\errorcontextlines=99
%\documentclass[colorBG,slideColor,troispoints,pdf]{prosper}
\documentclass{beamer}
%\documentclass[12pt,colorBG,total,slideColor,pdf]{ppr-prv-nick}
%\documentclass[colorBG,slideColor,ps]{prosper}
\usepackage{alltt,key,xr,cols,rcs,acro,%
  graphicx,varioref,explanation,booktabs,multicol,yfonts}
%\RequirePackage[unknownkeysallowed,a4paper,scale=0.93]{geometry}
% \usepackage[nolineno,noindent]{lgrind}
% \usepackage[toc,highlight,Tycja]{HA-prosper}
\mode<presentation>
{
  \usetheme{Warsaw}
  % or ...
  \setbeamercovered{transparent}
  % or whatever (possibly just delete it)
}
\usepackage[english]{babel}
% or whatever
\usepackage[utf8]{inputenc}
% or whatever
\usepackage{times}
\usepackage[T1]{fontenc}
%\definecolor{green}{rgb}{0,1,0}
% Copyright (c) 2004 by Nick Urbanik .
% This material may be distributed only subject to the terms and
% conditions set forth in the Open Publication License, v1.0 or later
% (the latest version is presently available at
% http://www.opencontent.org/openpub/).
\RCS $Revision: 1.4 $
\DeclareRobustCommand*{\link}[2]{\href{\protect#2}{#1} \path{#2}}
\newcommand{\blue}{}
\newcommand{\red}{}
\providecommand*{\bs}{\texttt{\char '134}} % Backslash `\'
%\newcommand*{\labTitle}{LDAP Directories}
\subject{SLUG}
\newcommand*{\emphcolour}[1]{\emph{\red#1}}
\providecommand*{\RPM}{\acro{RPM}\xspace}
\providecommand*{\CD}{\acro{CD}\xspace}
\providecommand*{\IPC}{\acro{IPC}\xspace}
\providecommand*{\UID}{\acro{UID}\xspace}
\providecommand*{\GID}{\acro{GID}\xspace}
\providecommand*{\SMP}{\acro{SMP}\xspace}
\providecommand*{\API}{\acro{API}\xspace}
\providecommand*{\OK}{\acro{OK}\xspace}
\providecommand*{\IETF}{\acro{IETF}\xspace}
\providecommand*{\MS}{\acro{MS}\xspace}
\newlength{\lift}
\settoheight{\lift}{$\triangleleft$}
\newcommand*{\generalises}{$\triangleleft$\rule[0.5\lift]{1.7\lift}{.4pt}}
\title{How we implemented an LDAP directory for Laboratories}
\subtitle{A Case Study at Hong Kong Institute of Vocational Education (Tsing Yi), Department of ICT}
%% \author{Nick Urbanik \texttt{}\\
%% \footnotesize{}Copyright Conditions: Open Publication License (see
%% \url{http://www.opencontent.org/openpub/})}%
%% \institution{Department of Information and Communications Technology}
\author{Nick Urbanik \texttt{}\\
  \footnotesize{}Copyright Conditions: Open Publication License (see
  \url{http://www.opencontent.org/openpub/})\\
  Sydney Linux Users Group (SLUG)\\
  Building 2, Level 4, Room 410, UTS Broadway\\
  24 June 2005, 8.20\,pm}
%\institution{}}%
%\footnotesize{}Copyright Conditions: GNU FDL (see
%\url{http://www.gnu.org/licenses/fdl.html})}
%\slideCaption{SLUG --- LDAP Directories --- ver. \RCSRevision}
%\Logo{\includegraphics[width=15mm]{ict-logo-smaller}}
%\DefaultTransition{Wipe}
%\TitleSlideNav{FullScreen}
%\NormalSlideNav{ShowBookmarks}
%\LeftFoot{SLUG --- ver. \RCSRevision}
%\RightFoot{LDAP at HKIVE(TY)}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
\AtBeginSubsection[]
{
  \begin{frame}
    \frametitle{Outline}
    \tableofcontents[currentsection,currentsubsection]
  \end{frame}
}
\begin{document}
%\fontsize{17pt}{20pt}\selectfont
%\fontsize{14pt}{16pt}\selectfont
%\makeatletter\input{size12.clo}\makeatother
%\ptsize{17}
\maketitle
%\part{Introduction to Directories}
%% \begin{frame}{Network Design}
%% \begin{itemize}
%% \item As in our teaching plan, Network Design is our next topic.
%% \item I will include some topics from:
%% \begin{itemize}
%% \item Designing a directory infrastructure
%% \item Automating the naming and configuration of network: more
%% advanced topics in DHCP and DNS
%% \item Designing the routing and switching infrastructure
%% \end{itemize}
%% \item This first topic is directory infrastructure
%% \end{itemize}
%% \end{frame}
%\part[bm=Getting Started,toc=Getting Started]%
\part{Ummm, Err, ummm\ldots\,Errrrrr\ldots\,what shall we do?}
%\overlays{6}{%
\begin{frame}{What do you already know about \LDAP?}
  \begin{itemize}
  \item How many know that a directory is tree shaped?
  \item How many have worked with a directory before?
  \item How many know about \SNMP object \ID{}s?
  \item How many know \ldots
  \item What\ldots\ is the air-speed velocity of an unladen swallow?
  \item The \href{http://www.style.org/unladenswallow/}{European swallow appears to do about 11\,ms${}^{-1}$}
  \end{itemize}
\end{frame}
%}
%\overlays{3}{%
\begin{frame}{What Do You Want?}
  \begin{itemize}
  \item I could talk for ten hours
  \item (actually, I could go on for twenty after a few beers)
    \begin{itemize}
    \item \ldots\,but we have only an hour
    \end{itemize}
  \item What topics do you want us to cover here?
    \begin{itemize}
    \item I think we need to understand the basics of \LDAP itself
      \begin{itemize}
      \item operations
      \item some simple tools
      \end{itemize}
    \item \ldots\,to make sense of other topics, especially programming
    \item The basics of the way inheritance works in \LDAP are important when understanding how to design a schema
    \end{itemize}
  \end{itemize}
\end{frame}
%}
\part*[bm=Argument for LDAP,toc=Argument for LDAP]%
{Reasons for \LDAP and problems with alternatives\\[4ex]\red{}We don't have time for this!}
\begin{frame}{Account Information}
  \begin{itemize}
  \item The computer uses numbers to refer to users and groups
  \item Humans prefer to use names (like nicku)
  \item When you create files in your shared network drive, the client must access them using the same numbers
  \item The user ID numbers and group ID numbers must be the same on all computers
  \item Otherwise users will not be able to read their own files!
  \end{itemize}
\end{frame}
\begin{frame}[fragile]{Network Accounts}
  \begin{itemize}
  \item
\begin{alltt}\footnotesize
$ \textbf{ls -ln file}
-rw-rw---- 1 500 500 2057 Nov 1 2000 file
\end{alltt}%$
  \item Now nicku with user \ID number 500 and group \ID 500 can read and write this file
  \item \ldots{}But nicku with user \ID number 2270 and group \ID number 2270 cannot access the file at all:
\begin{alltt}\footnotesize
$ \textbf{id}
uid=2270(nicku) gid=2270(nicku) groups=2270(nicku),14171(staff)
\end{alltt}%$
  \end{itemize}
\end{frame}
\begin{frame}{Network Accounts --- 2}
  \begin{itemize}
  \item The user \ID numbers and group \ID numbers on files on a network drive are fixed
  \item The user \ID numbers should remain unchanged for all users who read/write the network drive.
  \end{itemize}
\end{frame}
\begin{frame}{Methods of achieving this}
  \begin{itemize}
  \item Have a \emphcolour{directory server} of some kind
  \item The directory server associates a fixed user \ID number with each login \ID
  \item \ldots{}and a fixed group \ID number for each group \ID
  \item On \NT, these are called \acro{SID}{}s (security \ID{}s)
  \end{itemize}
\end{frame}
\begin{frame}{Directory systems for authentication}
  \begin{itemize}
  \item Proprietary:
    \begin{itemize}
    \item Novell Directory Services (\acro{NDS})
    \item Microsoft Active Directory (\acro{AD})
    \item \NT 4 domain
    \item \NIS+ (Network Information System plus)
    \item \NIS
    \end{itemize}
  \item Open protocols:
    \begin{itemize}
    \item \LDAP
    \item Hesiod
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Proprietary application directories}
  \begin{itemize}
  \item Application-specific directories:
    \begin{itemize}
    \item Lotus Notes
    \item cc:Mail
    \item Microsoft Exchange
    \item Novell GroupWise
    \end{itemize}
  \item These directories come bundled with, or embedded in, an application such as email.
  \item If you add another such application, you must manage one more directory (the ``$N + 1$ directory problem'')
  \item If you add another user, you must add them to all the directories.
  \end{itemize}
\end{frame}
\begin{frame}{Problem with proprietary directories}
  \begin{itemize}
  \item Need to put the same user into many different directories
  \item Need to maintain $N$ times the number of user accounts, where $N$ is the number of directories.
  \item This is just too much work.
  \item The accounts get out of sync.
  \end{itemize}
\end{frame}
\begin{frame}{Why not buy Microsoft AD?}
  \label{sld:why-not-microsoft-ad}
  \begin{itemize}\small
  \item Microsoft leverage their monopoly on the desktop to ``embrace and extend'' free software written by others
  \item Example:
    \begin{itemize}
    \item Kerberos is a ``Network Authentication Service'', an \acro{IETF} standard (see \RFC 1510)
    \item Kerberos is written by cooperating programmers round the world
    \item Microsoft took Kerberos, and modified the protocol very slightly (they classified this change as a ``trade secret'')
    \item So that \MS desktops can use \MS Kerberos servers, but not non-\MS Kerberos servers.
    \end{itemize}
  \item Although \MS claims to support standards, \MS solutions are highly proprietary
  \item Designed to lock the user into an all-\MS solution.
  \item Could be an expensive and insecure mistake.
  \end{itemize}
\end{frame}
\part{LDAP}
\begin{frame}{Why we chose LDAP}
  \label{sec:why-chose-ldap}
  \vspace*{-2ex}
  \begin{itemize}
  \item Single sign on---the \raisebox{-0.5\height}{\includegraphics[width=0.08\slideWidth]{cut-cup}} \textgoth{\huge\red{}Holy Grail}.
\end{itemize} \vspace{2ex} \includegraphics[width=\slideWidth]{g-arthur} \begin{itemize} \item King Arthur and his knights support this quest \item The knights who say \emphcolour{\Large{}Ni} all concur with a resounding \emphcolour{\LARGE{}Ni!} \end{itemize} \end{frame} \begin{frame}{\LDAP --- Why?} \begin{itemize} \item Non-proprietary, IETF standard \begin{itemize} \item No vendor lock-in \item Use standard software components \end{itemize} \item Supports authorisation as well as authentication \begin{itemize} \item E.g., access if ``staff, or year 3, group W, CSA student'' \end{itemize} \item Very general purpose: use for email, system authentication, application authentication, \ldots \item Reasonably secure \item Robust \item Extensible \item Good open source implementation available at \url{http://www.OpenLDAP.org/} \end{itemize} \end{frame} \begin{frame}{\LDAP Terminology} \begin{itemize} \item \LDAP model is \emphcolour{hierarchical}, i.e., tree-structured \item Each object in a directory is an \emphcolour{entry} \item Each individual item in an entry is an \emphcolour{attribute} \item Each entry has a unique full name called its \emphcolour{distinguished name} or \emphcolour{dn} \item Each entry has a short name that is unique under its parent, called its \emphcolour{relative distinguished name}, or \emphcolour{rdn}. 
  \item The organisation of names in the directory is called the \emphcolour{namespace}
  \item An important initial task is \emphcolour{namespace design}
  \end{itemize}
\end{frame}
\begin{frame}{What is \LDAP?}
  \begin{itemize}
  \item The \LDAP \emphcolour{protocol}, a standard Internet protocol
  \item Four \emphcolour{models}:
    \vspace{-3ex}
    \begin{multicols}{2}
      \begin{itemize}
      \item \emphcolour{information~model}---what you can put in the directory
      \item \emphcolour{naming~model}---how directory data is named
      \item \emphcolour{functional~model}---what you can do with the data
      \item \emphcolour{security~model}---no unauthorised access
      \end{itemize}
      %\setcounter{unbalance}{-1}
    \end{multicols}
    \vspace{-2.5ex}
  \item \LDAP Data Interchange Format ({\red\LDIF}), a standard text format for representing directory data
  \item \LDAP \emphcolour{server software}
  \item \emphcolour{command line utilities} (\texttt{ldapsearch}, \texttt{ldapmodify},\,\ldots)
  \item {\mbox{}\red\LDAP \API}
  \end{itemize}
\end{frame}
\begin{frame}{The \LDAP Protocol}
  \begin{itemize}
  \item \LDAP is a \emphcolour{message-based} protocol
    \begin{itemize}
    \item client sends one or more requests to server, one message per request
      \begin{itemize}
      \item Each message has its own \emphcolour{message ID}
      \end{itemize}
    \item server replies with one or more replies. Each reply has message \ID matching that of request.
    \item A client can send several requests without waiting for replies; the replies may come back out of order, and are matched to requests by message \ID
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Simple Search Examples}
  \begin{center}
    \includegraphics[width=0.7\slideWidth]{single-request}
  \end{center}
  \vspace*{-\baselineskip}
  \begin{itemize}
  \item Here a client gets one single entry from the directory
  \end{itemize}
  \begin{center}
    \includegraphics[width=0.7\slideWidth]{multiple-response}
  \end{center}
  \vspace*{-\baselineskip}
  \begin{itemize}
  \item A client gets multiple responses from the directory
  \end{itemize}
\end{frame}
\begin{frame}{Multiple Simultaneous Requests}
  \begin{center}
    \includegraphics[width=0.7\slideWidth]{multiple-request}
  \end{center}
  \begin{itemize}
  \item A client sends multiple requests to the directory
  \item Note that each request has its own \texttt{msgid}
  \item Responses may come out of order (see last two result codes); that's okay.
    \begin{itemize}
    \item These details are hidden from the programmer by the \acro{SDK} (software development kit)
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{\LDAP Protocol Operations}
  \begin{itemize}
  \item \emphcolour{Interrogation operations}: \texttt{search}, \texttt{compare}
  \item \emphcolour{Update operations}: \texttt{add}, \texttt{delete}, \texttt{modify}, \texttt{modify~DN} (rename)
  \item \emphcolour{Authentication and control operations}: \texttt{bind}, \texttt{unbind}, \texttt{abandon}
    \begin{description}
    \item[\texttt{\red{}bind}] operation allows a client to identify itself by sending its identity and authentication credentials
    \item[\texttt{\red{}unbind}] operation allows the client to terminate the session
    \item[\texttt{\red{}abandon}] operation allows a client to tell the server it does not need the results of an operation it had requested earlier
    \end{description}
  \end{itemize}
\end{frame}
\begin{frame}{Typical \LDAP Exchange}
  \label{sld:typical-ldap-exchange}
  \begin{center}
    \includegraphics[width=0.7\slideWidth]{typical-ldap-request}
  \end{center}
  \begin{itemize}
  \item
The \emphcolour{bind operation} provides a \emphcolour{distinguished name} (\DN) and other credentials to authenticate against the directory \item The \emphcolour{unbind operation} is a request to disconnect \end{itemize} \end{frame} \begin{frame}{\LDAP Encoding: \BER} \begin{itemize} \item The \LDAP protocol uses the \emphcolour{Basic Encoding Rules}, \BER to encode various data types in a platform independent way \item These are the same rules as used in \SNMP \item Therefore it is not a simple text-based protocol, like \acro{HTTP} or \acro{SMTP}. \end{itemize} \end{frame} \section{LDAP Operations} \begin{frame}{\LDAP Search Operation} \label{sld:ldap-search-operation} \begin{itemize} \item Used to search for entries and retrieve them \begin{itemize} \item This is the only way to read the directory \end{itemize} \item Takes eight parameters, including: \begin{itemize} \item \DN of base object for search --- see slide~\S\pageref{sld:search-scope} \item search scope --- see slide~\S\pageref{sld:search-scope} \item search filter --- see slide~\S\pageref{sld:filters} \item list of attributes to return \end{itemize} \end{itemize} \end{frame} \begin{frame}{Search Scope} \label{sld:search-scope} \newcommand*{\scale}{0.27} \begin{center} \begin{minipage}[t]{0.3\slideWidth} \begin{tabularx}{\linewidth}{X} \includegraphics[scale=\scale]{scope-base}\\ Search scope = \emphcolour{base} \end{tabularx} \end{minipage}% \hspace{1ex}% \begin{minipage}[t]{0.3\slideWidth} \begin{tabularx}{\linewidth}{X} \includegraphics[scale=\scale]{scope-one}\\ Search scope = \emphcolour{one} \end{tabularx} \end{minipage}% \hspace{1ex}% \begin{minipage}[t]{0.3\slideWidth} \begin{tabularx}{\linewidth}{X} \includegraphics[scale=\scale]{scope-sub}\\ Search scope = \emphcolour{subtree} \end{tabularx} \end{minipage} \end{center} \begin{itemize} \item In each case, the search base is \path{ou=People,dc=ict,dc=edu,dc=hk} \end{itemize} \end{frame} \begin{frame}{The Compare Operation} 
  \label{sld:compare-operation}
  \begin{itemize}
  \item Not very useful
  \item I use it for determining if a user belongs to a particular group
  \item Main difference from search:
    \begin{itemize}
    \item If you compare against an attribute that does not exist in a particular entry, the server returns a result code saying so (\texttt{noSuchAttribute})
    \item If you search for an attribute that does not exist in a particular entry, you simply get nothing back.
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Add Operation}
  \label{sld:add-operation}
  \begin{itemize}
  \item Creates a new entry, given two parameters:
    \begin{itemize}
    \item \DN of new entry
    \item list of attributes and their values to put in the new entry
    \end{itemize}
  \item Will succeed if and only if:
    \begin{itemize}
    \item parent of new entry exists
    \item no entry of same name exists
    \item new entry matches requirements of schemas
    \item access control allows operation
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Delete Operation}
  \label{sld:delete-operation}
  \begin{itemize}
  \item Deletes an entry
  \item Takes \DN of entry to delete
  \item Succeeds if:
    \begin{itemize}
    \item entry exists
    \item entry has no children
    \item access control allows operation
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Modify \DN (Rename) Operation}
  \label{sld:modify-dn-operation}
  \begin{itemize}
  \item Used to rename or move an entry from one place in tree to another
  \item Has four parameters:
    \begin{itemize}
    \item \DN of the entry to rename
    \item New \RDN for the entry
    \item Flag indicating whether to delete the old \RDN attribute value from the entry
    \item Optional \DN of a new superior (parent) entry, used to move the entry elsewhere in the tree
    \end{itemize}
  \item Succeeds if:
    \begin{itemize}
    \item entry exists
    \item new name not already used
    \item access control allows operation
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Modify Operation}
  \label{sld:modify-operation}
  \begin{itemize}
  \item Allows updating existing entry
  \item Can add, delete or replace attributes
  \item Can modify many attributes in one modify operation
  \item Succeeds if and only if:
    \begin{itemize}
    \item entry exists
    \item all attribute modifications succeed
    \item resulting entry obeys schemas
    \item access control permits modification
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Bind Operation}
  \label{sld:bind-operation}
  \begin{itemize}
  \item authenticates client to the directory
  \item Three bind types:
    \begin{itemize}
    \item \emphcolour{simple bind}, where the client sends a \DN and password in clear text to the server
      \begin{itemize}
      \item Need to use \TLS to encrypt communication in this case
        %\item with \texttt{ldapsearch} utility, specify using option \texttt{-x}
      \end{itemize}
    \item {\mbox{}\red\acro{SASL} bind}
      \begin{itemize}
      \item \acro{SASL} = Simple Authentication and Security Layer
      \item A standard protocol independent way of negotiating and performing authentication
      \end{itemize}
    \item \emphcolour{anonymous bind}, where the client sends no \DN and no password
    \end{itemize}
  \item Client can bind, perform operations, bind again, and perform other operations
  \end{itemize}
\end{frame}
\section{Utilities and LDIF}
\begin{frame}{Command Line Utilities}
  \label{sld:command-line-utilities}
  \begin{itemize}
  \item With Open\LDAP, the main utilities (in RH Linux, in the package \texttt{openldap-clients}) are:
    \begin{description}
    \item[\texttt{ldapsearch}] Query directory
    \item[\texttt{ldapmodify}] Perform the modify operation on an entry --- see \S\pageref{sld:ldapmodify-ldif}
    \item[\texttt{ldapdelete}] Delete an entry
    \item[\texttt{ldapadd}] Add an entry
    \item[\texttt{ldapmodrdn}] Rename an entry
    \item[\texttt{ldapcompare}] Compare operation
    \item[\texttt{ldappasswd}] Change \LDAP password using LDAPv3 Password Modify (RFC 3062) extended operation
    \end{description}
  \item Each one has a detailed \texttt{man} page
  \end{itemize}
\end{frame}
\begin{frame}{Common Parameters}
  \label{sld:command-line-utilities-common-parameters}
  \begin{itemize}
  \item All commands use the \acro{SASL} (Simple Authentication and Security Layer) protocol by default
    \begin{itemize}
    \item
      But won't work in HKIVE Tsing Yi:
    \item \ldots\,we use simple authentication here (we send plain text passwords over a link encrypted with Transport Layer Security, i.e., \TLS or \SSL)
    \end{itemize}
  \item ``\texttt{-x}'' use simple authentication instead of \acro{SASL}
  \item specify hostname of server with \texttt{-h}, e.g., \texttt{-h~ldap.vtc.edu.hk}
  \item Specify a \DN to bind with using \texttt{-D} (see \S\pageref{sld:ldapmodify-ldif})
  \item Specify a password on the command line with \texttt{-w~\meta{password}} (visible to every other user in the process list, so prefer the prompt) or interactively prompt for it using \texttt{-W}
    \begin{itemize}
    \item See \S\pageref{sld:ldapmodify-ldif}, \S\pageref{sld:using-ldapsearch-3-bind} for examples
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}[fragile]{\texttt{ldapsearch}}
  \label{sld:ldapsearch}
  \begin{itemize}
  \item Specify \emphcolour{base} of search with \texttt{-b~\meta{DN~of~search~base}}
    \begin{itemize}
    \item Default can be specified as a line in \path{/etc/openldap/ldap.conf}, e.g.,
\begin{verbatim}
BASE dc=tyict,dc=vtc,dc=edu,dc=hk
HOST ldap.tyict.vtc.edu.hk
\end{verbatim}
    \end{itemize}
  \item Specify \emphcolour{scope} of search with \texttt{-s~[base|one|sub]}
    \begin{itemize}
    \item Default scope is subtree scope
    \end{itemize}
  \item See \S\pageref{sld:using-ldapsearch-with-filter} for more examples.
  \end{itemize}
\end{frame}
\begin{frame}{\LDAP Data Interchange Format \LDIF}
  \label{sld:ldif-1}
  \begin{itemize}
  \item A standard defined in \RFC 2849
  \item Used to import, export directory data in a standard way
    \begin{itemize}
    \item A bit like how all spreadsheets understand tab-delimited text files
    \end{itemize}
  \item Can also specify update operations to directory entries.
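What the simple bind behind \texttt{ldapsearch -x -D \ldots\ -W} (Common Parameters slide) actually puts on the wire, as an added example that is not code from these slides or from OpenLDAP: the LDAPv3 BindRequest and UnbindRequest hand-encoded in BER from the ASN.1 in RFC 2251, plus a small reader that pulls the message ID and operation tag back out so that replies can be matched to requests as the protocol slides describe. The DN and password are constructed, and nothing here connects to a server. The password appears verbatim in the encoded bytes, which is exactly why the Bind Operation slide requires TLS for a simple bind.

```python
# Added example, not code from the slides: hand-encode the LDAPv3 BindRequest
# and UnbindRequest in BER (RFC 2251 ASN.1), as "ldapsearch -x -D ... -W"
# sends them, and pull the message ID back out of a message.  The DN and
# password below are constructed; nothing here talks to a server.

def ber_length(n):
    """Length octets: short form below 128, long form (0x80 | count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value triple."""
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value):
    """INTEGER (tag 0x02): two's complement in the fewest octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def ldap_message(msgid, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_integer(msgid) + protocol_op)

def bind_request(msgid, dn, password):
    """BindRequest ::= [APPLICATION 0] SEQUENCE {
           version INTEGER, name LDAPDN (an OCTET STRING),
           authentication CHOICE { simple [0] OCTET STRING, ... } }
    APPLICATION class + constructed gives tag 0x60; the context-specific
    primitive [0] of a simple bind is tag 0x80."""
    body = (ber_integer(3)
            + tlv(0x04, dn.encode("utf-8"))
            + tlv(0x80, password.encode("utf-8")))
    return ldap_message(msgid, tlv(0x60, body))

def unbind_request(msgid):
    """UnbindRequest ::= [APPLICATION 2] NULL, i.e. tag 0x42 with no content."""
    return ldap_message(msgid, tlv(0x42, b""))

def message_header(data):
    """Return (messageID, protocolOp tag) of a BER LDAPMessage; this is all a
    client needs to match a reply to the request it answers."""
    if not data or data[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    pos = 1
    pos += 1 + (data[pos] & 0x7F) if data[pos] & 0x80 else 1
    if data[pos] != 0x02:
        raise ValueError("messageID INTEGER expected")
    ilen = data[pos + 1]
    msgid = int.from_bytes(data[pos + 2:pos + 2 + ilen], "big", signed=True)
    return msgid, data[pos + 2 + ilen]

if __name__ == "__main__":
    # constructed credentials: the password is visible verbatim in the bytes,
    # which is why a simple bind needs TLS on the wire
    pkt = bind_request(1, "uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk", "s3cret")
    print(pkt.hex(" "))
    print(bind_request(1, "", "").hex(" "))   # anonymous bind
    print(message_header(pkt), unbind_request(2).hex(" "))
```

The anonymous bind encodes to the fourteen bytes \texttt{30 0c 02 01 01 60 07 02 01 03 04 00 80 00}; a bind with real credentials differs only in the two OCTET STRINGs, so anyone who can read the TCP stream reads the password.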
  \end{itemize}
\end{frame}
\begin{frame}[fragile]{Example \LDIF}
  \label{sld:example-ldif}
  \ptsize{10}\footnotesize
\begin{verbatim}
dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
uid: nicku
cn: Nick Urbanik
givenName: Nick
sn: Urbanik
mail: nicku@sysadmin.no-ip.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/sh
uidNumber: 1000
gidNumber: 1000
homeDirectory: /opt/nicku
mail: nicku@nickpc.tyict.vtc.edu.hk
description: Interested in free software
\end{verbatim}
\end{frame}
\begin{frame}[fragile]{Update Operation in \LDIF}
  \label{sld:ldapmodify-ldif}
  \ptsize{10}
\begin{alltt}\footnotesize
$ \textbf{cat /tmp/update-nick.ldif}
dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
changetype: modify
replace: mail
mail: nicku@nicku.org
-
add: title
title: No longer a lecturer in Hong Kong
-
add: jpegPhoto
jpegPhoto:< file:///tmp/penguin.jpg
-
delete: description
-
$ \textbf{ldapmodify -x \bs
  -D 'uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk' \bs
  -W -f /tmp/update-nick.ldif}
Enter LDAP password:
modifying entry "uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk"
\end{alltt}
\end{frame}
\section{Schemas}
\begin{frame}{\LDAP Schemas}
  \begin{itemize}
  \item The directory has a set of rules that determine the allowed objectclasses and attributes
  \item Called the \emphcolour{schemas}
  \item Can be defined in
    \begin{itemize}
    \item ASN.1, or
    \item University of Michigan style, or
    \item \LDAP{}v3 style
    \end{itemize}
  \item Each object, and its syntax, are both defined using \OID{}s, as in \SNMP.
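Before leaving \LDIF: a parser for the records shown on the two preceding slides, added here as an example (it is neither the slides' own code nor OpenLDAP's). It handles the RFC 2849 features those records use: continuation lines, base64 values (\texttt{attr::}), the \texttt{attr:< url} form, and \texttt{changetype: modify} blocks separated by \texttt{-}. The sample text is constructed from the slide entry. The URL-valued attribute is deliberately not dereferenced: \texttt{ldapmodify} reads any \texttt{file:///} path the invoking user can read, so \LDIF from an untrusted source must not be fed to it blindly.

```python
# Added example, not from the slides: a small RFC 2849 LDIF parser.  Sample
# input is constructed from the slide entry plus a folded line, a base64
# value and a URL-valued attribute.
import base64
from collections import namedtuple

URLRef = namedtuple("URLRef", "url")   # an 'attr:< url' value, left unfetched

def unfold(text):
    """Join continuation lines (leading single space) to the line before
    them and drop '#' comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """'attr: value' -> (attr, bytes); 'attr:: b64' is base64-decoded;
    'attr:< url' returns a URLRef instead of reading the URL."""
    attr, sep, rest = line.partition(":")
    if not sep or not attr:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    if rest.startswith("<"):
        return attr, URLRef(rest[1:].strip())
    return attr, rest.lstrip(" ").encode("utf-8")

def parse_record(lines):
    """A content record gives {'dn', 'attrs'}; a 'changetype: modify' record
    gives 'changes' as a list of (op, attr, [values]) blocks."""
    if lines[0].lower().startswith("version:"):
        lines = lines[1:]
    attr, dn = parse_line(lines[0])
    if attr.lower() != "dn":
        raise ValueError("record does not start with dn: %r" % lines[0])
    rec = {"dn": dn.decode("utf-8"), "changetype": None, "attrs": {}, "changes": []}
    body = lines[1:]
    if body and body[0].lower().startswith("changetype:"):
        rec["changetype"] = parse_line(body[0])[1].decode("utf-8").strip()
        body = body[1:]
    if rec["changetype"] != "modify":
        for line in body:
            a, v = parse_line(line)
            rec["attrs"].setdefault(a, []).append(v)
        return rec
    block = None
    for line in body:
        if line == "-":                    # end of one modification block
            if block is not None:
                rec["changes"].append(block)
            block = None
            continue
        a, v = parse_line(line)
        if block is None:                  # 'add:', 'delete:' or 'replace:' line
            if a.lower() not in ("add", "delete", "replace"):
                raise ValueError("bad modify operation %r" % a)
            block = (a.lower(), v.decode("utf-8").strip(), [])
        elif a.lower() != block[1].lower():
            raise ValueError("value for %s inside block for %s" % (a, block[1]))
        else:
            block[2].append(v)
    if block is not None:                  # trailing block without a '-'
        rec["changes"].append(block)
    return rec

def parse_ldif(text):
    """Split LDIF into records at blank lines and parse each one."""
    records, block = [], []
    for line in unfold(text) + [""]:
        if line.strip():
            block.append(line)
        elif block:
            records.append(parse_record(block))
            block = []
    return records

SAMPLE = """\
# constructed sample: entry from the slides, then an update record
dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
uid: nicku
cn: Nick Urbanik
sn: Urbanik
objectClass: person
objectClass: posixAccount
objectClass: top
uidNumber: 1000
gidNumber: 1000
homeDirectory: /opt/nicku
description: Interested in free
  software
mail:: bmlja3VAbmlja3Uub3Jn

dn: uid=nicku,ou=People,dc=ict,dc=vtc,dc=edu,dc=hk
changetype: modify
replace: mail
mail: nicku@nicku.org
-
add: jpegPhoto
jpegPhoto:< file:///tmp/penguin.jpg
-
delete: description
-
"""

if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE):
        print(rec["dn"], rec["changetype"], rec["attrs"] or rec["changes"])
```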
  \end{itemize}
\end{frame}
\begin{frame}{Side track on Object IDs}
  \label{sld:oids}
  \begin{itemize}
  \item \LDAP uses a tree structure of \emphcolour{Object IDs} (\emphcolour{OIDs}), the same as \SNMP, to identify objects and attributes
  \item Better not to invent your own, to avoid clashing with those used in other schemas
  \item Apply to the Internet Assigned Numbers Authority (\acro{IANA}) for your own \href{run:gedit data/enterprise-numbers}{enterprise number}
    \begin{itemize}
    \item from \href{http://www.iana.org/protocols/forms.htm}{Application Forms} choose \href{http://www.iana.org/cgi-bin/enterprise.pl}{Private Enterprise Numbers (SNMP)}
    \end{itemize}
  \item See ours (11400) at \link{IANA}{http://www.iana.org/assignments/enterprise-numbers}, grep for \texttt{nicku}.
  \end{itemize}
\end{frame}
\begin{frame}{Tree of object IDs}
  \label{sld:oids-picture}
  \includegraphics[width=\slideWidth]{smi-object-tree}
\end{frame}
\begin{frame}{Attributes --- Defined in Schema}
  \begin{itemize}
  \item For each attribute, schema defines:
    \begin{itemize}
    \item Name
    \item Description
    \item Permitted comparisons (the matching rules for equality, ordering and substring matches)
    \item Syntax (i.e., data type).
    \end{itemize}
  \item \LDAP server ensures that all added data matches the schema
  \end{itemize}
\end{frame}
\begin{frame}{\LDAP objectClass --- 1}
  \begin{itemize}
  \item Each attribute belongs to one or more \textbf{objectClass}es
  \item objectClasses are defined in schemas
  \item Defines what attributes \emphcolour{must}, or \emphcolour{may} be present in an entry
  \item objectClass definition includes:
    \begin{itemize}
    \item Name of objectClass
    \item Which superior class it is derived from
    \item The type of objectClass: \emphcolour{structural}, \emphcolour{auxiliary} or \emphcolour{abstract}
    \item Description
    \item List of \emphcolour{required} attributes
    \item List of \emphcolour{allowed} attributes
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{Object Class and Attributes}
  \begin{itemize}
  \item The entry can use all the attributes allowed in all the objectClasses.
    \begin{itemize}
    \item See in slide~\S\pageref{sld:namespace-of-atributes} how \LDAP attributes differ from attributes in, say, a Java class
    \end{itemize}
  \end{itemize}
\end{frame}
\begin{frame}{\LDAP Object Class Inheritance}
  \begin{itemize}
  \item \LDAP implements a limited form of object oriented inheritance
  \item One entry may contain many objectClasses
    \begin{itemize}
    \item We say, ``an entry belongs to many classes''
    \end{itemize}
    %\item Single, not multiple inheritance---see page 272,
    % Understanding and Deploying LDAP, second edition, but if you
    % look in cosine.schema for the definition of pilotOrganization
    % which inherits from both organization and organizationalUnit. Try
    % $ grep -i 'sup \+(' /etc/openldap/schema/*
  \item Cannot override any schema rules defined in superior class
  \item Example: top~\generalises\ person~\generalises\ organizationalPerson~\generalises\ inetOrgPerson
    \begin{itemize}
    \item In \texttt{/etc/openldap/schema}, \texttt{core.schema} defines person, organizationalPerson; \texttt{inetorgperson.schema} defines inetOrgPerson
    \end{itemize}
  \item A class derived from another class includes the attributes of its superior class(es)
  \end{itemize}
\end{frame}
\begin{frame}{\LDAP Object Class Type}
  \begin{itemize}
  \item objectClass has a type: \emphcolour{structural}, \emphcolour{auxiliary}, or \emphcolour{abstract}
  \item Default is \emphcolour{structural}
  \item \textbf{Structural} is for the fundamental, basic aspects of the object, e.g., \textbf{person}, \textbf{posixGroup}, \textbf{device}.
  \item \textbf{Auxiliary} classes place no restrictions on where an entry is stored, and are used to add more attributes to structural classes.
  \item \textbf{Abstract} classes are not usually created by users; the class \textbf{top}, which every entry belongs to, is abstract.
\end{itemize} \end{frame} \begin{frame}{Structural Classes} \begin{itemize} \item Rule of \LDAP standards: if an entry belongs to more than one \emphcolour{structural} class, they must be related by inheritance \begin{itemize} \item Open\LDAP 2.0.x does not implement this restriction, but Open\LDAP 2.1.x and later versions (including 2.2.x) do. \end{itemize} \item To get around this, can either: \begin{itemize} \item Implement a new objectClass that is of type auxiliary that allows the attributes you require---see \url{http://www.openldap.org/faq/data/cache/883.html} \item Implement a new objectClass that inherits from both unrelated structural classes and use that---See \url{http://www.openldap.org/faq/data/cache/807.html} . \end{itemize} \end{itemize} \end{frame} \begin{frame}{Entries: Selecting Object Class Types} \begin{itemize} \item Entries contain one or more \emphcolour{objectClass}es \item Choose the attributes you need \item Select the objectClasses that provide these attributes \item Add the objectClass to your entry. \end{itemize} \end{frame} \begin{frame}{Rules for \LDAP Entries} \begin{itemize} \item Each entry must be a member of the objectClass \texttt{\red{}top} \item Each entry must be a member of the objectClass that provides the attributes \item Exactly {\green{}one objectClass should be structural}, the rest auxiliary (or abstract) \begin{itemize} \item An entry may belong to more than one structural class if all structural classes are {\green{}related by inheritance} \end{itemize} \end{itemize} \end{frame} \begin{frame}{Namespace of attributes} \label{sld:namespace-of-atributes} \begin{itemize} \item There is {\green{}only one namespace for attributes} \item The definition of the attribute \texttt{cn} (common name) is the same for all objectClasses that support the \texttt{cn} attribute. 
  \end{itemize}
\end{frame}
\begin{frame}[fragile]{Example objectTypes}
  \begin{itemize}
  \item Here is the definition for person from core.schema:
\begin{verbatim}
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
\end{verbatim}
  \item This says a person entry \emphcolour{must} contain:
    \begin{itemize}
    \item a surname (\texttt{sn}) and
    \item common name (\texttt{cn}),
    \end{itemize}
  \item and \emphcolour{may} contain a userPassword, a telephoneNumber, a description, and a reference to another \LDAP entry (seeAlso).
  \end{itemize}
\end{frame}
\begin{frame}{Want to support network login}
  \begin{itemize}
  \item Does the objectClass person provide what is needed for network login?
  \item For network accounts, need to replace (at minimum):
    \vspace*{-1.5ex}
    \begin{multicols}{2}
      \begin{itemize}
      \item \texttt{/etc/passwd}
      \item \texttt{/etc/shadow}
      \item \texttt{/etc/group}
      \end{itemize}
    \end{multicols}
    \vspace*{-1.5ex}
  \item So in addition to attributes of person, we need:
    \vspace*{-1.5ex}
    \begin{multicols}{2}
      \begin{itemize}
      \item User \ID name (log in name)
      \item User \ID number
      \item Primary group \ID number
      \item Gecos information (fifth field of \texttt{/etc/passwd})
      \item Home directory
      \item Login shell
      \end{itemize}
    \end{multicols}
    \vspace*{-2ex}
  \item Also the password aging information from \texttt{/etc/shadow} (the objectClass \texttt{shadowAccount} provides these)
  \end{itemize}
\end{frame}
\begin{frame}[fragile]{Supporting network login}
  \begin{itemize}
  \item Use the existing objectClass \texttt{posixAccount}:
    {\footnotesize
\begin{verbatim}
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
\end{verbatim}%$
    }
  \item Provides fields from \texttt{/etc/passwd}
  \end{itemize}
\end{frame}
\begin{frame}{Authorisation as well as authentication}
  \begin{itemize}
  \item Suppose you have an online
    web-based quiz, and want only staff, or year 3, group W, CSA students, to be allowed to log in.
  \item For this to work, each person entry has attributes including:
    \begin{itemize}
    \item \texttt{Course}, e.g., 41300
    \item \texttt{classCode}, e.g., W
    \item \texttt{Year}, e.g., 3
    \item \texttt{acType}, e.g., STU or STF
    \end{itemize}
  \end{itemize}
\end{frame}
\section{LDAP Filters \& URLs}
\begin{frame}[fragile]{\LDAP filters}
  \label{sld:filters}
  \begin{itemize}
  \item \LDAP provides a standard method for selecting authenticated users who match authorisation criteria
  \item The filter to select staff or students in year 3, CSA, group~W is:
\begin{verbatim}
(|(acType=STF)
  (&(year=3)(course=41300)(classcode=W)))
\end{verbatim}
    (\small This line is wrapped to fit on the slide, but is normally given on one line)
  \item All filters are enclosed in parentheses
  \item Filters can be combined with OR `\textbar', AND `\texttt{\&}', and negated with NOT `\texttt{!}'
  \end{itemize}
\end{frame}
\begin{frame}[fragile]{RFC 2254 --- 1}
  Find this in \path{/usr/share/doc/openldap-devel-2.2.23/rfc/rfc2254.txt}
\begin{verbatim}
filter     = "(" filtercomp ")"
filtercomp = and / or / not / item
and        = "&" filterlist
or         = "|" filterlist
not        = "!" filter
filterlist = 1*filter
item       = simple / present / substring
simple     = attr filtertype value
filtertype = equal / approx / greater / less
equal      = "="
approx     = "~="
greater    = ">="
less       = "<="
\end{verbatim}
\end{frame}
\begin{frame}[fragile]{RFC 2254 --- 2}
\begin{verbatim}
present    = attr "=*"
substring  = attr "=" [initial] any [final]
initial    = value
any        = "*" *(value "*")
final      = value
attr       = AttributeDescription from Section 4.1.5 of [1]
value      = AttributeValue from Section 4.1.6 of [1]
\end{verbatim}
  \begin{itemize}
  \item \verb![1]! is \acro{RFC} 2251.
  \item The grammar is written in the \acro{ABNF} notation of \acro{RFC} 822
  \end{itemize}
\end{frame}

\begin{frame}{Examples of Filters from RFC 2254}
  Return all entries in the scope of the search with attribute \texttt{cn} having the value ``Babs Jensen'':
\begin{verbatim}
(cn=Babs Jensen)
\end{verbatim}
  Return all entries in the scope of the search which do \emph{not} have the attribute \texttt{cn} with the value ``Tim Howes'':
\begin{verbatim}
(!(cn=Tim Howes))
\end{verbatim}
  Return all entries in the scope of the search which have the attribute \texttt{objectClass} with the value ``Person'', and which also have either \texttt{sn} equal to ``Jensen'' or a \texttt{cn} beginning with ``Babs J'':
\begin{verbatim}
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
\end{verbatim}
  Return all entries having an attribute \texttt{o} (i.e., organisation) which begins with \texttt{univ}, then contains \texttt{of} and \texttt{mich} in that order, with zero or more of any characters between them and any number of any characters at the end:
\begin{verbatim}
(o=univ*of*mich*)
\end{verbatim}
\end{frame}

\begin{frame}{More Filter Examples}
  \begin{itemize}
  \item Note that a filter such as \texttt{(age>21)} is not allowed: the only comparison operators in the grammar are \texttt{=}, \texttt{\textasciitilde=}, \texttt{>=} and \texttt{<=}.
  \item Use \texttt{(!(age<=21))} instead.
  \item Similarly, instead of \texttt{(age<21)}, use \texttt{(!(age>=21))}.
  \item Search for all students in group~W, year~3, \CSA course, who enrolled this year:
    \begin{alltt}
(&(year=3)(course=41300)(classcode=W)
  (registrationDate=*-03))
    \end{alltt}
    Note that there is a substring match on \texttt{registrationDate} here: \texttt{*-03} matches any value ending in \texttt{-03}. A substring match is like a wildcard in filename matching.
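  \item As an added example (not code from these slides): a small Python implementation of the \acro{RFC} 2254 grammar above, which parses a filter string into a tree, evaluates it against an entry, and escapes user-supplied values with the \bs{}\textit{xx} hex sequences the \acro{RFC} defines for \texttt{*}, \texttt{(}, \texttt{)}, \texttt{\bs} and NUL. It rejects \texttt{(age>21)} and a filter with whitespace between components, because neither is in the grammar. The matching rules are an assumption (case- and whitespace-insensitive, integers compared numerically, \texttt{\textasciitilde=} treated as plain equality), since the real rule depends on each attribute's syntax; the sample entries are constructed.

```python
"""RFC 2254 search-filter parser and evaluator (added example, not from the slides).

Implements the grammar on the RFC 2254 slides: and/or/not, equality,
approximate, >=, <=, presence and substring items, plus the \\xx hex escapes
the RFC defines for '*', '(', ')', '\\' and NUL.  Matching is an assumption:
case- and whitespace-insensitive for strings (like caseIgnoreMatch), numeric
when both sides are integers; '~=' is treated as plain equality (a real
server uses a phonetic rule).
"""
import re

_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_value(value):
    """Escape user-supplied data so that a filter matches it literally."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def _unescape(raw):
    """Replace each \\xx escape by the byte it names, then decode as UTF-8."""
    buf = bytearray()
    for i, piece in enumerate(re.split(r"(\\[0-9A-Fa-f]{2})", raw)):
        if i % 2:                                   # odd pieces are the captured escapes
            buf.append(int(piece[1:], 16))
        else:
            buf += piece.encode("utf-8")
    return buf.decode("utf-8")


# attr is an AttributeDescription (type name, optionally ';options'); the operator
# is =* (presence), ~=, >=, <= or =.  A bare '>' or '<' is not in the grammar.
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(=\*(?=\))|~=|>=|<=|=)")
_KIND = {"=": "eq", "~=": "approx", ">=": "ge", "<=": "le"}


def parse(text):
    """Parse a filter string into a tuple tree; raises ValueError on bad syntax."""
    node, pos = _parse_filter(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return node


def is_valid_filter(text):
    try:
        parse(text)
        return True
    except ValueError:
        return False


def _parse_filter(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    c = s[i]
    if c in "&|":                                   # filterlist = 1*filter, no whitespace
        subs, i = [], i + 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse_filter(s, i)
            subs.append(sub)
        if not subs:
            raise ValueError("'%s' needs at least one filter" % c)
        node = ("and" if c == "&" else "or", subs)
    elif c == "!":
        sub, i = _parse_filter(s, i + 1)
        node = ("not", sub)
    else:
        node, i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def _parse_item(s, i):
    m = _ITEM.match(s, i)
    if not m:
        raise ValueError("bad item at offset %d" % i)
    attr, op = m.group(1).lower(), m.group(2)       # attribute names are case-insensitive
    if op == "=*":
        return ("present", attr), m.end()
    end = s.find(")", m.end())                      # an unescaped ')' always ends the value
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    raw = s[m.end():end]
    if op == "=" and "*" in raw:                    # substring = attr "=" [initial] any [final]
        parts = raw.split("*")
        return ("substr", attr, _unescape(parts[0]),
                [_unescape(p) for p in parts[1:-1] if p], _unescape(parts[-1])), end
    return (_KIND[op], attr, _unescape(raw)), end


def _norm(v):
    return " ".join(str(v).split()).lower()


def _key(v):
    try:
        return (0, int(v))
    except ValueError:
        return (1, v)


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attribute: [values]}."""
    vals = {k.lower(): [str(x) for x in (v if isinstance(v, (list, tuple)) else [v])]
            for k, v in entry.items()}
    return _eval(node, vals)


def _eval(node, vals):
    kind = node[0]
    if kind == "and":
        return all(_eval(n, vals) for n in node[1])
    if kind == "or":
        return any(_eval(n, vals) for n in node[1])
    if kind == "not":
        return not _eval(node[1], vals)
    values = vals.get(node[1], [])
    if kind == "present":
        return bool(values)
    if kind == "substr":
        _, _, initial, anys, final = node
        pattern = ("^" + re.escape(_norm(initial)) + ".*"
                   + "".join(re.escape(_norm(a)) + ".*" for a in anys)
                   + re.escape(_norm(final)) + "$")
        return any(re.search(pattern, _norm(v), re.S) for v in values)
    target = _norm(node[2])
    if kind in ("eq", "approx"):
        return any(_norm(v) == target for v in values)
    if kind == "ge":
        return any(_key(_norm(v)) >= _key(target) for v in values)
    return any(_key(_norm(v)) <= _key(target) for v in values)


if __name__ == "__main__":
    # Constructed entries in the shape of the institute schema on these slides.
    entries = {
        "nicku": {"cn": ["Nick Urbanik"], "acType": ["STF"]},
        "chankk": {"cn": ["CHAN Kwok Kam"], "acType": ["STU"], "year": ["3"],
                   "course": ["41300"], "classCode": ["W"]},
        "likw": {"cn": ["LI Kim Wah"], "acType": ["STU"], "year": ["2"],
                 "course": ["41300"], "classCode": ["W"]},
    }
    f = parse("(|(acType=STF)(&(year=3)(course=41300)(classcode=W)))")
    print(sorted(uid for uid, e in entries.items() if matches(f, e)))
    print(is_valid_filter("(age>21)"), is_valid_filter("(!(age<=21))"))
    print("(cn=%s)" % escape_value("Babs (Jensen)*"))
```

The security point is \texttt{escape\_value}: any value that comes from a web form or a login prompt must go through it before being pasted into a filter, otherwise a user can supply \texttt{*} or \texttt{)(acType=STF} and change which entries the filter selects.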
  \end{itemize}
\end{frame}

\begin{frame}{Escaping Characters in a Filter}
  \begin{tabularx}{0.9\slideWidth}{Y>{\ttfamily}c}
    \toprule%
    \textbf{Character} & \textbf{Escape Sequence}\\
    \midrule%
    \texttt{*} (asterisk) & \bs2A\\
    \texttt{(} (left parenthesis) & \bs28 \\
    \texttt{)} (right parenthesis) & \bs29 \\
    \texttt{\bs} (backslash) & \bs5C \\
    \texttt{NUL} (the null byte) & \bs00 \\
    \bottomrule
  \end{tabularx}

  Any other byte may be escaped the same way, as \bs{}\textit{xx} with two hex digits. This is the \emphcolour{only} safe way to put user-supplied data into a filter: an unescaped \texttt{*} or \texttt{)} changes the meaning of the filter.
\end{frame}

\begin{frame}{Using the command line tool ldapsearch}
  \label{sld:using-ldapsearch-with-filter}
  \begin{itemize}
  \item \begin{alltt}
$ \textbf{ldapsearch -x -h ldap.vtc.edu.hk \bs
    -b "dc=vtc.edu.hk" \bs
    "(&(department=ICT)(site=TY)
       (|(acType=STF)
         (&(year=3)(course=41300)(classcode=W))))" cn}
\end{alltt}%$
  \item The result is a list of all the DNs that match the filter, together with the students' and staff names (the \texttt{cn} attribute we asked for).
  \item Can filter out the DNs and blank lines by piping the output through \texttt{grep '\wHt{}cn:' | sort}
  \end{itemize}
\end{frame}

\begin{frame}{Output of this \texttt{ldapsearch} without staff}
  \label{sld:using-ldapsearch-output}
  \ptsize{8}
\begin{verbatim}
cn: CHAN Kwok Kam
cn: CHEUK Suk Lai
cn: CHUNG Ming Kit
cn: LAI Man Chiu
cn: LAM Lai Hang
cn: LAU Siu Ying
cn: LAW Yuk Woon
cn: LI Kim Wah
cn: LI Siu Kai
cn: LI Yuet Cheung
cn: MA Hei Man
cn: MO Hoi Yu
cn: POON Chun Chung
cn: TAM Kin Fai
cn: TSO Yee Yee
cn: WONG Chi Man
cn: WONG Hoi Shan
cn: WONG Siu Fai
cn: WOO Kin Fan
\end{verbatim}
\end{frame}

\begin{frame}{Get All the Results}
  \ptsize{8}\begin{alltt}\small
$ \textbf{ldapsearch -x -h ldap.vtc.edu.hk -b 'dc=vtc.edu.hk' \bs
  "(&(department=ICT)(site=TY)(|(actype=STF)(&(year=3)
  (classcode=W)(course=41300))))" cn \bs
  | grep '^cn: ' | sed '{s/^cn: //;s/^\bs(.\bs\{15\bs\}\bs).*/\bs1/}' | sort | column}
Andy LAI C M Ho LEE HUNG KIN SIU CHONG PUI CHAN CHIN PANG Curtis H.K.
Tsa LEE KOON HUNG K SIU WAI CHEUNG CHAN Kwok Kam Esther YUEN LEUNG KAM SHEK Stella Chu CHAN KWOK KEUNG Eva Chung LI Kim Wah TAM CHI HO CHAN SHIU CHUAN FONG CHI KIT LI Siu Kai TAM Kin Fai CHAN TAI HING Henry Leung LI Yuet Cheung TSANG KWOK TUNG CHAN TAI MING R HO CHUN WAH MA Hei Man TSO Yee Yee Charles Wu HO KIM MAN ALBE MA SUI WAH WONG Chi Man CHEUK Suk Lai Josephine Wan MICHAEL LEUNG WONG Hoi Shan CHEUNG KAM HOI Karl Leung MO Hoi Yu WONG Siu Fai CHEUNG SAI MING Ken LI MONTAGUE NIGEL WONG WAI YIP FR CHIK FUNG YING Kit K. KO NG HOI KOW Wong Y.L. Lawre CHIU SUET FAN J LAI HING BIU NG SZE CHIU EDD WOO HUNG CHEUNG Chou Siu Chuen LAI Man Chiu Nick Urbanik WOO Kin Fan CHUNG Ming Kit LAM Lai Hang PATRICK K.S. TO YIM KWOK HO CHU SHING TSU J LAU KWOK ON POON Chun Chung Y.K. Leung Clarence Lau LAU Siu Ying Rick Liu Clarence Lo LAW Yuk Woon SCOTT ALBERT HE
\end{alltt}
\end{frame}

\begin{frame}{\texttt{ldapsearch}}
  \label{sld:using-ldapsearch-3-bind}
  \begin{itemize}
  \item Needs the \texttt{-x} option (simple bind rather than \acro{SASL}) to work here
  \item Check that \acro{TLS} works with the \texttt{-ZZ} option: it issues StartTLS on the normal port and fails the search if \acro{TLS} cannot be established
  \item Can ``bind'' as a user to get all the information you are allowed to see after binding:
    \begin{alltt}\footnotesize
$ \textbf{ldapsearch -x -W -D \bs
    "uid=nicku,ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk" \bs
    '(uid=nicku)'}
    \end{alltt}%$
  \item Can then see one's own \texttt{userPassword} attribute (normally a hash), if the \acro{ACL}s permit it
  \item Without \texttt{-Z}/\texttt{-ZZ} or an \texttt{ldaps://} \acro{URI}, a simple bind sends the password in clear text
  \end{itemize}
\end{frame}

\begin{frame}{\LDAP URLs: RFC 2255}
  \begin{itemize}
  \item Have the form
    \texttt{ldap://\meta{host}:\meta{port}/\meta{base}?\meta{attr}?\meta{scope}?\meta{filter}}
    {\footnotesize
\begin{verbatim}
ldapurl = "ldap://" [hostport] ["/" [dn ["?" [attributes]
              ["?" [scope] ["?" [filter] ["?" extensions]]]]]]
\end{verbatim}%
    }
  \item Every part after the scheme is optional: an omitted \meta{attr} means all user attributes, an omitted \meta{scope} means \texttt{base}, and an omitted \meta{filter} means \texttt{(objectClass=*)}
  \item The \meta{base} or \texttt{dn} is the distinguished name of the starting entry for your search.
  \item \meta{scope} is one of \texttt{base}, \texttt{one} or \texttt{sub}
  \item Example:
    {\scriptsize
\begin{verbatim}
ldap://ictlab/ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk?uid?one?(uid=nicku)
\end{verbatim}%
    }
    %% \item Can enter this into Netscape 4.7.x to see \LDAP entry for me:
    %% \item ldap://ictlab/ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk??one?(uid=nicku)
  \end{itemize}
\end{frame}

\begin{frame}{\texttt{mod\_auth\_ldap} with Apache}
  \ptsize{11}
  \begin{itemize}
  \item \texttt{mod\_auth\_ldap} is part of the \texttt{httpd} \RPM package on Fedora Core versions 1 to 4.
  \item Here we allow staff, or students from group~W, year~3 \CSA, to access the web pages under \url{http://hostname/group-w/} if the user provides a correct password:
    {\scriptsize
\begin{verbatim}
AuthType Basic
AuthName "LDAP authentication to class W only"
AuthLDAPURL ldap://ldap.tyict.vtc.edu.hk/
    ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk?uid?one?
    (|(acType=STF)(&(course=41300)(classCode=W)(year=3)))
require valid-user
\end{verbatim}%
    }
    (The \texttt{AuthLDAPURL} is wrapped here; it must be on one line in the real configuration.)
  \item The filter in the \acro{URL} does the authorisation: a user whose entry does not match it never gets as far as a password check.
  \item Basic authentication sends the password in clear on every request, so serve such pages over \acro{HTTPS}, and use \texttt{ldaps://} in the \texttt{AuthLDAPURL} so that the bind to the directory is encrypted too.
  \item {\tiny See \url{http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html}, and also \url{http://httpd.apache.org/docs-2.0/mod/mod_ldap.html} for the manual.}
  \end{itemize}
\end{frame}

\begin{frame}{Authenticating web pages---continued}
  \begin{itemize}
  \item Unfortunately, \texttt{mod\_auth\_ldap} disappeared from Red Hat 8.0 and 9, to reappear in Fedora Core but not \acro{RHEL} 3, where another module was provided that did not work the same way.
  \item I ended up modifying \texttt{Apache::AuthNetLDAP} (available with my changes from \acro{CPAN})
  \item I used that on our servers in the department.
    \begin{itemize}
    \item \ldots\,a more portable method of authentication, \emphcolour{provided} we are using \texttt{\red{}mod\_perl}
    \end{itemize}
  \item I haven't tried it with the final \texttt{mod\_perl} version 2 on FC4 yet.
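  \item Added example (not code from these slides, nor from Apache): a Python parser for \acro{RFC} 2255 \acro{URL}s such as the \texttt{AuthLDAPURL} above. It applies the \acro{RFC}'s defaults for missing parts and turns the result into the equivalent \texttt{ldapsearch} command line, adding \texttt{-ZZ} for a plain \texttt{ldap://} \acro{URL} so that a bind is never sent in clear. The \texttt{localhost} default for a missing host is an assumption (the \acro{RFC} leaves that to the client).

```python
"""Parse RFC 2255 LDAP URLs (added example; not code from the slides).

An LDAP URL looks like

    ldap://host:port/dn?attributes?scope?filter?extensions

and every part after the scheme is optional.  Defaults follow RFC 2255:
no attributes means "all user attributes", no scope means "base", no
filter means "(objectClass=*)".  A missing host is our own assumption
("localhost"); RFC 2255 leaves the choice to the client.
"""
from urllib.parse import urlsplit, unquote

SCOPES = ("base", "one", "sub")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return a dict with scheme, host, port, dn, attrs, scope, filter, extensions."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit puts everything after the first '?' into .query; RFC 2255
    # separates the remaining fields with further '?' characters.  Split
    # first and percent-decode each field afterwards, so that a %3F inside
    # a field is not mistaken for a separator.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs_s, scope_s, filter_s, ext_s = (unquote(f) for f in fields[:4])
    scope = scope_s.lower() or "base"
    if scope not in SCOPES:
        raise ValueError("bad scope %r" % scope_s)
    return {
        "scheme": scheme,
        "host": parts.hostname or "localhost",        # assumption, see docstring
        "port": parts.port or DEFAULT_PORT[scheme],
        "dn": unquote(parts.path[1:]) if parts.path.startswith("/") else "",
        "attrs": [a for a in attrs_s.split(",") if a],
        "scope": scope,
        "filter": filter_s or "(objectClass=*)",
        "extensions": [e for e in ext_s.split(",") if e],
    }


def to_ldapsearch(u, starttls=True):
    """Build the equivalent OpenLDAP ldapsearch(1) argument list.

    For a plain ldap:// URL we add -ZZ so that ldapsearch insists on
    StartTLS: a simple bind (-x with -D and -W) over unencrypted LDAP would
    otherwise send the password in clear.  ldaps:// is already encrypted.
    """
    argv = ["ldapsearch", "-x",
            "-H", "%s://%s:%d" % (u["scheme"], u["host"], u["port"]),
            "-b", u["dn"], "-s", u["scope"]]
    if starttls and u["scheme"] == "ldap":
        argv.append("-ZZ")
    argv.append(u["filter"])
    argv.extend(u["attrs"])
    return argv


if __name__ == "__main__":
    # The URL from the slides, and an AuthLDAPURL-style one with a space encoded as %20.
    for url in ("ldap://ictlab/ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk?uid?one?(uid=nicku)",
                "ldap:///dc=example,dc=org?cn?sub?(cn=Babs%20Jensen)"):
        u = parse_ldap_url(url)
        print(u)
        print(" ".join(to_ldapsearch(u)))
```

Note that Apache expects spaces inside an \texttt{AuthLDAPURL} filter to be written as \texttt{\%20}; the parser decodes each field separately so that an encoded \texttt{?} inside a value cannot split the fields.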
  \end{itemize}
\end{frame}

\part{ICT Schema Design}

\begin{frame}{Authorisation of Students and Staff}
  \begin{itemize}
  \item We need a new schema to support the required attributes
  \item We create three new objectClasses and their associated attributes; all three are \texttt{AUXILIARY}, so they are added to an existing \texttt{person}/\texttt{posixAccount} entry rather than replacing it
  \item The first is common to students and staff:
    {\scriptsize
\begin{verbatim}
objectclass ( 1.3.6.1.4.1.11400.2.2.1 NAME 'institute' SUP top AUXILIARY
    DESC 'Any person in the institute, staff or student'
    MAY ( acOwner $ acType $ answer1 $ answer2 $ answer3 $
          batchUpdateFlag $ department $ site $ instituteEmail ) )
\end{verbatim}%
    }
  \item See slides \pageref{sld:oids}--\pageref{sld:oids-picture} for more about the funny numbers (the \acro{OID}s, allocated under the \acro{IANA} private enterprise number 11400).
  \end{itemize}
\end{frame}

\begin{frame}{Other objectTypes for IVE}
  \begin{itemize}
  \item Then on top of this, we have attributes for students:
    {\footnotesize
\begin{verbatim}
objectclass ( 1.3.6.1.4.1.11400.2.2.2 NAME 'student' SUP top AUXILIARY
    DESC 'A student in the institute'
    MAY ( academicYear $ award $ classCode $ course $ courseDuration $
          FinalYear $ registrationDate $ year $ fullPartTime ) )
\end{verbatim}%
    }
  \item \ldots and staff:
    {\footnotesize
\begin{verbatim}
objectclass ( 1.3.6.1.4.1.11400.2.2.3 NAME 'staff' SUP top AUXILIARY
    DESC 'A staff member of the institute.'
    MAY ( titleDes $ employerID ) )
\end{verbatim}%
    }
  \end{itemize}
\end{frame}

\begin{frame}{The whole schema for IVE}
  \begin{itemize}
  \item The whole schema can be seen here: \footnotesize \url{http://ictlab.tyict.vtc.edu.hk/oids/institute.schema}
  \item If the planets are aligned, then this \href{run:gedit institute.schema}{local link} will work.
    %but \href{run:less institute.schema}{this local link} will not
    %work at all.
  \end{itemize}
\end{frame}

\begin{frame}{Case Study: ICT laboratories}
  \begin{itemize}
  \item Old system:
    \begin{itemize}
    \item An ancient \acro{DEC} Alpha running \NIS
    \item Hardware insufficient for demand
    \item \emphcolour{Very} expensive maintenance, so we stopped paying for it
    \item The technician reported a hardware failure close to the first day of term
    \end{itemize}
  \item New system:
    \begin{itemize}
    \item We were planning to introduce \LDAP authentication gradually
    \item The failure forced us to move faster than planned
    \item Needed to maintain the old legacy accounts, plus introduce new accounts
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}{ICT case study}
  \begin{itemize}
  \item We chose Open\LDAP on Linux
  \item Running on an Acer Altos dual-\CPU P-III
  \item Migrated from \NIS using the migration scripts provided with Open\LDAP (the \texttt{padl} scripts)
  \item Migrated from the \VTC \LDAP accounts using a Perl program, written (quickly!) for the purpose
  \item It uses the \texttt{Net::LDAP} Perl modules
  \end{itemize}
\end{frame}

\begin{frame}{ICT case study --- 2}
  \begin{itemize}
  \item After migrating the legacy accounts, and creating new accounts for staff, full- and part-time students, we had more than 5000 accounts
  \item The \LDAP server was running under a high \CPU load
  \item Was able to solve this using caching:
    \begin{itemize}
    \item Use \texttt{nscd} (name service caching daemon) on the clients
    \item Use memory in the server to increase the local cache size drastically
    \end{itemize}
  \item \CPU load reduced to a very acceptable level
  \end{itemize}
\end{frame}

\section{Flat, Hierarchical Structures}

\begin{frame}{Directory Structure --- 1}
  \begin{itemize}
  \item The ICT \LDAP server namespace design:
  \end{itemize}
  \vspace*{4ex}
  \begin{center}
    \includegraphics[width=\slideWidth]{ldap-schema-ict}
  \end{center}
\end{frame}

\begin{frame}{Directory Structure --- 2}
  \begin{itemize}
  \item We chose a fairly flat directory structure
  \item Recommended by the reference (pages 239, 249)
  \item Reason: flexibility; it allows for change without major reorganisation of the data
  \end{itemize}
\end{frame}

\begin{frame}{Hierarchical Directory Structure}
  \begin{itemize}
  \item This directory structure is hierarchical:
  \end{itemize}
  \vspace*{2ex}
  \begin{center}
    \includegraphics[width=\slideWidth]{ldap-schema-hierarchical}
  \end{center}
\end{frame}

\begin{frame}{New VTC \LDAP Namespace}
  \begin{itemize}
  \item This new \VTC \LDAP namespace was introduced in April 2003:
  \end{itemize}
  \vspace*{2ex}
  \begin{center}
    \includegraphics[width=\slideWidth]{ldap-schema-vtc-2003}
  \end{center}
\end{frame}

\begin{frame}{Hierarchical Directory Structure}
  \begin{itemize}
  \item This is an alternative data arrangement: divide the tree into different campuses
  \item Advantage: can easily delegate management to the local campus
  \item But: suppose ENG changes its name to EE?
  \item Suppose staff move from one department to another?
  \item Suppose equipment is transferred?
  \item Then we not only need to change the attributes in the entry, but also move the entry: its \acro{DN} changes, and everything that refers to that \acro{DN} (group memberships, \acro{ACL}s) must be updated too.
  \item Overall, a flatter structure is easier to manage.
  \end{itemize}
\end{frame}

\begin{frame}{Directory Design Guidelines}
  \begin{itemize}
  \item Design as flat as possible, given these constraints:
    \begin{itemize}
    \item Replication
    \item Access control
    \item Limitations of the directory software
    \item Requirements of the applications that use the directory
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}{Designing a Schema}
  \begin{itemize}
  \item After selecting the schema attributes needed for your application, you may find that not all are available with the server
  \item Search the web for more schemas
  \item If none provides all you need:
    \begin{itemize}
    \item Select a suitable structural base class
    \item Create an auxiliary class to be used with the base class
    \item Define the objectClass and its attributes, under an \acro{OID} arc you own
    \end{itemize}
  \end{itemize}
\end{frame}

\begin{frame}{Designing a Schema: Example}
  \begin{itemize}
  \item For our \ICT \LDAP server, we use enough attributes to be able to log in
  \item But we also want to select users on the basis of course, year and class
  \item Want to add these attributes to the existing
objectClasses
  \item Create three object classes:
    \begin{itemize}
    \item Institute
    \item Student
    \item Staff
    \end{itemize}
  \end{itemize}
\end{frame}

\part{Maintenance}

\begin{frame}{Building the original directory}
  \begin{itemize}
  \item I built the original directory from the old failing \acro{NIS} data, using some modified \texttt{padl} import scripts
  \item Then I quickly wrote a \href{run:gedit programs/migrate-users}{nasty Perl script} that reads the \LDAP data from the \VTC directory server, and builds \POSIX accounts from that data
  \item The nasty Perl script stuck around, and we have used it ever since.
  \item I extended it to read the student enrolment data directly.
    \begin{itemize}
    \item \ldots\,this was only available in ``unparseable'' \acro{PDF} files with about 7--10 students per A3 page!
    \end{itemize}
  \item Henry now uses the Perl programs written by Gerald Carter that come with \texttt{samba}.
  \end{itemize}
\end{frame}

\part{Problems and solutions}

\begin{frame}{How we started up}
  \begin{itemize}
  \item The original machine was an Acer Altos P-III with 256\,\acro{MB} \RAM
  \item Running Red Hat 7.1, openldap 2.0.x.
  \item It was providing:
    \begin{itemize}
    \item Home directories by \NFS
    \item Web service to the Internet
    \item telnet \texttt{:-(} and \SSH login for students to do their programming assignments on
    \item \ldots\,and now \LDAP accounts for all our students (there were 5000 accounts).
    \end{itemize}
  \end{itemize}
\end{frame}

\part{Performance}

\begin{frame}{Problems}
  \begin{itemize}
  \item \CPU load would get very high when assignments were left running with tight, infinite loops (a load average of 10 or so)
  \item \CPU load would get very high when classes logged in (a load average of about 4--6)
  \item Occasionally the \CPU load would go up to 10 and stay there solidly for a while, and the load would be all from \texttt{slapd}.
  \end{itemize}
\end{frame}

\begin{frame}{Solutions}
  \begin{itemize}
  \item Open\LDAP came with tiny default values for memory and disk caching.
    Needed to increase this to a much higher level. In \url{/etc/openldap/slapd.conf}:
\begin{verbatim}
cachesize    100000
dbcachesize  25600000
timelimit    60
\end{verbatim}
    (\texttt{cachesize} is the entry cache; \texttt{dbcachesize} is the \texttt{ldbm} backend's database cache, in bytes. With the \texttt{bdb} backend the database cache is set in \texttt{DB\_CONFIG} instead.)
  \item Index all the common searches your system will do:
    \begin{itemize}
    \item Enable logging of all search filters (\texttt{loglevel 256} logs every operation, including the filter of every search)
    \item Index almost every attribute you see being searched for, with the index type the filter needs: \texttt{eq} for \texttt{=}, \texttt{sub} for \texttt{*} wildcards, \texttt{pres} for \texttt{=*}
    \end{itemize}
  \item Enable caching on the clients
    \begin{itemize}
    \item Turn on the Name Service Caching Daemon (\texttt{nscd})
    \end{itemize}
  \item Add \RAM to the directory server (we added up to a total of 1\,\acro{GB})
  \item We didn't do this, but obviously, use replication to two or more \LDAP servers, one master, the others slaves, and round-robin \DNS to select the directory server.
  \end{itemize}
\end{frame}

\begin{frame}{The FAM storm problem}
  \begin{itemize}
  \item An amazing problem occurred when older Red Hat (about 7.2) client machines were booted: the \texttt{fam} daemon (file alteration monitor) on the client would be involved in causing a storm of \LDAP requests that would drive the \CPU usage of the server to stratospheric limits.
  \item Used cricket \url{http://cricket.sourceforge.net/} to monitor \CPU and network usage on the server
    \begin{itemize}
    \item See my notes on \href{http://nicku.org/snm/lab/cricket/cricket.pdf}{cricket}, \href{http://nicku.org/snm/lectures/snmp/snmp-print.ppt}{snmp}, \href{http://nicku.org/snm/lectures/snmp-v3/snmp-v3.pdf}{snmp version 3} and \emphcolour{all} my \emphcolour{free} \link{network management notes}{http://nicku.org/snm/}
    \end{itemize}
  \item Wrote a Perl program to watch the \LDAP logs and send me an email if there were any problems.
  \item Upgraded clients to a later version of Red Hat, or turned off the \texttt{fam} service.
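  \item Added example (not the Perl program mentioned above, nor code from these slides): a Python script that follows the advice on the Solutions slide, reading the search filters that \texttt{loglevel 256} writes to syslog and producing the \texttt{index} directives for \path{slapd.conf}, so that the attributes actually being searched (including the \texttt{acType}/\texttt{year}/\texttt{course}/\texttt{classCode} authorisation filters) get indexed. The log lines are constructed in the format Open\LDAP 2.x uses at that log level; counting \texttt{>=}/\texttt{<=} filters under the \texttt{eq} index is an assumption.

```python
"""Derive slapd.conf index directives from OpenLDAP stats logging (added example).

Not code from the slides.  It follows the advice on the Solutions slide:
turn on logging of search filters (``loglevel 256`` logs every operation)
and index the attributes that are actually searched.  SAMPLE_LOG below is
constructed in the shape of OpenLDAP 2.x syslog output at that level;
adjust the regular expressions if your release prints the lines differently.
"""
import re
from collections import Counter, defaultdict

# One SRCH line per search operation, carrying base, scope, deref and the filter.
_SRCH = re.compile(r'\bSRCH base="[^"]*" scope=\d+ deref=\d+ filter="([^"]*)"')
# Leaf assertions inside a filter.  Values cannot contain an unescaped ')',
# so [^()]* is exact; '&', '|' and '!' only combine leaves and need no index.
_LEAF = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)\)")

INDEX_ORDER = ("pres", "eq", "approx", "sub")   # the order slapd.conf usually lists them


def index_type(op, value):
    """Map one filter assertion to the slapd index type that can serve it."""
    if op == "~=":
        return "approx"
    if op == "=" and value == "*":
        return "pres"
    if op == "=" and "*" in value:
        return "sub"
    # Plain equality.  Ordering filters (>=, <=) have no index type of their
    # own; counting them under 'eq' is this script's assumption.
    return "eq"


def analyse(lines):
    """Return (filter_counts, needs): how often each filter ran, and which
    index types each attribute needs, keyed by the attribute's first-seen spelling."""
    filters = Counter()
    needs = defaultdict(set)
    spelling = {}
    for line in lines:
        m = _SRCH.search(line)
        if not m:
            continue
        filt = m.group(1)
        filters[filt] += 1
        for attr, op, value in _LEAF.findall(filt):
            key = attr.lower()                  # attribute names are case-insensitive
            spelling.setdefault(key, attr)
            needs[key].add(index_type(op, value))
    return filters, {spelling[k]: v for k, v in needs.items()}


def recommend_index(lines):
    """slapd.conf 'index' lines, one per searched attribute."""
    _, needs = analyse(lines)
    return ["index %s %s" % (attr, ",".join(t for t in INDEX_ORDER if t in types))
            for attr, types in sorted(needs.items(), key=lambda kv: kv[0].lower())]


def top_filters(lines, n=3):
    """The n most frequent filters, most common first."""
    return analyse(lines)[0].most_common(n)


_PFX = "Jun 24 20:20:%02d ictlab slapd[1234]: conn=%d op=%d "
_BASE = 'base="ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk" scope=2 deref=0 filter="%s"'
SAMPLE_LOG = [  # constructed sample, not a real capture
    _PFX % (1, 101, 0) + "SRCH " + _BASE % "(&(objectClass=posixAccount)(uid=nicku))",
    _PFX % (1, 101, 0) + "SEARCH RESULT tag=101 err=0 nentries=1 text=",
    _PFX % (2, 102, 1) + 'SRCH base="dc=tyict,dc=vtc,dc=edu,dc=hk" scope=2 deref=0 '
                         'filter="(&(objectClass=posixGroup)(memberUid=nicku))"',
    _PFX % (3, 103, 1) + 'SRCH base="ou=People,dc=tyict,dc=vtc,dc=edu,dc=hk" scope=1 deref=0 '
                         'filter="(|(acType=STF)(&(year=3)(course=41300)(classCode=W)))"',
    _PFX % (4, 104, 2) + "SRCH " + _BASE % "(&(objectClass=posixAccount)(uidNumber=1001))",
    _PFX % (5, 105, 0) + "SRCH " + _BASE % "(cn=Babs J*)",
    _PFX % (6, 106, 0) + "SRCH " + _BASE % "(&(objectClass=posixAccount)(uid=nicku))",
    _PFX % (7, 107, 0) + "SRCH " + _BASE % "(mail=*)",
]


if __name__ == "__main__":
    for filt, n in top_filters(SAMPLE_LOG):
        print("%4d  %s" % (n, filt))
    print("\n".join(recommend_index(SAMPLE_LOG)))
```

Every index costs write time and disk, and a \texttt{sub} index is only valid on attributes whose syntax has a substring matching rule (not integer ones such as \texttt{uidNumber}), so review the list before pasting it in; after changing the \texttt{index} lines, stop \texttt{slapd} and run \texttt{slapindex}.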
  \end{itemize}
\end{frame}

\begin{frame}{Problem with automounter}
  \begin{itemize}
  \item We used the automounter to mount home directories when people log in
  \item The automounter uses \LDAP version 2
  \item Open\LDAP 2.$x$.$y$, where $x>0$, defaults to version 3 \emphcolour{only}
  \item Need to enable \LDAP version 2 in \path{/etc/openldap/slapd.conf} with
\begin{verbatim}
allow bind_v2 bind_anon_dn
\end{verbatim}
  \item Caveat: \texttt{bind\_anon\_dn} lets a client bind with a \acro{DN} and an \emphcolour{empty} password and succeed (as anonymous). An application that ``checks'' a password by attempting a bind will then accept an empty password, so make sure every such application rejects empty passwords before it binds.
  \end{itemize}
\end{frame}

\begin{frame}{Problem with shared Gconf data}
  \begin{itemize}
  \item When people log in twice, both times using Gnome, then things go horribly weird
  \item From memory: the panel does not work properly, and clicking on some things doesn't work.
  \item The problem appears to be that the same Gconf data is shared out over \NFS, and there is a file lock to ensure exclusive access.
  \item I haven't found a workaround except KDE or something else that does not use GConf.
  \item I'd be very grateful for ideas here.
  \end{itemize}
\end{frame}

\begin{frame}{How the server is now}
  \begin{itemize}
  \item It is now running nicely on a single P4 system that my friend Henry built, running a \acro{RHEL} 3 clone (actually, the Department paid for a \acro{RHEL} licence, but perhaps never got around to using it)
  \item Just before I left, I tendered for an Adaptec hardware cluster system suitable for running the Red Hat cluster manager
  \item My friend Henry has been too busy to get it up and running. Besides, the old P4 system works well.
  \item Students do not log into the server very often any more. Better to ban this completely right from the start!
  \item If I started from scratch again, I would use a shorter \acro{DN} suffix: \path{dc=tyict,dc=vtc,dc=edu,dc=hk} simply adds unnecessary bulk to the directory storage on disk. I would have used \path{o=ICT}.
  \item At home I use \path{dc=nicku,dc=org}, which is not too much to type.
  \end{itemize}
\end{frame}

\section{Samba}

\begin{frame}{Samba gotchas}
  \begin{itemize}
  \item Refer to the latest version of \link{\red\footnotesize{}Samba-3 by Example: Practical Exercises in Successful Samba Deployment}%
    {http://samba.mirror.aarnet.edu.au/samba/docs/man/Samba-Guide/}
  \item Carefully follow the steps in the section \href{http://samba.mirror.aarnet.edu.au/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap}{\footnotesize{}Samba Domain with Samba Domain Member Server Using LDAP} \path{http://samba.mirror.aarnet.edu.au/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap}.
  \item You need to set up the smbldap tools so that they do not get overwritten as your samba setup is updated.
  \item The computers needed to be put in the same place (in the directory tree) as the user accounts (this was true for recent versions of samba)
  \item You don't need \texttt{winbind} if you are running a samba \PDC, only if you want to authenticate Linux machines to a Windows server.
  \end{itemize}
\end{frame}

\begin{frame}{The Administrator account}
  \begin{itemize}
  \item The biggest concern to me has been putting a root account in the directory
  \item My conscience screams at me!
  \item The latest samba supports non-root administrators for joining machines to the domain.
  \item I haven't tried that yet.
  \item Other concern: the \texttt{smbldap} tools need to read the administrator password
  \item So does samba
  \item samba reads it from \path{/etc/samba/secrets.tdb}
  \item It would be nice to write a program to read it from there for the \texttt{smbldap} tools, so that it only needs to be maintained in one place.
  \item My crude attempt used \texttt{tdbdump}, part of samba.
  \end{itemize}
\end{frame}

\section{Stuff I didn't talk about}

\begin{frame}{Didn't include}
  \begin{itemize}
  \item replication
  \item distributed directories
  \item access control lists (for examples, see \href{run:gedit data/slapd-ictlab.conf}{slapd.conf on ictlab}, \href{run:gedit data/slapd-nicku.conf}{slapd.conf on nicku}, and the \href{run:gedit programs/gen-acls.pl}{program to make ACLs for student \LDAP workshops}).
  \item How the automounter is set up to run from \LDAP
  \item simplicity of client setup using \texttt{authconfig} (or kickstart) with Red Hat/Fedora
  \item Setting up local user accounts and network user accounts
  \item Use of GQ or directory\_administrator, \LDAP Account Manager
  \item high availability
  \item the \href{http://directory.fedora.redhat.com/wiki/Main_Page}{fabulous new Fedora Directory Server}
  \item Life, the Universe and Everything.
  \end{itemize}
\end{frame}

\section{References}

\begin{frame}{References}
  \ptsize{10}\footnotesize
  \begin{itemize}
  \item \emph{LDAP System Administration}, Gerald Carter, O'Reilly, March 2003, ISBN 1-565-92491-6
  \item \emph{Understanding and Deploying LDAP Directory Services} (2nd edition), Timothy A. Howes, Mark C. Smith and Gordon S. Good, Addison-Wesley Professional, May 2003, ISBN 0-672-32316-8
  \item \emph{Understanding and Deploying LDAP Directory Services} (1st edition), Timothy Howes, Mark Smith and Gordon Good, Macmillan, 1999. Tsing Yi library: TK 5105.595.H69 1999
  \item \emph{LDAP Programming, Management and Integration}, Clayton Donley, Manning Publications, 2003, ISBN 1-930110-40-5
  \item \emph{LDAP Directories Explained: An Introduction and Analysis}, Brian Arkills, Addison-Wesley, 2003, ISBN 0-201-78792-X
\item \emph{Understanding LDAP Redbook} (registration required): \url{http://www.redbooks.ibm.com/abstracts/sg244986.html} \item \emph{LDAP Implementation Cookbook Redbook} (registration required): \url{http://www.redbooks.ibm.com/abstracts/sg245110.html} \item \emph{Implementing LDAP}, Mark Wilcox, Wrox Press, 2000 \item The many \RFC{}s are helpful. \end{itemize} \end{frame} \begin{frame}{The RFCs} You could get a list of (most) of the relevant RFCs with something like this: \begin{alltt}\scriptsize $ \textbf{wget -O - ftp://ftp.isi.edu/in-notes/rfc-index.txt 2>/dev/null \bs | perl -n00 -e "print if /ldap|lightweight/i and not /obsoleted\bs{}s*by/i"}\tiny 1823 The LDAP Application Program Interface. T. Howes, M. Smith. August 1995. (Format: TXT=41081 bytes) (Status: INFORMATIONAL) 2164 Use of an X.500/LDAP directory to support MIXER address mapping. S. Kille. January 1998. (Format: TXT=16701 bytes) (Obsoletes RFC1838) (Status: PROPOSED STANDARD) 2247 Using Domains in LDAP/X.500 Distinguished Names. S. Kille, M. Wahl, A. Grimstad, R. Huber, S. Sataluri. January 1998. (Format: TXT=12411 bytes) (Status: PROPOSED STANDARD) 2251 Lightweight Directory Access Protocol (v3). M. Wahl, T. Howes, S. Kille. December 1997. (Format: TXT=114488 bytes) (Updated by RFC3377, RFC3771) (Status: PROPOSED STANDARD) 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions. M. Wahl, A. Coulbeck, T. Howes, S. Kille. December 1997. (Format: TXT=60204 bytes) (Updated by RFC3377) (Status: PROPOSED STANDARD) 2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. M. Wahl, S. Kille, T. Howes. December 1997. (Format: TXT=18226 bytes) (Obsoletes RFC1779) (Updated by RFC3377) (Status: PROPOSED STANDARD) 2254 The String Representation of LDAP Search Filters. T. Howes. December 1997. (Format: TXT=13511 bytes) (Obsoletes RFC1960) (Updated by RFC3377) (Status: PROPOSED STANDARD) 2255 The LDAP URL Format. T. Howes, M. Smith. 
December 1997. (Format: TXT=20685 bytes) (Obsoletes RFC1959) (Updated by RFC3377) (Status: PROPOSED STANDARD)
\end{alltt}%$
\end{frame}

\begin{frame}{RFC numbers}
  And while we're crazy, let's see the RFC numbers:
  \begin{alltt}\footnotesize
$ \textbf{cat ldap-rfc-list.txt | perl -n00 -e \bs
  '\{($rfc)=split;push @R, $rfc\}END\{print join " ", @R, "\bs{}n"\}'}
1823 2164 2247 2251 2252 2253 2254 2255 2256 2307 2587 2589 2649 2657
2696 2713 2714 2739 2798 2820 2829 2830 2849 2891 2926 2927 3045 3062
3088 3112 3296 3352 3377 3383 3384 3494 3663 3671 3672 3673 3674 3687
3698 3703 3712 3727 3771 3828 3829 3866 3876 3909 3928 4104
$ \textbf{ls /usr/share/doc/openldap-devel-2.2.23/rfc}\scriptsize
INDEX        rfc2293.txt  rfc2798.txt  rfc3296.txt  rfc3703.txt
rfc1274.txt  rfc2294.txt  rfc2829.txt  rfc3377.txt  rfc3712.txt
rfc2079.txt  rfc2307.txt  rfc2830.txt  rfc3383.txt  rfc3727.txt
rfc2247.txt  rfc2377.txt  rfc2849.txt  rfc3663.txt  rfc3771.txt
rfc2251.txt  rfc2587.txt  rfc2891.txt  rfc3671.txt  rfc3829.txt
rfc2252.txt  rfc2589.txt  rfc2926.txt  rfc3672.txt  rfc3866.txt
rfc2253.txt  rfc2649.txt  rfc3045.txt  rfc3673.txt  rfc3876.txt
rfc2254.txt  rfc2696.txt  rfc3062.txt  rfc3674.txt  rfc3909.txt
rfc2255.txt  rfc2713.txt  rfc3088.txt  rfc3687.txt  rfc3928.txt
rfc2256.txt  rfc2714.txt  rfc3112.txt  rfc3698.txt
  \end{alltt}%$
\end{frame}

\end{document}

TODO for the talk:
1. Install openldap-server, clients, etc.
2. Copy my assignment info
3. Copy my laboratory lab sheets
4. Ensure that all necessary Net::LDAP support modules are installed
5. Install evince, see if it is the best tool to display the slides
6. Turn off all other services on this old notebook so that the machine can boot in a reasonable time, and run a little faster.
7. Ensure that slocate, prelink, ... won't run during the talk.
8. Find out about network access in the lecture theatre.
9. Set up a directory and decide on appropriate demos for the talk.
10. Install Apache::AuthNetLDAP and set up demo. Write up in these slides.
Implies that we need apache, and some entertaining web page. 11. Bring a long network cable. 12. Install GQ and Directory-administrator, and the one recommended in the SAMBA books, fiddle enough to produce a short demo with my directory. 13. Set up a suitable SSL certificate. 14. Bring the schemas, and ictlab's slapd.conf, enterprise-numbers. Bring: Samba books LDAP books