8/7/2019 LDAP- amrish
1/37
The LDAP Protocol
Amrish Kaushik, Graduate Student
USC Computer Science (CN)
-
Agenda
Background and Motivation
Understanding LDAP: Information (structure), Naming, Functions/Operations, Security
Protocol Model
Mapping onto Transport Services
Protocol Element Encoding
Discussion
-
Background and Motivation
Increased reliance on networked computers
Need for information: functionality, ease of use
Administration (application-specific directories): clear and consistent organization
Integrity
Confidentiality
-
X.500
X.500 standard: CCITT, 1988
See ISO 9594 / X.500-X.521 (1990)
-
X.500
Organizes directory entries into a hierarchical namespace
Powerful search capabilities
Often used for interfacing incompatible directory services
Uses DAP (Directory Access Protocol) for client/server communication
DAP is an application-layer protocol that requires the ENTIRE OSI stack to operate
Too heavy for small environments
-
What is LDAP?
Lightweight Directory Access Protocol
Used to access and update information in a directory built on the X.500 model
The specification defines the content of messages between the client and the server
Includes operations to establish and disconnect a session with the server
-
LDAP Server: G/S
-
Understanding LDAP
Lightweight alternative to DAP
Uses TCP/IP instead of the OSI stack
Simplifies certain functions and omits others
Represents most data (names, filters, attribute values) as strings rather than DAP's structured ASN.1 types; the protocol messages themselves are still ASN.1/BER-encoded
-
LDAP Models
Information: structure of the information stored in an LDAP directory
Naming: how information is organized and identified
Functional / Operations: what operations can be performed on the information stored in an LDAP directory
Security: how the information can be protected from unauthorized access
-
LDAP Information Storage
-
LDAP Information Storage
Each attribute has a type/syntax and one or more values
The syntax defines how values behave during searches and other directory operations
Syntaxes: bin (binary), ces (case-exact string), cis (case-ignore string), tel (telephone number), dn (distinguished name), etc.
Usage limits: e.g. ssn allows only one value, jpegPhoto at most 10K
-
LDAP Information Storage
Each entry describes an object of some object class: Person, Server, Printer, etc.
Example entry: inetOrgPerson (required attributes: cn, sn, objectClass)
Example attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
-
LDAP Naming
A DN consists of a sequence of Relative DNs (RDNs), written leaf to root:
cn=John Smith,ou=Austin,o=IBM,c=US
(special characters inside a value are escaped with \)
Directory Information Tree (DIT): tree-like, usually following a geographical or organizational scheme
Aliases: an alias entry points to another entry and may link to non-leaf nodes
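The naming rules above in working code, as an added example that is not part of the original slides: a parser for the RFC 1779 string form of a DN (leaf-to-root RDN sequence, backslash escaping, quoted values, multi-valued RDNs joined with +), the inverse builder, and the subtree check a server performs when it resolves a search base against an entry's name. Accepting RFC 2253 "\XX" hex pairs and treating every value as case-insensitive are this example's own assumptions, not something the deck states.

```python
"""Parse and build LDAP distinguished names in their string form.

Added example, not from the original slides.  Follows the RFC 1779 string
form the deck refers to (RDNs separated by ',', leaf first, '\\' escapes,
optional quoting) plus RFC 2253 '\\XX' hex pairs, and treats every value as
case-insensitive; those last two are this example's own assumptions.
"""
SPECIAL = ',+"\\<>;'        # must be escaped wherever they occur in a value
HEX = "0123456789abcdefABCDEF"

def split_unescaped(s, sep):
    """Split on sep, ignoring separators that are escaped or inside quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep escape pairs intact for now
            buf.append(s[i:i + 2])
            i += 2
            continue
        quoted ^= c == '"'
        if c == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    return parts + ["".join(buf)]

def unescape_value(raw):
    """Strip surrounding spaces and quotes, then resolve '\\c' and '\\XX'."""
    v = raw.lstrip(" ")
    while v.endswith(" ") and not v.endswith("\\ "):   # keep an escaped trailing space
        v = v[:-1]
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            if v[i + 1] in SPECIAL + " #":
                out += v[i + 1].encode()
                i += 2
                continue
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(ch in HEX for ch in pair):
                out.append(int(pair, 16))      # RFC 2253 hex pair (assumed extension)
                i += 3
                continue
            raise ValueError("bad escape in %r" % raw)
        out += v[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Leaf-to-root list of RDNs; each RDN is a list of (type, value) pairs.
    The zero-length DN names the root entry, where schema info is queried."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            typ, eq, val = ava.partition("=")
            if not eq:
                raise ValueError("RDN component without '=': %r" % ava)
            avas.append((typ.strip().lower(), unescape_value(val)))
        rdns.append(avas)
    return rdns

def escape_value(v):
    """Backslash-escape a value so it can be embedded in a DN string."""
    out = []
    for i, c in enumerate(v):
        at_edge = (i == 0 and c in " #") or (i == len(v) - 1 and c == " ")
        out.append("\\" + c if c in SPECIAL or at_edge else c)
    return "".join(out)

def build_dn(rdns):
    return ",".join("+".join("%s=%s" % (t, escape_value(v)) for t, v in rdn) for rdn in rdns)

def parent_dn(dn):
    return build_dn(parse_dn(dn)[1:])

def _normalized(dn):
    return [sorted((t, v.lower()) for t, v in rdn) for rdn in parse_dn(dn)]

def is_under(dn, base):
    """True if dn equals base or lies anywhere below it in the DIT."""
    d, b = _normalized(dn), _normalized(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b
```

parse_dn returns the RDNs in the order the string gives them (leaf first), so the parent of an entry is simply the list with its first RDN dropped, and a subtree test compares the trailing RDNs. Two strings that differ only in the spelling of "IBM" or "C" therefore compare equal, which is what a user expects but also why names must be normalized before they are used in an access-control decision.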
-
LDAP Naming: Referrals
A server may not store the entire DIT (v3)
A referral is an entry with objectClass=referral whose ref attribute holds an LDAP URL
Implementations differ: referrals (the client follows the URL) vs. chaining (the server contacts the other server on the client's behalf); the choice is vendor-specific
RFC 1777 (v2): server chaining is expected; referrals are a v3 protocol feature
-
LDAP Naming: Schema
Defines which object classes are allowed
Where they are stored
What attributes each has (objectClass)
Which attributes are optional (objectClass)
Type/syntax of each attribute
Query the server for this information using the zero-length DN (the root entry)
The LDAP schema must be readable by the client
-
LDAP Naming: Attribute Type Strings
Attribute type             String
CommonName                 CN
LocalityName               L
StateOrProvinceName        ST
OrganizationName           O
OrganizationalUnitName     OU
CountryName                C
StreetAddress              STREET
domainComponent            DC
Userid                     UID
-
LDAP Functions/Operations
Authentication and control: BIND / UNBIND, ABANDON
Query: Search, Compare entry
Update: Add an entry; Delete an entry (leaf nodes only; aliases are not dereferenced); Modify an entry; Modify DN/RDN
-
Client and Server Interaction
Client establishes a session with the server (BIND)
  Hostname/IP and port number
  Security: user-id/password based authentication; an anonymous connection gets the default access rights; encryption and Kerberos are also supported
Client performs operations: Read / Update / Search
  Analogy: SELECT X,Y,Z FROM PART_OF_DIRECTORY
Client ends the session (UNBIND)
Client can ABANDON an outstanding operation (identified by its message ID) without ending the session
-
BIND / UNBIND / ABANDON
The BIND request includes the LDAP version, the name the client wants to bind as, and the authentication choice:
  Simple (clear-text password; an empty password means anonymous)
  Kerberos v4 to the LDAP server (krbv42LDAP)
  Kerberos v4 to the DSA server (krbv42DSA)
Server responds with a status indication (BindResponse)
UNBIND: terminates a protocol session
  UnbindRequest ::= [APPLICATION 2] NULL
ABANDON: carries the MessageID of the operation to abandon
-
Search / Compare
The Search request includes:
  baseObject: an LDAPDN
  scope: how many levels to be searched (base object only, one level, or whole subtree)
  derefAliases: handling of aliases
  sizeLimit: max number of entries returned
  timeLimit: max time allowed for the search
  attrsOnly: return attribute types only, or values as well
  filter: condition to be fulfilled when searching
  attributes: list of the entry's attributes to be returned
Read and List are implemented as searches (base-object and one-level scope)
Compare: similar to search but returns True/False for a single attribute value assertion
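The Search and Compare operations above, run against a small in-memory directory, as an added example that is not part of the original slides. The filter strings follow the RFC 1960 string representation listed later in the deck, including its backslash escaping; the three sample entries and the case-insensitive matching applied to every attribute are constructed for this example, and only equality, substring, presence and the and/or/not combinators are implemented.

```python
"""Parse LDAP search filters and run Search/Compare over an in-memory directory.

Added example, not from the original slides.  Filter syntax and backslash
escaping follow the RFC 1960 string representation.  The entry store and
the case-insensitive matching are this example's own simplifications.
"""
import re

ENTRIES = {   # constructed sample data; attribute types are lower-cased
    "cn=John Smith,ou=Austin,o=IBM,c=US": {
        "objectclass": ["top", "person", "inetOrgPerson"], "cn": ["John Smith"],
        "sn": ["Smith"], "uid": ["jsmith"], "telephonenumber": ["+1 512 555 0100"]},
    "cn=Jane Doe,ou=Austin,o=IBM,c=US": {
        "objectclass": ["top", "person", "inetOrgPerson"], "cn": ["Jane Doe"],
        "sn": ["Doe"], "uid": ["jdoe"]},
    "cn=Print Server,ou=Austin,o=IBM,c=US": {
        "objectclass": ["top", "device"], "cn": ["Print Server"]},
}

def escape_filter_value(v):
    """Backslash-escape the characters RFC 1960 reserves inside a value."""
    return "".join("\\" + c if c in "*()\\" else c for c in v)

def _split_stars(s):
    """Split on unescaped '*' and resolve '\\c' escapes in each piece."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])
            i += 2
        elif s[i] == "*":
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(s[i])
            i += 1
    return parts + ["".join(buf)]

def parse_filter(s):
    """Filter string -> nested tuples such as ('and', [('eq', 'cn', 'x'), ...])."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node

def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, items, i = ("and" if s[i] == "&" else "or"), [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        return (op, items), _close(s, i)
    if i < len(s) and s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("not", node), _close(s, i)
    j = i
    while j < len(s) and s[j] != ")":      # an escaped ')' does not end the item
        j += 2 if s[j] == "\\" else 1
    attr, eq, raw = s[i:j].partition("=")
    if not eq or not attr:
        raise ValueError("no attribute=value in %r" % s[i:j])
    attr = attr.strip().lower()
    if raw == "*":
        return ("present", attr), _close(s, j)
    parts = _split_stars(raw)
    if len(parts) > 1:
        return ("sub", attr, parts), _close(s, j)
    return ("eq", attr, parts[0]), _close(s, j)

def matches(node, entry):
    kind = node[0]
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "sub":   # initial*any*...*final, each piece already unescaped
        pattern = ".*".join(re.escape(p.lower()) for p in node[2])
        return any(re.fullmatch(pattern, v, re.DOTALL) for v in values)
    return node[2].lower() in values

def search(store, filter_str, size_limit=0):
    """Search: DNs of the matching entries; sizeLimit 0 means no limit."""
    node = parse_filter(filter_str)
    hits = [dn for dn, entry in store.items() if matches(node, entry)]
    return hits[:size_limit] if size_limit else hits

def compare(entry, attr, value):
    """Compare: one attribute value assertion against one entry, True/False."""
    return matches(("eq", attr.lower(), value), entry)
```

escape_filter_value is the check a practitioner wants whenever a filter is assembled from user input: a bare "*" or ")" spliced into "(uid=...)" changes what the filter means, so the value is escaped first and then matches only itself.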
-
ADD / MODIFY / DELETE
ADD request: entry (LDAPDN) and a list of attributes with their values (or sets of values)
MODIFY request: used to add, delete or replace attribute values
  Request includes the object (LDAPDN) and a list of modifications, applied atomically
  Operations: Add, Delete, Replace
DELETE request: object (LDAPDN)
MODIFY RDN: LDAPDN, newRDN, deleteOldRDN flag
-
Protocol Elements
LDAPMessage: every request carries a MessageID, unique among the requests outstanding on the session, and the response echoes it
-
Protocol Elements
LDAPString ::= OCTET STRING
LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
AttributeValueAssertion ::= SEQUENCE {
    attributeType  AttributeType,
    attributeValue AttributeValue
}
AttributeType ::= LDAPString
AttributeValue ::= OCTET STRING
-
Protocol Elements: LDAPResult
Carries a result code, a matched DN and an error message
On errors such as noSuchObject, aliasProblem, invalidDNSyntax and isLeaf, the matched field holds the truncated DN: the RDN sequence of the lowest entry in the DIT that was matched
-
LDAP Security
The current LDAP version (v2, RFC 1777 of March 1995) supports:
  Clear-text passwords
  Kerberos version 4 authentication
  Other authentication methods are possible in future versions
SASL support was added in version 3
SASL is a framework rather than a single mechanism: it can carry Kerberos (via GSSAPI) as well as other methods, so a SASL bind is only as strong as the mechanism negotiated
-
LDAP Security
Security is based on the BIND model:
  Clear-text (simple) bind: since version 1
  Kerberos v4 bind: versions 1 and 2; deprecated and dropped from the v3 protocol in favour of SASL
  SASL bind: version 3. Simple Authentication and Security Layer, negotiates one of many authentication mechanisms
Proposal for Transport Layer Security, based on SSL v3 from Netscape
-
LDAP Security: Authentication Choices
No authentication (anonymous bind)
Basic authentication: DN and password provided, clear-text or Base64 encoded (Base64 is an encoding, not encryption, so it adds no confidentiality)
SASL (RFC 2222): parameters are the DN, the mechanism and the credentials
  Provides cross-protocol authentication: the same mechanisms serve other protocols
  A security layer (encryption/integrity) can optionally be negotiated
  ldap_sasl_bind() (v3 API call)
  The mechanisms a server offers are read from the root entry: ldap:///?supportedSASLMechanisms
-
LDAP Security LDAP using SASL using SSL/TLS
-
LDAP Security SSL/TLS Handshake
-
Protocol Model
Clients perform protocol operations against servers
Client sends a protocol request to the server
Server performs the operation on the directory
Server returns a response (results or errors)
Asynchronous server behavior: several requests may be outstanding at once and responses may come back in any order, matched to requests by MessageID
-
Directory Client/Server Interaction
-
Mapping onto Transport Services
Uses a connection-oriented, reliable transport
TCP: each LDAPMessage PDU is mapped onto the TCP byte stream; the LDAP listener is on port 389
Connection-Oriented Transport Service (COTS): each LDAP PDU is mapped directly onto T-Data
-
Protocol Element Encoding
Encoded for exchange using the Basic Encoding Rules (BER) of Abstract Syntax Notation One (ASN.1)
Full BER carries high overhead, so restrictions are imposed to improve performance:
  Only the definite form of length encoding is used
  Bit strings, octet strings and all character-string types are encoded in primitive form only
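The protocol elements from the earlier slides (LDAPMessage with its MessageID, the BindRequest with simple authentication, UnbindRequest ::= [APPLICATION 2] NULL, and AbandonRequest) encoded under exactly these BER restrictions, as an added example that is not part of the original slides. The tag values are those of the ASN.1 in RFC 1777 / RFC 2251; the encoder and decoder functions and the sample bind credentials (cn=admin,dc=example,dc=com / secret) are this example's own.

```python
"""BER encoding and decoding of a few LDAP protocol elements.

Added example, not from the original slides.  Tag values follow the ASN.1 in
RFC 1777 / RFC 2251; the helpers and the sample credentials are this
example's own.  It obeys the two restrictions the deck lists: definite-length
encoding only, and strings in primitive form.
"""
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30          # universal 16 with the constructed bit set
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0] SEQUENCE  (0x40 | 0x20 | 0)
TAG_UNBIND_REQUEST = 0x42    # [APPLICATION 2] NULL      (primitive)
TAG_ABANDON_REQUEST = 0x50   # [APPLICATION 16] MessageID (primitive)
TAG_SIMPLE_AUTH = 0x80       # [0] OCTET STRING in BindRequest.authentication

def ber_length(n):
    """Definite form only: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(i, tag=TAG_INTEGER):
    """Shortest two's-complement content octets, as BER requires."""
    length = 1
    while not -(1 << (8 * length - 1)) <= i < (1 << (8 * length - 1)):
        length += 1
    return tlv(tag, i.to_bytes(length, "big", signed=True))

def ldap_message(message_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + protocol_op)

def bind_request(message_id, version, name, password):
    """Simple bind: the password travels as a plain OCTET STRING."""
    op = (ber_integer(version)
          + tlv(TAG_OCTET_STRING, name.encode("utf-8"))
          + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return ldap_message(message_id, tlv(TAG_BIND_REQUEST, op))

def unbind_request(message_id):
    """UnbindRequest ::= [APPLICATION 2] NULL"""
    return ldap_message(message_id, tlv(TAG_UNBIND_REQUEST, b""))

def abandon_request(message_id, id_to_abandon):
    """AbandonRequest ::= [APPLICATION 16] MessageID"""
    return ldap_message(message_id, ber_integer(id_to_abandon, TAG_ABANDON_REQUEST))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); refuses the indefinite length form."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not permitted in LDAP")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu):
    """Decode one LDAPMessage holding a simple-auth BindRequest."""
    tag, body, end = read_tlv(pdu)
    if tag != TAG_SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag != TAG_SIMPLE_AUTH:
        raise ValueError("only simple authentication is decoded here")
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(ver, "big", signed=True),
            "name": name.decode("utf-8"),
            "password": cred.decode("utf-8")}

if __name__ == "__main__":
    pdu = bind_request(1, 3, "cn=admin,dc=example,dc=com", "secret")
    print(pdu.hex())
    print(parse_bind_request(pdu))
```

Running it prints the 46-byte bind PDU and decodes it again. The decoder gets the password back unchanged: a simple bind puts it on the wire as a plain OCTET STRING, which is the clear-text weakness the Security slides address with Kerberos, SASL or TLS. The decoder also refuses the indefinite-length form, so a PDU that violates the encoding restriction is rejected rather than parsed.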
-
LDAP Implementations
C library API: LDAPv2 in RFC 1823 (The LDAP Application Program Interface); the LDAPv3 API was still at the Internet-Draft stage
Java: JNDI
LDAP v3 uses the UTF-8 encoding of the Unicode character set
HTTP-to-LDAP gateway
LDAP-to-X.500 gateway: ldapd
-
LDAP v2 (Draft Standard)
RFC 1777: Lightweight Directory Access Protocol (v2; v1 was RFC 1487)
RFC 1778: The String Representation of Standard Attribute Syntaxes
RFC 1779: A String Representation of Distinguished Names
RFC 1959: An LDAP URL Format
RFC 1960: A String Representation of LDAP Search Filters
-
Version 2 vs. Version 3
Referrals: a server that does not store the requested data can refer the client to another server
Security: extensible authentication using the Simple Authentication and Security Layer (SASL)
Internationalization: UTF-8 support for international characters
Extensibility: new object types and operations can be dynamically defined and the schema published in a standard manner