Understanding Lightweight Directory Access Protocol (LDAP)

lightweight directory access protocol n.w
1 / 45
Embed
Share

Learn about Lightweight Directory Access Protocol (LDAP), an application protocol for querying and modifying directory services. Explore how LDAP organizes data in a hierarchical manner, its deployment using Domain Name System (DNS) names, data structure, current version, and origin influencing telecommunication and IT industries.

  • LDAP
  • Directory Services
  • Data Organization
  • Networking
  • Telecommunication
rayaanacharya
ddrum Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Lightweight Directory Access Protocol LDAP

  2. LDAP Directory A set of objects with similar attributes Organized in a logical and hierarchical manner Example: Telephone directory Series of names (either of persons or organizations) Organized alphabetically Each name has an address and phone number

  3. LDAP An application protocol For querying and modifying directory services Runs over TCP/IP LDAP is often used by other services for authentication

  4. LDAP LDAP directory tree Often reflects various Political Geographic Organizational boundaries Depends on the model chosen

  5. LDAP LDAP deployments today tend to use Domain Name System (DNS) names for structuring the topmost levels of the hierarchy Deep inside the directory might appear entries representing People Organizational units Printers Documents Groups of people Anything else which represents a given tree entry (or multiple entries)

  6. LDAP Data Structure Hierarchical Flat dc: domain component ou: organizational unit

  7. LDAP Current version is LDAPv3 Specified in a series of Internet Engineering Task Force Standard Track Requests for comments (RFCs) Detailed in RFC 4510

  8. Origin and influences

  9. Origin and influences Telecommunication companies introduced the concept of directory services Information Technology Computer Networking Understanding of directory requirements was well- developed after some 70 years of producing and managing telephone directories The culmination of this input was the comprehensive X.500 specification Suite of protocols produced by the International Telecommunication Union (ITU) in the 1980s

  10. Origin and influences X.500 directory services Accessed via the X.500 Directory Access Protocol (DAP) Required the Open Systems Interconnection (OSI) protocol stack LDAP originally intended to be a "lightweight" alternative protocol for accessing X.500 directory services Through the simpler TCP/IP protocol stack Model of directory access was borrowed from other protocols

  11. Origin and influences Standalone LDAP directory servers followed Also directory servers supporting both DAP and LDAP LDAP has become popular in enterprises Removed any need to deploy an OSI network X.500 directory protocols including DAP can also be used directly over TCP/IP

  12. Origin and influences Early engineering stages of LDAP Known as Lightweight Directory Browsing Protocol, or LDBP Renamed as the scope of the protocol was expanded to include: Directory browsing and searching functions Directory update functions

  13. Protocol overview

  14. Protocol overview Client starts an LDAP session by connecting to an LDAP server Default on TCP port 389 Client sends operation requests to the server Server sends responses in turn (e.g. whenever it wants) With some exceptions the client need not wait for a response before sending the next request Server may send the responses in any order

  15. Protocol overview Client may request the following operations: Start TLS Optional Protect the connection with Transport Layer Security (TLS) Bind Authenticate and specify LDAP protocol version Search Search for and/or retrieve directory entries Compare Test if a named entry contains a given attribute value Add a new entry Delete an entry Modify an entry Modify Distinguished Name (DN) Move or rename an entry Abandon Abort a previous request Extended Operation Generic operation used to define other operations Unbind Close the connection (not the inverse of Bind) Server may send "Unsolicited Notifications Not responses to any request e.g. Warning of an impending connection time out

  16. Protocol overview Common way of making a secure LDAP communication is using an SSL tunnel Denoted in LDAP URLs by using the URL scheme "ldaps" Default port for LDAP over SSL is 636 Use of LDAP over SSL was common in LDAP Version 2 LDAPv2 Was never standardized in any formal specification Usage has been deprecated along with LDAPv2 Officially retired in 2003 LDAP is defined in terms of ASN.1 Protocol messages are encoded in the binary format BER Uses textual representations for a number of ASN.1 fields/types

