Lecture LPI202 - Chapter 06 Advanced Linux Network Administration


ppt, 66 pages | Shared by: honghanh66 | Views: 974 | Downloads: 0
Network Client Management
Chapter 06 Advanced Linux Network Administration

Objectives
  • Dynamic Host Configuration Protocol
  • DHCP configuration
  • NIS configuration
  • LDAP configuration
  • PAM authentication

Dynamic Host Configuration Protocol
  • DHCP is a network protocol for automatically assigning TCP/IP information to client machines. Each DHCP client connects to the centrally-located DHCP server to get:
      • IP address
      • Subnet mask
      • Gateway
      • DNS servers
      • Domain

Configuring a DHCP Server
  • The configuration file is /etc/dhcpd.conf.
  • The file /var/lib/dhcp/dhcpd.leases stores the client lease database.
  • Global options can be declared for all clients, or options can be declared for each client system.
  • The keywords are case-insensitive, and lines beginning with a hash mark (#) are considered comments.
  • Read the dhcpd.conf man page for details about the different modes.
  • If you change the configuration file, the changes will not take effect until you restart the DHCP daemon with the command service dhcpd restart.

DNS update schemes
  • Two DNS update schemes are currently implemented:
      • The ad-hoc DNS update mode: ddns-update-style ad-hoc;
      • The interim DHCP-DNS interaction draft update mode: ddns-update-style interim;

Subnet Declaration
  • A subnet declaration must be included for every subnet in the network.
  • Example:
        subnet 192.168.1.0 netmask 255.255.255.0 {
            option routers 192.168.1.254;
            option subnet-mask 255.255.255.0;
            option domain-name "example.com";
            option domain-name-servers 192.168.1.1;
            option time-offset -18000;   # Eastern Standard Time
            range 192.168.1.10 192.168.1.100;
        }

Static IP Address using DHCP
  • To assign an IP address to a client based on the MAC address of its network interface card.
  • Example:
        host apex {
            option host-name "apex.example.com";
            hardware ethernet 00:A0:78:8E:9E:AA;
            fixed-address 192.168.1.4;
        }

Starting and Stopping the DHCP Server
  • Starting the DHCP server for the first time will fail unless there is an existing dhcpd.leases file:
        touch /var/lib/dhcp/dhcpd.leases
  • To start the DHCP service: /etc/init.d/dhcpd start
  • To stop the DHCP server: /etc/init.d/dhcpd stop
  • If there is more than one network interface attached to the system and the DHCP server should be started on only one of them, add the name of the interface to the list of DHCPDARGS in /etc/sysconfig/dhcpd:
        # Command line options here
        DHCPDARGS=eth0

NIS Configuration
Master Server Configuration
  • On a Linux system the network information system (NIS) server is called ypserv (package name: ypserv). The RPM package has the same name and installs the following main files:
      • /etc/rc.d/init.d/yppasswdd
      • /etc/rc.d/init.d/ypserv
      • /etc/rc.d/init.d/ypxfrd
      • /etc/ypserv.conf
      • /var/yp/Makefile

NIS Configuration
  • Choose a nisdomain name. In /etc/sysconfig/network set the variable NISDOMAIN. For example, we can set the nisdomain to linis as follows:
        NISDOMAIN=linis   # entry in /etc/sysconfig/network
  • The file /etc/sysconfig/network will be sourced by the ypserv initscript.
  • Make sure the master server will push map changes to the slave servers. For this you need to edit the file /var/yp/Makefile and put NOPUSH=false.

NIS Configuration
  • Start the ypserv daemon: /etc/init.d/ypserv restart
  • Check that the nisdomain has been properly set:
        [root@server]# nisdomainname
        linis
  • Create the databases; the -m option to ypinit indicates that the server is a master server:
        /usr/lib/yp/ypinit -m
  • Enter the list of slave servers you will run on this domain. This will create a number of DBM files in /var/yp/linis as well as a file called /var/yp/ypservers.

NIS Configuration
Slave Server Configuration
  • On the slave server, we need to install the ypserv package too. This time we run ypinit and point it to the master server:
        /etc/rc.d/init.d/ypserv start
        /usr/lib/yp/ypinit -s MASTER_IP
  • Also make sure to leave the line NOPUSH=true in /var/yp/Makefile.

NIS Configuration
Client Setup
  • On the client the main service is called ypbind (package name: ypbind). This daemon is responsible for binding to a NIS server and resolves names and passwords as needed.
  • The main configuration file is /etc/yp.conf. If the NISDOMAIN variable is set in /etc/sysconfig/network, which is sourced by the rc-script /etc/init.d/ypbind, then the NIS server will be detected using broadcast. One can also configure yp.conf and specify the server explicitly. So all that is needed is to start ypbind:
        /etc/init.d/ypbind start
  • Make sure that the nis keyword is added to /etc/nsswitch.conf.

