CH 25-26 NIS/LDAP/KERBEROS REVIEW Flashcards

1
Q

History and Background info

A
  1. Linux maintains local passwords via the /etc/passwd file.
  2. For obvious reasons, there is a challenge with having local passwords stored on each server.
  3. As a result, distributed directory information (Directory Services) came into being.
2
Q

Distributed Directory Information

A
  1. Directory Service - “software system that stores, organizes and provides access to information in a directory” per Wikipedia.
  2. Considered an integral component of identity management.
  3. Uses concepts SIMILAR to relational databases (e.g. MySQL, Access), but is not considered one because write operations are limited.
  4. DNS is considered a directory service, but does not handle user identity information.
  5. Multiple choices for user authentication via distributed directory services.
3
Q

Network Information Service (NIS)

A
  1. An early attempt at directory services.
  2. Originally referred to as “Yellow Pages” but was forced to change the name due to a lawsuit, per Wikipedia.
  3. Made up of tables composed of text files (basically a large, shared /etc/passwd) referred to as maps.
  4. Architecture is “master/slave”.
  5. NIS looks at the local machine's /etc/passwd first, then checks the directory.
4
Q

Network Information Service (NIS)

DAEMONS

A

Made up of three daemons.

  1. ypserv - listens for queries from clients and responds accordingly.
  2. ypxfrd - used for propagating and transferring maps to secondary (“slave”) servers.
  3. ypbind - client-side component of NIS; used for finding an NIS server and transmitting information.

NIS divides security into domains.
5
Q

Network Information Service (NIS)

A
  1. NIS is inherently insecure - everything, including passwords, is stored and transmitted in unencrypted plain text.
  2. An attempt to create a secure NIS, NIS+, was made as early as 1992 but was abandoned.
  3. Implementation of NIS is NOT recommended.
6
Q

Lightweight Directory Access Protocol (LDAP)

A
  1. LDAP is considered a “successor technology” to NIS.
  2. LDAP is a subset protocol of the larger X.500 protocol.
    a. Multiple software implementations exist.
    b. Many are true LDAP, but others extend the standard for their own implementation.
  3. Essentially, LDAP is a globally-accessible distributed directory service.
7
Q

Lightweight Directory Access Protocol (LDAP) STRUCTURE

A
  1. LDAP is structured in a tree format.
    a. The structure is known as the Directory Information Tree (DIT).
    b. Each object in the tree is known as a node.
    c. The complete path to a node - which uniquely identifies it - is known as its Distinguished Name (DN).
  2. The DIT can be structured in any number of ways.
    a. Geographical or organizational (functional).
8
Q

Lightweight Directory Access Protocol (LDAP) STRUCTURE continued …

A

LDAP adheres to the client/server structure:

  1. The LDAP client connects to an LDAP server (also referred to as binding).
  2. Based on access restrictions, the LDAP server either accepts or refuses the bind request.
  3. Assuming it accepts, the client issues the appropriate command (query, update, etc.).
  4. Based on access restrictions, the LDAP server accepts the command and returns output, or rejects it.
9
Q

Lightweight Directory Access Protocol (LDAP) SCHEMAS

A
  1. LDAP was designed with the logical structure of an organization and its assets in mind:
    • People
    • Devices
    • Locations
  2. While designed for basic identity information, an LDAP schema can be extended to store basically any information.
    • Employee data: addresses, phone number, photos.
10
Q

Lightweight Directory Access Protocol (LDAP) SCHEMAS uses …

A

Over the years, various LDAP implementations have created schemas to allow for storage of various pieces of information.

  1. LDAP can serve as a complete identity management solution for an organization and can even support federated identity management.
  2. DNS records can be stored in LDAP.
    • Microsoft’s Active Directory encompasses concepts of both LDAP and DNS.
  3. LDAP can be used to provide “yellow pages”.
  4. LDAP can be used to store mail routing information.
  5. Samba and LDAP can be connected to work with each other seamlessly.
11
Q

LDAP TERMINOLOGY

OBJECT

A

OBJECT (ENTRY) - one unit in an LDAP directory, identifiable by its distinguished name (DN).

12
Q

LDAP TERMINOLOGY

COMMON (CANONICAL) NAME

A

COMMON (CANONICAL) NAME - base name (domain name) for the DIT.

13
Q

LDAP TERMINOLOGY

ATTRIBUTES

A

ATTRIBUTES - metadata for an object.

14
Q

LDAP TERMINOLOGY

SCOPE

A

SCOPE - similar to domain in NIS (or Active Directory) as it allows for logical divisions of the directory information tree (DIT).

15
Q

LDAP TERMINOLOGY

OBJECT CLASS

A

OBJECT CLASS - defines what type of object an entry is, e.g. person or computer.

16
Q

LDAP TERMINOLOGY

FILTER

A

FILTER - when performing a search, this tells the server how to limit the search to specific entries.

17
Q

LDAP TERMINOLOGY

SCHEMA

A

SCHEMA - collection of rules that determine the structure and contents of the directory.

18
Q

LDAP TERMINOLOGY

LDIF

A

LDIF - LDAP Data Interchange Format - allows for flat-file imports and exports to/from an LDAP directory.

19
Q

LDAP Implementations

A
  1. There are several LDAP or LDAP-like implementations.
    • Microsoft Active Directory
    • Novell eDirectory
    • OpenLDAP
  2. OpenLDAP is the open-source implementation of LDAP that runs on UNIX/Linux systems.
20
Q

OpenLDAP

A
  1. OpenLDAP runs with daemons to perform its functions.
    • slapd - stand-alone LDAP daemon that listens for LDAP connections and responds appropriately.
    • slurpd - stand-alone LDAP replication daemon that propagates changes between multiple LDAP servers in a domain.
  2. OpenLDAP functions as a provider/consumer model as opposed to “master/slave”, meaning that the roles aren’t rigidly defined as to which server is “in charge”.
21
Q

OpenLDAP Utilities

A

OpenLDAP has several utilities for querying, viewing, updating, and modifying the data stored in the OpenLDAP directory.

  • ldapmodify - used for modifying info in the directory, either directly or via flat file import.
  • ldapadd - used to add new entries to the LDAP database.
  • ldapdelete - used to delete existing entries in the LDAP database.
  • ldappasswd - sets password for an LDAP user.
  • ldapsearch - used for querying an LDAP directory.
  • slapadd - populates LDAP directory from LDIF file.
  • slapcat - dumps entire LDAP directory to LDIF file.
  • slapindex - used for generating properly hashed/encrypted passwords that can be used with various privileged directory operations.
22
Q

INSTALLING OPENLDAP

A

You can install OpenLDAP using the following command:

$ yum install openldap-servers openldap-clients

$ apt-get install slapd

$ apt-get install ldap-utils

You can start OpenLDAP using the following command:

$ systemctl start slapd.service

23
Q

CONFIGURING OPENLDAP

A

The /etc/openldap/slapd.conf file is the main configuration file for the slapd daemon on OpenLDAP.

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world-readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema

The ldap.conf file is used from the client side of the OpenLDAP implementation.

24
Q

KERBEROS

A
  • Kerberos is not a replacement or alternative to LDAP, but a complementary technology.
  • Kerberos “is used to manage credentials securely while LDAP is used for holding authoritative information about the accounts”.
  • Kerberos works on the principle of claims-based authentication.
  • Goal is to minimize the number of username/password exchanges over the network by using concepts similar to public key cryptography.