Professional Documents
Culture Documents
Directory Services
Directory Services
Examples
n Phone book
n Office directory
n User database
n List of contacts
Directories in Linux
User database Service names
n /etc/passwd, /etc/shadow n /etc/services
Protocol names
n /etc/protocols
Problems
n Performance issues
n Hosts that are down
n Other propagation failures
n Simultaneous updates
What is a directory service
A specialized database
n Attribute-value type information
n No transactions or rollback
n Support for distribution and replication
n Clear patterns to searches
Directory services
Components Common directory services
n A data model n DNS
n A protocol for searching n X.500 Directory Service
n A protocol for reading n Network Information Service
n A protocol for updating n NIS+
n Methods for replication n Active Directory (Windows NT)
n Methods for distribution n NDS (Novell Directory Service)
n LDAP (Lightweight X.500)
Directory services
Global directory service Local directory service
n Context: entire network or entire n Context: intranet or smaller
internet n Namespace: non-uniform
n Namespace: uniform n Examples: NIS, local files
n Distribution: usually
n Examples: DNS, X.500, NIS+,
LDAP
Directory services in Linux
Alias: name services
n /etc/nsswitch.conf selects service
n Modular design/implementation
fo.ida.liu.se
NIS
Protocol Data model
n RPC based n Directories known as maps
n No security n Simple key-value mapping
n No updates n Values have no structure
n Replication support
passwd.byname
arjle 1001:adFrl
Replication donkn 1002:*:203
n Master/slave servers johne 1003:trzQw
alatu 2031:kprrT
johmc 2032:bRelZ
Distribution edwyo 2033:*:204
n No distribution support! ricst 2034:vvldk
petde 2232:*:204
larwa 3021:*:204
NIS
Master server Processes/commands
n Maps built from text files n ypserv Server process
n Maps in /var/yp n ypbind Client process
n Maps built with make n ypcatTo view maps
n Maps stored in binary form n ypmatch To search maps
n Replication to slaves with n ypwhich Show status
yppush n yppasswdd Change password
Slave servers
n Receive data from master
n Load balancing and failover
NIS
NIS Client Portmapper NIS Server
NIS client
n Knows its NIS domain GETPORT
Two options
DOMAIN_NONACK
n Broadcast
n Hard coded NIS-server
n ypbind BIND
NIS
Scalability problems Primitive protocol
n Flat namespace n No updates
n No distribution o Hack for password change
n Search only on key
Security problems n Primitive data model
n No access control
n Broadcast for binding
n Patched as an afterthought
Solution: NIS+
NIS+
Scalability New protocol
n Hierarchical namespace n Updates through NIS+
n Distributed administration n General searches
n Data model with real tables
Security
n Authentication of server, client
and user
n Access control on per-cell level
Distribution
n Distributed management is
possible
Example of user
Rule of thumb
Questions n Every zone needs at least two
nameservers
n How does a slave NS know
when there is new information?
n How often should a slave NS
attempt to update?
n How long is replicated data
valid?
DNS: Distribution
Delegation
n A NS can delegate
responsibility for a subtree to
another NS <root>
n Only entire subtrees can be .se zone
delegated com net org se
Zone
n The part of the namespace google ibm ibm liu
that a NS is authoritative for
n Defined by SOA and NS www www www ida tfk
Domain
n A subtree of the namespace .com domain www
DNS: Delegation
Delegating NS Example
n NS record for delegated zone a.example.com NS ns2.x.com
MINIMUM
n How long to cache
NXDOMAIN
DNS: Cacheing
Cacheing creates scalability Cache parameters
n Cacheing reduces tree traversal n TTL – Set per RR
n Cacheing of A and PTR reduce n Negative TTL – Set in
duplicate DNS queries SOA
Example
$TTL 4H SOA (
MNAME RNAME
SERIAL REFRESH
RETRY 1H )
Choosing good cache
24H NS ns
parameters is vital ns 24H A 10.1.2.3
DNS: The server
Recursive/iterative Review
n Does the server offer recursion? n Recursive: the nameserver
n To which clients is it offered? gives a definite answer, but may
ask other nameservers in order
Authoritative/nonauthorit to generate it
… n Iterative: the nameserver gives
n Authoritative: first-hand a definite answer only for
information locally known information;
n Otherwise: cached information otherwise it generates a referral
DNS: The client
Client requirements Partially qualified names
n Use a recursive NS (resolver) n Add suffix if there are fewer
n Use partially qualified names than n dots in the name (ndots)
Name server (resolver)
n Specified in /etc/resolv.conf
APP libc
Example: /etc/resolv.conf
nsswitch.conf nss search ida.liu.se
nameserver ns.ida.liu.se
ndots 2
libnss_dns.so
Iterative NS
resolv.conf Resolver library Recursive NS Iterative NS
Iterative NS
Iterative NS
DNS: Root Name Server
Handles the root zone
n Data generated by ICANN Why no more than 13?
