Upload
phungkhanh
View
216
Download
0
Embed Size (px)
Citation preview
Directory ServicesPRINCIPLES – NIS – LDAP – DNS
Labs and deadlinesn AMD ->Intel n Just nu uppgraderar vi kernel
o Hoppas det löser interupts ->slött nätverkn Deadlines
o http://www.ida.liu.se/~TDDI41/timetable/index.en.shtmln Om jag glömmer (vilket jag gör) säg till mig om att lägga ut
föreläsningsslides
What is a directory?Fundamental propertiesn Maps keys to valuesn Relatively frequent lookupsn Relatively infrequent updates
Examplesn Phone bookn Office directoryn User databasen List of contacts
Directories in LinuxUser databasen /etc/passwd, /etc/shadowGroup databasen /etc/groupHost namesn /etc/hostsNetwork namesn /etc/networkProtocol namesn /etc/protocols
Service namesn /etc/servicesRPC program numbersn /etc/rpcKnown ethernet addressesn /etc/ethersAutomount mapsn /etc/auto.master
Standard implementation: local files
The scalability problemExamplen 13000 users and 5000 hostsn Passwords valid for 30 daysn 50% of changes made at 8-10à One change every 28.8 secondsà Propagation time: 0.00567s
Problemsn Performance issuesn Hosts that are downn Other propagation failuresn Simultaneous updates
What is a directory serviceA specialized databasen Attribute-value type informationn More reads than updatesn Consistency problems are sometimes OK
n No transactions or rollbackn Support for distribution and replicationn Clear patterns to searches
Directory servicesComponentsn A data modeln A protocol for searchingn A protocol for readingn A protocol for updatingn Methods for replicationn Methods for distribution
Common directory servicesn DNSn X.500 Directory Servicen Network Information Servicen NIS+ n Active Directory (Windows NT)n NDS (Novell Directory Service)n LDAP (Lightweight X.500)
Directory servicesGlobal directory servicen Context: entire network or entire
internetn Namespace: uniformn Distribution: usuallyn Examples: DNS, X.500, NIS+,
LDAP
Local directory servicen Context: intranet or smallern Namespace: non-uniformn Examples: NIS, local files
Directory services in LinuxAlias: name servicesn /etc/nsswitch.conf selects servicen Several services per directoryn Modular design/implementation
Examples from /etc/nsswitch.confusers files,nisusers nis[notfound=return],fileshosts dns,files
NIS, NIS+, LDAP
Network Information ServiceDomain (NIS domain)n Systems administered with NISn No connection to DNS domain
NIS servern Server that has information
accessible through NISn Serves one or more domains
NIS clientn Host that uses NIS as a directory
service for something
ida.liu.se
fo.ida.liu.se
NISProtocoln RPC basedn No securityn No updatesn Replication support
Replicationn Master/slave servers
Distributionn No distribution support!
Data modeln Directories known as mapsn Simple key-value mappingn Values have no structure
arjle 1001:adFrldonkn 1002:*:203johne 1003:trzQwalatu 2031:kprrTjohmc 2032:bRelZedwyo 2033:*:204ricst 2034:vvldkpetde 2232:*:204larwa 3021:*:204
passwd.byname
NISMaster servern Maps built from text filesn Maps in /var/ypn Maps built with maken Maps stored in binary formn Replication to slaves with
yppush
Slave serversn Receive data from mastern Load balancing and failover
Processes/commandsn ypserv Server processn ypbind Client processn ypcatTo view mapsn ypmatch To search mapsn ypwhich Show statusn yppasswdd Change password
NISNIS clientn Knows its NIS domainn Binds to a NIS server
Two optionsn Broadcastn Hard coded NIS-server
n ypbind
NIS Client Portmapper NIS Server
GETPORT
DOMAIN_NONACK
BIND
NISScalability problemsn Flat namespacen No distribution
Security problemsn No access controln Broadcast for bindingn Patched as an afterthought
Primitive protocoln No updates
o Hack for password changen Search only on keyn Primitive data model
Solution: NIS+
NIS+Scalabilityn Hierarchical namespacen Distributed administration
Securityn Authentication of server, client
and usern Access control on per-cell level
New protocoln Updates through NIS+n General searchesn Data model with real tables
So why is NIS+ not used?
