Kerberos and LDAP
The LDAP directory service and Kerberos authentication are not newcomers to the IT world. A wide variety of implementations exists, ranging from the Windows platform (Active Directory) to the world of Unix and Linux distributions (389 Directory Server, OpenLDAP, Sun ONE Directory Server and others).
As IT systems and their administration grow more complex, developers and administrators increasingly move away from the basic configuration and implementation of individual services. They prefer higher-level configuration tools or implementation procedures, without having detailed knowledge of the features, options and limitations of the underlying technologies and protocols.
In this regard, the Kerberos and LDAP course goes back to the roots. The training is designed to provide a systematic introduction to both services, individually and together, and to point out special features and aspects of their deployment. Theoretical explanations alternate with practical labs, so after completing the course participants will have the practical skills needed to deploy and manage both technologies.
Audience
- System administrators
- IT infrastructure architects
- Application developers
Goals
You will learn how to:
- understand the principles of directory services and the LDAP protocol
- apply the different types of models when designing a directory service
- perform a standard installation and basic configuration of the OpenLDAP server
- understand the issues of data security in the LDAP directory and control access to data
- perform basic data manipulation in LDAP: insertion and deletion, changes to content, and searching
- gain knowledge about monitoring, backup and high availability of LDAP
- set up an LDAP client and use LDAP as an authentication and authorization service
- understand the purpose and principles of Kerberos
- perform a standard installation and configuration of the Kerberos server, and configure clients and Kerberized services on application servers
- use Kerberos as an authentication authority for access to LDAP data
- easily set up RHEL systems for centralized authentication and account management using LDAP and Kerberos
- understand the use of Kerberos to secure NFSv4
Outline
- Introduction to directory services and types of models
  - What is a directory service
  - Examples of the use of directory services
  - History of the X.500 service and its weaknesses
  - LDAP as the successor of X.500
  - Types of LDAP models: information, naming, functional and security
- Information model
  - Directory schema: attributes, classes, OIDs
  - Standards for schema definition
  - Attribute definition
  - Search and comparison operators for attributes
  - Object classes: structural and auxiliary
  - Derivation and inheritance of classes
  - The special auxiliary class extensibleObject
  - LDIF
  - Different aspects of directory service design
  - Data security in the directory and data access control
- Naming model and data organization
  - Distinguished Name and Directory Information Tree
  - Role of the suffix and its selection
  - Two basic namespace concepts: flat and deep
  - Designing the namespace
  - Designing a directory
  - Working with an existing directory
- Functional model
  - Querying (search, compare)
  - Data manipulation (add, delete, modify, modify RDN)
  - Authentication (bind, unbind, abandon)
  - Command-line tools: the openldap-clients package
  - Configuring the LDAP client
  - Directory lookup: scopes, operators and filters
  - Special suffixes cn=config, cn=monitor and cn=schema
  - Practical use of ldapadd, ldapdelete, ldappasswd, ldapmodify
  - Using the LDIF format for data manipulation
- Authentication and security
  - Authentication, authorization, audit
  - Authentication methods: simple bind and SASL bind
  - Secure communication: TLS and SSL
  - Creating and installing a certificate with OpenSSL, client configuration
  - Managing client access policy to the directory service: bind-policy
  - Data security: encryption and Access Control Lists
- Service
  - Installation of a simple LDAP service with OpenLDAP
  - High availability and replication
  - Data distribution: referrals
  - Backup and disaster recovery
  - Improving access efficiency: indexing
  - Monitoring and logging
- LDAP as a central authentication authority
  - Project considerations: class selection and attribute mapping
  - LDAP and PAM
  - The simple way: LDAP, authconfig and sssd
  - LDAP and Samba: a first insight
- Kerberos, we count to three
  - Historical introduction: what is Kerberos and what is Cerberus?
  - Basic terms and abbreviations: KDC, AS, TGS, TGT, principal, realm, and more
  - From client to KDC and application server: how it all works
  - Current implementations: krb5, packages, services and configuration files
  - Kerberos, DNS and NTP
- Installation and security
  - Simple installation of the master KDC, kadmin, other tools and utilities
  - Initial security: conf and kadm5.acl
  - Installing an application server, service principals, keytabs and the tools ktutil and kvno
  - Preparing the client system: software installation and configuration
  - Test trivium: kinit, klist and kdestroy
  - Secure communication: client authentication and ticket validation
  - High availability: replication, slave KDC
  - Backup and recovery of the KDC database
- Kerberos and LDAP access
  - The GSSAPI mechanism of SASL
  - LDAP as a "kerberized" service
  - Mapping of GSSAPI-authenticated users
- Centralized management of accounts, and something extra
  - Kerberos and PAM
  - The simple way: Kerberos, LDAP, authconfig and sssd
  - Direct and indirect trust relationships between KDCs
  - Kerberos as the source of cryptographic keys: NFSv4
- We have got IPA
Prerequisites
- Knowledge of standard administration procedures on systems running RHEL/CentOS 7.x: software installation, service management, configuration
- Routine work with the command line and the vim or nano editors (note: most procedures and examples take place in the command-line environment)
- Basic knowledge of the TCP/IP network protocols
Study materials
Printed study materials included.