  17. Directory structure

  18. Directory structure Protocol access of LDAP directories Directory is a tree of directory entries Entry consists of a set of attributes An attribute has a name an attribute type or attribute description one or more values Attributes are defined in a schema Each entry has a unique identifier: Distinguished Name (DN) Consists of its Relative Distinguished Name (RDN) constructed from some attribute(s) in the entry Followed by the parent entry's DN Think of the DN as a full filename RDN as a relative filename in a folder

  19. Directory structure DN may change over the lifetime of the entry For instance, if entries move within a tree To reliably and unambiguously identify entries UUID might be provided in the set of the entry's operational attributes

  20. Directory structure Note:LDAP is a binary protocol Example entry represented in LDAP Data Interchange Format (LDIF): dn: cn=John Doe,dc=example,dc=com cn: John Doe givenName: John sn: Doe telephoneNumber: +1 888 555 6789 telephoneNumber: +1 888 555 1234 mail: john@example.com manager: cn=Barbara Doe,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top Where: dn (distinguished name) is the name of the entry it's not an attribute nor part of the entry "cn=John Doe" is the entry's RDN "dc=example,dc=com" is the DN of the parent entry. Other lines show the attributes in the entry Attribute names are typically mnemonic strings "cn" for common name, "dc" for domain component "mail" for e-mail address "sn" for surname

  21. Directory structure A server holds a subtree starting from a specific entry, e.g. "dc=example,dc=com" and its children Servers may also hold references to other servers An attempt to access "ou=department,dc=example,dc=com" could return a referral or continuation reference to a server which holds more of the directory tree Client can then contact the other server Some servers also support chaining Server contacts other server(s) and returns the results to the client

  22. Directory structure LDAP rarely defines any ordering: Server may return the values in an attribute the attributes in an entry the entries found by a search operation in any order Follows from the formal definitions an entry is defined as a set of attributes an attribute is a set of values sets need not be ordered

  23. Operations

  24. Operations Client gives each request a positive Message ID Server response has the Message ID returned Response includes a numeric result code indicating: Success An error condition Or some other special cases Before the response, the server may send other messages with other result data For example: Each entry found by the Search operation is returned as a message

  25. Operations: StartTLS StartTLS operation Establishes Transport Layer Security on the connection a descendant of SSL Provides data confidentiality and/or data integrity protection Protect from tampering During TLS negotiation server sends its X.509 certificate to prove its identity Client may also send a certificate to prove its identity Client may then use SASL/EXTERNAL to have this identity used in determining the identity used in making LDAP authorization decisions

  26. Operations: Bind (authenticate) Bind operation authenticates the client to the server Simple Bind can send the user's DN and password in plaintext Connection should be protected using Transport Layer Security (TLS) Server typically checks the password Against the userPassword attribute in the named entry Anonymous Bind (with empty DN and password) resets the connection to anonymous state SASL (Simple Authentication and Security Layer) Bind provides authentication services through a wide range of mechanisms Kerberos or the client certificate sent with TLS Bind also sets the LDAP protocol version Normally clients should use LDAPv3 Default in the protocol but not always in LDAP libraries Bind had to be the first operation in a session in LDAPv2 Not required in LDAPv3 (the current LDAP version)

  27. Operations: Search and Compare The Search operation is used to both search for and read entries Its parameters are: baseObject DN (Distinguished Name) of the entry at which to start the search scope BaseObject (search just the named entry, typically used to read one entry) SingleLevel (entries immediately below the base DN) WholeSubtree (the entire subtree starting at the base DN) filter How to examine each entry in the scope. E.g. (&(objectClass=person)(|(givenName=John)(mail=john*))) search for persons who either have given name John or an e-mail address starting with john. derefAliases Whether and how to follow alias entries (entries which refer to other entries) attributes Which attributes to return in result entries sizeLimit, timeLimit Max number of entries, and max search time typesOnly Return attribute types only, not attribute values

