Presentation is loading. Please wait.

Presentation is loading. Please wait.

The LDAP Protocol. Agenda Background and Motivation Understanding LDAP Information Structure Naming Functions/Operations Security Protocol Model Mapping.

Published byQuentin Hines Modified over 8 years ago

Similar presentations

Presentation on theme: "The LDAP Protocol. Agenda Background and Motivation Understanding LDAP Information Structure Naming Functions/Operations Security Protocol Model Mapping."— Presentation transcript:

1 The LDAP Protocol

2 Agenda Background and Motivation Understanding LDAP Information Structure Naming Functions/Operations Security Protocol Model Mapping onto Transport Services Protocol Element Encoding Discussion

3 Background and Motivation Increased reliance on networked computers Need in information Functionality Ease-of-Use Administration (Application specific dirs) Clear and consistent organization Integrity Confidentiality

4 X.500 X.500 standard. CCITT 1988 Refer ISO 9594 – X.500-X.521 of 1990

5 X.500 Organizes directory entries into a hierarchical namespace Powerful search capabilities Often used for interfacing incompatible directory services Used DAP for c/s communication DAP (App. Layer) requires ENTIRE OSI stack to operate Too heavy for small environments

6 What is LDAP? Lightweight Directory Access Protocol Used to access and update information in a directory built on the X.500 model Specification defines the content of messages between the client and the server Includes operations to establish and disconnect a session from the server

7 LDAP Server: G/S

8 Understanding LDAP Lightweight alternative to DAP Uses TCP/IP instead of OSI stack Simplifies certain functions and omits others… Uses strings rather than DAP’s ASN.1 notation to represent data.

9 LDAP Information Structure of information stored in an LDAP directory. Naming How information is organized and identified. Functional / Operations Describes what operations can be performed on the information stored in an LDAP directory. Security Describes how the information can be protected from unauthorized access.

10 LDAP Information Storage

11 Each attribute has a type/syntax and a value Can define how values behave during searches/directory operations Syntax: bin, ces, cis, tel, dn etc. Usage limits: ssn – only one, jpegPhoto – 10K

12 LDAP Information Storage Each ‘entry’ describes an object (Class) Person, Server, Printer etc. Example Entry: InetOrgPerson(cn, sn, ObjectClass) Example Attributes: cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

13 LDAP Naming DNs consist of sequence of Relative DN cn=John Smith,ou=Austin,o=IBM,c=US (Leaf 2 Root) (~use \ for special) Directory Information Tree (DIT) Follow geographical or organizational scheme Aliases: Tree-like, Aliases can link non-leaf nodes

14 LDAP Naming Referrals: May not store entire DIT (v3) Referrals objectClass=referral, attribute=ref, value=LDAPurl Implementation differs Refferals/Chaining (vendor) RFC 1777: server chaining is expected.

15 LDAP Naming Schema Defines what object classes allowed Where they are stored What attributes they have (objectClass) Which attributes are optional (objectClass) Type/syntax of each attribute (objectClass) Query server for info: zero-length DN LDAP schema must be readable by the client

16 LDAP Naming Examples Attribute TypeString CommonNameCN LocalityNameL StateorProvinceNameST OrganizationNameO OrganizationalUnitNameOU CountryNameC StreetAddressSTREET domainComponentDC UseridUID

17 LDAP Functions/Operations Authentication BIND/UNBIND ABANDON Query Search Compare entry Update Add an entry Delete an entry (Only Leaf nodes, no aliases) Modify an entry, Modify DN/RDN

18 Client and Server Interaction Client establishes session with server (BIND) Hostname/IP and port number Security User-id/password based authentication Anonymous connection - default access rights Encryption/Kerberos also supported Client performs operations Read/Update/Search SELECT X,Y,Z FROM PART_OF_DIRECTORY Client ends the session (UNBIND) Client can ABANDON the session

19 BIND/UNBIND/ABANDON Request includes LDAP version, the name the client wants to bind as, authentication type Simple (clear text passwords, anonymous) Kerberos v4 to the LDAP server (krbv42LDAP) Kerberos v4 to the DSA server (krbv42DSA) Server responds with a status indication UNBIND: Terminates a protocol session UnbindRequest ::= [APPLICATION 2] NULL ABANDON: MessageID to abandon

20 Search/Compare Request includes baseObject: an LDAPDN Scope: how many levels to be searched derefAliases: handling of aliases sizeLimit: max number of entries returned timeLimit: max time allowed for search attrsOnly: return attribute types OR values also Filter: cond. to be fulfilled when searching Attributes: List of entry’s attributes to be returned Read and List implemented as searches Compare: similar to search but returns T/F

21 ADD/MODIFY/DELETE ADD request Entry: LDAPDN List of Attributes and values (or sets of values) MODIFY request Used to add, delete, modify attributes Request includes Object: LDAPDN List of modifications (atomic) Add, Delete, Replace DELETE request Object: LDAPDN MODIFY RDN: LDAPDN, newRDN, DEL_FLAG

22 Protocol Elements LDAPMessage (MessageID unique)

23 Protocol Elements LDAPString ::= OCTET STRING LDAPDN ::= LDAPString RelativeLDAPDN ::= LDAPString AttributeValueAssertion ::= Sequence { attributeTypeattributeValue, attributeValueattributeValue } attributeType ::= LDAPString attributeValue ::= OCTET STRING

24 Protocol Elements LDAP Result Errors Truncated DIT RDN sequence is sent noSuchObject aliasProblem invalidDNSyntax isLeaf etc.

