Embed Size (px)
Citation preview
Curs 2Administrarea LDAP
Servicii avansate pentru ISP
27 februarie 2017
SAISP Curs 2, Administrarea LDAP 1/34
Moto
Simplicity is a great virtue but it requires hard work to achieve itand education to appreciate it. And to make matters worse:
complexity sells better.
Edsger Dijkstra
SAISP Curs 2, Administrarea LDAP 2/34
Reminder
OpenLDAP
Securitate ın OpenLDAP
Incheiere
Intrebari
SAISP Curs 2, Administrarea LDAP 3/34
Suport
I “Unix and Linux System Administration”I Chapter 19 – Sharing System Files
I Section 19.3 – LDAP: The Lightweight Directory AccessProtocol
I “Professional Linux System Administration”I Chapter 16 – Directory Services
SAISP Curs 2, Administrarea LDAP 4/34
Outline
Reminder
OpenLDAP
Securitate ın OpenLDAP
Incheiere
Intrebari
SAISP Curs 2, Administrarea LDAP 5/34
LDAP
I director
I baza de date
I acces citire s, i scriere, frecvent de citire
I DN, RDN, DC, CN, OU
I LDAP URI
I atribute, filtre
SAISP Curs 2, Administrarea LDAP 6/34
LDAP
I director
I baza de date
I acces citire s, i scriere, frecvent de citire
I DN, RDN, DC, CN, OU
I LDAP URI
I atribute, filtre
SAISP Curs 2, Administrarea LDAP 6/34
Utilitare LDAP
I apt-get install ldap-utils
I /etc/ldap/ldap.conf
I ldapsearch, ldapadd, ldapdelete, ldapmodify,
ldappasswd
SAISP Curs 2, Administrarea LDAP 7/34
Utilitate LDAP
I centralizare informat, ii (autentificare, SSO)
I organizare, flexibilitate
I interfat,a unica de acces la date organizate/structurate
I acces rapid pentru citire
I funct, ionare peste ret,ea
I distributable
SAISP Curs 2, Administrarea LDAP 8/34
Outline
Reminder
OpenLDAP
Securitate ın OpenLDAP
Incheiere
Intrebari
SAISP Curs 2, Administrarea LDAP 9/34
OpenLDAP
I implementare de server LDAP
I ruleaza pe Linux, BSD, Mac OS X, Solaris, WindowsI instalare
I dpkg-reconfigure debconfI dialog, lowI permite configurarea bazei de date
I apt-get install slapd ldap-utilsI sau dpkg-reconfigure -plow slpad (dupa apt-get
install)
I /etc/init.d/slapd start | stop | restart
SAISP Curs 2, Administrarea LDAP 10/34
Tool-uri de interact, iune OpenLDAP
I slap* – tool-uri offlineI serverul trebuie sa fie oprit
I ldap* – tool-uri onlineI validare
I slaptestI slapcat
SAISP Curs 2, Administrarea LDAP 11/34
Configurare de baza OpenLDAP – pre v2.3
I /etc/ldap/slapd.conf
I /etc/default/slapd
I man slapd.conf
I loglevel 256 sau loglevel stats
I index uid eq
SAISP Curs 2, Administrarea LDAP 12/34
Configurare de baza OpenLDAP – post v2.3
I /etc/ldap/slapd.d/
I /etc/default/slapd
I man slapd-config
I configurare prin fis, iere LDIF
SAISP Curs 2, Administrarea LDAP 13/34
URI-uri OpenLDAP
I ldap:/// – LDAP simplu (portul 389)
I ldaps:/// – LDAP securizat (portul 636)
I ldapi:/// – LDAP local (socket, i Unix), folosit pentruautentificare SASL de tip EXTERNAL
I SLAPD_URI ın /etc/default/slapd
SAISP Curs 2, Administrarea LDAP 14/34
Ierarhia de configurare OpenLDAP – post v2.3
I directivele documentate ın pagina de manual slapd-config
I radacina ın /etc/ldap/slapd.d/
I cn=config – opt, iuni de configurare globale (GLOBALCONFIGURATION OPTIONS ın manual)
