Directory Services PRINCIPLES – NIS – LDAP – DNS Labs and deadlines n AMD ->Intel n Just nu uppgraderar vi kernel o Hoppas det löser interupts ->slött nätverk n Deadlines o http://www.ida.liu.se/~TDDI41/timetable/index.en.shtml n Om jag glömmer (vilket jag gör) säg till mig om att lägga ut föreläsningsslides What is a directory? Fundamental properties n Maps keys to values n Relatively frequent lookups n Relatively infrequent updates Examples n Phone book n Office directory n User database n List of contacts Directories in Linux User database Service names n /etc/passwd, /etc/shadow n /etc/services Group database RPC program numbers n /etc/group n /etc/rpc Host names Known ethernet addresses n /etc/hosts n /etc/ethers Network names Automount maps n /etc/network n /etc/auto.master Protocol names n /etc/protocols Standard implementation: local files The scalability problem Example n 13000 users and 5000 hosts n Passwords valid for 30 days n 50% of changes made at 8-10 à One change every 28.8 seconds à Propagation time: 0.00567s Problems n Performance issues n Hosts that are down n Other propagation failures n Simultaneous updates What is a directory service A specialized database n Attribute-value type information n More reads than updates n Consistency problems are sometimes OK n No transactions or rollback n Support for distribution and replication n Clear patterns to searches Directory services Components Common directory services n A data model n DNS n A protocol for searching n X.500 Directory Service n A protocol for reading n Network Information Service n A protocol for updating n NIS+ n Methods for replication n Active Directory (Windows NT) n Methods for distribution n NDS (Novell Directory Service) n LDAP (Lightweight X.500) Directory services Global directory service Local directory service n Context: entire network or entire n Context: intranet or smaller internet n Namespace: non-uniform n Namespace: uniform n Examples: NIS, local files n Distribution: usually n Examples: DNS, X.500, NIS+, LDAP Directory services in Linux Alias: name services n /etc/nsswitch.conf selects service n Several services per directory n Modular design/implementation Examples from /etc/nsswitch.conf users files,nis users nis[notfound=return],files hosts dns,files NIS, NIS+, LDAP Network Information Service Domain (NIS domain) n Systems administered with NIS ida.liu.se n No connection to DNS domain NIS server n Server that has information accessible through NIS n Serves one or more domains NIS client n Host that uses NIS as a directory service for something fo.ida.liu.se NIS Protocol Data model n RPC based n Directories known as maps n No security n Simple key-value mapping n No updates n Values have no structure n Replication support passwd.bynamearjle 1001:adFrl Replication donkn 1002:*:203 n Master/slave servers johne 1003:trzQw alatu 2031:kprrT johmc 2032:bRelZ Distribution edwyo 2033:*:204 n No distribution support! ricst 2034:vvldk petde 2232:*:204 larwa 3021:*:204 NIS Master server Processes/commands n Maps built from text files n ypserv Server process n Maps in /var/yp n ypbind Client process n Maps built with make n ypcatTo view maps n Maps stored in binary form n ypmatch To search maps n Replication to slaves with n ypwhich Show status yppush n yppasswdd Change password Slave servers n Receive data from master n Load balancing and failover NIS NIS Client Portmapper NIS Server NIS client n Knows its NIS domain GETPORT n Binds to a NIS server Two options DOMAIN_NONACK n Broadcast n Hard coded NIS-server n ypbind BIND NIS Scalability problems Primitive protocol n Flat namespace n No updates n No distribution o Hack for password change n Search only on key Security problems n Primitive data model n No access control n Broadcast for binding n Patched as an afterthought Solution: NIS+ NIS+ Scalability New protocol n Hierarchical namespace n Updates through NIS+ n Distributed administration n General searches n Data model with real tables Security n Authentication of server, client and user n Access control on per-cell level So why is NIS+ not used? LDAP Protocol Data model n TCP-based n Based on X.500 n Fine-grained access control n Object-oriented n Support for updates n Objects can be extended freely n Flexible search protocol n Attribute-based data model n Hierarchical namespace Replication n Replication is possible Distribution n Distributed management is possible Example of user NIS+ table ”passwd.org_dir.example.com” name passwd uid gid gecos home shell davby *LK* 1211 1200 David /home/davby /bin/sh fsmith 3x1231v76T89N 1329 1200 Fran /home/fsmith /bin/sh NIS table passwd.byname (user name as key): davby davby:*:1211:1200:David:/home/davby:/bin/sh