod ldap.html for manual.           SLUG — ver. 1.4 LDAP at HKIVE(TY) — slide #66       See slides 21–21 for more about the funny numbers. LDAP at HKIVE(TY) — slide #69 SLUG — ver. 1.4 Other objectTypes for IVE Then on top of this, we have attributes for students: objectclass ( 1.3.6.1.4.1.11400.2.2.2 NAME ’student’ SUP top AUXILIARY DESC ’A student in the institute’ MAY ( academicYear $ award $ classCode $ course $ courseDuration $ FinalYear $ registrationDate $year $ fullPartTime ) ) Case Study: ICT laboratories Old system: An ancient dec Alpha running nis Hardware insufficient for demand Very expensive maintenance, stopped paying Technician reported a hardware failure close to first day of term New system: We were planning to introduce ldap authentication gradually Failure required planning move faster Needed to maintain old legacy accounts, plus introduce new accounts LDAP at HKIVE(TY) — slide #72   . . . 
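The escaping rules from the filter slides and the URL grammar from the ldap URLs slide, worked through in code. This is an added example, not code from the original slides; the function names are its own, and accepting ldaps:// as well as ldap:// is an assumption it makes (RFC 2255 defines only the ldap scheme). The filters and URLs it exercises are the ones shown on the slides, including the AuthLDAPURL from the Apache configuration:

```python
"""RFC 2254 filter escaping and a minimal RFC 2255 LDAP URL parser.

Added example, not code from the original slides.  Function names are this
example's own; the attribute names and URLs are the ones on the slides.
"""
import re
from urllib.parse import unquote

# RFC 2254 section 4: inside an assertion value these must be written as a
# backslash and two hex digits, so they match literally instead of changing
# the structure of the filter.  Upper- or lower-case hex is accepted.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value (the right-hand side of attr=value)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(uid):
    """Login lookup; uid comes from the user, so it is escaped."""
    return "(uid=%s)" % escape_filter_value(uid)


def naive_user_filter(uid):
    """Same lookup without escaping: '*' matches every entry, ')(' adds clauses."""
    return "(uid=%s)" % uid


def greater_than(attr, value):
    """RFC 2254 has no '>' or '<': (attr>value) is written (!(attr<=value))."""
    return "(!(%s<=%s))" % (attr, escape_filter_value(value))


def class_filter(course, class_code, year):
    """The staff-or-class filter from the slides, with its variable parts escaped."""
    return "(|(acType=STF)(&(course=%s)(classCode=%s)(year=%s)))" % tuple(
        escape_filter_value(v) for v in (course, class_code, year))


def count_filter_items(filt):
    """Number of (attr=value) items, after checking the parentheses balance.
    A value under the user's control must never be able to add items."""
    depth = 0
    for ch in filt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            raise ValueError("unbalanced parentheses: %r" % filt)
    if depth != 0:
        raise ValueError("unbalanced parentheses: %r" % filt)
    # an item is '(' followed by an attribute name rather than & | or !
    return len(re.findall(r"\([^()&|!]", filt))


_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}   # ldaps is this example's extension


def parse_ldap_url(url):
    """Split an LDAP URL into its RFC 2255 components:
        ldapurl = scheme "://" [hostport] ["/" [dn ["?" [attributes]
                  ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
    Components are split on '?' before percent-decoding, because a literal
    '?' inside a component must be encoded as %3F."""
    m = re.match(r"^(ldaps?)://([^/?]*)(?:/(.*))?$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, hostport, rest = m.groups()
    host, _sep, port = hostport.partition(":")
    fields = (rest or "").split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    if scope not in ("", "base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else _DEFAULT_PORT[scheme],
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],  # [] means all user attributes
        "scope": scope or "base",                 # RFC 2255 default
        "filter": filt or "(objectClass=*)",      # RFC 2255 default
        "extensions": [e for e in exts.split(",") if e],
    }


if __name__ == "__main__":
    hostile = "*)(uid=*"
    print("naive  :", naive_user_filter(hostile), count_filter_items(naive_user_filter(hostile)), "items")
    print("escaped:", user_filter(hostile), count_filter_items(user_filter(hostile)), "item")
    print(class_filter("41300", "W", "3"), greater_than("age", "21"))
    url = "ldap://ictlab/ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk?uid?one?(uid=nicku)"
    for key, val in parse_ldap_url(url).items():
        print("%-11s %s" % (key, val))
```

The hostile uid `*)(uid=*` turns the naive filter into two items matching every entry; escaped, it becomes a single item that can only match an account literally named `*)(uid=*`. The same escaping applies to any value dropped into an AuthLDAPURL or a URL's filter component.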
and staff:

    objectclass ( 1.3.6.1.4.1.11400.2.2.3 NAME 'staff'
        SUP top AUXILIARY
        DESC 'A staff member of the institute.'
        MAY ( titleDes $ employerID ) )

The whole schema for IVE

The whole schema can be seen at http://ictlab.tyict.vtc.edu.hk/oids/institute.schema (if the planets are aligned, this local link will work).

ICT case study

- We chose OpenLDAP on Linux
- Running on an Acer Altos dual-CPU Pentium III
- Migrated from NIS using the migration scripts provided with OpenLD AP
- Migrated from the VTC LDAP accounts using a Perl program, written (quickly!) for the purpose, which uses the Net::LDAP Perl modules

ICT case study — 2

After migrating the legacy accounts and creating new accounts for staff and for full- and part-time students, we had more than 5000 accounts. The LDAP server was running under a high CPU load. We were able to solve this using caching:
- Use nscd (the name service caching daemon) on the clients
- Use memory in the server to increase the local cache size drastically
The CPU load was reduced to a very acceptable level.

Directory Structure — 1

The ICT ldap server namespace design:

    dc=tyict,dc=vtc,dc=edu,dc=hk
    |-- ou=people
    |   |-- uid=albertho
    |   |-- ...
    |   `-- uid=nicku
    |-- ou=group
    |   |-- cn=staff
    |   |-- ...
    |   `-- cn=students
    `-- ou=devices
        |-- cn=ictlab
        |-- ...
        `-- cn=printer7

Directory Structure — 2

We chose a fairly flat directory structure, as recommended by the reference (pages 239, 249). Reason: flexibility; it allows for change without major reorganisation of data.

Hierarchical Directory Structure

This is an alternative data arrangement, dividing the directory by campus and then by department:

    dc=tyict,dc=vtc,dc=edu,dc=hk
    |-- ou=TY
    |   |-- ou=ICT
    |   |   |-- cn=people    (uid=albertho ... uid=nicku)
    |   |   |-- cn=group     (cn=staff ... cn=students)
    |   |   `-- cn=devices   (cn=ictlab ... cn=printer7)
    |   |-- ou=ENG
    |   `-- ...
    |-- ou=MH
    |   |-- ou=ICT
    |   |-- ou=ENG
    |   `-- ...
    `-- ou=TM
        |-- ou=ICT
        |-- ou=ENG
        `-- ...

Advantage: management can easily be delegated to the local campus. But: suppose ENG changes to EE? Suppose staff move from one department to another? Suppose equipment is transferred? Then not only must the attributes in the entry change, the entry itself must be moved, because the department is part of its DN. Overall, a flatter structure is easier to manage.

New VTC ldap Namespace

This new VTC ldap namespace was introduced in April 2003:

    dc=vtc.edu.hk
    |-- o=ftstudents
    |   |-- ou=TY
    |   |   |-- ou=ICT
    |   |   |-- ou=ENG
    |   |   `-- ...
    |   |-- ou=MH  (ou=ICT, ou=ENG, ...)
    |   `-- ou=TM  (ou=ICT, ou=ENG, ...)
    |-- o=staff
    |   |-- ou=TY  (ou=ICT, ou=ENG, ...)
    |   `-- ...
    `-- o=ptstudents
        |-- ou=TY  (ou=ICT, ou=ENG, ...)
        `-- ...

with the account entries as leaves under the department ous: uid=nicku, uid=albertho, uid=000123456, uid=922123412, uid=022121232, uid=000123123, ...

Designing a Schema

After selecting the schema attributes needed for your application, you may find that not all of them are available with the server:
- Search the web for more schemas
- If none provide all you need:
  - Select a suitable structural base class
  - Create an auxiliary class to be used with the base class
  - Define the objectClass and its attributes
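What the ENG to EE rename raised on the Hierarchical Directory Structure slide costs under each design, expressed as LDIF change records. This is an added example and not code from the original slides: the sample accounts are constructed, the objectClass given to the cn=people containers is an assumption (the slide does not say which one they use), and it assumes, as is usually the case, that the server refuses to rename a non-leaf entry, so the people under ou=ENG have to be moved one at a time.

```python
"""LDIF change records for a department rename under the flat design versus
the campus/department hierarchy.  Added example, not code from the slides;
accounts are constructed, the suffix and names come from the slides."""

SUFFIX = "dc=tyict,dc=vtc,dc=edu,dc=hk"

# Constructed sample accounts: (uid, campus, department)
PEOPLE = [
    ("nicku", "TY", "ICT"),
    ("albertho", "TY", "ICT"),
    ("s001", "TY", "ENG"),
    ("s002", "TY", "ENG"),
    ("s003", "MH", "ENG"),
    ("s004", "TM", "ICT"),
]


def flat_dn(uid):
    """Flat design: the department is only an attribute of the entry."""
    return "uid=%s,ou=people,%s" % (uid, SUFFIX)


def hier_container(campus, dept):
    """Hierarchical design: the department is in the DN of everything below it."""
    return "cn=people,ou=%s,ou=%s,%s" % (dept, campus, SUFFIX)


def rename_flat(people, old, new):
    """One modify per affected person and no DN changes at all."""
    return [
        "dn: %s\nchangetype: modify\nreplace: department\ndepartment: %s\n"
        % (flat_dn(uid), new)
        for uid, _campus, dept in people if dept == old
    ]


def rename_hierarchical(people, old, new):
    """Add the new containers, move each person with modrdn, then delete the
    old containers, children before parents.  Assumes the server will not
    rename a non-leaf entry, so ou=ENG cannot simply be renamed in place."""
    campuses = sorted({campus for _uid, campus, dept in people if dept == old})
    records = []
    for campus in campuses:
        records.append(
            "dn: ou=%s,ou=%s,%s\nchangetype: add\nobjectClass: organizationalUnit\nou: %s\n"
            % (new, campus, SUFFIX, new))
        # organizationalRole for cn=people is this example's assumption
        records.append(
            "dn: %s\nchangetype: add\nobjectClass: organizationalRole\ncn: people\n"
            % hier_container(campus, new))
    for uid, campus, dept in people:
        if dept == old:
            records.append(
                "dn: uid=%s,%s\nchangetype: modrdn\nnewrdn: uid=%s\ndeleteoldrdn: 0\n"
                "newsuperior: %s\n"
                % (uid, hier_container(campus, old), uid, hier_container(campus, new)))
    for campus in campuses:
        records.append("dn: %s\nchangetype: delete\n" % hier_container(campus, old))
        records.append("dn: ou=%s,ou=%s,%s\nchangetype: delete\n" % (old, campus, SUFFIX))
    return records


def count_by_changetype(records):
    """How many records of each changetype an LDIF change set contains."""
    counts = {}
    for rec in records:
        changetype = rec.split("changetype: ", 1)[1].split("\n", 1)[0]
        counts[changetype] = counts.get(changetype, 0) + 1
    return counts


if __name__ == "__main__":
    for name, rename in (("flat", rename_flat), ("hierarchical", rename_hierarchical)):
        recs = rename(PEOPLE, "ENG", "EE")
        print("%s: %s" % (name, count_by_changetype(recs)))
        print("\n".join(recs))
```

Under the flat design the rename is three attribute replacements and no DN changes; under the hierarchy it is eleven records, three of them modrdn, and every place that stores the old DNs (group member attributes, ACLs, application configuration) has to be updated as well. posixGroup memberUid values are unaffected either way, because they hold uids rather than DNs.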
Directory Design Guidelines

Design as flat as possible, given the constraints:
- Replication
- Access control
- Limitations of the directory software
- Requirements of the applications that use the directory

Designing a Schema: Example

For our ICT ldap server, we use enough attributes to be able to log in. But we also want to select users on the basis of course, year and class, so we want to add these attributes to the existing objectClasses. We create three object classes: institute, student and staff.

Maintenance

Building the original directory

I built the original directory from the old failing NIS data, using some modified PADL import scripts. Then I quickly wrote a nasty Perl script that reads the ldap data from the VTC directory server and builds POSIX accounts from that data. The nasty Perl script stuck around, and we used it ever since. I extended it to read the student enrolment data directly; this was only available in "unparseable" PDF files with about 7–10 students per A3 page! Henry now uses the Perl programs written by Gerald Carter that come with Samba.

Problems and solutions

How we started up

The original machine was an Acer Altos Pentium III with 256 MB of RAM, running Red Hat 7.1 and OpenLDAP 2.0.x. It was providing:
- Home directories by NFS
- Web service to the Internet
- telnet :-( and ssh login for students to do their programming assignments on
- ... and now ldap accounts for all our students (there were 5000 accounts)

Performance Problems

- CPU load would get very high when assignments were left running with tight, infinite loops (a load average of 10 or so).
- CPU load would get very high when classes logged in (a load average of about 4–6).
- Occasionally the CPU would go up to 10 and stay there solidly for a while, and the load would be all from slapd.

Solutions

OpenLDAP came with tiny default values for memory and disk caching. These needed to be increased to a much higher level. In /etc/openldap/slapd.conf:

    cachesize   100000
    dbcachesize 25600000
    timelimit   60

(cachesize is the number of entries slapd keeps in its own cache; dbcachesize is the ldbm backend's database cache, in bytes. The bdb backend that later replaced ldbm takes its cache size from set_cachesize in the database directory's DB_CONFIG file instead.)

- Index for all the common searches your system will do:
  - Enable logging of all search filters
  - Index almost every attribute you see being searched for
- Enable caching on the clients: turn on the Name Service Caching Daemon (nscd)
- Add RAM to the directory server (we added up to a total of 1 GB)
- We didn't do this, but obviously: use replication to two or more ldap servers, one master and the others slaves, with round-robin DNS to select the directory server.

The FAM storm problem

An amazing problem occurred when older Red Hat (about 7.2) client machines were booted: the fam daemon (file alteration monitor) on the client would be involved in causing a storm of ldap requests that would drive the CPU usage of the server to stratospheric limits.
- Used cricket (http://cricket.sourceforge.net/) to monitor CPU and network usage on the server. See my notes on cricket, SNMP, SNMP version 3 and all my free network management notes at http://nicku.org/snm/
- Wrote a Perl program to watch the ldap logs and send me an email if there were any problems.
- Upgraded clients to a later version of Red Hat, or turned off the fam service.

Problem with shared GConf data

When people log in twice, both times using GNOME, things go horribly weird. From memory: the panel does not work properly, and clicking on some things doesn't work. The problem appears to be that the same GConf data is shared out over NFS, and there is a file lock to ensure exclusive access. I haven't found a workaround except KDE or something else that does not use GConf. I'd be very grateful for ideas here.
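The "log all search filters, then index whatever you see being searched for" advice, together with the log-watching the FAM storm called for, worked through in code. This is an added example, not the author's Perl program nor any other code from the slides. The log lines are constructed for the example in the stats format (loglevel 256) that slapd 2.1/2.2 writes, using the slides' suffix and attribute names; the burst of searches from 192.168.1.99 is made up to stand in for a FAM-storm client.

```python
"""Tally slapd stats-log search filters to decide what to index, and flag
clients sending an abnormal number of searches.  Added example, not code
from the slides; SAMPLE_LOG is constructed in slapd's loglevel 256 format."""
import re
import sys
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 09:12:01 ictlab slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.168.1.50:40001 (IP=0.0.0.0:389)
Mar  3 09:12:01 ictlab slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Mar  3 09:12:01 ictlab slapd[1234]: conn=1001 op=1 SRCH base="ou=people,dc=tyict,dc=vtc,dc=edu,dc=hk" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=nicku))"
Mar  3 09:12:01 ictlab slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  3 09:12:02 ictlab slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.168.1.77:51200 (IP=0.0.0.0:389)
Mar  3 09:12:02 ictlab slapd[1234]: conn=1002 op=1 SRCH base="ou=people,dc=tyict,dc=vtc,dc=edu,dc=hk" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=5001))"
Mar  3 09:12:02 ictlab slapd[1234]: conn=1002 op=2 SRCH base="ou=group,dc=tyict,dc=vtc,dc=edu,dc=hk" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=nicku))"
Mar  3 09:12:02 ictlab slapd[1234]: conn=1002 op=3 SRCH base="ou=people,dc=tyict,dc=vtc,dc=edu,dc=hk" scope=2 deref=0 filter="(&(year=3)(course=41300)(classCode=W)(registrationDate=*-03))"
Mar  3 09:12:03 ictlab slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.168.1.99:33000 (IP=0.0.0.0:389)
"""
# A FAM-style burst (constructed): one client repeating the same few lookups.
SAMPLE_LOG += "".join(
    'Mar  3 09:12:03 ictlab slapd[1234]: conn=1003 op=%d SRCH base="ou=people,%s" '
    'scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=%d))"\n'
    % (i, "dc=tyict,dc=vtc,dc=edu,dc=hk", 5000 + i % 3)
    for i in range(1, 41))

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="[^"]*" scope=\d deref=\d filter="([^"]*)"')
# one filter item: attribute name, matching operator, assertion value
ITEM_RE = re.compile(r"\(([A-Za-z][\w;.-]*)(~=|>=|<=|=)([^()]*)\)")


def parse_searches(log_text):
    """Yield (client_ip, filter) for each SRCH line, mapping conn numbers to
    client addresses through the ACCEPT lines."""
    conn_ip = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            yield conn_ip.get(m.group(1), "?"), m.group(2)


def index_type(op, value):
    """slapd.conf index type that serves this filter item, or None."""
    if op == "~=":
        return "approx"
    if op in (">=", "<="):
        return None            # slapd 2.x has no index type for ordering matches
    if value == "*":
        return "pres"
    if "*" in value:
        return "sub"
    return "eq"


def attribute_usage(log_text):
    """Per attribute: how often it is searched on and which index types help."""
    counts = Counter()
    types = defaultdict(set)
    for _ip, filt in parse_searches(log_text):
        for attr, op, value in ITEM_RE.findall(filt):
            counts[attr] += 1
            idx = index_type(op, value)
            if idx:
                types[attr].add(idx)
    return counts, types


def suggest_indexes(log_text):
    """slapd.conf 'index' lines covering every attribute seen in a filter."""
    _counts, types = attribute_usage(log_text)
    return ["index %s %s" % (attr, ",".join(sorted(types[attr])))
            for attr in sorted(types)]


def busy_clients(log_text, threshold):
    """Clients with more searches than threshold: the FAM-storm symptom."""
    per_ip = Counter(ip for ip, _filt in parse_searches(log_text))
    return {ip: n for ip, n in per_ip.items() if n > threshold}


if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts, _types = attribute_usage(log)
    for attr, n in counts.most_common():
        print("%6d  %s" % (n, attr))
    print("\n".join(suggest_indexes(log)))
    for ip, n in busy_clients(log, 10).items():
        print("busy client %s: %d searches" % (ip, n))
```

Run it against a real log as the argument to get the attribute tallies, the index lines for slapd.conf and any client above the threshold. After adding index lines, run slapindex with slapd stopped: indices are not built for entries already in the database otherwise.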
Problem with automounter

We used the automounter to mount home directories when people log in. The automounter uses LDAP version 2, and OpenLDAP 2.x.y, where x > 0, defaults to version 3 only. We needed to enable LDAP version 2 in /etc/openldap/slapd.conf with:

    allow bind_v2 bind_anon_dn

(bind_v2 re-enables the obsolete protocol version 2; bind_anon_dn accepts an unauthenticated bind that supplies a DN but no password and treats it as anonymous. Both widen what the server accepts, so enable only what the client actually needs.)

How the server is now

It is now running nicely on a single P4 system that my friend Henry built, running a RHEL 3 clone (actually, the Department paid for a RHEL licence, but perhaps never got around to using it). Just before I left, I tendered for an Adaptec hardware cluster system suitable for running the Red Hat cluster manager; my friend Henry has been too busy to get it up and running. Besides, the old P4 system works well. Students do not log into the server very often any more. Better to ban this completely right from the start! If I started from scratch again, I would use a shorter DN suffix: dc=tyict,dc=vtc,dc=edu,dc=hk simply adds unnecessary bulk to the directory storage on disk. I would have used o=ICT. At home I use dc=nicku,dc=org, which is not too much to type.

Samba gotchas

Refer to the latest version of Samba-3 by Example: Practical Exercises in Successful Samba Deployment, http://samba.mirror.aarnet.edu.au/samba/docs/man/Samba-Guide/ . Carefully follow the steps in the section "Samba Domain with Samba Domain Member Server Using LDAP", http://samba.mirror.aarnet.edu.au/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap .
- You need to set up the smbldap tools so that they do not get overwritten as your Samba setup is updated.
- The computers needed to be put in the same place (in the directory tree) as the user accounts (this was true for recent versions of Samba).
- You don't need winbind if you are running a Samba PDC, only if you want to authenticate Linux machines to a Windows server.

The Administrator account

The biggest concern to me has been putting a root account in the directory. My conscience screams at me! The latest Samba supports non-root administrators for joining machines to the domain; I haven't tried that yet. Other concern: the smbldap tools need to read the administrator password, and so does Samba, which reads it from /etc/samba/secrets.tdb. It would be nice to write a program to read it from there for the smbldap tools, so that it only needs to be maintained in one place. My crude attempt used tdbdump, part of Samba.

Didn't include

- replication
- distributed directories
- access control lists (for examples: slapd.conf on ictlab, slapd.conf on nicku, and the program to make ACLs for student ldap workshops)
- how the automounter is set up to run from ldap
- simplicity of client setup using authconfig (or kickstart) with Red Hat/Fedora
- setting up local user accounts and network user accounts
- use of GQ, Directory Administrator, ldap Account Manager
- high availability
- the fabulous new Fedora Directory Server
- Life, the Universe and Everything

References

- LDAP System Administration, Gerald Carter, O'Reilly, March 2003, ISBN 1-565-92491-6
- Understanding and Deploying LDAP Directory Services (2nd Edition), Timothy A. Howes, Mark C. Smith, Gordon S. Good, Addison Wesley Professional, May 2, 2003, ISBN 0672323168
- Understanding and Deploying LDAP Directory Services, Timothy Howes, Mark Smith and Gordon Good, Macmillan, 1999. Tsing Yi library: TK 5105.595.H69 1999
- LDAP Programming, Management and Integration, Clayton Donley, Manning Publications, 2003, ISBN 1-930110-40-5
- LDAP Directories Explained: An Introduction and Analysis, Brian Arkills, Addison-Wesley, 2003, ISBN 0-201-78792-X
- Understanding LDAP, IBM Redbook (registration required): http://www.redbooks.ibm.com/abstracts/sg244986.html
- LDAP Implementation Cookbook, IBM Redbook (registration required): http://www.redbooks.ibm.com/abstracts/sg245110.html
- Implementing LDAP, Mark Wilcox, Wrox Press, 2000
- The many RFCs are helpful; see the following slides.

The RFCs

You could get a list of (most) of the relevant RFCs by searching the RFC index for LDAP. The RFC numbers that turn up:

    1823  2649  2926  3663  3829
    2164  2657  2927  3671  3866
    2247  2696  3045  3672  3876
    2251  2713  3062  3673  3909
    2252  2714  3088  3674  3928
    2253  2739  3112  3687  4104
    2254  2798  3296  3698
    2255  2820  3352  3703
    2256  2829  3377  3712
    2307  2830  3383  3727
    2587  2849  3384  3771
    2589  2891  3494  3828

The first few entries from the RFC index:

    1823 The LDAP Application Program Interface. T. Howes, M. Smith. August 1995. (Format: TXT=41081 bytes) (Status: INFORMATIONAL)
    2164 Use of an X.500/LDAP directory to support MIXER address mapping. S. Kille. January 1998. (Format: TXT=16701 bytes) (Obsoletes RFC1838) (Status: PROPOSED STANDARD)
    2247 Using Domains in LDAP/X.500 Distinguished Names. S. Kille, M. Wahl, A. Grimstad, R. Huber, S. Sataluri. January 1998. (Format: TXT=12411 bytes) (Status: PROPOSED STANDARD)
    2251 Lightweight Directory Access Protocol (v3). M. Wahl, T. Howes, S. Kille. December 1997. (Format: TXT=114488 bytes) (Updated by RFC3377, RFC3771) (Status: PROPOSED STANDARD)
    2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions. M. Wahl, A. Coulbeck, T. Howes, S. Kille. December 1997. (Format: TXT=60204 bytes) (Updated by RFC3377) (Status: PROPOSED STANDARD)
    2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. M. Wahl, S. Kille, T. Howes. December 1997. (Format: TXT=18226 bytes) (Obsoletes RFC1779) (Updated by RFC3377) (Status: PROPOSED STANDARD)
    2254 The String Representation of LDAP Search Filters. T. Howes. December 1997. (Format: TXT=13511 bytes) (Obsoletes RFC1960) (Updated by RFC3377) (Status: PROPOSED STANDARD)
    2255 The LDAP URL Format. T. Howes, M. Smith. December 1997. (Format: TXT=20685 bytes) (Obsoletes RFC1959) (Updated by RFC3377) (Status: PROPOSED STANDARD)

The RFC text files fetched, alongside the index:

    INDEX        rfc2256.txt  rfc2713.txt  rfc3045.txt  rfc3672.txt  rfc3771.txt
    rfc1274.txt  rfc2293.txt  rfc2714.txt  rfc3062.txt  rfc3673.txt  rfc3829.txt
    rfc2079.txt  rfc2294.txt  rfc2798.txt  rfc3088.txt  rfc3674.txt  rfc3866.txt
    rfc2247.txt  rfc2307.txt  rfc2829.txt  rfc3112.txt  rfc3687.txt  rfc3876.txt
    rfc2251.txt  rfc2377.txt  rfc2830.txt  rfc3296.txt  rfc3698.txt  rfc3909.txt
    rfc2252.txt  rfc2587.txt  rfc2849.txt  rfc3377.txt  rfc3703.txt  rfc3928.txt
    rfc2253.txt  rfc2589.txt  rfc2891.txt  rfc3383.txt  rfc3712.txt
    rfc2254.txt  rfc2649.txt  rfc2926.txt  rfc3663.txt  rfc3727.txt
    rfc2255.txt  rfc2696.txt  rfc2927.txt  rfc3671.txt