I olcDatabase=0config,cn=config – configurarea bazei dedate de configurare
I olcDatabase=1hdb,cn=config – configurarea bazei de dateLDAP
I cn=schema,cn=config – configurarea schemei
I pentru baze de date – GLOBAL DATABASE OPTIONS s, iGENERAL DATABASE OPTIONS ın manual
SAISP Curs 2, Administrarea LDAP 15/34
Configurare baze de date de configurare
I init, ial cu ajutorul formei de autentificare SASL externe(EXTERNAL)
I foloses, te URI-ul ldapi:///I ldapsearch -LLL -Y EXTERNAL -H ldapi:///I ldapadd -Y EXTERNAL -H ldapi:/// -f test.ldif
I configurarea parolei pentru rootdn pentru baza de date deconfigurare (cn=admin,cn=config)
I ldapadd -Y EXTERNAL -H ldapi:/// -f admin.ldif
1 dn: olcDatabase={0}config,cn=config2 changetype: modify
3 add: olcRootPW
4 olcRootPW: {SSHA}rARaJcrMxKH+e1INIhGt5Pjqf7+bS8pm
SAISP Curs 2, Administrarea LDAP 16/34
Configurare parola noua pentru admin baza de date LDAP
1 dn: olcDatabase={1}hdb,cn=config2 changetype: modify
3 replace: olcRootPW
4 olcRootPW: {SSHA}gOoL0jqP2roPeRjDG6ki1BdDqCFxhdWp
I ldapadd -x -D cn=admin,cn=config -w password -f
rootdn-passwd.ldif
SAISP Curs 2, Administrarea LDAP 17/34
Configurare niveluri de logging
1 dn: cn=config
2 changetype: modify
3 replace: olcLogLevel
4 olcLogLevel: stats
I se configureaza o lista de evenimente ce se doresc jurnalizate
I ldapadd -x -D cn=admin,cn=config -w password -f
change-logging.ldif
SAISP Curs 2, Administrarea LDAP 18/34
Schemas
SAISP Curs 2, Administrarea LDAP 19/34
Outline
Reminder
OpenLDAP
Securitate ın OpenLDAP
Incheiere
Intrebari
SAISP Curs 2, Administrarea LDAP 20/34
Securizare OpenLDAP
I “selective listening”: /etc/default/slapd
I autentificare la server (bind): simple, SASL
I controlul accesului (ACL)
I suport TLS
I SSF (Security Strength Factors)
SAISP Curs 2, Administrarea LDAP 21/34
Controlul accesului ın LDAP
I man slapd.access
I access to * by * readI tot, i utilizatorii pot citi (chiar s, i cei anonimi)
I access to *
by self write
by anonymous auth
by * read
I utilizatorul curent ıs, i poate actualiza informat, iaI utilizatorul anonim se poate autentifica peste intrarile existenteI utilizatorii obis,nuit, i care au facut bind pot citi cont, inutulI util pentru gestiunea parolelorI prima intrare gasita este cea selectata (vezi anonymous)
SAISP Curs 2, Administrarea LDAP 22/34
Controlul accesului ın LDAP (2)
I access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=swarm,dc=cs,dc=pub,dc=ro" write
by anonymous auth
by self write
by * none
I gestiunea parolelorI utilizatorul privilegiat are drepturi completeI utilizatorul anonim se poate autentificaI utilizatorul curent poate sa ıs, i schimbe parolaI utilizatorii obis,nuit, i care au facut bind nu au acces
I forma generica: access to <what> by <who><access>
SAISP Curs 2, Administrarea LDAP 23/34
Controlul accesului ın LDAP – LDIF
1 dn: olcDatabase={1}hdb,cn=config2 changetype: modify
3 replace: olcAccess
4 olcAccess: {0}to attrs=userPassword,shadowLastChange by
anonymous auth by dn="cn=admin,dc=test,dc=ro" write by * none
5 olcAccess: {1}to * by self read by