LDAPProtocoln TCP-basedn Fine-grained access controln Support for updatesn Flexible search protocol
Replicationn Replication is possible
Distributionn Distributed management is
possible
Data modeln Based on X.500n Object-orientedn Objects can be extended freelyn Attribute-based data modeln Hierarchical namespace
Example of user
name passwd uid gid gecos home shelldavby *LK* 1211 1200 David /home/davby /bin/shfsmith 3x1231v76T89N 1329 1200 Fran /home/fsmith /bin/sh
NIS+ table ”passwd.org_dir.example.com”
davby davby:*:1211:1200:David:/home/davby:/bin/shfsmith fsmith:*:1329:1200:Fran:/home/fsmith:/bin/sh
NIS table passwd.byname (user name as key):
Example of userdn: uid=fsmith,ou=employees,dc=example,dc=com objectclass: person objectclass: organizationalPersonobjectclass: inetOrgPersonuid: fsmithgivenname: Fran sn: Smith cn: Fran Smith cn: Frances Smith telephonenumber: 510-555-1234 roomnumber: 122G o: Example Corporation International mailRoutingAddress: [email protected] mailhost: mail.example.com userpassword: {crypt}3x1231v76T89N uidnumber: 1329 gidnumber: 1200 homedirectory: /home/fsmithloginshell: /bin/sh LDAP
The futureLDAP is taking overn NIS is too insecure, doesn’t scale and is inflexiblen NIS+ is hard to implement and doesn’t exist on many OSesn X.500 is too complex and has a bad reputationn Other options have similar problems
DNS
DNS: Data modeln Functional: NAME à { TYPE à RDATA }n Relational: (NAME, TYPE, RDATA)
NAME TYPE RDATAida.liu.se A 130.236.177.25ida.liu.se MX 0 ida.liu.seida.liu.se NS ns.ida.liu.seida.liu.se NS ns1.liu.seida.liu.se NS ns2.liu.seida.liu.se NS nsauth.isy.liu.se
DNS: TYPE & RDATATYPEn SOA – Start of authorityn NS – Name servern MX – Mail exchangern A – Addressn AAAA – IPv6 addressn PTR – Domain name pointern CNAME – Canonical namen TXT – Text
… and many more
RDATAn Binary data, hardcoded formatn TYPE determines format
DNS: NamespaceNamesn Dot-separated parts
o one.part.after.another
FQDNn Fully Qualified Domain Namen Complete namen Always ends in a dot
Partial namen Suffix of name implicitn Does not end in a dot
Namespacen Global and hierarchical
<root>
com net org se
google ibm liuibm
tfkidawwwwwwwww
www
DNS: ReplicationSecondary/slave
nameservern Indicated by NS RRn Data transfer with AXFR/IXFR
Questionsn How does a slave NS know
when there is new information?n How often should a slave NS
attempt to update?n How long is replicated data
valid?
Example
Rule of thumbn Every zone needs at least two
nameservers
sysi-00:~# host -t ns ida.liu.seida.liu.se NS nsauth.isy.liu.seida.liu.se NS ns.ida.liu.seida.liu.se NS ns1.liu.se
DNS: DistributionDelegationn A NS can delegate
responsibility for a subtree to another NS
n Only entire subtrees can be delegated
Zonen The part of the namespace
that a NS is authoritative forn Defined by SOA and NS
Domainn A subtree of the namespace
<root>
com net org se
google ibm liuibm
tfkidawwwwwwwww
www.com domain
.se zone
DNS: DelegationDelegating NSn NS record for delegated zonen A record (glue) for NS when
needed
Delegated-to NSn SOA record for the zone
Examplea.example.com NS ns2.x.com
b.x.com NS ns.b.x.comns.b.x.com A 10.1.2.3
b.x.com SOA (ns.b.x.comdns.x.com2004090900124H 2H 1W 2D)
DNS: DelegationFormat of SOAn MNAME Master NSn RNAME Responsible
(email)n SERIAL Serial numbern REFRESH Refresh intervaln RETRY Retry intervaln MINIMUM TTL for negative
reply
SERIALn Increase for every updaten Date format common
o 2004090901
REFRESH/RETRYn How often secondary NS
updates the zone
MINIMUMn How long to cache
NXDOMAIN
DNS: CacheingCacheing creates scalabilityn Cacheing reduces tree traversaln Cacheing of A and PTR reduce
duplicate DNS queries
Choosing good cacheparameters is vital
Cache parametersn TTL – Set per RRn Negative TTL – Set in
SOA
Example$TTL 4H SOA (
MNAME RNAMESERIAL REFRESH RETRY 1H )24H NS ns
ns 24H A 10.1.2.3
DNS: The serverRecursive/iterativen Does the server offer recursion?n To which clients is it offered?
