• Aucun résultat trouvé

The LDAP Protocol…

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "The LDAP Protocol…"

Copied!
37
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

The LDAP Protocol…

Amrish Kaushik

Graduate Student USC – Computer Science (CN)

(2)

Agenda

Background and Motivation

Understanding LDAP

Information Structure

Naming

Functions/Operations

Security

Protocol Model

Mapping onto Transport Services

Protocol Element Encoding

(3)

Background and Motivation

Increased reliance on networked computers

Need in information

Functionality

Ease-of-Use

Administration (Application specific dirs)

Clear and consistent organization

Integrity

(4)

X.500

X.500 standard. CCITT 1988

Refer ISO 9594 – X.500-X.521 of 1990

(5)

X.500

Organizes directory entries into a hierarchical namespace

Powerful search capabilities

Often used for interfacing incompatible directory services

Used DAP for c/s communication

DAP (App. Layer) requires ENTIRE OSI stack to operate

(6)

What is LDAP?

Lightweight Directory Access Protocol

Used to access and update information in a directory built on the X.500 model

Specification defines the content of messages between the client and the server

Includes operations to establish and disconnect a session from the server

(7)

LDAP Server: G/S

(8)

Understanding LDAP

Lightweight alternative to DAP

Uses TCP/IP instead of OSI stack

Simplifies certain functions and omits others…

Uses strings rather than DAP’s ASN.1 notation to represent data.

(9)

LDAP

Information

Structure of information stored in an LDAP directory.

Naming

How information is organized and identified.

Functional / Operations

Describes what operations can be performed on the information stored in an LDAP directory.

Security

Describes how the information can be protected from unauthorized access.

(10)

LDAP Information Storage

(11)

LDAP Information Storage

Each attribute has a type/syntax and a value

Can define how values behave during searches/directory operations

Syntax: bin, ces, cis, tel, dn etc.

Usage limits: ssn – only one, jpegPhoto – 10K

(12)

LDAP Information Storage

Each ‘entry’ describes an object (Class)

Person, Server, Printer etc.

Example Entry:

InetOrgPerson(cn, sn, ObjectClass)

Example Attributes:

cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

(13)

LDAP Naming

DNs consist of sequence of Relative DN

cn=John Smith,ou=Austin,o=IBM,c=US (Leaf 2 Root) (~use \ for special)

Directory Information Tree (DIT)

Follow geographical or organizational scheme

Aliases: Tree-like,

Aliases can link non-leaf nodes

(14)

LDAP Naming

Referrals: May not store entire DIT (v3)

Referrals

objectClass=referral, attribute=ref, value=LDAPurl

Implementation differs

Refferals/Chaining (vendor)

RFC 1777: server chaining is expected.

(15)

LDAP Naming

Schema

Defines what object classes allowed

Where they are stored

What attributes they have (objectClass)

Which attributes are optional (objectClass)

Type/syntax of each attribute (objectClass)

Query server for info: zero-length DN

LDAP schema must be readable by the

(16)

LDAP Naming Examples

Attribute Type String

CommonName CN

LocalityName L

StateorProvinceName ST

OrganizationName O

OrganizationalUnitName OU

CountryName C

StreetAddress STREET

(17)

LDAP Functions/Operations

Authentication

BIND/UNBIND

ABANDON

Query

Search

Compare entry

Update

Add an entry

Delete an entry (Only Leaf nodes, no aliases)

(18)

Client and Server Interaction

Client establishes session with server (BIND)

Hostname/IP and port number

Security

User-id/password based authentication

Anonymous connection - default access rights

Encryption/Kerberos also supported

Client performs operations

Read/Update/Search

SELECT X,Y,Z FROM PART_OF_DIRECTORY

(19)

BIND/UNBIND/ABANDON

Request includes LDAP version, the name the client wants to bind as, authentication type

Simple (clear text passwords, anonymous)

Kerberos v4 to the LDAP server (krbv42LDAP)

Kerberos v4 to the DSA server (krbv42DSA)

Server responds with a status indication

UNBIND: Terminates a protocol session

UnbindRequest ::= [APPLICATION 2] NULL

ABANDON:

(20)

Search/Compare

Request includes

baseObject: an LDAPDN

Scope: how many levels to be searched

derefAliases: handling of aliases

sizeLimit: max number of entries returned

timeLimit: max time allowed for search

attrsOnly: return attribute types OR values also

Filter: cond. to be fulfilled when searching

Attributes: List of entry’s attributes to be returned

(21)

ADD/MODIFY/DELETE

ADD request

Entry: LDAPDN

List of Attributes and values (or sets of values)

MODIFY request

Used to add, delete, modify attributes

Request includes

Object: LDAPDN

List of modifications (atomic)

Add, Delete, Replace

DELETE request

Object: LDAPDN

MODIFY RDN: LDAPDN, newRDN, DEL_FLAG

(22)

Protocol Elements

LDAPMessage (MessageID unique)

