ldap
play

LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 - PowerPoint PPT Presentation

Apr 22, 2023 •467 likes •544 views

What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP

  1. What is LDAP Lightweight Directory Access Protocol Phonebook Based on X.500 DAP on OSI stack Developed in '93 @ UMich LDAP LDAPv3, Internet Standard RFC4510 RFC 4510-4521 and about 40 others for extensions Many implementations OpenLDAP Getting Started with LDAP for small Apache Directory Server and large setups. Sun Java System Directory (SunONE/iPlanet/Netscape) Novell eDirectory Microsoft Active Directory many others... What is a directory... What can be stored in LDAP Directory is a tree of entries Basically anything you can think of Basic operations: Mostly used for: Search User accounts and group related data Compare Phone and address book Add Mail accounts Modify Configuration data for various systems Delete Other examples: Optimized for quick access, read performance Sudo configuration LDAP server can serve multiple trees Evolution Addressbook Schema's define and describe the contents of the directory Bitlbee configuration and buddy-list Collection of Attributes and Classes: CUPS configuration Syntax ... Globally unique Object Identifiers (ASN.1)

  2. Example LDAP Data A sample schema ... attributetype ( 1.3.6.1.4.1.15953.9.1.5 LDAP data is usually presented in LDIF (LDAP Data NAME 'sudoOption' Interchange Format). DESC 'Options(s) followed by sudo' dn: o=Snow, c=nl EQUALITY caseExactIA5Match o: Snow SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # IA5String (7-bit ascii) objectclass: organization dn: cn=Mark Janssen, o=Snow, c=nl cn: Mark Janssen objectclass ( 1.3.6.1.4.1.15953.9.2.1 sn: Janssen NAME 'sudoRole' SUP top STRUCTURAL mail: m.janssen@snow.nl DESC 'Sudoer Entries' objectclass: person MUST ( cn ) MAY ( sudoUser $ ... $ sudoCommand $ ... $ sudoOption $ description ) ) ... OpenLDAP Building OpenLDAP Open source LDAP directory (slapd), interface library Requirements: (libldap, liblber) and client utilities (ldapadd, ldapsearch, BerkeleyDB 4.7 ldapmodify, etc) OpenSSL Open Source / Free Software, basically BSD-style license Configure: ./configure --with-tls=openssl --enable-overlays -- (OpenLDAP License) enable-crypt --enable-modules --enable-monitor -- Front-end server (ldap interface) with various back-ends: prefix=/opt/openldap --enable-syslog --enable-proctitle -- Storage backend (bdb,hdb, mysql, ldif) without-subdir Proxy backends (passwd, ldap, sql, ...) Installing Misc/Dynamic (config, monitor, perl, null, ...) Gathering additional schema's Overlay support http://web.singnet.com.sg/~garyttt/solaris.schema.txt Change presentation of data http://www.sudo.ws/cgi- Logging bin/cvsweb/~checkout~/sudo/schema.OpenLDAP? Custom stuff rev=1.3 Kernel-like versioning, current stable versions 2.2 and 2.4 Or use you distro-provided package if available