25 LDAP Security Current LDAP version supports Clear text passwords KERBEROS version 4 authentication Other authentication methods possible in future versions (March 1995) SASL support added in version 3 Kerberos deemed stronger than SASL…

26 LDAP Security Security based on the BIND model Clear text  ver 1 Kerberos  ver 1,2,3 (depr) SASL  ver 3 Simple Authentication and Security Layer uses one of many authentication methods Proposal for Transport Layer Security Based on SSL v3 from Netscape

27 LDAP Security No Authentication Basic Authentication DN and password provided Clear-text or Base 64 encoded SASL (RFC 2222) Parameters: DN, mechanism, credentials Provides cross protocol authentication calls Encryption can be optionally negotiated ldap_sasl_bind() (ver3 call) Ldap:// /?supportedsaslmechanisms

28 LDAP Security LDAP using SASL using SSL/TLS

29 LDAP Security SSL/TLS Handshake

30 Agenda Background and Motivation Understanding LDAP Information Structure Naming Functions/Operations Security Protocol Model Mapping onto Transport Services Protocol Element Encoding Discussion

31 Protocol Model Clients performing protocol operations against servers Client sends protocol request to server Server performs operation on directory Server returns response (results/errors) Asynchronous Server Behavior

32 Directory Client/Server Interaction

33 Mapping onto Transport Uses Connection-oriented, reliable transport TCP LDAPMessage PDU mapped onto TCP byte stream LDAP listener on port 389 Connection Oriented Transport Service (COTS) LDAP PDU is mapped directly onto T-Data

34 Protocol Element Encoding Encoded for Exchange using BER (Basic Encoding Rules) BER defined in Abstract Syntax Notation One (ASN.1) High Overhead for BER Restrictions imposed to improve perf. Definite form of length encoding only Bit Strings/ Octet Strings and all character string types encoded in primitive form only

35 LDAP Implementations C Library API LDAPv2 - RFC 1823 ‘The LDAP API’ LDAPv3 – In Internet Draft stage Java JNDI LDAP v3 uses the UTF-8 encoding of the Unicode character set. HTTP to LDAP gateway LDAP to X.500 gateway – ldapd

36 LDAP v2 (Draft Standard) RFC 1777: LDAP v1 RFC 1778: The String Representation of Standard Attribute Syntaxes RFC 1779: A String Representation of Distinguished Names RFC 1959: An LDAP URL Format RFC 1960: A String Representation of LDAP Search Filters

37 Version 2 v/s Version 3 Referrals A server that does not store the requested data can refer the client to another server. Security Extensible authentication using Simple Authentication and Security Layer (SASL) Internationalization UTF-8 support for international characters. Extensibility New object types and operations can be dynamically defined and schema published in a standard manner.

Download ppt "The LDAP Protocol. Agenda Background and Motivation Understanding LDAP Information Structure Naming Functions/Operations Security Protocol Model Mapping."

Similar presentations

SOAP.

SOAP.
Secure Socket Layer.

Secure Socket Layer.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Internet Security Protocols

Internet Security Protocols
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Lightweight Directory Access Protocol (LDAP) By Raghavendra Aekka Professor Dr. Ravi Mukkamala.

Lightweight Directory Access Protocol (LDAP) By Raghavendra Aekka Professor Dr. Ravi Mukkamala.
LDAP Lightweight Directory Access Protocol LDAP.

LDAP Lightweight Directory Access Protocol LDAP.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
LDAP Jianwen Luo School of CTI, Depaul Univ. Oct.23, 1998.

LDAP Jianwen Luo School of CTI, Depaul Univ. Oct.23, 1998.
TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.

TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.
Directory & Naming Services CS-328 Dick Steflik. A Directory.

Directory & Naming Services CS-328 Dick Steflik. A Directory.
CS603 Directory Services January 30, 2002. Name Resolution: What would you like? Historical? –Mail –Telephone DNS? X.500 / LDAP? DCE? ActiveDirectory?

CS603 Directory Services January 30, Name Resolution: What would you like? Historical? –Mail –Telephone DNS? X.500 / LDAP? DCE? ActiveDirectory?
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
SNMP Simple Network Management Protocol

SNMP Simple Network Management Protocol
LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.

LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.
Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.

Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Internet-Based Client Access

Internet-Based Client Access
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Similar presentations

Ads by Google