LDAP Unified authentication solution under Linux

LDAP Unified authentication solution under Linux

--http://www.cangfengzhe.com/wangluoanquan/3.html

Enterprises need to authenticate a lot of services, employees need to remember a lot of passwords, even if the same password settings for these services, there is a great security risk. The author of the current work of the enterprise is so, every new employee to the arrival of the administrator to initialize a lot of passwords, and these passwords are set to "888888" and other weak passwords, due to the certification mechanism of various software does not use a unified standard, employees can not modify the password of all services at once, This has led to the use of this "well-known" password by many employees, even if they have been in the workforce for a long time.

Another serious problem arises when companies are adding internal services, such as leading to the delivery of mail services within the company or replacing existing proftpd with more efficient vsftpd, and administrators need to re-initialize new account information for all employees, which would be a " Disaster. "

If you can provide a standard certification mechanism for various software, all software can no longer use a unique user management method, but through this unified authentication mechanism for user authentication, which solves the problems that many enterprises have encountered at present. LDAP is such a standard protocol, the history of LDAP can be traced back to the 1988, after the birth of many software basically support this protocol. With the increasing demand for LDAP in recent years, most of the software that has authentication mechanism will first provide support to LDAP. This article will introduce the method of LDAP unified identity authentication to simplify this complex management process.

LDAP overview

LDAP is the abbreviation for light weight Directory Access Protocol (Lightweight Directory Access Protocol), which was formerly the older DAP protocol. It is based on the X.500 standard, but it is simple and can be customized as needed. Unlike X.500, LDAP supports TCP/IP, which is required to access the Internet. The core specification of LDAP is defined in the RfC, in general, the LDAP protocol defines the method of communicating with the background database and the communication standard between the client software and the LDAP protocol, as shown in 1 (more detailed instructions can be found in the relevant RFC documentation).

Figure 1 Relationship between the client and LDAP server

In Figure 1, the LDAP client refers to a variety of software that requires authentication, such as Apache, PROFTPD, and samba. LDAP sever refers to the software that implements the LDAP protocol, such as OpenLDAP. Datastorage refers to OPENLDAP data storage, such as relational database (MySQL) or query-efficient embedded database (BERKELEYDB), or even a flat text database (a txt text file). As can be seen, the OpenLDAP software is only a form of implementation of the LDAP protocol and does not include background database storage. But in many cases, administrators often put LDAP server and datastorage on the same server, resulting in what people commonly call "LDAP database." Although the background database (backend) can be varied, the LDAP protocol also specifies how the data is stored. The LDAP database is a tree-like structure, similar to DNS, as shown in 2.

Figure 2 A tree-like logical structure of employees ' information in multinational corporations

In the diagram, one of the greatest benefits of storing data in this way is that the query is fast, the LDAP database is optimized for read operations, and the OPENLDAP with Berkeley DB makes it much more efficient to read. Another benefit of the tree structure of the LDAP database is the ease of distributed management, which is described later in this section.

Implementation ideas

Unified identity authentication is mainly to change the original authentication strategy, so that the software needs to be certified through LDAP authentication, 3 shows. After unified authentication, all of the user's information is stored in the LDAP server. The end user needs to authenticate with the LDAP server when they need to use the company's internal services. Each employee needs to remember only one password, and the information in the LDAP server can be modified directly from the Web interface provided by the administrator when the user information needs to be modified.

Figure 3 The modified authentication policy

Most of the mainstream software currently provides good support for LDAP, but because of the varying degrees of support for LDAP, different kinds of software should be treated differently when implemented. Software support for LDPA can be divided into two main categories:

One is full support, that is, adding LDAP-related options to the software configuration file. The benefit of this approach is that there is no need for other tools or software to support LDAP directly by the software development team. Possible flaws are also here, as the level of each software development team and the developer experience are different, although the same support for LDAP, but a little more complex advanced features can not be provided, and sometimes even a running error caused the whole software problems. I have encountered a web-based CVS browsing software, the installation documentation describes the support of LDAP, but the actual use of a lot of problems caused by the entire software crash. Some of the more mainstream software, such as the Apache 2.X support for LDAP, is almost perfect.

Another type of software for many reasons does not directly support LDAP, but rather through the use of PAM authentication, because Pam itself supports LDAP, this can also be implemented using LDAP authentication. This approach also has the advantage of LDAP support, software developers do not need to modify the code to support the LDAP protocol, reducing the software itself to create a security vulnerability. The disadvantage is that in some systems that do not want to use Pam, such software is not user-authenticated through LDAP, and although Pam's support for LDAP is perfect, some advanced and complex features are not possible. For these reasons, this kind of software is few, the more typical is vsftpd and CVS.

