The LDAP Protocol
Amrish Kaushik, Graduate Student, USC – Computer Science (CN)
Agenda
- Background and Motivation
- Understanding LDAP
- Information Structure
- Naming
- Functions/Operations
- Security
- Protocol Model
- Mapping onto Transport Services
- Protocol Element Encoding
- Discussion
Background and Motivation
- Increased reliance on networked computers
- Needs regarding information:
  - Functionality
  - Ease of use
  - Administration (application-specific directories)
  - Clear and consistent organization
  - Integrity
  - Confidentiality
X.500
- X.500 standard, CCITT 1988
- Refer to ISO 9594 – X.500-X.521 of 1990
X.500
- Organizes directory entries into a hierarchical namespace
- Powerful search capabilities
- Often used for interfacing incompatible directory services
- Used DAP for client/server communication
- DAP (application layer) requires the ENTIRE OSI stack to operate
- Too heavy for small environments
What is LDAP?
- Lightweight Directory Access Protocol
- Used to access and update information in a directory built on the X.500 model
- The specification defines the content of messages between the client and the server
- Includes operations to establish and disconnect a session from the server
Understanding LDAP
- Lightweight alternative to DAP
- Uses TCP/IP instead of the OSI stack
- Simplifies certain functions and omits others…
- Uses strings rather than DAP’s ASN.1 notation to represent data
LDAP
- Information: structure of the information stored in an LDAP directory
- Naming: how information is organized and identified
- Functional/Operations: what operations can be performed on the information stored in an LDAP directory
- Security: how the information can be protected from unauthorized access
LDAP Information Storage
- Each attribute has a type/syntax and a value
- Can define how values behave during searches/directory operations
- Syntax: bin, ces, cis, tel, dn, etc.
- Usage limits: ssn – only one; jpegPhoto – 10K
LDAP Information Storage
- Each ‘entry’ describes an object (class): Person, Server, Printer, etc.
- Example entry: inetOrgPerson (cn, sn, objectClass)
- Example attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
LDAP Naming
- DNs consist of a sequence of Relative DNs (RDNs), written leaf to root: cn=John Smith,ou=Austin,o=IBM,c=US
- (~use for special)
- Directory Information Tree (DIT): follows a geographical or organizational scheme
- Aliases: the DIT is tree-like; aliases can link non-leaf nodes
LDAP Naming
- Referrals: a server may not store the entire DIT (v3)
- Referral entries: objectClass=referral, attribute=ref, value=LDAP URL
- Implementation differs: referrals vs. chaining (vendor-specific)
- RFC 1777: server chaining is expected
LDAP Naming
- Schema:
  - Defines which object classes are allowed
  - Where they are stored
  - What attributes they have (objectClass)
  - Which attributes are optional (objectClass)
  - Type/syntax of each attribute (objectClass)
- Query the server for schema info: zero-length DN
- The LDAP schema must be readable by the client
LDAP Functions/Operations
- Authentication: BIND/UNBIND, ABANDON
- Query: Search, Compare entry
- Update: Add an entry; Delete an entry (only leaf nodes, no aliases); Modify an entry; Modify DN/RDN
Client and Server Interaction
- Client establishes a session with the server (BIND)
  - Hostname/IP and port number
  - Security: user-id/password based authentication; anonymous connection – default access rights; encryption/Kerberos also supported
- Client performs operations: Read/Update/Search
  - SQL analogy: SELECT X,Y,Z FROM PART_OF_DIRECTORY
- Client ends the session (UNBIND)
- Client can ABANDON the session
BIND/UNBIND/ABANDON
- BIND request includes the LDAP version, the name the client wants to bind as, and the authentication type:
  - Simple (clear-text passwords, anonymous)
  - Kerberos v4 to the LDAP server (krbv42LDAP)
  - Kerberos v4 to the DSA server (krbv42DSA)
- Server responds with a status indication
- UNBIND: terminates a protocol session
  UnbindRequest ::= [APPLICATION 2] NULL
- ABANDON:
Search/Compare
- Request includes:
  - baseObject: an LDAPDN
  - scope: how many levels are to be searched
  - derefAliases: handling of aliases
  - sizeLimit: max number of entries returned
  - timeLimit: max time allowed for the search
  - attrsOnly: return attribute types only, or values also
  - filter: condition to be fulfilled when searching
  - attributes: list of the entry’s attributes to be returned
- Read and List are implemented as searches
- Compare: similar to search but returns true/false
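The DN syntax from the naming slides and the search filter above are both string syntaxes in which a handful of characters are structural, so any value taken from a caller must be escaped before it is embedded. The following is an added example, not code from the talk; it applies the escaping rules of RFC 4515 (filters) and RFC 4514 (DNs), which postdate the slides but specify the same string forms, and splits a DN into its RDNs while honouring those escapes.

```python
# Added example, not from the slides: escape values placed into an LDAP search
# filter (RFC 4515) or a DN (RFC 4514), and split a DN into its RDNs. Both RFCs
# postdate the talk; they are the current string syntaxes for what it describes.

def escape_filter_value(value: str) -> str:
    # RFC 4515: '*', '(', ')', '\' and NUL become backslash + two hex digits,
    # so a value embedded in (cn=VALUE) cannot change the filter's structure.
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)

def build_filter(attr: str, value: str) -> str:
    """Equality filter for one attribute, with the value escaped."""
    return '(%s=%s)' % (attr, escape_filter_value(value))

def escape_dn_value(value: str) -> str:
    # RFC 4514: escape , + " \ < > ; anywhere, a leading ' ' or '#',
    # a trailing ' ', and NUL (as \00) in an RDN value such as cn=VALUE.
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in ',+"\\<>;':
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)

def split_dn(dn: str) -> list:
    """Split a DN into its RDNs (leaf to root), honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):  # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ',':
            rdns.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    rdns.append(''.join(cur))
    return rdns
```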
ADD/MODIFY/DELETE
- ADD request: entry (LDAPDN); list of attributes and values (or sets of values)
- MODIFY request: used to add, delete, modify attributes
  - Request includes the object (LDAPDN) and a list of modifications (applied atomically): Add, Delete, Replace
- DELETE request: object (LDAPDN)
- MODIFY RDN: LDAPDN, newRDN,
LDAP Security
- Current LDAP version supports:
  - Clear-text passwords
  - Kerberos version 4 authentication
- Other authentication methods possible in future versions (March 1995)
- SASL support added in version 3
- Kerberos deemed stronger than SASL…
LDAP Security
- Security based on the BIND model
  - Clear text: version 1
  - Kerberos: versions 1, 2, 3 (deprecated)
  - SASL: version 3
- Simple Authentication and Security Layer uses one of many authentication methods
- Proposal for Transport Layer Security, based on SSL v3 from Netscape
LDAP Security
- No authentication
- Basic authentication: DN and password provided, clear-text or Base64 encoded
- SASL (RFC 2222): parameters DN, mechanism, credentials
  - Provides cross-protocol authentication calls
  - Encryption can be optionally negotiated
  - ldap_sasl_bind() (v3 call)
  - Ldap://<ldap_server>/?supportedsaslmechanisms
Mapping onto Transport
- Uses a connection-oriented, reliable transport
- TCP: the LDAPMessage PDU is mapped onto the TCP byte stream; LDAP listener on port 389
- Connection Oriented Transport Service (COTS): the LDAP PDU is mapped directly onto T-Data
Protocol Element Encoding
- Encoded for exchange using BER (Basic Encoding Rules)
- BER is defined in Abstract Syntax Notation One (ASN.1)
- High overhead for BER
- Restrictions imposed to improve performance:
  - Definite form of length encoding only
  - Bit strings, octet strings and all character string types encoded in primitive form only
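To make the two BER restrictions concrete, here is an added example (not code from the talk) that hand-encodes the simple BindRequest described on the BIND slide and the UnbindRequest from the same slide, using definite-length encoding and primitive OCTET STRINGs only. Tags and message layout follow the LDAPMessage definition of RFC 1777/RFC 4511; the helper names are mine, and the check at the end shows why a simple bind's password is only as protected as the transport carrying it.

```python
# Added example, not from the slides: BER-encode two LDAP protocol elements under
# the restrictions the slide lists (definite-length form only, OCTET STRING in
# primitive form). Tags and structure follow LDAPMessage in RFC 1777/RFC 4511.

def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count + big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element (single-byte tags only, enough for LDAP)."""
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(v: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement; non-negative values assumed."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, 'big', signed=True))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest } with a simple (clear-text) bind.

    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
        authentication AuthenticationChoice { simple [0] OCTET STRING } }
    [APPLICATION 0] constructed = 0x60; context-specific [0] primitive = 0x80.
    """
    body = (ber_integer(3)                          # LDAP version 3
            + tlv(0x04, dn.encode('utf-8'))         # name: primitive OCTET STRING
            + tlv(0x80, password.encode('utf-8')))  # simple credentials
    return tlv(0x30, ber_integer(msg_id) + tlv(0x60, body))

def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL -> tag 0x42 with zero-length content."""
    return tlv(0x30, ber_integer(msg_id) + tlv(0x42, b''))

def credentials_visible(message: bytes, password: str) -> bool:
    """True when the bind password appears verbatim in the encoded PDU: the
    'clear text passwords' of the security slides, hence the need for a
    protected transport or a SASL mechanism that does not send the secret."""
    return password.encode('utf-8') in message

if __name__ == '__main__':
    print(bind_request(1, '', '').hex())    # anonymous simple bind
    print(unbind_request(2).hex())
```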
LDAP Implementations
- C library API: LDAPv2 – RFC 1823 ‘The LDAP API’; LDAPv3 – in Internet Draft stage
- Java: JNDI
- LDAP v3 uses the UTF-8 encoding of the Unicode character set
- HTTP to LDAP gateway
- LDAP to X.500 gateway – ldapd
Version 2 vs. Version 3
- Referrals: a server that does not store the requested data can refer the client to another server
- Security: extensible authentication using the Simple Authentication and Security Layer (SASL)
- Internationalization: UTF-8 support for international characters
- Extensibility: new object types and operations can be dynamically defined and schema published in a standard manner