Slide 1: LDAP Overview
HEPix – LAL, Apr. 2001 (23/4/2001)
Michel Jouvin, jouvin@lal.in2p3.fr

Slide 2: Outline
LDAP: what is it?
X500
–A short history
–Information model and naming
LDAP
–A short history
–Search operation and filters
–Access control

Slide 3: LDAP: What Is It?
Lightweight Directory Access Protocol
–An access protocol
–Originally designed for X500 access
Built on the X500 paradigm
–Data abstraction
–Hierarchical naming of entries
Does not specify the server side

Slide 4: X500: Historical Milestones...
1984: start of design as the OSI directory application
–Driven by CCITT
1988: X500 v1
–Hierarchical organization and naming of data
–Client/server model
  Client/server protocol: DAP
  Server/server protocol: DSP
–X509 v1: authentication based on asymmetric encryption

Slide 5: ...X500: Historical Milestones
1993: X500 v2
–Addition of replication (shadowing): DISP
1997: X500 v3
–X509 v3: extension of X509 for certificates
2001: X500 v4
–X509 v4: enhanced handling of certificates and privilege management architecture

Slide 6: Information Model...
Directory object = entry
–Defined by its attributes
–Belongs to an object class
Attributes: describe the characteristics of an entry
–Type/value pairs
–Type: defines a syntax
–Matching rules defined for each type
–Support for multi-valued attributes

Slide 7: ...Information Model
Object class
–Defines a set of allowed/mandatory attributes
–Inheritance (multiple) between object classes
Schema: set of object classes for one purpose
–Can restrict allowed attributes/syntaxes
–Several standard schemas proposed
  inetOrgPerson schema: to represent a person
  Java schema: to represent a Java object in LDAP

Slide 8: X500 Naming: DIT and DN...
[Figure: example DIT. Entries shown: C=FR, C=US, O=IN2P3, O=CEA, O=HEP, OU=LAL, OU=CC, CN=Jouvin. The path from the root C=FR > O=IN2P3 > OU=LAL > CN=Jouvin is annotated with its RDNs: RDN=FR, RDN=IN2P3, RDN=LAL, RDN=Jouvin.]

Slide 9: ...X500 Naming: DIT and DN
RDN: Relative Distinguished Name
–Unique value for each entry at one DIT level
–Built from attribute values of the entry
DN: Distinguished Name
–Concatenation of all RDNs from the root
–Unique name of an entry in the DIT
  CN=Jouvin, OU=LAL, O=IN2P3, C=FR
Alias: alternative designation for a DN
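As an added illustration (not code from the talk), a small in-memory DIT that enforces the two naming rules above: an RDN must be unique among its siblings and built from an attribute value of the entry, and a DN is the chain of RDNs from the root. The sample tree reproduces the entries of slide 8; where they hang below each other is an assumption.

```python
def split_dn(dn):
    """'CN=Jouvin, OU=LAL, O=IN2P3, C=FR' -> ['cn=jouvin', 'ou=lal', 'o=in2p3', 'c=fr'].
    Attribute types and values are case-insensitive in LDAP, so RDNs are normalized."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

class DIT:
    def __init__(self):
        self.entries = {}                      # normalized DN -> entry attributes

    def add(self, dn, **attrs):
        rdns = split_dn(dn)
        parent = ",".join(rdns[1:])
        if parent and parent not in self.entries:  # a DN is built from the root downwards
            raise KeyError("parent entry does not exist: " + parent)
        key = ",".join(rdns)
        if key in self.entries:                # RDN must be unique at this DIT level
            raise ValueError("RDN not unique under " + (parent or "root") + ": " + rdns[0])
        attr, value = rdns[0].split("=", 1)    # RDN must come from an attribute of the entry
        if str(attrs.get(attr, "")).lower() != value:
            raise ValueError("RDN is not an attribute value of the entry: " + rdns[0])
        self.entries[key] = attrs
        return key

    def children(self, dn):
        """Entries exactly one level below dn (the 'one level' search scope)."""
        base = split_dn(dn)
        return sorted(k for k in self.entries if split_dn(k)[1:] == base)

    def subtree(self, dn):
        """dn itself and everything below it (the 'subtree' search scope)."""
        base = split_dn(dn)
        return sorted(k for k in self.entries if split_dn(k)[-len(base):] == base)

SAMPLE = [  # (DN, attributes): entries of slide 8; the tree layout is assumed
    ("C=FR", {"c": "FR"}), ("C=US", {"c": "US"}),
    ("O=IN2P3,C=FR", {"o": "IN2P3"}), ("O=CEA,C=FR", {"o": "CEA"}), ("O=HEP,C=US", {"o": "HEP"}),
    ("OU=LAL,O=IN2P3,C=FR", {"ou": "LAL"}), ("OU=CC,O=IN2P3,C=FR", {"ou": "CC"}),
    ("CN=Jouvin, OU=LAL, O=IN2P3, C=FR", {"cn": "Jouvin", "sn": "Jouvin"}),
]

def build_sample_dit():
    dit = DIT()
    for dn, attrs in SAMPLE:
        dit.add(dn, **attrs)
    return dit
```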

Slide 10: X500 Strengths...
One DIT distributed over several servers
–Ability to build a world-wide directory
–Knowledge about information location is inside the directory
–No need for the client to know every server
Inter-server protocol (DSP)
–Chaining of requests: transparent to the client, initial security level preserved
–Referrals: the server to contact is returned to the client

Slide 11: ...X500 Strengths
Not bound to any particular data type
Optimized for read/search operations
Several authentication/security levels
–Anonymous
–Simple, via clear-text passwords
–Strong, via encryption/certificates
Certificate/public key distribution (X509)
Shadowing protocol (DISP)

Slide 12: LDAP History...
Started at the end of the 80's at U. of Michigan
–Small subset of DAP for search/retrieval
–Use of TCP/IP instead of OSI
1993: LDAP v2 (RFC 1487/1488)
–Access protocol for X500 directories
  Based on the X500 information model
–Attributes represented as strings
  Encoding rules defined for each type
–Authentication: anonymous or plain text

Slide 13: ...LDAP History
1997: LDAP v3 (RFC 2251-2256)
–Still based on the X500 information model
–Allows for standalone LDAP servers
  Introduction of referrals
–No inter-server protocol like DSP
  Shadowing not defined (proprietary solutions)
–Rules for standard operation extensions
–Authentication through SSL/TLS
–LDAP URLs

Slide 14: LDAP Search Operations
Very powerful: one of LDAP's strengths
Can search one level or a subtree
–Limits possible on the number of entries returned, time spent searching entries...
Selection of returned attributes
–Ex: cn, telephoneNumber
Selection of entries through filters
–Interpreted according to the matching rules of the attribute type

Slide 15: LDAP Search Filters
Equality: =
  cn=Jouvin
Substring match: *
  cn=Jouvin*
Attribute presence: *
  telephoneNumber=*
Approximate (similar sound): ~=
–cn~=Jouvin will match Jouvin and Jouvain
–Several algorithms available
Relational operators: !, &, |
–(&(cn=Jouvin)(c=fr))
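Added example, not from the talk: a parser and evaluator for the filter forms listed on slides 14 and 15 (equality, substring, presence, approximate, and the !, &, | operators), with attribute selection, run over a few constructed entries. The approximate rule is a toy "same consonants" comparison standing in for a real sounds-like algorithm; matching is case-insensitive and escaped values are not handled.

```python
import re

# Constructed sample entries (phone numbers are placeholders): attribute type -> list of values.
ENTRIES = [
    {"dn": "cn=Jouvin,ou=LAL,o=IN2P3,c=FR", "cn": ["Jouvin"], "c": ["FR"], "telephoneNumber": ["+33 1 00 00 00 00"]},
    {"dn": "cn=Jouvin,ou=CC,o=IN2P3,c=FR", "cn": ["Jouvin"], "c": ["FR"]},
    {"dn": "cn=Jouvain,ou=LAL,o=IN2P3,c=FR", "cn": ["Jouvain"], "c": ["FR"]},
    {"dn": "cn=Smith,o=HEP,c=US", "cn": ["Smith"], "c": ["US"], "telephoneNumber": ["+1 555 0100"]},
]

def parse_filter(s, i=0):
    """Recursive-descent parser for the string filter form, e.g. (&(cn=Jouvin)(c=fr)).
    Returns (tree, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":                         # n-ary AND / OR over sub-filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
    elif s[i] == "!":                        # NOT takes exactly one sub-filter
        kid, i = parse_filter(s, i + 1)
        op, kids = "!", [kid]
    else:                                    # simple item: attr=value or attr~=value
        end = s.index(")", i)
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)(~=|=)(.*)", s[i:end])
        if not m:
            raise ValueError("bad filter item: " + s[i:end])
        return ("item", m.group(1), m.group(2), m.group(3)), end + 1
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return (op, kids), i + 1

def match_item(entry, attr, op, value):
    """Apply the matching rule for one item: presence, approximate, substring or equality."""
    vals = entry.get(attr, [])
    if value == "*":                         # presence: telephoneNumber=*
        return bool(vals)
    if op == "~=":                           # approximate: toy rule, compare consonant skeletons
        skel = lambda v: re.sub(r"[aeiou]", "", v.lower())
        return any(skel(v) == skel(value) for v in vals)
    if "*" in value:                         # substring: cn=Jouvin*
        pat = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pat, v, re.IGNORECASE) for v in vals)
    return any(v.lower() == value.lower() for v in vals)   # equality (caseIgnore)

def evaluate(tree, entry):
    if tree[0] == "&": return all(evaluate(k, entry) for k in tree[1])
    if tree[0] == "|": return any(evaluate(k, entry) for k in tree[1])
    if tree[0] == "!": return not evaluate(tree[1][0], entry)
    return match_item(entry, *tree[1:])

def search(filter_str, attrs=None, entries=ENTRIES):
    """DNs matching filter_str, or only the selected attributes of each hit when attrs is given."""
    tree, _ = parse_filter(filter_str)
    hits = [e for e in entries if evaluate(tree, e)]
    if attrs is None:
        return [e["dn"] for e in hits]
    return [{a: e.get(a, []) for a in attrs} for e in hits]
```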

Slide 16: LDAP Access Control Model
Access to an entry controlled by ACLs
–One ACL entry: ACI (Access Control Info)
  Can specify access to a single attribute (e.g. compare right only on the password)
–Stored in a multi-valued attribute: ldapACI
–Unordered interpretation
–At each level of the DIT
–Managed through standard operations on attributes

Slide 17: LDAP ACI Structure
Each ldapACI combines
–Subject: "user" identification
  Combination of a DN and an authentication level
–Rights: grant or deny
  Permissions: add, modify, delete, read, search, compare, write...
–Scope: one level or subtree
–Attribute the ACI applies to, or [entry]

Slide 18: LDAP ACI Examples
A group may read, search and compare an attribute in a subtree:
  ldapACI: subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr
The SysAdmins role can add entries in a subtree but only compare attribute attr2:
  ldapACI: subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
  ldapACI: subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
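Added example, not from the talk: a parser for the ldapACI string form of slides 17 and 18 and an access check that applies scope, subject type and the unordered grant/deny interpretation to the three ACIs above (plus one constructed deny). Assumptions: the ACIs are stored on ou=lal,o=in2p3,c=fr, a scope keyword other than "subtree" means the holding entry only, only group and role subjects are recognised, and a matching deny overrides any grant (the talk does not state the precedence rule).

```python
ACI_ENTRY = "ou=lal,o=in2p3,c=fr"   # entry holding the ldapACI values (assumed)
ACIS = [                           # the three ACIs from slide 18 plus a constructed deny
    "subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
    "subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
    "subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
    "entry#deny:r#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
]

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_aci(aci):
    """Split one ldapACI value into scope # action:perms # target # subject_type:subject_dn."""
    scope, rights, target, subject = aci.split("#")
    action, perms = rights.split(":")
    stype, sdn = subject.split(":", 1)
    return {"scope": scope.strip(), "action": action.strip(),
            "perms": {p.strip() for p in perms.split(",")}, "target": target.strip(),
            "subject_type": stype.strip(), "subject_dn": norm_dn(sdn)}

def in_scope(aci, aci_entry, entry_dn):
    holder, target = norm_dn(aci_entry), norm_dn(entry_dn)
    if aci["scope"] == "subtree":          # holder and everything below it
        return target == holder or target.endswith("," + holder)
    return target == holder                # "entry": the holder only (assumed meaning)

def subject_matches(aci, who):
    """who = {'dn': ..., 'groups': [...], 'roles': [...]}; only group/role subjects, as on the slide."""
    members = {"group": who.get("groups", []), "role": who.get("roles", [])}
    return aci["subject_dn"] in {norm_dn(m) for m in members.get(aci["subject_type"], [])}

def allowed(who, perm, target, entry_dn, acis=ACIS, aci_entry=ACI_ENTRY):
    """True if 'who' holds permission 'perm' on target ('[entry]' or 'OID.attr') of entry_dn.
    ACIs are unordered: every matching one is considered, and a deny wins over grants (assumed)."""
    granted = denied = False
    for raw in acis:
        aci = parse_aci(raw)
        if aci["target"] != target or perm not in aci["perms"]:
            continue
        if not in_scope(aci, aci_entry, entry_dn) or not subject_matches(aci, who):
            continue
        if aci["action"] == "deny":
            denied = True
        elif aci["action"] == "grant":
            granted = True
    return granted and not denied
```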

Slide 19: How to Locate an LDAP Server?
A client should know only one server
–Knowledge must be "served"
–No single standard agreed upon
Knowledge inside the LDAP server
–Based on the use of referrals
–Not well standardized for superior references
Use of DNS SRV records
–Approach used by Microsoft in Active Directory

Slide 20: Who Speaks LDAP? (servers)
Almost any distributed directory
–X500 (93 and later)
–Microsoft Active Directory (Windows 2000)
–Novell NDS
Standalone LDAP servers
–Netscape iPlanet
–OpenLDAP: OSS successor to the Univ. of Michigan server
–PMDF...

Slide 21: Who Speaks LDAP? (clients)
Almost any mail client
–One popular client still v2: Pine
Web browsers
–LDAP URLs
–Through servlets in PHP, Java, Perl...
PGP clients
–Public/private keys

Slide 22: Issues with Standalone LDAP
No chaining, referrals only in v3
–Popular mail clients like Pine or Netscape < 4.7 are v2
–Knowledge about servers inside the v2 client: difficult to maintain when the infrastructure changes
Request routing between servers
–No standard on how to locate a server
No shadowing protocol
–Proprietary solutions, generally based on SLURPD from Univ. of Michigan

