SlideShare a Scribd company logo

Do The Right Thing! How LDAP servers should help LDAP clients

LDAPCon
LDAPCon
Technology
1 of 34
Download to read offline
Do The Right Thing! How LDAP servers should help LDAP clients Michael Ströder <michael@stroeder.com> Paris, 2013­11­19
Who? Michael Ströder <michael@stroeder.com> Freelancer : LDAP and PKI consulting Active open source projects: – http://web2ldap.de – http://python-ldap.org Not a UI expert Old-fashioned Concerned about insecurity by complexity stroeder.com
Why? Kurt Zeilenga wrote: > It might be interesting to discuss how/where web2ldap is > able to support its users using vendor-inspecific codes, > where you need to use vendor-specific codes, where LDAP's > discovery mechanisms help, where they don't, what you do > when they don't, etc. How to guide human users using as much server-side information as possible ? How much client-side knowledge is needed? stroeder.com
What? Guiding vs. enforcing, notes about users Introduction to available server information Example use-cases with web2ldap using server information Recommendations Open issues to be solved stroeder.com
Guiding... (1) Mantra: Guiding is not enforcing! Avoid user frustration, reducing false attempts to reach use-case goal in normal situation Try to use server-side extensions to improve client behaviour without bothering user Don't stop a skilled user to do something unusual stroeder.com
Guiding... (2) Meaningful input forms: – searchable naming contexts (rootDSE) – available attributes and editable input values (subschema, access control, constraints) – Information about affected LDAP entries (count) Gracefully handle user's input values (normalize) Optional use of : DIT content/structure rules, name forms, LDAPv3 ext. controls and ext. operations stroeder.com
Enforcing... (1) Recommendation: Let only the server enforce... – schema – access control – constraints (values, uniqueness, references) Avoid client enforcing of schema and constraints because users could circumvent rules => data integrity risks Avoid client-side access control because users could circumvent rules => security risks stroeder.com
Enforcing... (2) Client-side access control requires powerful proxy user accounts which in real life gets (ab)used later for other purposes (yuck!) More meaningful logging possible by using end user's identity for LDAP operations Server can check constraints within one transaction stroeder.com
Enforcing... (3) Things to enforce at client side based on client configuration or user's input: – StartTLS – bind method Local security configuration in web2ldap is gateway security policy stroeder.com
Users... Some personal observations: – Users are not dumb – Users are pretty good in ignoring unneeded things – Users appreciate additional information if something went wrong and will report it to you – Secretary with usual office skills provides better data than IT guy with technical LDAP skills – Speaking with end users helps personal observations are the opposite of mainstream UI opinions of IT guys... stroeder.com
Server-side information (1) LDAP result information (often overlooked) – result code – diagnostic message rootDSE (obvious) – naming contexts, default search root – features (extended controls/operations) – vendor-specific information (server roles etc.) subschema subentry (most promising) stroeder.com
Server-side information (2) extended controls extended operations number of entries/values (entry count) operational attributes (modifyTimestamp, numSubordinates etc.) special count extensions audit / change log databases (for restoring?) server-side access control and constraints stroeder.com
Rather not generic /web2ldap/passwd Set password with various methods (RFC 3062 ext.op., client-side hashed, MS AD, Samba3 hashes) /web2ldap/groupadm Add/remove entry to/from groups /web2ldap/dds Refresh operation for dynamic entries (implemented for Dieter) Still subschema used almost everywhere. stroeder.com
Subschema subentry (1) LDAP syntax matching rule SYNTAX EQUALITY SUBSTR ORDERING SYNTAX attribute type MUST MAY NOT APPLIES matching rule use MUST MAY SUP same OID same OID structural object class SUP abstract object class SUP SUP auxiliary object class MUST AUX DIT structure rule DIT content rule OC FORM Name form SUP stroeder.com
Subschema subentry (2) Query attribute subschemaSubentry in current entry Read and parse the referenced subschema subentry Fall-back needed due to access restrictions Each part of the DIT could have separate subschema (rarely in practice) Not unusual to have big subschema subentry ~200..400kB => caching needed! stroeder.com
Demos Any special interests ? stroeder.com
Diffing with matching rules Goal: Fine-grained delete-by-value to provoke collisions in case of concurrent write access (e.g. two admins working at the same ticket) web2ldap uses EQUALITY matching rule information to determine whether it's possible to delete a certain attribute value Matching rules are inherited ! It's not sufficient to only look at the AttributeTypeDescription... stroeder.com
DIT structure rules & name forms Enforce tree structure, web2ldap guides Ideal if server sets governingStructureRule If not you have to find nearest “subschema administrative point” Real X.500 servers might provide attribute administrativeRole with a value of subschemaAdminSpecificArea => rather exotic in the pure LDAP field => fall-back to best matching naming context Thanks to S. Legg for this private lesson :-) stroeder.com