n Data distributed by Verisign
n Distribution from hidden master
Thirteen services
n Some are anycast
n Over 60 servers
Operator Locations
A VeriSign Dulles VA
B ISI Marina Del Rey CA
C Cogent Communications Herndon VA; Los Angeles; New York City; Chicago
D University of Maryland College Park MD
E NASA Ames Mountain View CA
F Internet Systems Ottawa; Palo Alto; San Jose, CA; New York City; San Francisco;
Consortium, Inc. Madrid; Hong Kong; Los Angeles; Rome; Auckland; Sao Paulo;
Beijing; Seoul; Moscow; Taipei; Dubai; Paris; Singapore; Brisbane;
Toronto; Monterrey; Lisbon; Johannesburg;Tel Aviv; Jakarta;
Munich;
G U.S. DOD NIC Vienna VA
H U.S. Army Research Lab Aberdeen MD
I Autonomica/NORDUnet Stockholm; Helsinki; Milan; London; Geneva; Amsterdam; Oslo;
Bangkok; Hong Kong; Brussels; Frankfurt
J VeriSign Global Registry Dulles VA (2 locations); Mountain View CA; Seattle WA;
Services Amsterdam; Atlanta GA; Los Angeles CA; Miami; Stockholm;
London; Tokyo; Seoul; Singapore; Sterling VA (2 locations, standby)
K RIPE NCC London; Amsterdam; Frankfurt; Athens; Doha (Quatar)
L ICANN Los Angeles
M WIDE Project Tokyo; Seoul (KR); Paris (FR)
DNS: CNAME
Canonical name CNAME Whoopsie 1
n Pointer within namespace www CNAME informatix
www A 130.236.177.12
n Johansson: See Johnson
CNAME Whoopsie 2
ida.liu.se. NS ns.ida.liu.se.
ns CNAME vitalstatistix
vitalstatistix A 130.236.177.12
ida
www informatix
Address-to-name mapping
com arpa se
n Same RR type for IPv4 och IPv6
n ”A big reverse zone in the sky”
google ibm in-addr liu
0 … 15 … 255
15.189.236.130.in-addr.arpa. PTR sysi-05.sysinst.ida.liu.se.
DNS: Delegation in in-addr.arpa.
<root>
Delegation
n Delegering of entire subtrees arpa se
n Subtrees at each dot
in-addr liu
n In in-addr.arpa a dot after each octet of the address
10
ida
17
Q: How to delegate partial subtrees sysinst
corresponding to small subnets, e.g. 1
10.17.1.0/26? rv4
0 1 2 3 4 5 … 63
A: Use CNAME to create a new 0 1 2 3 4 5 … 63
zone that can be delegated!
A: Delegate each address as a separate zone
DNS packet
n Header section Flags etc.
n Query section Queries to the server
n Answer section Replies to the queries
n Authority section Referrals to other NS
n Additional section Extra data that may be useful (e.g. glue)
DNS: The protocol
Header section: flags Flags
n QR Query or response n Set RD for recursive quer
n OPCODE Type of quer n If AA is not set, reply is from
n AA Authoritative Answer cache
n TC TrunCation n If TC it set, the reply is too large
n RD Recursion Desired for UDP
n RA Recursion Available
n Z Reserved RCODE
n RCODE Result code n SERVFAIL Problem with NS
n NXDOMAIN No such name
n REFUSED Refuse to reply
DNS: The protocol
Question section Authority section
n Contains questions n Indicates authoritative NS
n Also included in reply n Never empty in referrals
Additional section
Answer section n RR related to response, but not
n Contains requested RRs part of response
n Empty in referral replies n E.g. A for NS in authority
section
sysi-00:~# dig www.ida.liu.se @a.ns.se
; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @a.ns.se
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7059
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.ida.liu.se. IN A
;; AUTHORITY SECTION:
liu.se. 86400 IN NS ns2.liu.se.
liu.se. 86400 IN NS sunic.sunet.se.
liu.se. 86400 IN NS nsauth.isy.liu.se.
liu.se. 86400 IN NS ns1.liu.se.