  3. Server configuration: slapd.conf slapd.conf database bdb include schema/core.schema suffix "dc=company,dc=nl" include schema/cosine.schema rootdn "cn=Manager,dc=company,dc=nl" include schema/nis.schema Include schema definitions include schema/solaris.schema rootpw {SSHA}PassWordHash include schema/ppolicy.schema SSL configuration include schema/duaconf.schema # Indices to maintain ACL's include schema/sudo.schema Database definition index objectClass,uid,uidNumber,index \ # TLS Certificate gidNumber,ou eq Indexes TLSCACertificateFile cacert.pem index cn,mail,surname eq,subinitial Overlays TLSCertificateFile servercrt.pem index memberUid eq TLSCertificateKeyFile server.key index nisDomain eq Sizing/Tuning TLSVerifyClient never index uniqueMember pres # ACL's # OVERLAY definitions: access to * overlay ppolicy by self read ppolicy_default "cn=default, by * read ou=policies, dc=company,dc=nl" password-hash {SSHA} Loading initial content Interacting with your directory dn: dc=company,dc=nl dn: cn=proxyagent,ou=People,... associatedDomain: company.nl userPassword:: PASSWORDHASH dc: company objectClass: top objectClass: top objectClass: person Command-line tools (ldapsearch, ldapadd, ldapmodify) objectClass: dcObject sn: proxyagent LBE: Ldap Browser and Editor (missing in action) objectClass: domain cn: proxyagentdn: cn=Manager, dc=company,dc=nl objectClass: domainRelatedObject Apache Directory Studio: http://directory.apache.org/studio/ userPassword:: PASSWORDHASH objectClass: nisDomainObject objectClass: person nisDomain: company.nl objectClass: top o: Your Company Namedn: sn: Manager ou=People,dc=company,dc=nl cn: Manager ou: People $ ldapadd -D binddn -w secret \ objectClass: top -b dc=company,dc=nl -f initial.ldif objectClass: organizationalUnit dn: cn=Users,ou=Group,dc=com... gidNumber: 1000 objectClass: top objectClass: posixGroup cn: Users

  4. Access control considerations Based on first match Specify subtree and/or attributes Rights: None/Auth/Read/Write User specifier: Wildcard, Anonymous, Self or specified. Allow access to public data Limit access to sensitive data Disallow access to private data Allow users to modify some fields (contact info) Allow system-tools access to posix account fields Apache Directory Studio ACL Examples Client configuration - generic/linux Generic access to dn.subtree="ou=People,dc=domain,dc=tld" \ Limit access to fields Install pam-ldap and nss-ldap attrs=userPassword,shadowLastChange place your cacert.pem file and certificates in /etc/ldap/ userPassword and by dn="cn=proxyagent,ou=profile,dc=domain,dc=tld" write edit pam.conf, nsswitch.conf, /etc/ldap/ldap.conf shadowLastChange by dn="cn=webagent,ou=profile,dc=domain,dc=tld" auth Red Hat Enterprise 4 or 5 by self write pre-populate /etc/ldap.conf with binddn and bindpw values (can't by anonymous auth specify these in config-tool yet) by * read Prevent users from authconfig or system-config-authentication access to attrs=uid,uidNumber,gidNumber,memberUid changing their unix Check 'Use LDAP', 'Use TLS', specify server/basedn by * read account rights Check 'Cache Information' (enable nscd) Check 'Use LDAP Authentication' and 'Local autentication is sufficient' access to dn.subtree="ou=SUDOers,dc=domain,dc=tld" Limit a tree to a specific Further ldap.conf, pam.conf and nsswitch.conf configuration is done for by dn="cn=sudoagent,ou=profile,dc=domain,dc=tld" read user or authorization. you by authconfig. by * none End-all passthrough rule. access to * by * read

  5. Client configuration - Unix Config files: /etc/(ldap)/ldap.conf Solaris 10 Create or update certificate store binddn cn=proxyagent,dc=domain,dc=tld certutil -N -d /var/ldap bindpw secret certutil -A -d /var/ldap -n 'CA Name' -i /path/to/cacert.pem -a -t CT base dc=domain,dc=tld Edit /etc/nsswitch.ldap, making sure to change the entries for hosts timelimit 120 and ipnodes to ‘files dns’ ldapclient init -v -a proxyDN=cn=proxyagent,dc=domain,dc=tld -a bind_timelimit 120 proxyPassword=secret -a domainName=domain.tld -a idle_timelimit 3600 profileName=tls_profile ldapserver.domain.tld ldapserver2.domain.tld nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon, Modify pam.conf to support ldap dbus,nscd,gdm AIX 5.3 / 6.1 uri ldap://ldapserver1.domain.tld ldap://ldapserver2 Use gsk7ikm to convert cacert.pem to a keydb Install client binaries (idsldap.clt32bit61.rte, idsldap.clt64bit61.rte, ssl start_tls idsldap.cltbase61.adt, idsldap.cltbase61.rte) tls_cacertfile /path/to/cacert.pem mksecldap -c -h ldapserver1.domain.tld,ldapserver2 -a cn=proxyagent, pam_password md5 dc=domain,dc=tld -p secret -k /path/to/your-keydb.kdb -w keydbpassword -A ldap_auth Config files: /etc/nsswitch.conf Config files: Sample pam config passwd: files ldap # Sufficient samples are included with pam_ldap and pam is hightly # OS/System dependant, this is just an example, don't just start using this. shadow: files ldap # /etc/pam.d/login group: files ldap hosts: files dns #%PAM-1.0 netgroup: files ldap auth required /lib/security/pam_securetty.so auth required /lib/security/pam_nologin.so automount: files ldap auth sufficient /lib/security/pam_ldap.so sudoers: files ldap auth required /lib/security/pam_unix_auth.so try_first_pass account sufficient /lib/security/pam_ldap.so account required /lib/security/pam_unix_acct.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_ldap.so password required /lib/security/pam_pwdb.so use_first_pass session required /lib/security/pam_unix_session.so

