What is a directory?
Directory Services
Fundamental properties
ƒ Maps keys to values
ƒ Relatively frequent lookups
ƒ Relatively infrequent updates
PRINCIPLES – DNS – NIS – LDAP
David Byers
©2003–2004 David Byers
Directories in Linux
Service names
ƒ /etc/services
RPC program numbers
ƒ /etc/rpc
Known ethernet addresses
ƒ /etc/ethers
Automount maps
ƒ /etc/auto.master
Problems
ƒ Performance issues
ƒ Hosts that are down
ƒ Other propagation failures
ƒ Simultaneous updates
©2003–2004 David Byers
Standard implementation: local files
Example
ƒ 13000 users and 5000 hosts
ƒ Passwords valid for 30 days
ƒ 50% of changes made at 8-10
Æ One change every 28.8 seconds
Æ Propagation time: 0.00567s
©2003–2004 David Byers
User database
ƒ /etc/passwd, /etc/shadow
Group database
ƒ /etc/group
Host names
ƒ /etc/hosts
Network names
ƒ /etc/network
Protocol names
ƒ /etc/protocols
The scalability problem
What is a directory service
Directory services
A specialized database
ƒ Attribute-value type information
ƒ More reads than updates
ƒ Consistency problems are sometimes OK
©2003–2004 David Byers
ƒ No transactions or rollback
ƒ Support for distribution and replication
ƒ Clear patterns to searches
Components
Common directory services
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
A data model
A protocol for searching
A protocol for reading
A protocol for updating
Methods for replication
Methods for distribution
DNS
X.500 Directory Service
Network Information Service
NIS+
Active Directory (Windows NT)
NDS (Novell Directory Service)
LDAP (Lightweight X.500)
©2003–2004 David Byers
davby@ida.liu.se
IDA/ADIT/IISLAB
©2003–2004 David Byers
Examples
ƒ Phone book
ƒ Office directory
ƒ User database
ƒ List of contacts
1
Directory services
Global directory service
Local directory service
ƒ Context: entire network or entire
internet
ƒ Namespace: uniform
ƒ Distribution: usually
ƒ Examples: DNS, X.500, NIS+,
LDAP
ƒ
ƒ
ƒ
Directory services in Linux
Alias: name services
ƒ /etc/nsswitch.conf selects service
ƒ Several services per directory
ƒ Modular design/implementation
Context: intranet or smaller
Namespace: non-uniform
Examples: NIS, local files
Examples from /etc/nsswitch.conf
©2003–2004 David Byers
files,nis
nis[notfound=return],files
dns,files
©2003–2004 David Byers
users
users
hosts
Network Information Service
Domain (NIS domain)
ƒ Systems administered with NIS
ƒ No connection to DNS domain
NIS, NIS+, LDAP
NIS server
ƒ Server that has information
accessible through NIS
ƒ Serves one or more domains
NIS client
©2003–2004 David Byers
©2003–2004 David Byers
ƒ Host that uses NIS as a directory
service for something
NIS
NIS
Protocol
Data model
Master server
Processes/commands
ƒ
ƒ
ƒ
ƒ
ƒ Directories known as maps
ƒ Simple key-value mapping
ƒ Values have no structure
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ Master/slave servers
Distribution
ƒ No distribution support!
