IT Questions and Answers :)

Thursday, May 16, 2019

What is LDAP?

  • Lightweight Directory Application Protocol
  • Light Directory Access Procedure
  • Lightweight Directory Access Protocol
  • Lightweight Data Access Protocol 

EXPLANATION


LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.
LDAP is mostly used by medium-to-large organi­zations. If you belong to one that has an LDAP server, you can use it to look up contact info and the like. Otherwise, if you were just wondering about this acronym, you probably don't need it. But feel free to read on to learn the story of this bit of Internet plumbing.
Every email program has a personal address book, but how do you look up an address for someone who's never sent you email? How can an organization keep one centralized up-to-date phone book that everybody has access to?
Those questions led companies such as Microsoft, IBM, Lotus, and Netscape to support a standard called LDAP. "LDAP-aware" client programs can ask LDAP servers to look up entries in a wide variety of ways. LDAP servers index all the data in their entries, and "filters" may be used to select just the person or group you want, and return just the information you want. For example, here's an LDAP search translated into plain English: "Search for all people located in Chicago whose name contains "Fred" that have an email address. Please return their full name, email, title, and description."
LDAP is not limited to contact information, or even information about people. LDAP is used to look up encryption certificates, pointers to printers and other services on a network, and provide "single sign-on" where one password for a user is shared between many services. LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the norm.
As a protocol, LDAP does not define how programs work on either the client or server side. It defines the "language" used for client programs to talk to servers (and servers to servers, too). On the client side, a client may be an email program, a printer browser, or an address book. The server may speak only LDAP, or have other methods of sending and receiving data—LDAP may just be an add-on method.
If you have an email program (as opposed to web-based email), it probably supports LDAP. Most LDAP clients can only read from a server. Search abilities of clients (as seen in email programs) vary widely. A few can write or update information, but LDAP does not include security or encryption, so updates usually require additional protection such as an encrypted SSL connection to the LDAP server.
If you have OS X and access to an LDAP server, you can enter your LDAP account into System Preferences--Internet Accounts. At bottom of the right pane, click Add Other Account, then choose the LDAP account option. This lets Address Book look up info from your server.
LDAP also defines:

  • Permissions, set by the administrator to allow only certain people to access the LDAP database, and optionally keep certain data private.
  • Schema: a way to describe the format and attributes of data in the server. For example, a schema entered in an LDAP server might define a "groovyPerson" entry type, which has attributes of "instantMessageAddress" and "coffeeRoastPreference". The normal attributes of name, email address, etc., would be inherited from one of the standard schemas, which are rooted in X.500 (see below).
LDAP was designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern Internet. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide this service "for the rest of us."
LDAP servers exist at three levels: There are big public servers, large organizational servers at universities and corporations, and smaller LDAP servers for workgroups. Most public servers from around year 2000 have disappeared, although directory.verisign.com exists for looking up X.509 certificates. The idea of publicly listing your email address for the world to see, of course, has been crushed by spam.
While LDAP didn't bring us the worldwide email address book, it continues to be a popular standard for communicating record-based, directory-like data between programs.
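The plain-English search quoted above ("all people located in Chicago whose name contains Fred and who have an email address; return full name, email, title, description") written as an actual LDAP filter string. This is an added Python example and not part of the original post: the attribute names objectClass, l, cn and mail are standard LDAP attributes, while the choice of returned attributes, the function names and the sample inputs are assumptions. The point it adds is that values typed by a user must be escaped as RFC 4515 requires before they are spliced into a filter, otherwise characters such as parentheses and asterisks change the meaning of the query instead of being searched for.

```python
# Added example, not code from the original post: build the search filter the
# text describes as an RFC 4515 filter string, escaping the user-supplied
# values so they cannot alter the structure of the filter.

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe inclusion in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def people_in_city_with_email(city: str, name_fragment: str) -> str:
    """Filter for persons located in `city` whose common name contains
    `name_fragment` and who have a mail attribute.

    Both arguments are treated as untrusted input; the wildcards around the
    name are added here, never taken from the caller.
    """
    city_esc = escape_filter_value(city)
    name_esc = escape_filter_value(name_fragment)
    return f"(&(objectClass=person)(l={city_esc})(cn=*{name_esc}*)(mail=*))"


# Attributes to request in the search, matching the plain-English example.
RETURN_ATTRIBUTES = ("cn", "mail", "title", "description")


if __name__ == "__main__":
    print(people_in_city_with_email("Chicago", "Fred"))
    # Parentheses in a value are escaped rather than parsed as filter syntax.
    print(people_in_city_with_email("Chicago", "Fred (IT)"))
```

The filter string and RETURN_ATTRIBUTES are what an LDAP client would pass to its search call (for example the `search_s` method of the python-ldap library, together with a base DN and scope, which are not shown here).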
Which Linux command lists all of the files in a directory, including the hidden ones?

  • ls -h <directory>
  • all-show <directory>
  • ls -o <directory>
  • ls -a <directory> 

EXPLANATION

ls(1) - Linux man page

Name

ls - list directory contents

Synopsis

ls [OPTION]... [FILE]...

Description

List information about the FILEs (the current directory by default). Sort entries alphabetically if none of -cftuvSUX nor --sort.

Mandatory arguments to long options are mandatory for short options too.
-a, --all
do not ignore entries starting with .
-A, --almost-all
do not list implied . and ..
--author
with -l, print the author of each file
-b, --escape
print octal escapes for nongraphic characters
--block-size=SIZE
use SIZE-byte blocks. See SIZE format below
-B, --ignore-backups
do not list implied entries ending with ~
-c
with -lt: sort by, and show, ctime (time of last modification of file status information); with -l: show ctime and sort by name; otherwise: sort by ctime
-C
list entries by columns
--color[=WHEN]
colorize the output. WHEN defaults to 'always' or can be 'never' or 'auto'. More info below
-d, --directory
list directory entries instead of contents, and do not dereference symbolic links
-D, --dired
generate output designed for Emacs' dired mode
-f
do not sort, enable -aU, disable -ls --color
-F, --classify
append indicator (one of */=>@|) to entries
--file-type
likewise, except do not append '*'
--format=WORD
across -x, commas -m, horizontal -x, long -l, single-column -1, verbose -l, vertical -C
--full-time
like -l --time-style=full-iso
-g
like -l, but do not list owner
--group-directories-first
group directories before files; augment with a --sort option, but any use of --sort=none (-U) disables grouping
-G, --no-group
in a long listing, don't print group names
-h, --human-readable
with -l, print sizes in human readable format (e.g., 1K 234M 2G)
--si
likewise, but use powers of 1000 not 1024
-H, --dereference-command-line
follow symbolic links listed on the command line
--dereference-command-line-symlink-to-dir
follow each command line symbolic link that points to a directory
--hide=PATTERN
do not list implied entries matching shell PATTERN (overridden by -a or -A)
--indicator-style=WORD
append indicator with style WORD to entry names: none (default), slash (-p), file-type (--file-type), classify (-F)
-i, --inode
print the index number of each file
-I, --ignore=PATTERN
do not list implied entries matching shell PATTERN
-k
like --block-size=1K
-l
use a long listing format
-L, --dereference
when showing file information for a symbolic link, show information for the file the link references rather than for the link itself
-m
fill width with a comma separated list of entries
-n, --numeric-uid-gid
like -l, but list numeric user and group IDs
-N, --literal
print raw entry names (don't treat e.g. control characters specially)
-o
like -l, but do not list group information
-p, --indicator-style=slash
append / indicator to directories
-q, --hide-control-chars
print ? instead of non graphic characters
--show-control-chars
show non graphic characters as-is (default unless program is 'ls' and output is a terminal)
-Q, --quote-name
enclose entry names in double quotes
--quoting-style=WORD
use quoting style WORD for entry names: literal, locale, shell, shell-always, c, escape
-r, --reverse
reverse order while sorting
-R, --recursive
list subdirectories recursively
-s, --size
print the allocated size of each file, in blocks
-S
sort by file size
--sort=WORD
sort by WORD instead of name: none -U, extension -X, size -S, time -t, version -v
--time=WORD
with -l, show time as WORD instead of modification time: atime -u, access -u, use -u, ctime -c, or status -c; use specified time as sort key if --sort=time
--time-style=STYLE
with -l, show times using style STYLE: full-iso, long-iso, iso, locale, +FORMAT. FORMAT is interpreted like 'date'; if FORMAT is FORMAT1<newline>FORMAT2, FORMAT1 applies to non-recent files and FORMAT2 to recent files; if STYLE is prefixed with 'posix-', STYLE takes effect only outside the POSIX locale
-t
sort by modification time
-T, --tabsize=COLS
assume tab stops at each COLS instead of 8
-u
with -lt: sort by, and show, access time; with -l: show access time and sort by name; otherwise: sort by access time
-U
do not sort; list entries in directory order
-v
natural sort of (version) numbers within text
-w, --width=COLS
assume screen width instead of current value
-x
list entries by lines instead of by columns
-X
sort alphabetically by entry extension
-1
list one file per line
SELinux options:
--lcontext
Display security context. Enable -l. Lines will probably be too wide for most displays.
-Z, --context
Display security context so it fits on most displays. Displays only mode, user, group, security context and file name.
--scontext
Display only security context and file name.
--help
display this help and exit
--version
output version information and exit
SIZE may be (or may be an integer optionally followed by) one of following: KB 1000, K 1024, MB 1000*1000, M 1024*1024, and so on for G, T, P, E, Z, Y.
Using color to distinguish file types is disabled both by default and with --color=never. With --color=auto, ls emits color codes only when standard output is connected to a terminal. The LS_COLORS environment variable can change the settings. Use the dircolors command to set it.

With regards to Group Policy, what does OU stand for?

  • Ordinary user
  • Organizational unit
  • Overwrite upload
  • Online umbrella 
EXPLANATION

An Organizational Unit (OU) is a container in an Active Directory domain that can hold objects from the same AD domain: other containers, groups, and user and computer accounts. An OU is the basic administrative unit within a domain to which an administrator can link Group Policy Objects and on which permissions can be delegated to other users.

Besides storing Active Directory objects, OUs therefore serve two main purposes:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator permissions;
  • Linking Group Policies (GPO) to all objects (users and computers) in this OU.
From first to last, in what order are Group Policy objects applied?

  • Local computer, domain, AD site, OU, child OU
  • Child OU, OU, AD site, domain, local computer
  • Domain, AD site, OU, child OU, local computer
  • Local computer, AD site, domain, OU, child OU 

EXPLANATION

By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container.

GPOs are processed in the following order:

  • The local GPO is applied.
  • GPOs linked to sites are applied.
  • GPOs linked to domains are applied.
  • GPOs linked to organizational units are applied. For nested organizational units, GPOs linked to parent organizational units are applied before GPOs linked to child organizational units.

Note: the order in which GPOs are processed is significant because when a policy is applied, it overwrites policy that was applied earlier.

The Group Policy Objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that were applied earlier.
The policies are applied in the hierarchy Local machine, Site, Domain, Organizational Unit (LSDOU).
More info: Group Policy processing and precedence
http://technet.microsoft.com/en-us/library/cc785665%28WS.10%29.aspx
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://technet.microsoft.com/en-us/library/bb742376.aspx
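The LSDOU processing order and the "later overrides earlier" rule, modelled in code so the winning GPO for each setting can be seen. This is an added Python example, not code from the original post or from Microsoft; the GPO names, setting names and values are constructed sample data, and the model deliberately leaves out link order within one container, Enforced links and Block Inheritance, which the text does not cover.

```python
# Added example, not code from the original post: apply GPOs in the LSDOU
# order the text describes and report which GPO supplied each effective
# setting. All GPO names, settings and values are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict = field(default_factory=dict)


def processing_order(local, site, domain, ou_chain):
    """Return GPOs in application order: local, site, domain, then OUs.

    `ou_chain` lists the GPOs linked at each OU from the top-level OU down to
    the OU that contains the user or computer, so parent OUs come first.
    """
    ordered = list(local) + list(site) + list(domain)
    for ou_gpos in ou_chain:
        ordered.extend(ou_gpos)
    return ordered


def resolve(gpos):
    """Apply GPOs in order; a later GPO overwrites an earlier one for the
    same setting. Returns {setting: (value, name of the winning GPO)}."""
    effective = {}
    for gpo in gpos:
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective


def sample_policy():
    """Resolve policy for a computer in the constructed path
    corp.example / Workstations / Finance-Workstations."""
    local = [GPO("Local", {"ScreenSaverTimeout": 600, "AllowRemovableStorage": True})]
    site = [GPO("Site-HQ", {"ProxyServer": "proxy.hq.corp.example:8080"})]
    domain = [GPO("Default Domain Policy", {"ScreenSaverTimeout": 900,
                                             "AllowRemovableStorage": False})]
    ou_chain = [
        [GPO("Workstations", {"ScreenSaverTimeout": 300})],          # parent OU
        [GPO("Finance-Workstations", {"ScreenSaverTimeout": 120})],  # child OU
    ]
    return resolve(processing_order(local, site, domain, ou_chain))


if __name__ == "__main__":
    for setting, (value, source) in sample_policy().items():
        print(f"{setting} = {value!r}  (from {source})")
```

Running it shows ScreenSaverTimeout coming from the child OU (the last GPO applied), AllowRemovableStorage from the domain GPO (the local GPO's value was overwritten), and ProxyServer from the site GPO because nothing later touched it; this is the same reasoning an administrator does by hand when reading a Resultant Set of Policy report.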

Which folder contains login scripts in an Active Directory domain?

  • Scripts
  • Schema
  • System32
  • Sysvol 
EXPLANATION


The logon script is the file that performs the actual action, which could be almost anything. So we’ll start by creating that script. The default location for logon scripts is the NETLOGON share, which by default is shared on all Domain Controllers in an Active Directory forest and is located in the following folder:
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts
Where %SystemRoot% is usually “C:\Windows” and <domain DNS name> is the DNS name of the domain, similar to “Techlanda.local”. This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain.

Which of the following is NOT a valid Active Directory group scope?

  • Distribution
  • Domain Local
  • Global
  • Universal 
EXPLANATION

Group Scopes

The different group scopes make it possible for groups to be used differently to assign permissions for accessing resources. A group’s scope defines the place in the network where the group will be used or is valid. This is the degree to which the group will be able to reach across a domain, domain tree, or forest. The group scope also determines what users can be included as group members.
In Active Directory, there are three different group scopes:

  • Global groups: Global groups are containers for user accounts and computer accounts in the domain. They assign permissions to objects that reside in any domain in a tree or forest. Users can include a global group in the access control list (ACL) of objects in any domain in the tree/forest. A global group can, however, only have members from the domain in which it is created. What this means is that a global group cannot include user accounts, computer accounts, and global groups from other domains. The domain functional level set for the domain determines which members can be included in the global group.
    • Windows 2000 Mixed: Only user accounts and computer accounts from the domain in which the group was created can be added as group members.
    • Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, and other global groups from the domain in which the group was created can be added as group members.
  • Domain Local groups: Domain local groups can have user accounts, computer accounts, global groups, and universal groups from any domain as group members. However, domain local groups can only assign permissions to local resources or to resources that reside in the domain in which the domain local group was created. This means that a domain local group can only be included in the ACL of objects that are located in its own domain. The domain functional level set for the domain determines which members can be included in the domain local group.
    • Windows 2000 Mixed: User accounts, computer accounts, and global groups from any domain can be added as group members.
    • Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, global groups, and universal groups from any domain can be added as group members. Other domain local groups from the same domain as group members can also be added.
  • Universal groups: Universal groups can have user accounts, computer accounts, global groups, and other universal groups from any domain in the tree or forest as members. This basically means that users can add members from any domain in the forest to a universal group. Users can use universal groups to assign permissions to access resources that are located in any domain in the forest. Universal groups are only available when the domain functional level for the domain is Windows 2000 Native or Windows Server 2003. Universal groups are not available when domains are functioning in the Windows 2000 Mixed domain functional level. Users can convert a universal group to a global group or to a domain local group if the particular universal group has no other universal group as a group member. When adding members to universal groups, it is recommended to add global groups as members and not individual users.
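The membership rules listed above for the three scopes and the two functional levels, turned into a check function. This is an added Python example, not code from the original post or from Active Directory itself; the principal names and domains are constructed sample data and the `kind` strings are an assumption of this example. It also includes the conversion rule from the last bullet (a universal group can be converted only if it contains no other universal group).

```python
# Added example, not code from the original post: check whether a principal
# may be a member of a group, following the scope and domain functional level
# rules stated in the text. Names and domains are constructed sample data.
from dataclasses import dataclass

MIXED = "Windows 2000 Mixed"
NATIVE = "Windows 2000 Native"
WS2003 = "Windows Server 2003"
GROUP_SCOPES = ("global", "domainlocal", "universal")


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str  # "user", "computer", "global", "domainlocal" or "universal"


def can_be_member(group: Principal, member: Principal, level: str) -> bool:
    """Return True if `member` may be added to `group` at functional `level`."""
    if group.kind not in GROUP_SCOPES:
        raise ValueError(f"{group.name} is not a group")
    if level not in (MIXED, NATIVE, WS2003):
        raise ValueError(f"unknown functional level {level!r}")
    if group.kind == "universal" and level == MIXED:
        raise ValueError("universal groups are not available at Windows 2000 Mixed")

    same_domain = group.domain == member.domain

    if group.kind == "global":
        # Members must come from the group's own domain; nesting other global
        # groups is allowed only at Native / Server 2003 level.
        allowed = {"user", "computer"} if level == MIXED else {"user", "computer", "global"}
        return same_domain and member.kind in allowed

    if group.kind == "domainlocal":
        if member.kind in ("user", "computer", "global"):
            return True                      # from any domain, at every level
        if level == MIXED:
            return False                     # no universal or domain local nesting
        if member.kind == "universal":
            return True
        return member.kind == "domainlocal" and same_domain

    # universal: users, computers, global and universal groups from any domain
    return member.kind in ("user", "computer", "global", "universal")


def can_convert_universal(members) -> bool:
    """A universal group may be converted to global or domain local only if
    it has no other universal group as a member."""
    return not any(m.kind == "universal" for m in members)
```

A practical use of such a check is validating a proposed group design before creating it, so that a global group intended to hold accounts from a second domain is caught on paper rather than failing in the directory.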

Wednesday, May 15, 2019

There are two types of groups recognized by Active Directory: Security and _________

  • Peer
  • Domain
  • Global
  • Distribution 

EXPLANATION

Group Types

Two types of groups can be created in Active Directory. Each group type is used for a different purpose. A security group is one that is created for security purposes, while a distribution group is one created for purposes other than security purposes. Security groups are typically created to assign permissions, while distribution groups are usually created to distribute bulk e-mail to users. As one may notice, the main difference between the two groups is the manner in which each group type is used. Active Directory allows users to convert a security group into a distribution group and to convert a distribution group into a security group if the domain functional level is raised to Windows 2000 Native or above.

  • Security groups: A security group is a collection of users who have the same permissions to resources and the same rights to perform certain system tasks. These are the groups to which permissions are assigned so that their members can access resources. Security groups therefore remove the need for an Administrator to individually assign permissions to users. Users that need to perform certain tasks can be grouped in a security group and then assigned the necessary permissions to perform these tasks. Each user that is a member of the group has the same permissions. In addition to this, each group member receives any e-mail sent to a security group. When a security group is first created, it receives a SID. It is this SID that enables permissions to be assigned to security groups – the SID can be included in a resource’s DACL. An access token is created when a user logs on to the system. The access token contains the user’s SID and the SIDs of the groups of which the user is a member. This access token is referenced when the user attempts to access a resource. The access token is compared with the resource’s DACL to determine which permissions the user should receive for the resource.
  • Distribution groups: Distribution groups are created to share information with a group of users through e-mail messages. Thus, a distribution group is not created for security purposes. A distribution group does not obtain a SID when it is created. Distribution groups enable the same message to be simultaneously sent to its group members. Messages do not need to be individually sent to each user. Applications such as Microsoft Exchange that work with Active Directory can use distribution groups to send bulk e-mail to groups of users.
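The access check described above (token built from the user's SID plus security-group SIDs, then compared against the resource's DACL), as an added Python example that is not part of the original post. The SIDs, group names and ACEs are constructed sample data; S-1-1-0 is the real well-known SID for Everyone. The "deny wins over allow" evaluation is a simplification of the real Windows algorithm, which also depends on ACE order. The example shows why a distribution group never grants anything: it has no SID, so it cannot appear in the token or in a DACL.

```python
# Added example, not code from the original post: build an access token from
# a user's SID and security-group SIDs, then compare it with a resource's
# DACL as the text describes. Distribution groups carry no SID and therefore
# never appear in the token. SIDs and names are constructed sample data; the
# deny-wins evaluation is a simplification of the real Windows algorithm.
from dataclasses import dataclass
from typing import Optional

EVERYONE_SID = "S-1-1-0"  # well-known SID for Everyone


@dataclass(frozen=True)
class Group:
    name: str
    group_type: str            # "security" or "distribution"
    sid: Optional[str] = None  # only security groups receive a SID

    def __post_init__(self):
        if self.group_type == "security" and self.sid is None:
            raise ValueError(f"security group {self.name} needs a SID")
        if self.group_type == "distribution" and self.sid is not None:
            raise ValueError(f"distribution group {self.name} must not have a SID")


@dataclass(frozen=True)
class ACE:
    ace_type: str   # "allow" or "deny"
    sid: str
    rights: frozenset


def build_token(user_sid: str, groups) -> frozenset:
    """Access token: the user's own SID, Everyone, and the SIDs of the
    security groups the user belongs to. Distribution groups add nothing."""
    sids = {user_sid, EVERYONE_SID}
    sids.update(g.sid for g in groups if g.group_type == "security")
    return frozenset(sids)


def check_access(token: frozenset, dacl, requested: frozenset) -> bool:
    """Grant `requested` rights only if every right is allowed by an ACE that
    matches a SID in the token and none is denied by a matching deny ACE."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace.sid not in token:
            continue
        (denied if ace.ace_type == "deny" else allowed).update(ace.rights)
    return requested <= allowed and not (requested & denied)


# Constructed sample data: one user, two groups, one file's DACL.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
FINANCE = Group("Finance", "security", "S-1-5-21-1111111111-2222222222-3333333333-1102")
NEWSLETTER = Group("Newsletter", "distribution")
BUDGET_DACL = [
    ACE("deny", FINANCE.sid, frozenset({"delete"})),
    ACE("allow", FINANCE.sid, frozenset({"read", "write", "delete"})),
    ACE("allow", EVERYONE_SID, frozenset({"read"})),
]


def sample_checks():
    """Return (Finance member can read+write, Finance member can delete,
    Newsletter-only user can write) for the constructed data."""
    finance_token = build_token(USER_SID, [FINANCE, NEWSLETTER])
    newsletter_token = build_token(USER_SID, [NEWSLETTER])
    return (
        check_access(finance_token, BUDGET_DACL, frozenset({"read", "write"})),
        check_access(finance_token, BUDGET_DACL, frozenset({"delete"})),
        check_access(newsletter_token, BUDGET_DACL, frozenset({"write"})),
    )


if __name__ == "__main__":
    print(sample_checks())
```

The Newsletter-only user can still read the file, but only because of the Everyone entry in the DACL, not because of the distribution group; removing that entry would leave that user with no access at all.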