Interop issues (1) Domino/LDAP tested up to 7.x (not sure whether fixed in 8.x): – single null-byte in attribute namingContexts – returns diagnosticMessage in ISO-8859-1 – many attributes not found in subschema web2ldap has work-arounds otherwise users would blame web2ldap not to work with Domino/LDAP BTW : It was funny to see Domino/LDAP 5.x crash because of tab character sent in a password ;-) (fixed) stroeder.com
Interop issues (2) Assertion control sent with modify request to detect concurrent write access Leads to interop issues with slapo-constraint Had to disable this completely forever even if it gets fixed because vendor version not available in rootDSE Users would blame web2ldap not to work with OpenLDAP stroeder.com
Interop issues (3) Basically it's good when LDAP server enforces access control - also on use of extended controls But overzealous checks are not good ! OpenDJ disallowed post read entry control even in case the user was allowed to read entry At least a non-critical controls should not result in error code being returned Users would blame web2ldap not to work with OpenDJ stroeder.com
Interop issues (4) ApacheDS returned invalid ASN.1 encoding for password policy response control => raising ASN.1 exception was disabled in python-ldap in case of invalid but non-critical response controls Otherwise users would blame web2ldap not to work with ApacheDS stroeder.com
Interop issues (5) OpenLDAP returned invalid ASN.1 encoding for read entry response control Immediately fixed by Pierangelo within hours But decoding work-around added to web2ldap Otherwise users would blame web2ldap not to work with OpenLDAP or I'd have to disable the feature forever. stroeder.com
Interop issues (6) non-ASCII chars in MS AD's are a bad idea SASL/DIGEST-MD5 does not work even though you can see UTF-8 mentioned in SASL messages impossible to work around this I don't expect this to be ever fixed because of AD's own backward compability commitment stroeder.com
Recommendation to client developers Don't implement an advance LDAP client, it's waste of your spare time Prefer RAD to meet customer's requirements Still crazy enough? Still interested in implementing advanced LDAP features ? Mantra : testing, testing, testing, testing, .... Otherwise people will complain about your client and will prefer dumb LDAP clients stroeder.com
Interop testing with servers OpenLDAP 2.x OpenDJ 2.4.x MS Active Directory W2K3..W2K12 CA eTrust Directory 8.1 and 12.0 Novell eDirectory 8.7.x and 8.8.x Lotus Domino LDAP R5.x, R6.x and R7.0.x 389/Fedora Directory Server (fairly recent) iPlanet/SunONE Directory Server 5.x and 6.x Siemens DirX 6.x Innosoft Distributed Directory Server (IDDS) IBM Directory Server 5.1 Apache DS 1.5 and 2.0M7 OpenDS 1.0 and 2.0RC Isode's M-Vault LDAP/X.500 Directory Server R14 eB2Bcom's ViewDS (formerly View500) 6.0e11 Critical Path InJoin and Directory Server 4.2 Syntegra (historic) Netscape Directory Server 4.x (historic) stroeder.com
Recommendation to server developers Meaningful diagnosticMessage helps ! Don't write it just to the server's log. Invite client developers to do interop testing of more advanced features (test drive licenses) Fix bugs reported to you ;-) Add vendorName/vendorVersion to rootDSE Document proprietary schema and extensions don't hide experimental schema (.666) stroeder.com
Recommendation to IT admins Don't set overrestrictive access control on – rootDSE – subschema subentry – operational attributes Try to find interop issues and report them to client and server developers if appropriate Mantra : Logging helps... stroeder.com
Access control Goal : Disable input fields if no write access Parsing proprietary ACLs / ACIs not an option Get Effective Rights control : different variants with the same control OID ! web2ldap uses allowedAttributesEffective (available in MS AD and slapo-allowed) Value-based access control is an issue Rather a permissive write access interpretation is recommended stroeder.com
Failed attributes control The diagnosticMessage is useful but not machine-readable, user has to read and correctly interpret it. How about a response control listing what went wrong for which attribute? Would be useful to point the user directly to input fields with false data. stroeder.com
Attribute constraints (1) New schema definition attributeConstraints (suggested on ietf-ldapext back in 2008) – REGEX – VALUES – LDAPURI – OPTIONS – NUMBER <min>..<max> – MAXBYTELEN / MAXCHARLEN Would partially directly fit HTML5 browser-side checking stroeder.com
Attribute constraints (2) Attribute type 'jpegPhoto' with restricted size and limited to a single value: attributeConstraints ( 0.9.2342.19200300.100.1.60 MAXNUMBER 1 MAXBYTELEN 4000 ) Attribute 'gender' restricted to values in ISO-5801: attributeConstraints ( 1.3.6.1.4.1.5427.1.389.4.7 VALUES ( '0' $ '1' $ '2' $ '9' ) ) stroeder.com
Attribute constraints (3) Search URIs ( <attribute type OID> LDAPURI <search URI> ) Value of attribute o in any org. entry : ldap:///ou=dc=example,dc=com?o?? (objectClass=organization) DN of manager's person entry : ldap:///dc=example,dc=com??? (&(objectClass=inetOrgPerson) (title=Manager)) stroeder.com
Thanks ! Any questions? Any suggestions? Still so crazy to develop advanced clients? Improve «dead» LDAP together? Have fun! stroeder.com

