LDAP Presentation

  1. The LDAP Protocol
     Amrish Kaushik, Graduate Student, USC – Computer Science (CN)
  2. Agenda
     - Background and Motivation
     - Understanding LDAP: Information Structure, Naming, Functions/Operations, Security
     - Protocol Model
     - Mapping onto Transport Services
     - Protocol Element Encoding
     - Discussion
  3. Background and Motivation
     - Increased reliance on networked computers
     - What is needed from the information: functionality, ease of use, administration (one directory instead of application-specific directories), clear and consistent organization, integrity, confidentiality
  4. X.500
     - The X.500 standard, CCITT 1988
     - Refer to ISO 9594 (X.500 to X.521 of 1990)
  5. X.500
     - Organizes directory entries into a hierarchical namespace
     - Powerful search capabilities
     - Often used for interfacing incompatible directory services
     - Uses DAP for client/server communication
     - DAP (an application-layer protocol) requires the ENTIRE OSI stack to operate: too heavy for small environments
  6. What is LDAP?
     - Lightweight Directory Access Protocol
     - Used to access and update information in a directory built on the X.500 model
     - The specification defines the content of the messages exchanged between client and server
     - Includes operations to establish a session with the server and to disconnect from it
  7. LDAP Server: G/S (diagram)
  8. Understanding LDAP
     - A lightweight alternative to DAP
     - Uses TCP/IP instead of the OSI stack
     - Simplifies certain functions and omits others
     - Represents directory data as strings rather than in DAP's structured ASN.1 syntaxes (the protocol messages themselves are still BER-encoded ASN.1, see Protocol Element Encoding)
  9. Understanding LDAP: the four models
     - Information: the structure of the information stored in an LDAP directory
     - Naming: how information is organized and identified
     - Functional/Operations: what operations can be performed on the information stored in an LDAP directory
     - Security: how the information can be protected from unauthorized access
  10. LDAP Information Storage (diagram)
  11. LDAP Information Storage
     - Each attribute has a type (with a syntax) and one or more values
     - The syntax defines how values behave during searches and other directory operations, e.g. whether matching is case-sensitive
     - Syntaxes: bin (binary), ces (case exact string), cis (case ignore string), tel (telephone number), dn (distinguished name), etc.
     - Usage limits: ssn has only one value; jpegPhoto is limited to 10K
  12. LDAP Information Storage
     - Each entry describes an object of some object class: person, server, printer, etc.
     - Example entry: inetOrgPerson (cn, sn, objectClass)
     - Example attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
  13. LDAP Naming
     - A DN is a sequence of Relative DNs (RDNs), written leaf first and root last: cn=John Smith,ou=Austin,o=IBM,c=US
     - Directory Information Tree (DIT): follows a geographical or organizational scheme
     - Aliases: the DIT is tree-like, but aliases can also link to non-leaf nodes
  14. LDAP Naming: referrals
     - A server may not store the entire DIT (LDAPv3)
     - A referral is an entry with objectClass=referral whose ref attribute holds an LDAP URL naming the server that holds the data
     - Implementations differ: referrals (returned to the client) versus chaining (the server contacts the other server) is a vendor choice; RFC 1777 (LDAPv2) expects servers to chain
  15. LDAP Naming: schema
     - The schema defines which object classes are allowed and where they are stored
     - Which attributes each object class has, and which of them are optional (objectClass)
     - The type/syntax of each attribute
     - The client can query the server for this information by searching the entry with the zero-length DN (the root DSE); the LDAP schema must be readable by the client
  16. LDAP Naming: attribute type abbreviations

     Attribute type          String
     CommonName              CN
     LocalityName            L
     StateOrProvinceName     ST
     OrganizationName        O
     OrganizationalUnitName  OU
     CountryName             C
     StreetAddress           STREET
     domainComponent         DC
     Userid                  UID
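The DN syntax and the parent/scope relations of slides 13 to 16, as an added example in Python that is not part of the original presentation. It parses a string DN into its RDNs (leaf first, as on the slide), rebuilds it with RFC 2253/4514 escaping, and decides parent and search-scope relations on the parsed form rather than on the text. All DNs in it are constructed samples, and every value is compared case-insensitively, which is right only for cis attributes such as cn, ou, o and c. The value "cn=a\,o=IBM,c=US" shows why a textual suffix check is not a scope check: as a string it ends in "o=IBM,c=US", but structurally it is a two-RDN name directly under c=US.

```python
# Added example: DN parsing, escaping and scope checks (RFC 2253/4514 string form).
HEX = "0123456789abcdefABCDEF"
SPECIAL = ',+"\\<>;='   # characters that must be backslash-escaped inside a value

def _split_unescaped(s, sep):
    """Split on sep, leaving any backslash-escaped character (and its backslash) intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts

def _unescape(v):
    """Turn \\XX hex pairs (ASCII only here) and \\c escapes back into characters."""
    out, i = [], 0
    while i < len(v):
        if v[i] != "\\":
            out.append(v[i])
            i += 1
            continue
        pair = v[i + 1:i + 3]
        if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
            out.append(chr(int(pair, 16)))
            i += 3
        elif i + 1 < len(v):
            out.append(v[i + 1])
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return "".join(out)

def _strip_value(v):
    """Drop surrounding whitespace but keep a trailing space that is escaped."""
    v = v.lstrip()
    while v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1]
    return v

def parse_dn(dn):
    """'cn=John Smith,ou=Austin,o=IBM,c=US' -> [[('cn', 'John Smith')], [('ou', 'Austin')], ...]

    RDNs come leaf first, as on the slide. The zero-length DN (the root DSE) parses
    to []. Multi-valued RDNs (a=1+b=2) are sorted so that order does not affect equality.
    """
    if dn.strip() == "":
        return []
    rdns = []
    for raw_rdn in _split_unescaped(dn, ","):
        avas = []
        for raw_ava in _split_unescaped(raw_rdn, "+"):
            attr_type, sep, raw_value = raw_ava.partition("=")  # a type never contains '='
            if not sep:
                raise ValueError("RDN component without '=': %r" % raw_ava)
            avas.append((attr_type.strip().lower(), _unescape(_strip_value(raw_value))))
        rdns.append(sorted(avas))
    return rdns

def escape_value(v):
    """Escape one attribute value for use inside a string DN."""
    out = "".join("\\" + c if c in SPECIAL else c for c in v)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def format_dn(rdns):
    """Inverse of parse_dn; the result parses back to the same RDN list."""
    return ",".join("+".join("%s=%s" % (t, escape_value(v)) for t, v in rdn) for rdn in rdns)

def _key(rdns):
    # Comparison form: every value treated as cis, which is wrong for ces/bin syntaxes.
    return [[(t, v.lower()) for t, v in rdn] for rdn in rdns]

def parent_dn(dn):
    """The immediate superior: the DN minus its leaf RDN ('' for a top-level entry)."""
    return format_dn(parse_dn(dn)[1:])

def scope_matches(entry_dn, base_dn, scope):
    """baseObject / singleLevel / wholeSubtree, decided on parsed RDNs rather than on text."""
    e, b = _key(parse_dn(entry_dn)), _key(parse_dn(base_dn))
    if scope == "base":
        return e == b
    if scope == "one":
        return len(e) == len(b) + 1 and e[1:] == b
    if scope == "sub":
        return len(e) >= len(b) and e[len(e) - len(b):] == b
    raise ValueError("scope must be base, one or sub")
```

Anything that builds a DN from user-supplied data (a cn typed into a form, for instance) should go through escape_value before the DN is assembled; without it a comma or plus in the value changes how many RDNs the name has.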
  17. LDAP Functions/Operations
     - Authentication and session control: BIND / UNBIND, and ABANDON
     - Query: Search, Compare
     - Update: Add an entry; Delete an entry (only leaf entries; aliases are not dereferenced); Modify an entry; Modify DN/RDN
  18. Client and Server Interaction
     - The client establishes a session with the server (BIND), given a hostname/IP address and port number
     - Security: user-id/password based authentication; anonymous connection (default access rights); encryption and Kerberos are also supported
     - The client performs operations: read, update, search. A search is roughly the SQL analogue of SELECT X,Y,Z FROM PART_OF_DIRECTORY
     - The client ends the session (UNBIND)
     - The client can ABANDON an outstanding operation (not the session): the server stops processing that request
  19. BIND/UNBIND/ABANDON
     - The BIND request includes the LDAP version, the name the client wants to bind as, and the authentication type: simple (clear-text password; empty name and password mean anonymous), Kerberos v4 to the LDAP server (krbv42LDAP), Kerberos v4 to the DSA (krbv42DSA)
     - The server responds with a status indication (a BindResponse carrying an LDAPResult)
     - UNBIND terminates the protocol session: UnbindRequest ::= [APPLICATION 2] NULL; no response is sent
     - ABANDON: AbandonRequest ::= [APPLICATION 16] MessageID; the server should stop the outstanding operation with that message ID; no response is defined
  20. Search/Compare
     - The search request includes: baseObject (an LDAPDN); scope (how many levels are searched: the base object, one level below it, or the whole subtree); derefAliases (how aliases are handled); sizeLimit (maximum number of entries returned); timeLimit (maximum time allowed for the search); typesOnly (return attribute types only, or types with their values); filter (the condition entries must fulfil); attributes (the list of the entry's attributes to be returned)
     - Read and List are implemented as searches (base-object and one-level scope respectively)
     - Compare is similar to a search but returns only true or false for one attribute value of one entry
  21. ADD/MODIFY/DELETE
     - ADD request: the entry (LDAPDN) and a list of attributes with their values (or sets of values)
     - MODIFY request: used to add, delete or replace attribute values; includes the object (LDAPDN) and a list of modifications (add, delete, replace) that is applied atomically, all or none
     - DELETE request: the object (LDAPDN)
     - MODIFY RDN request: the object (LDAPDN), newRDN, ...
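A worked Search and Compare over constructed entries, as an added Python example that is not code from the presentation. It implements the RFC 1960 string filter grammar (and/or/not, equality, presence, substring, approximate and ordering items, with RFC 2254 escapes), the sizeLimit, typesOnly and attribute-selection parameters of slide 20, the Compare operation, and escape_filter_value for values a client splices into a filter string. ENTRIES and its DNs are constructed sample data; scope, alias dereferencing and timeLimit are left out, and every match is case-insensitive, which is correct only for cis attributes.

```python
# Added example: RFC 1960/2254 string filters, Search parameters and Compare over
# constructed in-memory entries. Scope, alias handling and timeLimit are omitted.
import re

# Constructed sample entries: (DN, attributes). Attribute names are stored lower-cased
# because LDAP attribute types are case-insensitive.
ENTRIES = [
    ("cn=John Smith,ou=Austin,o=IBM,c=US",
     {"objectclass": ["top", "person", "inetOrgPerson"], "cn": ["John Smith"],
      "sn": ["Smith"], "telephonenumber": ["+1 512 555 0100"]}),
    ("cn=Jane Doe,ou=Austin,o=IBM,c=US",
     {"objectclass": ["top", "person", "inetOrgPerson"], "cn": ["Jane Doe"], "sn": ["Doe"]}),
    ("ou=Austin,o=IBM,c=US", {"objectclass": ["top", "organizationalUnit"], "ou": ["Austin"]}),
]
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)\Z", re.S)

def _unescape(value):
    """Undo RFC 2254 \\XX escapes (ASCII only here)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def escape_filter_value(value):
    """RFC 2254 escaping for a value a client splices into a filter string."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, pos):
    """Recursive descent over filter = '(' filtercomp ')'; returns (node, next_pos)."""
    if pos + 1 >= len(s) or s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    c, pos = s[pos + 1], pos + 1
    if c in "&|":
        subs, pos = [], pos + 1
        while pos < len(s) and s[pos] != ")":
            node, pos = _parse(s, pos)
            subs.append(node)
        if pos >= len(s):
            raise ValueError("unterminated filter")
        return (c, subs), pos + 1
    if c == "!":
        node, pos = _parse(s, pos + 1)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError("'!' takes exactly one filter")
        return ("!", node), pos + 1
    end = s.find(")", pos)             # an unescaped ')' cannot occur inside a value
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM.match(s[pos:end])
    if not m:
        raise ValueError("bad filter item %r" % s[pos:end])
    attr, op, val = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and val == "*":
        return ("present", attr), end + 1
    if op == "=" and "*" in val:       # only unescaped '*' survive to this point
        return ("substring", attr, [_unescape(p) for p in val.split("*")]), end + 1
    return (op, attr, _unescape(val)), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (cis matching throughout)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, attrs) for n in node[1])
    if kind == "|":
        return any(matches(n, attrs) for n in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    values = [v.lower() for v in attrs.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "substring":
        pattern = ".*".join(re.escape(p.lower()) for p in node[2])
        return any(re.fullmatch(pattern, v, re.S) for v in values)
    target = node[2].lower()
    if kind in ("=", "~="):            # approximate match treated as equality here
        return target in values
    if kind == ">=":
        return any(v >= target for v in values)
    return any(v <= target for v in values)   # '<='; plain string ordering

def search(entries, filter_text, attributes=None, types_only=False, size_limit=0):
    """Answer a SearchRequest as (resultCode, [(dn, attrs)]) honouring attributes, typesOnly, sizeLimit."""
    node = parse_filter(filter_text)
    wanted = None if attributes is None else [a.lower() for a in attributes]
    results = []
    for dn, attrs in entries:
        if not matches(node, attrs):
            continue
        if size_limit and len(results) >= size_limit:
            return "sizeLimitExceeded", results
        selected = {a: v for a, v in attrs.items() if wanted is None or a in wanted}
        results.append((dn, {a: ([] if types_only else v) for a, v in selected.items()}))
    return "success", results

def compare(entries, dn, attr, value):
    """Compare: like a search on one entry, but the answer is only true or false."""
    for entry_dn, attrs in entries:
        if entry_dn.lower() == dn.lower():   # textual DN match; a real server compares parsed DNs
            return "compareTrue" if matches(("=", attr.lower(), value), attrs) else "compareFalse"
    return "noSuchObject"
```

The escaping matters because the filter is a language, not a value: a client that fills "(&(objectClass=person)(cn=%s))" from the input "*)(sn=*" produces a filter that parses cleanly and matches every person, whereas the same input passed through escape_filter_value becomes the equality item cn=\2a\29\28sn=\2a and matches nothing.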
  22. Protocol Elements
     - Every request is wrapped in an LDAPMessage carrying a MessageID that must be unique among the client's outstanding requests; the response carries the same MessageID, which is how responses are matched to requests on an asynchronous session and what an ABANDON refers to
  23. Protocol Elements
     LDAPString ::= OCTET STRING
     LDAPDN ::= LDAPString
     RelativeLDAPDN ::= LDAPString
     AttributeType ::= LDAPString
     AttributeValue ::= OCTET STRING
     AttributeValueAssertion ::= SEQUENCE {
         attributeType   AttributeType,
         attributeValue  AttributeValue
     }
  24. Protocol Elements: LDAPResult
     - Every response carries an LDAPResult with a resultCode, a matchedDN and an errorMessage
     - On a naming error the matchedDN holds a truncated RDN sequence: the part of the requested DN that the server could locate in the DIT
     - Error result codes include noSuchObject, aliasProblem, invalidDNSyntax, isLeaf, etc.
  25. LDAP Security
     - The current LDAP version (v2, RFC 1777, March 1995) supports clear-text passwords and Kerberos version 4 authentication; other authentication methods are left to future versions
     - SASL support was added in version 3
     - SASL is a framework for negotiating an authentication mechanism, not a mechanism of its own, so it is neither weaker nor stronger than Kerberos; Kerberos itself is reachable through SASL (the GSSAPI mechanism)
  26. LDAP Security
     - Security is based on the BIND model
     - Clear text: v1 onwards; Kerberos v4: v1 and v2 (deprecated in v3); SASL: v3
     - Simple Authentication and Security Layer: uses one of many authentication methods
     - Proposal for Transport Layer Security, based on SSL v3 from Netscape
  27. LDAP Security
     - No authentication (anonymous)
     - Basic authentication: DN and password provided, clear-text or Base64 encoded (Base64 is an encoding, not protection: the password is recoverable by anyone on the path unless the session runs over SSL/TLS)
     - SASL (RFC 2222): parameters are the DN, the mechanism and the credentials; provides cross-protocol authentication calls; encryption (a security layer) can optionally be negotiated; API call ldap_sasl_bind() (LDAPv3)
     - The server advertises its mechanisms in the root DSE: ldap://<ldap_server>/?supportedSASLMechanisms
  28. LDAP Security: LDAP using SASL using SSL/TLS (diagram)
  29. LDAP Security: SSL/TLS handshake (diagram)
  30. Agenda
     - Background and Motivation
     - Understanding LDAP: Information Structure, Naming, Functions/Operations, Security
     - Protocol Model
     - Mapping onto Transport Services
     - Protocol Element Encoding
     - Discussion
  31. Protocol Model
     - Clients perform protocol operations against servers
     - The client sends a protocol request to the server
     - The server performs the operation on the directory
     - The server returns a response (results or errors)
     - Server behaviour is asynchronous: a client may have several requests outstanding, and responses are matched to requests by MessageID
  32. Directory Client/Server Interaction (diagram)
  33. Mapping onto Transport
     - Uses a connection-oriented, reliable transport
     - TCP: each LDAPMessage PDU is mapped onto the TCP byte stream; the LDAP listener is on port 389
     - OSI Connection Oriented Transport Service (COTS): the LDAP PDU is mapped directly onto T-Data
  34. Protocol Element Encoding
     - Encoded for exchange using BER (Basic Encoding Rules), the encoding defined for Abstract Syntax Notation One (ASN.1)
     - BER has high overhead, so restrictions are imposed to improve performance: only the definite form of length encoding is used, and bit strings, octet strings and all character string types are encoded in primitive form only
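The ASN.1 of slides 19, 22 and 23 and the BER restrictions of slide 34, as an added Python example that is not code from the presentation: a minimal encoder and decoder for an LDAPMessage wrapping a BindRequest (simple authentication), a BindResponse, an UnbindRequest and an AbandonRequest, using definite-form lengths and primitive-form strings only. The tag values are the ones RFC 1777 and RFC 2251 assign; the DN, password and message IDs used with it are constructed. Decoding a simple bind back to its fields is also the concrete form of the clear-text-password point of slides 25 to 27: the password is in the PDU as-is, so anyone who sees the TCP stream sees it unless the session is under SSL/TLS.

```python
# Added example: BER codec for LDAPMessage/Bind/Unbind/Abandon under the RFC 1777 sec. 5 rules.
TAG_SEQUENCE = 0x30         # UNIVERSAL 16, constructed
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61    # [APPLICATION 1], constructed (wraps an LDAPResult)
TAG_UNBIND_REQUEST = 0x42   # [APPLICATION 2] NULL, primitive
TAG_ABANDON_REQUEST = 0x50  # [APPLICATION 16] MessageID, primitive
TAG_SIMPLE_AUTH = 0x80      # [0] OCTET STRING inside AuthenticationChoice

def encode_length(n):
    """Definite form only: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + encode_length(len(content)) + content

def encode_integer(value, tag=TAG_INTEGER):
    """Minimal-length two's complement, as BER requires for INTEGER and ENUMERATED."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, value.to_bytes(length, "big", signed=True))

def encode_string(s, tag=0x04):
    """LDAPString ::= OCTET STRING, as UTF-8 (LDAPv3; v2 used T.61), primitive form only."""
    return tlv(tag, s.encode("utf-8"))

def ldap_message(message_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID MessageID, protocolOp CHOICE { ... } }"""
    return tlv(TAG_SEQUENCE, encode_integer(message_id) + protocol_op)

def bind_request(message_id, version, name, password):
    """Simple bind; empty name and password make it anonymous. The password goes out verbatim."""
    op = encode_integer(version) + encode_string(name) + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8"))
    return ldap_message(message_id, tlv(TAG_BIND_REQUEST, op))

def bind_response(message_id, result_code, matched_dn="", error_message=""):
    # LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN LDAPDN, errorMessage LDAPString }
    result = (encode_integer(result_code, TAG_ENUMERATED)
              + encode_string(matched_dn) + encode_string(error_message))
    return ldap_message(message_id, tlv(TAG_BIND_RESPONSE, result))

def unbind_request(message_id):
    return ldap_message(message_id, tlv(TAG_UNBIND_REQUEST, b""))

def abandon_request(message_id, target_id):
    """Asks the server to drop the outstanding operation whose messageID is target_id."""
    return ldap_message(message_id, encode_integer(target_id, TAG_ABANDON_REQUEST))

def read_tlv(data, pos=0):
    """Return (tag, content, next_pos); rejects indefinite-form and over-long lengths."""
    if pos + 2 > len(data):
        raise ValueError("truncated element header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(data[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    end = pos + length
    if end > len(data):
        raise ValueError("element length exceeds buffer")
    return tag, data[pos:end], end

def _int(b):
    return int.from_bytes(b, "big", signed=True)

def decode_ldap_message(data):
    """Decode exactly one LDAPMessage into a dict (only the operations above are understood)."""
    tag, body, end = read_tlv(data)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    msg = {"messageID": _int(mid)}
    tag, op, _ = read_tlv(body, pos)
    if tag == TAG_BIND_REQUEST:
        _, ver, p = read_tlv(op)
        _, name, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        if auth_tag != TAG_SIMPLE_AUTH:
            raise ValueError("only simple authentication is decoded here")
        msg.update(op="bindRequest", version=_int(ver), name=name.decode("utf-8"),
                   password=cred.decode("utf-8"))  # readable by anyone who sees the bytes
    elif tag == TAG_BIND_RESPONSE:
        _, code, p = read_tlv(op)
        _, matched, p = read_tlv(op, p)
        _, err, _ = read_tlv(op, p)
        msg.update(op="bindResponse", resultCode=_int(code),
                   matchedDN=matched.decode("utf-8"), errorMessage=err.decode("utf-8"))
    elif tag == TAG_UNBIND_REQUEST:
        msg["op"] = "unbindRequest"
    elif tag == TAG_ABANDON_REQUEST:
        msg.update(op="abandonRequest", abandonID=_int(op))
    else:
        raise ValueError("unsupported protocolOp tag 0x%02x" % tag)
    return msg
```

The exchange of slides 18 and 19 in these terms: the client sends bind_request(1, 3, dn, password), the server answers with bind_response(1, 0) (resultCode 0 is success; 49 is invalidCredentials), the client may later send abandon_request(n, m) for an operation m it no longer wants, and unbind_request(k) closes the session with no response. A decoder that accepts the indefinite length form or an element longer than its buffer is the usual source of BER parsing bugs, which is why read_tlv refuses both.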
  35. LDAP Implementations
     - C library API: LDAPv2 in RFC 1823, "The LDAP API"; the LDAPv3 API is at the Internet-Draft stage
     - Java: JNDI
     - LDAPv3 uses the UTF-8 encoding of the Unicode character set
     - HTTP-to-LDAP gateway
     - LDAP-to-X.500 gateway: ldapd
  36. Version 2 vs Version 3
     - Referrals: a server that does not store the requested data can refer the client to another server
     - Security: extensible authentication using the Simple Authentication and Security Layer (SASL)
     - Internationalization: UTF-8 support for international characters
     - Extensibility: new object types and operations can be dynamically defined, and the schema published in a standard manner
