Red Hat
RH423 Red Hat Enterprise Directory Services and Authentication
RH423-RHEL5u1-en-2-20080905
Copyright © 2008 Red Hat, Inc. All rights reserved

Table of Contents

RH423 - Red Hat Enterprise Directory Services and Authentication
    RH423: Red Hat Enterprise Directory Services and Authentication
    Copyright
    Welcome
    Participant Introductions
    Red Hat Enterprise Linux
    Red Hat Enterprise Linux Variants
    Red Hat Network
    Other Red Hat Supported Software
    The Fedora Project
    Objectives of RH423
    Audience and Prerequisites
    Classroom Network
    Notes on Internationalization

Unit 1 - Introduction to Directory Services
    Objectives
    What is a Directory?
    Ideal Directory Data
    Uses of a Directory
    X.500 Directory Service
    X.500 Problems
    LDAP
    LDAP Directory Service
    LDAP Models
    Information Model
    Directory Schema
    Directory Schema
    Directory Schema
    Standard Schema Definitions
    Example Attribute Definition
    Sample Attribute Syntaxes
    Sample Matching Rules
    Commonly Seen Attributes
    Object Classes
    Example Object Class
    Derived Object Classes
    Example Object Class
    extensibleObject
    LDIF
    LDIF    27
    Sample Entry in LDIF Form    28
    Troubleshooting an LDIF Entry    29
    Managing Directory Data    30
    Managing Directory Data    31
    Developing a Data Policy    32
    End of Unit 1    33
    Lab 1: Directory Schema and LDIF    34
        Sequence 1: Reading Schema    35
        Sequence 2: Reading LDIF files    38

Unit 2 - The LDAP Naming Model
    Objectives    43
    LDAP Naming Model    44
    The Directory Information Tree    45
    Distinguished Names    46
    Escaped Characters    47
    The Directory Suffix    48
    Choosing a Suffix    49
    X.500 Suffixes    50
    Internet Domain Suffixes    51
    Structure of the Name Space    52
    Flat Name Space    53
    Flat Name Space Issues    54
    Deep Name Space    55
    Designing the Name Space    56
    One Compromise Name Space    57
    Designing the Name Space    58
    Defining the Name Space    59
    Name Space Definition LDIF    60
    Planning the Directory    61
    End of Unit 2    62
    Lab 2: Preparing Directory Data    63
        Sequence 1: Selecting a schema and naming plan    64
        Sequence 2: Converting Data    69

Unit 3 - Red Hat Directory Server: Basic Configuration
    Objectives    75
    Red Hat Directory Server    76
    Components    77
    System Requirements    78
    Installation Overview    79
    Preparing for Installation    80
    User and Configuration Directory    81
    Admin Server and Management    82
    Using setup-ds-admin.pl    83
    Using setup-ds-admin.pl    84
    Starting and Stopping Services    85
    Using Red Hat Console    86
    Red Hat Directory Server File Locations    87
    dse.ldif    88
    The schema Directory    89
    The errors Log    90
    The access Log    91
    Administration Server File Locations    92
    Backing up the Directory Data    93
    Restoring the Directory Data    94
    Export Directory DB to LDIF    95
    Import LDIF to Directory DB    96
    Indexes    97
    Working With Indexes    98
    End of Unit 3    99
    Lab 3: Installing Red Hat Directory Server    100
        Sequence 1: Controlling the default host-based firewall    101
        Sequence 2: Installing Red Hat Directory Server    102
        Sequence 3: Loading the directory data and testing the server    104

Unit 4 - Searching and Modifying the LDAP Directory
    Objectives    107
    LDAP Functional Model    108
    Command-Line Utilities    109
    OpenLDAP Client Utilities    110
    OpenLDAP Client Configuration    111
    Common Options    112
    ldapsearch    113
    LDAP Search Filters    114
    LDAP Search Filters    115
    LDAP Search Filters    116
    Search Filter Escapes    117
    The Root DSE    118
    Other Directory Specific Entries    119
    ldapdelete    120
    ldapmodrdn    121
    ldappasswd    122
    ldapadd    123
    ldapmodify    124
    LDIF Update Format    125
    LDIF Update Format    126
    LDIF Update Example    127
    Combined Attribute Updates    128
    Schema Updates over LDAP    129
    Directory Server CLI Differences    130
    Red Hat Console    131
    Graphical Address Books    132
    The Dirty Secret    133
    Practical Address Books    134
    End of Unit 4    135
    Lab 4: Using the LDAP Directory    136
        Sequence 1: Searching the LDAP directory    137
        Sequence 2: Modifying the directory    138
        Sequence 3: Graphical address book clients    141
        Challenge Sequence 4: Converting Between LDAP Schemas    143

Unit 5 - Red Hat Directory Server: Authentication and Security
    Objectives    146
    Directory Server Security    147
    Authentication and Access Control    148
    User Authentication    149
    Transport Layer Security    150
    TLS Configuration    151
    Installing TLS Certificates    152
    Using certutil    153
    Enabling TLS Security    154
    Enabling Client TLS Security    155
    Access Control Instructions    156
    Access Control Instructions    157
    Anatomy of an ACI    158
    Example ACIs    159
    Targets of an ACI    160
    Permissions of an ACI    161
    Bind Rules of an ACI    162
    User Bind Rules    163
    Groups    164
    Other Bind Rules    166
    ACIs and Red Hat Console    167
    Default ACIs    168
    Get Effective Rights    169
    Tips on ACI Design    170
    End of Unit 5    171
    Lab 5: Red Hat Directory Server and TLS/SSL    172
        Sequence 1: Creating and installing a CA-signed server certificate    173
        Sequence 2: Enabling TLS in Directory Server    175
        Sequence 3: Confirming Directory Server TLS Operation    176