Recommend

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP

Introduction to LDAP Frank A. Kuse Introduction to LDAP AGENDA Understanding LDAP LDAP Servers Information Structure Protocol Overview LDAP operations UNDERSTANDING LDAP LDAP stands for Lightweight Directory Access

268 views • 12 slides
How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

How we implemented an LDAP directory Multiple Simultaneous Requests . . . . . . . . . . . . . . .

Getting Started What do you already know about ldap ? . . . . . . . . . . . . . . slide #3 What Do You Want? . . . . . . . . . . . . . . . . . . . . . . . . . . . . slide #4 Argument for LDAP Account Information . . . . . . . . . . . . . . . . .

442 views • 26 slides
LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com

LDB and the LDAP server in Samba4 Simo Sorce Samba Team idra@samba.org simo.sorce@quest.com http://www.samba.org/~idra What is LDB ? LDB is an LDAP-like database interface LDAP-like data model support LDAP like search expressions but it

1.03k views • 24 slides
DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999

DESIRE DESIRE II LDAP Indexing System 45 IETF, Oslo LDAP Service Deployment - Take 2 BoF 15. July 1999 Peter Gietz, University of Tbingen Peter.Gietz@directory.dfn.de DESIRE LDAP Index system

855 views • 12 slides
Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002

Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002

Security with LDAP Andrew Findlay Skills 1st Ltd www.skills-1st.co.uk February 2002 andrew.findlay@skills-1st.co.uk Security with LDAP Applications of LDAP White Pages NIS (Network Information System) Authentication

257 views • 15 slides
KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC

KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC

KDC LDAP Schema IETF 11/02 Donna Skibbie, IBM Overview KDC LDAP Schema draft: Defines all KDC attributes except for those used to store key data Keys Extension draft: Defines attributes used to store key data Flow of Data to LDAP

798 views • 10 slides
From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg

From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg

From LDAP to IdM Presentation at the Athens Eurocamp 2008 by Roland Hedberg <roland.hedberg@adm.umu.se> The transition -starting point Admin interface LDAP Scripts The transition - toward nirvana Admin interface LDAP Scripts

497 views • 22 slides
Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't

Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't

Testing LDAP Implementations Emmanuel Lcharny Do who need tests anyway ? OSS projects don't need it... We have users ! We have users ! LDAP project phases Initial analysis Development + tests Costs Conformance tests Tests are

501 views • 27 slides
dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit

dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit

dCache and LDAP AuthN Ron Trompert SURFsara A :ny Bit of History Number of systems Own user administra:on system Some users had access

519 views • 10 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic

Towards a Common Java LDAP API Emmanuel Lecharny Apache Directory elecharny@apache.org Ludovic Poitou OpenDS ludovic.poitou@sun.com A poor man's choice: JNDI or JLDAP/Netscape LDAP SDK Good News: Apache Directory Client API OpenDS