Authoritative/nonauthorit…
n Authoritative: first-handinformation
n Otherwise: cached information
Reviewn Recursive: the nameserver
gives a definite answer, but mayask other nameservers in order to generate it
n Iterative: the nameserver gives a definite answer only for locally known information; otherwise it generates a referral
DNS: The clientClient requirementsn Use a recursive NS (resolver)n Use partially qualified names
Partially qualified namesn Add suffix if there are fewer
than n dots in the name (ndots)
Name server (resolver)n Specified in /etc/resolv.conf
Example: /etc/resolv.confsearch ida.liu.senameserver ns.ida.liu.sendots 2
APP libc
nss
libnss_dns.so
Resolver library Recursive NSIterative NS
Iterative NSIterative NS
Iterative NS
nsswitch.conf
resolv.conf
DNS: Root Name ServerHandles the root zonen Data generated by ICANNn Data distributed by Verisignn Distribution from hidden master
Thirteen servicesn Some are anycastn Over 60 servers
Why no more than 13?
Operator Locations A VeriSign Dulles VA B ISI Marina Del Rey CA C Cogent Communications Herndon VA; Los Angeles; New York City; Chicago D University of Maryland College Park MD E NASA Ames Mountain View CA F Internet Systems
Consortium, Inc. Ottawa; Palo Alto; San Jose, CA; New York City; San Francisco; Madrid; Hong Kong; Los Angeles; Rome; Auckland; Sao Paulo; Beijing; Seoul; Moscow; Taipei; Dubai; Paris; Singapore; Brisbane; Toronto; Monterrey; Lisbon; Johannesburg;Tel Aviv; Jakarta; Munich;
G U.S. DOD NIC Vienna VA H U.S. Army Research Lab Aberdeen MD I Autonomica/NORDUnet Stockholm; Helsinki; Milan; London; Geneva; Amsterdam; Oslo;
Bangkok; Hong Kong; Brussels; Frankfurt J VeriSign Global Registry
Services Dulles VA (2 locations); Mountain View CA; Seattle WA; Amsterdam; Atlanta GA; Los Angeles CA; Miami; Stockholm; London; Tokyo; Seoul; Singapore; Sterling VA (2 locations, standby)
K RIPE NCC London; Amsterdam; Frankfurt; Athens; Doha (Quatar)L ICANN Los Angeles M WIDE Project Tokyo; Seoul (KR); Paris (FR)
DNS: CNAMECanonical namen Pointer within namespacen Johansson: See Johnson
CNAME Whoopsie 1www CNAME informatixwww A 130.236.177.12
CNAME Whoopsie 2ida.liu.se. NS ns.ida.liu.se.ns CNAME vitalstatistixvitalstatistix A 130.236.177.12
ida
www informatix
www.ida.liu.se CNAME informatix.ida.liu.se
DNS: PTRAddress-to-name mappingn Same RR type for IPv4 och IPv6n ”A big reverse zone in the sky”
IPv4: in-addr.arpa.n Reverse address and add in-addr.arpa.n A.B.C.D à D.C.B.A.in-addr.arpa.n Same as any other name in DNS!
o Same lookup, cache etc.o CNAME works too
15.189.236.130.in-addr.arpa. PTR sysi-05.sysinst.ida.liu.se.
<root>
com arpa se
google ibm liu
tfkida
www
in-addr
0 130 255… …
0 236 255… …
0 189 255… …
0 15 255… …
DNS: Delegation in in-addr.arpa.Delegationn Delegering of entire subtreesn Subtrees at each dotn In in-addr.arpa a dot after each octet of the address
Q: How to delegate partial subtrees corresponding to small subnets, e.g. 10.17.1.0/26?
A: Use CNAME to create a new zone that can be delegated!
A: Delegate each address as a separate zone
10
17
1
0 63…1 2 3 4 5
$GENERATE 1-63 $ CNAME $.rv4.sysinst.ida.liu.se.
se
liu
ida
sysinst
rv4
0 63…1 2 3 4 5
arpa
in-addr
<root>
DNS: The protocolTCP or UDPn Normally UDP port 53n TCP if the reply is too large
DNS packetn Header section Flags etc.n Query section Queries to the servern Answer section Replies to the queriesn Authority section Referrals to other NSn Additional section Extra data that may be useful (e.g. glue)
DNS: The protocolHeader section: flagsn QR Query or responsen OPCODE Type of quern AA Authoritative Answern TC TrunCationn RD Recursion Desiredn RA Recursion Availablen Z Reservedn RCODE Result code
Flagsn Set RD for recursive quern If AA is not set, reply is from
cachen If TC it set, the reply is too large
for UDP
RCODEn SERVFAIL Problem with NSn NXDOMAIN No such namen REFUSED Refuse to reply
DNS: The protocolQuestion sectionn Contains questionsn Also included in reply
Answer sectionn Contains requested RRsn Empty in referral replies
Authority sectionn Indicates authoritative NSn Never empty in referrals
Additional sectionn RR related to response, but not
part of responsen E.g. A for NS in authority
section
sysi-00:~# dig www.ida.liu.se @a.ns.se; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @a.ns.se;; global options: printcmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7059;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:;www.ida.liu.se. IN A
;; AUTHORITY SECTION:liu.se. 86400 IN NS ns2.liu.se.liu.se. 86400 IN NS sunic.sunet.se.liu.se. 86400 IN NS nsauth.isy.liu.se.liu.se. 86400 IN NS ns1.liu.se.