Use LDAP for identity authentication

The introduction here may be a lot of readers will ask why use LDAP database? Is it possible to use a traditional relational database? As can be seen from the above, the LDAP server is the role of an authentication server, from the technology itself, the specific use of this authentication server database is not important, if the use of a relational database can also achieve the purpose of unified authentication, but the LDAP Their own advantages make many companies ultimately choose it. The following author lists some important reasons for choosing LDAP:

LDAP is an open standard protocol, unlike SQL databases, where LDAP clients are cross-platform and have standard API interfaces for almost all programming languages. Even if the provider of the LDAP database product is changed, the developer does not have to worry about modifying the program to accommodate the new database product. This advantage is difficult to achieve with relational databases that use SQL language for querying.

Because the LDAP database data storage is a tree structure, any branch of the whole tree can be placed in a single server for distributed management, not only for server load balancing, but also facilitates the deployment of servers across geographies. This advantage in the query load or enterprises in different regions have a branch office is particularly evident.

LDAP supports a strong authentication method, which can achieve a high level of security. In terms of internationalization, LDAP uses UTF-8 encoding to store characters in a variety of languages.

More flexible to add data types, LDAP defines the dependencies and matching patterns between various attributes based on the contents of the schema. For example, in a relational database, if you want to add a property to a user, you would add a field to the user table, which would be difficult to have with a large number of users and change the table structure. However, LDAP only needs to add new attributes to the schema, and will not affect query performance due to the increase in user attributes.

An LDAP database is a database that optimizes read operations, and LDAP shows very high performance when read and write ratios are greater than 7:1. This feature is suitable for the needs of identity authentication.

At present, many companies combine LDAP with their own products and technologies to increase the effectiveness of LDAP in all fields, all from LDAP being an open protocol that can easily coexist with other standard protocols.

Selection of LDAP software

At present, almost all big it vendors have their own commercial LDAP products, each vendor's LDAP products have its characteristics, many times users choose more open source OpenLDAP.
OpenLDAP has many advantages over other commercial software, the software version of the business is very slow, the response to the bug is much worse than the open source software, OpenLDAP also contains a lot of creative new features to meet the requirements of the majority of users. I have used many commercial LDAP products, OpenLDAP is one of the most portable and consumes the least system resources. OpenLDAP is open source software, in recent years, many companies in the domestic development of LDAP products are based on the development of OpenLDAP.

OpenLDAP source code can be downloaded to the official website (http://www.openldap.org), the installation process is also very simple. Since the OPENLDAP needs Berkeley DB to hold the data, it is necessary to install the Berkeley DB 4.4.20, which can be downloaded to its website, on the Web site.

# TAR-ZXVF Db-4.4.20.tar.gz

After the pressure is finished, a db-4.4.20 directory is generated to enter the Build_unix directory under that directory. Execute the following command to configure the installation.

# .. /dist/configure
# make
# make Install
# TAR-ZXVF Openldap-stable-20090411.tgz

When the decompression is complete, a OpenLDAP directory is generated. Enter the directory and execute the following command to configure the installation.

#env cppflags= "-i/usr/local/berkeleydb.4.2/include" ldflags= "-l/usr/local/berkeleydb.4.4/lib"./configure-prefix= /usr/local/openldap--enable-ldbm

Note the above configuration statement, to set the include and LIB paths of the repository, or to be prompted for Berkeley DB version incompatibility and interrupt configuration when configuring to repository-related content. If you do not have the--ENABLE-LDBM option, you will be prompted LDBM to not find it when make test. In order to reduce the error, or add as well.

#make Depens
#make
#make Test

It takes a long time to test during the make test, as if there were 16 items. You can relax, this time should be the most tense.

#make Install

By configuring the command, we can see that we have installed the OpenLDAP into the/usr/local/openldap directory. It is recommended that the software installed in the source code should be placed in a separate directory, not in the default directory of the software. The benefits are easy to manage and control, all files in a unified directory, uninstall the software as long as the entire directory is deleted. There are several areas to note in this process:

Before executing configure, make sure Berkeley DB is installed, although OpenLDAP can use many databases for Back-end, BerkeleyDB is strongly recommended by the OpenLDAP development team.

If you need a more secure way to access OpenLDAP, make sure that CYRUS-SASL is installed before you configure the execution configure.

Some users have ignored the final make test when installing OpenLDAP. Experience tells us that many errors will be exposed during the execution of make test, the OpenLDAP development team is very careful to maintain the software test case, the whole test is very comprehensive, many of the functions that are seldom used in daily use will be tested, It is very good to ensure the stability of the software after it is put into use.

