
The LDAP Protocol…


Presentation Transcript


  1. The LDAP Protocol… Amrish Kaushik Graduate Student USC – Computer Science (CN)

  2. Agenda • Background and Motivation • Understanding LDAP • Information Structure • Naming • Functions/Operations • Security • Protocol Model • Mapping onto Transport Services • Protocol Element Encoding • Discussion

  3. Background and Motivation • Increased reliance on networked computers • Need in information • Functionality • Ease-of-Use • Administration (Application specific dirs) • Clear and consistent organization • Integrity • Confidentiality

  4. X.500 • X.500 standard. CCITT 1988 • Refer ISO 9594 – X.500-X.521 of 1990

  5. X.500 • Organizes directory entries into a hierarchical namespace • Powerful search capabilities • Often used for interfacing incompatible directory services • Used DAP for client/server communication • DAP (App. Layer) requires the ENTIRE OSI stack to operate • Too heavy for small environments

  6. What is LDAP? • Lightweight Directory Access Protocol • Used to access and update information in a directory built on the X.500 model • Specification defines the content of messages between the client and the server • Includes operations to establish and disconnect a session from the server

  7. LDAP Server: G/S

  8. Understanding LDAP • Lightweight alternative to DAP • Uses TCP/IP instead of OSI stack • Simplifies certain functions and omits others… • Uses strings rather than DAP’s ASN.1 notation to represent data.

  9. LDAP • Information • Structure of information stored in an LDAP directory. • Naming • How information is organized and identified. • Functional / Operations • Describes what operations can be performed on the information stored in an LDAP directory. • Security • Describes how the information can be protected from unauthorized access.

  10. LDAP Information Storage

  11. LDAP Information Storage • Each attribute has a type/syntax and a value • Can define how values behave during searches/directory operations • Syntax: bin, ces, cis, tel, dn etc. • Usage limits: ssn – only one, jpegPhoto – 10K

  12. LDAP Information Storage • Each ‘entry’ describes an object (Class) • Person, Server, Printer etc. • Example Entry: • InetOrgPerson(cn, sn, ObjectClass) • Example Attributes: • cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

  13. LDAP Naming • DNs consist of a sequence of Relative DNs • cn=John Smith,ou=Austin,o=IBM,c=US (written leaf to root) (use \ to escape special characters) • Directory Information Tree (DIT) • Follows a geographical or organizational scheme • Aliases: Tree-like • Aliases can link non-leaf nodes
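The slide's DN syntax, including the backslash escaping it mentions, is easy to get wrong when a DN is assembled from user-supplied values: an unescaped comma in a value silently becomes an extra RDN. The following is an added example (not code from the presentation) that splits, escapes and parses DNs following the RFC 4514 rules, which refined the syntax current when the talk was given; the `parse_dn`/`build_dn` names and the sample values are this example's own.

```python
"""LDAP DN splitting, escaping and parsing (RFC 4514 rules).

Added example, not from the presentation. A comma preceded by "\\" is part
of a value, not an RDN separator, so values must be escaped before they are
concatenated into a DN.
"""

# Characters that must be escaped anywhere inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')
_HEX = "0123456789abcdefABCDEF"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can follow 'type=' in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # leading '#' would read as hex-encoded BER
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ord(ch) < 0x20:                       # control characters as \XX
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(raw: str) -> str:
    """Reverse escape_dn_value: decode \\X and \\XX (hex pair) sequences."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\":
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                buf.append(int(pair, 16))          # hex pair -> one byte (UTF-8 may span pairs)
                i += 3
            else:
                buf.extend(raw[i + 1:i + 2].encode("utf-8"))  # literal escaped character
                i += 2
        else:
            buf.extend(raw[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def split_dn(dn: str) -> list:
    """Split a DN string into its RDN strings, leaf first, honoring escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                             # keep escape + escaped char together
            buf.append(dn[i:i + 2])
            i += 2
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    rdns.append("".join(buf))
    return rdns


def parse_dn(dn: str) -> list:
    """Return [(attribute_type, decoded_value), ...] leaf first.
    The zero-length DN (the root the slides query for schema) parses to []."""
    if dn == "":
        return []
    pairs = []
    for rdn in split_dn(dn):
        attr_type, sep, raw = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        pairs.append((attr_type.strip(), unescape_dn_value(raw)))
    return pairs


def build_dn(pairs) -> str:
    """Assemble a DN from (type, value) pairs, escaping every value."""
    return ",".join("%s=%s" % (t, escape_dn_value(v)) for t, v in pairs)


if __name__ == "__main__":
    print(split_dn("cn=John Smith,ou=Austin,o=IBM,c=US"))   # the slide's example DN
    # Constructed value containing a comma: escaping keeps it one RDN.
    print(build_dn([("cn", "Smith, John"), ("ou", "Austin"), ("o", "IBM"), ("c", "US")]))
```

`build_dn` and `parse_dn` round-trip any value, so a directory client should build DNs only through an escaping helper like this rather than by string concatenation.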

  14. LDAP Naming • Referrals: a server may not store the entire DIT (v3) • Referrals • objectClass=referral, attribute=ref, value=LDAPurl • Implementation differs • Referrals/Chaining (vendor) • RFC 1777: server chaining is expected.

  15. LDAP Naming • Schema • Defines what object classes allowed • Where they are stored • What attributes they have (objectClass) • Which attributes are optional (objectClass) • Type/syntax of each attribute (objectClass) • Query server for info: zero-length DN • LDAP schema must be readable by the client

  16. LDAP Naming Examples

  17. LDAP Functions/Operations • Authentication • BIND/UNBIND • ABANDON • Query • Search • Compare entry • Update • Add an entry • Delete an entry (Only Leaf nodes, no aliases) • Modify an entry, Modify DN/RDN

  18. Client and Server Interaction • Client establishes session with server (BIND) • Hostname/IP and port number • Security • User-id/password based authentication • Anonymous connection - default access rights • Encryption/Kerberos also supported • Client performs operations • Read/Update/Search • SELECT X,Y,Z FROM PART_OF_DIRECTORY • Client ends the session (UNBIND) • Client can ABANDON the session

  19. BIND/UNBIND/ABANDON • Request includes LDAP version, the name the client wants to bind as, authentication type • Simple (clear text passwords, anonymous) • Kerberos v4 to the LDAP server (krbv42LDAP) • Kerberos v4 to the DSA server (krbv42DSA) • Server responds with a status indication • UNBIND: Terminates a protocol session • UnbindRequest ::= [APPLICATION 2] NULL • ABANDON: • MessageID to abandon

  20. Search/Compare • Request includes • baseObject: an LDAPDN • Scope: how many levels to be searched • derefAliases: handling of aliases • sizeLimit: max number of entries returned • timeLimit: max time allowed for search • attrsOnly: return attribute types OR values also • Filter: cond. to be fulfilled when searching • Attributes: List of entry’s attributes to be returned • Read and List implemented as searches • Compare: similar to search but returns T/F
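The Filter field of a search request is where the "SELECT ... FROM part of the directory" view from the previous slide meets user input. As an added example (not code from the presentation), the block below builds filters with RFC 4515 escaping so that characters such as `*`, `(`, `)` and `\` inside a value are data, never filter syntax; the helper names (`equals`, `person_lookup_filter`, `count_nodes`) and the sample inputs are this example's own.

```python
"""Building LDAP search filters with RFC 4515 value escaping.

Added example, not from the presentation. Attribute names are fixed by the
application; only values come from outside and are escaped, so no input can
add or remove filter components.
"""
import re

# Attribute descriptions: keystring or OID, optional ';option' tags (RFC 4512).
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape '*', '(', ')', '\\', NUL and other control bytes as \\XX.
    Non-ASCII bytes are hex-escaped too, which RFC 4515 permits."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x2A, 0x28, 0x29, 0x5C) or b < 0x20 or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def _check_attr(attr: str) -> str:
    if not _ATTR_RE.match(attr):
        raise ValueError("invalid attribute description: %r" % attr)
    return attr


def equals(attr: str, value: str) -> str:
    return "(%s=%s)" % (_check_attr(attr), escape_filter_value(value))


def present(attr: str) -> str:
    return "(%s=*)" % _check_attr(attr)


def starts_with(attr: str, prefix: str) -> str:
    return "(%s=%s*)" % (_check_attr(attr), escape_filter_value(prefix))


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(f: str) -> str:
    return "(!" + f + ")"


def person_lookup_filter(uid: str) -> str:
    """Filter for 'find one person by uid', with the uid escaped."""
    return and_(equals("objectClass", "inetOrgPerson"), equals("uid", uid))


def count_nodes(filter_str: str) -> int:
    """Every literal '(' in a correctly escaped filter is syntax, so this
    counts filter nodes; person_lookup_filter() always yields 3."""
    return filter_str.count("(")


if __name__ == "__main__":
    print(person_lookup_filter("jsmith"))
    print(person_lookup_filter("*"))          # constructed input: wildcard becomes \2a
```

`count_nodes` makes the guarantee visible: whatever the uid contains, the filter built for it keeps exactly three nodes, so a search that should match one person cannot be widened into a directory listing by its input.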

  21. ADD/MODIFY/DELETE • ADD request • Entry: LDAPDN • List of Attributes and values (or sets of values) • MODIFY request • Used to add, delete, modify attributes • Request includes • Object: LDAPDN • List of modifications (atomic) • Add, Delete, Replace • DELETE request • Object: LDAPDN • MODIFY RDN: LDAPDN, newRDN, DEL_FLAG

  22. Protocol Elements • LDAPMessage (MessageID unique)

  23. Protocol Elements • LDAPString ::= OCTET STRING • LDAPDN ::= LDAPString • RelativeLDAPDN ::= LDAPString • AttributeValueAssertion ::= SEQUENCE { attributeType AttributeType, attributeValue AttributeValue } • AttributeType ::= LDAPString • AttributeValue ::= OCTET STRING

  24. Protocol Elements • LDAP Result • Errors • Truncated DIT RDN sequence is sent • noSuchObject • aliasProblem • invalidDNSyntax • isLeaf etc.

  25. LDAP Security • Current LDAP version supports • Clear text passwords • KERBEROS version 4 authentication • Other authentication methods possible in future versions (March 1995) • SASL support added in version 3 • Kerberos deemed stronger than SASL…

  26. LDAP Security • Security based on the BIND model • Clear text → ver 1 • Kerberos → ver 1,2,3 (depr) • SASL → ver 3 • Simple Authentication and Security Layer • uses one of many authentication methods • Proposal for Transport Layer Security • Based on SSL v3 from Netscape

  27. LDAP Security • No Authentication • Basic Authentication • DN and password provided • Clear-text or Base 64 encoded • SASL (RFC 2222) • Parameters: DN, mechanism, credentials • Provides cross protocol authentication calls • Encryption can be optionally negotiated • ldap_sasl_bind() (ver3 call) • ldap://<ldap_server>/?supportedSASLMechanisms

  28. LDAP Security • LDAP using SASL using SSL/TLS

  29. LDAP Security • SSL/TLS Handshake

  30. Agenda • Background and Motivation • Understanding LDAP • Information Structure • Naming • Functions/Operations • Security • Protocol Model • Mapping onto Transport Services • Protocol Element Encoding • Discussion

  31. Protocol Model • Clients performing protocol operations against servers • Client sends protocol request to server • Server performs operation on directory • Server returns response (results/errors) • Asynchronous Server Behavior

  32. Directory Client/Server Interaction

  33. Mapping onto Transport • Uses Connection-oriented, reliable transport • TCP • LDAPMessage PDU mapped onto TCP byte stream • LDAP listener on port 389 • Connection Oriented Transport Service (COTS) • LDAP PDU is mapped directly onto T-Data

  34. Protocol Element Encoding • Encoded for exchange using BER (Basic Encoding Rules) • BER defined in Abstract Syntax Notation One (ASN.1) • High overhead for BER • Restrictions imposed to improve performance • Definite form of length encoding only • Bit Strings / Octet Strings and all character string types encoded in primitive form only
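Slides 19, 22 to 23 and 34 together describe what actually goes on the wire: an LDAPMessage sequence carrying a MessageID and a protocol operation, BER-encoded with definite lengths and primitive strings only. The block below is an added example (not code from the presentation) that encodes a BindRequest with simple authentication and an UnbindRequest using the RFC 1777 ASN.1 tags ([APPLICATION 0] for BindRequest, [APPLICATION 2] NULL for UnbindRequest, simple [0] OCTET STRING), and decodes the outer TLVs back; the function names and sample DN/password are this example's own.

```python
"""Minimal BER encoder/decoder for LDAPMessage (RFC 1777 tags).

Added example, not from the presentation. Only the subset LDAP needs:
definite-length encoding, primitive OCTET STRINGs, non-negative INTEGERs.
"""


def ber_length(n: int) -> bytes:
    """Definite-form length only (the restriction from slide 34)."""
    if n < 0x80:
        return bytes([n])                          # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: count byte + length bytes


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement, non-negative values only."""
    if value < 0:
        raise ValueError("negative INTEGER not needed for LDAP message IDs/versions")
    n = max(1, (value.bit_length() + 8) // 8)      # one extra bit keeps the sign clear
    return ber_tlv(0x02, value.to_bytes(n, "big", signed=True))


def ber_octet_string(data: bytes) -> bytes:
    return ber_tlv(0x04, data)                     # primitive form only


def ber_sequence(*elems: bytes) -> bytes:
    return ber_tlv(0x30, b"".join(elems))          # SEQUENCE, constructed


def bind_request(version: int, name: str, password: bytes) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version, name LDAPDN,
    authentication CHOICE { simple [0] OCTET STRING, ... } }"""
    simple_auth = ber_tlv(0x80, password)          # [0] context-specific, primitive
    body = ber_integer(version) + ber_octet_string(name.encode("utf-8")) + simple_auth
    return ber_tlv(0x60, body)                     # [APPLICATION 0], constructed


def unbind_request() -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL -> tag 0x42, zero-length content."""
    return ber_tlv(0x42, b"")


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber_sequence(ber_integer(message_id), protocol_op)


def ber_read_tlv(buf: bytes, offset: int = 0):
    """Parse one definite-length TLV; returns (tag, content, next_offset)."""
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:
        length, pos = first, offset + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
        pos = offset + 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def message_id_and_op_tag(msg: bytes):
    """Decode the outer LDAPMessage: returns (messageID, protocolOp tag)."""
    tag, content, _ = ber_read_tlv(msg)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    int_tag, mid, nxt = ber_read_tlv(content)
    if int_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, _, _ = ber_read_tlv(content, nxt)
    return int.from_bytes(mid, "big", signed=True), op_tag


if __name__ == "__main__":
    # Constructed sample: simple bind as a DN with a clear-text password,
    # exactly the "simple" method slide 19 lists.
    print(ldap_message(1, bind_request(3, "cn=admin,o=IBM", b"secret")).hex())
    print(ldap_message(2, unbind_request()).hex())
```

The hex dump of the bind shows why the slides flag simple authentication: the password travels as a plain OCTET STRING inside the BER stream, so it is readable to anyone on the path unless the session runs over the SSL/TLS layer from slides 28 and 29.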

  35. LDAP Implementations • C Library API • LDAPv2 - RFC 1823 ‘The LDAP API’ • LDAPv3 – In Internet Draft stage • Java JNDI • LDAP v3 uses the UTF-8 encoding of the Unicode character set. • HTTP to LDAP gateway • LDAP to X.500 gateway – ldapd

  36. Version 2 v/s Version 3 • Referrals • A server that does not store the requested data can refer the client to another server. • Security • Extensible authentication using Simple Authentication and Security Layer (SASL) • Internationalization • UTF-8 support for international characters. • Extensibility • New object types and operations can be dynamically defined and schema published in a standard manner.
