1 Meeting #11: User Authentication and Directory Services. Network Security Course.

2 History of LDAP
X.500
- Collective name given to a series of standards produced by the ISO/ITU-T.
- Defines the protocol and information model for a global directory service.
- Independent of computing application and network platform.
DAP
- Part of the X.500 directory standard.
- Used by clients to access the directory.

3 Introduction to LDAP
- LDAP = Lightweight Directory Access Protocol
- Based on the X.500 Directory Service (RFC 1777)
- Stores attribute-based data
- Data is generally read more often than it is written
  - No transactions
  - No rollback
- Client-server model
- Based on entries
  - An entry is a collection of attributes
  - Each entry has a distinguished name (DN), similar to a domain name

4 Why use LDAP
- Centrally manage users, groups and other data
- No need to manage separate directories for each application; stops the "N + 1 directory problem"
- Distribute management of data to the appropriate people
- Allow users to find the data they need
- Not locked into a particular server
- Ability to distribute servers to where they are needed

5 LDAP vs Databases
- Read-write ratio: LDAP is read-optimised
- Extensibility: LDAP schemas are more easily changed
- Distribution: with LDAP, data can be kept near where it is needed
- Replication: with LDAP, data can be stored in multiple locations
- Different performance profile: databases are generally deployed for a limited number of applications

6 LDAP vs Databases (cont.)
- Transaction model: LDAP transactions are simple, usually changing one entry; databases can modify much more in one transaction
- Size of information: LDAP is better at storing small pieces of information
- Type of information: LDAP stores information in attributes
- Standards are more important for directories: LDAP clients can talk to any LDAP server, but a database client can only talk to the database it was designed for

7 Acronyms
- LDAP: Lightweight Directory Access Protocol
- DN: Distinguished Name
- RDN: Relative Distinguished Name
- DIT: Directory Information Tree
- LDIF: LDAP Data Interchange Format
- OID: Object Identifier

8 Namespaces - Hierarchical

9 Namespaces (cont.)
The directory tree is similar to a Unix file system, with some differences:
- There is no root entry in LDAP
- Each entry in LDAP can both contain data and be a container
- In Unix, an entry is either a file or a directory, not both
- LDAP distinguished names are read from bottom to top, Unix file system paths from top to bottom

10 Global View

11 LDAP Entry
- Entries are composed of attributes
- An attribute consists of a type with one or more values
- The type describes what the information is
- The value is the actual information, in text format
- Attributes have a syntax which specifies what type of data they hold (see Schema later on)

12 Referrals
1. Client requests information
2. Server 1 returns a referral to server 2
3. Client resends the request to server 2
4. Server 2 returns the information to the client

13 LDAP Servers
- slapd (University of Michigan)
- OpenLDAP
- Netscape Directory Server
- Microsoft Active Directory (AD)
- Microsoft Exchange (interface only)
- Novell Directory Services (NDS)
- Lotus Domino (interface only)
- Sun Directory Services (SDS)
- Lucent's Internet Directory Server (IDS)

14 OpenLDAP
- Based on the UMich LDAP server
- Available from
- Versions:
  - Historic: implements LDAPv2
  - Stable: implements LDAPv3
  - Release: implements LDAPv3 and other features

15 LDAP slapd architecture
LDAP daemon called slapd
- Choice of databases:
  - LDBM: high-performance disk-based DB
  - SHELL: DB interface to Unix commands
  - PASSWORD: simple password-file DB
  - SQL: mapping SQL to LDAP (in OpenLDAP 2.x)
- Multiple database instances
- Access control
- Threaded
- Replication

16 LDAP slapd architecture

17 Using LDAP in Applications

18 Using Multiple Applications

19 LDAP URLs
Definition taken from RFC 1959:

    <ldapurl>       ::= "ldap://" [ <hostport> ] "/" <dn> [ "?" <attributes> [ "?" <scope> "?" <filter> ] ]
    <hostport>      ::= <hostname> [ ":" <portnumber> ]
    <dn>            ::= a string as defined in RFC 1485
    <attributes>    ::= NULL | <attributelist>
    <attributelist> ::= <attributetype> | <attributetype> [ "," <attributelist> ]
    <attributetype> ::= a string as defined in RFC 1777
    <scope>         ::= "base" | "one" | "sub"
    <filter>        ::= a string as defined in RFC 1558

20 LDAP URL examples
- ldap://foo.bar.com/dc=bar,dc=com
- ldap://argle.bargle.com/dc=bar, dc=com??sub?uid=barney
- ldap://ldap.bedrock.com/dc=bar, dc=com?cn?sub?uid=barney
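As an added example, not from the original slides: a small Python parser for the RFC 1959 grammar of LDAP URLs, applied to URLs of the shape listed above. The defaults it applies for a missing scope and filter ("base" and "(objectClass=*)") are the ones RFC 1959 specifies; the function name parse_ldap_url is my own, and the whitespace after a comma in the DN (as in the second and third examples) is tolerated because RFC 1485 allows it.

```python
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url: str) -> dict:
    """Split an ldap:// URL into the RFC 1959 components:
    hostport, dn, attributes, scope, filter."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    rest = url[len("ldap://"):]
    # <hostport> is everything up to the first "/", and may be empty
    hostport, sep, path = rest.partition("/")
    if not sep:
        raise ValueError("missing '/' after hostport")
    host, port = hostport, 389          # 389 is the default LDAP port
    if ":" in hostport:
        host, _, p = hostport.rpartition(":")
        port = int(p)
    # <dn> "?" <attributes> "?" <scope> "?" <filter>: positional, each optional
    parts = path.split("?")
    if len(parts) > 4:
        raise ValueError("too many '?' separators")
    parts += [""] * (4 - len(parts))
    dn, attrs, scope, flt = parts
    # RFC 1485 permits optional whitespace after the comma between RDNs
    rdns = [r.strip() for r in unquote(dn).split(",")] if dn else []
    attributes = [a for a in attrs.split(",") if a]   # empty list = all attrs
    scope = scope or "base"
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    return {
        "host": host,
        "port": port,
        "dn": ",".join(rdns),
        "rdns": rdns,
        "attributes": attributes,
        "scope": scope,
        "filter": unquote(flt) or "(objectClass=*)",
    }


if __name__ == "__main__":
    for u in ("ldap://foo.bar.com/dc=bar,dc=com",
              "ldap://argle.bargle.com/dc=bar, dc=com??sub?uid=barney",
              "ldap://ldap.bedrock.com/dc=bar, dc=com?cn?sub?uid=barney"):
        print(parse_ldap_url(u))
```

The filter is passed through unparsed; a full implementation would also validate it against the RFC 1558 filter syntax.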

21 LDAPv3
- Internationalisation, using UTF-8
- Referrals
- Security
- Extensibility
- Feature and schema discovery
  - LDAPv3 servers have a directory entry called the root DSE (Directory Server Entry)
  - Contains: protocols supported, schemas, other useful info

22 LDAP slurpd architecture
Replication daemon called slurpd
- Frees slapd from worrying about hosts being down, etc.
- Communicates with slapd through a text file

23 Active Directory and LDAP
Provides a directory for a Microsoft network:
- Central management
- Central security
- Central user administration
- Integrates with DNS
- Information replication
- Provides all the services a domain controller did

24 LDAP Protocol
- Uses the client-server model
- Message-oriented protocol: the client sends messages to the server and gets replies
- Can issue multiple requests at once; each response carries a message ID that identifies the request it answers
- 9 basic protocol operations: interrogation, update and authentication
- LDAPv3 provides extended operations and controls
- Uses a simplified version of the Basic Encoding Rules (BER), not plain text
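An added illustration, not from the slides, of the two points above (message IDs and BER rather than plain text): a Python encoder for an LDAPv3 BindRequest and UnbindRequest, using the tags from the LDAP ASN.1 definitions (SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04, APPLICATION 0 = 0x60, APPLICATION 2 = 0x42, context [0] = 0x80), plus a decoder that reads the message ID back so a reply can be matched to its request. The function names and the sample DN and password are constructed for this example.

```python
def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER with a minimal two's-complement body (LDAP IDs are >= 0)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def ldap_message(msgid: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(0x30, ber_int(msgid) + protocol_op)


def bind_request(msgid: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication simple [0] OCTET STRING }  -- LDAPv3 simple bind."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msgid, tlv(0x60, op))


def unbind_request(msgid: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL"""
    return ldap_message(msgid, tlv(0x42, b""))


def message_id(msg: bytes) -> int:
    """Read the messageID out of any LDAPMessage; a reply carries the ID of the
    request it answers, which is how a client pairs them up."""
    if msg[0] != 0x30:
        raise ValueError("LDAPMessage must start with a SEQUENCE tag")
    i = 2 + (msg[1] & 0x7F if msg[1] & 0x80 else 0)   # skip outer length octets
    if msg[i] != 0x02:
        raise ValueError("messageID must be an INTEGER")
    n = msg[i + 1]                                      # ID length fits short form
    return int.from_bytes(msg[i + 2:i + 2 + n], "big", signed=True)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    msg = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(msg.hex(), message_id(msg))
    # The password travels as plain octets: a simple bind needs TLS (LDAPS).
    print(b"secret" in msg)
```

Note that BER only frames the password; it does not hide it, which is why a simple bind must be sent over TLS or replaced by a SASL mechanism.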

25 Why have a Directory Service?
- Simplifies management. Provides a single, consistent point of management for users, applications, and devices.
- Strengthens security. Provides users with a single sign-on to network resources and provides administrators with powerful and consistent tools to manage security services for internal desktop users, remote dial-up users, and external e-commerce customers.
- Extends interoperability. Supplies standards-based access to all Directory features as well as synchronization support for popular directories.

26 What is Active Directory?
- Provides a single point of management for Windows-based user accounts, clients, servers, and applications.
- Integrates systems not using Windows with Windows-based applications and Windows-compatible devices, thus consolidating directories and easing management of the entire network operating system.
- Extends systems securely to the Internet.

27 Usage of Active Directory

28 How Does Active Directory Work?
- Hierarchical organization
- Object-oriented storage
- Multi-master replication

29 What Are the Benefits of Active Directory? (1)
Simplifies management tasks.
- Eliminates redundant management tasks. Provides a single point of management for Windows user accounts, clients, servers, and applications, as well as the ability to synchronize with existing directories.
- Reduces trips to the desktop. Automatically distributes software to users based on their role in the company, reducing or eliminating the multiple trips that system administrators need to make for software installation and configuration.
- Makes better use of IT resources. Securely delegates administrative functions to all levels of an organization.
- Lowers total cost of ownership (TCO). Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
Strengthens network security.
Makes use of existing systems through interoperability.

30 What Are the Benefits of Active Directory? (2)
Simplifies management tasks.
Strengthens network security.
- Improves password security and management, by providing single sign-on to network resources with integrated, high-powered security services that are transparent to end users.
- Ensures desktop functionality, by locking down desktop configurations and preventing access to specific client machine operations, such as software installation or registry editing, based on the role of the end user.
- Speeds e-business deployment, by providing built-in support for secure Internet-standard protocols and authentication mechanisms such as Kerberos, public key infrastructure (PKI) and Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL).
- Tightly controls security, by setting access control privileges on directory objects and the individual data elements that make them up.
Makes use of existing systems through interoperability.

31 What Are the Benefits of Active Directory? (3)
Makes use of existing systems through interoperability.
- Takes advantage of existing investments and ensures flexibility. Standards-based interfaces to all features make use of existing investments and ensure flexibility for future applications and infrastructure.
- Consolidates management of multiple application directories. Using open interfaces, connectors, and synchronization mechanisms, organizations can consolidate directories including Novell's NDS, LDAP, ERP, and other mission-critical applications.
- Allows organizations to deploy directory-enabled networking. Network devices from leading vendors such as Cisco and 3COM can use the directory to let administrators assign quality of service and allocate network bandwidth to users based on their role in the company.
- Allows organizations to develop and deploy directory-enabled applications. Using the fully extensible directory architecture, developers can build applications that deliver functionality tailored to the needs of the end user.

32 Cross-Platform Authentication
The aim of cross-platform authentication is to have a single, centralized password database that can be used to authenticate users on Unix, Windows, and perhaps even other systems such as Macintosh or NetWare.

33 ADS limitations for cross-platform authentication
- The Microsoft clients for Windows 2000 and XP are specific to authenticating against a Microsoft Active Directory server.
- AD clients are only available on Windows 2000 and Windows XP.
- AD Server only runs on Windows 2000 Server.

34 LDAP Alternatives
- OpenLDAP: an excellent authentication system for Linux clients; however, Microsoft clients will not be able to authenticate to it.
- iPlanet Directory Service: runs on Windows, Linux and Solaris systems. Although the iPlanet directory server contains a Windows NT to LDAP password synchronisation system, direct authentication to the iPlanet directory server is not possible from Windows systems.
- NDS: Novell's directory service.

35 MKS AD4Unix
- Plug-in extension for Microsoft's Active Directory Server that enables Unix-related authentication and user information to be stored in Active Directory.
- AD4Unix includes a schema update and an extension to Microsoft's User & Group manager (part of the Active Directory administration interface, which is in turn part of the Microsoft Management Console).

36 Authentication in Windows 2000
- Kerberos version 5. The Kerberos version 5 authentication protocol is the default for network authentication on computers running Windows 2000.
- Windows NT LAN Manager (NTLM). The NTLM protocol was the default for network authentication in the Windows NT® 4.0 operating system. It is retained in Windows 2000 for compatibility with downlevel clients and servers. NTLM is also used to authenticate logons to standalone computers running Windows 2000.

37 Benefits of Kerberos Authentication (1)
- More efficient authentication to servers. With NTLM authentication, an application server must connect to a domain controller in order to authenticate each client. With Kerberos authentication, the server does not need to go to a domain controller: it can authenticate the client by examining the credentials presented by the client. Clients can obtain credentials for a particular server once and reuse them throughout a network logon session.
- Mutual authentication. NTLM allows servers to verify the identities of their clients. It does not allow clients to verify a server's identity, or one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption. Parties at both ends of a network connection can know that the party on the other end is who it claims to be.

38 Benefits of Kerberos Authentication (2)
- Delegated authentication. Windows services impersonate clients when accessing resources on their behalf. In many cases, a service can complete its work for the client by accessing resources on the local computer. Both NTLM and Kerberos provide the information that a service needs to impersonate its client locally. However, some distributed applications are designed so that a front-end service must impersonate clients when connecting to back-end services on other computers. The Kerberos protocol has a proxy mechanism that allows a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.
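To make the first two benefits on the previous slide concrete (no domain-controller round trip per connection, and mutual authentication), here is an added Python simulation that is not part of the slides and does not use real Kerberos cryptography: seal/unseal is a toy authenticated-encryption helper built from SHA-256 and HMAC, the KDC, Service, authenticator and client_session names are constructed, and the 300-second ticket lifetime and clock-skew window are arbitrary choices for the example.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (constructed for this example, not a real
    Kerberos encryption type): SHA-256 keystream XOR, then an HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Domain-controller role: holds every principal's long-term key and is
    contacted only when a ticket is issued, not on every connection."""
    def __init__(self, keys):
        self.keys, self.issued = keys, 0
    def ticket_for(self, client, spn, lifetime=300):
        self.issued += 1
        sk, exp = os.urandom(32).hex(), time.time() + lifetime
        ticket = seal(self.keys[spn], {"client": client, "key": sk, "exp": exp})
        reply = seal(self.keys[client], {"spn": spn, "key": sk, "exp": exp})
        return ticket, reply              # the ticket is opaque to the client

def authenticator(session_key: bytes, client: str) -> bytes:
    """Fresh per-request proof that the client holds the session key."""
    return seal(session_key, {"client": client, "ts": time.time()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()
    def accept(self, ticket, auth):
        """Authenticate the client locally, then prove the server's own identity."""
        t = unseal(self.key, ticket)          # only the real service key opens it
        if t["exp"] < time.time():
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, auth)                  # the client must hold the session key
        if a["client"] != t["client"] or abs(a["ts"] - time.time()) > 300:
            raise ValueError("authenticator does not match ticket, or clock skew")
        if auth in self.seen:                 # replay cache keyed on the authenticator
            raise ValueError("replayed authenticator")
        self.seen.add(auth)
        # Mutual authentication: echo the client's timestamp under the session key.
        return t["client"], seal(sk, {"ts": a["ts"]})

def client_session(kdc, client, client_key, service, spn, requests=2):
    """One logon: obtain the ticket once, then reuse it for several requests."""
    ticket, reply = kdc.ticket_for(client, spn)
    sk = bytes.fromhex(unseal(client_key, reply)["key"])
    for _ in range(requests):
        auth = authenticator(sk, client)
        who, proof = service.accept(ticket, auth)
        if unseal(sk, proof)["ts"] != unseal(sk, auth)["ts"]:
            raise ValueError("server failed to prove it holds the service key")
    return who, kdc.issued
```

The KDC's issue counter stays at one however many requests the session makes, and a host without the service's key can neither open the ticket nor produce the echoed timestamp, which is the property NTLM lacks.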

39 Benefits of Kerberos Authentication (3)
- Simplified trust management. One of the benefits of the Kerberos protocol is that trust between the security authorities for Windows 2000 domains is by default two-way and transitive. Networks with multiple domains no longer require a complex web of explicit, point-to-point trust relationships. Instead, the many domains of a large network can be organized in a tree of transitive, mutual trust. Credentials issued by the security authority for any domain are accepted everywhere in the tree. If the network includes more than one tree, credentials issued by a domain in any tree are accepted throughout the forest.

40 Benefits of Kerberos Authentication (4)
- Interoperability. Microsoft's implementation of the Kerberos protocol is based on standards-track specifications recommended to the Internet Engineering Task Force (IETF). As a result, the implementation of the protocol in Windows 2000 lays a foundation for interoperability with other networks where Kerberos version 5 is used for authentication.