Recommended

Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerLDAPCon
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?LDAPCon
 
Distributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory ServerDistributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory ServerLDAPCon
 
Fusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldapFusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldapLDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...LDAPCon
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3LDAPCon
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAPCon
 

Recommended

Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerLDAPCon
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?LDAPCon
 
Distributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory ServerDistributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory ServerLDAPCon
 
Fusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldapFusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldapLDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...LDAPCon
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3LDAPCon
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAPCon
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudLDAPCon
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...MongoDB
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaAlexander Bokovoy
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Spring Ldap
Spring LdapSpring Ldap
Spring LdapPiergiorgio Lucidi
 
Update on the OpenDJ project
Update on the OpenDJ projectUpdate on the OpenDJ project
Update on the OpenDJ projectLDAPCon
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
11g Identity Management - InSync10
11g Identity Management - InSync1011g Identity Management - InSync10
11g Identity Management - InSync10Peter McLarty
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory servicesLDAPCon
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
Mime Magic With Apache Tika
Mime Magic With Apache TikaMime Magic With Apache Tika
Mime Magic With Apache TikaJukka Zitting
 
Open source identity management 20121106 - apache con eu
Open source identity management 20121106 - apache con euOpen source identity management 20121106 - apache con eu
Open source identity management 20121106 - apache con euFrancesco Chicchiriccò
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Futuretcloudcomputing-tw
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)Anatoliy Okhotnikov
 
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655Getting value from IoT, Integration and Data Analytics
 
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]Malin Weiss
 
Hadoop security
Hadoop securityHadoop security
Hadoop securityKashif Khan
 
Server 2008 r2 ppt
Server 2008 r2 pptServer 2008 r2 ppt
Server 2008 r2 pptRaj Solanki
 
Docker interview Questions-3.pdf
Docker interview Questions-3.pdfDocker interview Questions-3.pdf
Docker interview Questions-3.pdfYogeshwaran R
 

More Related Content

What's hot

How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudLDAPCon
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...MongoDB
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaAlexander Bokovoy
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
Update on the OpenDJ project
Update on the OpenDJ projectUpdate on the OpenDJ project
Update on the OpenDJ projectLDAPCon
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
11g Identity Management - InSync10
11g Identity Management - InSync1011g Identity Management - InSync10
11g Identity Management - InSync10Peter McLarty
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory servicesLDAPCon
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
Mime Magic With Apache Tika
Mime Magic With Apache TikaMime Magic With Apache Tika
Mime Magic With Apache TikaJukka Zitting
 
Open source identity management 20121106 - apache con eu
Open source identity management 20121106 - apache con euOpen source identity management 20121106 - apache con eu
Open source identity management 20121106 - apache con euFrancesco Chicchiriccò
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Futuretcloudcomputing-tw
 
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]Malin Weiss
 

What's hot (20)

How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
Spring Ldap
Spring LdapSpring Ldap
Spring Ldap
 