Setting up NFS home directories
  • Anybody with an account on the NIS server can log onto a machine set up using ypbind pointing at the correct server.
  • All that is needed is for the user to access a home directory. One implementation uses NFS and assumes that all the home directories are on a single server with the IP 10.0.0.1. All the clients are on the 10.0.0.0/8 network.
  • On the NFS server, edit /etc/exports and add:
        /home 10.0.0.0/8(rw)
    Notice that root_squash will apply by default.
  • On the client, edit /etc/fstab and add:
        10.0.0.1:/home /home nfs defaults 0 0

Basic NIS Administration
  • With the latest versions of ypserv a number of default maps are created using source files in /etc.
  • It is possible to alter the YPPWDDIR and YPSRCDIR variables in the Makefile to build maps from alternative files in custom locations.
  • Updates are made with the Makefile in /var/yp. The targets are all, passwd, group ...
  • Copy the new maps to /var/yp/linis and run yppush to update the slave servers:
        yppush MAP_NAME

LDAP
  • LDAP is a directory access protocol.
  • It is up to the implementation to use whatever backend it wants.
  • LDAP can be used to store any form of information, but it is designed for directories:
      • Small bits of data
      • Mostly read access

Directory Services
  • A "directory" service is a network accessible database:
      • Small amount of information in each request/reply.
      • Limited functionality (as compared to a complete database system).
      • Updates (changes) are much less frequent than queries.

Directories
  • Some typical examples include:
      • telephone directories
      • lists of addresses (email, network, P.O., etc.)
  • Each record is referenced by a unique key:
      • given a name, look up a phone number
      • given a name, look up an email address

Applications
  • Some applications simply provide a front-end to a directory service.
      • Electronic phone book.
  • Some applications use a directory service to store configuration information, auxiliary databases, etc.

Information Structure
  • Typically, the information in a directory is structured hierarchically (but it doesn't have to be).
  • The structure of the data (the hierarchy) is often useful in finding data and provides some (minimal) relationship between records.

Example: DNS
  • The Domain Name System is an example of a directory:
      • hierarchical structure
      • for each item there is a unique key (the hostname) and a number of attributes:
          • IP address
          • Mail exchanger
          • Host information
          • etc...

X.500
  • X.500 is a Directory Service that has been used for a while:
      • Based on the O.S.I. Protocol Stack
      • requires the upper layers (above transport) of the OSI Stack
      • Heavyweight service (protocol).

LDAP
  • A number of lightweight front-ends to X.500 have been developed; the most recent is LDAP:
      • Lightweight Directory Access Protocol
      • Based on TCP (but can be mapped to other protocols).
      • 90% of the functionality of X.500
      • 10% of the cost

LDAP & U. of Michigan
  • LDAP originated at the University of Michigan.
  • LDAP can be used as a front-end to X.500 or stand-alone.
  • LDAP is now available commercially from a number of sources (including Netscape).

LDAP definition
  • RFC 1777: data representation scheme; defined operations and their mapping to a request/response protocol.
  • RFC 1823: Application Programming Interface (has become a standard).

LDAP Data Representation
  • Each record has a unique key called a distinguished name (dn for short).
  • A distinguished name (RFC 1779) is meant to be used by humans (not just computers).
  • Each dn is a sequence of components.
  • Each component is a string containing an attribute=value pair.

Example DN
        CN=Dave Hollinger,OU=Computer Science,O=Rensselaer Polytechnic Institute,C=US
  • Typically written all on one line.

Hierarchy
  • Like Domain Names, the name can be interpreted as part of a hierarchy. The last component of the dn is at the highest level in the hierarchy.
        CN=Joe Integral, OU=Math, O=RPI, C=US

Sample Hierarchy
        C=US
        ├── O=RPI
        │   ├── OU=Computer Science
        │   │   └── CN=Dave Hollinger
        │   └── OU=Math
        └── O=MIT

Component Names
  • The components can be anything, but there is a standard hierarchy used (for a global LDAP namespace):
      • C        country name
      • O        organization name
      • OU       organizational unit
      • CN       common name
      • L        locality name
      • ST       state or province
      • STREET   street address

Relative DNs
  • Relative Distinguished Names are the individual components of a Distinguished Name (interpreted as relative to some position in the hierarchy). For example, the RDN "ou=Math" falls in the hierarchy below "o=RPI, c=US".

