The LDAP Protocol…
Amrish Kaushik
Graduate Student
USC – Computer Science (CN)
Agenda
 Background and Motivation
 Understanding LDAP
 Information Structure
 Naming
 Functions/Operations
 Security
 Protocol Model
 Mapping onto Transport Services
 Protocol Element Encoding
 Discussion
Background and Motivation
 Increased reliance on networked computers
 Demands placed on directory information:
 Functionality
 Ease-of-use
 Administration (each application keeping its own directory is a burden)
 Clear and consistent organization
 Integrity
 Confidentiality
X.500
 X.500 standard. CCITT 1988
 Refer ISO 9594 – X.500-X.521 of 1990
X.500
 Organizes directory entries into a
hierarchical namespace
 Powerful search capabilities
 Often used for interfacing incompatible
directory services
 Used DAP for c/s communication
 DAP (App. Layer) requires ENTIRE OSI
stack to operate
 Too heavy for small environments
What is LDAP?
 Lightweight Directory Access Protocol
 Used to access and update information
in a directory built on the X.500 model
 Specification defines the content of
messages between the client and the
server
 Includes operations to establish and
disconnect a session from the server
LDAP Server: G/S
Understanding LDAP
 Lightweight alternative to DAP
 Uses TCP/IP instead of OSI stack
 Simplifies certain functions and omits others
 Represents most data elements (DNs, filters, attribute values) as plain strings
instead of DAP's structured ASN.1 types; the message envelope itself is still
ASN.1/BER encoded (see Protocol Element Encoding)
LDAP
 Information
 Structure of information stored in an LDAP
directory.
 Naming
 How information is organized and identified.
 Functional / Operations
 Describes what operations can be performed on
the information stored in an LDAP directory.
 Security
 Describes how the information can be protected
from unauthorized access.
LDAP Information Storage
 Each attribute has a type (with a syntax) and one or more values
 The syntax defines how values are compared during searches and other
directory operations
 LDAPv2 syntaxes: bin (binary), ces (case-exact string), cis (case-ignore
string), tel (telephone number), dn (distinguished name) etc.
 Usage limits are set by the schema: ssn allows only one value, jpegPhoto is
capped at 10K
LDAP Information Storage
 Each entry describes an object and is typed by its object class(es)
 Person, Server, Printer etc.
 Example entry:
 inetOrgPerson (requires cn, sn, objectClass)
 Example attributes:
 cn (cis), sn (cis), telephoneNumber (tel), ou
(cis), owner (dn), jpegPhoto (bin)
LDAP Naming
 A DN is a sequence of Relative DNs (RDNs), written leaf first, root last
 cn=John Smith,ou=Austin,o=IBM,c=US
 Special characters inside a value (comma, plus, quote, backslash, <, >, ;)
are escaped with a backslash
 Directory Information Tree (DIT)
 Follows a geographical or organizational scheme
 Aliases: an alias entry points at another entry by DN, so the DIT is
tree-like rather than a strict tree
 Aliases can point at non-leaf nodes
LDAP Naming
 Referrals: a server need not store the entire DIT (v3)
 Referral entry: objectClass=referral, attribute ref, value an LDAP URL
 Implementation differs
 Referrals vs. chaining (vendor choice)
 RFC 1777 (v2): the server is expected to chain, i.e. contact other servers
on the client's behalf rather than hand back a referral
LDAP Naming
 Schema
 Defines what object classes allowed
 Where they are stored
 What attributes they have (objectClass)
 Which attributes are optional (objectClass)
 Type/syntax of each attribute (objectClass)
 Query the server for its own information by searching the zero-length DN
(the root DSE)
 The LDAP schema must be readable by the client
LDAP Naming Examples
Attribute Type          String
CommonName              CN
LocalityName            L
StateOrProvinceName     ST
OrganizationName        O
OrganizationalUnitName  OU
CountryName             C
StreetAddress           STREET
domainComponent         DC
Userid                  UID
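As an added example (this code is not from the slides), the naming rules above in Python: build_dn escapes attribute values following the RFC 2253 string representation, parse_dn splits a DN back into its RDN sequence while honouring backslash and \XX escapes, and the __main__ section shows why escaping is a security matter rather than a cosmetic one: a user-supplied name containing an unescaped comma adds an RDN and silently relocates the entry in the DIT. The function names, the base DN and the attacker-controlled string are constructed for the example.

```python
# Added example (not from the slides): building and parsing LDAP DNs with the
# RFC 2253 string representation. RDNs are written leaf first and separated by
# ','; type and value are separated by '='. Inside a value the characters
# , + " \ < > ; must be escaped with a backslash (as must a leading '#' and a
# leading or trailing space); "\XX" with two hex digits is also accepted.
# Multi-valued RDNs ('+') are treated as part of the value here for brevity.

SPECIAL = set(',+"\\<>;')
HEX = set('0123456789abcdefABCDEF')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it stays inside a single RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns) -> str:
    """rdns: list of (type, value) pairs, leaf first, e.g. [('cn', 'John Smith'), ('o', 'IBM')]."""
    return ','.join(f'{t}={escape_dn_value(v)}' for t, v in rdns)


def parse_dn(dn: str):
    """Split a DN into (type, value) pairs, leaf first, honouring backslash escapes."""
    rdns, buf, attr = [], [], None
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == '\\':
            if i + 1 >= n:
                raise ValueError('dangling escape at end of DN')
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))   # \XX hex escape (ASCII only here)
                i += 3
            else:
                buf.append(dn[i + 1])            # \c literal escape
                i += 2
            continue
        if ch == '=' and attr is None:
            attr = ''.join(buf).strip()
            buf = []
        elif ch == ',':                          # an unescaped comma ends the RDN
            if attr is None:
                raise ValueError('RDN without "="')
            rdns.append((attr, ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError('RDN without "="')
    rdns.append((attr, ''.join(buf)))
    return rdns


def rdn_count(dn: str) -> int:
    """Number of RDNs, i.e. how deep in the DIT the DN points."""
    return len(parse_dn(dn))


if __name__ == '__main__':
    # Constructed input: an application builds a DN from a user-supplied name.
    base = [('ou', 'Austin'), ('o', 'IBM'), ('c', 'US')]
    user_input = 'Mallory,ou=Admins'
    naive = 'cn=' + user_input + ',' + build_dn(base)   # vulnerable concatenation
    safe = build_dn([('cn', user_input)] + base)        # escaped
    print(naive, rdn_count(naive))   # 5 RDNs: entry lands under ou=Admins
    print(safe, rdn_count(safe))     # 4 RDNs: the comma stays inside cn
```

The same rule applies wherever a DN is assembled from external input: an add, delete or modify DN request built by concatenation lets the caller choose the entry's position in the tree, which is exactly what access control on the DIT is supposed to prevent.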
LDAP Functions/Operations
 Authentication
 BIND/UNBIND
 ABANDON
 Query
 Search
 Compare entry
 Update
 Add an entry
 Delete an entry (only leaf entries; aliases are not dereferenced)
 Modify an entry, Modify DN/RDN
Client and Server Interaction
 Client establishes a session with the server (BIND)
 Hostname/IP and port number
 Security
 User-id/password based authentication
 Anonymous connection: default access rights only
 Encryption/Kerberos also supported
 Client performs operations
 Read/Update/Search
 (SQL analogy: SELECT X,Y,Z FROM PART_OF_DIRECTORY)
 Client ends the session (UNBIND)
 Client can ABANDON an outstanding operation (e.g. a long search) without
ending the session
BIND/UNBIND/ABANDON
 Request includes the LDAP version, the name the client wants to bind as, and
the authentication choice
 Simple (clear-text password; empty name and password for anonymous)
 Kerberos v4 to the LDAP server (krbv42LDAP)
 Kerberos v4 to the DSA (krbv42DSA)
 Server responds with a status indication (BindResponse carrying an LDAPResult)
 UNBIND: terminates the protocol session; no response is sent
 UnbindRequest ::= [APPLICATION 2] NULL
 ABANDON: asks the server to stop an outstanding operation, identified by its
MessageID; no response is sent
Search/Compare
 Request includes
 baseObject: an LDAPDN
 Scope: how many levels to be searched
 derefAliases: handling of aliases
 sizeLimit: max number of entries returned
 timeLimit: max time allowed for search
 attrsOnly: return attribute types only, or types and values
 Filter: condition an entry must satisfy to be returned
 Attributes: list of the entry's attributes to be returned
 Read (base scope) and List (one level) are implemented as searches
 Compare: like a search against one entry, but returns only TRUE/FALSE
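The search filter is the one request field that is almost always built from user input, so as an added example (not from the slides) here is the RFC 2254 filter syntax in Python: escape_filter_value does the mandatory escaping, unsafe_login_filter and safe_login_filter build the classic "uid and userPassword" login check with and without it, and a small parser plus evaluator (parse_filter, evaluate) runs a filter against an in-memory entry so the effect can be checked offline. The entry, the attribute names and all function names are constructed for the example; the evaluator covers equality, presence, substring, and the &, | and ! operators but not the extensible or approximate matches of the RFC.

```python
# Added example (not from the slides): LDAP search filters, why they must be
# escaped, and a small evaluator to show the effect. Filter syntax follows
# RFC 2254: (attr=value), (&(f1)(f2)), (|(f1)(f2)), (!(f)); '*' in a value
# means presence or substring match. The characters * ( ) \ and NUL inside a
# value must be written as backslash + two hex digits.

ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally inside a filter."""
    return ''.join(ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(uid: str, password: str) -> str:
    """What a naive application does: plain string concatenation."""
    return f'(&(uid={uid})(userPassword={password}))'


def safe_login_filter(uid: str, password: str) -> str:
    return f'(&(uid={escape_filter_value(uid)})(userPassword={escape_filter_value(password)}))'


def parse_filter(s: str):
    """Recursive-descent parser: ('&'|'|'|'!', [subfilters]) or ('=', attr, raw_value)."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != '(':
            raise ValueError(f'expected "(" at {pos}')
        pos += 1
        if s[pos] in '&|!':
            op = s[pos]
            pos += 1
            subs = []
            while s[pos] == '(':
                subs.append(node())
            if s[pos] != ')':
                raise ValueError(f'expected ")" at {pos}')
            pos += 1
            return (op, subs)
        eq = s.index('=', pos)
        end = s.index(')', eq)            # an unescaped ')' always ends the value
        attr, raw = s[pos:eq], s[eq + 1:end]
        pos = end + 1
        return ('=', attr, raw)

    try:
        tree = node()
    except IndexError:
        raise ValueError('unterminated filter') from None
    if pos != len(s):
        raise ValueError('trailing data after filter')
    return tree


def unescape(v: str) -> str:
    """Turn \\XX sequences back into characters (ASCII only here)."""
    out, i = [], 0
    while i < len(v):
        if v[i] == '\\' and i + 2 < len(v):
            out.append(chr(int(v[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(v[i])
            i += 1
    return ''.join(out)


def match_value(raw: str, actual: str) -> bool:
    """Equality, presence ('*') or substring ('a*b*c') match of one value."""
    parts = [unescape(p) for p in raw.split('*')]
    if len(parts) == 1:
        return actual == parts[0]
    if not actual.startswith(parts[0]) or not actual.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = actual.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(actual) - len(parts[-1])


def evaluate(tree, entry) -> bool:
    """entry: dict of lower-case attribute name -> list of string values."""
    op = tree[0]
    if op == '&':
        return all(evaluate(t, entry) for t in tree[1])
    if op == '|':
        return any(evaluate(t, entry) for t in tree[1])
    if op == '!':
        return not evaluate(tree[1][0], entry)
    _, attr, raw = tree
    return any(match_value(raw, v) for v in entry.get(attr.lower(), []))


# Constructed sample entry standing in for a directory search result.
ENTRY = {'uid': ['jsmith'], 'cn': ['John Smith'], 'userpassword': ['s3cret']}


def login_matches(build, uid: str, password: str, entry=ENTRY) -> bool:
    """Would the filter built by `build` match the entry, i.e. accept the login?"""
    return evaluate(parse_filter(build(uid, password)), entry)
```

With the unsafe builder a password of "*" turns the equality test into a presence test and the login succeeds for any account that has a userPassword attribute; with escaping the same input becomes "\2a" and is compared literally. Authenticating by searching on userPassword is itself a poor design, since a bind with the user's DN lets the server do the comparison, but the filter escaping rule applies to every search an application issues.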
ADD/MODIFY/DELETE
 ADD request
 Entry: LDAPDN
 List of Attributes and values (or sets of values)
 MODIFY request
 Used to add, delete, or replace attribute values
 Request includes
 Object: LDAPDN
 List of modifications, applied atomically (all or none)
 Add, Delete, Replace
 DELETE request
 Object: LDAPDN
 MODIFY RDN request: LDAPDN, newRDN,
Protocol Elements
 LDAPMessage (MessageID unique among the client's outstanding requests; the
response carries the same ID so replies can be matched to requests)
Protocol Elements
 LDAPString ::= OCTET STRING
 LDAPDN ::= LDAPString
 RelativeLDAPDN ::= LDAPString
 AttributeValueAssertion ::= SEQUENCE {
       attributeType    AttributeType,
       attributeValue   AttributeValue
   }
 AttributeType ::= LDAPString
 AttributeValue ::= OCTET STRING
Protocol Elements
 LDAPResult: resultCode, matchedDN, errorMessage
 Errors
 If the DN could only be partly resolved, the matched part of the RDN
sequence is returned in matchedDN
 noSuchObject
 aliasProblem
 invalidDNSyntax
 isLeaf etc.
LDAP Security
 The current LDAP version (v2) supports
 Clear-text passwords
 Kerberos version 4 authentication
 Other authentication methods possible
in future versions (March 1995)
 SASL support added in version 3
 SASL is a framework, not a mechanism: Kerberos can itself be carried as a
SASL mechanism (GSSAPI), so dropping the v2 Kerberos bind does not lose it
LDAP Security
 Security based on the BIND model
 Clear-text simple bind: all versions
 Kerberos v4 bind: v1 and v2, deprecated in v3
 SASL: v3
 Simple Authentication and Security Layer
 Negotiates one of many authentication mechanisms
 Proposal for Transport Layer Security
 Based on SSL v3 from Netscape
LDAP Security
 No authentication (anonymous bind)
 Basic authentication
 DN and password provided
 Sent in clear text (Base 64 encoding, where used, is not encryption)
 SASL (RFC 2222)
 Parameters: DN, mechanism name, credentials
 One authentication framework shared across protocols (LDAP, IMAP, SMTP ...)
 A security layer (integrity/encryption) can optionally be negotiated
 ldap_sasl_bind() (v3 API call)
 Mechanisms a server offers are listed in its root DSE:
ldap://<ldap_server>/?supportedSASLMechanisms
LDAP Security
 LDAP using SASL using SSL/TLS
LDAP Security
 SSL/TLS Handshake
Protocol Model
 Clients performing protocol operations
against servers
 Client sends protocol request to server
 Server performs operation on directory
 Server returns response (results/errors)
 Asynchronous Server Behavior
Directory Client/Server
Interaction
Mapping onto Transport
 Uses Connection-oriented, reliable transport
 TCP
 LDAPMessage PDU mapped onto TCP byte
stream
 LDAP listener on port 389
 Connection Oriented Transport Service
(COTS)
 LDAP PDU is mapped directly onto T-Data
Protocol Element Encoding
 Encoded for Exchange using BER
(Basic Encoding Rules)
 BER defined in Abstract Syntax
Notation One (ASN.1)
 High Overhead for BER
 Restrictions imposed to improve performance
 Definite form of length encoding only
 Bit strings, octet strings and all character string types encoded in
primitive form only
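As an added example (not from the slides) the encoding rules above applied to two of the PDUs the deck defines: bind_request and unbind_request hand-encode an LDAPMessage in BER using the ASN.1 of RFC 1777 (definite lengths, primitive strings), and read_tlv/decode_bind_request parse one back, rejecting the indefinite-length and constructed-string forms LDAP forbids. It also makes the point of the security slides concrete: the decoded simple bind shows the password exactly as a sniffer on port 389 would see it. Tag constants and function names are the example's own; the DN and password are constructed.

```python
# Added example (not from the slides): hand-encoding two LDAPv2 PDUs in BER and
# decoding them again, using the ASN.1 from RFC 1777:
#   LDAPMessage   ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }
#   BindRequest   ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
#                        authentication CHOICE { simple [0] OCTET STRING, ... } }
#   UnbindRequest ::= [APPLICATION 2] NULL
# Tag bytes: SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04, [APPLICATION 0]
# constructed 0x60, [APPLICATION 2] primitive 0x42, context [0] primitive 0x80.
# The decoder enforces the two LDAP restrictions on BER: definite lengths only,
# and strings in primitive form only.

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, UNBIND_REQUEST, SIMPLE_AUTH = 0x60, 0x42, 0x80


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|k followed by k length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(v: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    if v < 0:
        raise ValueError('negative values not needed here')
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, 'big'))


def bind_request(message_id: int, version: int, name: str, password: str) -> bytes:
    """Simple bind: the password travels as a plain OCTET STRING."""
    auth = tlv(SIMPLE_AUTH, password.encode())
    op = tlv(BIND_REQUEST, ber_integer(version) + tlv(OCTET_STRING, name.encode()) + auth)
    return tlv(SEQUENCE, ber_integer(message_id) + op)


def unbind_request(message_id: int) -> bytes:
    return tlv(SEQUENCE, ber_integer(message_id) + tlv(UNBIND_REQUEST, b''))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos); reject the BER forms LDAP forbids."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError('indefinite length is not allowed in LDAP')
    if first < 0x80:
        length, start = first, pos + 2
    else:
        k = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + k], 'big'), pos + 2 + k
    if tag == (OCTET_STRING | 0x20):
        raise ValueError('constructed OCTET STRING is not allowed in LDAP')
    content = buf[start:start + length]
    if len(content) != length:
        raise ValueError('truncated PDU')
    return tag, content, start + length


def decode_bind_request(pdu: bytes) -> dict:
    """Parse an LDAPMessage carrying a BindRequest; this is what a sniffer sees."""
    tag, msg, end = read_tlv(pdu)
    if tag != SEQUENCE or end != len(pdu):
        raise ValueError('not a single LDAPMessage')
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError('not a BindRequest')
    _, ver, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    atag, cred, _ = read_tlv(op, pos)
    return {
        'messageID': int.from_bytes(mid, 'big'),
        'version': int.from_bytes(ver, 'big'),
        'name': name.decode(),
        'auth': 'simple' if atag == SIMPLE_AUTH else f'other(0x{atag:02x})',
        'credentials': cred.decode(errors='replace'),
    }


if __name__ == '__main__':
    pdu = bind_request(1, 2, 'cn=John Smith,ou=Austin,o=IBM,c=US', 'hunter2')
    print(pdu.hex())
    print(decode_bind_request(pdu))   # password readable: simple bind needs TLS underneath
    print(unbind_request(2).hex())
```

The two decoder checks are worth keeping in any real parser: an indefinite length (0x80) or a constructed string lets a peer send a PDU whose size is not known up front, which is exactly the kind of input the LDAP restrictions were introduced to keep out of a server that reads a byte stream from port 389.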
LDAP Implementations
 C Library API
 LDAPv2 - RFC 1823 'The LDAP API'
 LDAPv3 - in Internet Draft stage at the time of this talk
 Java JNDI
 LDAPv3 uses the UTF-8 encoding of the Unicode character set
 HTTP to LDAP gateway
 LDAP to X.500 gateway (ldapd)
Version 2 v/s Version 3
 Referrals
 A server that does not store the requested data
can refer the client to another server.
 Security
 Extensible authentication using Simple
Authentication and Security Layer (SASL)
 Internationalization
 UTF-8 support for international characters.
 Extensibility
 New object types and operations can be
dynamically defined and schema published in a
standard manner.