fsmith fsmith:*:1329:1200:Fran:/home/fsmith:/bin/sh Example of user dn: uid=fsmith,ou=employees,dc=example,dc=com objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson uid: fsmith givenname: Fran sn: Smith cn: Fran Smith cn: Frances Smith telephonenumber: 510-555-1234 roomnumber: 122G o: Example Corporation International mailRoutingAddress: [email protected] mailhost: mail.example.com userpassword: {crypt}3x1231v76T89N uidnumber: 1329 gidnumber: 1200 homedirectory: /home/fsmith loginshell: /bin/sh LDAP The future LDAP is taking over n NIS is too insecure, doesn’t scale and is inflexible n NIS+ is hard to implement and doesn’t exist on many OSes n X.500 is too complex and has a bad reputation n Other options have similar problems DNS DNS: Data model n Functional: NAME à { TYPE à RDATA } n Relational: (NAME, TYPE, RDATA) NAME TYPE RDATA ida.liu.se A 130.236.177.25 ida.liu.se MX 0 ida.liu.se ida.liu.se NS ns.ida.liu.se ida.liu.se NS ns1.liu.se ida.liu.se NS ns2.liu.se ida.liu.se NS nsauth.isy.liu.se DNS: TYPE & RDATA TYPE RDATA n SOA – Start of authority n Binary data, hardcoded format n NS – Name server n TYPE determines format n MX – Mail exchanger n A – Address n AAAA – IPv6 address n PTR – Domain name pointer n CNAME – Canonical name n TXT – Text … and many more DNS: Namespace Names Namespace n Dot-separated parts n Global and hierarchical o one.part.after.another <root> FQDN n Fully Qualified Domain Name com net org se n Complete name n Always ends in a dot google ibm ibm liu Partial name n Suffix of name implicit www www www ida tfk n Does not end in a dot www DNS: Replication Secondary/slave Example nameserver sysi-00:~# host -t ns ida.liu.se ida.liu.se NS nsauth.isy.liu.se n Indicated by NS RR ida.liu.se NS ns.ida.liu.se n Data transfer with AXFR/IXFR ida.liu.se NS ns1.liu.se Rule of thumb Questions n Every zone needs at least two nameservers n How does a slave NS know when there is new information? n How often should a slave NS attempt to update? n How long is replicated data valid? DNS: Distribution Delegation n A NS can delegate responsibility for a subtree to another NS <root> .se zone n Only entire subtrees can be delegated com net org se Zone n The part of the namespace google ibm ibm liu that a NS is authoritative for n Defined by SOA and NS www www www ida tfk Domain n A subtree of the namespace .com domain www DNS: Delegation Delegating NS Example n NS record for delegated zone a.example.com NS ns2.x.com n A record (glue) for NS when b.x.com NS ns.b.x.com needed ns.b.x.com A 10.1.2.3 Delegated-to NS n SOA record for the zone b.x.com SOA ( ns.b.x.com dns.x.com 20040909001 24H 2H 1W 2D ) DNS: Delegation Format of SOA SERIAL n MNAME Master NS n Increase for every update n RNAME Responsible n Date format common (email) o 2004090901 n SERIAL Serial number n REFRESH Refresh interval REFRESH/RETRY n RETRY Retry interval n How often secondary NS n MINIMUM TTL for negative updates the zone reply MINIMUM n How long to cache NXDOMAIN DNS: Cacheing Cacheing creates scalability Cache parameters n Cacheing reduces tree traversal n TTL – Set per RR n Cacheing of A and PTR reduce n Negative TTL – Set in duplicate DNS queries SOA Example $TTL 4H SOA ( MNAME RNAME SERIAL REFRESH Choosing good cache RETRY 1H ) 24H NS ns parameters is vital ns 24H A 10.1.2.3 DNS: The server Recursive/iterative Review n Does the server offer recursion? n Recursive: the nameserver n To which clients is it offered? gives a definite answer, but may ask other nameservers in order Authoritative/nonauthorit to generate it … n Iterative: the nameserver gives n Authoritative: first-hand a definite answer only for information locally known information; n Otherwise: cached information otherwise it generates a referral DNS: The client Client requirements Partially qualified names n Use a recursive NS (resolver) n Add suffix if there are fewer n Use partially qualified names than n dots in the name (ndots) Name server (resolver) n Specified in /etc/resolv.conf APP libc Example: /etc/resolv.conf nsswitch.conf nss search ida.liu.se nameserver ns.ida.liu.se ndots 2 libnss_dns.so Iterative NS resolv.conf Iterative NS Resolver library Recursive NS Iterative NS Iterative NS DNS: Root Name Server Handles the root zone n Data generated by ICANN Why no more than 13? n Data distributed by Verisign n Distribution from hidden master Thirteen services n Some are anycast n Over 60 servers Operator Locations A VeriSign Dulles VA B ISI Marina Del Rey CA C Cogent Communications Herndon VA; Los Angeles; New York City; Chicago D University of Maryland College Park MD E NASA Ames Mountain View CA F Internet Systems Ottawa; Palo Alto; San Jose, CA; New York City; San Francisco; Consortium, Inc.