Update on the OpenDJ project
Update on the OpenDJ projectUpdate on the OpenDJ project
Update on the OpenDJ project
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-Linux
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
11g Identity Management - InSync10
11g Identity Management - InSync1011g Identity Management - InSync10
11g Identity Management - InSync10
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory services
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
 
Mime Magic With Apache Tika
Mime Magic With Apache TikaMime Magic With Apache Tika
Mime Magic With Apache Tika
 
Open source identity management 20121106 - apache con eu
Open source identity management 20121106 - apache con euOpen source identity management 20121106 - apache con eu
Open source identity management 20121106 - apache con eu
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
Hadoop Security Now and Future
Hadoop Security Now and FutureHadoop Security Now and Future
Hadoop Security Now and Future
 
Ldap introduction (eng)
Ldap introduction (eng)Ldap introduction (eng)
Ldap introduction (eng)
 
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
Databasecentricapisonthecloudusingplsqlandnodejscon3153oow2016 160922021655
 
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
JavaOne2016 - Microservices: Terabytes in Microseconds [CON4516]
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 

Similar to Do The Right Thing! How LDAP servers should help LDAP clients

Server 2008 r2 ppt
Server 2008 r2 pptServer 2008 r2 ppt
Server 2008 r2 pptRaj Solanki
 
Docker interview Questions-3.pdf
Docker interview Questions-3.pdfDocker interview Questions-3.pdf
Docker interview Questions-3.pdfYogeshwaran R
 
The way from DB-driven development to DDD
The way from DB-driven development to DDDThe way from DB-driven development to DDD
The way from DB-driven development to DDDProvectus
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity ManagementInSync Conference
 
High Performance Mysql
High Performance MysqlHigh Performance Mysql
High Performance Mysqlliufabin 66688
 
Monitoring active-directory
Monitoring active-directoryMonitoring active-directory
Monitoring active-directoryPrince JabaKumar
 
Data Handning with Sqlite for Android
Data Handning with Sqlite for AndroidData Handning with Sqlite for Android
Data Handning with Sqlite for AndroidJakir Hossain
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory EnumerationDaniel López Jiménez
 
Complete open source IAM solution
Complete open source IAM solutionComplete open source IAM solution
Complete open source IAM solutionRadovan Semancik
 
MySQL HA Alternatives 2010
MySQL HA Alternatives 2010MySQL HA Alternatives 2010
MySQL HA Alternatives 2010Kris Buytaert
 
Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010
Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010
Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010Bhupesh Bansal
 
Hadoop and Voldemort @ LinkedIn
Hadoop and Voldemort @ LinkedInHadoop and Voldemort @ LinkedIn
Hadoop and Voldemort @ LinkedInHadoop User Group
 
Sql server performance tuning and optimization
Sql server performance tuning and optimizationSql server performance tuning and optimization
Sql server performance tuning and optimizationManish Rawat
 
Front Range PHP NoSQL Databases
Front Range PHP NoSQL DatabasesFront Range PHP NoSQL Databases
Front Range PHP NoSQL DatabasesJon Meredith
 
Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)
Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)
Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)Maarten Balliauw
 
The Power of Relationships in Your Big Data
The Power of Relationships in Your Big DataThe Power of Relationships in Your Big Data
The Power of Relationships in Your Big DataPaulo Fagundes
 

Similar to Do The Right Thing! How LDAP servers should help LDAP clients (20)

Server 2008 r2 ppt
Server 2008 r2 pptServer 2008 r2 ppt
Server 2008 r2 ppt
 
Docker interview Questions-3.pdf
Docker interview Questions-3.pdfDocker interview Questions-3.pdf
Docker interview Questions-3.pdf
 
The way from DB-driven development to DDD
The way from DB-driven development to DDDThe way from DB-driven development to DDD
The way from DB-driven development to DDD
 
Under the Hood 11g Identity Management
Under the Hood 11g Identity ManagementUnder the Hood 11g Identity Management
Under the Hood 11g Identity Management
 
Intro to Databases
Intro to DatabasesIntro to Databases
Intro to Databases
 
High Performance Mysql
High Performance MysqlHigh Performance Mysql
High Performance Mysql
 
Monitoring active-directory
Monitoring active-directoryMonitoring active-directory
Monitoring active-directory
 
Monitoring active-directory
Monitoring active-directoryMonitoring active-directory
Monitoring active-directory
 