DN usage
  • A distinguished name is a key used to access a record.
  • Each record can contain multiple attribute/value pairs.
  • Examples of attributes:
      • phone number
      • email address
      • title
      • home page
      • public key
      • project 3 grade

Schemas
  • LDAP uses schemas to define what attributes an object can and must have.
      • The posixAccount object class corresponds to an entry in a passwd file.
      • posixGroup corresponds to a group.
  • The same object can implement multiple object classes:
      • uid=jheiss,ou=people,dc=example,dc=com might be a posixAccount, inetOrgPerson and pilotPerson.

Schema Examples
        attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
            DESC 'RFC1274: user identifier'
            EQUALITY caseIgnoreMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

        objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
            DESC 'Abstraction of an account with POSIX attributes'
            MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
            MAY ( userPassword $ loginShell $ gecos $ description ) )

ObjectClass
  • A commonly used attribute is "objectClass".
  • Each record represents an object, and the attributes associated with that object are defined according to its objectClass (the value of the objectClass attribute).

Object Type examples
  • Examples of objectClass:
      • organization (needs a name and address)
      • person (needs name, email, phone & address)
      • course (needs a CRN, instructor, mascot)
      • cookie (needs name, cost & taste index)

Defining ObjectClass types
  • You can define what attributes are required for objects with a specific value for the objectclass attribute.
  • You can also define what attributes are allowed.
  • New records must adhere to these settings!

Multiple Values
  • Each attribute can have multiple values; for example, we could have the following record:
        DN: cn=Dave Hollinger, O=RPI, C=US
        CN: Dave Hollinger
        CN: David Hollinger
        Email: hollingd@cs.rpi.edu
        Email: hollid2@rpi.edu
        Email: satan@hackers.org

LDAP Services
  • Add, Delete, Change entry
  • Change entry name (dn).
  • Searching (the primary operation): search some portion of the directory for entries that match some criteria.
  • Authentication: LDAP authentication can be based on simple passwords (cleartext) or Kerberos. LDAP V3 includes support for other authentication techniques, including reliance on public keys.

LDAP Requests
  • bind/unbind (authentication)
  • search
  • modify
  • add
  • delete
  • compare

OpenLDAP server configuration
Software
  • Servers: Kerberos, OpenSSL, SASL (1.x until OpenLDAP 2.1.x is available), OpenLDAP
  • Clients: All of the above plus nss_ldap and pam_krb5
  • The server is called slapd (Standalone LDAP daemon) and its configuration file is /etc/openldap/slapd.conf.

LDAP Servers
  • Create user and group (ldap/ldap).
  • Make/buy a signed SSL certificate.
      • The CN in the SSL certificate should be the canonical name of the server as reported by reverse DNS, i.e. moonshine.example.com.
      • If possible, list the user-friendly name in the x509v3 Subject Alternative Name field. Within the usr_cert section of openssl.cnf:
            subjectAltName=DNS:ldap1.example.com
      • OpenSSL doesn't have support for prompting for this field, so you'll have to edit openssl.cnf for each cert you generate.
  • Restrict the private key to the ldap group:
        chmod 640 slapd-key.pem
        chgrp ldap slapd-key.pem

LDAP Servers
  • Create the service principal:
        kadmin -q "addprinc ldap/hostname"
        kadmin -q "ktadd -k /etc/openldap/ldap.keytab ldap/hostname"
        chmod 640 ldap.keytab
        chgrp ldap ldap.keytab

LDAP Server Configuration
  • Edit /etc/openldap/slapd.conf:
      • Schemas
      • Database Definition

Importing schemas
  • An include clause in slapd.conf tells the LDAP server which schemas should be loaded. We need at least the following:
        include /etc/openldap/schema/core.schema
        include /etc/openldap/schema/misc.schema
        include /etc/openldap/schema/cosine.schema
        include /etc/openldap/schema/nis.schema
        include /etc/openldap/schema/inetorgperson.schema

Database Definition
  • Available DBMs (Database Managers) are ldbm or the more recent bdb. In case of using bdb:
        database bdb
  • To specify the root or base of the LDAP directory, as well as the directory where the database files will be kept:
        suffix "dc=example,dc=com"
        directory /var/lib/ldap/
  • The following lines are only needed when modifying the LDAP server online. You can then specify an administrator username/password. Use slappasswd to generate the password hash:
        rootdn "cn=Manager,dc=example,dc=com"
        rootpw {SSHA}KiXS5htbnVEQp7OrjoteQZHHICs0krBO

Additional LDAP Server Config
  • Packet Filtering:
      • LDAP, LDAP w/ TLS: 389/tcp
      • LDAPS: 636/tcp
  • Initial Database Population:
        ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f initial.ldif
  • Remove rootdn and rootpw from slapd.conf and restart.
  • All future edits should be authorized via ACLs in slapd.conf.