;; ADDITIONAL SECTION:
ns1.liu.se. 86400 IN A 130.236.6.251
ns2.liu.se. 86400 IN A 130.236.6.243
sunic.sunet.se. 86400 IN A 192.36.125.2
nsauth.isy.liu.se. 86400 IN A 130.236.48.9
sysi-00:~# dig www.ida.liu.se @nsauth.isy.liu.se
; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @nsauth.isy.liu.se
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49836
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.ida.liu.se. IN A
;; ANSWER SECTION:
www.ida.liu.se. 259200 IN CNAME informatix.ida.liu.se.
informatix.ida.liu.se. 259200 IN A 130.236.177.26
;; AUTHORITY SECTION:
ida.liu.se. 259200 IN NS ns1.liu.se.
ida.liu.se. 259200 IN NS ns2.liu.se.
ida.liu.se. 259200 IN NS nsauth.isy.liu.se.
ida.liu.se. 259200 IN NS ns.ida.liu.se.
;; ADDITIONAL SECTION:
ns.ida.liu.se. 259200 IN A 130.236.177.25
ns1.liu.se. 43200 IN A 130.236.6.251
ns2.liu.se. 43200 IN A 130.236.6.243
nsauth.isy.liu.se. 21600 IN A 130.236.48.9
sysi-00:~# dig www.ibm.com @ns.ida.liu.se
; <<>> DiG 9.2.4rc5 <<>> www.ibm.com @ns.ida.liu.se
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38042
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.ibm.com. IN A
;; ANSWER SECTION:
www.ibm.com. 1800 IN A 129.42.21.99
www.ibm.com. 1800 IN A 129.42.16.99
www.ibm.com. 1800 IN A 129.42.17.99
www.ibm.com. 1800 IN A 129.42.18.99
;; AUTHORITY SECTION:
ibm.com. 600 IN NS ns.austin.ibm.com.
ibm.com. 600 IN NS ns.watson.ibm.com.
ibm.com. 600 IN NS ns.almaden.ibm.com.
;; ADDITIONAL SECTION:
ns.austin.ibm.com. 70372 IN A 192.35.232.34
ns.watson.ibm.com. 92202 IN A 129.34.20.80
ns.almaden.ibm.com. 70372 IN A 198.4.83.35
DNS: Commands
nslookup
n Look up names
host
n Look up data in DNS
dig
n Look up data in DNS
n Full access to protocol
whois
n Information about who has registered a domain
n Many versions – jwhois is nice
DNS: Server types
Master Forwarder
n Source of DNS data n Cache only
Secondary Recursive-only
n Authoritative for zone n Performs recursive queries
DNS: Server architecture Slaves
Master
Administrator
Clients Forwarder
Clients
Forwarder Recursive
Firewall
Zone configuration in BIND
Files In Debian: /etc/bind
n named.conf n named.conf
n Zone files n named.conf.local
n named.conf.options
n Zones.rfc1812
n db.0
n db.127
n db.empty
n db.local
n db.root
named.conf
Zone definition (master) Options
n Who can query the server
zone ”sysinst.ida.liu.se” { n Who can update the server
type master; n Which ports to use
file ”/etc/bind/sysinst.zone”; n Which address to use
} … and so on
Other stuff
n Options
n Access control
$TTL 3600
@ IN SOA (
sysinst-gw.ida.liu.se.
davby.ida.liu.se.
2006083100 ; Serial
3600 ; Refresh 1h
1800 ; Retry 30min
604800 ; Expire
3600 ; TTL
)
IN NS sysinst-gw.ida.liu.se.
IN NS ns.ida.liu.se.
IN MX 10 ida-gw.sysinst.ida.liu.se.
ida-gw IN A 130.236.189.1
debian IN CNAME ida-gw
heretix IN A 130.236.189.62
n Dynamic update
n DNSSEC
Directory Service Summary
Properties Common directory services
n Search-optimized database n DNS – Host names etc.
n Attribute-based data n NIS/NIS+ – Replace local files
n Distributed management for n LDAP – General directory
scalability service
n Replication for performance and
reliability
n Search protocol
n Update protocol