Data Handning with Sqlite for Android
Data Handning with Sqlite for AndroidData Handning with Sqlite for Android
Data Handning with Sqlite for Android
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Complete open source IAM solution
Complete open source IAM solutionComplete open source IAM solution
Complete open source IAM solution
 
MySQL HA Alternatives 2010
MySQL HA Alternatives 2010MySQL HA Alternatives 2010
MySQL HA Alternatives 2010
 
Software Development with PHP & Laravel
Software Development with PHP & LaravelSoftware Development with PHP & Laravel
Software Development with PHP & Laravel
 
Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010
Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010
Voldemort & Hadoop @ Linkedin, Hadoop User Group Jan 2010
 
Hadoop and Voldemort @ LinkedIn
Hadoop and Voldemort @ LinkedInHadoop and Voldemort @ LinkedIn
Hadoop and Voldemort @ LinkedIn
 
L11 Application Architecture
L11 Application ArchitectureL11 Application Architecture
L11 Application Architecture
 
Sql server performance tuning and optimization
Sql server performance tuning and optimizationSql server performance tuning and optimization
Sql server performance tuning and optimization
 
Front Range PHP NoSQL Databases
Front Range PHP NoSQL DatabasesFront Range PHP NoSQL Databases
Front Range PHP NoSQL Databases
 
Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)
Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)
Get more than a cache back! The Microsoft Azure Redis Cache (NDC Oslo)
 
The Power of Relationships in Your Big Data
The Power of Relationships in Your Big DataThe Power of Relationships in Your Big Data
The Power of Relationships in Your Big Data
 

More from LDAPCon

Benchmarks on LDAP directories
Benchmarks on LDAP directoriesBenchmarks on LDAP directories
Benchmarks on LDAP directoriesLDAPCon
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCLDAPCon
 
What's New in OpenLDAP
What's New in OpenLDAPWhat's New in OpenLDAP
What's New in OpenLDAPLDAPCon
 
What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...LDAPCon
 
Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAPLDAPCon
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioLDAPCon
 
Making Research "Social" using LDAP
Making Research "Social" using LDAPMaking Research "Social" using LDAP
Making Research "Social" using LDAPLDAPCon
 
eSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over WebeSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over WebLDAPCon
 
IAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementIAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementLDAPCon
 

More from LDAPCon (9)

Benchmarks on LDAP directories
Benchmarks on LDAP directoriesBenchmarks on LDAP directories
Benchmarks on LDAP directories
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSC
 
What's New in OpenLDAP
What's New in OpenLDAPWhat's New in OpenLDAP
What's New in OpenLDAP
 
What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...
 
Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAP
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory Studio
 
Making Research "Social" using LDAP
Making Research "Social" using LDAPMaking Research "Social" using LDAP
Making Research "Social" using LDAP
 
eSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over WebeSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over Web
 
IAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementIAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship Management
 

Recently uploaded

H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Do The Right Thing! How LDAP servers should help LDAP clients

