LDAP THEORY AND ITS APPLICATION IN LINUX NETWORK SERVICES


Part 1: Theory

1 General introduction to LDAP

1.1 Basic introduction

Today, when building large systems, the most important task is finding a way to integrate data so that it can be shared between different systems. Among these "most important" tasks, integrating user accounts is the most pressing. Imagine a system with about 5 or 6 different modules, each built on a different platform (one on Oracle + AS Portal, another on DB2 with WebSphere, another on MySQL with phpNuke, one on Windows, another on Linux), so that each needs its own set of users. For every module the user would then need a different user name and password, which is unacceptable; users would soon come to hate the system. How can users be integrated across these systems? The answer is LDAP. So what is LDAP?

1.1.1 LDAP - Lightweight Directory Access Protocol

Definition of LDAP

LDAP (Lightweight Directory Access Protocol) is a protocol for fast access to directory services; it is an extended standard for the directory access protocol. LDAP is a protocol for finding and accessing directory-style information on a server. It uses a client/server protocol to access the directory service, and it runs over TCP/IP or other connection-oriented transports. LDAP was also designed specifically for "read" operations, so authenticating a user by means of an LDAP "lookup" is fast, efficient, light on resources and simpler than querying a user account in a database. LDAP servers include OpenLDAP, OpenDS, Active Directory, ...

Explaining the phrase Lightweight Directory Access Protocol

1. Lightweight

Why is LDAP considered lightweight, and lightweight compared with what? To answer these questions you need to look at the origins of LDAP. LDAP is essentially a part of the X.500 directory service; it was in fact designed as a lightweight protocol, used as a gateway that answers requests on behalf of X.500 servers. X.500 is known as a heavyweight: a whole set of standards. It requires client and server to communicate using the OSI model. The seven-layer OSI model is a suitable reference model for designing network protocols, but compared with the TCP/IP standard it is no longer practical. LDAP is considered lightweight because it uses low-overhead packets and is defined directly on top of the TCP layer (port 389 by default) of the TCP/IP protocol suite. X.500, by contrast, is an application-layer protocol that carries much more, for example the network headers wrapped around the packets at every layer before they are sent onto the network.

Figure 1. X.500 over the OSI model; LDAP over TCP/IP

In short, LDAP is considered lightweight because it dropped many of the rarely used methods of X.500.

2. Directory

A directory service must not be confused with a database. A directory is designed to be read far more than written to, whereas a database is suited to frequent, repeated reading and writing alike. LDAP is only a protocol: it is a set of rules for handling kinds of data. A protocol cannot know where the data is stored. LDAP does not provide transaction processing or the other features of a database.

The client never sees or knows that there is a backend storage engine. For this reason, an LDAP client always communicates with the LDAP server according to the following standard model:

Figure 2. Relationship between the LDAP client, the LDAP server and the data store

3. Access Protocol

LDAP is an access protocol. It presents a tree-shaped model of the data, and it is this tree model that is referred to when you access an LDAP server. LDAP's client/server access protocol is defined in RFCs; a client can issue a series of requests, and the responses to those requests can be returned in different orders.

1.1.2 How LDAP works

LDAP uses a client/server communication protocol

A client/server protocol is a model in which a client program running on one computer sends a request across the network to another computer that is running a server program. The server program receives the request, carries it out and then returns the result to the client program. The basic idea of the client/server model is that work is assigned to the computers that have been optimised to perform it. An LDAP server machine needs a great deal of RAM to hold directory contents for fast operations, and it also needs fast disks and processors. The following is the sequence of an LDAP client/server exchange:

Figure 3. Connection model between client and server

1. The client opens a TCP connection to the LDAP server and performs a bind operation. The bind carries the name of a directory entry and the credentials to be used for authentication; the credentials are usually a password but may also be a digital certificate used to authenticate the client.
2. Once the directory has verified the bind, the result of the bind operation is returned to the client.
3. The client issues search requests.
4. The server processes them and returns the results to the client.
5. The server sends a message that ends the search.
6. The client issues an unbind request, which tells the server that the client wants to close the connection.
7. The server closes the connection.

LDAP is a message-oriented protocol

Because client and server communicate through messages, the client builds a message (an LDAP message) containing its request and sends it to the server. The server receives the message, processes the client's request and sends the reply back to the client, also as an LDAP message. For example: when an LDAP client wants to search the directory, the client builds an LDAP search message and sends it to the server. The server searches its database and sends the results to the client in an LDAP message.

Figure 4. A basic search operation

If the client searches the directory and several results are found, those results are sent to the client in several messages.

Figure 5. Messages the client sends to the server

Because LDAP is message-oriented, a client may issue several request messages at the same time. In LDAP, the message ID is used to match the client's requests with the results the server returns.

Figure 6. Multiple search results being returned

Allowing several messages to be processed concurrently makes LDAP more flexible than other protocols. With HTTP, for example, each client request must be answered before the next request is sent, so an HTTP client program such as a web browser that wants to download several files at once has to open a separate connection for each file. LDAP works quite differently, handling all operations over a single connection.

1.1.3 Structure of an LDIF file

The LDIF concept

LDIF (LDAP Data Interchange Format) is defined in RFC 2849; it is a standard text file format for storing LDAP configuration information and directory contents. LDIF files are typically used to import new data into your directory or to change existing data. The data in an LDIF file must follow the rules in the schema of the LDAP directory. The schema is a predefined description of the data allowed in your directory. Every element added to or changed in your directory is checked against the schema to ensure correctness; a schema violation error is raised if the data does not follow the existing rules.

A solution for importing large amounts of data into LDAP: if the data is held in Excel as a few tens of thousands of records, write a tool that converts it to the format above and then import it into the LDAP server.

Structure of an LDIF file

An LDIF file normally follows this layout:
- the different entries are separated by a blank line;
- values are laid out as attribute name: value;
- a set of syntax directives describes how the information is to be processed.

Requirements when writing the contents of an LDIF file:
- a comment in an LDIF file is written after a # at the start of a line;
- the attribute is listed to the left of the colon (:) and the value is shown to the right; the separator is separated from the value by a space;
- the dn attribute uniquely defines the DN that identifies the entry.

Below is an example of the structure of an LDIF file:


    dn: dc=hcmuaf,dc=edu,dc=vn
    objectClass: domain
    objectClass: top
    dc: hcmuaf
    entryUUID: a1255ce5-2710-388c-95a6-3c030a59a8d3

Root node: dc=hcmuaf,dc=edu,dc=com

    dn: o=it,dc=hcmuaf,dc=edu,dc=vn
    objectClass: top
    objectClass: organization
    description: information technology
    o: it
    entryUUID: fbcb85d5-e17c-494e-a36d-5932fb503125
    createTimestamp: 20100326000527Z
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config

Child node: o=it,[root node]

    dn: uid=mai,o=it,dc=hcmuaf,dc=edu,dc=vn
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: top
    givenName: mai
    uid: mai
    cn: mai
    telephoneNumber: 0633649470
    sn: mai
    userPassword: {SSHA}EI41fLuan5bQ1FQA0u8Nvg4/hqRF+i51yrAnNA==
    mail: mai
    facsimileTelephoneNumber: 123i
    entryUUID: b9cb6886-263d-4a0c-bd1f-e315dde47b30
    createTimestamp: 20100326000919Z
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    pwdChangedTime: 20100326000919.471Z

Leaf node: uid=mai,[parent path] or cn=mai,[parent path]

Note: for attribute names followed by :: the value is encoded in Base64 with the UTF-8 charset. If Vietnamese text is typed in directly, the LDAP server will not understand it on import, so it must be Base64-encoded.
- Example: cn: Phạm Thái Thủy becomes cn:: VHLhuqduIFRow6FpIExvbmc= (the :: indicates that this field uses Base64).

Contents of a directory entry in LDIF form

Below is the content of one entry in an LDIF file.

    dn: uid=tuanh,ou=Teacher,o=it,dc=hcmuaf,dc=edu,dc=vn
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: top
    givenName: tuanh
    uid: tuanh
    cn: tuanh
    telephoneNumber: 125698742
    sn: tuanh
    userPassword: {SSHA}WixBYpdCo4bEZPRPwUriImctcWZ9sDgQQ/WElg==
    mail: tuanh
    facsimileTelephoneNumber: 5426
    entryUUID: bc95b0ee-6e3e-480d-83c1-2c1e13c89dc9
    createTimestamp: 20100326001110Z
    creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
    pwdChangedTime: 20100326001110.323Z

An entry is a collection of attributes, each describing one characteristic feature of an object. An entry consists of several lines:
- dn: distinguished name, the name of the directory entry, written entirely on one line;
- then, in turn, the attributes of the entry, which hold the data. Each attribute is on its own line in the format attribute type: attribute value;
- the order of the attributes is not important, but for readability the objectClass values should come first, and values of attributes of the same kind should be kept together.

Some basic attributes in an LDIF file:

No.  Name                      Description
1    dn                        Distinguished Name: the distinguishing name of the entry
2    c                         country: two-letter abbreviation of a country's name
3    o                         organization
4    ou                        organizational unit
5    objectClass               Each objectClass value acts as a template for the data stored in an entry. It defines a set of attributes that must be present in the entry (for example, if an entry's objectClass attribute has the value eperson, and eperson requires the attributes name, email and uid, then the entry must have those attributes) and a set of optional attributes that may or may not be present.
6    givenName                 given name
7    uid                       user id
8    cn                        common name: the name in everyday use
9    telephoneNumber           telephone number
10   sn                        surname
11   userPassword              the user's password
12   mail                      email address
13   facsimileTelephoneNumber  fax number
14   createTimestamp           time this entry was created
15   creatorsName              name of the creator of this entry
16   pwdChangedTime            time the password was changed
17   entryUUID                 id of the entry
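As an added example (not part of the original document), the following Python code parses LDIF according to the rules just listed: entries separated by a blank line, # comments, attribute: value pairs, :: Base64 values and RFC 2849 continuation lines. The sample LDIF and the Vietnamese name in it are constructed for the example; URL references (attr:< ...) are not handled.

```python
import base64

# Constructed sample LDIF (not a real directory export). It exercises the rules
# described above: entries separated by a blank line, a "#" comment, plain
# "attr: value" pairs, a "::" Base64 value carrying a UTF-8 Vietnamese name,
# and an RFC 2849 continuation line (a line starting with one space).
SAMPLE_LDIF = """\
# root of the constructed tree
dn: dc=hcmuaf,dc=edu,dc=vn
objectClass: domain
objectClass: top
dc: hcmuaf

dn: uid=thuy,o=it,dc=hcmuaf,dc=edu,dc=vn
objectClass: inetOrgPerson
uid: thuy
cn:: UGjhuqFtIFRo4buLIFRow7p5
description: a long value that is folded onto
  a second line
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries.

    Each entry is a dict mapping an attribute name to the list of its values;
    "dn" is stored like any other attribute. "attr:: value" is Base64-decoded
    as UTF-8. URL references ("attr:< file:///...") are not supported here.
    """
    # Unfold continuation lines first so every logical line is one attribute.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue                      # comment line
        if line.strip() == "":
            if current:                   # a blank line ends the entry
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            # "attr:: <base64>": the value is the Base64 of its UTF-8 bytes
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_line(name, value):
    """Render one attribute line, switching to the "::" Base64 form when the
    value is not safe as plain LDIF text (non-ASCII, or a leading space,
    colon or "<", or a trailing space), as the note above requires."""
    unsafe = (not value.isascii()
              or value[:1] in (" ", ":", "<")
              or value.endswith(" "))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def entry_to_ldif(entry):
    """Serialise one parsed entry back to LDIF, dn first."""
    order = ["dn"] + [k for k in entry if k != "dn"]
    return "\n".join(ldif_line(k, v) for k in order for v in entry[k]) + "\n"
```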

1.2 LDAP models

LDAP also defines four models, which allow flexibility in laying out directories:
- the LDAP Information model determines the structure and characteristics of the information in the directory;
- the LDAP Naming model determines how information is referenced and organised;
- the LDAP Functional model defines how you access and update the information in your directory;
- the LDAP Security model defines how the information in your directory is protected from unauthorised access.

1.2.1 The LDAP information model

Concept

The LDAP Information model defines the types of data and the basic information elements you can store in a directory. In other words, it describes how to build the blocks of data we can use to create a directory.

The LDAP information model

The basic unit of information in a directory is called an entry. It is a collection of information about an object.

Figure 7. A directory tree whose entries are the basic units

Figure 8. An entry with its basic attributes

The information describing the data is stored in the structure of an *.ldif file. The structure of an LDIF file was introduced above.

1.2.2 The LDAP naming model

Concept

The LDAP Naming model defines how we can arrange and refer to our data. In other words, it describes how entries are arranged into a logical structure, and it specifies how we can refer to any directory entry within that structure. The LDAP Naming model lets us place data in the directory in whatever way we can manage most easily.

Arranging the data

For example, we can create a container holding all the entries describing the people in an organisation (o) and another container holding all your groups, or you can design the entries hierarchically following your organisation's structure. A good design requires proper study.

Figure 9. An LDAP directory tree

We can see that an entry in the directory can be both a file and a directory at the same time.

Figure 10. Part of an LDAP directory with entries holding information

Like a path in a file system, the name of an LDAP entry is formed by joining the names of every ancestor (parent) entry up to the root. In the figure above, the node drawn in bold has the name uid=bjensen, ou=people, dc=airius, dc=com; reading from left to right we can walk back up to the top of the tree, and we see that the individual components are separated by commas. For any DN, the leftmost component is called the relative distinguished name (RDN); as noted, the DN is the unique name of each entry in the directory, so entries with the same parent must have distinct RDNs.

Figure 11. As in the figure above, although two entries share the RDN cn=John Smith, they sit in two different branches.

Aliases, a way of referring to data

Alias entries in an LDAP directory allow one entry to point to another. This lets us build a structure in which the hierarchy is no longer strict; the alias entry concept is like symbolic links in UNIX or shortcuts in Windows 9x/NT. To create an alias entry in the directory you first create an entry with an attribute named aliasedObjectName whose value is the DN of the entry that the alias should point to. The figure below shows an alias entry pointing to a real entry.

Figure 12. LDAP with an alias entry

Not every LDAP directory server supports aliases, however. Because an alias entry can point to any entry, including entries on other LDAP servers, a search that encounters an alias may have to search another directory tree on another server, which raises the cost of the search; this is the main reason many products do not support aliases.

1.2.3 The LDAP functional model

Concept

This model describes the operations we can perform on the directory. The LDAP Functional model contains a set of operations divided into three groups:
- interrogation operations let you search the directory and retrieve data from it;
- update operations: add, delete, rename and modify directory entries;
- authentication and control operations let the client identify itself to the directory and control the activity of the session.

In version 3 of the LDAP protocol there are, besides these three groups, LDAP extended operations, which allow the protocol to be extended in an organised way later without changing the protocol itself.

Description of the operations

1. Interrogation operations (LDAP interrogation)

These let the client find and retrieve information from the directory. The search operation (LDAP search operation) takes eight parameters, for example:

    search(o=people,dc=airius,dc=com, base, derefInSearching, 10, 60, Filter, ArrayAttribute)

- The first parameter is the base object on which the search is performed; it is the DN of the top of the tree we want to search.
- The second parameter is the scope of the search; there are three scopes:
  - base: the search covers only the base object itself;
  - onelevel: the search covers the level immediately below (the direct children of the base object);
  - subtree: the search covers the whole tree of which the base object is the top.

Figure 13. A search with scope base

Figure 14. A search with scope onelevel

Figure 15. A search with scope subtree

- The third parameter, derefAliases, tells the server whether aliases are to be dereferenced (followed) during the search; it can take four values:
  - neverDerefAliases: aliases are never dereferenced, neither in the base object nor in the entries below it;
  - derefInSearching: aliases in the entries below the base object are dereferenced; the base object itself is not;
  - derefFindingBaseObject: aliases are dereferenced when locating the base object, but not in the entries below it;
  - derefAlways: aliases are dereferenced in both cases, whether the base object or the entries below it are aliases.
- The fourth parameter tells the server the maximum number of result entries to return.
- The fifth parameter sets the maximum time allowed for the search.
- The sixth parameter, attrsOnly, is a boolean; if true, the server sends the client only the attribute types of each entry, not their values, which is useful when the client is interested only in which attribute types an entry contains.
- The seventh parameter is the search filter, an expression describing which kinds of entry are to be returned.
- The eighth parameter is the list of attributes to be returned with each entry.

2. Update operations

There are four update operations: add, delete, rename (modify DN) and modify.

3. Authentication and control operations

The authentication operations are bind and unbind:
- Bind lets the client identify itself to the directory; this operation provides identification and authentication.
- Unbind lets the client end the current session.

The only control operation is abandon:
- Abandon lets the client indicate operations whose results it no longer cares about.

4. Extended operations

Besides the nine basic operations, LDAP version 3 is designed to be extended through three mechanisms:

LDAP extended operations
- This is a new kind of protocol operation. If a new operation is needed in the future, it can be defined and standardised without rebuilding the core components of LDAP.
- An example of an extended operation is StartTLS, which tells the server that the client wants to use Transport Layer Security (TLS) to encrypt the connection and, optionally, to authenticate.

LDAP controls
- These are pieces of information attached to LDAP operations that change the behaviour of the operation on the same object.

Simple Authentication and Security Layer (SASL)
- A framework that supports many authentication methods.
- By using SASL for authentication, LDAP can easily adapt to new authentication methods.
- SASL also provides a framework in which client and server can negotiate security at the lower layers (leading to higher security).

1.2.4 The LDAP security model

The last of the LDAP models concerns protecting the information in the directory from unauthorised access. When a bind is performed under a DN, or anonymously, each user has a set of rights over the directory entries; which rights an entry grants is what is called access control. LDAP does not yet define an access control model; access conditions are set up by system administrators through the server software.

1.3 Authentication in LDAP

Authentication in an LDAP directory is necessary and indispensable. Authentication processes are used to establish the client's rights for each use. All work such as searching, querying and so on is governed by the authorisation level of the authenticated user. To authenticate an LDAP user you need the user name, identified as a DN (for example cn=tuanh,o=it,dc=nlu,dc=info), and the password corresponding to that DN.

Some user authentication methods

Anonymous authentication
- Anonymous authentication is a bind to the directory with an empty user name and password. It is very common and frequently used by client applications.

Simple authentication
- With simple authentication the login name, as a DN, is sent together with a password in clear text to the LDAP server.
- The server compares the password with the value of the userPassword attribute, or with other attribute values predefined in the entry for that DN.
- If the password is stored in hashed (encrypted) form, the server applies the corresponding hash function to the supplied password and compares the result with the stored hashed value.
- If the two match, the client is authenticated successfully.

Simple authentication over SSL/TLS
- If sending your user name and password across the network leaves you uneasy about security, it is safer to transmit the information inside an encrypted transport layer.

- LDAP sets up this encrypted transport layer before performing any connection activity, so all user information is protected (at least for the duration of the session).
- There are two ways to use SSL/TLS with LDAPv3.

1. LDAP over SSL

LDAP over SSL (LDAPS, tcp/636) is supported by a great many LDAP servers (both commercial and open source). Although used frequently, it does not accommodate the LDAP StartTLS extension. SSL uses a program layer that sits between the Internet Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers.
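As an added example (not part of the original document), the hashed-password comparison described under simple authentication: building a {SSHA} userPassword value of the kind shown in the LDIF entries above and checking a bind password against it. The salt is recovered from the stored value, so the check works for the 4-byte salts slappasswd produces as well as the 8-byte salts in the examples above; the password and salt used here are constructed. Because SSHA is a single unsalted-speed SHA-1 round, the userPassword attribute should be kept unreadable to ordinary binds by the server's access controls.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20                      # a SHA-1 digest is always 20 bytes


def make_ssha(password, salt=None):
    """Build a {SSHA} value: Base64(SHA1(password || salt) || salt).

    When no salt is given a random 4-byte one is drawn, the length OpenLDAP's
    slappasswd uses. The salt is stored in clear after the digest so that the
    server can repeat the computation at bind time."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Return (digest, salt) from a stored {SSHA} value; the salt is whatever
    follows the fixed-length digest, so any salt length is accepted."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_ssha(stored, candidate):
    """What the server does for a simple bind against a hashed userPassword:
    take the salt from the stored value, hash the candidate the same way and
    compare the two digests in constant time."""
    digest, salt = split_ssha(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```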

In layman's terms, data is encrypted in the user's web browser using a cryptographic key belonging to the website. The data travels from the browser to the website in encrypted form, which ensures that the user's personal information is not transferred in a format readable by anyone who captures and reads it as it crosses the Internet.

2. LDAP over TLS

RFC 2830 defines an extension to LDAPv3 for handling TLS over the standard port tcp/389. The method is known as StartTLS and lets the server support both encrypted and unencrypted sessions on the same port. When server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message. TLS lets servers and clients authenticate each other and negotiate an encryption algorithm and encryption keys before data is exchanged. TLS is the successor of Secure Sockets Layer (SSL) and is based on the same technology; in that sense SSL evolved into the TLS protocols.

1.4 Some services that use the LDAP protocol

By combining these simple LDAP operations, a directory client can carry out complex tasks such as the following examples.

1. Data storage model

A mail program can use a digital certificate stored in the directory on the LDAP server to sign, by sending a search request to the LDAP server. The LDAP server returns the client's digital certificate. The mail program then uses the certificate to sign the message and sends it to the message server. From the user's point of view the whole process runs automatically and needs no attention.

Figure 16. A simple storage model

2. Mail management

The Netscape Messaging Server can use the LDAP directory to check mail. When a message arrives from an address, the message server looks the email address up in the directory on the LDAP server; the message server then knows whether the user's mailbox exists.

Figure 17. Using LDAP to manage mail

3. Authentication using LDAP

To use LDAP to authenticate a user logging in to a system through a verification program, the program proceeds as follows:
- first, the verification program establishes an authenticated identity with LDAP via (1);
- then it compares user A's password with the information held in the directory. If the comparison succeeds, user A is authenticated.

Figure 18. Authentication using LDAP

Part 2: Application

LDAP (Lightweight Directory Access Protocol) is a protocol used to authenticate users. LDAP operates at the Application layer of the TCP/IP network model and allows authenticating users and retrieving their information, such as name, address, telephone number and email. LDAP was developed from the DAP protocol with many superior qualities, such as using less memory and CPU processing power. OpenLDAP is free, open-source software that implements the LDAP protocol. It is developed by the OpenLDAP project and runs on many operating systems, such as BSD, AIX, Android, HP-UX, Mac OS X, Solaris and Windows. The following model illustrates the architecture of the LDAP protocol:

A. INSTALLING AND CONFIGURING OPENLDAP

In this lab we will build two Linux virtual machines running CentOS 5 and one physical Windows machine, connected as in the diagram below:

Contents of the lab:


- Install and configure the LDAP service on the LDAP-Server machine using OpenLDAP.
- Create an LDAP domain named ipmac.lab and create the managed objects (users, groups) in this domain.
- Install the LDAP Admin management tool on the Windows machine and explore its features.
- Configure the LDAP-Client machine to authenticate users through the LDAP service.

IP addresses used in the lab:
- LDAP-Server machine: 192.168.1.1
- LDAP-Client machine: 192.168.1.2
- Windows machine: 192.168.1.100

Installing and initialising the LDAP service on LDAP-Server


Step 1: Set the IP addresses on the two Linux machines and the Windows machine according to the diagram above. Stop the iptables service on both Linux machines.

    [root@LDAP-Server]# ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up
    [root@LDAP-Server]# service iptables stop
    [root@LDAP-Client]# ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
    [root@LDAP-Client]# service iptables stop

Step 2: On LDAP-Server check whether the openldap-servers and openldap-clients packages are installed. If not, install them with yum or rpm, then check again.

    [root@LDAP-Server]# rpm -qa | grep openldap
    [root@LDAP-Server]# yum install openldap-servers openldap-clients
    [root@LDAP-Server]# rpm -qa | grep openldap

Step 3: Open the main configuration file of the OpenLDAP server and review the principal configuration settings (/etc/openldap/slapd.conf).

    [root@LDAP-Server]# less /etc/openldap/slapd.conf

Step 4: On LDAP-Server run slappasswd to generate a hashed password for the OpenLDAP administrator, and copy the hashed value.

    [root@LDAP-Server]# slappasswd

Step 5: On LDAP-Server change the domain name to ipmac.lab and put the administrator password hash generated in step 4 into the configuration file /etc/openldap/slapd.conf.

    [root@LDAP-Server]# vi /etc/openldap/slapd.conf

Step 6: On LDAP-Server start the LDAP service.

    [root@LDAP-Server]# service ldap start

Step 7: On LDAP-Server create a file named ipmac.lab.ldif in the /tmp directory with the content below.

    [root@LDAP-Server]# vi /tmp/ipmac.lab.ldif

    dn: dc=ipmac,dc=lab
    dc: ipmac
    o: IPMAC LAB
    description: root ldap entry for ipmac.lab
    objectClass: dcObject
    objectClass: organization

    dn: ou=People,dc=ipmac,dc=lab
    ou: People
    description: all the people in our domain
    objectClass: organizationalUnit

    dn: cn=testuser,ou=People,dc=ipmac,dc=lab
    cn: testuser
    objectClass: organizationalRole

Step 8: On LDAP-Server load the file ipmac.lab.ldif created in step 7 into the LDAP server's structure with ldapadd.

    [root@LDAP-Server]# ldapadd -x -D cn=Manager,dc=ipmac,dc=lab -W -f /tmp/ipmac.lab.ldif

Step 9: On LDAP-Server view and search the content loaded into the LDAP server's structure in step 8 with ldapsearch (the filter is quoted so that the shell does not interpret the parentheses).

    [root@LDAP-Server]# ldapsearch -x -b dc=ipmac,dc=lab '(objectclass=*)'
    [root@LDAP-Server]# ldapsearch -x -LLL -b dc=ipmac,dc=lab '(cn=testuser)'

Step 10: On LDAP-Server delete the user testuser with ldapdelete.

    [root@LDAP-Server]# ldapdelete -x -W -D cn=Manager,dc=ipmac,dc=lab cn=testuser,ou=People,dc=ipmac,dc=lab
    [root@LDAP-Server]# ldapsearch -x -LLL -b dc=ipmac,dc=lab '(cn=testuser)'

Using the migration scripts to build the LDAP server's structure from the system's existing information

Step 11: On LDAP-Server change to the directory holding the migration scripts (/usr/share/openldap/migration) and edit the configuration file migrate_common.ph.

    [root@LDAP-Server]# cd /usr/share/openldap/migration
    [root@LDAP-Server]# vi migrate_common.ph
    # Default DNS domain
    $DEFAULT_MAIL_DOMAIN = "ipmac.lab";
    # Default base
    $DEFAULT_BASE = "dc=ipmac,dc=lab";

Step 12: On LDAP-Server run the script migrate_base.pl to generate an LDIF file describing the new base, then view the file.

    [root@LDAP-Server]# ./migrate_base.pl > /tmp/base.ldif
    [root@LDAP-Server]# less /tmp/base.ldif

Step 13: On LDAP-Server load the content of base.ldif into the LDAP structure with ldapadd, then check the result with ldapsearch.

    [root@LDAP-Server]# ldapadd -c -x -D cn=Manager,dc=ipmac,dc=lab -W -f /tmp/base.ldif
    [root@LDAP-Server]# ldapsearch -x -LLL -b dc=ipmac,dc=lab '(objectClass=*)'

Step 14: On LDAP-Server run the script migrate_passwd.pl to create an LDIF file listing users for LDAP, based on the users currently on the system (in /etc/passwd). View the LDIF file.

    [root@LDAP-Server]# cd /usr/share/openldap/migration
    [root@LDAP-Server]# ./migrate_passwd.pl /etc/passwd > /tmp/allusers.ldif
    [root@LDAP-Server]# less /tmp/allusers.ldif

Step 15: On LDAP-Server load the content of allusers.ldif into the LDAP structure with ldapadd, then check the result with ldapsearch.

    [root@LDAP-Server]# ldapadd -c -x -D cn=Manager,dc=ipmac,dc=lab -W -f /tmp/allusers.ldif
    [root@LDAP-Server]# ldapsearch -x -LLL -b dc=ipmac,dc=lab '(uid=root)'

Step 16: On LDAP-Server create a new account named ldapuser in the users group on the system and add it to LDAP.

    # Create a user named ldapuser in group users and set its password
    [root@LDAP-Server]# useradd -g users ldapuser
    [root@LDAP-Server]# passwd ldapuser
    # Take ldapuser's record from /etc/passwd and write it to /tmp/ldapuser.info
    [root@LDAP-Server]# grep ldapuser /etc/passwd | tee /tmp/ldapuser.info
    ldapuser:x:504:100::/home/ldapuser:/bin/bash
    # Use migrate_passwd.pl to build an LDIF file from /tmp/ldapuser.info
    [root@LDAP-Server]# cd /usr/share/openldap/migration
    [root@LDAP-Server]# ./migrate_passwd.pl /tmp/ldapuser.info > /tmp/ldapuser.ldif
    [root@LDAP-Server]# less /tmp/ldapuser.ldif
    # Add the information about ldapuser in ldapuser.ldif to the LDAP structure
    [root@LDAP-Server]# ldapadd -c -x -D cn=Manager,dc=ipmac,dc=lab -W -f /tmp/ldapuser.ldif
    # Check the information about ldapuser in the LDAP structure
    [root@LDAP-Server]# ldapsearch -x -LLL -b dc=ipmac,dc=lab '(uid=ldapuser)'
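As an added example (not part of the original document or of the migration tools), a Python version of what steps 14 to 16 use migrate_passwd.pl for: turning an /etc/passwd record, optionally with its /etc/shadow record, into a posixAccount entry under ou=People of the lab's base DN. The objectClass set and the {crypt} scheme follow the migration script's output as I know it; the shadow line is constructed and its hash field is a placeholder.

```python
import base64

# Constructed input: the /etc/passwd record the lab produces for ldapuser, and
# an invented /etc/shadow record whose hash field is only a placeholder.
PASSWD_LINE = "ldapuser:x:504:100::/home/ldapuser:/bin/bash"
SHADOW_LINE = "ldapuser:$1$PLACEHOLDER$PLACEHOLDERHASHxxxxxxxxxx:15000:0:99999:7:::"


def passwd_to_entry(passwd_line, base_dn, shadow_line=None):
    """Map one /etc/passwd record to the attributes of a posixAccount entry,
    modelled on migrate_passwd.pl. Returns an ordered list of (name, value)
    pairs because objectClass and other attributes repeat."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("passwd record must have 7 colon-separated fields")
    name, _, uid, gid, gecos, home, shell = fields
    full_name = gecos.split(",")[0] or name     # GECOS: "Full Name,room,phone,..."
    attrs = [
        ("dn", f"uid={name},ou=People,{base_dn}"),
        ("uid", name),
        ("cn", full_name),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("objectClass", "shadowAccount"),
        ("loginShell", shell),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
    ]
    if shadow_line is not None:
        sfields = shadow_line.rstrip("\n").split(":")
        if len(sfields) != 9 or sfields[0] != name:
            raise ValueError("shadow record does not match the passwd record")
        pw_hash, last_change, min_age, max_age, warn = sfields[1:6]
        if pw_hash not in ("", "*", "!", "!!"):     # locked or empty: no password
            attrs.append(("userPassword", "{crypt}" + pw_hash))
        for attr, value in (("shadowLastChange", last_change), ("shadowMin", min_age),
                            ("shadowMax", max_age), ("shadowWarning", warn)):
            if value:
                attrs.append((attr, value))
    return attrs


def _ldif_line(name, value):
    # Non-ASCII values (for instance a Vietnamese full name in GECOS) must be
    # written in the "::" Base64 form that LDIF requires.
    if value.isascii():
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def entries_to_ldif(entries):
    """Serialise entries (lists of (name, value) pairs) as an LDIF file with
    one blank line between entries, ready for ldapadd -f."""
    return "\n".join("\n".join(_ldif_line(n, v) for n, v in e) + "\n" for e in entries)


def passwd_file_to_ldif(passwd_text, base_dn, min_uid=0):
    """Convert whole /etc/passwd contents; min_uid lets you leave out system
    accounts, which the lab's own run of migrate_passwd.pl does not do."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7 and int(fields[2]) >= min_uid:
            entries.append(passwd_to_entry(line, base_dn))
    return entries_to_ldif(entries)
```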

Configuring the client to authenticate through the LDAP server


Step 17: Check the IP address on LDAP-Client and ping LDAP-Server to verify connectivity.

    [root@LDAP-Client]# ifconfig eth0
    [root@LDAP-Client]# ping 192.168.1.1

Step 18: On LDAP-Client check the information about the account ldapuser to make sure the account does not exist there yet.

    [root@LDAP-Client]# finger ldapuser
    finger: ldapuser: no such user.

Step 19: Check the file /etc/nsswitch.conf and the files in /etc/pam.d/ to see that user information lookup (User Information) and user authentication (Authentication) are not yet configured to use LDAP.

    [root@LDAP-Client]# cat /etc/nsswitch.conf
    [root@LDAP-Client]# grep ldap /etc/pam.d/*

Step 20: Run authconfig-tui to open the Authentication Configuration program. Select Use LDAP under User Information and Use LDAP Authentication under Authentication, as in the figure below, then choose Next.

Enter the LDAP server and Base DN details, then choose OK.

Step 21: Check the files /etc/nsswitch.conf and /etc/pam.d/system-auth again to see that user information lookup and user authentication are now configured to use LDAP.

    [root@LDAP-Client]# grep ldap /etc/nsswitch.conf
    [root@LDAP-Client]# grep ldap /etc/pam.d/system-auth

Step 22: Check the information about the account ldapuser again. Note that ldapuser's $HOME directory (/home/ldapuser) has not yet been created.

    [root@LDAP-Client]# finger ldapuser
    [root@LDAP-Client]# cd /home/ldapuser

Step 23: Configure PAM to create the $HOME directory automatically when a user logs in to the system for the first time.

    [root@LDAP-Client]# ls /lib/security | grep pam_mkhomedir
    [root@LDAP-Client]# vi /etc/pam.d/system-auth
    # Add at the very end of the file
    session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022

Step 24: Switch to another terminal (Ctrl+Alt+F3) and try logging in with the account ldapuser. Check that the account's $HOME directory is created automatically on the system.

Configuring the LDAP server with the LDAP Admin tool on Windows


Step 25: On the Windows machine download the LDAP Admin tool from: http://nchc.dl.sourceforge.net/proje...minExe-1.1.zip

Step 26: Run LDAP Admin. Go to Start > Connect... > New Connection and fill in the connection details for the LDAP server. Click OK to finish.

Note: after entering the host's IP address you can click Fetch DNs so that the tool retrieves the base information automatically.

Step 27: Double-click the connection just created and enter the password (if prompted) to connect to the LDAP server. After connecting successfully, explore the interface and the features that the LDAP Admin tool provides.