arjle
1001:adFrl
passwd.byname
donkn
1002:*:203
johne
1003:trzQw
alatu
2031:kprrT
johmc
2032:bRelZ
edwyo
2033:*:204
ricst
2034:vvldk
petde
2232:*:204
larwa
3021:*:204
Maps built from text files
Maps in /var/yp
Maps built with make
Maps stored in binary form
Replication to slaves with
yppush
ypserv
Server process
ypbind
Client process
ypcat To view maps
ypmatch
To search maps
ypwhich
Show status
yppasswdd
Change password
Slave servers
ƒ Receive data from master
ƒ Load balancing and failover
©2003–2004 David Byers
Replication
©2003–2004 David Byers
RPC based
No security
No updates
Replication support
2
NIS
NIS
NIS client
ƒ Knows its NIS domain
ƒ Binds to a NIS server
Primitive protocol
ƒ No updates
Scalability problems
ƒ Flat namespace
ƒ No distribution
Two options
ƒ Broadcast
ƒ Hard coded NIS-server
f
Security problems
ƒ No access control
ƒ Broadcast for binding
ƒ Patched as an afterthought
Hack for password change
ƒ Search only on key
ƒ Primitive data model
ƒ ypbind
NIS+
LDAP
New protocol
ƒ Updates through NIS+
ƒ General searches
ƒ Data model with real tables
Scalability
ƒ Hierarchical namespace
ƒ Distributed administration
Security
ƒ Authentication of server,
client and user
ƒ Access control on per-cell
level
©2003–2004 David Byers
©2003–2004 David Byers
Solution: NIS+
Protocol
Data model
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
TCP-based
Fine-grained access control
Support for updates
Flexible search protocol
Based on X.500
Object-oriented
Objects can be extended freely
Attribute-based data model
Hierarchical namespace
Replication
ƒ Replication is possible
Distribution
So why is NIS+ not used?
Example of user
NIS+ table ”passwd.org_dir.example.com”
name
davby
fsmith
passwd
uid
gid
gecos
*LK*
3x1231v76T89N
1211
1329
1200
1200
David
Fran
home
/home/davby
/home/fsmith
shell
/bin/sh
/bin/sh
NIS table passwd.byname (user name as key):
©2003–2004 David Byers
davby davby:*:1211:1200:David:/home/davby:/bin/sh
fsmith fsmith:*:1329:1200:Fran:/home/fsmith:/bin/sh
dn: uid=fsmith,ou=employees,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: fsmith
givenname: Fran
sn: Smith
cn: Fran Smith
cn: Frances Smith
telephonenumber: 510-555-1234
roomnumber: 122G
o: Example Corporation International
mailRoutingAddress: fsmith@example.com
mailhost: mail.example.com
userpassword: {crypt}3x1231v76T89N
uidnumber: 1329
gidnumber: 1200
homedirectory: /home/fsmith
loginshell: /bin/sh
LDAP
©2003–2004 David Byers
Example of user
©2003–2004 David Byers
©2003–2004 David Byers
ƒ Distributed management is
possible
3
The future
LDAP is taking over
NIS is too insecure, doesn’t scale and is inflexible
NIS+ is hard to implement and doesn’t exist on many OSes
X.500 is too complex and has a bad reputation
Other options have similar problems
©2003–2004 David Byers
DNS
©2003–2004 David Byers
DNS: Data model
NAME Æ { TYPE Æ RDATA }
(NAME, TYPE, RDATA)
rd
rce reco
Resou
TYPE
TYPE
AA
MX
MX
NS
NS
NS
NS
NS
NS
NS
NS
RDATA
RDATA
130.236.177.25
130.236.177.25
00 ida.liu.se
ida.liu.se
ns.ida.liu.se
ns.ida.liu.se
ns1.liu.se
ns1.liu.se
ns2.liu.se
ns2.liu.se
nsauth.isy.liu.se
nsauth.isy.liu.se
RDATA
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ Binary data, hardcoded format
ƒ TYPE determines format
SOA – Start of authority
NS – Name server
MX – Mail exchanger
A – Address
A6 – IPv6 address
AAAA – IPv6 address
PTR – Domain name pointer
CNAME – Canonical name
TXT – Text
… and many more
©2003–2004 David Byers
NAME
NAME
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
ida.liu.se
TYPE
©2003–2004 David Byers
ƒ Functional:
ƒ Relational:
DNS: TYPE & RDATA
DNS: Namespace
DNS: Replication
Names
Namespace
Secondary/slave nameserver
Example
ƒ Dot-separated parts
f one.part.after.another
ƒ Global and hierarchical
ƒ Indicated by NS RR
ƒ Data transfer with AXFR/IXFR
sysi-00:~# host -t ns ida.liu.se
ida.liu.se NS nsauth.isy.liu.se
ida.liu.se NS ns.ida.liu.se
ida.liu.se NS ns1.liu.se
Questions
ƒ
<root>
FQDN
ƒ Fully Qualified Domain Name
ƒ Complete name
ƒ Always ends in a dot
Rule of thumb
net
com
google
ibm
www
www
org
se
ibm
ƒ How does a slave NS know
when there is new information?
