LDAP- amrish


  • 8/7/2019 LDAP- amrish

    1/37

    The LDAP Protocol

    Amrish Kaushik, Graduate Student

    USC Computer Science (CN)

    2/37

    Agenda

    Background and Motivation

    Understanding LDAP
      Information Structure
      Naming
      Functions/Operations
      Security

    Protocol Model
      Mapping onto Transport Services
      Protocol Element Encoding

    Discussion

    3/37

    Background and Motivation

    Increased reliance on networked computers

    Needs in information:
      Functionality
      Ease of use
      Administration (application-specific directories)
      Clear and consistent organization
      Integrity
      Confidentiality

    4/37

    X.500

    X.500 standard, CCITT 1988

    Refer to ISO 9594, X.500-X.521 of 1990

    5/37

    X.500

    Organizes directory entries into a hierarchical namespace

    Powerful search capabilities

    Often used for interfacing incompatible directory services

    Used DAP for client/server communication; DAP (application layer) requires the ENTIRE OSI stack to operate

    Too heavy for small environments

    6/37

    What is LDAP?

    Lightweight Directory Access Protocol

    Used to access and update information in a directory built on the X.500 model

    Specification defines the content of messages between the client and the server

    Includes operations to establish and disconnect a session from the server

    7/37

    LDAP Server: G/S

    8/37

    Understanding LDAP

    Lightweight alternative to DAP

    Uses TCP/IP instead of the OSI stack

    Simplifies certain functions and omits others

    Uses strings rather than DAP's ASN.1 notation to represent data

    9/37

    LDAP Information

    Information: structure of the information stored in an LDAP directory

    Naming: how information is organized and identified

    Functional/Operations: describes what operations can be performed on the information stored in an LDAP directory

    Security: describes how the information can be protected from unauthorized access

    10/37

    LDAP Information Storage

    11/37

    LDAP Information Storage

    Each attribute has a type/syntax and a value

    Can define how values behave during searches/directory operations

    Syntax: bin, ces, cis, tel, dn etc.

    Usage limits: ssn only one, jpegPhoto 10K

    12/37

    LDAP Information Storage

    Each entry describes an object (class): Person, Server, Printer etc.

    Example entry: inetOrgPerson (cn, sn, objectClass)

    Example attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

    13/37

    LDAP Naming

    DNs consist of a sequence of Relative DNs, written leaf to root: cn=John Smith,ou=Austin,o=IBM,c=US (use \ to escape special characters)

    Directory Information Tree (DIT): tree-like; follows a geographical or organizational scheme

    Aliases: can link non-leaf nodes

    14/37

    LDAP Naming

    Referrals: a server may not store the entire DIT (v3)

    Referral entries: objectClass=referral, attribute=ref, value=LDAP URL

    Implementation differs: referrals vs. chaining (vendor-specific)

    RFC 1777: server chaining is expected

    15/37

    LDAP Naming

    Schema defines:
      what object classes are allowed
      where they are stored
      what attributes they have (objectClass)
      which attributes are optional (objectClass)
      type/syntax of each attribute (objectClass)

    Query the server for schema info: zero-length DN

    LDAP schema must be readable by the client

    16/37

    LDAP Naming Examples

    Attribute Type            String
    commonName                CN
    localityName              L
    stateOrProvinceName       ST
    organizationName          O
    organizationalUnitName    OU
    countryName               C
    streetAddress             STREET
    domainComponent           DC
    userid                    UID
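Worked example for the naming slides above (added here; not part of the original deck): a small Python DN parser that splits cn=John Smith,ou=Austin,o=IBM,c=US into its RDNs leaf-first, honours the backslash escape mentioned on slide 13, and re-renders the DN with the short type strings from the slide-16 table. The function names (parse_dn, render_dn, root_to_leaf, parent_dn) and the sample DNs are this example's own assumptions.

```python
# Added illustration (not code from the slides): parse and re-render an
# LDAP distinguished name in the RFC 1779 string form used on slide 13.
# The short type strings come from the slide-16 table; function names and
# sample DNs are this example's own construction.
from typing import List, Tuple

# Attribute-type abbreviations from slide 16, keyed by lower-cased long name.
ATTRIBUTE_TYPE_STRINGS = {
    "commonname": "CN",
    "localityname": "L",
    "stateorprovincename": "ST",
    "organizationname": "O",
    "organizationalunitname": "OU",
    "countryname": "C",
    "streetaddress": "STREET",
    "domaincomponent": "DC",
    "userid": "UID",
}

# Characters that must be backslash-escaped inside an RDN value.
SPECIAL_CHARS = set(',=+<>#;"\\')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (type, value) RDNs, leaf first (cn, ou, o, c).

    A backslash escapes the following character, so "cn=Smith\\, John" keeps
    the comma inside the value. Unescaped whitespace around '=' and ',' is
    trimmed, as RFC 1779 permits. Multi-valued RDNs joined with '+' are
    not split into their components here.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[Tuple[str, bool]] = []   # (character, was_escaped)
    attr_type = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("invalidDNSyntax: dangling escape")
            buf.append((dn[i + 1], True))
            i += 2
            continue
        if c == "=" and attr_type is None:
            attr_type = _join(buf)
            if not attr_type:
                raise ValueError("invalidDNSyntax: empty attribute type")
            buf = []
        elif c == ",":
            if attr_type is None:
                raise ValueError("invalidDNSyntax: RDN without '='")
            rdns.append((attr_type, _join(buf)))
            attr_type, buf = None, []
        else:
            buf.append((c, False))
        i += 1
    if attr_type is None:
        raise ValueError("invalidDNSyntax: trailing RDN without '='")
    rdns.append((attr_type, _join(buf)))
    return rdns


def _join(buf: List[Tuple[str, bool]]) -> str:
    """Concatenate buffered characters, trimming only unescaped spaces."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (" ", False):
        start += 1
    while end > start and buf[end - 1] == (" ", False):
        end -= 1
    return "".join(ch for ch, _ in buf[start:end])


def escape_value(value: str) -> str:
    """Backslash-escape the characters that are special in a DN string."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)


def render_dn(rdns: List[Tuple[str, str]]) -> str:
    """Render RDNs back to a string using the slide-16 short type names."""
    parts = []
    for attr_type, value in rdns:
        short = ATTRIBUTE_TYPE_STRINGS.get(attr_type.lower(), attr_type.upper())
        parts.append(f"{short}={escape_value(value)}")
    return ",".join(parts)


def root_to_leaf(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The DIT path from the root down to the entry (reverse of DN order)."""
    return list(reversed(rdns))


def parent_dn(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop the leaf RDN: the DN of the entry's superior in the tree."""
    return rdns[1:]
```

The parser keeps a per-character escaped flag so that an escaped comma or space survives both the split on ',' and the whitespace trimming; rendering re-escapes on the way out, which is what keeps a round trip through parse_dn and render_dn lossless.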

    17/37

    LDAP Functions/Operations

    Authentication: BIND/UNBIND, ABANDON

    Query: Search, Compare entry

    Update: Add an entry; Delete an entry (only leaf nodes, no aliases); Modify an entry; Modify DN/RDN

    18/37

    Client and Server Interaction

    Client establishes a session with the server (BIND): hostname/IP and port number

    Security: user-id/password based authentication; anonymous connection gets default access rights; encryption/Kerberos also supported

    Client performs operations: Read/Update/Search, in the spirit of SELECT X,Y,Z FROM PART_OF_DIRECTORY

    Client ends the session (UNBIND)

    Client can ABANDON the session

    19/37

    BIND/UNBIND/ABANDON

    BIND request includes the LDAP version, the name the client wants to bind as, and the authentication type:
      Simple (clear-text password, or anonymous)
      Kerberos v4 to the LDAP server (krbv42LDAP)
      Kerberos v4 to the DSA server (krbv42DSA)

    Server responds with a status indication

    UNBIND: terminates a protocol session

    UnbindRequest ::= [APPLICATION 2] NULL

    ABANDON: carries the MessageID to abandon

    20/37

    Search/Compare

    Search request includes:
      baseObject: an LDAPDN
      scope: how many levels are to be searched
      derefAliases: handling of aliases
      sizeLimit: max number of entries returned
      timeLimit: max time allowed for the search
      attrsOnly: return attribute types only, or values also
      filter: condition to be fulfilled when searching
      attributes: list of the entry's attributes to be returned

    Read and List are implemented as searches

    Compare: similar to search but returns T/F
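Added example for the Search/Compare slide (not from the deck or its author): a Python parser and evaluator for RFC 1960 filter strings, a search() that applies baseObject, scope, sizeLimit and the attribute list against a small constructed in-memory directory, and a compare() that answers one AttributeValueAssertion with True/False. The function names and the DIRECTORY contents are assumptions made for this illustration.

```python
# Added illustration (not code from the slides): RFC 1960 search filters,
# the slide-20 search parameters and the Compare operation over a toy
# in-memory directory. Names and sample entries are constructed here.
import re
from typing import Dict, List

ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$", re.S)

# Constructed directory in the slide-13 naming style (not real data).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "o=IBM,c=US": {"objectClass": ["top", "organization"], "o": ["IBM"]},
    "ou=Austin,o=IBM,c=US": {"objectClass": ["top", "organizationalUnit"], "ou": ["Austin"]},
    "cn=John Smith,ou=Austin,o=IBM,c=US": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "cn": ["John Smith"], "sn": ["Smith"], "telephoneNumber": ["+1 512 555 0100"],
    },
    "cn=Jane Doe,ou=Austin,o=IBM,c=US": {
        "objectClass": ["top", "person", "inetOrgPerson"], "cn": ["Jane Doe"], "sn": ["Doe"],
    },
}


def parse_filter(text: str):
    """Parse a filter string into ('&'|'|'|'!', [children]) and
    ('item', attr, ftype, value) nodes."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')'")
        if (op == "!" and len(children) != 1) or not children:
            raise ValueError(f"wrong number of operands for {op!r}")
        return (op, children), i + 1
    end = s.find(")", i)                 # item values cannot contain ')' here
    m = ITEM_RE.match(s[i:end]) if end >= 0 else None
    if not m:
        raise ValueError(f"bad filter item near {s[i:]!r}")
    attr, ftype, value = m.groups()
    return ("item", attr.lower(), ftype, value), end + 1


def evaluate(node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry. Attribute names and
    values are compared case-insensitively (cis); a real server applies
    the matching rule of each attribute's syntax instead."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, ftype, value = node
    values = [str(v).lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    value = value.lower()
    if ftype == "=":
        if value == "*":                                   # presence
            return bool(values)
        if "*" in value:                                   # substring
            pattern = ".*".join(re.escape(p) for p in value.split("*"))
            return any(re.fullmatch(pattern, v, re.S) for v in values)
        return value in values                             # equality
    if ftype == ">=":
        return any(v >= value for v in values)
    if ftype == "<=":
        return any(v <= value for v in values)
    norm = re.sub(r"[^a-z0-9]", "", value)                 # '~=' approximate, simplified
    return any(re.sub(r"[^a-z0-9]", "", v) == norm for v in values)


def search(directory, base: str, scope: str, filter_text: str, attributes=None, size_limit: int = 0):
    """Return [(dn, selected attributes)] the way a SearchResponse would.
    scope is 'base', 'one' or 'sub'; size_limit 0 means unlimited. DNs are
    matched as plain strings, so escaped commas in RDN values are not handled."""
    node = parse_filter(filter_text)
    base_l, results = base.lower(), []
    for dn, entry in directory.items():
        dn_l = dn.lower()
        below = dn_l.endswith("," + base_l)
        if scope == "base":
            in_scope = dn_l == base_l
        elif scope == "one":
            in_scope = below and "," not in dn_l[: -len(base_l) - 1]
        else:
            in_scope = below or dn_l == base_l
        if not (in_scope and evaluate(node, entry)):
            continue
        if attributes:
            wanted = {a.lower() for a in attributes}
            results.append((dn, {k: v for k, v in entry.items() if k.lower() in wanted}))
        else:
            results.append((dn, dict(entry)))
        if size_limit and len(results) >= size_limit:
            break                      # a server would signal sizeLimitExceeded
    return results


def compare(entry: Dict[str, List[str]], attr: str, value: str) -> bool:
    """The Compare operation: one AttributeValueAssertion, answered True/False."""
    return any(str(v).lower() == value.lower()
               for k, vs in entry.items() if k.lower() == attr.lower() for v in vs)
```

Substring filters such as (cn=J*Smith) are compiled to an anchored regular expression with the literal parts escaped, which is what stops a filter value from being interpreted as regex syntax; the size limit is applied while iterating so the server-side cost stays bounded by the limit rather than by the directory size.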

    21/37

    ADD/MODIFY/DELETE

    ADD request: entry (LDAPDN) and a list of attributes and values (or sets of values)

    MODIFY request: used to add, delete, and modify attributes; includes object (LDAPDN) and a list of modifications (applied atomically): Add, Delete, Replace

    DELETE request: object (LDAPDN)

    MODIFY RDN: LDAPDN, newRDN, DEL_FLAG
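Added example for the MODIFY request (not from the deck): a Python routine that applies a list of Add/Delete/Replace modifications atomically, so a failure anywhere in the list leaves the entry untouched, while enforcing the per-attribute usage limits of slide 11 (ssn single-valued, jpegPhoto at most 10K). The SCHEMA table, the LDAP result-code names used as error text, the function names and the sample entry are constructed for this example.

```python
# Added illustration (not code from the slides): atomic MODIFY (slide 21)
# with the slide-11 usage limits enforced. Schema fragment, function names
# and the sample entry are this example's own constructions.
from typing import Dict, List, Tuple

# Constructed schema: syntax per slide 12, single-value/size limits per slide 11.
SCHEMA = {
    "objectclass":     {"syntax": "cis", "single": False, "max_bytes": None},
    "cn":              {"syntax": "cis", "single": False, "max_bytes": None},
    "sn":              {"syntax": "cis", "single": False, "max_bytes": None},
    "ou":              {"syntax": "cis", "single": False, "max_bytes": None},
    "telephonenumber": {"syntax": "tel", "single": False, "max_bytes": None},
    "owner":           {"syntax": "dn",  "single": False, "max_bytes": None},
    "ssn":             {"syntax": "ces", "single": True,  "max_bytes": None},
    "jpegphoto":       {"syntax": "bin", "single": False, "max_bytes": 10 * 1024},
}

Modification = Tuple[str, str, List]   # (op, attribute, values)

# Constructed sample entry in the slide-12 style.
JOHN = {
    "objectClass": ["top", "person", "inetOrgPerson"],
    "cn": ["John Smith"],
    "sn": ["Smith"],
}


def _same(syntax: str, a, b) -> bool:
    """Value equality under the attribute's syntax: case-insensitive for
    cis, verbatim for everything else (a real server also normalises tel)."""
    if syntax == "cis":
        return str(a).lower() == str(b).lower()
    return a == b


def _check(attr: str, values: List) -> None:
    """Enforce schema presence, single-valuedness and per-value size."""
    rule = SCHEMA.get(attr)
    if rule is None:
        raise ValueError(f"undefinedAttributeType: {attr}")
    if rule["single"] and len(values) > 1:
        raise ValueError(f"constraintViolation: {attr} may hold only one value")
    if rule["max_bytes"] is not None:
        for v in values:
            if len(v) > rule["max_bytes"]:
                raise ValueError(f"constraintViolation: {attr} value exceeds {rule['max_bytes']} bytes")


def apply_modifications(entry: Dict[str, List], mods: List[Modification]) -> Dict[str, List]:
    """Return the modified entry (attribute names lower-cased) or raise with
    nothing changed: the work happens on a copy and is handed back only
    after every modification has been applied and checked."""
    work = {k.lower(): list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        attr = attr.lower()
        syntax = SCHEMA.get(attr, {}).get("syntax", "ces")
        current = work.get(attr, [])
        if op == "add":
            for v in values:
                if any(_same(syntax, v, c) for c in current):
                    raise ValueError(f"attributeOrValueExists: {attr}={v!r}")
            new = current + list(values)
        elif op == "delete":
            if attr not in work:
                raise ValueError(f"noSuchAttribute: {attr}")
            if not values:
                new = []                        # delete the whole attribute
            else:
                for v in values:
                    if not any(_same(syntax, v, c) for c in current):
                        raise ValueError(f"noSuchAttribute: {attr}={v!r}")
                new = [c for c in current if not any(_same(syntax, v, c) for v in values)]
        elif op == "replace":
            new = list(values)
        else:
            raise ValueError(f"protocolError: unknown modification {op!r}")
        if new:
            _check(attr, new)
            work[attr] = new
        else:
            work.pop(attr, None)
    return work


def result_code(entry: Dict[str, List], mods: List[Modification]) -> str:
    """Name of the LDAP result a server would send for this MODIFY:
    'success' or the error prefix raised above."""
    try:
        apply_modifications(entry, mods)
        return "success"
    except ValueError as exc:
        return str(exc).split(":", 1)[0]
```

Because every check runs against the working copy before it is returned, a MODIFY whose second modification violates the schema rolls back its first one for free, which is the all-or-nothing behaviour the slide's "atomic" refers to.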

    22/37

    Protocol Elements: LDAPMessage (MessageID unique)

    23/37

    Protocol Elements

    LDAPString ::= OCTET STRING
    LDAPDN ::= LDAPString
    RelativeLDAPDN ::= LDAPString

    AttributeValueAssertion ::= SEQUENCE {
        attributeType  AttributeType,
        attributeValue AttributeValue
    }

    AttributeType ::= LDAPString
    AttributeValue ::= OCTET STRING

    24/37

    Protocol Elements

    LDAPResult

    Errors: truncated DIT (the RDN sequence is sent), noSuchObject, aliasProblem, invalidDNSyntax, isLeaf, etc.

    25/37

    LDAP Security

    Current LDAP version supports clear-text passwords and Kerberos version 4 authentication

    Other authentication methods possible in future versions (March 1995)

    SASL support added in version 3

    Kerberos deemed stronger than SASL

    26/37

    LDAP Security

    Security based on the BIND model:
      Clear text: ver 1
      Kerberos: ver 1, 2, 3 (deprecated)
      SASL: ver 3

    Simple Authentication and Security Layer (SASL): uses one of many authentication methods

    Proposal for Transport Layer Security, based on SSL v3 from Netscape

    27/37

    LDAP Security

    No authentication

    Basic authentication: DN and password provided, clear-text or Base64 encoded

    SASL (RFC 2222): parameters are DN, mechanism, credentials; provides cross-protocol authentication calls; encryption can be optionally negotiated

    ldap_sasl_bind() (v3 call)

    ldap:///?supportedSASLMechanisms

    28/37

    LDAP Security: LDAP using SASL using SSL/TLS

    29/37

    LDAP Security: SSL/TLS Handshake

    30/37

    Agenda (repeated from slide 2; section divider before Protocol Model)

    31/37

    Protocol Model

    Clients performing protocol operations against servers

    Client sends a protocol request to the server

    Server performs the operation on the directory

    Server returns a response (results/errors)

    Asynchronous server behavior

    32/37

    Directory Client/Server Interaction

    33/37

    Mapping onto Transport

    Uses a connection-oriented, reliable transport

    TCP: LDAPMessage PDU mapped onto the TCP byte stream; LDAP listener on port 389

    Connection Oriented Transport Service (COTS): LDAP PDU is mapped directly onto T-Data

    34/37

    Protocol Element Encoding

    Encoded for exchange using BER (Basic Encoding Rules)

    BER defined in Abstract Syntax Notation One (ASN.1)

    High overhead for BER

    Restrictions imposed to improve performance:
      definite form of length encoding only
      bit strings, octet strings and all character string types encoded in primitive form only
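Added example covering the BIND/UNBIND slide (19), the Protocol Elements slides (22-23) and the encoding restrictions just listed (not code from the deck): hand-rolled BER in Python for LDAPMessage, BindRequest and UnbindRequest under the LDAP rules (definite-form lengths only, primitive strings), plus a decoder that inspects a captured BindRequest and reports whether it carries a simple-bind password, which crosses the wire in clear text unless the TCP connection is wrapped in TLS (the concern behind slides 25-28). Tag values follow RFC 1777; the function names and sample messages are this example's own.

```python
# Added illustration (not code from the slides): BER for LDAPMessage,
# BindRequest and UnbindRequest with the LDAP restrictions from slide 34.
# Tags per RFC 1777; function names and sample messages are constructed.

SEQUENCE, INTEGER, OCTET_STRING, NULL = 0x30, 0x02, 0x04, 0x05
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
UNBIND_REQUEST = 0x42    # [APPLICATION 2], primitive (slide 19)
SIMPLE_AUTH = 0x80       # [0] simple OCTET STRING inside BindRequest
SASL_AUTH = 0xA3         # [3] SaslCredentials (LDAPv3)


def ber_length(n: int) -> bytes:
    """Definite-form length only: short form below 128, long form above.
    LDAP forbids the indefinite form (0x80 followed by end-of-contents)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value. LDAP only needs single-byte tags (numbers < 31)."""
    return bytes([tag]) + ber_length(len(content)) + content


def encode_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER; LDAP message fields are non-negative."""
    if n < 0:
        raise ValueError("negative INTEGER not used in LDAP message fields")
    return ber_tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_bind_request(version: int, name: str, password: bytes) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER,
    name LDAPDN, authentication CHOICE { simple [0] OCTET STRING, ... } }.
    Empty name and password together make the anonymous bind."""
    body = (encode_integer(version)
            + ber_tlv(OCTET_STRING, name.encode("utf-8"))   # primitive form only
            + ber_tlv(SIMPLE_AUTH, password))
    return ber_tlv(BIND_REQUEST, body)


def encode_unbind_request() -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL, as quoted on slide 19."""
    return ber_tlv(UNBIND_REQUEST, b"")


def encode_ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }."""
    return ber_tlv(SEQUENCE, encode_integer(message_id) + protocol_op)


def decode_tlv(data: bytes, offset: int = 0):
    """Return (tag, content, offset after the element); reject the
    indefinite form and truncated elements instead of reading past them."""
    if offset + 2 > len(data):
        raise ValueError("truncated element")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        if offset + nbytes > len(data):
            raise ValueError("truncated length")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    else:
        length = first
    content = data[offset:offset + length]
    if len(content) != length:
        raise ValueError("truncated content")
    return tag, content, offset + length


def inspect_bind(message: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest and report what a
    wire-level audit cares about: version, bind DN, authentication choice,
    and whether a simple bind carries a password (clear text unless the
    connection is under TLS)."""
    tag, body, end = decode_tlv(message)
    if tag != SEQUENCE or end != len(message):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    id_tag, msg_id, off = decode_tlv(body)
    op_tag, op, _ = decode_tlv(body, off)
    if id_tag != INTEGER or op_tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, off = decode_tlv(op)
    _, name, off = decode_tlv(op, off)
    auth_tag, credentials, _ = decode_tlv(op, off)
    auth = {SIMPLE_AUTH: "simple", SASL_AUTH: "sasl"}.get(auth_tag, f"other(0x{auth_tag:02x})")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
        "auth": auth,
        "anonymous": auth_tag == SIMPLE_AUTH and not name and not credentials,
        "cleartext_password": auth_tag == SIMPLE_AUTH and len(credentials) > 0,
    }
```

The anonymous bind encodes to the well-known 14 bytes 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, and the unbind to 30 05 02 01 01 42 00; the decoder's refusal of indefinite lengths and truncated elements is the part that matters when the same parser is pointed at untrusted input.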

    35/37

    LDAP Implementations

    C Library API: LDAPv2 - RFC 1823 "The LDAP API"; LDAPv3 in Internet Draft stage

    Java: JNDI

    LDAP v3 uses the UTF-8 encoding of the Unicode character set

    HTTP to LDAP gateway

    LDAP to X.500 gateway: ldapd

    36/37

    LDAP v2 (Draft Standard)

    RFC 1777: LDAP v1

    RFC 1778: The String Representation of Standard Attribute Syntaxes

    RFC 1779: A String Representation of Distinguished Names

    RFC 1959: An LDAP URL Format

    RFC 1960: A String Representation of LDAP Search Filters

    37/37

    Version 2 vs. Version 3

    Referrals: a server that does not store the requested data can refer the client to another server

    Security: extensible authentication using Simple Authentication and Security Layer (SASL)

    Internationalization: UTF-8 support for international characters

    Extensibility: new object types and operations can be dynamically defined and schema published in a standard manner