LDAP
Transcript of LDAP
![Page 1: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/1.jpg)
The LDAP Protocol…
Amrish Kaushik, Graduate Student
USC – Computer Science (CN)
![Page 2: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/2.jpg)
Agenda
- Background and Motivation
- Understanding LDAP: Information Structure, Naming, Functions/Operations, Security
- Protocol Model
- Mapping onto Transport Services
- Protocol Element Encoding
- Discussion
![Page 3: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/3.jpg)
Background and Motivation
- Increased reliance on networked computers
- Need for directory information: functionality, ease of use, administration (application-specific directories)
- Clear and consistent organization
- Integrity and confidentiality
![Page 4: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/4.jpg)
X.500
- The CCITT X.500 standard, 1988
- See ISO 9594 – X.500 to X.521, 1990 edition
![Page 5: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/5.jpg)
X.500
- Organizes directory entries into a hierarchical namespace
- Powerful search capabilities
- Often used for interfacing incompatible directory services
- Uses DAP (Directory Access Protocol) for client/server communication
- DAP is an application-layer protocol that requires the ENTIRE OSI stack to operate: too heavy for small environments
![Page 6: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/6.jpg)
What is LDAP?
- Lightweight Directory Access Protocol
- Used to access and update information in a directory built on the X.500 model
- The specification defines the content of messages exchanged between the client and the server
- Includes operations to establish a session with the server and to disconnect from it
![Page 7: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/7.jpg)
LDAP Server: G/S
![Page 8: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/8.jpg)
Understanding LDAP
- Lightweight alternative to DAP
- Uses TCP/IP instead of the OSI stack
- Simplifies certain functions and omits others
- Represents most data (DNs, attribute values, filters) as plain strings rather than DAP's structured ASN.1 types; the messages that carry those strings are still BER-encoded (see Protocol Element Encoding)
![Page 9: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/9.jpg)
LDAP: the four models
- Information: structure of the information stored in an LDAP directory
- Naming: how information is organized and identified
- Functional / Operations: what operations can be performed on the information stored in an LDAP directory
- Security: how the information can be protected from unauthorized access
![Page 10: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/10.jpg)
LDAP Information Storage
![Page 11: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/11.jpg)
LDAP Information Storage
- Each attribute has a type/syntax and a value
- The syntax can define how values behave during searches and other directory operations
- Syntaxes: bin, ces (case-exact string), cis (case-ignore string), tel, dn, etc.
- Usage limits: e.g. ssn – only one value; jpegPhoto – 10K
![Page 12: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/12.jpg)
LDAP Information Storage
- Each 'entry' describes an object of some class: Person, Server, Printer, etc.
- Example entry: inetOrgPerson (cn, sn, objectClass)
- Example attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
![Page 13: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/13.jpg)
LDAP Naming
- A DN consists of a sequence of Relative DNs, listed leaf to root: cn=John Smith,ou=Austin,o=IBM,c=US
- Special characters inside a value (such as ',') are escaped with '\'
- Directory Information Tree (DIT): follows a geographical or organizational scheme
- Aliases: the DIT is tree-like, but an alias entry can point to another entry, including a non-leaf node
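The escaping rule above matters in practice: an attribute value taken from user input and pasted into a DN can contain ',' or '=' and thereby change which entry the DN names. The following is an added example, not code from the slides, showing the RFC 4514 escaping rules and a small DN parser that undoes them; the function names and the sample DNs are my own.

```python
import string

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value
DN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                    # a leading '#' would read as a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):     # leading/trailing spaces would otherwise be dropped
            out.append('\\ ')
        elif ch == '\x00':                            # NUL must be hex-escaped
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """rdns: list of (type, value) pairs ordered leaf to root, as in the slide's example."""
    return ','.join(f'{t}={escape_rdn_value(v)}' for t, v in rdns)


def parse_dn(dn: str):
    """Split a DN string into (type, value) pairs, undoing backslash and \\XX hex escapes.
    Multi-valued RDNs joined with '+' are not handled (the '+' stays inside the value)."""
    rdns, cur, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                cur.append(int(pair, 16))             # \XX is one raw byte of UTF-8
                i += 3
            elif i + 1 < len(dn):
                cur += dn[i + 1].encode('utf-8')      # \c is the literal character c
                i += 2
            else:
                raise ValueError('DN ends with a bare backslash')
            continue
        if ch == ',':                                 # only an unescaped comma separates RDNs
            rdns.append(cur.decode('utf-8'))
            cur = bytearray()
        else:
            cur += ch.encode('utf-8')
        i += 1
    rdns.append(cur.decode('utf-8'))
    out = []
    for rdn in rdns:
        if '=' not in rdn:
            raise ValueError(f'RDN without "=": {rdn!r}')
        t, v = rdn.split('=', 1)
        out.append((t.strip(), v))
    return out
```

With escaping, a value like "x,ou=admins" stays one RDN (cn=x\,ou=admins) instead of silently adding an ou=admins component to the name; without it, the same input would name an entry in a different subtree.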
![Page 14: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/14.jpg)
LDAP Naming: Referrals
- A server may not store the entire DIT
- Referrals (v3): an entry with objectClass=referral and an attribute ref whose value is an LDAP URL
- Implementations differ: referrals vs. chaining (vendor-specific)
- RFC 1777 (LDAPv2): the server is expected to chain the request to other servers rather than return a referral
![Page 15: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/15.jpg)
LDAP Naming: Schema
- Defines which object classes are allowed and where they are stored
- For each objectClass: which attributes it has, which of them are optional, and the type/syntax of each attribute
- A client can query the server for this information starting from the zero-length DN (the root DSE); the LDAP schema must be readable by the client
![Page 16: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/16.jpg)
LDAP Naming Examples

Attribute Type           String
CommonName               CN
LocalityName             L
StateOrProvinceName      ST
OrganizationName         O
OrganizationalUnitName   OU
CountryName              C
StreetAddress            STREET
domainComponent          DC
Userid                   UID
![Page 17: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/17.jpg)
LDAP Functions/Operations
- Authentication: BIND / UNBIND, ABANDON
- Query: Search, Compare entry
- Update: Add an entry; Delete an entry (only leaf nodes; aliases are not dereferenced); Modify an entry; Modify DN/RDN
![Page 18: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/18.jpg)
Client and Server Interaction
- Client establishes a session with the server (BIND): hostname/IP and port number
- Security: user-id/password based authentication; an anonymous connection gets the default access rights; encryption and Kerberos are also supported
- Client performs operations: Read / Update / Search (analogous to SELECT X,Y,Z FROM PART_OF_DIRECTORY)
- Client ends the session (UNBIND); a client can ABANDON an outstanding operation by its MessageID (ABANDON does not end the session)
![Page 19: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/19.jpg)
BIND/UNBIND/ABANDON
- BIND request includes the LDAP version, the name the client wants to bind as, and the authentication type: Simple (clear-text password, or anonymous), Kerberos v4 to the LDAP server (krbv42LDAP), Kerberos v4 to the DSA (krbv42DSA)
- Server responds with a status indication
- UNBIND: terminates a protocol session; UnbindRequest ::= [APPLICATION 2] NULL
- ABANDON: carries the MessageID of the operation to abandon
![Page 20: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/20.jpg)
Search/Compare
- Request includes:
  baseObject: an LDAPDN
  scope: how many levels are to be searched
  derefAliases: handling of aliases
  sizeLimit: max number of entries returned
  timeLimit: max time allowed for the search
  attrsOnly: return attribute types only, or values as well
  filter: condition to be fulfilled when searching
  attributes: list of the entry's attributes to be returned
- Read and List are implemented as searches
- Compare: similar to a search but returns TRUE/FALSE
![Page 21: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/21.jpg)
ADD/MODIFY/DELETE
- ADD request: entry (LDAPDN) plus a list of attributes and values (or sets of values)
- MODIFY request: used to add, delete or modify attributes; includes the object (LDAPDN) and a list of modifications, applied atomically: Add, Delete, Replace
- DELETE request: object (LDAPDN)
- MODIFY RDN: LDAPDN, newRDN, delete-old-RDN flag
![Page 22: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/22.jpg)
Protocol Elements LDAPMessage (MessageID unique)
![Page 23: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/23.jpg)
Protocol Elements
LDAPString ::= OCTET STRING
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
AttributeValueAssertion ::= SEQUENCE {
    attributeType AttributeType,
    attributeValue AttributeValue }
AttributeType ::= LDAPString
AttributeValue ::= OCTET STRING
![Page 24: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/24.jpg)
Protocol Elements: LDAP Result Errors
- On a failed operation the result carries the matched DN: the portion of the requested DN (from the root) that the server could find, so the client sees where the DIT diverged
- Result codes include noSuchObject, aliasProblem, invalidDNSyntax, isLeaf, etc.
![Page 25: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/25.jpg)
LDAP Security
- The current LDAP version (v2) supports clear-text passwords and Kerberos version 4 authentication
- Other authentication methods possible in future versions (March 1995)
- SASL support added in version 3; SASL is a framework rather than a mechanism, so its strength depends on the mechanism negotiated (Kerberos v5, for example, is offered as the SASL GSSAPI mechanism)
![Page 26: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/26.jpg)
LDAP Security
- Security is based on the BIND model: clear-text passwords since version 1; Kerberos v4 in versions 1 and 2, deprecated in version 3; SASL in version 3
- Simple Authentication and Security Layer: one framework, many authentication mechanisms
- Proposal for Transport Layer Security, based on SSL v3 from Netscape
![Page 27: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/27.jpg)
LDAP Security
- No authentication (anonymous)
- Basic authentication: DN and password provided, clear-text or Base64 encoded (encoding is not protection; the password is recoverable from the wire either way)
- SASL (RFC 2222): parameters are DN, mechanism and credentials; provides cross-protocol authentication calls; encryption can optionally be negotiated; ldap_sasl_bind() (a v3 API call)
- The mechanisms a server offers are advertised in its root DSE: ldap://<ldap_server>/?supportedSASLMechanisms
![Page 28: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/28.jpg)
LDAP Security: LDAP using SASL and SSL/TLS (diagram)
![Page 29: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/29.jpg)
LDAP Security: SSL/TLS Handshake (diagram)
![Page 30: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/30.jpg)
Agenda (second half)
- Background and Motivation
- Understanding LDAP: Information Structure, Naming, Functions/Operations, Security
- Protocol Model
- Mapping onto Transport Services
- Protocol Element Encoding
- Discussion
![Page 31: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/31.jpg)
Protocol Model
- Clients perform protocol operations against servers
- The client sends a protocol request to the server; the server performs the operation on the directory and returns a response (results or errors)
- Server behavior is asynchronous: a client may have several operations outstanding, each identified by its MessageID, and responses may arrive in any order
![Page 32: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/32.jpg)
Directory Client/Server Interaction
![Page 33: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/33.jpg)
Mapping onto Transport
- Uses a connection-oriented, reliable transport
- TCP: LDAPMessage PDUs are mapped onto the TCP byte stream; the LDAP listener is on port 389
- Connection Oriented Transport Service (COTS): the LDAP PDU is mapped directly onto T-Data
![Page 34: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/34.jpg)
Protocol Element Encoding
- Encoded for exchange using BER (Basic Encoding Rules), the encoding defined for Abstract Syntax Notation One (ASN.1)
- Full BER has high overhead, so restrictions are imposed to improve performance: only the definite form of length encoding is used; bit strings, octet strings and all character string types are encoded in primitive form only
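To make the BIND/UNBIND slides, the LDAPMessage/LDAPString definitions and the BER restrictions above concrete, here is an added example (not code from the slides) that hand-encodes a simple BindRequest and an UnbindRequest exactly as they go onto the TCP stream, then decodes a BindRequest the way a passive observer on port 389 would. Tag values are those of the LDAPMessage definition ([APPLICATION 0] BindRequest, [APPLICATION 2] UnbindRequest, [0] simple credentials); the function names and sample DNs are my own.

```python
# BER tags as used by LDAP: universal tags plus the [APPLICATION n] / [n] tags of LDAPMessage
TAG_INTEGER        = 0x02
TAG_OCTET_STRING   = 0x04
TAG_SEQUENCE       = 0x30   # constructed
TAG_BIND_REQUEST   = 0x60   # [APPLICATION 0], constructed
TAG_UNBIND_REQUEST = 0x42   # [APPLICATION 2], primitive NULL
TAG_SIMPLE_AUTH    = 0x80   # [0] context-specific primitive: AuthenticationChoice.simple


def ber_length(n: int) -> bytes:
    """Definite-length form only, as LDAP requires: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(v: int) -> bytes:
    """Non-negative INTEGER in the minimal number of two's-complement octets."""
    if v < 0:
        raise ValueError('only non-negative integers are needed here')
    n = v.bit_length() // 8 + 1          # one extra bit keeps the sign bit clear
    return ber_tlv(TAG_INTEGER, v.to_bytes(n, 'big'))


def simple_bind_request(message_id: int, name: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    bind = (ber_integer(version)
            + ber_tlv(TAG_OCTET_STRING, name.encode('utf-8'))     # LDAPDN ::= LDAPString ::= OCTET STRING
            + ber_tlv(TAG_SIMPLE_AUTH, password.encode('utf-8')))
    return ber_tlv(TAG_SEQUENCE, ber_integer(message_id) + ber_tlv(TAG_BIND_REQUEST, bind))


def unbind_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, UnbindRequest ::= [APPLICATION 2] NULL }."""
    return ber_tlv(TAG_SEQUENCE, ber_integer(message_id) + ber_tlv(TAG_UNBIND_REQUEST, b''))


def ber_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos); rejects the indefinite form that LDAP forbids."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7f
        if n == 0:
            raise ValueError('indefinite length is not permitted in LDAP')
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError('truncated PDU')
    return tag, buf[pos:end], end


def parse_bind_request(pdu: bytes) -> dict:
    """Decode a simple BindRequest; on a clear-text session the password is right there."""
    tag, body, end = ber_read_tlv(pdu)
    if tag != TAG_SEQUENCE or end != len(pdu):
        raise ValueError('not a single LDAPMessage')
    tag, mid, p = ber_read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError('messageID must be an INTEGER')
    tag, bind, p = ber_read_tlv(body, p)
    if tag != TAG_BIND_REQUEST:
        raise ValueError('not a BindRequest')
    tag, ver, q = ber_read_tlv(bind)
    tag, name, q = ber_read_tlv(bind, q)
    tag, cred, q = ber_read_tlv(bind, q)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError('only simple credentials are decoded here (SASL uses [3])')
    return {'message_id': int.from_bytes(mid, 'big'),
            'version': int.from_bytes(ver, 'big'),
            'name': name.decode('utf-8'),
            'password': cred.decode('utf-8')}
```

The anonymous bind encodes to 30 0c 02 01 01 60 07 02 01 03 04 00 80 00: a SEQUENCE holding messageID 1 and a BindRequest with version 3, an empty name and empty simple credentials. Because every field is a length-prefixed OCTET STRING, nothing in the encoding hides the password; that is the whole argument for the SASL and SSL/TLS slides that follow.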
![Page 35: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/35.jpg)
LDAP Implementations
- C library API: LDAPv2 – RFC 1823 'The LDAP API'; LDAPv3 – in Internet Draft stage
- Java: JNDI
- LDAP v3 uses the UTF-8 encoding of the Unicode character set
- HTTP to LDAP gateway
- LDAP to X.500 gateway – ldapd
![Page 36: LDAP](https://reader036.fdocuments.us/reader036/viewer/2022081518/54c6af244a795938788b457c/html5/thumbnails/36.jpg)
Version 2 vs. Version 3
- Referrals: a server that does not store the requested data can refer the client to another server
- Security: extensible authentication using Simple Authentication and Security Layer (SASL)
- Internationalization: UTF-8 support for international characters
- Extensibility: new object types and operations can be dynamically defined and schema published in a standard manner