LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH

WHAT IS LDAP LDAP IS LIGHT WEIGHT SUFFICIENT STRAIGHT FORWARD EASY TO IMPLEMENT AS AGAINST X.500 DAP WHICH IS HEAVY WEIGHT

LDAP DIRECTORY BECAUSE DATA IS ORGANISED IN THE FORM OF TREE MUCH LIKE UNIX FILE SYSTEM USES SIMPLIFIED SET OF ENCODING RUNS DIRECTLY ABOVE TCP/IP USES STRING TO REPRESENT DATA

LDAP LDAP SECURITY MODEL : DEFINES HOW INFORMATION CAN BE PROTECTED FROM UNAUTHORISED ACCESS

LDAP LDAP API THERE ARE SEVERAL LDAP API APPLICATION PROGRAMMING INTERFACE OLDEST ONES WRITTEN IN C NOW A DAYS LDAP API S ARE AVAILABLE IN OTHER PROGRAMMING LANGUAGES LIKE PERL JAVA

HOW LDAP WORKS LDAP DIRECTORY SERVICE IS BASED ON CLIENT SERVER MODEL LDAP IS A MESSAGE ORIENTED PROTOCOL CLIENT CONSTRUCTS AN LDAP MESSAGE CONTAINING A REQUEST AND SENDS IT TO THE SERVER

HOW LDAP WORKS SERVER PROCESSES THE REQUEST AND SENDS IT BACK TO THE CLIENT IN THE FORM OF LDAP MESSAGE

LDAP BACKENDS THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP SERVER CALLED SLAPD COMES WITH THREE DIFFERENT BACKEND DATABASES WE ASSUME THAT IN OUR CASE WE USE LDBM THE MOST USED ONE

HOW LDAP WORKS LDAP DATABASE WORKS BY ADDING A COMPACT FOUR BYTE UNIQUE IDENTIFIER INDEX FILES ARE MAINTAINED FOR REFERRING TO DATA

LDAP PROTOCOL OPERATION INTERROGATION OPERATION : SEARCH, COMPARE ADD DELETE OPERATOIN : ADD, DELETE, MODIFY, MODIFY DN AUTHENTICATION AND CONTROL OPERATION : BIND, UNBIND, ABANDON

LDAP INFORMATION MODEL BASIC UNIT IS ENTRY ( A COLLECTION OF INFORMATION ABOUT AN OBJECT ) AN ENTRY IS COMPOSED OF A SET OF ATTRIIBUTES

LDIF LDIF STANDS FOR LDAP DATA INTERCHANGE FORMAT DIRECTORY ENTRIES IN LDAP ARE IN THE FORM OF LDIF

LDIF FORMAT BASIC FORM OF LDIF : #COMMENT DN: : : ….. EXAMPLE : DN: UID=ALAKESH DC=IIT DC=EDU

LDAP IN ADDITION TO BEING A NETWORK PROTOCOL IT ALSO DEFINES FOUR MODELS LDAP INFORMATION MODEL : DEFINES THE KIND OF DATA U PUT LDAP NAMING MODEL : HOW U ORGANISE AND REFER TO DIRECTORY INFORMATION

LDIF FORMAT LINES STARTING WITH # ARE CONSIDERED TO BE COMMENTS ALL OTHER ATTRIBUTES ARE WRITTEN IN = FORM

LDIF EACH ENTRY IS UNIQUELY IDENTIFIED BY A DISTINIGUISHED NAME OR DN. THE DN CONSISTS OF THE NAME OF THE ENTRY PLUS A PATH IN THE DIRECTORY TREE TRACING BACK TO THE TOP OF THE DIRECTORY HIERARCHY THE OBJECT CLASS DEFINES THE CLASS OF THE ATTRIBUTES THAT CAN BE USED TO DEFINE AN ENTRY