(23)

Protocol Elements

LDAPString ::= OCTET STRING

LDAPDN ::= LDAPString

RelativeLDAPDN ::= LDAPString

AttributeValueAssertion ::=

Sequence {

attributeType attributeValue, attributeValue attributeValue }

attributeType ::= LDAPString

(24)

Protocol Elements

LDAP Result

Errors

Truncated DIT RDN sequence is sent

noSuchObject

aliasProblem

invalidDNSyntax

(25)

LDAP Security

Current LDAP version supports

Clear text passwords

KERBEROS version 4 authentication

Other authentication methods possible in future versions (March 1995)

SASL support added in version 3

Kerberos deemed stronger than SASL…

(26)

LDAP Security

Security based on the BIND model

Clear text  ver 1

Kerberos  ver 1,2,3 (depr)

SASL  ver 3

Simple Authentication and Security Layer

uses one of many authentication methods

Proposal for Transport Layer Security

(27)

LDAP Security

No Authentication

Basic Authentication

DN and password provided

Clear-text or Base 64 encoded

SASL (RFC 2222)

Parameters: DN, mechanism, credentials

Provides cross protocol authentication calls

Encryption can be optionally negotiated

ldap_sasl_bind() (ver3 call)

Ldap://<ldap_server>/?supportedsaslmechanisms

(28)

LDAP Security

LDAP using SASL using SSL/TLS

(29)

LDAP Security

SSL/TLS Handshake

(30)

Agenda

Background and Motivation

Understanding LDAP

Information Structure

Naming

Functions/Operations

Security

Protocol Model

Mapping onto Transport Services

Protocol Element Encoding

(31)

Protocol Model

Clients performing protocol operations against servers

Client sends protocol request to server

Server performs operation on directory

Server returns response (results/errors)

Asynchronous Server Behavior

(32)

Directory Client/Server

Interaction

(33)

Mapping onto Transport

Uses Connection-oriented, reliable transport

TCP

LDAPMessage PDU mapped onto TCP byte stream

LDAP listener on port 389

Connection Oriented Transport Service (COTS)

LDAP PDU is mapped directly onto T-Data

(34)

Protocol Element Encoding

Encoded for Exchange using BER (Basic Encoding Rules)

BER defined in Abstract Syntax Notation One (ASN.1)

High Overhead for BER

Restrictions imposed to improve perf.

Definite form of length encoding only

Bit Strings/ Octet Strings and all character string

(35)

LDAP Implementations

C Library API

LDAPv2 - RFC 1823 ‘The LDAP API’

LDAPv3 – In Internet Draft stage

Java JNDI

LDAP v3 uses the UTF-8 encoding of the Unicode character set.

HTTP to LDAP gateway

LDAP to X.500 gateway – ldapd

(36)

Version 2 v/s Version 3

Referrals

A server that does not store the requested data can refer the client to another server.

Security

Extensible authentication using Simple Authentication and Security Layer (SASL)

Internationalization

UTF-8 support for international characters.

Extensibility

New object types and operations can be dynamically

Références

Télécharger maintenant ( PPT - 37 Page - 336.00 KB )

Documents relatifs

To interpret the information stored in the directory, the schema must be known to all the components of the directory

The proposal allows the algorithmic resolution of unknown objects in the directory and in the absence of 1993 X.500 Directory Standard implementations provides an interim

Overview of the LDAP Model LDAP is the lightweight directory access protocol, described in [2] and [7]

All synchronous routines return an indication of the outcome of the operation (e.g, the constant LDAP_SUCCESS or some other error code).. The asynchronous routines return

URL Definition An LDAP URL begins with the protocol prefix &#34;ldap&#34

The &lt;dn&gt; is an LDAP Distinguished Name using the string format described in [1], with any URL-illegal characters (e.g., spaces) escaped using the % method described in RFC

This document defines the schema for representing CORBA object references in an LDAP directory [LDAPv3]

Using this common schema, any CORBA application that needs to read or store CORBA object references in the directory can do so in an interoperable way.. Note that this schema

Abstract This document describes the fundamental requirements of an access control list (ACL) model for the Lightweight Directory Application Protocol (LDAP) directory service

An authorization policy may be defined in terms of access control lists, capabilities, or attributes assigned to security subjects, security objects, or both.. Control

Abstract This document provides procedures for registering extensible elements of the Lightweight Directory Access Protocol (LDAP)

Subject: Request for LDAP Protocol Mechanism Registration Object

The IntermediateResponse message is defined in such a way that the protocol behavior of existing LDAP operations is maintained

Any LDAP operation may be extended by the addition of one or more controls ([RFC2251] Section 4.1.12). A control’s semantics may include the return of zero or

This document details the use of Language Tags and Ranges in the Lightweight Directory Access Protocol (LDAP)

If the server does not support storing attributes with language tag options in the DIT, then any assertion which includes a language range option will not match as it is