ƒ How often should a slave NS
attempt to update?
ƒ How long is replicated data
valid?
liu
Partial name
www
ida
www
tfk
©2003–2004 David Byers
ƒ Suffix of name implicit
ƒ Does not end in a dot
Every zone needs at least two
nameservers
©2003–2004 David Byers
ƒ
ƒ
ƒ
ƒ
4
DNS: Distribution
DNS: Delegation
Example
Delegation
Delegating NS
ƒ A NS can delegate responsibility
for a subtree to another NS
ƒ Only entire subtrees can be
delegated
ƒ NS record for delegated zone
ƒ A record (glue) for NS when
needed
<root>
.se zone
net
com
Zone
www
www
ibm
www
SOA
liu
ida
( ns.b.xmp.com
dns.xmp.com
20040909001
24H
2H
1W
2D )
tfk
Q: When is glue needed?
.com domain
www
©2003–2004 David Byers
ƒ A subtree of the namespace
ibm
b.xmp.com
ƒ SOA record for the zone
©2003–2004 David Byers
Domain
google
Delegated-to NS
se
DNS: Delegation
DNS: Cacheing
Format of SOA
SERIAL
Cacheing creates scalability
Cache parameters
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ Increase for every update
ƒ Date format common
f 20040909001
ƒ Cacheing reduces tree traversal
ƒ Cacheing of A and PTR reduce
duplicate DNS queries
ƒ TTL
ƒ Negative TTL
MNAME
RNAME
SERIAL
REFRESH
RETRY
MINIMUM
Master NS
Responsible (email)
Serial number
Refresh interval
Retry interval
TTL for negative
reply
– Set per RR
– Set in SOA
Example
$TTL 4H
REFRESH/RETRY
ƒ How often secondary NS
updates the zone
Choosing good cache
parameters is vital
MINIMUM
©2003–2004 David Byers
24H
24H
©2003–2004 David Byers
ƒ How long to cache NXDOMAIN
ns
SOA (MNAME RNAME
SERIAL REFRESH
RETRY 1H )
NS ns
A
10.1.2.3
DNS: The server
DNS: The client
Recursive/iterative
Review
Client requirements
Partially qualified names
ƒ Does the server offer recursion?
ƒ To which clients is it offered?
ƒ
ƒ Use a recursive NS (resolver)
ƒ Use partially qualified names
ƒ Add suffix if there are fewer
than n dots in the name (ndots)
ƒ Authoritative: first-hand
information
ƒ Otherwise: cached information
ƒ
Name server (resolver)
APP
libc
ƒ Specified in /etc/resolv.conf
Example: /etc/resolv.conf
nsswitch.conf
nss
libnss_dns.so
©2003–2004 David Byers
Authoritative/nonauthoritative
Recursive: the nameserver gives a
definite answer, but may ask other
nameservers in order to generate it
Iterative: the nameserver gives a
definite answer only for locally
known information; otherwise it
generates a referral
resolv.conf
Resolver library
search ida.liu.se
nameserver ns.ida.liu.se
ndots 2
Recursive NS
Iterative NS
Iterative NS
Iterative NS
Iterative NS
©2003–2004 David Byers
ƒ The part of the namespace that
a NS is authoritative for
ƒ Defined by SOA and NS
org
a.example.com NS ns2.xmp.com
b.xmp.com
NS
ns.b.xmp.com
ns.b.xmp.com
A
10.1.2.3
5
DNS: Root Name Server
Why no more than 13?