  28. Operations: Search and Compare Server returns Matching entries Maybe continuation references (in any order) Followed by the final result with the result code Compare operation -a DN -an attribute name -an attribute value Checks if the named entry contains that attribute with that value

  29. Operations: Update operations Add, Delete, and Modify DN All require the DN of the entry that is to be changed Modify takes a list of attributes to modify and the modifications to each: Delete the attribute of some values Add new values Replace the current values with the new ones. Add operations also can have additional attributes and values for those attributes

  30. Operations: Update operations Modify DN (move/rename entry) takes: New RDN (Relative Distinguished Name) (optionally) the new parent's DN Flag which says whether to delete the value(s) in the entry which match the old RDN Server may support renaming of entire directory subtrees

  31. Operations: Update operations An update operation is atomic: Later operations will see either the new entry or the old one LDAP does not define transactions of multiple operations If you read an entry and then modify it, another client may have updated the entry in the mean time Servers may implement extensions which support this, however

  32. Operations: Extended operations Extended Operation A generic LDAP operation can be used to define new operations Examples include the Cancel Password Modify Start TLS operations

  33. Operations: Abandon The Abandon operation requests that the server aborts an operation named by a message ID The server need not honor the request Neither Abandon nor a successfully abandoned operation sends a response Cancel: an extended operation which does send a response Not all implementations support cancel

  34. Operations: Unbind The Unbind operation abandons any outstanding operations and closes the connection It has no response Name is of historical origin: It is not the opposite of the Bind operation. Clients can abort a session by simply closing the connection, but they should use Unbind Otherwise server cannot tell the difference between a failed network connection (or a truncation attack) and a discourteous client

  35. LDAP URLs

  36. LDAP URLs LDAP URL format exists Clients support in varying degree Servers return in referrals and continuation references Typical form: ldap://host:port/DN?attributes?scope?filter?extensions The attributes, scope, filter and extensions are positional I.E. if one of parameters is not used the ? is still required except at the end E.g. no scope or extensions ldap://fred.uncc.edu/DN?att1??filt1

  37. LDAP URLs Most components are optional host is the DNS or IP address of the LDAP server to search port is the network port of the LDAP server DN is the distinguished name to use as the search base attributes is a comma-separated list of attributes to retrieve scope specifies the search scope and can be "base" (the default), "one" or "sub" filter is a search filter, e.g. (objectClass=*) (see RFC 4515) extensions are extensions to the LDAP URL format Examples: "ldap://ldap.example.com/cn=John%20Doe,dc=example,dc=com refers to all user attributes in John Doe's entry in ldap.example.com As in other URLs, special characters must be percent-encoded "ldap:///dc=example,dc=com??sub?(givenName=John)" searches for the entry in the default server DN: example.com No attributes Scope: sub Filter: givenName=John No extensions There is a similar non-standard "ldaps:" URL scheme for LDAP over SSL

  38. Usage

  39. Usage Applications Reasons to choose LDAP for a service: Widely supported Data presented in LDAP is available to many clients and libraries LDAP is very general and includes basic security Can support many types of applications Choosing general protocols like LDAP and HTTP: Allows focusing on a few protocols Instead of having to maintain and upgrade many specialized protocols Two common applications of LDAP: Computer user/group data Address book information (persons, departments etc) Many e-mail clients support LDAP lookups Some tasks LDAP does not handle well: Model a relational database Data that is frequently updated Data whose ordering must be preserved An extension does exist for this

  40. Usage Naming structure An LDAP server can return referrals to other servers for requests the server itself will not/can not serve A naming structure for LDAP entries is needed so one can find a server holding a given DN A structure already exists in the Domain name system (DNS) Servers' top level names often mimic DNS names If an organization has domain name foo.example Its top level LDAP entry will therefore typically have the DN dc=foo,dc=example where dc means domain component If the ldap server is also named ldap.foo.example, the organization's top level LDAP URL becomes ldap://ldap.foo.example/dc=foo,dc=example Below the top level, the entry names will typically reflect the organization's internal structure or needs rather than DNS names

