Fedora Project – 24 February 2007 FUDCon2007 @ Fosdem 2007
FUDConBrussels 2007 [email protected]
FUDConBrusselsFedora Project – 24 February 2007
Jens Kühnel
Fedora / Red Hat Directory Server
by Jens Kühnel (Germany)
FUDCon 2007 @ FOSDEM 2007
About Jens Kühnel
● Started his computer career at age 8
● Linux user and Linux admin since 1995
● Freelance trainer since 1999
● Certified Red Hat, SuSE and Microsoft trainer
● RHCE, RHCA #8, RHCX, SCLT, NCLE10, MCSE, MCT
● Author of a German Samba 3 book
Index
● Introduction
● Architecture
● Tree
● Branch and Leaf
● Compare
● Red Hat bought the Netscape server products
  – Directory Server
  – Certificate Server
  – Mail Server
  – Messaging Server
● Only the Directory Server is GPL'd at the moment
● Netscape DS was developed together with Sun for some time (iPlanet)
  – Sun DS and FDS are therefore quite similar
Fedora vs. Red Hat
● Fedora Directory Server (FDS)
  – Improved by the community
  – No commercial support from Red Hat
  – Needs an external Java runtime (Sun/IBM) for the Admin Console
● Red Hat Directory Server (RHDS)
  – Commercially supported by Red Hat
  – The RPMs include everything (incl. Java)
Documentation
● Very extensive documentation
  – The Red Hat Directory Server manuals run to about 2000 pages and are usable for FDS as well: http://www.redhat.com/docs/manuals/dirserver/
  – Wiki for Fedora Directory Server: http://directory.fedora.redhat.com/
Architecture
Architecture Overview
● Admin Console (Java GUI)
● Admin Server
● Directory Server (ns-slapd)
● Berkeley DB (B-tree) as the storage back end
Admin Console and Server
● Admin Server
  – Uses httpd.worker (Apache worker MPM)
  – One Admin Server per machine
Directory Server
● Extensible with plug-ins
● SSL/TLS, including client login with a certificate
● Online backup and restore
● Logging to its own access, error and audit logs, independent of syslog
Directory Server 2
● Very big databases possible (multiple GB)
● FDS stores everything in LDAP
  – ACIs (as aci attributes on the entries themselves)
  – Configuration of the LDAP trees (cn=config)
  – Replication configuration
Plug-ins
● Possibility to extend the server without changing the core
● A lot of core functions are really plug-ins:
  – Password hashes
  – Syntax checkers etc.
● Other interesting plug-ins (need activation)
  – Referential Integrity plug-in
  – Attribute Uniqueness plug-in (e.g. to guarantee that no two entries share a uid)
Tree
Replication
● Multi-master replication
  – Every master accepts writes and syncs with the other masters
  – Up to 4 masters are possible
  – High availability
    ● Writes are still possible when one master is down
Replication 2
● As many read-only replicas (slaves) as you like
● Replication can be scheduled or continuous
● Replication can be limited at attribute level (fractional replication):
  – Bandwidth (e.g. leave out jpegPhoto)
  – Security (no userPassword on a replica in the DMZ)
Chaining and Referrals
● Referrals
  – Tell the requesting client where the information can be found
  – LDAP standard
● Chaining
  – The server asks another server on behalf of the client and returns the information to the client
  – FDS specific
Virtual Views
● Make it possible to present a different tree without changing the stored one
● Existing objects can be rearranged in a virtual tree
Sync with ADS
● FDS can synchronise users and groups with Microsoft servers
● Supports Windows ADS and NT4
● Needs SSL and a small program (the Password Sync service) on the Microsoft server
● Single subtrees can be synchronised
● Some limitations apply for ADS and NT4
Branch and Leaf
Group
● Group membership is defined inside the group entry
  – uniqueMember: <DN of user a>
  – uniqueMember: <DN of user b>
● To get at the member entries, the client has to look up every member DN individually
Roles
● Every object in the role's scope gets a virtual attribute nsRole holding the role's DN
● For example: nsRole: cn=admin,<suffix>
● A client can find every user with one search: (nsRole=cn=admin,<suffix>)
● Different kinds are available
  – Managed, Filtered, Nested
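The difference between the two slides above, static groups versus roles, as an added example that is not part of the original slides: a constructed in-memory model of how the server derives the virtual nsRole attribute for managed, filtered and nested role definitions, next to the uniqueMember lookups a static group needs. All DNs, entries and the (ou=IT) filter are made up for illustration, and only a single (attr=value) filter assertion is modelled; a real server evaluates the full RFC 4515 filter syntax internally.

```python
"""Added example (not from the original slides): in-memory model of 389/Fedora
Directory Server roles (nsRole) next to static groupOfUniqueNames groups.
All DNs, entries and filters below are constructed for illustration."""

SUFFIX = "dc=example,dc=com"
PEOPLE = "ou=people," + SUFFIX

# Constructed sample directory: DN -> {lower-cased attribute name: [values]}
DIRECTORY = {
    # static group: membership lives inside the group entry
    "cn=admins,ou=groups," + SUFFIX: {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=alice," + PEOPLE, "uid=bob," + PEOPLE],
    },
    # managed role: an entry is a member when its own nsRoleDN lists the role
    "cn=admin," + SUFFIX: {
        "objectclass": ["nsRoleDefinition", "nsSimpleRoleDefinition",
                        "nsManagedRoleDefinition"],
    },
    # filtered role: membership is computed from a search filter
    "cn=it-staff," + SUFFIX: {
        "objectclass": ["nsRoleDefinition", "nsComplexRoleDefinition",
                        "nsFilteredRoleDefinition"],
        "nsrolefilter": ["(ou=IT)"],
    },
    # nested role: the union of the roles listed in its nsRoleDN
    "cn=it-admin," + SUFFIX: {
        "objectclass": ["nsRoleDefinition", "nsComplexRoleDefinition",
                        "nsNestedRoleDefinition"],
        "nsroledn": ["cn=admin," + SUFFIX, "cn=it-staff," + SUFFIX],
    },
    "uid=alice," + PEOPLE: {"objectclass": ["inetOrgPerson"], "ou": ["IT"],
                            "nsroledn": ["cn=admin," + SUFFIX]},
    "uid=bob," + PEOPLE: {"objectclass": ["inetOrgPerson"], "ou": ["Sales"],
                          "nsroledn": ["cn=admin," + SUFFIX]},
    "uid=carol," + PEOPLE: {"objectclass": ["inetOrgPerson"], "ou": ["IT"]},
    "uid=dave," + PEOPLE: {"objectclass": ["inetOrgPerson"], "ou": ["Sales"]},
}


def _objectclasses(entry):
    return {oc.lower() for oc in entry.get("objectclass", [])}


def _is_role_definition(entry):
    return "nsroledefinition" in _objectclasses(entry)


def matches_filter(entry, filt):
    """Minimal filter evaluation: (attr=value) equality or (attr=*) presence."""
    attr, _, value = filt.strip().strip("()").partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def role_applies(role_dn, entry_dn, _seen=frozenset()):
    """Does the role defined at role_dn apply to the entry at entry_dn?"""
    role, entry = DIRECTORY[role_dn], DIRECTORY[entry_dn]
    ocs = _objectclasses(role)
    if "nsmanagedroledefinition" in ocs:
        return role_dn.lower() in [d.lower() for d in entry.get("nsroledn", [])]
    if "nsfilteredroledefinition" in ocs:
        return any(matches_filter(entry, f) for f in role.get("nsrolefilter", []))
    if "nsnestedroledefinition" in ocs:
        if role_dn in _seen:  # guard against a role that (indirectly) nests itself
            return False
        return any(role_applies(sub, entry_dn, _seen | {role_dn})
                   for sub in role.get("nsroledn", []))
    return False


def roles_of(entry_dn):
    """The virtual nsRole values the server would return for entry_dn."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if _is_role_definition(e) and role_applies(dn, entry_dn))


def search_by_role(role_dn):
    """One search with filter (nsRole=<role_dn>) returns the member entries directly.
    Role definition entries themselves are left out of the result here."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if not _is_role_definition(e) and role_applies(role_dn, dn))


def fetch_group_members(group_dn):
    """Static group: read the group, then one further lookup per member DN."""
    member_dns = DIRECTORY[group_dn].get("uniquemember", [])
    entries = {dn: DIRECTORY[dn] for dn in member_dns}  # N additional reads
    return entries, len(member_dns)


def groups_of(entry_dn):
    """Reverse lookup for static groups: search (uniqueMember=<entry_dn>)."""
    target = entry_dn.lower()
    return sorted(dn for dn, e in DIRECTORY.items()
                  if target in [m.lower() for m in e.get("uniquemember", [])])


if __name__ == "__main__":
    for dn in sorted(d for d in DIRECTORY if d.startswith("uid=")):
        print(dn, "->", roles_of(dn))
    print("(nsRole=cn=it-staff,...) ->", search_by_role("cn=it-staff," + SUFFIX))
    print("group members need", fetch_group_members("cn=admins,ou=groups," + SUFFIX)[1], "extra reads")
```

Note that the nested role makes bob a member of cn=it-admin although he is not in IT: nesting is a union, so anyone who can add a role to a nested role's nsRoleDN widens every ACI that trusts that role. Membership via nsRoleDN is also data on the user entry, so the ACIs must keep ordinary users from writing their own nsRoleDN.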
Multi language
● Multiple values of the same attribute are possible for different languages, using attribute options:
● cn;lang-de: Jens Kühnel
● cn;lang-en: Jens Kuehnel
Attribute encryption
● Encryption of single attributes on disk (database and index files)
● Protects against theft of the hard disk and of backup media; data is still in the clear in server memory and on the wire unless TLS is used
● Only possible with SSL activated
● The symmetric attribute key is wrapped with the server's SSL key pair, so the server's private key unlocks it
● Please protect the private key (the NSS key database) with a PIN/password
Password policy
● Automatic locking/unlocking of accounts after failed binds
● Password history
● Selectable password hashes (e.g. salted SSHA instead of plain SHA or CLEAR)
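The "selectable password hashes" point in working form, as an added example that is not code from the original slides or from the Directory Server project: the {SHA} and {SSHA} userPassword storage formats used by Netscape-derived servers, written with the Python standard library only. The 8-byte salt length and the test passwords are arbitrary choices; {SSHA256} and {SSHA512} follow the same digest-then-salt layout in later 389 Directory Server releases and are included for completeness.

```python
"""Added example (not from the original slides): {SHA}/{SSHA}-style
userPassword values as stored by Netscape-derived directory servers.
Salt length and sample passwords are constructed for illustration."""
import base64
import hashlib
import hmac
import os

# scheme name -> hashlib algorithm; the digest size tells us where the salt starts
_SCHEMES = {"SHA": "sha1", "SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def hash_password(password, scheme="SSHA", salt=None):
    """Return a userPassword value such as '{SSHA}base64(digest || salt)'."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return "{CLEAR}" + password  # stored as typed: avoid in a real policy
    algo = _SCHEMES[scheme]
    if scheme == "SHA":  # unsalted: equal passwords give equal hashes
        digest = hashlib.new(algo, password.encode("utf-8")).digest()
        return "{SHA}" + base64.b64encode(digest).decode("ascii")
    salt = os.urandom(8) if salt is None else salt  # fresh salt per password
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(stored, password):
    """Check a candidate password against a stored userPassword value."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return hmac.compare_digest(encoded.encode("utf-8"), password.encode("utf-8"))
    if scheme not in _SCHEMES:
        return False  # unknown scheme: reject rather than guess
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError):
        return False
    size = hashlib.new(_SCHEMES[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]  # the salt is whatever follows the digest
    candidate = hashlib.new(_SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_salted(stored):
    """True when the stored value uses one of the salted schemes."""
    scheme = stored[1:].partition("}")[0].upper()
    return scheme in _SCHEMES and scheme != "SHA"


if __name__ == "__main__":
    for scheme in ("CLEAR", "SHA", "SSHA"):
        a, b = hash_password("s3cret!", scheme), hash_password("s3cret!", scheme)
        print(scheme, a, "same for equal passwords:", a == b)
```

The two {SSHA} values printed for the same password differ while the {SHA} values are identical; that is the whole reason to select a salted scheme in the policy: an attacker with a dump of userPassword values cannot spot shared passwords or use one precomputed table for all accounts. Verification parses the scheme from the stored value, so existing {SHA} entries keep working while new passwords are written with the salted scheme.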
Class of Service
● Makes it possible to store an attribute value only once and use it on a lot of entries
● For example: the fax number of a department
● Different kinds:
  – Simple (pointer)
  – Indirect
  – Classic
Userattr
● Creates ACIs based on an attribute of the target entry
● Typical case: the boss
  – The entry of user Carl has an attribute like manager: cn=Peter, ...
  – userattr makes it possible to allow Peter to change all entries he is the manager of
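The "boss" case above worked through, as an added example that is not part of the original slides or of the Directory Server code: the ACI text follows the server's documented userattr syntax (attribute name, a hash sign, then the bind type), and a small model evaluates it over a constructed in-memory directory. The entries, DNs and the regex-based parser are made up for illustration and cover only the USERDN and GROUPDN bind types.

```python
"""Added example (not from the original slides): evaluating a userattr bind
rule of a 389/Fedora Directory Server ACI against the *target* entry.
Entries, DNs and the minimal ACI parser are constructed for illustration."""
import re

SUFFIX = "dc=example,dc=com"
PEOPLE = "ou=people," + SUFFIX

# Constructed sample entries (keys kept lower-case so DN lookups are simple).
DIRECTORY = {
    "uid=peter," + PEOPLE: {"uid": ["peter"]},
    "uid=frank," + PEOPLE: {"uid": ["frank"]},
    "uid=carl," + PEOPLE: {"uid": ["carl"], "manager": ["uid=peter," + PEOPLE]},
    "uid=ann," + PEOPLE: {"uid": ["ann"], "manager": ["uid=frank," + PEOPLE]},
    "uid=maria," + PEOPLE: {"uid": ["maria"], "owner": ["cn=hr,ou=groups," + SUFFIX]},
    "cn=hr,ou=groups," + SUFFIX: {"uniquemember": ["uid=frank," + PEOPLE]},
}

# ACIs as they would be stored in the aci attribute of the ou=people entry.
# manager and aci are excluded from the writable set on purpose (see below).
MANAGER_ACI = ('(targetattr != "manager || aci")'
               '(version 3.0; acl "managers may edit their reports"; '
               'allow (write) userattr = "manager#USERDN";)')
OWNER_GROUP_ACI = ('(targetattr = "*")'
                   '(version 3.0; acl "owning group may read"; '
                   'allow (read, search) userattr = "owner#GROUPDN";)')

_ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\).*?'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userattr\s*=\s*"(?P<attr>[^#"]+)#(?P<bindtype>[^"]+)"',
    re.DOTALL)


def parse_aci(aci):
    """Pull target attributes, granted rights and the userattr rule out of an ACI."""
    m = _ACI_RE.search(aci)
    if not m:
        raise ValueError("not a userattr ACI this example understands")
    return {
        "target_negated": m.group("op") == "!=",
        "target_attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "attr": m.group("attr").strip().lower(),
        "bindtype": m.group("bindtype").strip().upper(),
    }


def _targets_attribute(rule, attr):
    """Does (targetattr ...) cover attr?  '*' covers all; '!=' lists exclusions."""
    listed = "*" in rule["target_attrs"] or attr.lower() in rule["target_attrs"]
    return not listed if rule["target_negated"] else listed


def _bind_matches(rule, bind_dn, target_entry):
    """Evaluate the userattr rule: the *target's* attribute names who gets in."""
    values = [v.lower() for v in target_entry.get(rule["attr"], [])]
    if rule["bindtype"] == "USERDN":  # attribute holds the DN of the allowed user
        return bind_dn.lower() in values
    if rule["bindtype"] == "GROUPDN":  # attribute holds a group; bind DN must be a member
        for group_dn in values:
            members = DIRECTORY.get(group_dn, {}).get("uniquemember", [])
            if bind_dn.lower() in [m.lower() for m in members]:
                return True
        return False
    raise NotImplementedError(rule["bindtype"])


def aci_allows(aci, bind_dn, target_dn, right, attr):
    """Would this ACI grant `right` on `attr` of target_dn to a client bound as bind_dn?"""
    rule = parse_aci(aci)
    return (right.lower() in rule["rights"]
            and _targets_attribute(rule, attr)
            and _bind_matches(rule, bind_dn, DIRECTORY[target_dn]))


if __name__ == "__main__":
    peter, carl = "uid=peter," + PEOPLE, "uid=carl," + PEOPLE
    print("peter writes carl's phone:", aci_allows(MANAGER_ACI, peter, carl, "write", "telephoneNumber"))
    print("peter writes carl's manager:", aci_allows(MANAGER_ACI, peter, carl, "write", "manager"))
```

A userattr rule delegates trust to whatever the named attribute contains. If Carl could write his own manager attribute, or Peter could change it on his reports' entries, either could hand write access to an arbitrary DN; that is why the example excludes manager (and aci) from the targetattr list, and why a self-write ACI on the same subtree must exclude them too. Because ACIs are stored in the entries (see the Directory Server 2 slide), they replicate with the data and should be reviewed like any other privileged configuration.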
Compare
"Problems" with FDS
● SSL "problem"
  – Prepared for the Red Hat Certificate Server (keys and certificates live in NSS databases)
  – Keys and certificates from OpenSSL/GnuTLS have to be converted to PKCS#12 and imported
● Needs a lot of RAM (256 MB to 1024 MB)
● No /etc/init.d/ start script shipped
● Configuration is saved in LDAP, which is a problem when troubleshooting
● License (Contributor License Agreement)
And OpenLDAP?
● Smaller memory footprint
● Faster on slow machines
● Performance problems when not tuned
● Standards conformity above all
Sun DS
● Shared ancestor iPlanet
● The real differences between FDS and Sun DS 5 are
  – Sun DS 5.2 uses a different replication protocol
    ● Legacy replication still works
  – The internal DB format has changed
    ● A complete backup and restore still works
eDir and ADS
● Both directories have extensive add-ons
● Highly integrated in their environment
  – ZENworks etc.
  – Exchange, MSSQL etc.
● Both use multi-master replication with a lot of masters (asynchronous)
Novell eDir
● Basis for Novell's own authentication server
● LDAP is an add-on
  – The directory existed before LDAP
● Extensive replication control
● Closed source
● Price
Microsoft ADS
● ADS = LDAP + Kerberos + Microsoft's own replication
● LDAP with a very extensive and "strange" schema
● Synchronisation with FDS is possible
● Closed source
● Price
The team