Dulles VA
Marina Del Rey CA
Herndon VA; Los Angeles; New York City; Chicago
College Park MD
Mountain View CA
Ottawa; Palo Alto; San Jose, CA; New York City; San Francisco;
Madrid; Hong Kong; Los Angeles; Rome; Auckland; Sao Paulo;
Beijing; Seoul; Moscow; Taipei; Dubai; Paris; Singapore; Brisbane;
Toronto; Monterrey; Lisbon; Johannesburg;Tel Aviv; Jakarta;
Munich;
Vienna VA
Aberdeen MD
Stockholm; Helsinki; Milan; London; Geneva; Amsterdam; Oslo;
Bangkok; Hong Kong; Brussels; Frankfurt
Dulles VA (2 locations); Mountain View CA; Seattle WA;
Amsterdam; Atlanta GA; Los Angeles CA; Miami; Stockholm;
London; Tokyo; Seoul; Singapore; Sterling VA (2 locations,
standby)
London; Amsterdam; Frankfurt; Athens; Doha (Quatar)
Los Angeles
Tokyo; Seoul (KR); Paris (FR)
G U.S. DOD NIC
H U.S. Army Research Lab
I Autonomica/NORDUnet
Thirteen services
ƒ Some are anycast
ƒ Over 60 servers
J VeriSign Global Registry
Services
©2003–2004 David Byers
Hard-coded in resolver
K RIPE NCC
L ICANN
M WIDE Project
DNS: CNAME
Canonical name
ƒ Pointer within namespace
ƒ Johansson: See Johnson
ida
www
informatix
CNAME Woopsie 1
Address-to-name mapping
www CNAME informatix
www A 130.236.177.12
ƒ Same RR type for IPv4 och IPv6
ƒ ”A big reverse zone in the sky”
CNAME Woopsie 2
IPv4: in-addr.arpa.
ida.liu.se. CNAME www.ida.liu.se.
www.ida.liu.se. A 130.236.177.12
CNAME Woopsie 3
f
ida.liu.se. NS ns.ida.liu.se.
ns CNAME vitalstatistix
vitalstatistix A 130.236.177.12
f
arpa
in-addr
A:
tfk
www
0 … 189 … 255
15.189.236.130.in-addr.arpa. PTR sysi-05.sysinst.ida.liu.se.
ƒ Normally UDP port 53
ƒ TCP if the reply is too large
DNS packet
ida
ƒ
ƒ
ƒ
ƒ
ƒ
sysinst
1
Use CNAME to create a new
zone that can be delegated!
Delegate each address as a separate zone
ida
liu
10
0 1 2 3 4 5 … 63
0 … 236 … 255
liu
TCP or UDP
se
rv4
0 1 2 3 4 5 … 63
$GENERATE 1-63 $ CNAME $.rv4.sysinst.ida.liu.se.
©2003–2004 David Byers
A:
How to delegate partial
subtrees corresponding to small
subnets, e.g. 10.17.1.0/26?
in-addr
DNS: The protocol
17
Q:
ibm
se
0 … 15 … 255
<root>
ƒ Delegering of entire subtrees
ƒ Subtrees at each dot
ƒ In in-addr.arpa a dot after each
octet of the address
google
arpa
0 … 130 … 255
Same lookup, cache etc.
CNAME works too
DNS: Delegation in in-addr.arpa.
Delegation
<root>
com
ƒ Reverse address and add in-addr.arpa.
ƒ A.B.C.D Æ D.C.B.A.in-addr.arpa.
ƒ Same as any other name in DNS!
©2003–2004 David Byers
www.ida.liu.se CNAME informatix.ida.liu.se
DNS: PTR
©2003–2004 David Byers
ƒ Data generated by ICANN
ƒ Data distributed by Verisign
ƒ Distribution from hidden master
Locations
VeriSign
ISI
Cogent Communications
University of Maryland
NASA Ames
Internet Systems
Consortium, Inc.
Header section
Query section
Answer section
Authority section
Additional section
Flags etc.
Queries to the server
Replies to the queries
Referrals to other NS
Extra data that may be useful (e.g. glue)
©2003–2004 David Byers
Handles the root zone
Operator
©2003–2004 David Byers
A
B
C
D
E
F
6
DNS: The protocol
DNS: The protocol
Header section: flags
Flags
Question section
Authority section
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ Set RD for recursive quer
ƒ If AA is not set, reply is from
cache
ƒ If TC it set, the reply is too large
for UDP
ƒ Contains questions
ƒ Also included in reply
ƒ
ƒ
Indicates authoritative NS
Never empty in referrals
Additional section
ƒ
Answer section
ƒ
ƒ SERVFAIL
Problem with NS
ƒ NXDOMAIN No such name
ƒ REFUSED
Refuse to reply
IN
A
86400
86400
86400
86400
IN
IN
IN
IN
NS
NS
NS
NS
ns2.liu.se.
sunic.sunet.se.
nsauth.isy.liu.se.
ns1.liu.se.