By default, the OpenLDAP configuration file is saved in siapd.conf under/usdlocal/etc/openidap, and the administrator password for OpenLDAP is recorded in the configuration file. By default, the password is in clear text, and you can use the SLAPPASSWD command to generate a cipher to replace the plaintext in the configuration file. In Figure 3, for example, the configuration file related items should make the following changes:
Suffix "Dc=ldap_abc,dc=org"
RootDN "Cn=manager,dc=ldap abc,dc=org"
Directory/usr/iocal/var/openldap-data

Where the directory parameter is the location of the data file on the server, the data file is best placed on a separate partition or disk array for stability and performance reasons. The ACL portion of the configuration file is also important, and many of the read or modify operations are not completed properly due to the incorrect syntax of the ACL. The following is the configuration of the ACL section by default:
Access to Attrs=userpassword
by self Write
by * Auth
Access to *
by * Read

Easily handle LDAP account management

Here the notes tell you to use the PHP language to develop a Web-based LDAP manager, and focus on the management of the class attributes and object class inheritance relationship, modify the process of the recursive relationship between the use of relevant techniques and related algorithms, making it easier to use and manage the LDAP account.

Written in PHP 4/5, LDAP account Manager (LAM) is a Web-based management system for LDAP users, user groups, hosts, and LDAP directories, and administrators can operate with SSUTLS encryption to enhance security. Lam supports managed account types such as Samba 2/3, Unix, Kolab 2, Address Book interfaces, and Computer Management, including NIS mappings, email aliases, MAC addresses, and more.

1) The powerful features of LDAP account Manager

With Lam, users, user groups, and computer system accounts stored in the LDAP directory can be managed intuitively and easily through the Web interface.

You can manage UNIX users, user groups, hosts, domain names.

Powerful filtering and sequencing capabilities.

has account attribute management.

Multiple constructed properties.

Intuitive tree view mode.

Plan to view the mode.

An open editor.

Create an account with a file upload.

All accounts can be exported to PDF file format.

You can manage users, user groups, quotas, and auto-creation to delete a user's home directory.

Supports LDAP+SSL encryption mode.

Multi-lingual support, such as Catalan, Chinese (Traditional), Dutch, 中文版, French, German, Hungarian, Italian, Japanese and Spanish.

2) Installation Requirements

PHP4/5 language Environment and Perl locale

Openldap2.0 or later

CSS-enabled Web browsers

Apache webserver, it is recommended to install modules such as SSL, Php-module (Php-module with Ldap,gettext,xml,mcrypt+mhash).

3) Installation and use

First download the lam compression package from http://lam.sourceforge.net/, unzip and modify the PHP configuration file php.ini the following:

* memory_limit=64m

Next, copy the file to the Web server's Html-file directory, such as Apache/htdocs, and set the appropriate read and write permissions to the following file:

-lam/sess: Set to Apache user Write permission;

-LAM/TMP: Set to Apache user Write permission;

-lam/config: (including subdirectories) set to Apache user Write permission;

-lam/lib lamdaemon.pl: Must be set to execute permissions.

Then configure the Conflg.cfg file, create a configuration property, set the password, and copy the Config.cfg_ to the configuration directory. Finally, open index.html in the browser, you can use the default password "LAN" login in the configuration login to do the relevant operation, 4 shows.

Figure 4

4) configuration Management Lam

After successfully logging into the lam system, managing our LDAP in the form of a Web page becomes straightforward and straightforward, with a mouse click to easily view and manage our LDAP, as well as online editing and data export. In the lam system, we can mainly do the following:

The lam system is configured with a specific configuration of Lam, as shown in 5.

Figure 5

Lam Module selection and management: Let Lam list user information.

Modify user information, view and modify user properties in Lam, as shown in 6.

Figure 6

Not only that, Lam's management function is very comprehensive, but also can do a lot of user operations, such as listing user group information, listing the server host information managed, through file upload method to create users, tree view, sambasam information view changes, Open online editing mode and LDAP information PDF file format output, and so on, for the system administrator is very convenient.

Configure Apache to support LDAP

While there are two ways to support LDAP in a variety of software, it is essentially the same, except that some software wants to develop LDAP support natively, while others use Pam's already developed LDAP support. Any software to be user authentication through LDAP, at least in the software configuration file to provide two authentication required information, one is the LDAP server IP address, and the other is required to authenticate users in the LDAP database location. As mentioned earlier, the LDAP database is a tree structure similar to DNS, where each user is placed on the tree as a leaf node, and the parent node of those users is the location of the user in the LDAP database that the authentication is to provide. 3, if an FTP login is to be provided to all employees in the Asian marketing department, the location of the user to be provided in the LDAP database is "Ou=sales,i=asia,o=ldap_ abc.org". The following is an example of Apache to introduce the configuration of the software.