678 views • 20 slides
Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP

Logistics E-mail UML 2 Should have received mail from me. If not: Check LDAP entry Indicate on attendance sheet Announcements Plan for today Its Co-op time Building a software system Orientation

475 views • 3 slides
How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of

How we implemented an LDAP directory for Laboratories Nick Urbanik How we implemented an LDAP directory for Laboratories A Case Study at Hong Kong Institute of Vocational Education (Tsing Yi), Department of ICT Nick Urbanik

1.17k views • 106 slides
Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail

Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail

Logistics The never-ending LDAP problems Latest Developments Dave, got your e-mail (Cant change in mycourses) Jon, your mail bounced March 17 Lets settle things after class Enter stage left Spacethe final

382 views • 5 slides
The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to

The LDAP Directory Schema AGENDA Why do we need a good schema? From the White Pages to Access Control The Design Process The available Standards Best Practices The User object The plumbing Implementing the Schema

494 views • 47 slides
EuroCAMP Summary (in 15 mins) Diego We are at the teenager stage of IDM IDM is maturing

EuroCAMP Summary (in 15 mins) Diego We are at the teenager stage of IDM IDM is maturing

EuroCAMP Summary (in 15 mins) Diego We are at the teenager stage of IDM IDM is maturing Welcome to the schema Onion Jasmina Welcome to LDAP [the syntax] Flat tends to be better than hierarchical Feed your LDAP

297 views • 17 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
SER Authentication with Radius and LDAP Nimal Ratnayake <nimalr@learn.ac.lk> Lanka

SER Authentication with Radius and LDAP Nimal Ratnayake <nimalr@learn.ac.lk> Lanka

SER Authentication with Radius and LDAP Nimal Ratnayake <nimalr@learn.ac.lk> Lanka Education and Research Network (LEARN) and Department of Electrical & Electronic Engineering, University of Peradeniya 1 SER Authentication

1.03k views • 22 slides
Dr. Pat Selinger IBM Fellow and VP of Data Management Architecture and Technology IBM, USA DB2

Dr. Pat Selinger IBM Fellow and VP of Data Management Architecture and Technology IBM, USA DB2

Dr. Pat Selinger IBM Fellow and VP of Data Management Architecture and Technology IBM, USA DB2 and e-business Infrastructure DB2 J2EE Support JDBC, SQLJ, JTA DB2 EJB Everyplace Stored Procedures DB2 LDAP Support DB2 LDAP Support Data

478 views • 4 slides
SSO and LDAP Open Mic Webcast Josh Edwards October 7, 2015 Summary Overview of SSO What

SSO and LDAP Open Mic Webcast Josh Edwards October 7, 2015 Summary Overview of SSO What

SSO and LDAP Open Mic Webcast Josh Edwards October 7, 2015 Summary Overview of SSO What kind of SSO mechanisms are supported with Sametime? How does the rich client handle sso settings? How to configure Websphere and Sametime to

493 views • 30 slides
Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick

Integrating OpenStack with Active Directory (Because AD != LDAP) Craig Jellick Mike Dorman cjellick@godaddy.com mdorman@godaddy.com Go Daddy OpenStack Cloud Platform Group Agenda OpenStack at Go Daddy Keystone

875 views • 28 slides
UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $ ldapwhoami LemonLDAP::NG LDAP Tool Box LDAP Synchronization Connector FusionIAM WSweet Clment OUDOT KPTN Identity Solutions Manager

508 views • 24 slides
Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is "Security"? ISO/IEC 27000:2009 Information Security is... Confidentiality Integrity Availability And some other things Controls

236 views • 20 slides
Todays Objec2ves Domain Name System LDAP Cluster on Demand Oct 11, 2017 Sprenkle -

Todays Objec2ves Domain Name System LDAP Cluster on Demand Oct 11, 2017 Sprenkle -

10/11/17 Todays Objec2ves Domain Name System LDAP Cluster on Demand Oct 11, 2017 Sprenkle - CSCI325 1 Review How does DNS work? How do we assign names? What are the two ways that DNS can resolve names? How does DNS

516 views • 30 slides

More recommend