  • 2. Who? Michael Ströder <michael@stroeder.com> Freelancer : LDAP and PKI consulting Active open source projects: – http://web2ldap.de – http://python-ldap.org Not a UI expert Old-fashioned Concerned about insecurity by complexity stroeder.com
  • 3. Why? Kurt Zeilenga wrote: > It might be interesting to discuss how/where web2ldap is > able to support its users using vendor-inspecific codes, > where you need to use vendor-specific codes, where LDAP's > discovery mechanisms help, where they don't, what you do > when they don't, etc. How to guide human users using as much server-side information as possible ? How much client-side knowledge is needed? stroeder.com
  • 4. What? Guiding vs. enforcing, notes about users Introduction to available server information Example use-cases with web2ldap using server information Recommendations Open issues to be solved stroeder.com
  • 5. Guiding... (1) Mantra: Guiding is not enforcing! Avoid user frustration, reducing false attempts to reach use-case goal in normal situation Try to use server-side extensions to improve client behaviour without bothering user Don't stop a skilled user to do something unusual stroeder.com
  • 6. Guiding... (2) Meaningful input forms: – searchable naming contexts (rootDSE) – available attributes and editable input values (subschema, access control, constraints) – Information about affected LDAP entries (count) Gracefully handle user's input values (normalize) Optional use of : DIT content/structure rules, name forms, LDAPv3 ext. controls and ext. operations stroeder.com
  • 7. Enforcing... (1) Recommendation: Let only the server enforce... – schema – access control – constraints (values, uniqueness, references) Avoid client enforcing of schema and constraints because users could circumvent rules => data integrity risks Avoid client-side access control because users could circumvent rules => security risks stroeder.com
  • 8. Enforcing... (2) Client-side access control requires powerful proxy user accounts which in real life gets (ab)used later for other purposes (yuck!) More meaningful logging possible by using end user's identity for LDAP operations Server can check constraints within one transaction stroeder.com
  • 9. Enforcing... (3) Things to enforce at client side based on client configuration or user's input: – StartTLS – bind method Local security configuration in web2ldap is gateway security policy stroeder.com
  • 10. Users... Some personal observations: – Users are not dumb – Users are pretty good in ignoring unneeded things – Users appreciate additional information if something went wrong and will report it to you – Secretary with usual office skills provides better data than IT guy with technical LDAP skills – Speaking with end users helps personal observations are the opposite of mainstream UI opinions of IT guys... stroeder.com
  • 11. Server-side information (1) LDAP result information (often overlooked) – result code – diagnostic message rootDSE (obvious) – naming contexts, default search root – features (extended controls/operations) – vendor-specific information (server roles etc.) subschema subentry (most promising) stroeder.com
  • 12. Server-side information (2) extended controls extended operations number of entries/values (entry count) operational attributes (modifyTimestamp, numSubordinates etc.) special count extensions audit / change log databases (for restoring?) server-side access control and constraints stroeder.com
  • 13. Rather not generic /web2ldap/passwd Set password with various methods (RFC 3062 ext.op., client-side hashed, MS AD, Samba3 hashes) /web2ldap/groupadm Add/remove entry to/from groups /web2ldap/dds Refresh operation for dynamic entries (implemented for Dieter) Still subschema used almost everywhere. stroeder.com
  • 14. Subschema subentry (1) LDAP syntax matching rule SYNTAX EQUALITY SUBSTR ORDERING SYNTAX attribute type MUST MAY NOT APPLIES matching rule use MUST MAY SUP same OID same OID structural object class SUP abstract object class SUP SUP auxiliary object class MUST AUX DIT structure rule DIT content rule OC FORM Name form SUP stroeder.com
  • 15. Subschema subentry (2) Query attribute subschemaSubentry in current entry Read and parse the referenced subschema subentry Fall-back needed due to access restrictions Each part of the DIT could have separate subschema (rarely in practice) Not unusual to have big subschema subentry ~200..400kB => caching needed! stroeder.com
  • 16. Demos Any special interests ? stroeder.com
  • 17. Diffing with matching rules Goal: Fine-grained delete-by-value to provoke collisions in case of concurrent write access (e.g. two admins working at the same ticket) web2ldap uses EQUALITY matching rule information to determine whether it's possible to delete a certain attribute value Matching rules are inherited ! It's not sufficient to only look at the AttributeTypeDescription... stroeder.com
  • 18. DIT structure rules & name forms Enforce tree structure, web2ldap guides Ideal if server sets governingStructureRule If not you have to find nearest “subschema administrative point” Real X.500 servers might provide attribute administrativeRole with a value of subschemaAdminSpecificArea => rather exotic in the pure LDAP field => fall-back to best matching naming context Thanks to S. Legg for this private lesson :-) stroeder.com