Apache and LDAP integration can be used to restrict the user's access to files in HTTP mode, Apache uses LDAP as user authentication has a lot of practical significance, first can restrict the user's internal HTTP sensitive content access. In addition, many version management software, such as subversion, provides LDAP support, which allows users to restrict access to files through Apache settings when they need to access files over the web. Apache is starting from 2.0.41 to support LDAP, if you want to use LDAP authentication will install Apache 2.0.41, the Enterprise version of the Red Hat as 3/4/5 default installation of Apache2.0 has put the L The DAP-related modules are compiled, and the user can support L-DAP authentication by simply modifying the Apache configuration file correctly.

The following code sets certain permissions on the protected directory/var/www/htm/internal.
<Directory/var/www/html/internal>
AuthName "Weicome to Linux"
Authldapenabled on
Authldapurl Ldap://192.168.1.2/ou=sales,i=asia,o=ldap_abc.org?uid
Require Valid-user
</Directory>

AuthName is optional, when the user accesses the protected directory, the browser pops up-a prompt window asking for a user name and password, and the contents of the AuthName settings appear in the title bar of the popup window (this content supports Chinese).

The authldapenabled is optional and the default value is on. This can be set to off when the directory/var/www/htm/intemal has been set to require authentication, but the Var/www/htm/internal/pub directory needs to be set to public.

Authldapurl is required, 192.168.1.2 is the IP address of the LDAP server, OU=SAIES,I=ASIA,O=LDAP Abc.org is the user's location in the LDAP database, and the UID represents the user name used in the authentication process using the value of the UID attribute for each user.

Require valid-user indicates that only a successful authenticated user can access the specified resource. The design of the LDAP tree structure The following is a practical case for a brief introduction to the design of the tree structure. A hundred people's it enterprise, headquartered in Beijing, and in Shanghai, Guangzhou branch, the company's marketing department, Development Department, Management department and Human Resources department in three cities have branches, the company requires all employees to update their work in this day of the results, and for each employee with the enterprise internal FTP sharing space, Program developers use CVS to submit code that has multiple Linux servers within the company, allowing only authorized accounts to log in.

Employees need to be authenticated when using these services. In such cases, you can choose to buy several expensive database servers, install large business databases to solve this problem, or choose a cheaper and more efficient way to use open source software solutions. The first thing to consider is the data topology, according to the needs of the enterprise database design is the key. Companies in Beijing, Shanghai and Guangzhou have branch offices, if the database server is only stored in a city, the peak network traffic will affect the certification speed, reduce staff productivity, so the database design can have the following two scenarios: one is to put the primary LDAP server in Beijing, At the same time in Shanghai and Guangzhou with the LDAP server, similar to the DNS regional authorization, the head office of Shanghai and Guangzhou Staff management decentralization, the staff throughout the local LDAP server certification, not only improve efficiency, but also ensure that the server problems will not affect the other two cities certification services. This database design does not divide all employees of the company into three parts that are not connected.
As shown in 7, the LDAP branches on the three servers are connected by a special attribute similar to "reference" on the same tree, and three cities have their own administrators to maintain their branches. Three servers connected together have many benefits and are very handy when you need to search or inquire about all of your company's employee information. If a city has more employees or a heavy load can also increase the LDAP server in this city, the additional server is like the local server mirror, can play the role of load balancing. It is important to note that each LDAP server in this design can be read and write.

Fig. 7 Design of tree structure

Another option is to store a master LDAP server in Beijing, while placing a secondary LDAP server in three cities in Beijing, Guangzhou and Shanghai respectively. The primary LDAP server is only responsible for writing data, the secondary LDAP server is read-only, any database modifications are written to the primary LDAP server before synchronization to three secondary LDAP server, such a topology is also more appropriate for the authentication server needs, because the write operation is less than the read operation, This design has the advantage of being able to flexibly increase or decrease the server depending on the number of employees or the load of each branch office, and the paralysis of any secondary LDAP server will not affect the entire authentication system. In some cases abroad, the secondary LDAP server can be up to dozens of or even hundreds of units. However, this design is also flawed, if there is a problem with the primary LDAP, then all write operations will be affected, the current OpenLDAP does not support multiple primary LDAP servers, because setting up multiple primary LDAP server may cause the entire data inconsistency, only a few commercial LDAP Support for multi-master LDAP functionality.

The future of unified identity authentication

In foreign countries, the application of LDAP to identity authentication has been very mature, in recent years the domestic began to gradually become popular. There are still some deficiencies in the authentication method mentioned earlier, such as the user after using the FTP service, if the use of Samba services will need to re-enter the user name and password, the current Microsoft Active Directory through the management domain users have achieved a perfect single sign-on, Linux enables most of the functionality that Active Directory can achieve with OpenLDAP and samba. Believe that in the near future, the use of LDAP authentication technology will penetrate more areas, including network computers, access control systems, and even intelligent IC card applications.

LDAP Unified authentication solution under Linux