LINSOL.ORG Red Hat Enterprise Linux Variants

Upload: jeffry-spencer
Post on 30-Dec-2015

Page 1: Red Hat Enterprise Linux Variants
Server:
  Red Hat Enterprise Linux Advanced Platform
  Red Hat Enterprise Linux
Client:
  Red Hat Enterprise Linux Desktop
    with Workstation option
    with Multi-OS option
    with Workstation and Multi-OS options

Page 2: Red Hat Network
A comprehensive software delivery, system management, and monitoring framework
Update Module: Provides software updates. Included with all Red Hat Enterprise Linux subscriptions
Management Module: Extended capabilities for large deployments
Provisioning Module: Bare-metal installation, configuration management, and multi-state configuration rollback capabilities
Monitoring Module: Provides infrastructure health monitoring of networks, systems, applications, etc.

Page 3: Other Red Hat Supported Software
Red Hat Application Stack
JBoss Enterprise Middleware Suite
Red Hat Directory Server
Red Hat Certificate System
Red Hat Global File System

Page 4: Objectives of RH423
Develop skills required to manage and deploy directory services on Red Hat Enterprise Linux systems
Gain a better understanding of PAM and user authentication on Red Hat Enterprise Linux

Page 5: Audience and Prerequisites
Audience: Senior Red Hat Linux and Red Hat Enterprise Linux system administrators and other IT professionals who need to provide enterprise-wide authentication or information services
Prerequisites: RHCE certification or comparable skills and knowledge

Page 6: Classroom Network
example.com network (192.168.0.0/24)
server1.example.com (192.168.0.254)
  Main classroom server: Provides DHCP, DNS, routing and other services
stationX.example.com (192.168.0.X)
  Student systems
serverX+100.example.com (192.168.0.X+100)
  Virtual server hosted on student stations
serverX+200.example.com (192.168.0.X+200)
  Secondary virtual server hosted on student stations

Page 7: Notes on Internationalization
Red Hat Enterprise Linux supports nineteen languages
Default language can be selected:
  During installation
  With system-config-language
  System->Administration->Language
Alternate languages can be used on a per-command basis:
  $ LANG=en_US.UTF-8 date
Language settings are stored in /etc/sysconfig

Page 8: Objectives
Upon completion of this unit, you should be able to:
  Explain what a directory service is
  Explain the history of LDAP and X.500
  Understand the LDAP information model
  Read and write simple LDIF
  Explore issues

Page 9: What is a Directory?
A directory is a specialized database that normally stores small pieces of information
Special-purpose directories are common:
  A telephone book is a directory of names to telephone numbers
  DNS is a directory of host names to IP addresses
  NIS is a directory of system information: username to password file data, name to e-mail alias, mount point to device, and so on

Page 10: Ideal Directory Data
Small pieces of information will be stored
  Potentially many small pieces of information
Data will be frequently read but rarely written
Individual entries are based on collections of attributes (phone number, address, etc.)
Information will need to be searched for or looked up by multiple client users

Page 11: Uses of a Directory
Look up e-mail addresses and contact information in mail clients and web browsers
Manage and synchronize user authentication centrally from a network server
Centrally coordinate informational databases used by various network services
Store and search for arbitrary data

Page 12: X.500 Directory Service
General-purpose directory service designed by ISO and CCITT starting in the 1980s
The Directory: a fully-connected global directory, information organized in a tree
Flexible information model
Intended for "white pages" telephone and X.400 e-mail directories, OSI name service
DAP: client/server communication protocol

Page 13: X.500 Problems
X.500 (and DAP) is complex and resource hungry to implement
  The standards process did not require test implementations to prove feasibility!
  Early implementations were slow, buggy, and did not interoperate well
X.500 is tied to the OSI network model
  The Internet is based on TCP/IP, not OSI
  Deployment was therefore slow

Page 14: Lightweight Directory Access Protocol
Originally for use by desktop computer clients
LDAP improves X.500 DAP in several ways:
  Uses TCP transport in place of OSI networking
  Simplifies protocol to nine basic operations
  Uses a subset of X.500 message encoding rules
  Data elements are simple text strings

Page 15: LDAP Directory Service
Initial ldapd daemon acted as a gateway
In 1995, UMich LDAP group realized over 99% of X.500 queries came through ldapd
A standalone LDAP daemon (slapd) replaced ldapd and the X.500 service
  Removed overhead of LDAP-to-DAP translation
  Improved performance and reduced directory service complexity

Page 16: LDAP Models
Information Model
  How individual entries in the directory are structured
Naming Model
  Where entries are stored in the hierarchical directory tree
Functional Model
  What operations can be performed on the directory
Security Model
  How directory information is protected from unauthorized access

Page 17: Information Model
An entry stores information about an object of interest in the directory
  The basic unit of information storage
Each entry is made up of attributes which describe characteristics of the object
Each attribute in an entry has a type and takes one or more values
The unique distinguished name of an entry is based on one of its attributes

Page 18: Directory Schema
The schema defines rules on what attributes can be used in which entries and how their values are formatted and compared
Keeps directory data consistent and useful
  Reduces redundant or inappropriate information stored in entries
  Constraints on size and format help avoid bogus data values being assigned to attributes

Page 19: Commonly Seen Attributes
dn - The unique DN identifying the entry
cn - The entry's common name (full name)
sn - The surname (last name) of a user
uid - Login name
c - Two letter country code
o - Name of an organization
ou - Name of an organizational unit
mail - Internet e-mail address

Page 20: Object Classes
An object class groups related information
  Defines which attributes are mandatory and which are permitted in an entry
objectclass attributes specify which object classes an entry belongs to
There are different kinds of object classes
  An entry must have one structural object class
  An entry may add one or more additional auxiliary object classes

Page 21: Derived Object Classes
An object class may be a subclass derived from another object class
The derived class inherits the required and optional attribute lists from its superclass
The derived class may then add additional required and optional attributes

Page 22: Sample Entry in LDIF Form
dn: dc=ds,dc=nust,dc=com
objectclass: dcObject
objectclass: top
dc: ds

dn: ou=People,dc=ds,dc=nust,dc=com
objectclass: organizationalUnit
objectclass: top
ou: People

Page 23: Troubleshooting an LDIF Entry
Does the RDN match an attribute-value pair?
Is there exactly one structural class, not counting parent superclasses?
Do all mandatory attributes have a value?
Are there any attributes set which the object class or classes for this entry do not allow?
Do any single-value attributes have multiple values?
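As an added illustration of this checklist (not part of the course material), the following Python script applies the five questions to entries read from LDIF. The SCHEMA dictionary is a constructed, hand-reduced subset of the standard top, domain, dcObject, organizationalUnit, person, organizationalPerson and inetOrgPerson definitions, SINGLE_VALUED is likewise an assumption of this example, and SAMPLE_LDIF is constructed test data; a real check would read the server's own schema files instead.

```python
"""Mechanised "Troubleshooting an LDIF Entry" checklist (added example, not course code).
The schema is a constructed subset of the standard definitions so the script runs offline."""
import re

# class -> (kind, superclass, MUST attributes, MAY attributes); names lower-cased
SCHEMA = {
    "top": ("abstract", None, {"objectclass"}, set()),
    "domain": ("structural", "top", {"dc"}, {"o", "description"}),
    "dcobject": ("auxiliary", "top", {"dc"}, set()),
    "organizationalunit": ("structural", "top", {"ou"}, {"description"}),
    "person": ("structural", "top", {"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("structural", "person", set(), {"ou", "st", "l"}),
    "inetorgperson": ("structural", "organizationalperson", set(), {"uid", "mail", "givenname"}),
}
SINGLE_VALUED = {"dc", "c"}  # declared SINGLE-VALUE in the constructed schema

def parse_ldif(text):
    """Minimal reader: blank lines separate entries, folded lines are joined (no base64)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                   # trailing "" flushes the final entry
        if line.strip():
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def first_rdn(dn):
    """(attribute, unescaped value) of the leftmost DN component."""
    rdn = re.match(r"((?:\\.|[^,\\])*)", dn).group(1)   # stop at first unescaped comma
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())

def superclass_chain(cls):
    """[cls, its superclass, ...] up to top."""
    return [cls] + (superclass_chain(SCHEMA[cls][1]) if SCHEMA[cls][1] else [])

def check_entry(entry):
    """Apply the five checklist questions; return a list of problem strings."""
    dn = entry["dn"][0]
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if any(c not in SCHEMA for c in classes):
        return [f"{dn}: unknown object class among {classes}"]
    problems = []
    # 1. Does the RDN match an attribute-value pair of the entry?
    attr, value = first_rdn(dn)
    if value.lower() not in (v.lower() for v in entry.get(attr, [])):
        problems.append(f"{dn}: RDN {attr}={value} is not an attribute value of the entry")
    # 2. Exactly one structural class, not counting parent superclasses
    structural = {c for c in classes if SCHEMA[c][0] == "structural"}
    inherited = {s for c in structural for s in superclass_chain(c)[1:]}
    leaves = sorted(structural - inherited)
    if len(leaves) != 1:
        problems.append(f"{dn}: expected one structural class, found {leaves or 'none'}")
    # 3./4. Mandatory and permitted attributes, inherited down the superclass chains
    must, may = set(), set()
    for s in {s for c in classes for s in superclass_chain(c)}:
        must |= SCHEMA[s][2]; may |= SCHEMA[s][3]
    present = {a for a in entry if a != "dn"}
    for a in sorted(must - present):
        problems.append(f"{dn}: mandatory attribute '{a}' has no value")
    for a in sorted(present - must - may):
        problems.append(f"{dn}: attribute '{a}' is not allowed by the entry's object classes")
    # 5. Do any single-valued attributes have multiple values?
    for a in sorted(present & SINGLE_VALUED):
        if len(entry[a]) > 1:
            problems.append(f"{dn}: single-valued attribute '{a}' has {len(entry[a])} values")
    return problems

def check_ldif(text):
    """Map each entry's DN to its problem list (empty list means it passes)."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}

# Constructed sample: two well-formed entries and one that fails every question.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectclass: top
objectclass: domain
dc: example

dn: uid=lee,ou=People,dc=example,dc=com
objectclass: top
objectclass: inetOrgPerson
cn: Lee Example
sn: Example
uid: lee

dn: uid=broken,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalUnit
cn: Broken Entry
mail: broken@example.com
dc: one
dc: two
"""
```

check_ldif(SAMPLE_LDIF) reports nothing for the first two entries and seven problems for uid=broken: its RDN attribute uid is absent, it lists two structural classes, sn and ou are missing, dc and mail are not permitted by person or organizationalUnit, and dc holds two values.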

Page 24: Managing Directory Data
What attributes do your applications need?
  Are they hard-wired to use a particular schema?
  Do applications have conflicting needs?
Correct object class selection is important
  Helps avoid poor quality or badly formatted data
  An entry cannot change its structural object class after creation!

Page 25: Managing Directory Data
Use standard schema definitions if possible
  Auxiliary classes may help
Avoid storing identical or redundant data in multiple attributes
  Otherwise, ensure the values stay synchronized
Plan for change
  What attributes might you need in the future?
  How will current data be kept up to date?

Page 26: Developing a Data Policy
What data will and will not be stored in the directory service
Who has the ability to modify which entries
Who has the ability to access which entries
Legal considerations affecting the above
How exceptions may be made if needed

Page 27: Unit 2
The LDAP Naming Model

Page 28: Objectives
Upon completion of this unit, you should be able to:
  Use the LDAP naming model
  Use and construct LDAP distinguished names (DNs)
  Interpret directory suffixes
  Organize entries in the directory
  Define a name space in LDIF

Page 29: LDAP Naming Model
The naming model defines how entries are organized and identified in the directory
Every entry must have a unique name that may be referenced unambiguously
  The distinguished name or DN
A well-designed name space is critical
  Easier retrieval and maintenance of data
  Easier to apply access control policies

Page 30: The Directory Information Tree
Directory entries are arranged in a hierarchy
  The directory information tree, or DIT
  Similar to a file system or DNS hierarchy
Each entry has one parent entry
An entry may have any number of children
The DN of an entry specifies its position in the directory hierarchy
  uid=lee,ou=sales,dc=foo,dc=com

Page 31: Distinguished Names
The leftmost component of the DN is the relative distinguished name, or RDN
The RDN must be selected from the attributes of the entry
Unique among entries that share the same immediate parent entry
Two entries may have the same RDN if they have different parent entries (and therefore their full DNs are different)

Page 32: Escaped Characters
Some characters must be escaped with a backslash (\) if they appear in a component of a DN
  Comma, plus, double quote, backslash, less-than, greater-than, or semicolon at the start of a component
  White space at the start or end of a component
dn: o=Example\, Inc.,st=Delaware,c=us
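The following Python helper is an added example, not course code: it builds and splits DNs using the escaping rules of RFC 4514 section 2.4 (comma, plus, double quote, backslash, less-than, greater-than and semicolon wherever they occur in a value, '#' at the start of a value, and a space at the start or end). The function names are this example's own. It also demonstrates the point of the previous slide: the same RDN under two different parents gives two different DNs.

```python
"""DN building and splitting with RFC 4514 escaping (added example, not course code)."""
import re

# Escaped anywhere in a value; '#' only at the start and a space only at the
# start or end of a value (RFC 4514 section 2.4).
_ALWAYS = set(',+"\\<>;')

def escape_rdn_value(value):
    """Return the raw attribute value as it must appear inside a DN string."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_dn(*components):
    """Join (attribute, raw value) pairs, leftmost (RDN) first, into a DN."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in components)

# One DN component: a run of escaped pairs or characters other than ',' and '\'.
_COMPONENT = re.compile(r"((?:\\.|[^,\\])*)(?:,|$)")

def split_dn(dn):
    """Split a DN into (attribute, unescaped value) pairs, RDN first."""
    parts, pos = [], 0
    while pos < len(dn):
        m = _COMPONENT.match(dn, pos)
        if m is None:
            raise ValueError(f"dangling backslash in DN: {dn!r}")
        attr, sep, value = m.group(1).partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {m.group(1)!r}")
        parts.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value)))
        pos = m.end()
    return parts

def rdn_of(dn):
    """The relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]

def parent_of(dn):
    """DN of the immediate parent entry ('' when there is no parent)."""
    return build_dn(*split_dn(dn)[1:])

if __name__ == "__main__":
    dn = build_dn(("o", "Example, Inc."), ("st", "Delaware"), ("c", "US"))
    print(dn)                          # o=Example\, Inc.,st=Delaware,c=US
    print(split_dn(dn))
    for d in ("uid=lee,ou=sales,dc=foo,dc=com", "uid=lee,ou=devel,dc=foo,dc=com"):
        print(rdn_of(d), "under", parent_of(d))   # same RDN, different parents
```

A DN is split only at commas that are not preceded by a backslash, so the value of o in the slide's example survives the round trip as "Example, Inc."; attribute names are lower-cased on the way in because they are case-insensitive, while values are left alone.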

Page 33: The Directory Suffix
The global LDAP name space is distributed among multiple directory partitions
The suffix is the DN of the highest entry in the LDAP directory hierarchy which is stored in a directory partition
  The node below which your name space lives
  The DNs of all entries in that directory partition end with the suffix

Page 34: Choosing a Suffix
LDAP does not place restrictions on the suffix you may use or the structure of your directory
Your suffix should be unique in case your server ever needs to coexist with others
There are two standard approaches
  The X.500 naming model
  The Internet domain naming model

Page 35: X.500 Suffixes
X.500-style suffixes are geographically and organizationally based
  o=Example\, Inc.,st=Delaware,c=US
Useful if X.500(93) compatibility is needed
In practice, it has proved hard to find and manage names using this naming scheme

Page 36: Internet Domain Suffixes
The preferred method is to use components of the organization's DNS domain
  For example.com: dc=example,dc=com
Since we know the DNS domain is unique, then the LDAP suffix is also unique
Can simplify deployment and configuration
Easier to manage in the long term

Page 37: Structure of the Name Space
After selecting the suffix, the structure of the directory name space must be designed
At one extreme is a flat name space containing all entries directly under the suffix
  uid=raoit,dc=nust,dc=com
At the other is a deep name space dividing entries into fine categories
  uid=raoit,ou=seecs,ou=it,dc=nust,dc=com

Page 38: Flat Name Space
[Figure: a flat name space. The suffix dc=nust,dc=com has the user entries uid=raoit, uid=jbrown and uid=jvedder, each with its cn value, placed directly beneath it.]

Page 39: Flat Name Space Issues
Advantages
  Names do not need to change when job roles change or the organization changes
  Simple design avoids the need for object categorization by directory administrators
Disadvantages
  Hard to partition the directory later if needed
  May be hard to maintain unique DNs

Page 40: Deep Name Space
[Figure: a deep name space. Under dc=example,dc=com the tree is first divided by locality (l=North America and a second locality whose label is unreadable), then ou=People, then ou=Sales and ou=Devel, with user entries such as uid=joe, uid=mara, uid=jeanne and uid=pete at the leaves.]

Page 41: Designing the Name Space
There is no name space design that is ideal for all situations
  May help to think about how you planned the DNS name space of hosts and subdomains
Try to keep the hierarchy fairly flat
  Simpler management, good for small directories
Depth is useful for
  Avoidance of naming collisions
  Dividing up directory management

Page 42: One Compromise Name Space
[Figure: under dc=example,dc=com the tree is divided only by locality (l=North America, l=Europe); a user entry such as uid=pete sits directly under its locality and carries ou=Sales as an attribute rather than as a subtree.]
Set the ou attribute on entries
  Can still search based on ou
  Changing ou just affects one entry, not directory hierarchy

Page 43: Designing the Name Space
Place entries in subtrees based on the type of entry, not just by organizational structure or geography
For example:
  inetOrgPerson entries under ou=People
  Entries for groups under ou=Groups
  Entries for machines under ou=Hosts
Can use in addition to other schemes

Page 44: Defining the Name Space
The LDAP server will need to have your name space input in LDIF format
You will need an entry for your root node
You will need entries for any nodes which act only as containers for other entries
Various object classes are useful
  domain, dcObject, country, locality, organization, organizationalUnit
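As an added example (not course code) tying together the Internet-domain suffix and the root and container entries described above, this Python script derives the dc= suffix from a DNS domain and emits the LDIF skeleton: one root entry and one organizationalUnit container per name. The object class choices are this example's own: a root built from the structural class domain, or, when an organization name is supplied, from organization plus the auxiliary dcObject. Container names that would need DN escaping are rejected rather than escaped, which is an assumption of this example.

```python
"""LDIF skeleton for an Internet-domain-style name space (added example, not course code)."""
import re

_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Container names are placed unescaped inside DNs, so (an assumption of this
# example) only values that contain no DN-special characters are accepted.
_PLAIN_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]*$")

def suffix_for_domain(domain):
    """example.com -> dc=example,dc=com (each DNS label becomes one dc component)."""
    labels = domain.strip(".").lower().split(".")
    for label in labels:
        if not _DNS_LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {domain!r}")
    return ",".join(f"dc={label}" for label in labels)

def namespace_ldif(domain, containers=("People", "Groups", "Hosts"), organization=None):
    """Root entry plus one organizationalUnit container per name in `containers`."""
    suffix = suffix_for_domain(domain)
    first_label = suffix.split(",")[0][len("dc="):]
    if organization is None:
        # 'domain' is structural and requires dc: enough for a pure DNS-style root
        root = [f"dn: {suffix}", "objectClass: top", "objectClass: domain", f"dc: {first_label}"]
    else:
        # 'organization' is structural too, so dc comes from the auxiliary class dcObject
        root = [f"dn: {suffix}", "objectClass: top", "objectClass: organization",
                "objectClass: dcObject", f"o: {organization}", f"dc: {first_label}"]
    entries = [root]
    for name in containers:
        if not _PLAIN_VALUE.match(name) or name.endswith(" "):
            raise ValueError(f"container name {name!r} would need DN escaping")
        entries.append([f"dn: ou={name},{suffix}", "objectClass: top",
                        "objectClass: organizationalUnit", f"ou: {name}"])
    return "\n\n".join("\n".join(entry) for entry in entries) + "\n"

if __name__ == "__main__":
    print(namespace_ldif("example.com"))
    print(namespace_ldif("example.com", organization="Example, Inc."))
```

The comma in "Example, Inc." needs no escaping here because it appears only as an attribute value on an o: line, never inside the DN, which is built from the dc components alone.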


Page 46: Planning the Directory
A well-designed directory tree can make directory management much simpler
Additional references which may be useful:
  Red Hat Directory Administrator's Guide
  Understanding and Deploying LDAP Directory Services by Timothy Howes, Mark Smith, and Gordon Good.