LDIF DIRECTORY DATA IS REPRESENTED AS ATTRIBUTE-VALUE PAIR. ANY SPECIFIC PIECE OF INFORMATION IS ASSOSICATED WITH A DESCRIPTIVE ATTRIBUTE

LDAP CONFIGURATION THE CONFIGURATION FILE SLAPD.OC.CONF CONTAINS THE DEFINITION OF ALL THE OBJECT CLASSES THE ATTRIBUTES OF THE OBJECT CLASSES ARE DEFINED IN SLAPD.AT.CONF FILE

LDAP CONFIGURATION EACH OBJECT CLASS HAS REQUIRED AND ALLOWED ATTRIBUTE REQUIRED ATTRIBUTES MUST BE PRESENT WHILE ALLOWED ARE OPTIONAL

LDAP CONFIGURATION EACH ATTRIBUTE HAS CORRESPONDING SYNTAX DEFINITION

LDAP ACCESS CONTROL ACCESS TO [ BY ] THIS DIRECTIVE GRANTS ACCESS TO A SET OF ENTRIES/ATTRIBUTES BY ONE OR MORE REQUESTERS EXAMPLE : ACCESS TO * BY * READ

LDAP ACCESS CONTROL THE ABOVE DIRECTIVE GIVES READ PERMISSION TO EVERYONE FOR EXAMPLE ACCESS TO DN=“. *, C=INDIA” BY * SEARCH GIVES SEARCHING PERMS TO ENTRIES UNDER C=INDIA SUBTREE

LDAPADD OPENLDAP PACKAGE COMES WITH SHELL EXECUTABLE NAMED LDAPADD USED TO ADD ENTRIES TO THE DATABASE WHILE LDAP SERVER IS RUNNING BASIC SYNTAX IS LDAPADD -F -D -w / -W ( IF PASSWORD IS TO BE PROMPTED.

LDAPDELETE ANOTHER SHELL EXECUTABLE FOR DELETING ENTRIES ITS SYNTAX IS LDAPDELETE ‘CN=HI,O=IITB,C=INDIA’

LDAPMODIFY ITS ANOTHER SHELL EXECUTABLE TO MODIFY DATA IN THE DIRECTORY DATABASE IT HAS SIMILAR SYNTAX TO LDAPADD

LDAPSEARCH SHELL ACCESSIBLE INTERFACE TO LDAP_SEARCH() C ROUTINE LDAPSEARCH OPENS CONNECTION TO THE LDAPSERVER PERFORMS SEARCH WHICH FOLLOWS FILTERING RULES DEFINED IN RFC1558

LDAPSEARCH FOR EXAMPLE LDAPSEARCH -B “C=INDIA” “O=IITB” IF * IS ALLOWED READ ACCESS BY DEFAULT THE O=IITB WILL BE RETURNED -B OPTION SEARCHES FOR THE SEARCH BASE

LDAP AND JAVA CONNECTIVITY THERE EXISTS A PACKAGE CALLED JNDI ( JAVA NAMING AND DIRECTORY INTERFACE ) IT CONTAINS API S NEEDED TO CONNECT LDAP SERVER RETRIEVE INFORMATION

JNDI EXAMPLE A typical code WRITTEN USING JNDI TO DO LDAP SEARCH will be like this ….. import java.util.Hashable ; import java.util.Enumeration ; import javax.naming.* ; import javax.naming.directory.* ; class Search { public static void main(String[] args){ Hashtable env = new Hashtable(5, 0.75f) ; env.put(Context.INITIAL_CONTEXT_FACTORY,Env.INITCTX) ; env.put(Context.PROVIDER_URL, Env.MY_SERVICE ) ; ……………………….

Most ldap servers are optimized for read-intensive operations.Thus, one can see an order of magnitude difference when reading data from an ldap directory versus obtaining the same data from a relational database server optimized for OLTP. Because of this optimization, however, most LDAP directories are not suited for storing data where changes are frequent. Why Ldap?