%include default.mgp
%page
%nodefault
%size 7, font "standard", fore "white", vgap 20
%center
System Authentication using LDAP
or
My Adventures through RFC2307
%size 4
Brad Marshall
brad.marshall@member.sage-au.org.au
%font "typewriter"
http://quark.humbug.org.au/
%page
%bgrad 0 0 256 0 0 "blue" "black"
System Authentication using LDAP
	More and more users on the network
	Many users x many machines = lots of password changes
	Needed a centralized authentication solution
	Wanted it to integrate easily with the existing network
%page
%bgrad 0 0 256 0 0 "blue" "black"
Options for Authentication
	Options
		NIS / NIS+
		Custom scripts
		Replicating password files
		LDAP
%page
%bgrad 0 0 256 0 0 "blue" "black"
Why LDAP?
	NIS / NIS+
		Not well supported under Linux
	Custom scripts
		Not really maintainable
		Don't get the advantage of others using them
		Non-standard
	Replicating password files
		Need procedures for changing passwords
			Do it right, or the change is overwritten
		Replication delays
		Confusion
%page
%bgrad 0 0 256 0 0 "blue" "black"
Background
	Plugged In is a Java development consulting business
		See ``Linux in a Commercial Environment'' - SAGE-AU'98
	Everyone has a Linux box
	Everyone has an account on all boxes
%page
%bgrad 0 0 256 0 0 "blue" "black"
What is LDAP
	Lightweight Directory Access Protocol
		A lighter-weight way to access an X.500 style directory service (RFC1777)
	Stores attribute based data
	Optimized for reading
	Hierarchical data structure
	Client-server model
		Consistent view of data
		Server answers the request
		Or refers the client to a server that can answer (a referral)
	Based on entries
		Collection of attributes
		Each has a distinguished name (DN)
%page
%bgrad 0 0 256 0 0 "blue" "black"
LDAP Structure
	Entries referenced by distinguished name - DN (RFC1779)
	Can be referenced by relative distinguished name - RDN
		The leftmost part of the DN, relative to the parent entry - eg uid=bmarshal
	Top level or base (RFC2377)
		Use the DNS domain name - eg dc=pisoftware,dc=com
	Object class
		Determines the schema rules the entry must obey
			Required attributes
			Allowed attributes
		Describes what type of object it is
			domain
			posixAccount
			posixGroup
			etc
%page
%bgrad 0 0 256 0 0 "blue" "black"
What is LDIF
	LDAP Data Interchange Format
	Represents LDAP entries in text
		Human readable format
		Allows easy modification of data
	ldbmcat converts an ldbm database to ldif
	ldif2ldbm converts ldif back to an ldbm database
%page
%bgrad 0 0 256 0 0 "blue" "black"
Example User Schema
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac
%page
%bgrad 0 0 256 0 0 "blue" "black"
Example Group Schema
dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker
%page
%bgrad 0 0 256 0 0 "blue" "black"
Search filters
	Criteria for attributes
	Directory base to search
	Prefix notation
		Eg (|(uid=bmarshal)(uid=jparker))
	See RFC2254 for more details
%page
%bgrad 0 0 256 0 0 "blue" "black"
Schema
	Describes the data layout
	People in ou=People
		dn is uid=<userid>,ou=People,dc=pisoftware,dc=com
		objectClass of posixAccount
		userid in uid attribute
		primary group number in gidnumber attribute
		password in userpassword attribute
		home directory in homedirectory attribute
	Groups in ou=Group
		dn is cn=<groupname>,ou=Group,dc=pisoftware,dc=com
		objectClass of posixGroup
		group id number in gidnumber attribute
		group members in memberuid attribute
			one memberuid attribute for each member
		group name in cn attribute
%page
%bgrad 0 0 256 0 0 "blue" "black"
Implementation
	Uses RFC2307
	Applications query the LDAP server via
		PAM (Pluggable Authentication Modules)
		NSS (Name Service Switch)
	Eg login -> pam -> pam_ldap -> ldap server
%page
%bgrad 0 0 256 0 0 "blue" "black"
Library calls
Library calls as defined by RFC2307
%font "typewriter", size 4
getpwnam()   (&(objectClass=posixAccount)(uid=%s))
getpwuid()   (&(objectClass=posixAccount)(uidNumber=%d))
getpwent()   (objectClass=posixAccount)
getspnam()   (&(objectClass=shadowAccount)(uid=%s))
getspent()   (objectClass=shadowAccount)
getgrnam()   (&(objectClass=posixGroup)(cn=%s))
getgrgid()   (&(objectClass=posixGroup)(gidNumber=%d))
getgrent()   (objectClass=posixGroup)
%page
%bgrad 0 0 256 0 0 "blue" "black"
Migration
	Used PADL's MigrationTools
	Can migrate
		fstab
		hosts
		networks
		protocols
		rpc
		services
	Initially migrated
		group
		password
%page
%bgrad 0 0 256 0 0 "blue" "black"
LDAP Server architecture
	LDAP daemon called slapd
		Choice of backend databases
			LDBM - high performance disk based db
			SHELL - db interface to unix commands
			PASSWORD - simple password file db
		Multiple database instances
		Access control
		Threaded
	Replication
		Replication daemon called slurpd
		Frees slapd from worrying about hosts being down etc
		Communicates with slapd through a text file (the replication log)
%page
%bgrad 0 0 256 0 0 "blue" "black"
Server Configuration: slapd.conf
/etc/openldap/slapd.conf
%font "typewriter", size 3
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/slapd.at.conf
include		/etc/openldap/slapd.oc.conf
schemacheck	off
pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args
defaultaccess	read
access to attr=userpassword
	by self write
	by * read
access to *
	by self write
	by dn=".+" read
	by * read
%font "standard", size 3
Note: by * read on userpassword lets any client, anonymous included, read every {crypt} hash - treat it like a world readable /etc/shadow
%page
%bgrad 0 0 256 0 0 "blue" "black"
Server Configuration: slapd.conf cont
/etc/openldap/slapd.conf cont
%font "typewriter", size 3
#######################################################################
# ldbm database definitions
#######################################################################
database	ldbm
suffix		"dc=pisoftware, dc=com"
rootdn		"cn=Manager, dc=pisoftware, dc=com"
rootpw		{crypt}lAn4J@KmNp9
replica		host=cox.staff.plugged.com.au:389
		binddn="cn=Manager,dc=pisoftware,dc=com"
		bindmethod=simple credentials=d0nTe1l
replogfile	/var/lib/openldap/replication.log
# cleartext passwords, especially for the rootdn, should
# be avoided. See slapd.conf(5) for details.
directory	/var/lib/openldap/
%page
%bgrad 0 0 256 0 0 "blue" "black"
Client Configuration: ldap.conf
/etc/ldap.conf
	Symlinked to /etc/openldap/ldap.conf
%font "typewriter", size 3
BASE	dc=pisoftware,dc=com
HOST	ldap
pam_crypt local
%page
%bgrad 0 0 256 0 0 "blue" "black"
Client Configuration: PAM
/etc/pam.d/ssh
	Need a similar file for every app you want to use ldap
%font "typewriter", size 3
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so shadow nullok try_first_pass
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so
%font "standard", size 3
Note: a successful auth sufficient pam_ldap.so returns straight away, so pam_nologin listed after it never runs for LDAP users - put it first if /etc/nologin must apply to them; nullok also lets a local account with an empty password in
%page
%bgrad 0 0 256 0 0 "blue" "black"
Client Configuration: nsswitch.conf
%font "standard", size 5
/etc/nsswitch.conf
%font "typewriter", size 3
passwd:		ldap files
shadow:		ldap files
group:		ldap files
%font "standard", size 3
Note: with ldap first, every lookup (root included) goes to the LDAP server before the local files; files ldap keeps local accounts quick to resolve when the server is down
%page
%bgrad 0 0 256 0 0 "blue" "black"
Usage
%font "standard", size 5
ldappasswd
%font "typewriter", size 4
ldappasswd -W -D 'uid=bmarshal,ou=People,dc=pisoftware,dc=com' 'uid=bmarshal'
%pause
%font "standard", size 5
ldapmodify
%font "typewriter", size 4
ldapmodify -W -r -D "cn=Manager,dc=pisoftware,dc=com" < bmarshal.ldif
%font "standard", size 4
where bmarshal.ldif is the edited output of
%font "typewriter", size 4
ldapsearch -L 'uid=bmarshal'
%pause
%font "standard", size 5
ldapsearch
%font "typewriter", size 3
ldapsearch -L 'uid=*'
ldapsearch -L 'objectclass=posixGroup'
ldapsearch -L 'objectclass=posixAccount'
ldapsearch -D 'uid=bmarshal,ou=People,dc=pisoftware,dc=com' -W -L 'uid=bmarshal'
%page
%bgrad 0 0 256 0 0 "blue" "black"
Future Directions
	Mail
		Use ldap routing with sendmail
	Web
		Use for authentication
	Contact details
%page
%bgrad 0 0 256 0 0 "blue" "black"
Conclusions
	Some learning curve
	Definitely worth it
	Much easier to
		change passwords
		create accounts
	Lots of expansion potential
	Saves having multiple authentication databases
%page
%bgrad 0 0 256 0 0 "blue" "black"
Useful URLs
	PADL - http://www.padl.com/
		http://www.padl.com/pam_ldap.html
		http://www.padl.com/nss_ldap.html
		http://www.padl.com/tools.html
	UMich LDAP Server - http://www.umich.edu/~dirsvcs/ldap/
	OpenLDAP - http://www.openldap.org/
	SLAPD and SLURPD Admin Guide - http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/
%page
%bgrad 0 0 256 0 0 "blue" "black"
RFCs
	RFC1777 - Lightweight Directory Access Protocol
	RFC1779 - A String Representation of Distinguished Names
	RFC2254 - The String Representation of LDAP Search Filters
	RFC2377 - Naming Plan for Internet Directory-Enabled Applications
	RFC2307 - An Approach for Using LDAP as a Network Information Service
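%page
%bgrad 0 0 256 0 0 "blue" "black"
Added example: LDIF to passwd/group, with the schema check slapd skips
The Example User/Group Schema, Schema and Library calls slides describe how nss_ldap turns posixAccount and posixGroup entries into passwd and group records. The following Python is an added example written for this page; it is not code from the talk, from PADL's nss_ldap or from OpenLDAP. It parses the two LDIF entries shown on the slides (plus a constructed, deliberately incomplete third entry), checks each entry against the RFC2307 MUST attribute lists (the check a server run with schemacheck off does not do for you), and renders the /etc/passwd and /etc/group lines. The gecos-to-cn fallback and the "*" for non-{crypt} password schemes are this example's own choices.

```python
"""LDIF -> passwd/group lines, the RFC 2307 mapping nss_ldap performs (added example)."""
import base64
import re

# Constructed input: the slides' two entries as one LDIF file, plus a third,
# deliberately incomplete entry (no uidNumber) with a base64 cn and a folded line.
SAMPLE_LDIF = """\
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac

dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker

dn: uid=broken,ou=People,dc=pisoftware,dc=com
uid: broken
cn:: QnJva2VuIEVudHJ5
objectclass: posixAccount
gidnumber: 120
homedirectory: /mnt/home/
 broken
"""

# RFC 2307 MUST attributes; slapd only enforces them with schemacheck on.
REQUIRED = {"posixaccount": ("cn", "uid", "uidnumber", "gidnumber", "homedirectory"),
            "posixgroup": ("cn", "gidnumber")}


def parse_ldif(text: str) -> list:
    """LDIF content records -> [{attr_lower: [values]}], dn included.
    Handles folded lines, "attr:: base64" values and # comments."""
    text = re.sub(r"\n ", "", text)                 # unfold continuation lines
    entries = []
    for record in re.split(r"\n\n+", text.strip("\n")):
        entry = {}
        for line in record.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("not an attribute line: %r" % line)
            if value.startswith(":"):               # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        if entry and "dn" not in entry:
            raise ValueError("record without a dn")
        if entry:
            entries.append(entry)
    return entries


def missing_attributes(entry: dict) -> list:
    """RFC 2307 MUST attributes the entry lacks for the classes it claims."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return [a for cls, attrs in REQUIRED.items() if cls in classes
            for a in attrs if a not in entry]


def _password(entry: dict) -> str:
    """passwd field: the {crypt} hash without its prefix, "x" when absent."""
    value = entry.get("userpassword", ["x"])[0]
    if value.lower().startswith("{crypt}"):
        return value[len("{crypt}"):]
    return "x" if value == "x" else "*"             # other schemes: crypt(3) cannot check them


def passwd_line(entry: dict) -> str:
    """posixAccount -> /etc/passwd line; gecos falls back to cn (this example's choice)."""
    one = lambda a, default="": entry.get(a, [default])[0]
    return ":".join([one("uid"), _password(entry), one("uidnumber"), one("gidnumber"),
                     one("gecos", one("cn")), one("homedirectory"), one("loginshell", "/bin/sh")])


def group_line(entry: dict) -> str:
    """posixGroup -> /etc/group line."""
    return ":".join([entry["cn"][0], _password(entry), entry["gidnumber"][0],
                     ",".join(entry.get("memberuid", []))])


def render(ldif_text: str):
    """(passwd lines, group lines, {dn: missing MUST attrs}) for an LDIF file."""
    passwd, group, problems = [], [], {}
    for entry in parse_ldif(ldif_text):
        missing = missing_attributes(entry)
        if missing:                                 # never hand NSS a half entry
            problems[entry["dn"][0]] = missing
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" in classes:
            passwd.append(passwd_line(entry))
        if "posixgroup" in classes:
            group.append(group_line(entry))
    return passwd, group, problems
```

Calling render(SAMPLE_LDIF) gives one passwd line for bmarshal (hash included, which is exactly what a by * read ACL on userpassword hands out), one group line for sysadmin, and reports the broken entry as missing uidnumber instead of emitting a record with an empty uid field.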
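%page
%bgrad 0 0 256 0 0 "blue" "black"
Added example: building the RFC2307 search filters safely
The Search filters and Library calls slides show the RFC2254 prefix notation and the %s / %d templates nss_ldap fills in for getpwnam(), getgrnam() and friends. The following Python is an added example written for this page, not code from the talk, PADL or OpenLDAP. It fills those templates with proper RFC2254 escaping, then evaluates the resulting filters against a small in-memory directory (the slides' example entries plus a constructed second user, jparker, whose uidNumber 501 is made up) to show what goes wrong when a user-supplied name is pasted into a filter unescaped: the "username" *)(uid=* turns the getpwnam() filter into one that matches every account. The filter parser covers only the subset RFC2307 uses (&, |, ! and equality with * wildcards) and compares values case-insensitively, which is this example's simplification.

```python
"""RFC 2254 filters for the RFC 2307 lookups (added example, not nss_ldap code)."""
import re

# RFC 2254 section 4: characters that must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Templates exactly as the Library calls slide (and RFC 2307) give them.
RFC2307_FILTERS = {
    "getpwnam": "(&(objectClass=posixAccount)(uid=%s))",
    "getpwuid": "(&(objectClass=posixAccount)(uidNumber=%d))",
    "getspnam": "(&(objectClass=shadowAccount)(uid=%s))",
    "getgrnam": "(&(objectClass=posixGroup)(cn=%s))",
    "getgrgid": "(&(objectClass=posixGroup)(gidNumber=%d))",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for the right-hand side of an (attr=value) assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(call: str, arg, escape: bool = True) -> str:
    """Fill the template for `call`; escape=False reproduces a naive %s substitution."""
    template = RFC2307_FILTERS[call]
    token = "%d" if "%d" in template else "%s"
    text = str(int(arg)) if token == "%d" else str(arg)   # %d: integers only, no tricks
    return template.replace(token, escape_filter_value(text) if escape else text)


def _parse(s: str, i: int):
    """Recursive descent over the RFC 2254 subset RFC 2307 needs: & | ! and =."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %s filter at offset %d" % (op, i))
        return (op, kids), i + 1
    j = s.index(")", i)                  # an escaped ')' is '\29', so this is safe
    attr, sep, value = s[i:j].partition("=")
    if not attr or not sep:
        raise ValueError("malformed item at offset %d" % i)
    return ("=", attr.lower(), value), j + 1


def parse_filter(s: str):
    """Parse a filter string into a tree, rejecting unbalanced or trailing input."""
    try:
        node, end = _parse(s, 0)
    except IndexError:
        raise ValueError("unterminated filter") from None
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _value_regex(value: str):
    """Assertion value -> regex: unescaped '*' is a wildcard, \\XX is a literal byte,
    so an escaped star (\\2a) only ever matches a real '*' in the data."""
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda m: chr(int(m.group(1), 16)), p))
              for p in value.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against {attr_lower: [values]} (case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    rx = _value_regex(node[2])
    return any(rx.match(v) for v in entry.get(node[1], []))


def search(filter_text: str, entries) -> list:
    """DNs of the entries that match filter_text."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]


# Constructed sample directory: the slides' example entries plus a second user
# (jparker, uidNumber 501 is made up); attribute names lowercased, values as lists.
ENTRIES = [
    {"dn": ["uid=bmarshal,ou=People,dc=pisoftware,dc=com"], "uid": ["bmarshal"],
     "objectclass": ["account", "posixAccount", "top"], "uidnumber": ["500"], "gidnumber": ["120"]},
    {"dn": ["uid=jparker,ou=People,dc=pisoftware,dc=com"], "uid": ["jparker"],
     "objectclass": ["account", "posixAccount", "top"], "uidnumber": ["501"], "gidnumber": ["120"]},
    {"dn": ["cn=sysadmin,ou=Group,dc=pisoftware,dc=com"], "cn": ["sysadmin"],
     "objectclass": ["posixGroup", "top"], "gidnumber": ["160"],
     "memberuid": ["bmarshal", "dwood", "jparker"]},
]


def demo():
    """getpwnam() for a real user, then for a hostile 'username' with and without
    escaping; returns the three lists of matching DNs (1 hit, every account, none)."""
    hostile = "*)(uid=*"                 # filter syntax, not a login name
    return (search(build_filter("getpwnam", "bmarshal"), ENTRIES),
            search(build_filter("getpwnam", hostile, escape=False), ENTRIES),
            search(build_filter("getpwnam", hostile), ENTRIES))
```

demo() returns one DN for bmarshal, both user DNs for the unescaped hostile name (the filter became (&(objectClass=posixAccount)(uid=*)(uid=*)), which is well formed and matches every posixAccount), and nothing once the name is escaped to \2a\29\28uid=\2a. The %d templates convert through int() first, so a uid such as "500)(uid=*" is rejected outright rather than reaching the server.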