;; ADDITIONAL SECTION:
ns1.liu.se.
ns2.liu.se.
sunic.sunet.se.
nsauth.isy.liu.se.
86400
86400
86400
86400
IN
IN
IN
IN
A
A
A
A
130.236.6.251
130.236.6.243
192.36.125.2
130.236.48.9
©2003–2004 David Byers
;; AUTHORITY SECTION:
liu.se.
liu.se.
liu.se.
liu.se.
;; QUESTION SECTION:
;www.ida.liu.se.
IN
A
IN
IN
CNAME
A
informatix.ida.liu.se.
130.236.177.26
259200
259200
259200
259200
IN
IN
IN
IN
NS
NS
NS
NS
ns1.liu.se.
ns2.liu.se.
nsauth.isy.liu.se.
ns.ida.liu.se.
259200
43200
43200
21600
IN
IN
IN
IN
A
A
A
A
130.236.177.25
130.236.6.251
130.236.6.243
130.236.48.9
;; ANSWER SECTION:
www.ida.liu.se.
informatix.ida.liu.se.
259200
259200
;; AUTHORITY SECTION:
ida.liu.se.
ida.liu.se.
ida.liu.se.
ida.liu.se.
;; ADDITIONAL SECTION:
ns.ida.liu.se.
ns1.liu.se.
ns2.liu.se.
nsauth.isy.liu.se.
sysi-00:~# dig www.ibm.com @ns.ida.liu.se
; <<>> DiG 9.2.4rc5 <<>> www.ibm.com @ns.ida.liu.se
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38042
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4
DNS: Commands
nslookup
IN
A
ƒ Look up names
;; ANSWER SECTION:
www.ibm.com.
www.ibm.com.
www.ibm.com.
www.ibm.com.
1800
1800
1800
1800
IN
IN
IN
IN
A
A
A
A
129.42.21.99
129.42.16.99
129.42.17.99
129.42.18.99
;; AUTHORITY SECTION:
ibm.com.
ibm.com.
ibm.com.
600
600
600
IN
IN
IN
NS
NS
NS
ns.austin.ibm.com.
ns.watson.ibm.com.
ns.almaden.ibm.com.
;; ADDITIONAL SECTION:
ns.austin.ibm.com.
ns.watson.ibm.com.
ns.almaden.ibm.com.
70372
92202
70372
IN
IN
IN
A
A
A
192.35.232.34
129.34.20.80
198.4.83.35
host
ƒ Look up data in DNS
Don’t tr
ou
using n bleshoot DNS
slookup
.
only ca
use grief It will
.
dig
ƒ Look up data in DNS
ƒ Full access to protocol
whois
©2003–2004 David Byers
;; QUESTION SECTION:
;www.ibm.com.
©2003–2004 David Byers
sysi-00:~# dig www.ida.liu.se @nsauth.isy.liu.se
; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @nsauth.isy.liu.se
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49836
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
sysi-00:~# dig www.ida.liu.se @a.ns.se
; <<>> DiG 9.2.4rc5 <<>> www.ida.liu.se @a.ns.se
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7059
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.ida.liu.se.
©2003–2004 David Byers
ƒ Contains requested RRs
ƒ Empty in referral replies
RCODE
RR related to response, but not part
of response
E.g. A for NS in authority section
ƒ Information about who has registered a domain
ƒ Many versions – jwhois is nice
©2003–2004 David Byers
Query or response
Type of quer
Authoritative Answer
TrunCation
Recursion Desired
Recursion Available
Reserved
Result code
©2003–2004 David Byers
QR
OPCODE
AA
TC
RD
RA
Z
RCODE
7
Directory Service Summary
Properties
Common directory services
ƒ Search-optimized database
ƒ Attribute-based data
ƒ Distributed management for
scalability
ƒ Replication for performance and
reliability
ƒ Search protocol
ƒ Update protocol
ƒ
ƒ
ƒ
©2003–2004 David Byers
DNS – Host names etc.
NIS/NIS+ – Replace local files
LDAP – General directory service
8