Testing Server
  • Test in stages:
        ldapsearch -H ldap://hostname/ -x
        ldapsearch -H ldaps://hostname/ -x
        ldapsearch -H ldap://hostname/ -ZZ -x
        ldapsearch -H ldap://hostname/
        ldapsearch -H ldaps://hostname/
        ldapsearch -H ldap://hostname/ -ZZ

LDAP Clients
  • /etc/ldap.conf is used by the nss_ldap and pam_ldap modules. Edit /etc/ldap.conf:
        host ldap1.example.com ldap2.example.com
        base dc=example,dc=com
        ssl start_tls
        tls_checkpeer yes
        tls_cacertfile /etc/ssl/ca-cert.pem

LDAP Clients
  • /etc/openldap/ldap.conf is used by the tools ldapsearch and ldapadd. Edit /etc/openldap/ldap.conf:
        URI ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
        BASE dc=example,dc=com

Testing Client
  • ldapsearch: makes sure /etc/openldap/ldap.conf is set up properly and that the connection to the server is good.
  • id username
  • getent passwd username
  • If things don't work:
      • Try turning off checkpeer in /etc/ldap.conf
      • Try setting ssl to no in /etc/ldap.conf
      • Try turning off nscd

Troubleshooting
  • Sample error messages:
      • ldap_sasl_interactive_bind_s: Local error
          • the ldap/hostname service principal is not set up
          • the user doesn't have a ticket or the ticket has expired
      • ldap_sasl_interactive_bind_s: Can't contact LDAP server
          • checking the hostname against the CN field of the SSL cert failed

Example
  • The /etc/ldap.conf file:
        host 10.0.0.1
        base dc=example,dc=com
        ssl no   # don't use SSL certificates
        pam_password md5
  • Next, in /etc/pam.d replace the file called login with /usr/share/doc/nss_ldap-207/pam.d/login. This will tell the authentication binary /bin/login to use the pam_ldap.so module.
  • Finally, /etc/nsswitch.conf needs to have the line:
        passwd: ldap files
  • Check the /var/log/ldap/ldap.log file on the server.

LDAP Authentication Scheme
Server Configuration
  • Copy the passwd PAM file /usr/share/doc/nss_ldap-version/pam.d/passwd to /etc/pam.d.
  • Add the following access rule in /etc/openldap/slapd.conf:
        access to attrs=userPassword
            by self write
            by anonymous auth
            by * none

LDAP Authentication Scheme
Client Configuration
  • The nss_ldap package needs to be installed (or the separate pam_ldap package). The following files and libraries are installed:
      • /etc/ldap.conf
      • /lib/libnss_ldap-2.3.2.so
      • /lib/security/pam_ldap.so
      • /usr/lib/libnss_ldap.so
      • /usr/share/doc/nss_ldap-207/pam.d

LDAP Management
  • OpenLDAP tools: ldapadd, ldapmodify, ldapdelete
      • Not very user friendly
  • Jason's tools: ldapcat, ldapedit, ldapposixadd
      • Useful for folks used to NIS
  • Integration into centralized tools: Perl and Net::LDAP
      • Sample code on the web page

PAM
  • Services or applications which need authentication can use the pluggable authentication module (PAM) mechanism, which offers a modular approach to the authentication process. For example: if a new hardware authentication scheme is added to a system, using smart cards or prime number generators, and if corresponding PAM library modules are available for this new scheme, then it is possible to modify existing services to use this new authentication scheme.

PAM Aware Applications
  • Services which use pluggable authentication modules have been compiled with libpam. For example, sshd is such a service:
        ldd `which sshd` | grep pam
        libpam.so.0 => /lib/libpam.so.0 (0x00941000)
  • These applications will scan the PAM configuration files, which in turn tell the application how the authentication will take place.

PAM Configuration
  • /etc/pam.conf is the PAM configuration file. It contains a list of services and a set of instructions, i.e.:
        service type control module-path module-arguments
  • If the directory /etc/pam.d exists then pam.conf is ignored and each service is configured through a separate file in pam.d. These files are similar to pam.conf except that the service name is dropped:
        type control module-path module-arguments

PAM Configuration
  • type defines the "management group type". PAM modules are classified into four management groups which define different aspects of the authentication process:
      • account
      • auth
      • password
      • session

PAM Configuration
  • control defines what action to take if the module fails. The simple controls are:
      • requisite
      • required
      • sufficient
      • optional
  • module-path: the path to a PAM module (usually in /lib/security)
  • module-arguments: list of arguments for a specific module

Summary
  • DHCP Configuration
  • NIS
  • Lightweight Directory Access Protocol
  • PAM authentication

Files attached to this document:

  • pptlpi202_c6_network_client_management_4736.ppt