By default, access to a Linux computer requires a valid username and password. One problem with a large network of Linux systems is that each user normally requires a separate account on every Linux computer.
There are two services which allow you to set up one centrally managed database of usernames and passwords for Linux and Unix computers. These services are NIS and LDAP. With each of these services, you can maintain one password database on an NIS or LDAP server and configure the other systems on the network as clients. When a user logs into an NIS or LDAP client, that system first checks its local password file, usually /etc/passwd. If it can't find your username, it looks up the corresponding file on the server.
I'll start by showing you how to configure NIS and LDAP clients. First, I'll show you how you can configure these clients using the command line interface and then use the Red Hat Authentication Configuration tool.
Exam Watch
In the Red Hat Exam Prep guide, the only requirement is to be able to connect a client to a network directory service, such as NIS or LDAP. The prep course outline for the RHCE, RH300, does include NIS (but not LDAP) server configuration. It's possible that LDAP services will become more important in future versions of the RHCE exam. I therefore focus on NIS servers in this chapter.
It's fairly simple to configure an NIS client on a network. Assuming you have an NIS server, you need to do three things. First, specify the server and domain name in /etc/yp.conf. Next, make sure the ypbind client service starts the next time you boot Linux. Finally, make sure the /etc/nsswitch.conf file looks to the NIS service for at least the username and password database.
The change to the /etc/yp.conf configuration file is simple. All you need is a command such as the following, which specifies the name of the NIS domain as nisdomain, and the name of the NIS server as enterprise3:
domain nisdomain server enterprise3
Making sure that the ypbind client service starts the next time you boot Linux is a simple matter. Just as with other Linux services, you can make sure it starts at the appropriate runlevels with a command such as the following:
# chkconfig --level 35 ypbind on
Finally, making sure your computer looks for the NIS server for key files means modifying the /etc/nsswitch.conf configuration file. For example, to make sure your computer looks to the NIS server for the username and password database, you'll want to configure the following commands in that file (you can add other services such as ldap to the list):
passwd: files nis
shadow: files nis
group: files nis
This assumes that you're using the standard version of NIS that's included with RHEL 3, NIS version 2.
One command you need to know about when running an NIS client is yppasswd. All users can manage their NIS password with this command.
If you want to configure your RHEL 3 computer as an LDAP client, you'll need the openldap-clients, openldap, and nss_ldap RPM packages. The openldap-clients RPM is a default part of the System Tools package group. The other two packages should be installed by default on your RHEL 3 computer.
To configure an LDAP client, you'll need to configure two different ldap.conf configuration files: in the /etc and the /etc/openldap directories. While both files can get quite complex, for the purposes of the exam, I'll keep the definitions simple.
The default version of the /etc/ldap.conf file includes a number of different commands and comments. To set up your RHEL 3 computer as an LDAP client, you'll need to be concerned with four commands in this file, as described in Table 10-1.
Specifies the IP address for the LDAP server. This particular command assumes the LDAP server is on the local computer.
Sets the default base distinguished name, in this case, example.com.
Required if you want Transport Layer Security (TLS) support to encrypt passwords that are sent to the LDAP server.
Supports the MD5 encryption scheme for passwords.
You'll need to specify the HOST and BASE variables in this file, just as you did in the /etc/ldap.conf configuration file. Based on the parameters in the previous section, this leads to the following two commands:
HOST 127.0.0.1
BASE dc=example,dc=com
If your LDAP server is not on the local computer, and your domain is not example.com, you'll need to substitute accordingly.
The Name Service Switch file, /etc/nsswitch.conf, governs how your computer searches for key files such as password databases. You can configure it to look through NIS and LDAP server databases. For example, when an NIS client looks for a computer hostname, it might start with the following entry from /etc/nsswitch.conf:
hosts: files nisplus nis dns
This line tells your computer to search through name databases in the following order:
Start with the database of hostnames and IP addresses in /etc/hosts.
Next, search for the hostname in a map file based on NIS+ (NIS Version 3).
Next, search for the hostname in a map file based on NIS (Version 2).
If none of these databases includes the desired hostname, refer to the DNS server.
You can configure the /etc/nsswitch.conf configuration file to look at an LDAP server for the desired databases. For example, if you want to set up a centralized username and password database for your network, you'll need to configure at least the following commands in /etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
You can configure a number of additional files in an LDAP or NIS centralized database; however, the details are beyond the scope of this book.
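The following bash functions are an added example, not part of the book, covering both the three-step NIS client setup above and the /etc/nsswitch.conf edits: they stage the /etc/yp.conf and nsswitch.conf changes under a root directory of your choice (ROOT=/ applies them to the live system, as root) so you can inspect the resulting lookup order before ypbind or nss_ldap depends on it. The function and variable names are my own.

```bash
#!/bin/bash
# Added example (not from the book): stage the NIS/LDAP client edits from this
# chapter against a root directory so they can be checked before they touch
# the live /etc (ROOT=/ applies them for real, as root).
set -eu

# /etc/yp.conf: one line naming the NIS domain and the NIS server.
write_yp_conf() {            # write_yp_conf ROOT DOMAIN SERVER
    mkdir -p "$1/etc"
    printf 'domain %s server %s\n' "$2" "$3" > "$1/etc/yp.conf"
}

# Append a lookup source (nis or ldap) to passwd, shadow and group in
# nsswitch.conf. "files" stays first, so root and other local accounts still
# resolve when the NIS or LDAP server is unreachable. Safe to run twice.
nss_add_source() {           # nss_add_source ROOT SOURCE
    local f="$1/etc/nsswitch.conf" src="$2" db
    for db in passwd shadow group; do
        if grep -q "^$db:" "$f"; then
            grep "^$db:" "$f" | grep -qw "$src" || sed -i "s/^$db:.*/& $src/" "$f"
        else
            printf '%s: files %s\n' "$db" "$src" >> "$f"
        fi
    done
}

# Print the lookup order nsswitch.conf gives one database, e.g. "files nis".
nss_sources() {              # nss_sources ROOT DB
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ /, ""); print; exit }' \
        "$1/etc/nsswitch.conf"
}

# The remaining NIS client step on a real RHEL 3 system (needs root):
enable_ypbind() { chkconfig --level 35 ypbind on; }
```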
If you're not familiar with NIS or LDAP, it may be simpler to configure your computer as a client using the Red Hat Authentication Configuration tool. In the RHEL 3 GUI, you can start it with the redhat-config-authentication command or click Main Menu | System Settings | Authentication. This opens the Authentication Configuration tool shown in Figure 10-1.
Figure 10-1: Authentication Configuration
If you've gone through the First Boot process described in Chapter 2, you may have already configured your computer using this tool. You can set your computer to check an NIS and an LDAP server for usernames and passwords.
If you select Enable NIS Support, click the Configure NIS button. You'll need to enter the name of the NIS domain, as well as the name or IP address of the computer with the NIS server. Make any desired changes and click OK.
If you select Enable LDAP Support, click the Configure LDAP button. Make any desired changes and click OK. You'll need to enter the following information:
If you want to use Transport Layer Security to encrypt the passwords sent to the LDAP server, activate the Use TLS To Encrypt Connections option.
Enter the domain name for your server in LDAP format in the LDAP Search Base DN text box. For example, if your domain is my-domain.com, enter the following:
Specify the location of the LDAP server. If it's the local computer, you can use the 127.0.0.1 IP address.
Under the Authentication tab, you can also specify the use of LDAP support for PAM-aware applications.
Once you've made your changes, click OK; it may take a few seconds for the Authentication Configuration tool to write the changes to the noted configuration files before it closes. If you've set up an NIS client, it automatically sets the ypbind service to start at appropriate runlevels the next time you boot Linux.
If you want to set up an NIS server on your computer, you'll need to install the ypserv RPM. It's a part of the Network Servers package group. You'll also need the yp-tools RPM, which should already be installed by default on a RHEL 3 computer. You can verify and install these RPM packages using the techniques described throughout the book.
NIS clients and NIS servers are organized in NIS domains. In contrast, LDAP clients rely on the LDAP server database. You can have multiple NIS domains on a single network, but clients and servers can belong to only one domain. If you are using NIS, you can find out the name of your NIS domain by using this command:
If this returns a blank or (none), you'll need to define the NIS domain name for your system. It's easy to do; for example, the following command assigns the name nisdomain to your system:
# domainname nisdomain
On The Job
NIS domains are different from BIND domains. In fact, for security reasons, your NIS domain name should be different from your BIND domain name. If you are coming from the world of Microsoft Windows servers, NIS domains are analogous to LAN Manager domains.
NIS provides you with more than a shared authorization database. With NIS, you can provide shared access to any kind of information. By default, NIS under RHEL 3 shares the following files:
You can configure NIS to share other files as well. This is easy to configure in the NIS configuration file, /var/yp/Makefile.
NIS services require at least one NIS master server. This is where the centralized NIS database files, known as maps, are stored. NIS changes require an update to the map on the master server. You can have only one NIS master server per NIS domain.
For larger networks, you may also want an NIS slave server. NIS slaves take copies of the NIS maps from the master server. NIS clients can then get their configuration files from either the master server or a slave server. You can have multiple NIS slave servers on a network.
NIS clients are systems that use information from an NIS server. NIS clients don't store any information that is contained in the NIS databases; whenever that information is needed, it is retrieved from a server.
On The Job
You may notice that most NIS commands start with yp. This is a holdover from the previous name of NIS when it was known as the Yellow Pages service.
Once you have edited the configuration files for your computer and network, you can start the NIS service. You can do so with the ypinit command in the /usr/lib/yp directory. This command has two key switches: -m is used to create a master NIS server; -s is used to create a slave NIS server. The process is straightforward. When you run the command to set up a master NIS server, you're prompted to enter the different hosts on the NIS domain. Here's what happened when I ran the command on my Enterprise3.example.com computer:
# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers. Enterprise3.example.com is in the list of NIS server hosts. Please
continue to add the names for the other hosts, one per line. When you are done
with the list, type a <control D>.
        next host to add: Enterprise3.example.com
        next host to add:
As you can see, the process is straightforward. Once I complete the list with a CTRL-D, I'm asked to verify the list. Once I confirm, the NIS server takes a few minutes to build a database based on the files specified in /var/yp/Makefile. Once complete, you'll see a message to the effect:
Enterprise3.example.com has been set up as an NIS master server.
If you see errors, make sure that the NIS server daemon, ypserv, is running properly with the service ypserv status command.
You can now join this NIS domain from the NIS clients of your choice.
Once you've started the NIS Service, the /usr/lib/yp directory includes the utilities you need to configure and manage NIS services. The ypinit program can configure an NIS server. Table 10-2 lists the files that you can use to configure an NIS server.
A shell script to build initial database maps in /var/yp; ypinit -m builds the databases for a master server.
The main NIS configuration file. Edit this file to control which maps are shared via NIS. You should edit this file and run the make command in the /var/yp directory.
Converts text database files to NIS maps. Called by /var/yp/Makefile.
NIS server daemon. You should use a command such as chkconfig to make sure this starts the next time Linux boots on your computer.
NIS password change daemon. You need to activate this service before users can change their NIS passwords with the yppasswd command. Use a command such as chkconfig to make sure this starts the next time Linux boots on your computer.
Another NIS server configuration file.
Controls which systems can access NIS databases.
Although NIS was designed to enable you to manage security by controlling who has access to the systems on your network, NIS is not a very secure product. Anyone who knows your NIS domain name and can connect to your network can read all the information stored in your NIS databases, such as /etc/passwd.
You can do a couple of things to help protect your NIS database. The /var/yp/securenets file can control who can connect to your NIS server. While it isn't installed by default, this file is easy to create and configure. Only two lines are required for a LAN. You may notice that the lines appear backwards, as they specify IP network masks followed by network addresses:
255.0.0.0 127.0.0.1
255.255.255.0 192.168.0.0
The first line allows access from the local computer. The second line allows access from all of the computers with IP addresses on the 192.168.0.0 network. In RHEL 3, there's a template for this file, with comments, available in the /usr/share/doc/ypserv-2.8 directory.
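The bash functions below are an added example (not from the book or the ypserv project) for auditing a securenets file offline: they evaluate which client addresses the file admits and flag an all-zero netmask, which admits every address. The example masks both the client address and the network field before comparing, so 127.0.0.1 and 127.0.0.0 name the same /8; whether ypserv itself also masks the network field is an assumption not covered by this chapter, so keep network fields in canonical form (host bits zero) to be safe.

```bash
#!/bin/bash
# Added example (not from the book): evaluate a /var/yp/securenets file
# offline. Each line is "netmask network"; a client is admitted when
# (client AND netmask) equals (network AND netmask).
set -eu

ip2int() {                   # dotted quad -> 32-bit integer
    local IFS=. a b c d
    read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# securenets_allows FILE CLIENT_IP -> exit 0 if admitted, 1 if not
securenets_allows() {
    local file="$1" client mask net m
    client=$(ip2int "$2")
    while read -r mask net _; do
        # skip blank lines and comments
        case "$mask" in ''|'#'*) continue ;; esac
        m=$(ip2int "$mask")
        if [ $(( client & m )) -eq $(( $(ip2int "$net") & m )) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# securenets_open_to_all FILE -> exit 0 if any line has an all-zero netmask,
# which matches every client address the server can be reached from.
securenets_open_to_all() {
    awk '!/^#/ && NF >= 2 && $1 == "0.0.0.0" { found = 1 } END { exit !found }' "$1"
}
```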
On The Job
One security risk to keep in mind if you use NIS is that anyone with access to the root account on any system that uses NIS can use the su - username command (note the space on both sides of the hyphen) to work with any account in your NIS database.