  • 19. Interop issues (1) Domino/LDAP tested up to 7.x (not sure whether fixed in 8.x): – single null-byte in attribute namingContexts – returns diagnosticMessage in ISO-8859-1 – many attributes not found in subschema web2ldap has work-arounds otherwise users would blame web2ldap not to work with Domino/LDAP BTW : It was funny to see Domino/LDAP 5.x crash because of tab character sent in a password ;-) (fixed) stroeder.com
  • 20. Interop issues (2) Assertion control sent with modify request to detect concurrent write access Leads to interop issues with slapo-constraint Had to disable this completely forever even if it gets fixed because vendor version not available in rootDSE Users would blame web2ldap not to work with OpenLDAP stroeder.com
  • 21. Interop issues (3) Basically it's good when LDAP server enforces access control - also on use of extended controls But overzealous checks are not good ! OpenDJ disallowed post read entry control even in case the user was allowed to read entry At least a non-critical controls should not result in error code being returned Users would blame web2ldap not to work with OpenDJ stroeder.com
  • 22. Interop issues (4) ApacheDS returned invalid ASN.1 encoding for password policy response control => raising ASN.1 exception was disabled in python-ldap in case of invalid but non-critical response controls Otherwise users would blame web2ldap not to work with ApacheDS stroeder.com
  • 23. Interop issues (5) OpenLDAP returned invalid ASN.1 encoding for read entry response control Immediately fixed by Pierangelo within hours But decoding work-around added to web2ldap Otherwise users would blame web2ldap not to work with OpenLDAP or I'd have to disable the feature forever. stroeder.com
  • 24. Interop issues (6) non-ASCII chars in MS AD's are a bad idea SASL/DIGEST-MD5 does not work even though you can see UTF-8 mentioned in SASL messages impossible to work around this I don't expect this to be ever fixed because of AD's own backward compability commitment stroeder.com
  • 25. Recommendation to client developers Don't implement an advance LDAP client, it's waste of your spare time Prefer RAD to meet customer's requirements Still crazy enough? Still interested in implementing advanced LDAP features ? Mantra : testing, testing, testing, testing, .... Otherwise people will complain about your client and will prefer dumb LDAP clients stroeder.com
  • 26. Interop testing with servers OpenLDAP 2.x OpenDJ 2.4.x MS Active Directory W2K3..W2K12 CA eTrust Directory 8.1 and 12.0 Novell eDirectory 8.7.x and 8.8.x Lotus Domino LDAP R5.x, R6.x and R7.0.x 389/Fedora Directory Server (fairly recent) iPlanet/SunONE Directory Server 5.x and 6.x Siemens DirX 6.x Innosoft Distributed Directory Server (IDDS) IBM Directory Server 5.1 Apache DS 1.5 and 2.0M7 OpenDS 1.0 and 2.0RC Isode's M-Vault LDAP/X.500 Directory Server R14 eB2Bcom's ViewDS (formerly View500) 6.0e11 Critical Path InJoin and Directory Server 4.2 Syntegra (historic) Netscape Directory Server 4.x (historic) stroeder.com
  • 27. Recommendation to server developers Meaningful diagnosticMessage helps ! Don't write it just to the server's log. Invite client developers to do interop testing of more advanced features (test drive licenses) Fix bugs reported to you ;-) Add vendorName/vendorVersion to rootDSE Document proprietary schema and extensions don't hide experimental schema (.666) stroeder.com
  • 28. Recommendation to IT admins Don't set overrestrictive access control on – rootDSE – subschema subentry – operational attributes Try to find interop issues and report them to client and server developers if appropriate Mantra : Logging helps... stroeder.com
  • 29. Access control Goal : Disable input fields if no write access Parsing proprietary ACLs / ACIs not an option Get Effective Rights control : different variants with the same control OID ! web2ldap uses allowedAttributesEffective (available in MS AD and slapo-allowed) Value-based access control is an issue Rather a permissive write access interpretation is recommended stroeder.com
  • 30. Failed attributes control The diagnosticMessage is useful but not machine-readable, user has to read and correctly interpret it. How about a response control listing what went wrong for which attribute? Would be useful to point the user directly to input fields with false data. stroeder.com
  • 31. Attribute constraints (1) New schema definition attributeConstraints (suggested on ietf-ldapext back in 2008) – REGEX – VALUES – LDAPURI – OPTIONS – NUMBER <min>..<max> – MAXBYTELEN / MAXCHARLEN Would partially directly fit HTML5 browser-side checking stroeder.com
  • 32. Attribute constraints (2) Attribute type 'jpegPhoto' with restricted size and limited to a single value: attributeConstraints ( 0.9.2342.19200300.100.1.60 MAXNUMBER 1 MAXBYTELEN 4000 ) Attribute 'gender' restricted to values in ISO-5801: attributeConstraints ( 1.3.6.1.4.1.5427.1.389.4.7 VALUES ( '0' $ '1' $ '2' $ '9' ) ) stroeder.com
  • 33. Attribute constraints (3) Search URIs ( <attribute type OID> LDAPURI <search URI> ) Value of attribute o in any org. entry : ldap:///ou=dc=example,dc=com?o?? (objectClass=organization) DN of manager's person entry : ldap:///dc=example,dc=com??? (&(objectClass=inetOrgPerson) (title=Manager)) stroeder.com
  • 34. Thanks ! Any questions? Any suggestions? Still so crazy to develop advanced clients? Improve «dead» LDAP together? Have fun! stroeder.com