Article feb2007.tar

Certification: A First Look at LPIC-3 Certification

Emmett Dulaney

Among the most respected vendor-neutral certifications in the industry are those from the Linux Professional Institute (LPI). LPI Level 1 certification (LPIC-1) is the junior-level certification intended to verify the very basic skills needed by a beginning administrator to work with Linux. There are two exams that you must pass, and they consist of questions that are multiple-choice as well as fill-in-the-blank -- the latter question type making the exams much more difficult than those from many other vendors. LPIC-2 certification also requires passing two exams with the same question types, but now the topics are much more advanced and you need to be a knowledgeable administrator to pass.

Since the certification began, LPI has planned three levels of certification, with the highest level equivalent to what other vendors refer to as an engineer. While the other two levels fell into place some time ago, this highest level has been elusive -- until now. In October of 2006, LPI began beta testing the LPIC-3 exams. The two exams in this phase are referred to as 301 and 302. Exam 301 focuses on LDAP, capacity planning and related technologies; exam 302 focuses on Samba and network file/print services. It is too early for the final objectives to be in place or for weighting to be applied to them (weighting is one of the most useful things LPI publishes, because it tells test-takers where to focus most of their attention), but as soon as they are finalized, they will be posted. Until then, the lists that follow are of the topics/tasks as they currently exist.

301 Tasks

This exam looks at authentication and naming, requiring a keen understanding of LDAP. It also looks at integration with core network services, capacity planning, and troubleshooting. The task list, as it now exists, includes:

LDAP

1. LDAP Concepts and Architecture

  • LDAP and X.500 technical specification
  • Directory namespace
  • Attribute definitions
  • Distinguished names
  • Authentication methods
  • LDIF -- LDAP Data Interchange Format -- files

2. Directory Design

  • Defining directory content
  • Designing data
  • Organizing the directory
  • Planning security
  • Designing server infrastructure

3. OpenLDAP Server

  • Compiling and configuring from source
  • Configuration layout
  • Backend databases
  • Configuring service files
  • Managing OpenLDAP daemons
  • Testing OpenLDAP

4. Client Configuration

  • Configuring client
  • Testing client functionality
  • Client software deployment
  • Using client tools and useful parameters

5. Replication

  • Replication concepts
  • Replication topologies
  • Configuring replication
  • Running and managing replication daemons
  • Replication logs analysis

6. Access Control List

  • Planning ACLs
  • Restricting directory access
  • Access level types
  • Granting and revoking permissions
  • Access control attribute syntax

7. Searching the directory

  • Using search tools
  • Advanced searching options
  • Optimizing searching

8. Schemas

  • Schema concepts
  • Changing schemas
  • Using common schemas
  • Creating new schemas to meet demand

9. NIS to LDAP Migration

  • Analyzing NIS structure
  • Migration planning creation
  • Automating data migration
  • Administering NIS resources
  • Creating a NIS gateway

10. User Authentication with LDAP and PAM

  • Configuring server for LDAP authentication
  • Configuring name service switch for LDAP Listing
  • Setting up PAM modules for LDAP authentication
  • Troubleshooting LDAP authentication

11. Email and LDAP

  • Planning LDAP structure for email services
  • Planning email directory tree
  • Creating email objects
  • Implementing mail alias lookups
  • Integrating with Postfix
  • Integrating with Sendmail

12. Unix services and LDAP

  • SSH and LDAP
  • FTP and LDAP
  • HTTP and LDAP
  • FreeRADIUS and LDAP
  • Printing service and LDAP

13. Whitepages

  • Planning Whitepages services
  • Configuring Whitepages service
  • Testing Whitepages

14. Integrating with Samba

  • Migrating from smbpasswd to LDAP
  • LDAP Samba password backend
  • Samba schema

15. Integrating with Active Directory

  • Cross-platform authentication
  • Single sign-on concepts
  • Kerberos authentication and LDAP
  • Integration and compatibility limitations

16. Authenticating Mixed Unix Environment

  • Planning LDAP client compatibility matrix
  • Configuring LDAP name service switch in different Unix environments
  • Configuring LDAP PAM modules in different Unix environments
  • Testing clients

17. Securing the Directory

  • TLS and SSL
  • Backing up LDAP data
  • Disaster recovery planning

18. Performance Tuning

  • LDAP measuring methods
  • Software tuning
  • Hardware tuning

19. Basic Perl-LDAP Development using Net::LDAP Module

  • Net::LDAP module
  • Connecting, binding and searching
  • Automating LDAP administrative tasks

Miscellaneous

  • Understand the characteristics of a directory
    • Identify scenarios/data sets suitable for storage in a directory
  • Relation to X.500 DAP
  • Familiar with the various database backends supported
  • Implementation to replace & consolidate existing services and databases
    • Assess the current infrastructure to discover possible sources of data for the LDAP system
    • Gather information from the most appropriate sources
  • Utilize meta-directories to extrapolate data from one source in order to import it into the LDAP directory
  • Plan for an appropriate Directory Information Tree (DIT) to avoid redundancy

Installation

  • Know the difference between the release types
    • Release vs. stable
  • Compile time options
  • How to handle common errors during installation
  • Characteristics of the user account slapd runs as
  • The slapd.conf file
    • Common configuration directives
    • Access control lists (ACLs)
    • Database definitions
  • Factors that should be taken into consideration when deciding how much memory an LDAP server requires

Data Definitions

  • Understand Distinguished Names (DNs), "Base DN" vs. "Relative DN"
  • Understand the difference between Attributes and Object Classes
  • Understand the importance of a well-defined schema
  • "Distributed Schema Files" vs. "Extended Schema"
  • Understand the format of an OpenLDAP schema file
    • Syntax for the definition of Attributes and Object Classes
  • Object Identifiers (OIDs)
    • Proper syntax
    • Understand the importance of
    • Obtaining an OID for your company
  • How to include custom schema files
  • Schema checking
    • What it does
    • Why it's important to leave turned on
  • Groups
    • Static, dynamic, combined
    • Using groups effectively to organize entries in the directory
  • Using Class of Service to ease maintenance of redundant information
  • LDAP Data Interchange Format (LDIF)
    • Syntax of an LDIF record
    • Changetype operations, how to chain, how failures are handled
  • Indexes
    • Reasons for
    • Different types

Administration

  • slapd command-line options
  • The appropriate method to stop the slapd daemon
    • Consequences of killing slapd inappropriately
  • Importance of log files
  • Search filters and syntax
  • Command-line tools using the LDAP API
    • ldapsearch
    • ldapadd
    • ldapmodify
    • ldapdelete
    • ldapmodrdn
  • Implementation-specific (OpenLDAP) command-line tools
    • slapindex
    • slapadd
    • slapcat

Security

  • Firewall considerations
    • What ports/protocols must be allowed through
  • Access control with TCP wrappers
  • Security Strength Factors (SSF)
    • Disallowing operations in the absence of appropriate protections
    • Integration with ACLs
  • Authentication
    • Anonymous
    • Unauthenticated
    • User/password authentication
    • SASL
  • The Bind Operation
    • BindRequest, AuthenticationChoice, SASLCredentials
  • SASL
    • Maintaining the SASL user DB with saslpasswd/saslpasswd2
    • Configuring SASL in slapd.conf
    • Using SASL in search operations
    • SASL proxy authorization
    • Shared-secret mechanisms
    • Available authentication mechanisms
      • GSSAPI for Kerberos V, DIGEST-MD5, PLAIN, EXTERNAL
    • Mapping authentication identities
      • Direct mapping
      • Search-based mapping
      • Importance of indexing attributes which are queried for authentication
    • GSSAPI
      • Creating service keys
      • Ticket Granting Tickets (TGTs)
      • Using with command-line tools
    • DIGEST-MD5
    • Syntax of the authz-regexp directive
    • Proxy authorization
      • Enabling authorization features in the server's configuration
      • Using with the command-line tools
      • Configuring authorization rules via the authzTo and authzFrom attributes
    • TLS
      • Client/Server certificates
        • Creating/revoking
    • Server slapd.conf configuration directives
    • Client ldap.conf configuration directives
    • Initiating the StartTLS operation with the command line tools

Replication

  • Understand the roles of:
    • Master server
    • Consumer/slave host
    • Replica hubs
  • slurpd command-line options
  • slurpd one-shot mode
  • Understand how updates are propagated via a changelog/replication log
  • Understand how rejections are logged, and the format of the reject log filename
  • slapd.conf configuration directives for setting up a master server
  • slapd.conf configuration directives for setting up a consumer/slave host
  • Best practices for initially populating a consumer
    • slapcat vs. ldapsearch vs. copying the DB files

Referrals

  • DNS resource records
  • Subordinate knowledge information, creating referrals with the "ref" attributes
  • Superior knowledge information, creating referrals with the "referral" directive
  • The ManageDsaIT control

Sync Replication with the syncrepl engine

  • LDAP sync protocol
  • Pull-based vs. push-based synchronization
  • RefreshOnly vs. refreshAndPersist synchronization operations
  • Configuring the overlay in the provider's slapd.conf
  • Configuring syncrepl in the consumer's slapd.conf

Proxy Cache Engine

  • slapd.conf configuration directives
  • Defining search filter templates with the proxyTemplate directive

Programming and Integration with Services

  • Programming with:
    • C
    • Perl
  • Integrating with:
    • PAM
    • NSS
    • Samba
    • Apache
    • NIS
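
Several of the 301 objectives above describe one workflow: section 19 (Net::LDAP: connecting, binding and searching), the LDIF record syntax and chained changetype operations under Data Definitions, initiating StartTLS under Security, and "Programming with Perl" here. The script below is an added example written for this article; it is not LPI's code and not part of the Net::LDAP distribution. The host name ldap.example.com, the suffix dc=example,dc=com, the admin bind DN, the CA file path /etc/ssl/certs/ca.pem, the LDAP_PW environment variable and the uid jdoe are all assumed placeholders for your own environment.

```perl
#!/usr/bin/perl
# Added example (not from the article or LPI): open a Net::LDAP session to an
# OpenLDAP server, protect it with StartTLS before any credential is sent,
# bind, run a scoped search, and apply an LDIF change record.
# Host, base DN, bind DN, CA file and sample uid are assumed placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::LDIF;

my $host    = 'ldap.example.com';            # assumed server name
my $base    = 'dc=example,dc=com';           # assumed directory suffix
my $bind_dn = 'cn=admin,dc=example,dc=com';  # assumed administrative DN
my $secret  = $ENV{LDAP_PW} // die "set LDAP_PW in the environment\n";

# 1. Connect on port 389 as LDAPv3, then upgrade with StartTLS.
#    verify => 'require' rejects a server certificate that the CA in cafile
#    did not sign, so the bind never happens over an unverified channel.
my $ldap = Net::LDAP->new($host, version => 3) or die "connect: $@\n";
my $mesg = $ldap->start_tls(
    verify => 'require',
    cafile => '/etc/ssl/certs/ca.pem',       # assumed CA bundle location
);
die 'StartTLS failed: ' . $mesg->error . "\n" if $mesg->code;

# 2. Simple bind with the admin DN (now inside TLS).
$mesg = $ldap->bind($bind_dn, password => $secret);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# 3. Subtree search with a compound filter; request only the attributes needed.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectClass=inetOrgPerson)(uid=jdoe))',  # jdoe: constructed sample
    attrs  => [qw(cn mail)],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;
printf "%d entries\n", $mesg->count;
for my $entry ($mesg->entries) {
    printf "%s: %s <%s>\n", $entry->dn, $entry->get_value('cn'),
        $entry->get_value('mail') // '-';
}

# 4. Apply an LDIF change record (constructed sample) read from a string.
#    "changetype: modify" starts the record; "-" separates chained operations.
my $ldif_text = <<'LDIF';
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: jdoe@example.com
-
add: description
description: updated by Net::LDAP example
LDIF

open my $fh, '<', \$ldif_text or die "open: $!\n";
my $ldif = Net::LDAP::LDIF->new($fh, 'r', onerror => 'undef');
while (my $entry = $ldif->read_entry) {
    # update() sends every operation of the record in a single modify request,
    # which the server applies completely or not at all for that entry.
    my $res = $entry->update($ldap);
    die 'modify failed: ' . $res->error . "\n" if $res->code;
}
die 'LDIF parse error: ' . $ldif->error . "\n" if $ldif->error;
$ldif->done;

$ldap->unbind;
```

Run it with the password in LDAP_PW rather than on the command line so it does not show up in ps output. Net::LDAP::LDIF parses the same change-record syntax that ldapmodify accepts, so replacing the in-memory filehandle with a real file name lets the script apply an existing LDIF batch, and the onerror => 'undef' setting makes a malformed record stop the loop instead of being silently skipped.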

Capacity Planning

  • /proc filesystem
  • free
  • iostat
  • netstat
  • nfsstat
  • pmap
  • ps
  • sar
  • top
  • vmstat

302 Tasks

This exam looks at network file and print services, with a keen understanding of Samba required. It also looks at integration with core network services and troubleshooting. The task list, as it now exists, includes:

1. Concepts

  • SMB/CIFS
  • LanManager
  • WINS
  • NetBIOS
  • Node Types

2. Samba Project Management

  • Mapping resources
  • Planning Samba migration
  • Defining requisites and restrictions
  • Designing domains and relations

3. Samba Roles

  • Security modes
  • Domain membership
  • Primary Domain Controller Server
  • Backup Domain Controller Server
  • Samba and Active Directory Integration
  • Samba Master Browser
    • WINS server
  • Discuss the roles of Local Master Browsers (LMBs) & Domain Master Browsers (DMBs)
  • Explore the SMB workgroup implementation

4. Configure and Build from Source

  • Identify key Samba packages & contents
  • Checking dependencies
  • Configuration options
  • Identifying Samba software structure
  • Upgrading Samba
  • Enabling SWAT

5. Install Samba

  • Analyze compiled Samba binaries
  • Starting services
  • Samba daemons

6. Configure Samba

  • Explore Samba server configuration
  • Configuration file structure
  • Validating configuration
  • Variables
  • Configuring SWAT
  • Use findsmb & smbclient to reveal the active browse lists

7. CIFS Integration

  • Mount remote CIFS shares into the Linux file system
  • Share mounted CIFS directories using Samba
  • Discuss the features & benefits of CIFS
  • Identify package & files
  • Create temporary mount point for remote SMB share
  • Examine resultant Linux file-system permissions post CIFS mount
  • Transfer files to mount point (Remote Windows 2003 system) & examine results
  • Identify CIFS process footprint
  • Mount remote SMB share with previously-defined hidden credentials file
  • Modify system startup file to facilitate automatic CIFS mounts upon system restart

8. Configure Clients

  • Knowledge of Microsoft Windows as clients
  • Configure Samba-3 into an NT4 environment
  • Install rdesktop client for remote desktop connectivity to Windows 2003 Server
  • Explore browse list & SMB clients from Windows 2003
  • Share file resource on Windows 2003 Server for use by Samba clients
  • Join common workgroup from Windows 2003 host
  • Use smbclient to enumerate & connect to shared resources on XP/2003 hosts
  • Transfer files between Samba and Windows 2003 hosts using smbclient
  • Testing connectivity on Linux with smbclient
  • Using mount to connect to a Samba Server
  • net Utility
  • Explore anonymous and authenticated share enumeration using smbclient
  • Use smbget to download files non-interactively from remote SMB server
  • Use smbclient with credentials stored in a hidden file

9. User and Group Management

  • Manage users' accounts
  • Mapping usernames
  • Setup Password Database
  • The smbpasswd file
  • Password synchronization
  • SID -- Security Identifiers
  • User/Group mapping
  • Password backends
  • LDAP Directories and Samba
  • Account management tools

10. Winbind Service

  • Winbind internals
  • Configuring Winbind
  • Winbind and trust domains
  • Name Service Switch and PAM
  • Testing Winbind with wbinfo And getent
  • Discuss the features & advantages of Winbind
  • Discuss the accounts resolutions process
  • Alter the name server switch process to facilitate winbind
  • Discuss UNIX/Linux uids & gids
  • Explain the application of idmaps -- uids & gids
  • Configure Samba to use Winbind
  • Enumerate remote Active Directory users using wbinfo & getent
  • Examine auto-assigned uids & gids via idmap
  • Connect to Samba server using Active Directory users & Winbind
  • Configure SSHD to support Winbind-provided users from Active Directory
  • Configure Winbind to use the default Active Directory domain for authentication
  • Configure VSFTPD to use the default Active Directory domain for authentication

11. File Services

  • Planning file service migration
  • Creating and configuring file sharing
  • Creating scripts for user and group handling
  • Setup using share of user home directory
  • Configure [homes]
  • Hide IPC$
  • Setup for changing file access permissions and owner forcedly
  • Using parameters force user, file mode, etc.

12. Print Services

  • Planning print service migration
  • Creating and configuring print shares
  • Samba and CUPS integration
  • Managing Windows print drivers
  • Point 'n' Print feature
  • Print service and security
  • Device mode
  • Creating PDF printer
  • Print accounting
  • Setup for downloading printer's driver
  • Configure [print$]

13. Authentication and Authorization

  • Mapping to guest account
  • Integrating with Kerberos
  • ACL
  • Password and username level
  • Synchronizing passwords
  • User privilege management

14. Name resolution -- Workgroup & Windows Internet Naming System (WINS) Integration

  • Discuss NETBIOS naming rules
  • Identify system broadcast address & discuss broadcast-based NETBIOS name resolution
  • Identify key Samba configuration file & package membership
  • Use findsmb to reveal available workgroups
  • Alter Samba configuration file to join available workgroup
  • Identify key TCP/UDP ports used by key Samba daemons
  • Use findsmb & browse list to confirm workgroup membership
  • Enumerate default Samba shares on primary Linux system using smbclient
  • Introduction to smbpasswd utility and database
  • Use smbpasswd to add Windows user to database & confirm authentication from Windows host
  • Install WINS Server on Windows 2003 Server for use by SMB-clients
  • Explain default Samba NETBIOS name resolution order
  • Identify name resolution order directive in primary Samba configuration file
  • Configure Samba server to be a WINS client via Samba configuration file
  • Confirm WINS NETBIOS registrations of Samba & Windows hosts
  • Configure name resolution order
  • Set up and configure name resolution
  • Name resolution concepts
  • Configure Samba as a WINS server & discuss capabilities
  • WINS replication
  • lmhosts file
  • Browsing
  • DNS proxy
  • NetBIOS name cache

15. Service announcement (browsing)

  • Browsing process
  • Manage browsing parameters
  • Set up and configure browsing configuration

16. Active Directory (AD) -- BIND Integration

  • Discuss the DNS requirements of Active Directory
  • Install BIND from RPM repository
  • Configure BIND as a caching-only name server
  • Define usable BIND named.conf configuration file with appropriate zones
  • Define required Active Directory dynamically updateable zones
  • Install Active Directory on Windows server
  • Confirm BIND DNS connectivity
  • Configure Kerberos to support Active Directory realm & test connectivity
  • Convert Samba from basic user-level to ADS security mode
  • Use the net command to create Samba machine account in the Active Directory
  • Confirm authentication against Active Directory when accessing resources
  • Create AD -> Linux corresponding users for transparent access
  • Add computer in existing Active Directory
  • Join AD domain and set up Kerberos
  • Convert Samba from basic user-level to ADS security mode

17. Domain controller

  • Add computer in existing domain
  • Set up Primary Domain Controller (PDC)
  • Set up Backup Domain Controller (BDC)
  • Using smbldap-tools
  • Install and set up Winbind
  • Using logon scripts
  • Using roaming profiles
  • Using system policies
  • Trust from/to other domain(s)

18. Administration

  • Use smbtree to enumerate the active workgroups, hosts & file & print shares
  • Identify & discuss the roles of the key Samba daemons
  • Managing Samba daemons
  • Samba Control Tool
  • Samba Web Administration Tool (SWAT)
    • Discuss the features & benefits of Samba SWAT
    • Explore XINETD system configuration for the presence of Samba SWAT
    • Install Samba SWAT from the local package repository
    • Update XINETD configuration to enable Samba SWAT & confirm TCP listener
    • Authenticate to Samba SWAT as non-privileged and privileged users
    • Examine current smbd & nmbd connections
    • Explore & discuss the key tools included with Samba
    • Correlate Samba's primary configuration file to Samba SWAT's Web interface
    • Discuss the key directives in the global section of the Samba SWAT Web interface
    • Discuss additional directives in the advanced view of the Samba SWAT global area
    • Adjust the OS level and examine the changes to the role in the browse list
    • Discuss Samba WINS server rules & limitations
    • Explore shares configuration
    • Correlate shares section of main config file to Samba SWAT's shares interface
    • Discuss the effects of various share directives
    • Discuss the variable homes share and its applications
    • Explain Samba's create mask directive & examine its application
    • Examine the advanced Samba SWAT shares view & discuss key directives
    • Define valid & invalid users per share & test connectivity from remote Windows host
    • Force ownership of file & directory objects using the force user directive
    • Explore & discuss advanced printer share directives
    • Define multiple NETBIOS names and view results in the browse list
  • Setup logging to utmp
  • Print Status (smbstatus)
  • Using VFS
  • Shadow copy
  • Virus Check
  • Quota
  • Audit File Access Log
  • Backup
  • Create tar-compatible archives of remote SMB-share using smbtar
  • Troubleshooting
    • Explore Samba logging
    • Samba tracing using UNIX tools
    • Reading daemon debug information
    • Generating and analyzing detailed samba information
    • Browsing troubleshooting
    • Name resolution troubleshooting

19. Security

  • Using user/group access control
  • Samba user-level security mode
    • Explain the advantages and features of user-level security
    • Discuss the user-accounts back-ends supported by Samba
    • Convert Samba from share-level to user-level security mode
    • Test user-level connectivity to Samba shares/services
    • Discuss IPC$ connections and applications
    • Explore passwd & shadow user-accounts databases
    • Explore the smbpasswd database
  • Using file/directory permission control
  • Using host control
  • Using firewall protection
  • Samba security modes
  • Using ACL
  • Basic Samba security options
  • Firewall settings
  • Samba audit

20. Samba Clustering

  • High-availability Samba cluster
  • Discuss Samba load balance clustering

21. Performance Tuning

  • Measuring Samba performance
  • Improving file transfer speed
  • Optimizing Samba memory
  • Network tuning

22. Trivial Database Files

  • Discuss TDB files structure
  • TDB files backup/restore
  • Identifying TDB files corruption
  • Editing and dumping TDB files

23. Linux File System & Share/Service Permissions

  • Explain how Samba interacts with file-system permissions
  • Explain UNIX/Linux file-system permissions -- UGO
  • Use chown/chmod to adjust file-system permissions
  • Discuss the applicable Samba share/service permissions directives
  • Apply various share/service permissions & test results

24. Internationalization

  • Understanding character codes and code-page
  • Patch and build the appropriate code conversion library
  • Understanding the difference in the name space between Windows and Linux/Unix
    • User/group name
    • Computer name
  • Configure SWAT screen in local language

25. Miscellaneous

  • Time syncing
  • Windows Messenger Service
  • Create share/service with appropriate permissions for collaborations
  • Examine collaborative permission from Windows client

For More Information on LPIC-3 Certification

Elsewhere in this supplement, fifty sample questions on Samba allow you to test your knowledge and judge your own readiness for this certification. For more information on the certification itself, though, look to these resources:

LPI home page: http://www.lpi.org

LPIC-3 exam development main page: https://group.lpi.org/cgi-bin/publicwiki/view/Examdev/LPIC-3

Information on exam development process: https://www1.lpi.org/en/examdev.html

Emmett Dulaney is the author and co-author of several books on Linux, Unix, and certification, including the recent A+ Fast Pass, Third Edition. He is a former partner in Mercury Technical Solutions. His blog can be found at http://edulaney.blogspot.com, and he can be reached at edulaney@iquest.net.