;; ADDITIONAL SECTION:ns1.liu.se. 86400 IN A 130.236.6.251ns2.liu.se. 86400 IN A 130.236.6.243sunic.sunet.se. 86400 IN A 192.36.125.2nsauth.isy.liu.se. 86400 IN A 130.236.48.9
sysi-00:~# dig www.ida.liu.se @nsauth.isy.liu.se; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @nsauth.isy.liu.se;; global options: printcmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49836;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:;www.ida.liu.se. IN A
;; ANSWER SECTION:www.ida.liu.se. 259200 IN CNAME informatix.ida.liu.se.informatix.ida.liu.se. 259200 IN A 130.236.177.26
;; AUTHORITY SECTION:ida.liu.se. 259200 IN NS ns1.liu.se.ida.liu.se. 259200 IN NS ns2.liu.se.ida.liu.se. 259200 IN NS nsauth.isy.liu.se.ida.liu.se. 259200 IN NS ns.ida.liu.se.
;; ADDITIONAL SECTION:ns.ida.liu.se. 259200 IN A 130.236.177.25ns1.liu.se. 43200 IN A 130.236.6.251ns2.liu.se. 43200 IN A 130.236.6.243nsauth.isy.liu.se. 21600 IN A 130.236.48.9
sysi-00:~# dig www.ibm.com @ns.ida.liu.se; <<>> DiG 9.2.4rc5 <<>> www.ibm.com @ns.ida.liu.se;; global options: printcmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38042;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:;www.ibm.com. IN A
;; ANSWER SECTION:www.ibm.com. 1800 IN A 129.42.21.99www.ibm.com. 1800 IN A 129.42.16.99www.ibm.com. 1800 IN A 129.42.17.99www.ibm.com. 1800 IN A 129.42.18.99
;; AUTHORITY SECTION:ibm.com. 600 IN NS ns.austin.ibm.com.ibm.com. 600 IN NS ns.watson.ibm.com.ibm.com. 600 IN NS ns.almaden.ibm.com.
;; ADDITIONAL SECTION:ns.austin.ibm.com. 70372 IN A 192.35.232.34ns.watson.ibm.com. 92202 IN A 129.34.20.80ns.almaden.ibm.com. 70372 IN A 198.4.83.35
DNS: Commandsnslookupn Look up names
hostn Look up data in DNS
dign Look up data in DNSn Full access to protocol
whoisn Information about who has registered a domainn Many versions – jwhois is nice
DNS: Server typesMastern Source of DNS datan Authoritative for zone
Secondaryn Authoritative for zone
Forwardern Cache onlyn Forwards queries
Recursive-onlyn Performs recursive queries
DNS: Server architecture
Forwarder
Forwarder Recursive
Slaves
Master
Administrator
Clients
Clients
Firewall
Zone configuration in BINDFilesn named.confn Zone files
In Debian: /etc/bindn named.confn named.conf.localn named.conf.optionsn Zones.rfc1812n db.0n db.127n db.emptyn db.localn db.root
named.confZone definition (master)
zone ”sysinst.ida.liu.se” {type master;file ”/etc/bind/sysinst.zone”;
}
Other stuffn Optionsn Access control
Optionsn Who can query the servern Who can update the servern Which ports to usen Which address to use
… and so on
$TTL 3600
@ IN SOA (sysinst-gw.ida.liu.se.davby.ida.liu.se.2006083100 ; Serial3600 ; Refresh 1h1800 ; Retry 30min604800 ; Expire3600 ; TTL)
IN NS sysinst-gw.ida.liu.se.IN NS ns.ida.liu.se.
IN MX 10 ida-gw.sysinst.ida.liu.se.
ida-gw IN A 130.236.189.1debian IN CNAME ida-gwheretix IN A 130.236.189.62
$GENERATE 0-16 sysi-${0,2,d} A 130.236.189.${10,,d}$GENERATE 1-8 a$-gw A 130.236.189.${29,,d}$GENERATE 1-8 b$-gw A 130.236.189.${37,,d}$GENERATE 1-8 c$-gw A 130.236.189.${45,,d}
More stuff in BINDn Views
n Dynamic update
n DNSSEC
Directory Service SummaryPropertiesn Search-optimized databasen Attribute-based datan Distributed management for
scalabilityn Replication for performance and
reliabilityn Search protocoln Update protocol
Common directory servicesn DNS – Host names etc.n NIS/NIS+ – Replace local filesn LDAP – General directory
service