LDAP Server Installation and Administration (OpenLDAP, PAM auth)
2014 SPARCS WHEEL SEMINAR
CHOCHO 조현성 (Hyunsung Cho)

What is LDAP?
Lightweight Directory Access Protocol
An application protocol for querying and modifying a directory service over TCP/IP.
A lightweight DAP! DAP runs on the OSI protocol stack and is a heavy protocol that consumes a lot of computing resources.

Directory Services
A software system that stores, organizes and serves the information held in the OS's directory.
Directory: manages the file system and partitions the elements of the disk so that the location of each file is easy to find / a collection of records holding information that can be searched.
Ex. phone book: Name -> Number; dictionary: Word -> Definition; DNS: Domain name -> IP address
Sharing information about users, systems, networks, services, applications and so on has driven the development of intranet and internet applications.

X.500
A set of network standards for delivering electronic directory services.
Defines the following protocols:
  DAP (Directory Access Protocol)
  DSP (Directory System Protocol)
  DISP (Directory Information Shadowing Protocol)
  DOP (Directory Operational Bindings Management Protocol)

LDAP
A lightweight version of X.500's DAP.
Pros (+):
  Easy to integrate authentication across different services
  Administration: lower maintenance cost
  Administration: easier response to security problems
  Users: less fatigue from registering again and again
Cons (-):
  No concept such as a transaction
  Hard to use where content is modified often, like a bulletin board
  Applying it to a service such as integrated authentication carries a large security risk
A DB specialized for reads rather than writes
Fast lookups with simple conditions
Suited to finding one piece of information at a time (user login processing, employee information lookup, etc.)
Uses of LDAP
  Centralization of user and group information
  Authenticate users locally
  Authenticate users in a web application
  Create a shared address directory for mail agents

Structure of LDAP
DIT (Directory Information Tree): a hierarchical architecture
Entry: a node in the tree; represents one unit of data
  Identified by a DN (distinguished name), which expresses its position and its uniqueness

An entry has attributes, and an attribute can hold one or more values.
A DN is written in concise, abbreviated form.

Schema, objectclass & attribute
objectclass: a collection of attributes defined in a schema
These schemas are defined under /etc/ldap/schema (we will look at them later, during installation).

Commonly used entries (attribute types)
  cn (Common Name): an ordinary name such as HYUNSUNG CHO
  sn (Surname): corresponds to the family name in Korea
  ou (Organizational Unit): corresponds to a group
  dc (Domain Component): a component of a domain; the dc of ara.kaist.ac.kr is kaist.ac.kr or ara.kaist.ac.kr
  dn (Distinguished Name): the unique name
  o: organization
  c: country
  uid: user id

Directory Information Tree
  dc=sparcs,dc=org
    ou=people
      ou=member
        uid=chocho
        uid=onion
      ou=guest
        uid=gon
      ou=wheel
        uid=suckzoo
DN: uid=chocho,ou=member,ou=people,dc=sparcs,dc=org
RDN: ou=wheel, uid=onion
OpenLDAP
An open-source implementation of LDAP.
Supports not only Linux but other OSes as well.
Split into a frontend and a backend:
  frontend: handles network access and protocol processing
  backend: handles data storage

Available Backends
OpenLDAP currently supports 16 backends, grouped into three broad kinds.
  Data Storage Backends (store the data themselves): back-bdb, hdb, ldif, mdb, ndb
  Proxy Backends (act as a gateway to another data storage system): back-ldap, meta, passwd, relay, sql
  Dynamic Backends (generate data on the fly): back-config, dnssrv, monitor, null, perl, shell, sock
Reference: http://en.wikipedia.org/wiki/openldap

Overall Concept
  LDAP Client --(LDAP request)--> Frontend: decodes the LDAP request
  Frontend --(decoded LDAP request)--> Backend: processes the LDAP request
  Backend --(result of the processed LDAP request)--> Frontend --> LDAP Client
Installation
slapd, the stand-alone LDAP daemon, has to be installed:
$ sudo apt-get install slapd ldap-utils
Administrative credentials: the credentials for the rootdn

Post-install Inspection
Take a look at /etc/ldap/slapd.d.
$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
shows what the slapd-config DIT looks like.

Post-install Inspection: Explanation of entries
  cn=config: global settings
  cn=module{0},cn=config: a dynamically loaded module
  cn=schema,cn=config: contains hard-coded system-level schema
  cn={0}core,cn=schema,cn=config: the hard-coded core schema
  cn={1}cosine,cn=schema,cn=config: the cosine schema
  cn={2}nis,cn=schema,cn=config: the nis schema
  cn={3}inetorgperson,cn=schema,cn=config: the inetorgperson schema
  olcBackend={0}hdb,cn=config: the 'hdb' backend storage type
  olcDatabase={-1}frontend,cn=config: frontend database, default settings for other databases
  olcDatabase={0}config,cn=config: slapd configuration database (cn=config)
  olcDatabase={1}hdb,cn=config: your database instance (dc=example,dc=com)

Post-install Inspection
By default dc=nodomain is configured. Confirm with:
$ ldapsearch -x -LLL -H ldap:/// -b dc=nodomain dn
Change it with:
$ sudo dpkg-reconfigure slapd
Then check again with:
$ ldapsearch -x -LLL -H ldap:/// -b dc=wseminar4,dc=sparcs,dc=org dn
Modifying/Populating your Database (1) Add
Let's add the following to the database:
  1. a node called People (to store users)
  2. a node called Groups (to store groups)
  3. a group called wheel
  4. a user called yourid

Modifying/Populating your Database (1) Add
$ vi add_content.ldif

LDIF (LDAP Data Interchange Format)
LDAP is originally a binary protocol! LDIF expresses LDAP content as text of the following form.

LDIF change format
  dn: cn=hyunsung Cho, ou=people, dc=sparcs, dc=org
  changetype: modify
  replace: cn
  cn: Chocho Cho
First line: <DN of the entry>
changetype: [modify | add | delete]
(if changetype is modify) [replace | add | delete]: <attribute>

Modifying/Populating your Database (1) Add
Adding to LDAP:
$ ldapadd -x -D cn=admin,dc=wseminar4,dc=sparcs,dc=org -W -f add_content.ldif
  -D: followed by the DN of the user's entry; a concept similar to an ID
  -W: prompts for the password when the command is run
  -f: followed by the ldif file to read
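The slides leave the contents of add_content.ldif to the reader. As an added example, not part of the seminar material, the following shell script generates an LDIF with the four entries listed above and runs a basic structural check on it before it is handed to ldapadd. The base DN, the ou names and the user name yourid follow the slides; the objectClass choices and the uidNumber, gidNumber, home directory and shell values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the seminar slides: generate add_content.ldif for
# ou=People, ou=Groups, cn=wheel and one user, then sanity-check the LDIF.
# Base DN and names follow the slides; numeric ids and paths are constructed.

BASE_DN="dc=wseminar4,dc=sparcs,dc=org"

# Print the LDIF. $1 = user id (default yourid), $2 = uidNumber (default 1000).
# gidNumber 100 is the local "users" group on Debian; the user is made a
# member of wheel through memberUid rather than by making wheel primary.
make_add_ldif() {
    user="${1:-yourid}"
    uidnum="${2:-1000}"
    cat <<EOF
dn: ou=People,$BASE_DN
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$BASE_DN
objectClass: organizationalUnit
ou: Groups

dn: cn=wheel,ou=Groups,$BASE_DN
objectClass: posixGroup
cn: wheel
gidNumber: 2000
memberUid: $user

dn: uid=$user,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $user
cn: $user
sn: $user
uidNumber: $uidnum
gidNumber: 100
homeDirectory: /home/$user
loginShell: /bin/bash
EOF
}

# Structural check of LDIF on stdin: each record must start with "dn:", and
# every other line must be "attr: value", a " continuation" or a "# comment".
# Exit status 1 (with the offending line on stderr) on the first violation.
ldif_check() {
    awk '
        function bad() {
            printf "ldif_check: line %d: %s\n", NR, $0 > "/dev/stderr"
            exit 1
        }
        BEGIN { at_start = 1 }
        /^$/ { at_start = 1; next }
        /^#/ { next }
        /^ /  { if (at_start) bad(); next }
        at_start { if ($0 !~ /^dn:/) bad(); at_start = 0; next }
        $0 !~ /^[A-Za-z][A-Za-z0-9;.-]*:/ { bad() }
    '
}
```

Typical use on the server: `make_add_ldif chocho 1001 > add_content.ldif && ldif_check < add_content.ldif`, followed by the ldapadd command from the slide. The check only catches layout mistakes (a missing dn line, a stray line without a colon); schema violations such as a missing required attribute are still reported by slapd at add time.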
Modifying/Populating your Database (1) Add
Check with ldapsearch that the entries were added correctly:
$ ldapsearch -x -LLL -b dc=wseminar4,dc=sparcs,dc=org uid=chocho cn gidNumber
  -x: "simple" binding; will not use the default SASL method
  -LLL: disable printing extraneous information
  uid=chocho: a "filter" to find the chocho user
  cn gidNumber: requests certain attributes to be displayed (the default is to show all attributes)

More about ldapsearch filters
  Equality (exact match): uid=chocho
  Substring (partial string match): uid=ch*
  Approximate (similar-word match): uid~=choch
  Less than, greater than (match by lexicographic order): uid>=chocho
  And: (&(uid=chocho)(gidNumber=1000))
  Or: |
  Not: !
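Filters are often built from a value that comes from somewhere else (a login name typed into a form, a script argument). As an added example that is not part of the slides, the following shell functions build the filter forms listed above and escape the value first as RFC 4515 requires, so that characters such as `*`, `(` and `)` inside a value are matched literally rather than changing the structure of the filter. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: build ldapsearch filters for the
# operators above, escaping the value per RFC 4515 first so that characters
# reserved in filter syntax (\ * ( )) inside a value are matched literally
# and cannot alter the filter's structure. Function names are this example's own.

BASE_DN="dc=wseminar4,dc=sparcs,dc=org"

# Escape the characters RFC 4515 reserves inside a filter value as \XX hex.
# The backslash is handled first so the escapes added afterwards survive.
# (A NUL byte cannot be held in a shell string, so it is not handled here.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Equality:    (attr=value)
eq_filter()     { printf '(%s=%s)'  "$1" "$(ldap_escape "$2")"; }
# Substring:   (attr=value*) - the wildcard is ours, the value is escaped
prefix_filter() { printf '(%s=%s*)' "$1" "$(ldap_escape "$2")"; }
# Approximate: (attr~=value)
approx_filter() { printf '(%s~=%s)' "$1" "$(ldap_escape "$2")"; }
# Greater-or-equal: (attr>=value)
ge_filter()     { printf '(%s>=%s)' "$1" "$(ldap_escape "$2")"; }

# Combine filters that were already built: and_filter '(a=1)' '(b=2)'
# gives (&(a=1)(b=2)); or_filter gives (|...); not_filter negates one filter.
and_filter() { printf '(&%s)' "$(printf '%s' "$@")"; }
or_filter()  { printf '(|%s)' "$(printf '%s' "$@")"; }
not_filter() { printf '(!%s)' "$1"; }

# The search from the previous slide with the user id passed in through
# eq_filter. Needs a running server, so it is not invoked by default.
search_user() {
    ldapsearch -x -LLL -b "$BASE_DN" "$(eq_filter uid "$1")" cn gidNumber
}
```

`search_user chocho` issues exactly the search on the previous slide; `search_user 'ch*'` searches for a user whose name is literally "ch*", because the wildcard in a value is escaped and only prefix_filter adds a real wildcard.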
MigrationTools
A tool used because copying a large DB into ldif files by hand is tedious.
$ sudo apt-get install migrationtools
$ vi /etc/migrationtools/migrate_common.ph
  # Edit the default domain & base
  # Default DNS domain
  $DEFAULT_MAIL_DOMAIN = "wseminar4.sparcs.org";
  # Default base
  $DEFAULT_BASE = "dc=wseminar4,dc=sparcs,dc=org";

Migrating the whole DB with MigrationTools
($ sudo service slapd start)
$ cd /usr/share/migrationtools
$ sh ./migrate_all_online.sh
Answers to the prompts:
  1. dc=wseminar4,dc=sparcs,dc=org
  2. wseminar4
  3. cn=admin,dc=wseminar4,dc=sparcs,dc=org
  4. cn=admin,dc=wseminar4,dc=sparcs,dc=org
  5. [password]
  6. No

MigrationTools: importing existing accounts
Look in /usr/share/migrationtools and you will find several scripts.
Using these scripts with piping, an import is simple.
ex.) Let's import the authentication data:
$ cd /usr/share/migrationtools
$ ./migrate_passwd.pl /etc/passwd > passwd.ldif
System accounts must not be shared, so delete them from passwd.ldif beforehand.
$ ldapadd -h localhost -x -W -D cn=admin,dc=wseminar4,dc=sparcs,dc=org -c -f passwd.ldif
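The slide says to delete the system accounts from passwd.ldif by hand before importing it. As an added example, not part of the slides or of MigrationTools, the following shell function does that mechanically: it treats each blank-line-separated LDIF entry as one record and drops every entry whose uidNumber is below a cut-off (Debian allocates ordinary users from 1000 upward). The sample LDIF embedded below is constructed to look like migrate_passwd.pl output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the slides or MigrationTools: drop the system
# accounts from the passwd.ldif that migrate_passwd.pl produced instead of
# deleting them by hand. Each blank-line-separated LDIF entry is one record;
# an entry is dropped when its uidNumber is below the cut-off.

# $1 = lowest uidNumber to keep (default 1000). Reads LDIF on stdin.
strip_system_accounts() {
    awk -v min="${1:-1000}" '
        BEGIN { RS = ""; ORS = "\n\n" }          # one LDIF entry per record
        {
            keep = 1
            n = split($0, line, "\n")
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^uidNumber: /) {
                    v = substr(line[i], 12) + 0  # "uidNumber: " is 11 chars
                    if (v < min + 0) keep = 0
                }
            }
            if (keep) print
        }'
}

# Print just the DNs of the entries on stdin, to review what will be imported.
list_dns() {
    awk '/^dn: / { sub(/^dn: /, ""); print }'
}

# Constructed sample in the shape migrate_passwd.pl emits (hash value is fake).
SAMPLE_PASSWD_LDIF='dn: uid=root,ou=People,dc=wseminar4,dc=sparcs,dc=org
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=daemon,ou=People,dc=wseminar4,dc=sparcs,dc=org
uid: daemon
cn: daemon
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /usr/sbin/nologin
uidNumber: 1
gidNumber: 1
homeDirectory: /usr/sbin

dn: uid=chocho,ou=People,dc=wseminar4,dc=sparcs,dc=org
uid: chocho
cn: chocho
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/chocho'
```

On a real server the pipeline is `./migrate_passwd.pl /etc/passwd | strip_system_accounts > passwd.ldif`, and `list_dns < passwd.ldif` shows what is about to be handed to ldapadd. Entries without a uidNumber line are kept, so review that listing rather than trusting the cut-off alone.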
Modifying the slapd Configuration DB
Let's add an index to the {1}hdb,cn=config DB using ldapmodify.
$ vi uid_index.ldif
  dn: olcDatabase={1}hdb,cn=config
  add: olcDbIndex
  olcDbIndex: uid eq,pres,sub
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif
Confirm the change:
$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
> cn=config '(olcDatabase={1}hdb)' olcDbIndex

Logging
You can produce an activity log by changing the slapd-config DB directly.
$ vi logging.ldif
  dn: cn=config
  changetype: modify
  add: olcLogLevel
  olcLogLevel: stats
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

Logging
If too many messages are written, adjust the rsyslog configuration.
Add the following to /etc/rsyslog.conf:
  # Disable rate limiting
  # (default is 200 messages in 5 seconds; below we make the 5 become 0)
  $SystemLogRateLimitInterval 0
$ sudo service rsyslog restart
Access Control Lists (ACL)
Search the ACLs with ldapsearch!
ex) Search the DB's ACL entry:
$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
> cn=config '(olcDatabase={1}hdb)' olcAccess
Access Control Lists (ACL)
LDAP Authentication
We have built the LDAP server, so now let's build the client!
Configuration is split into two parts: NSS and PAM.

What is NSS?
Name Service Switch
Does the name lookups against an LDAP directory server.
Take a look at /etc/nsswitch.conf.

NSS Setup
It used to be common to use the libnss-ldap package, but libnss-ldapd, which fixes several of its shortcomings and is simpler to use, is now available.

NSS Installation Using libnss-ldapd
$ sudo apt-get install libnss-ldapd
Configure the LDAP server's URI and base DN (wseminar4.sparcs.org or dc=wseminar4,dc=sparcs,dc=org).
To check that it works:
$ sudo getent passwd
* How to configure with libnss-ldap instead: https://wiki.debian.org/ldap/nss

NSS Installation Using libnss-ldap
$ sudo apt-get install libnss-ldap
$ vi /etc/libnss-ldap.conf
  # Your LDAP server. Must be resolvable without using LDAP.
  uri ldap://wseminar4.sparcs.org
  # The distinguished name of the search base.
  base dc=wseminar4,dc=sparcs,dc=org

NSS Installation Using libnss-ldap
$ vi /etc/nsswitch.conf

How to Debug
# /etc/init.d/nscd stop
# /etc/init.d/nslcd start
# nslcd -d
nscd = name service caching daemon
nslcd = local LDAP name service daemon
What is PAM?
Pluggable Authentication Module
Does authentication against an LDAP server.
A module that helps centralize authentication, so that it does not have to be set up separately for every service.
Provides libraries containing the functions for each authentication method.
  Service authentication configuration files: /etc/pam.d/*
  PAM authentication modules: /lib/security/*
  Configuration files of the PAM authentication modules: /etc/security/*

How PAM works
  1. When a user accesses a particular service, the service asks PAM for authentication.
  2. PAM checks the configuration file for the requesting service (/etc/pam.d/<service>).
  3. Authentication is performed according to that configuration.
  4. The result is returned to the service.
  5. The service grants or denies service based on the authentication result (True/False).

PAM Architecture

PAM Authentication
  1. Use the pam_ldap module from the libpam-ldap package
  2. Use the password hashes that the LDAP server delivers to the client via NSS
Option 1: login can be restricted according to where in the directory the user is stored; fewer access rights to the LDAP directory are needed; doesn't expose password hashes
Option 2: can return the password hashes with getent shadow (only when accessed as root)

PAM Installation Using libpam-ldapd
As with NSS there are two choices, libpam-ldap and libpam-ldapd.
With the update to libpam-ldapd and libnss-ldapd, NSS and PAM, which used to run separately, now share the same backend (nslcd) and configuration file (/etc/nslcd.conf).
Let's use the simpler libpam-ldapd.
$ sudo apt-get install libpam-ldapd
How to configure with libpam-ldap or pam_unix instead: https://wiki.debian.org/ldap/pam
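The NSS and PAM slides above touch three client-side files: /etc/nsswitch.conf, the nslcd configuration (/etc/nslcd.conf) and the PAM auth stack. As an added example, not part of the slides, the following shell script checks that each is set up the way the slides intend, and adds the one check a practitioner would want on top: that the connection nslcd opens to the server is protected, since with the plain ldap:// URI shown on the libnss-ldap slide pam_ldap binds with the user's password in the clear. The checks read a file on stdin; the sample file contents are constructed so the script runs offline. Function names are this example's own, the file formats and nslcd.conf keywords (uri, base, ssl, tls_reqcert, tls_cacertfile) are the real ones.

```shell
#!/bin/sh
# Added example, not from the slides: audit the client-side files that the
# NSS and PAM slides configure. Each check reads a file on stdin and returns
# 0 (pass) or 1 (fail); audit_client runs them all over the three files.
# Sample contents below are constructed. Function names are this example's own.

# nsswitch.conf on stdin: does database $1 (passwd, group, shadow, ...) list
# "ldap" among its sources?
nss_uses_ldap() {
    awk -v db="$1" '
        BEGIN { found = 0 }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# nslcd.conf on stdin: is the connection to the server protected? Pass if the
# URI is ldaps:// or a local ldapi:// socket, or "ssl on" / "ssl start_tls"
# is set. With a plain ldap:// URI and no start_tls, the password that
# pam_ldap binds with travels to the server unencrypted.
nslcd_uses_tls() {
    awk '
        BEGIN { ok = 0 }
        $1 == "uri" && $2 ~ /^(ldaps|ldapi):\/\// { ok = 1 }
        $1 == "ssl" && ($2 == "on" || $2 == "start_tls") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# /etc/pam.d/common-auth on stdin: is pam_ldap.so part of the auth stack?
pam_auth_uses_ldap() {
    awk '
        BEGIN { found = 0 }
        $1 == "auth" { for (i = 2; i <= NF; i++) if ($i == "pam_ldap.so") found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 nsswitch.conf  $2 nslcd.conf  $3 common-auth. Prints one line per check
# and returns the number of failed checks.
audit_client() {
    fails=0
    for db in passwd group shadow; do
        if nss_uses_ldap "$db" < "$1"; then
            echo "ok   nsswitch: $db served by ldap"
        else
            echo "FAIL nsswitch: $db not served by ldap"; fails=$((fails + 1))
        fi
    done
    if nslcd_uses_tls < "$2"; then
        echo "ok   nslcd: connection to the server is protected"
    else
        echo "FAIL nslcd: plain ldap:// without start_tls"; fails=$((fails + 1))
    fi
    if pam_auth_uses_ldap < "$3"; then
        echo "ok   pam: pam_ldap.so present in the auth stack"
    else
        echo "FAIL pam: pam_ldap.so missing from the auth stack"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed samples; URI and base DN follow the slides.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns'

SAMPLE_NSLCD_PLAIN='uid nslcd
gid nslcd
uri ldap://wseminar4.sparcs.org
base dc=wseminar4,dc=sparcs,dc=org'

SAMPLE_NSLCD_TLS='uid nslcd
gid nslcd
uri ldap://wseminar4.sparcs.org
base dc=wseminar4,dc=sparcs,dc=org
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt'

# Shaped like the common-auth that pam-auth-update writes on Debian/Ubuntu.
SAMPLE_COMMON_AUTH='auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so'
```

On a configured client, run `audit_client /etc/nsswitch.conf /etc/nslcd.conf /etc/pam.d/common-auth`; a non-zero return value is the number of checks that failed. The samples above reproduce the slides' plain ldap:// setup, so the only failing check is the transport one, which disappears once `ssl start_tls` and `tls_reqcert demand` are added to nslcd.conf (the server then needs a certificate the client's CA file can verify).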
Testing
Check with $ sudo getent passwd that the LDAP server and the client are connected properly.
Check that you can log in to the client machine with an ID that was added to the DB on the LDAP server.

References
  http://en.wikipedia.org/wiki/lightweight_directory_access_protocol - LDAP
  http://en.wikipedia.org/wiki/openldap - OpenLDAP
  http://en.wikipedia.org/wiki/pluggable_authentication_module - PAM
  https://wiki.debian.org/ldap - LDAP installation / configuration
  https://help.ubuntu.com/14.04/serverguide/openldap-server.html - LDAP installation / configuration
  2009-2012 LDAP wheel seminars (casper, harry, logue, chaos)

The End