Home Page
Title Page
Contents
JJ II
J I
Page 1 of 20
Go Back
Full Screen
Close
Quit
Directory enabled Networks
LDAP and related technologies
G. Sivakumar
Computer Science Department
Indian Institute of Technology, Bombay
Mumbai 400076, India
[email protected]
http://www.cse.iitb.ac.in/~siva
Outline of Talk
• Illustrative Applications
– Squid, Qmail, PAM, ...
– Mapping Static IPs
• Directory Services
– Need
– Functional Requirements
• LDAP Fundas
IIT Network Overview
• Campus Network
– Academic Area
– Hostels
– Residential
• Hardware and Network (the easy part!)
– Gigabit L3 switches
– 10 Mbps Internet (4 Links)
– 6000+ nodes
• Applications and Security (Complex enough)
• Users and Management (Nightmare begins)
– MisUse (mp3, movie, porn, hacking, fake mails, ...)
– CCTeam
∗ We carry your Bytes
∗ Our T-shirt (cows, dogs, leopards!)
– LDAP to the rescue!
Sample E-mail issues
• E-mail still most critical service.
• Centralized vs. Distributed Solution
• Mail is not a Login Account! (Hotmail/Yahoo)
• Spam, Virus, Impostors, Harassment, Admissions/Schols
• Assume you are postmaster (postbox.iitb.ac.in)
– Who [email protected]?
∗ Real User (where is his mailbox?)
∗ Simple Mail Alias (Dean, Head, ...)
∗ Mailing List
∗ Unknown user (can be a real problem)
• From Client Side
– AddressBook
– MailForwarding
– Choosing Unique ID
– Lifelong ID
Sample Issues in Web Browsing
• World Wide Wait! (Bandwidth)
• What’s the good stuff?
– Research reports
– Books, Software, ...
• What’s the bad stuff?
– Pirated Entertainment
– Pornography
– ...
• Controlled access via Caching Proxy
– Squid (the best)
• User Management Nightmare
– A recent suicide threat!
– Adding/Deleting
– Locking Passwords (why?)
– Need for Static IP mappings
User Accounts
• Public Access Terminals (spread out including Hostels, Depts)
• How to create/delete logins?
• Forgotten Passwords!
• Home Directories
• Access Restrictions (Timings)
• PAM (Pluggable Authentication Modules)
• NIS and its disadvantages
• Kerberos (complex solution)
• Can LDAP help?
Static IP Mappings
• You live in Hostel 6, Room 322.
• Allotted IPs 10.6.3.22, 10.6.13.22, 10.6.23.22, ...
• What’s your netmask? (255.255.0.0)
• Who’s your gateway? (10.6.250.1)
• 64K IPs available per Hostel (400 students)
• Why fix a static IP-MAC binding?
– Virus (bombarding proxy, mail servers etc.)
– Who downloaded the mp3/porn?
– Accountability (CCTeam is not too popular!)
– Chess Funda (Threat is stronger than execution!)
• But, how to do the mapping?
– New Computer.
– Change Ethernet card.
– CCTeam should not be the bottleneck!
– Centralize data/knowledge, not work!
– Delegate authority (LDAP to rescue).
What can LDAP do?
• Create and Manage User Info centrally
• Allow Access Control in Applications
• Allow a Policy Based Framework
• Caution: LDAP is only a tool
• You still need a good design/implementation.
What is LDAP
• Lightweight Directory Access Protocol
• Based on X.500
• Directory service (RFC1777)
• Stores attribute based data
• Data generally read more than written to
– No transactions
– No rollback
• Hierarchical data structure
– Entries are in a tree-like structure called Directory Information Tree (DIT)
Some Jargon
Attribute abbreviations (See RFC2256)
• uid (User id)
• cn (Common Name)
• sn (Surname)
• ou (Organisational Unit)
• dc (Domain Component)
• st (State)
• c (Country)
dc=iitb,dc=ac,dc=in
IIT LDAP Structure
LDAP Schema
• Set of rules that describes what kind of data is stored
• Helps maintain consistency and quality of data
• Reduces duplication of data
• Object class attribute determines schema rules the entry must follow
• Schema contains the following:
– Required attributes
– Allowed attributes
– How to compare attributes
– Limit what the attributes can store, i.e., restrict to integer etc.
– Restrict what information is stored, i.e., stop duplication etc.
Schema Example
Another Object Class
Simple Mail Alias
Mailing List
Managing LDAP itself
Delegation is the key!
Creating Groups for Applications
The Static-Mapping Script

use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
# $ldaphost and $basedn come from the script's configuration (not shown on the
# slides); $binddn is filled in by verifyusername and reused by the later subs.
our ($ldaphost, $basedn, $binddn);

sub verifyusername {
    my $admin = shift;
    my $valid = 0; my $why = 'Username not found';
    my $ldap = Net::LDAP->new($ldaphost) or die "can't make new LDAP object: $@";
    $ldap->bind();   # anonymous bind is enough to look up the user's DN
    # escape the form value so it cannot alter the search filter
    my $mesg = $ldap->search(base => $basedn,
                             filter => '(uid=' . escape_filter_value($admin) . ')');
    if (0 < $mesg->count) {
        $binddn = $mesg->entry(0)->dn;
        $valid = 1;
    }
    ($valid, $why);
}

sub verifypass {
    my $pass = shift;
    my $ldap = Net::LDAP->new($ldaphost) or die "can't make new LDAP object: $@";
    # a DN with an empty password is an unauthenticated bind, which some servers
    # treat as anonymous and report as success; reject it before binding
    return (0, 'Wrong Password') unless defined $pass && length $pass;
    my $bound = $ldap->bind($binddn, password => $pass);
    my $valid = 1; my $why = '';
    if ($bound->code != 0) {
        # bind() returns a message object (always true); test its result code
        if ($ldap->bind()->code == 0) {   # anon bind succeeded, thus their pass is wrong
            $valid = 0; $why = 'Wrong Password';
        } else {                          # server unreachable: fail closed, not open
            $valid = 0; $why = 'LDAP bind failed: ' . $bound->error;
        }
    }
    ($valid, $why);
}
Script Continued

use Net::LDAP::Constant qw(LDAP_COMPARE_TRUE LDAP_COMPARE_FALSE LDAP_NO_SUCH_OBJECT);

sub on_valid_record {
    my %field = @_;
    my $valid = 1; my $why = '';
    my %hostelnametonum = (H1=>1, H2=>2, H3=>3, H4=>4, H5=>5, H6=>6, H7=>7,
                           H8=>8, H9=>9, H10=>10, H11=>11, Tansa=>21);
    my $pass = $field{'Password'}; my $hostel = $field{'Hostel'};
    my $ldap = Net::LDAP->new($ldaphost) or die "can't make new LDAP object: $@";
    my $searchdn = "cn=$hostel,ou=Hostel System Administrators,ou=Groups,dc=iitb,dc=ac,dc=in";
    my $bound = $ldap->bind($binddn, password => $pass);
    # do not fall through to an anonymous compare when the bind failed
    return (0, 'Wrong Password') if $bound->code != 0;
    my $compared = $ldap->compare($searchdn, attr => 'uniquemember', value => "$binddn")->code;
    if ($compared == LDAP_COMPARE_TRUE) {
        # second octet of the IP must be this hostel's number (10.<hostel>.x.x)
        my @iparr = split(/\./, $field{'IP Address'});
        if ($hostelnametonum{$hostel} != $iparr[1]) {
            $valid = 0; $why = "You can only enter IPs for your hostel\n";
        }
    } elsif ($compared == LDAP_COMPARE_FALSE) {
        $valid = 0; $why = "You are not authorized to do this for $hostel\n";
    } else {
        $valid = 0; my $fokat = LDAP_NO_SUCH_OBJECT;
        $why = "LDAP compare bugged with $compared and $fokat and $searchdn\n";
    }
    ($valid, $why);
}
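The directory entries the two subroutines above rely on, as a constructed LDIF example added here rather than taken from the talk: the group DN and the uniquemember attribute are the ones the script uses, while the uid, the ou=People branch and the password hash are placeholders.

```ldif
# Constructed example (not from the talk): a student who administers Hostel 6
# and the per-hostel admin group that on_valid_record checks.
dn: uid=h6admin,ou=People,dc=iitb,dc=ac,dc=in
objectClass: inetOrgPerson
uid: h6admin
cn: Hostel Six Admin
sn: Admin
userPassword: {SSHA}PLACEHOLDER-HASH

# verifyusername searches for (uid=h6admin) under $basedn and records this DN
# as $binddn; verifypass then binds as that DN with the submitted password.

dn: cn=H6,ou=Hostel System Administrators,ou=Groups,dc=iitb,dc=ac,dc=in
objectClass: groupOfUniqueNames
cn: H6
uniqueMember: uid=h6admin,ou=People,dc=iitb,dc=ac,dc=in

# on_valid_record issues an LDAP compare of uniqueMember against $binddn on the
# group entry above. Only a TRUE result lets the admin register addresses, and
# then only 10.6.x.x ones, since %hostelnametonum maps H6 to the second octet 6.
```

The OpenLDAP ldapcompare client makes the same request as the script (DN followed by uniqueMember:<user DN>) and returns the TRUE/FALSE the three branches distinguish.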
Conclusion
• Slapd
– University of Michigan
– Openldap
• Netscape Directory Server
• Microsoft Active Directory (AD)
• Novell Directory Services (NDS)
• Sun Directory Services (iPlanet)
• Lucent’s Internet Directory Server (IDS)
• ...
LDAP is a very valuable tool to implement effective network management.
One starting point: ldapguru.org