Unit 6 - Linux User Authentication with NSS and PAM
    Objectives    178
    Authentication and Authorization    179
    Users and Groups    180
    Standard C Library    181
    Simple UNIX Authentication    182
    C Library Name Services    183
    Name Service Switch    184
    /etc/nsswitch.conf    185
    Name Service Lookup Results    186
    Result Actions    187
    getent    188
    Other Authentication Methods    189
    PAM    190
    PAM Authentication    191
    PAM Configuration    192
    PAM Configuration    193
    Simple Control Values    194
    Basic PAM Modules    195
    Example /etc/pam.d File    196
    include Control Value    197
    pam_stack.so    198
    pam_cracklib.so    199
    Lists of Items    200
    Utilities and Authentication    201
    Advanced Control Syntax    202
    Advanced Control Syntax    203
    Advanced Control Syntax    204
    /etc/pam.d/other    205
    End of Unit 6    206
    Lab 6: PAM and NSS    207
        Sequence 1: Name Service Switch (NSS) and NIS    208
        Sequence 2: Pluggable Authentication Modules (PAM) and NIS    210
        Sequence 3: PAM-based authentication and local administrative tools    212

Unit 7 - Centralized User Authentication with LDAP
    Objectives    215
    Central Account Management    216
    10rfc2307.ldif    217
    posixAccount    218
    User Structural Classes    219
    Choosing a User Object Class    220
    shadowAccount    221
    posixGroup    222
    posixGroup and Static Groups    223
    Arbitrary NIS Maps    224
    Automount Map Review    225
    LDAP auto.master Example    226
    /misc/data Automount Example    227
    Using the Schema    228
    Migration Scripts    229
    migrate_common.ph    230
    Migration Perl Scripts    231
    Migration Shell Scripts    232
    Linux Client Integration    233
    /etc/ldap.conf    234
    /etc/ldap.conf    235
    /etc/ldap.conf    236
    Simple Bind Security    237
    LDAP NSS Configuration    238
    LDAP PAM Configuration    239
    pam_ldap Authentication    240
    pam_ldap Password Changes    241
    Example PAM Configuration    242
    LDAP Authentication Issues    243
    NIS-like LDAP Authentication    244
    userPassword Hashes    245
    Security Issues    246
    End of Unit 7    247
    Lab 7: Network Authentication with LDAP    248
        Sequence 1: Preparing the LDAP directory server    249
        Sequence 2: Preparing and migrating NIS users to LDAP    251
        Sequence 3: Configuring clients for LDAP authentication    253
        Challenge Sequence 4: Storing other NIS information in LDAP    255
        Sequence 5: LDAP authentication with pam_ldap    258

Unit 8 - Kerberos and LDAP
    Objectives    260
    Kerberos    261
    Kerberos and LDAP    262
    Principals    263
    Initial Authentication    264
    Ticket Authentication    265
    Service Profile: Kerberos    266
    /etc/krb5.conf    267
    Installing a Master KDC    268
    kdc.conf    269
    kadm5.acl    270
    Using kadmin    271
    Installing Application Servers    272
    Kerberos Clients    273
    Debugging Kerberized Services    274
    Slave KDCs    275
    Configuring Slave KDCs    276
    Kerberos Security    277
    Preauthentication    278
    Ticket Validation    279
    LDAP and Kerberos    280
    Directory Server Configuration    281
    Access Control Issues    282
    Mapping SASL Entries    283
    End of Unit 8    284
    Lab 8: Kerberos and LDAP    285
        Sequence 1: Configuring the Kerberos KDC    286
        Sequence 2: Configuring a Kerberos application server    288
        Sequence 3: Making the LDAP server Kerberos-aware    290
        Sequence 4: Troubleshooting Kerberos authentication    292

Unit 9 - Directory Referrals and Replication
    Objectives    299
    Directory Partitions    300
    Referrals and Replication    301
    Referrals    302
    Smart Referrals    303
    Default Referrals    304
    Replication    305
    Benefits of Replication    306
    Replication Protocol    307
    Directory Server Replication    308
    Consumer Configuration    309
    Single Master Configuration    310
    Multi-Master Configuration    311
    Aggregating Servers    312
    High-Availability Clusters    313
    Directory Service Planning    314
    End of Unit 9    315
    Lab 9: LDAP Directory Replication    316
        Sequence 1: Installing a slave LDAP server    317
        Sequence 2: Creating and installing a CA-signed server certificate    319
        Sequence 3: Enabling TLS in Directory Server    321
        Sequence 4: Preparing the slave server's Kerberos keytab    322
        Sequence 5: Configuration of the master LDAP server    323
        Sequence 6: Testing replication    324
        Challenge Sequence 7: Multi-Master Replication    326

Unit 10 - Cross-Platform Centralized Identity Management
    Objectives    328
    Centralized Identity Management    329
    Microsoft Active Directory    330