  41. Terminology

  42. Terminology The LDAP terminology one can encounter can be confusing Some of this confusion is due to misunderstandings Other examples are due to its historical origins Others arise when used with non-X.500 services that use different terminology For example, "LDAP" is sometimes used to refer to the protocol Other times to the protocol and the data An "LDAP directory" may be the data or also the access point An "attribute" may be: the attribute type the contents of an attribute in a directory an attribute description (an attribute type with options) An "anonymous" and an "unauthenticated" Bind are different Bind methods that both produce anonymous authentication state So both terms are being used for both variants The "uid" attribute should hold user names rather than numeric user IDs

  43. Closing remarks LDAP is good for retrieving simple hierarchical type of data Lookup directory type of information The data is already organized LDAP is not good for relational type data LDAP is not a good choice when the data is changed or updated frequently

  44. Resources: http://www.ldapman.org/articles/intro_to_lda p.html http://quark.humbug.org.au/publications/ldap/ ldap_tut.html

  45. Which is not a good use for LDAP: 1. Finding peoples names and phone numbers 2. Finding departments and department members 3. Searching relational data 4. Organizing user names, userids, and capabilities 96% 4% 0% 0% 1. 2. 3. 4.

Related


Short Term Loans UK Use Debit Cards to Manage Emergencies

Short Term Loans UK Use Debit Cards to Manage Emergencies

Nueva
Short Term Loans UK Use Debit Cards to Manage Emergencies

Short Term Loans UK Use Debit Cards to Manage Emergencies

Nueva
Apache MINA: High-performance Network Applications Framework

Apache MINA: High-performance Network Applications Framework

eilidh
Secure Shared Data Analysis Environment on Kubernetes at CERN

Secure Shared Data Analysis Environment on Kubernetes at CERN

kornelia
Short Term Rental Public Meeting in Fairfield County Government Complex

Short Term Rental Public Meeting in Fairfield County Government Complex

jeffrey
Direct Lender - Traditional Loan Solution - Short Term Loans UK

Direct Lender - Traditional Loan Solution - Short Term Loans UK

Sarah1
Quick and Easy access to Cash with Direct Lender's Short Term Loans UK

Quick and Easy access to Cash with Direct Lender's Short Term Loans UK

Sarah1
Short Term Loans UK the Best Option for You Is A Direct Lender

Short Term Loans UK the Best Option for You Is A Direct Lender

Helen1
Short Term Funding A Special Way to Get Out of Debt Overall

Short Term Funding A Special Way to Get Out of Debt Overall

Helen1
Short I Advanced Lesson: Improve Your Pronunciation Skills

Short I Advanced Lesson: Improve Your Pronunciation Skills

zakariya
Activities Unlimited Short Breaks Service Overview

Activities Unlimited Short Breaks Service Overview

amayah
Short Stories: Elements and Formats

Short Stories: Elements and Formats

milosz
The Art of the Short Story

The Art of the Short Story

vito
Crafting Compelling Short Stories Workshop

Crafting Compelling Short Stories Workshop

sephir
Leveraging the Power of Short Videos for Business Growth

Leveraging the Power of Short Videos for Business Growth

vladimi
Fife Council Short-term Let Licensing Consultation Responses June 2022

Fife Council Short-term Let Licensing Consultation Responses June 2022

nair_n
Exploring Writing Styles in Short Stories: Key Features and Approaches

Exploring Writing Styles in Short Stories: Key Features and Approaches

veth901
Enhancing Identity and Access Management Services at UHawaii

Enhancing Identity and Access Management Services at UHawaii

rnav
Short-Run Production and Cost Concepts

Short-Run Production and Cost Concepts

zyrionva
Themes in Short Stories: A Literary Analysis Journey

Themes in Short Stories: A Literary Analysis Journey

sowl_lin
Financial Decision Making and Short-Term Financing Options

Financial Decision Making and Short-Term Financing Options

taer596
Short Term Mortgages Flexible Financing for Property Purchases

Short Term Mortgages Flexible Financing for Property Purchases

Basic

More Related Content