Explanation of LDAP protocol and AD Active Directory

Table of contents

LDAP protocol

LDAP basic concepts

Data structure of LDAP directory

LDAP interaction process and related messages

AD(Active Directory)

AD basic concepts

The difference between AD domains, workgroups and local groups

AD DS (AD Domain Services)

trust relationship

Group Policy and Security Groups


LDAP protocol

LDAP basic concepts

LDAP (Lightweight Directory Access Protocol) is a simplified protocol derived from the X.500 standard (it omits many of the rarely used X.500 features) and uses TCP port 389.

LDAP is an open standard protocol for accessing and maintaining distributed directory servers; it provides a standard way to query and manage directory information.

Data structure of LDAP directory

The data organization of an LDAP directory differs from that of an ordinary database: LDAP uses a hierarchical tree structure.

In a directory service system, the entire set of directory information can be represented as a directory information tree. The root of the tree is usually defined as a country (c=CN) or a domain name (dc=com); further down, one or more organizational units (OU) are usually defined (when designing OUs, avoid a layout that later forces LDAP records to be moved from one OU to another).

Each node in the tree is an entry, and each entry is a record with a unique name, its DN. For example, a DN can look like this: DN: CN=user1, OU=ou2, DC=cti, DC=support

Technical terms derived from the tree structure

| Keyword | Full English name | Meaning |
|---|---|---|
| DIT | Directory Information Tree | The entire tree is called the directory information tree, or DIT. |
| DC | Domain Component | One component of a domain name: the full domain name is split into its parts, so the domain name example.com becomes dc=example,dc=com (where a record is located). |
| OU | Organization Unit | Organizational unit, which can contain various other objects (including other organizational units), for example "oa group" (the organization a record belongs to). |
| CN | Common Name | A common name, such as "Thomas Johansson" (the name of a record). |
| DN | Distinguished Name | The unique identifier of a record (entry); LDAP queries and operates on data by this identifier, e.g. "uid=xx,ou=xx,dc=xx,dc=xx". |
| Attribute | | An entry contains multiple attributes, each representing part of the information about the entry. |
| UID | User Id | User ID, e.g. songtao.xu (the ID of a record). |
| SN | Surname | Surname, such as "Xu". |
| RDN | Relative Distinguished Name | The relative distinguished name is the entry's own name; like a relative path in a file system, it is the part of the DN that does not depend on the directory tree structure. |
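The DN handling described above, worked through in code: this is an added example, not from the original post, and it follows RFC 4514 syntax for the DN "CN=user1,OU=ou2,DC=cti,DC=support" used in the text (the `is_under` check, which tests whether an entry sits below a search base DN, is an addition that goes slightly beyond the text).

```python
# Helpers for working with LDAP DNs (added example; RFC 4514 string syntax).
def split_dn(dn):
    """Split a DN into its RDN strings, leaf first, honouring backslash escapes
    so that a comma inside a value ("CN=Doe\\, John") does not split the RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        cur.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            cur.pop()                      # the separator is not part of the RDN
            rdns.append("".join(cur).strip())
            cur = []
    rdns.append("".join(cur).strip())
    return rdns

def parse_dn(dn):
    """Return [(attribute type, value), ...] with attribute types lower-cased."""
    pairs = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def rdn_of(dn):
    """The entry's own name: the first RDN."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """Where the entry sits in the tree: everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])

def is_under(dn, base_dn):
    """True if dn lies in the subtree rooted at base_dn (case-insensitive),
    i.e. a Search Request with this base DN could return the entry."""
    entry = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base

def domain_to_dc(domain):
    """example.com -> dc=example,dc=com"""
    return ",".join("dc=" + label for label in domain.lower().split("."))

def dc_to_domain(dn):
    """Recover the DNS domain name from the dc= components of a DN."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")
```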

LDAP interaction process and related messages

LDAP message types

Bind Request: bind request

Bind Response: bind response

Unbind Request: unbind request (the client notifies the server that it is terminating the LDAP session)

Unbind Response: unbind response

Search Request: search request

Search Result Entry: query result message (carrying the DN of each matching entry found by the query)

Search Res Done: the query status returned by the server to the client (success means the query succeeded; referral means this LDAP server does not hold the queried DN)

Search Res Ref: a reference returned by the server with the query results (if this LDAP server holds directory information about other LDAP servers and the queried base DN matches, the URLs of those other LDAP servers are listed in this message)

LDAP interaction process

1. The client resolves the domain name of the domain it is joining to an IP address (the DNS server must hold a record for that domain name).

2. The client performs a TCP three-way handshake to establish a connection with the server.

3. The client sends a Bind Request message carrying the account and password to the server; the server returns the authentication result in a Bind Response message.

4. The client sends a Search Request to query the server's directory information; the server returns the results and the query status in Search Result Entry and Search Res Done messages.

5. The client ends the session by sending an Unbind Request; after receiving it, the server releases the session with the client and replies with an Unbind Response (no four-way close like TCP's is needed).
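The Bind and Unbind exchange from the steps above, encoded and decoded at the wire level. This is an added example, not code from the original post: it builds the BER-encoded LDAPMessage bytes for a Bind Request and an Unbind Request using the tag values from RFC 4511, and parses a constructed Bind Response (success, and the invalidCredentials failure a defender would see in a failed-bind log).

```python
# Minimal BER encoder/decoder for the LDAP messages listed above (RFC 4511 tags).
def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """INTEGER, restricted to 0..127 so a single content byte is enough here."""
    assert 0 <= value < 0x80
    return tlv(0x02, bytes([value]))

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    The password travels in cleartext: simple bind belongs on LDAPS or after StartTLS."""
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)

def unbind_request(msg_id):
    """UnbindRequest is [APPLICATION 2] NULL: tag 0x42 with zero length."""
    return tlv(0x30, ber_int(msg_id) + b"\x42\x00")

def parse_tlv(buf, pos=0):
    """Return (tag, content, end offset) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1].
    resultCode 0 is success; 49 (invalidCredentials) is what a failed bind returns."""
    tag, body, _ = parse_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = parse_tlv(body)
    tag, op, _ = parse_tlv(body, pos)
    assert tag == 0x61, "not a BindResponse"
    tag, code, pos = parse_tlv(op)            # ENUMERATED resultCode (tag 0x0A)
    assert tag == 0x0A
    _, _matched_dn, pos = parse_tlv(op, pos)  # matchedDN (OCTET STRING)
    _, diag, _ = parse_tlv(op, pos)           # diagnosticMessage (OCTET STRING)
    return int.from_bytes(mid, "big"), code[0], diag.decode()

# Constructed sample replies (not captured traffic): one successful bind, one failed bind.
BIND_OK = bytes.fromhex("300c02010161070a010004000400")
BIND_FAIL = tlv(0x30, ber_int(1) + tlv(0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"") + tlv(0x04, b"invalid credentials")))
```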


AD(Active Directory)

AD basic concepts

Introduction to AD

AD (Active Directory) is used to store information about network objects and allows administrators and users to easily find and use this information.

The Directory Database in the AD domain is used to store user accounts, computer accounts, printers, shared folders, etc.

Active Directory Domain Services (AD Domain Services, abbreviated AD DS) in the AD domain provides the directory service and is responsible for storing the directory database and for adding, deleting, modifying and querying its contents.

The relationship between AD and LDAP

From the LDAP protocol we know that a directory is a hierarchical tree structure that can store information about objects on the network (such as user accounts and passwords, email addresses, phone numbers, etc.).

AD stores the directory information and provides the directory service (AD can be understood as a distributed directory server); the directory information in AD is then read, loaded and managed through the LDAP protocol.

The most common products currently used to provide directory services (to store directory information):

IBM: IBM Directory Server

Microsoft: Active Directory

SUN: Sun ONE Directory Server

The difference between AD domains, workgroups and local groups

What is a workgroup

Before the concept of a domain existed, workgroups were used to put computers into different groups according to their function, to make management, operations and maintenance easier; by default a computer is placed in the workgroup named WORKGROUP.

Now, with the widespread adoption of domains, workgroups are hardly used any more.

What is a local group

A local group is a group of computers on the same network segment formed through Network Neighborhood. Users in the local group can share files, printers, etc.

Differences between AD domains, workgroups and local groups

A domain can be regarded as an upgraded version of a workgroup (everything a workgroup can do, a domain can do too).

In terms of management mode

  1. The AD domain is a centralized management model: all user login accounts and passwords can be stored on the domain controller (so a user can log in with the same account and password on any computer in the domain, that is, user roaming).
  2. The workgroup is a decentralized management model: the account and password a user logs in with are stored locally on each computer.
  3. A local group is a group of computers on the same network segment formed through Network Neighborhood; users in the local group can share files, printers, etc.

Scope

AD domains span computers

A workgroup is designed to manage and share files among multiple computers within the same local area network.

Local groups are used to manage and share files among multiple computers in the same network segment.

AD DS (AD Domain Services)

AD DS provides a centralized system for managing users, computers and other resources on the network, and can implement directory database storage, addition, deletion, modification and query operations.

Composition of AD DS

Physical components

Domain controller (DC), read-only domain controller (RODC), global catalog server (GC)

Logical components

Partition, schema, domain, domain tree, forest, site, organizational unit (OU)

Introduction to each component

domain controller

A server with AD services installed that hosts a complete copy of all directory information in its domain and can be accessed by network applications and services.

A domain controller provides authentication and authorization services, replicates updates to the other domain controllers in the domain and forest, and allows user accounts and network resources to be managed on the server.

A domain must have at least one domain controller, and each domain controller holds a writable copy of the directory of the domain it belongs to.

global catalog server

A special domain controller that stores a copy of all directory information in the forest, but with only a limited set of attributes for each object (the most commonly searched ones); it also stores a complete copy of the directory of its own domain.

Searching for objects is more efficient through a global catalog server (it avoids unnecessary referrals to other domain controllers).

A global catalog server is also required for users to log on to the domain.

All domains in a forest share the same global catalog (the first domain controller in a forest is the default global catalog server)

Read-only domain controller (RODC)

A special domain controller that only holds a read-only copy of the domain's directory information and cannot be used to make modifications.

It improves security and is typically used in branch offices.


Partition

A partition is a logical structure in the AD DS database that divides directory data into logical groups for easier management and access.

Schema

The schema defines the classes and attributes of directory objects and is the foundation of AD DS.

Domain

A domain is the security boundary in AD DS and the basic management unit of the directory database. It contains user accounts, computer accounts and other objects.

The security boundary ensures that a domain administrator has administrative rights only within that domain (unless explicitly granted rights by another domain).

Domain tree (Tree)

A domain tree is a hierarchy of domains, each of which is a security boundary.

The domains in a domain tree are divided into a root domain (parent domain) and subdomains.

Domain names within a domain tree form a contiguous namespace.

Forest

A forest is a hierarchical structure composed of one or more domain trees; it provides a unified trust model that makes cross-domain access and authentication easier.

The trees in a forest do not share one contiguous namespace (that is, the domain names of the different domain trees are not contiguous, but the trees have trust relationships with each other).

Site

A site is a logical structure in AD DS that represents a network location; it usually consists of one or more subnets connected over TCP/IP (network communication within one site is reliable, fast and efficient) and is used to organize and manage physical components such as domain controllers and global catalog servers.

Purpose

Optimizes replication traffic

Lets users log on to domain controllers over reliable, high-speed connections

Organizational unit (OU)

An organizational unit is a container object in AD DS and the smallest unit to which Group Policy settings or administrative rights can be assigned.

Notes

Organizational units are containers in AD DS that can hold users, groups, computers and other organizational units.

An organizational unit cannot contain objects from other domains.

trust relationship

A trust relationship is an inherent relationship between different domains in the network. Two domains can access each other only after a trust relationship has been created between them.

Establishing a trust relationship

Created automatically

When a domain tree or forest is created, a two-way, transitive trust is automatically created between the root domain and the subdomains of the domain tree, and between the root domains of the different trees in the forest (no trust is created automatically between forests).

Created manually

If two unrelated domains need to access each other, or users need to log in to their own domain from the other domain, a trust relationship between the domains can also be created manually.

Before Windows 2000, trust relationships between forests were not allowed (they are allowed from Windows 2000 onward).

Characteristics of trust relationships

Domain trust relationships are directional: if domain A trusts domain B, resources in domain A can be assigned to users of domain B, but resources in domain B cannot be assigned to users of domain A; for that, domain B must also trust domain A.

The initiative in a trust relationship lies with the trusted domain rather than the trusting domain.

Group Policy and Security Groups

Security Group (Local Security Policy)

A security group is a group listed in a discretionary access control list (DACL) that defines permissions on resources and objects; the Windows security group policy is in fact part of the security settings within Group Policy (including account security policies, Windows Firewall configuration and other configuration directories).

A security group can also be understood as a permission level (joining a security group grants you the permissions assigned to that group).

Enter secpol.msc in the Run dialog to open the security policy editor. Changes take effect after the Windows user logs on again.

Account policies, password policies, local policies and so on can be changed there.

The relationship between group policy and security groups

Group Policy and Local Security Policy are both tools for security configuration in Windows systems. The main differences between the two are as follows

First: Local security policy mainly focuses on the security configuration of the system, including audit policies, user rights assignments, etc., while group policy covers a wider range of system, software and hardware configurations

Second: Group Policy includes all contents of local security policy (Group Policy is an extension of local security policy)

Group Policy (usually Group Policy is configured directly, without configuring additional security groups)

A set of policies in Windows systems that controls what users can and cannot do on their computers.

Group Policy provides centralized management and configuration of user settings across operating systems, applications, and Active Directory.

For example: enforce a password complexity policy through Group Policy to prevent users from choosing passwords that are too simple.

For example: allow or block unidentified users from connecting to a network share from a remote computer through Group Policy.

For example: block access to Windows Task Manager or restrict access to specific folders through Group Policy.

Group Policy Type

Computer Configuration: Group Policy settings that apply to all users of the computer

User Configuration: Group Policy settings that apply only to the current user

Opening Group Policy

In the Run dialog: gpedit.msc

Group Policy Update

After modifying Group Policy, you can force it to refresh with gpupdate /force.

Group Policy is refreshed every 90 minutes by default, with a random offset of 30 minutes; on a domain controller, Group Policy is refreshed every 5 minutes.

Group Policy Object processing order (top to bottom)

Local (any Group Policy settings on the local computer)

Before Windows Vista, each computer could have only one copy of Local Group Policy.

Windows Vista and later versions allow each user account to have its own separate Local Group Policy.

Site (any Group Policy associated with the Active Directory site where the computer is located)

Active Directory (AD) provides a centralized way to manage and organize the computers and users on your network.

An Active Directory site represents a network location, usually consisting of one or more subnets connected through TCP/IP (network communication within the same site is reliable, fast and efficient)

If multiple policies are linked to a site, they are processed in the order set by the administrator.

Domain (any Group Policy associated with the Windows domain where the computer is located)

If multiple policies are linked to a domain, they are processed in the order set by the administrator.

Organizational unit (any Group Policy associated with the Active Directory organizational unit (OU) in which the computer or user resides)

An OU is a logical unit that helps organize and manage a group of users, computers, or other Active Directory objects.

If multiple policies are linked to an OU, they are processed in the order set by the administrator.
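The Local, Site, Domain, OU processing order described above, as a small model that shows which setting wins and where it came from (the way an RSoP report does). This is an added example, not from the original post; the GPO names and settings are constructed, and within each level the GPOs are listed in the order the administrator set them to be processed, so a later GPO overrides an earlier one.

```python
# Model of Group Policy precedence: Local -> Site -> Domain -> OU chain (top-level OU
# down to the OU holding the object). Later-applied settings override earlier ones.
def apply_gpos(local, site_gpos, domain_gpos, ou_chain):
    """Return {setting: (effective value, source GPO)} after LSDOU processing.
    site_gpos / domain_gpos: [(gpo_name, {setting: value}), ...] in processing order.
    ou_chain: [(ou_dn, [(gpo_name, settings), ...]), ...] from parent OU to child OU."""
    effective = {}

    def merge(source, settings):
        for key, value in settings.items():
            effective[key] = (value, source)     # later writer wins, source recorded

    merge("Local", local)
    for name, settings in site_gpos:
        merge("Site:" + name, settings)
    for name, settings in domain_gpos:
        merge("Domain:" + name, settings)
    for ou_dn, gpos in ou_chain:                 # parent OU first, child OU last
        for name, settings in gpos:
            merge("OU " + ou_dn + ":" + name, settings)
    return effective

def overridden_locally(local, effective):
    """Local settings that a site/domain/OU GPO replaced: useful when a local
    hardening change silently 'does not apply' on a domain-joined machine."""
    return {k: (local[k], effective[k]) for k in local if effective[k][1] != "Local"}

# Constructed sample data (hypothetical GPO names; not from any real domain).
LOCAL = {"disable_task_manager": False, "screen_saver_timeout": 900}
SITE = [("Site Bandwidth", {"slow_link_detection": True})]
DOMAIN = [("Default Domain Policy", {"disable_task_manager": False, "audit_logon": True}),
          ("Baseline Hardening", {"disable_task_manager": True})]
OUS = [("OU=Workstations", [("WS Lockdown", {"screen_saver_timeout": 300})]),
       ("OU=Kiosks,OU=Workstations", [("Kiosk", {"allow_usb": False})])]

def resultant_policy():
    return apply_gpos(LOCAL, SITE, DOMAIN, OUS)

if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_policy().items()):
        print(f"{setting:22} = {value!s:6} (from {source})")
```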


Origin blog.csdn.net/m0_49864110/article/details/134819960