LDAP Overview - HEPix - LAL 2001
Michel Jouvin, HEPix – LAL, Apr. 2001 (23/4/2001)

Presentation transcript:


Outline
- LDAP: what is it?
- X500
  - A short history
  - Information model and naming
- LDAP
  - A short history
  - Search operation and filters
  - Access control

LDAP: What Is It?
- Lightweight Directory Access Protocol
  - An access protocol
  - Originally designed for X500 access
- Built on the X500 paradigm
  - Data abstraction
  - Hierarchical naming of entries
- Does not specify the server side

X500: Historical Milestones…
- 1984: start of the design as the OSI directory application
  - Driven by CCITT
- 1988: X500 v1
  - Hierarchical organization and naming of data
  - Client/server model
    - Client/server protocol: DAP
    - Server/server protocol: DSP
  - X509 v1: authentication based on asymmetric encryption

… X500: Historical Milestones
- 1993: X500 v2
  - Addition of replication (shadowing): DISP
- 1997: X500 v3
  - X509 v3: extension of X509 for certificates
- 2001: X500 v4
  - X509 v4: enhanced handling of certificates and privilege management architecture

Information Model…
- Directory object = entry
  - Defined by its attributes
  - Belongs to an object class
- Attributes: describe an entry's characteristics
  - Type/value pairs
  - Type: defines a syntax
  - Matching rules defined for each type
  - Support for multi-valued attributes

… Information Model
- Object class
  - Defines a set of allowed/mandatory attributes
  - (Multiple) inheritance between object classes
- Schema: set of object classes for one purpose
  - Can restrict allowed attributes/syntaxes
  - Several standard schemas proposed
    - inetOrgPerson schema: to represent a person
    - Java schema: to represent Java objects in LDAP

X500 Naming: DIT and DN…
(Figure: example DIT, reconstructed from the slide's diagram)
  root
  ├── C=US
  ├── C=FR                        RDN=FR
  │   ├── O=IN2P3                 RDN=IN2P3
  │   │   ├── OU=LAL              RDN=LAL
  │   │   │   └── CN=Jouvin       RDN=Jouvin
  │   │   └── OU=CC
  │   └── O=CEA
  └── O=HEP

…X500 Naming: DIT and DN
- RDN: Relative Distinguished Name
  - Unique value for each entry at one DIT level
  - Built from attribute values of the entry
- DN: Distinguished Name
  - Concatenation of all RDNs from the root
  - Unique name of an entry in the DIT
  - Example: Cn=Jouvin, OU=LAL, O=IN2P3, C=FR
- Alias: alternative designation for a DN

X500 Strengths…
- One DIT distributed over several servers
  - Ability to build a world-wide directory
  - Knowledge about where information is located is inside the directory
  - No need for the client to know every server
- Inter-server protocol (DSP)
  - Chaining of requests: transparent to the client, initial security level preserved
  - Referrals: the server to contact is returned to the client

… X500 Strengths
- Not bound to any particular data type
- Optimized for read/search operations
- Several authentication/security levels
  - Anonymous
  - Simple, via clear-text passwords
  - Strong, via encryption/certificates
- Certificate/public key distribution (X509)
- Shadowing protocol (DISP)

LDAP History…
- Started at the end of the 80's at U. of Michigan
  - Small subset of DAP for search/retrieval
  - Use of TCP/IP instead of OSI
- 1993: LDAP v2 (RFC 1487/1488)
  - Access protocol for X500 directories
    - Based on the X500 information model
  - Attributes represented as strings
    - Encoding rules defined for each type
  - Authentication: anonymous or plain text

… LDAP History
- 1997: LDAP v3 (RFC )
  - Still based on the X500 information model
  - Allows for standalone LDAP servers
    - Introduction of referrals
  - No inter-server protocol like DSP
    - Shadowing not defined (proprietary solutions)
  - Rules for standard operation extensions
  - Authentication through SSL/TLS
  - LDAP URLs

LDAP Search Operations
- Very powerful: one of LDAP's strengths
- Can search one level or a subtree
  - Limits possible on the number of entries returned, the time spent searching entries…
- Selection of returned attributes
  - Ex: cn, telephoneNumber
- Selection of entries through filters
  - Interpreted according to the type's matching rules

LDAP Search Filters
- Equality: =  → cn=Jouvin
- Substring match: *  → cn=Jouvin*
- Attribute presence: *  → telephoneNumber=*
- Approximate (similar sound): ~=
  - cn~=Jouvin will match Jouvin and Jouvain
  - Several algorithms available
- Logical operators: !, &, |
  - (&(cn=Jouvin)(c=fr))
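The following is an added example, not code from the slides, that ties the naming slide and the two search slides together: a small in-memory DIT built around the slide's DN example, a parser for the filter syntax listed above, the matching rules (equality, substring, presence, approximate via Soundex, and the !, &, | operators), and one-level versus subtree scope with selection of returned attributes. The entry contents, including the telephone number, are constructed.

```python
import re
DIT = {  # constructed entries modelled on the slides' DIT: DN -> multi-valued attributes
    "c=FR": {"c": ["FR"], "objectClass": ["country"]},
    "o=IN2P3,c=FR": {"o": ["IN2P3"], "objectClass": ["organization"]},
    "ou=LAL,o=IN2P3,c=FR": {"ou": ["LAL"], "objectClass": ["organizationalUnit"]},
    "cn=Jouvin,ou=LAL,o=IN2P3,c=FR": {"cn": ["Jouvin"], "c": ["FR"], "telephoneNumber": ["+33-1-0000"]},
    "cn=Jouvain,ou=LAL,o=IN2P3,c=FR": {"cn": ["Jouvain"], "c": ["FR"]},
}  # the telephone number above is made up
SOUNDEX = {c: str(d) for d, grp in enumerate(("BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"), 1) for c in grp}

def soundex(word):  # classic Soundex: one of the "several algorithms" usable for the ~= match
    w = word.upper(); code, last = w[0], SOUNDEX.get(w[0])
    for ch in w[1:]:
        d = SOUNDEX.get(ch)
        code, last = code + (d if d and d != last else ""), (last if ch in "HW" else d)
    return (code + "000")[:4]

def parse(s, i=0):  # recursive-descent RFC 4515 filter parser -> (node, index just past the ')')
    i += 1                                        # skip '('
    if s[i] in "&|":                              # AND / OR over a list of sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i); kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                               # NOT of a single sub-filter
        kid, i = parse(s, i + 1); return ("!", kid), i + 1
    end = s.index(")", i)                         # item: attr=value, attr~=value, attr=*, attr=a*b
    attr, op, val = re.fullmatch(r"([A-Za-z][\w-]*)(~=|=)(.*)", s[i:end]).groups()
    return (op, attr, val), end + 1

def matches(node, entry):  # apply a parsed filter to one entry (names and values case-insensitive)
    kind = node[0]
    if kind in ("&", "|"): return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!": return not matches(node[1], entry)
    _, attr, val = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if val == "*": return bool(values)                                        # presence
    if kind == "~=": return any(soundex(v) == soundex(val) for v in values)   # approximate
    if "*" in val:                                                            # substring, * = wildcard
        return any(re.fullmatch(".*".join(map(re.escape, val.split("*"))), v, re.I) for v in values)
    return any(v.lower() == val.lower() for v in values)                      # equality

def search(base, scope, filt, attrs=None):  # scope 'one' = children of base, 'sub' = base + subtree
    node, suffix, hits = parse(filt)[0], "," + base.lower(), {}
    for dn, entry in DIT.items():
        low = dn.lower()
        child = low.endswith(suffix) and (scope == "sub" or "," not in low[:-len(suffix)])
        if (child or (scope == "sub" and low == base.lower())) and matches(node, entry):
            hits[dn] = {k: v for k, v in entry.items() if attrs is None or k in attrs}  # attribute selection
    return hits
```

DN values are assumed to contain no escaped commas, so the scope test is a plain suffix check.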

LDAP Access Control Model
- Access to an entry controlled by ACLs
  - One ACL entry: ACI (Access Control Info)
    - Can specify access to a single attribute (e.g. compare only on the password)
  - Stored in a multi-valued attribute: ldapACI
  - Unordered interpretation
  - At each level of the DIT
  - Managed through standard operations on attributes

LDAP ACI Structure
- Each ldapACI combines:
  - Subject: "user" identification
    - Combination of a DN and an authentication level
  - Rights: grant or deny
    - Permissions: add, modify, delete, read, search, compare, write…
  - Scope: one level or subtree
  - Attribute the ACI applies to, or [entry]

LDAP ACI Examples
- A group may read, search and compare an attribute in a subtree:
    ldapACI: subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr
- The SysAdmins role can add entries in the subtree but only compare attribute attr2:
    ldapACI: subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
    ldapACI: subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
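An added example, not from the slides, that parses ldapACI values in the format above and evaluates an access request the way the access-control slides describe: ACIs held at several DIT levels, interpreted without ordering, subject matched through group/role membership. The membership table, the extra one-level and deny ACIs, and the rule that a matching deny overrides any grant are assumptions.

```python
# Constructed ldapACI values in the slides' format, keyed by the entry that holds them.
# Value layout (from the slides): scope#grant|deny:permissions#attribute-or-[entry]#subject-type:DN
ACIS = {
    "ou=lal,o=in2p3,c=fr": [
        "subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
        "subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
        "subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
        "onelevel#grant:r#OID.attr2#group:cn=Atlas,ou=lal,o=in2p3,c=fr",          # constructed
    ],
    "ou=private,ou=lal,o=in2p3,c=fr": [                                            # constructed
        "subtree#deny:r#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
    ],
}
MEMBERS = {  # constructed group/role membership: subject -> member DNs (lower-cased)
    "group:cn=atlas,ou=lal,o=in2p3,c=fr": {"cn=jouvin,ou=lal,o=in2p3,c=fr"},
    "role:cn=sysadmins,ou=lal,o=in2p3,c=fr": {"cn=admin,ou=lal,o=in2p3,c=fr"},
}

def parse_aci(text):
    """Split one ldapACI value into its four '#'-separated parts (stray whitespace tolerated)."""
    scope, rights, target, subject = (p.strip() for p in text.split("#"))
    action, perms = (p.strip() for p in rights.split(":"))
    return {"scope": scope, "action": action, "perms": {p.strip() for p in perms.split(",")},
            "target": target.lower(), "subject": subject.lower()}

def covers(holder_dn, scope, entry_dn):
    """Does an ACI stored at holder_dn reach entry_dn?  'subtree' = the holder and everything
    below it; 'onelevel' = the holder's direct children only (this reading is an assumption)."""
    h, e = holder_dn.lower(), entry_dn.lower()
    if e == h: return scope == "subtree"
    if not e.endswith("," + h): return False
    return scope == "subtree" or "," not in e[:-len(h) - 1]

def allowed(user_dn, perm, target, entry_dn):
    """Unordered evaluation of the ACIs at every DIT level: a matching deny beats any
    matching grant (assumed conflict rule); otherwise at least one grant is required."""
    granted = False
    for holder, values in ACIS.items():
        for aci in map(parse_aci, values):
            applies = (covers(holder, aci["scope"], entry_dn)
                       and aci["target"] == target.lower()
                       and user_dn.lower() in MEMBERS.get(aci["subject"], set())
                       and perm in aci["perms"])
            if applies and aci["action"] == "deny":
                return False
            granted = granted or applies
    return granted
```

The authentication-level half of the subject is not modelled here; only the DN part of the subject is checked.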

How to Locate an LDAP Server?
- A client should need to know only one server
  - Knowledge must be "served"
  - No single standard agreed upon
- Knowledge inside the LDAP server
  - Based on the use of referrals
  - Not well standardized for superior references
- Use DNS SRV records
  - Approach used by Microsoft in ActiveDirectory

Who Speaks LDAP? (Servers)
- Almost any distributed directory
  - X500 (93 and later)
  - Microsoft ActiveDirectory (W2000)
  - Novell NDS
- Standalone LDAP servers
  - Netscape iPlanet
  - OpenLDAP: OSS successor to the Univ. of Michigan server
  - PMDF…

Who Speaks LDAP? (Clients)
- Almost any mail client
  - One popular client still at v2: Pine
- Web browsers
  - LDAP URLs
  - Through servlets in PHP, Java, Perl…
- PGP clients
  - Public/private keys

Issues with Standalone LDAP
- No chaining; referrals only in v3
  - Popular mail clients like Pine or Netscape < 4.7 are v2
  - Knowledge about servers lives inside the v2 client: difficult to maintain when the infrastructure changes
- Request routing between servers
  - No standard on how to locate a server
- No shadowing protocol
  - Proprietary solutions, generally based on SLURPD from Univ. of Michigan