FSU CNT 4603 - Expanding our capabilities: Authentication, Authorization, and LDAP


Expanding our capabilities: Authentication, Authorization, and LDAP

Up to now, we have talked about using flat files to do
+ Simple authentication
+ Simple authorization

CNT 4603, Spring 2009

Expanding our capabilities: Authentication, Authorization, and LDAP

We will now look at some ways to go beyond the world of flat files on single machines to provide homogeneous authentication and authorization environments for many machines. We will start with LDAP.

Simple authentication

We talked earlier about simple authentication. In the Linux world, this simple authentication data is stored in /etc/passwd and /etc/shadow. In OpenSolaris, this data is also stored in /etc/passwd and /etc/shadow.

Simple authentication

In FreeBSD, this data is stored in /etc/passwd and /etc/master.passwd. In the Windows world, passwords are stored in the registry hive HKLM "SAM" (Security Accounts Manager) database.

YP/NIS: First steps at extending authentication to cover more area

We have already briefly touched on YP/NIS authentication, which was a simple extension to the traditional flat file /etc/passwd schema.

YP/NIS: First steps at extending authentication to cover more area

Because of its similarity to flat file access, YP/NIS was an easy fit into authentication schemes. Plugging NIS into the existing getpwent(3) scheme was reasonably simple; doing a ypcat passwd was both in concept and in implementation very similar to cat passwd.

YP/NIS: First steps at extending authentication to cover more area

However, it wasn't very secure – in its original form it certainly didn't even solve problems such as obscuring the encrypted password.

YP/NIS: First steps at extending authentication to cover more area

NIS+ did solve some of these problems, but it is complex, and Sun has deprecated NIS+ in favor of LDAP. There are automated tools to aid in this transition. So let's look at LDAP.

LDAP: Extending authentication

LDAP (Lightweight Directory Access Protocol) can be likened to an object-oriented database rather than a relational one. Unlike a database built on a pure relational model, it can support records that have multiple instances of the same field (as, oddly enough, can some "relational" databases that do not strictly follow the original relational model).

LDAP: Extending authentication

More interestingly for system and network administration, LDAP can be used for authentication in the Unix/Linux world and in the Microsoft world. We will talk about how LDAP hooks into authentication via methodologies such as PAM, but first let's look at LDAP itself.

posixAccount

RFC 2307 proposed a standard for moving from the NIS world to the LDAP world.

posixAccount

For system administrators, the most important part of the standard was probably the objectClass posixAccount (found by default in a schema file called nis.schema); that's the bit of the schema that has the attributes you want.

posixAccount

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
    DESC 'Abstraction of an account with POSIX attributes'
    SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )

Example: Bob Betterman's account

LDAP records for such POSIX user accounts look like:

# bob, my-domain.com
dn: uid=bob,dc=my-domain,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Betterman
cn: Bob Betterman
uid: bob
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/bob
userPassword: {crypt}X5/DBrWPOQQaI
loginShell: /bin/bash

Example: Ted Williams' account

Or like:

# ted, my-domain.com
dn: uid=ted,dc=my-domain,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
sn: Williams
cn: Ted Williams
uid: ted
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ted
userPassword: {crypt}X5/DBrWPOQQaI
loginShell: /bin/bash

Adding entries

While various GUI tools exist, you can also use simple command lines to modify the LDAP database; for instance, slapadd is useful for initializing a database (as, for that matter, is slapcat if you have an existing database to dump).

Prepwork

To do this, we have to install and configure both openldap-servers and openldap-clients. Once we have done that, we can use the configuration file 13-slapd.conf to help us set up the LDAP server (the actual server process is called slapd).

Installing packages

[root@localhost ~]# yum install openldap-servers openldap-clients
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.12-1.fc10 set to be updated
---> Package openldap-servers.x86_64 0:2.4.12-1.fc10 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved
================================================================================
 Package             Arch      Version           Repository    Size
================================================================================
Installing:
 openldap-clients    x86_64    2.4.12-1.fc10     fedora        291 k
 openldap-servers    x86_64    2.4.12-1.fc10     fedora        2.5 M

Transaction Summary
================================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 2.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): o
(2/2): o
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : openldap-servers    1/2
  Installing     : openldap-clients    2/2

Installed:
  openldap-clients.x86_64 0:2.4.12-1.fc10
  openldap-servers.x86_64 0:2.4.12-1.fc10
Complete!

LDAP manipulation commands...

First, let's look at the script 13-slapadd-initialization.sh to initialize the database. Second, we'll look at the script 13-ldapadd.sh to add new users.

LDAP manipulation commands...

Now let's run them:

# bash -x 13-slapadd-initialization.sh
[ lots of output ]
# bash -x 13-ldapadd.sh
[ even more! ]

LDAP manipulation commands...

By looking at the results of ldapsearch at the end of the ldapadd script, we can see what's in the
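The slides above give the posixAccount objectclass, two hand-written LDIF records, and mention that automated tools exist for moving NIS-style passwd data into LDAP. The following is an added example, not code from the CNT 4603 course or from OpenLDAP: it converts constructed /etc/passwd-style lines into posixAccount records shaped like the Bob and Ted entries, reads the resulting LDIF back with a small parser (comments, blank-line record separation, folded continuation lines and base64 "::" values), and checks each record against the MUST list of the objectclass. The base DN dc=my-domain,dc=com and the {crypt} hash string are taken from the slide examples; the passwd lines are constructed sample input.

```python
"""Added example (not from the CNT 4603 slides): turn /etc/passwd-style lines
into RFC 2307 posixAccount LDIF, read the LDIF back, and check each record
against the MUST/MAY lists of the posixAccount objectclass shown above."""
import base64

# Attribute lists copied from the posixAccount objectclass definition (nis.schema)
POSIXACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
POSIXACCOUNT_MAY = ("userPassword", "loginShell", "gecos", "description")

BASE_DN = "dc=my-domain,dc=com"  # suffix used by the Bob/Ted records on the slides

# Constructed sample input: two passwd lines matching the slide accounts, plus the
# {crypt} hashes they would carry (the hash string itself is the one on the slides).
SAMPLE_PASSWD = (
    "bob:x:1000:1000:Bob Betterman:/home/bob:/bin/bash\n"
    "ted:x:1001:1001:Ted Williams:/home/ted:/bin/bash\n"
)
SAMPLE_HASHES = {"bob": "X5/DBrWPOQQaI", "ted": "X5/DBrWPOQQaI"}


def passwd_to_entry(line, hashes, base_dn=BASE_DN):
    """Map one passwd line onto the attributes the slide records use."""
    name, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    attrs = {
        "objectClass": ["person", "organizationalPerson", "inetOrgPerson", "posixAccount"],
        "sn": [gecos.split()[-1] if gecos else name],   # person requires sn
        "cn": [gecos or name],
        "uid": [name],
        "uidNumber": [uid],
        "gidNumber": [gid],
        "homeDirectory": [home],
    }
    if name in hashes:
        # The {crypt} prefix tells slapd which password scheme the value uses
        attrs["userPassword"] = ["{crypt}" + hashes[name]]
    attrs["loginShell"] = [shell]
    return {"dn": f"uid={name},{base_dn}", "attrs": attrs}


def to_ldif(entry):
    """Serialise one entry in the LDIF form that slapadd/ldapadd consume."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry["attrs"].items():
        lines.extend(f"{attr}: {value}" for value in values)
    return "\n".join(lines) + "\n"


def migrate(passwd_text, hashes):
    """Convert a whole passwd file; records are separated by a blank line."""
    return "\n".join(to_ldif(passwd_to_entry(line, hashes))
                     for line in passwd_text.splitlines() if line)


def parse_ldif(text):
    """Minimal LDIF reader: '#' comments, blank-line separated records,
    leading-space continuation lines and 'attr:: base64' values."""
    entries, block = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if block:
                entries.append(_parse_record(block))
                block = []
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]               # folded continuation line
        else:
            block.append(raw)
    return entries


def _parse_record(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return {"dn": dn, "attrs": attrs}


def validate_posixaccount(entry):
    """Return the schema problems slapd would reject this record for:
    no posixAccount objectClass, a missing MUST attribute, or a non-integer
    uidNumber/gidNumber (both are INTEGER syntax in RFC 2307)."""
    attrs = entry["attrs"]
    problems = []
    if "posixAccount" not in attrs.get("objectClass", []):
        problems.append("objectClass posixAccount missing")
    for must in POSIXACCOUNT_MUST:
        if must not in attrs:
            problems.append(f"missing MUST attribute {must}")
    for numeric in ("uidNumber", "gidNumber"):
        for value in attrs.get(numeric, []):
            if not value.isdigit():
                problems.append(f"{numeric} must be an integer, got {value!r}")
    return problems


if __name__ == "__main__":
    ldif = migrate(SAMPLE_PASSWD, SAMPLE_HASHES)
    print(ldif)
    for entry in parse_ldif(ldif):
        print(entry["dn"], "->", validate_posixaccount(entry) or "ok")
```

The generated LDIF is what the slapadd initialization and ldapadd steps on the slides consume, and the validator catches the object class violation slapd would otherwise report at load time. Note that LDIF of this shape carries the password hashes in the userPassword attribute, exactly the data the slides say NIS failed to obscure; in slapd, who may read that attribute is governed by the access rules in slapd.conf, so a directory that is readable anonymously reproduces the NIS problem.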

