
The Ldap Protocol


The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services, running over TCP/IP.

Published in: Technology


  1. The LDAP Protocol, Glen Plantz (gplantz@san.rr.com)
  2. Agenda
     - Background and Motivation
     - Understanding LDAP
     - Protocol Model
     - Vendors
     - Implementations
     - Directory Middleware Vendors
     - Protocol Details
     - Security
     - Directory Services in Patterns for eBusiness Architecture
     - Discussion
  3. Background and Motivation
     - A central corporate repository for commonly used information
     - Needs placed on that information: functionality, ease of use, administration, clear and consistent organization, integrity, security
  4. Concept: Directory
     - A specialized database that stores information about objects (e.g. list information about printers)
     - Allows a user or application to find resources that have the characteristics needed for a task (e.g. find a server that can access customer billing information)
     - "White and yellow pages"
  5. Comparison with a relational database
     - Optimized for read access: high volumes of read and search requests, rare update requests
     - No transactions
     - The way information can be accessed: the LDAP URL
  6. LDAP in Context (diagram)
  7. X.500: the X.500 standard directory (diagram)
  8. What is LDAP?
     - Lightweight Directory Access Protocol
     - Used to access and update information in a directory built on the X.500 model
     - The specification defines the content of messages between the client and the server
     - Includes operations to establish and disconnect a session with the server
  9. LDAP server (diagram)
     - Gateway to an X.500 server: the client speaks LDAP over TCP/IP to the LDAP server, which speaks X.500 over OSI to the directory server
     - Stand-alone: the client speaks LDAP over TCP/IP to an LDAP server that holds the directory itself
  10. Understanding LDAP
     - A lightweight alternative to DAP
     - Uses TCP/IP instead of the OSI stack
     - Simplifies certain functions and omits others
     - Uses strings rather than DAP's ASN.1 notation to represent data
  11. LDAP v2 (Draft Standard)
     - RFC 1777: LDAP v2
     - RFC 1778: The String Representation of Standard Attribute Syntaxes
     - RFC 1779: A String Representation of Distinguished Names
     - RFC 1959: An LDAP URL Format
     - RFC 1960: A String Representation of LDAP Search Filters
  12. Version 2 vs Version 3
     - Referrals: a server that does not store the requested data can refer the client to another server
     - Security: extensible authentication using the Simple Authentication and Security Layer (SASL)
     - Internationalization: UTF-8 support for international characters
     - Extensibility: new object types and operations can be dynamically defined, and schema published in a standard manner
  13. LDAP Models
     - Information: the structure of information stored in an LDAP directory
     - Naming: how information is organized and identified
     - Functional / Operations: what operations can be performed on the information stored in an LDAP directory
     - Security: how the information can be protected from unauthorized access
  14. Directory Information Tree
     - Data is stored in entries
     - Entries are ordered as tree nodes in the Directory Information Tree (DIT)
       - Every node has 0 to n children
       - Every node except the root has exactly 1 parent node
  15. Directory Information Tree (DIT) (diagram); example DN: cn=Joe Buck,ou=Sales,dc=sun,dc=com
  16. LDAP Information Storage (diagram)
  17. LDAP Information Storage
     - Entries have a "type" specified by their "objectClass": Person, Server, Printer, etc.
     - Example entry: inetOrgPerson (cn, sn, objectClass)
     - Example attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
  18. LDAP Information Storage
     - Each attribute has a type and zero or more values
     - The type defines how values behave during searches and directory operations
     - Types: bin, ces, cis, tel, dn, etc.
  19. LDAP Attribute Examples

     | Attribute Type         | String |
     |------------------------|--------|
     | CommonName             | CN     |
     | LocalityName           | L      |
     | StateOrProvinceName    | ST     |
     | OrganizationName       | O      |
     | OrganizationalUnitName | OU     |
     | CountryName            | C      |
     | StreetAddress          | STREET |
     | domainComponent        | DC     |
     | Userid                 | UID    |

  20. LDAP Naming
     - An entry has a distinguished name (DN)
     - A DN consists of a sequence of relative distinguished names; example DN: cn=Joe Buck,ou=Sales,dc=sun,dc=com
     - The name of an entry at its own hierarchy level is its Relative Distinguished Name (RDN)
     - All RDNs from the root onwards build the Distinguished Name (DN) within the Directory Information Tree (DIT)
     - No two entries at one hierarchy level can have the same RDN; thus no two entries in the whole directory can
  21. LDAP Naming
     - A DN consists of a sequence of RDNs: cn=John Smith,ou=Austin,o=IBM,c=US
     - The Directory Information Tree (DIT) follows a geographical or organizational scheme
     - Aliases
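The naming rules on slides 20 and 21 in working code, as an added example that is not part of the deck: a DN is split into its RDNs, the parent DN is derived, and the rule that no two entries may share an RDN under the same parent is checked. Backslash escaping of commas follows RFC 2253, which the slides do not detail, and value case is compared as-is (cis attributes would need case folding); both are assumptions of this example.

```python
from typing import List, Tuple

def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash escapes (RFC 2253 rule, assumed)."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep both chars literally
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                         # an unescaped comma ends the RDN
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Return (attribute type, value); the type is case-insensitive, so lowercase it."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip().lower(), value.strip()

def parent_dn(dn: str) -> str:
    """DN of the parent entry one level up the DIT; '' for the root."""
    return ",".join(split_dn(dn)[1:])

def normalize(dn: str) -> str:
    """Canonical form for comparing DNs: lowercase types, no spaces around commas."""
    return ",".join(f"{a}={v}" for a, v in map(parse_rdn, split_dn(dn)))

def find_duplicate_entries(dns: List[str]) -> List[str]:
    """Normalized DNs that occur more than once, i.e. the same RDN under the same parent.

    Because a DN is the chain of RDNs from the root, a sibling clash is exactly
    a duplicate DN, which is the uniqueness rule stated on the slide."""
    seen, clashes = set(), []
    for dn in dns:
        key = normalize(dn)
        if key in seen and key not in clashes:
            clashes.append(key)
        seen.add(key)
    return clashes
```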
  22. Directory Information Tree (DIT) (diagram); DN: cn=Joe Buck,ou=Sales,dc=sun,dc=com
  23. LDAP Naming: Schema
     - Defines which object classes are allowed and where they are stored
     - Defines which attributes an object class has, which of them are optional, and the type/syntax of each attribute (objectClass)
     - Querying the schema supported by a server: the LDAP schema must be readable by the
  24. LDAP Naming: Referrals
     - A server may not store the entire DIT (v3)
     - Referrals: objectClass=referral, attribute=ref, value=LDAP URL
     - Implementations differ: referrals vs. chaining is a vendor choice (RFC 1777: server chaining is expected)
  25. OIDs
     - An entry is an information object
     - The mechanisms for representing the data are objects as well, identified by an OID (Object Identifier), e.g. 1.234.567.8.123
     - OIDs are again represented in a hierarchical tree
     - OIDs are world-wide unique
  26. LDAP Vendors
     - Server: OpenLDAP; Oracle Internet Directory; Novell eDirectory; Sun ONE Directory Server (was iPlanet Directory Server); IBM Directory Server; Microsoft Active Directory
     - Client: Microsoft Outlook & Outlook Express
  27. Sun ONE Directory Server Features
     - Overall fastest LDAP performer
     - Centralized management console
     - SDK (Perl, C, Java)
     - Security (ACL, SSL, SASL)
     - Data replication
     - Extensible / plug-ins
     - Referrals
  28. LDAP Implementations
     - C library API: LDAPv2 in RFC 1823 "The LDAP API"; LDAPv3 in the Internet Draft stage
     - Java: JNDI
     - Perl: PerLDAP and Net::LDAP
     - C++ API: experimental, OpenLDAP.org
     - LDAP v3 uses the UTF-8 encoding of the Unicode character set
  29. Directory Middleware Vendors
     - Virtual directory vendors: Octetstring (Virtual Directory Engine); Radiant Logic
     - Meta-directory vendors: IBM Directory Integrator; Maxware; Critical Path Meta-Directory Server
     - Identity management: Netegrity (Identity Minder); Secure Computing Corporation (Safeword)
  30. LDAP Protocol Details
  31. LDAP Functions/Operations
     - Authentication: BIND/UNBIND, ABANDON
     - Query: Search, Compare entry
     - Update: Add an entry, Delete an entry (only leaf nodes, no aliases), Modify an entry
  32. Protocol Model
     - Clients perform protocol operations against servers: the client sends a protocol request to the server, the server performs the operation on the directory and returns a response (results or errors)
     - Asynchronous server behavior
     - It is a connection-oriented protocol
  33. Protocol Elements: LDAPMessage, with a unique MessageID (diagram)
  34. Protocol Elements: LDAP Result
     - Errors: a truncated DIT RDN sequence is sent with the result; example result codes are noSuchObject, aliasProblem, invalidDNSyntax, isLeaf, etc.
  35. Protocol Element Encoding
     - Encoded for exchange using BER (Basic Encoding Rules)
     - BER is defined in Abstract Syntax Notation One (ASN.1)
     - BER has high overhead, so restrictions are imposed to improve performance:
       - Definite form of length encoding only
       - Bit strings, octet strings and all character string types are encoded in primitive form only
  36. Client and Server Interaction
     - The client establishes a session with the server (BIND): hostname/IP and port number
       - Security: user-id/password based authentication; anonymous connection with default access rights; encryption/Kerberos also supported
     - The client performs operations: read/update/search
     - The client ends the session (UNBIND)
     - The client can ABANDON
  37. Directory Client/Server Interaction (diagram)
  38. Mapping onto Transport
     - Uses a connection-oriented, reliable transport
     - TCP: the LDAPMessage PDU is mapped onto the TCP byte stream; the LDAP listener is on port 389
     - Connection Oriented Transport Service (COTS): the LDAP PDU is mapped directly onto T-Data
  39. BIND/UNBIND/ABANDON
     - BIND request includes the LDAP version, the name the client wants to bind as, and the authentication type: Simple (clear-text password, or anonymous) or Kerberos; the server responds with a status indication
     - UNBIND terminates a protocol session: UnbindRequest ::= [APPLICATION 2] NULL
     - ABANDON: the MessageID of the operation to abandon
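The encoding rules of slide 35 and the request shapes of slide 39, as an added example (not from the deck): two LDAPMessages are hand-encoded in BER with definite lengths and primitive strings, then decoded again. The tag values assumed here follow RFC 1777/2251: BindRequest is [APPLICATION 0], UnbindRequest is [APPLICATION 2] NULL, and simple credentials are context tag [0]. The DN and password are constructed sample values.

```python
from typing import Tuple

def ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's complement (non-negative values only in this example)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    op = ber_int(3) + tlv(0x04, dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    # 0x60 = [APPLICATION 0], constructed.  Note the password travels as plain octets:
    # a simple bind is readable on the wire unless the session runs over TLS (slide 46).
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))

def unbind_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, unbindRequest [APPLICATION 2] NULL } -> 0x42 with empty value."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x42, b""))

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one definite-length TLV; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long form: low bits give the byte count
        cnt = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + cnt], "big"), pos + cnt
    return tag, buf[pos:pos + ln], pos + ln

def describe(msg: bytes) -> Tuple[int, str]:
    """Return (messageID, operation name) for an encoded LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, nxt = read_tlv(body)          # messageID INTEGER comes first
    op_tag, _, _ = read_tlv(body, nxt)    # then the protocolOp CHOICE
    names = {0x60: "bindRequest", 0x42: "unbindRequest"}
    return int.from_bytes(mid, "big", signed=True), names.get(op_tag, "other")
```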
  40. Search/Compare
     - The Search request includes:
       - baseObject: an LDAPDN
       - scope: how many levels are to be searched
       - derefAliases: handling of aliases
       - sizeLimit: maximum number of entries returned
       - timeLimit: maximum time allowed for the search
       - attrsOnly: return attribute types only, or values as well
       - filter: condition to be fulfilled when searching
       - attributes: list of the entry's attributes to be returned
     - Read and List are implemented as searches
     - Compare: similar to Search but returns true/false
  41. ADD/MODIFY/DELETE
     - ADD request: entry (LDAPDN) and a list of attributes and values (or sets of values)
     - MODIFY request: used to add, delete and modify attributes; includes the object (LDAPDN) and a list of modifications (applied atomically): Add, Delete, Replace
     - DELETE request: object (LDAPDN)
     - MODIFY RDN request: LDAPDN, newRDN, DEL_FLAG
  42. LDAP Security
  43. Security Mechanisms
     - Issues: authentication, integrity, confidentiality, authorization
     - Several authentication mechanisms: bind with password; SASL mechanisms
     - Session encryption: TLS
     - Access control mechanism on subtree, entry and attribute level
     - Access control can use different identifications: authentication ID, IP address, ...
  44. LDAP Security
     - Security is based on the BIND model
       - Clear text: version 1
       - Kerberos: versions 1, 2, 3 (deprecated)
       - SASL: version 3
     - Simple Authentication and Security Layer: uses one of many authentication methods
     - Transport Layer Security: based on SSL v3 from Netscape
  45. LDAP Security
     - No authentication
     - Basic authentication: DN and password provided, clear-text or Base64 encoded
     - SASL (RFC 2222): parameters are DN, mechanism, credentials; provides cross-protocol authentication calls; encryption can optionally be negotiated; ldap_sasl_bind() (v3 call); the server's mechanisms can be read at ldap://<ldap_server>/?supportedsaslmechanisms
  46. LDAP Security: LDAP using SASL over SSL/TLS (diagram)
  47. LDAP Security: SSL/TLS handshake (diagram)
  48. LDAP management (diagram)
  49. Referral Scheme (diagram)
  50. Referral Scheme for Knowledge References (diagram)
  51. LDAP URL Format
     - "ldap://" [ hostName [ ":" portNumber ] ] "/" baseDN [ "?" attributeList [ "?" scope "?" filterString [ "?" extensions ] ] ]
     - For example, if a client searches the subtree dc=airius, dc=com for all entries with surname smith (as in the preceding example), the referral would be returned as the following LDAP URL: ldap://server1.airius.com:389/ou=Engineering, dc=airius, dc=com
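A parser for the URL grammar on slide 51, added here as an example that is not part of the deck; it also covers the supportedsaslmechanisms URL from slide 45. The defaults for an omitted port (389), scope ("base") and filter ("(objectClass=*)") and the percent-decoding of fields follow the LDAP URL RFC and are assumptions of this example; IPv6 host literals are not handled.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

@dataclass
class LdapUrl:
    host: Optional[str]          # None when the URL names no server (client default)
    port: int
    base_dn: str
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter_str: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)

def parse_ldap_url(url: str) -> LdapUrl:
    """Split an ldap:// URL into host, port, baseDN, attributes, scope, filter, extensions."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    hostport, sep, tail = url[len("ldap://"):].partition("/")
    if not sep:
        raise ValueError("missing '/' before the base DN")
    host, port = None, 389
    if hostport:
        h, colon, p = hostport.rpartition(":")
        if colon:
            if not p.isdigit():
                raise ValueError(f"bad port in {hostport!r}")
            host, port = h, int(p)
        else:
            host = hostport
    # the four optional fields are positional and separated by '?'
    parts = tail.split("?", 4)
    parts += [""] * (5 - len(parts))             # pad the fields that were omitted
    base, attrs, scope, flt, exts = (unquote(p) for p in parts)
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    return LdapUrl(host, port, base,
                   [a for a in attrs.split(",") if a],
                   scope, flt or "(objectClass=*)",
                   [e for e in exts.split(",") if e])
```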
  52. LDAP Data Interchange Format (LDIF)
     - RFC 2847: The LDAP Data Interchange Format (LDIF) Technical Specification, G. Good, June 2000
     - A format for exchanging data
     - Example (attribute and value are separated by a colon in LDIF):

       dn: cn=Mister X, o=University, c=CE
       objectclass: top
       objectclass: person
       objectclass: organizationalPerson
       cn: Mister X
       cn: Xavier Xerxes
       mail: X@dot.com
       mail: Mister.X@dot.com
       telephoneNumber: 1234567

       dn: cn=next entry, ...
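A small LDIF reader, added as an example that is not part of the deck: it turns LDIF text into entries, handling the details the slide's short example leaves implicit (entries separated by blank lines, multi-valued attributes, continuation lines that start with a space, and base64 values marked by a double colon). The input is constructed from the slide's example plus a few extra lines to exercise those cases.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute name (lowercased) -> list of values

# Constructed sample: the slide's entry, extended with a folded line and a base64 value.
SAMPLE_LDIF = """\
dn: cn=Mister X,o=University,c=CE
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Mister X
cn: Xavier Xerxes
mail: X@dot.com
mail: Mister.X@dot.com
telephoneNumber: 1234567
description: a long value that
  continues on the next line
sn:: WGVyeGVz

dn: cn=next entry,o=University,c=CE
objectClass: person
cn: next entry
sn: Entry
"""

def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into a list of entries."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation: append without the marker space
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = name.strip().lower()
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if not current and name != "dn":
            raise ValueError("an entry must begin with its dn")
        current.setdefault(name, []).append(value)
    return entries
```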
  53. How Directory Services fit into IBM's Patterns for eBusiness Architecture
  54. Patterns for eBusiness (diagram)
  55. Patterns for eBusiness that depend on Directory Services: Collaboration Business Pattern; Access Integration Pattern
  56. Collaboration application patterns (diagram)
  57. Directed Collaboration application pattern (diagram)
  58. Access Integration Patterns
     - Access Integration requires services that can include one or more of the following: device support, presentation, personalization, security and administration
  59. Application patterns for Access Integration (diagram)
  60. Web Single Sign-On application pattern (diagram)
  61. Web Single Sign-On run-time pattern: homogeneous application server (diagram)
  62. Combined run-time pattern, variation 1 (diagram)
  63. Access Integration Single Sign-On and Personalized Delivery application patterns: product mappings (diagram)
  64. Want To Know More?
     - www.kingsmountain.com/ldapRoadmap.shtml (another roadmap and tutorial)
     - www.openldap.org
     - www.ldapzone.com