dn="cn=admin,dc=garm,dc=cs,dc=pub,dc=ro" write by * none
SAISP Curs 2, Administrarea LDAP 24/34
Suport SSL/TLS ın OpenLDAP
I TLS(v1)/SSL(v3)I ın doua moduri
I automat: pe portul 636 (LDAPS), URI de forma ldaps://I prin definit, ie: pe portul standard 389 (LDAP), clientul
pornes, te TLS (StartTLS)
SAISP Curs 2, Administrarea LDAP 25/34
Directive TLS
I TLSCACertificateFile – certificatele CA-urilor de ıncredere
I TLSCertificateFile – certificatul serverului
I TLSCertificateKeyFile – cheia privata a serveruluiI serverul trebuie sa aiba acces la cheia privata
I din cauza permisiunilor pe /etc/ssl/private/, utilizatorulopenldap trebuie adaugat la grupul ssl-cert
SAISP Curs 2, Administrarea LDAP 26/34
Configurare TLS ın OpenLDAP
1 dn: cn=config
2 changetype: modify
3 add: olcTLSCACertificateFile
4 olcTLSCACertificateFile:
/etc/ssl/certs/ssl-cert-snakeoil.pem
5 -
6 add: olcTLSCertificateFile
7 olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
8 -
9 add: olcTLSCertificateKeyFile
10 olcTLSCertificateKeyFile:
/etc/ssl/private/ssl-cert-snakeoil.key
11 -
12 add: olcTLSVerifyClient
13 olcTLSVerifyClient: never
SAISP Curs 2, Administrarea LDAP 27/34
Configurare client pentru folosire TLS
I /etc/ldap/ldap.conf sau /.ldaprc
I TLS_REQCERT none ın cazul ın care nu se s, tie care este CA-ul
I TLS_CACERT /path/to/cert pentru a indica CA-ul
I TLS_CACERTDIR /path/to/cert/dir/ pentru a indicadirectorul cu certificate de CA
I ldapsearch -x -LLL -Z ...
SAISP Curs 2, Administrarea LDAP 28/34
Configurare TLS-only
I /etc/default/slapdI SLAPD_SERVICES="ldapi:/// ldaps:///"
I ın /etc/ldap/ldap.conf – BASE ldaps://...
I sau ldapsearch -x -LLL -H ldaps://...
SAISP Curs 2, Administrarea LDAP 29/34
Replicare LDAP
I tolerant, a la defecte s, i fiabilitate
I init, ial slurpd: push mode
I syncrepl
I delta syncrepl
I diverse arhitecturi de replicare (multi-master/master-slave)
I diverse protocoale ın alte solut, ii de director (e.g. 389DS)
SAISP Curs 2, Administrarea LDAP 30/34
Outline
Reminder
OpenLDAP
Securitate ın OpenLDAP
Incheiere
Intrebari
SAISP Curs 2, Administrarea LDAP 31/34
Cuvinte cheie
I OpenLDAP
I slapd
I /etc/ldap/slapd.d/
I /etc/default/slapd
I man slapd-config
I ldapi:///
I cn=config
I cn=admin,cn=config
I -Y EXTERNAL
I root DN
I schema
I SASL
I SSF
I ACL
I oclAccess
I TLS/SSL
I TLS_REQCERT
I TLS_CACERT
I replicare
I syncrepl
SAISP Curs 2, Administrarea LDAP 32/34
Resurse utile
I http://www.debian-administration.org/article/OpenLDAP_
installation_on_Debian
I http://en.wikipedia.org/wiki/LDAP
I http://www.openldap.org/doc/admin24/index.html
I http://www.openldap.org/doc/admin24/sasl.html
I http://www.openldap.org/doc/admin24/access-control.html
I http://www.openldap.org/doc/admin24/tls.html
I http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
I http://www.zytrax.com/books/ldap/
I http://www.zytrax.com/books/ldap/ch5/step2.html#step2
I http://www.zytrax.com/books/ldap/ch15/
SAISP Curs 2, Administrarea LDAP 33/34
Outline
Reminder
OpenLDAP
Securitate ın OpenLDAP
Incheiere
Intrebari
SAISP Curs 2, Administrarea LDAP 34/34
