
LDAP Overview



  1. LDAP Overview
  HEPix – LAL, Apr. 2001
  Michel Jouvin, jouvin@lal.in2p3.fr
  LDAP Overview - HEPix - LAL 2001

  2. Outline
  • LDAP : What is it ?
  • X.500
    • A short history
    • Information model and naming
  • LDAP
    • A short history
    • Search operation and filters
    • Access control

  3. LDAP : What Is It ?
  • Lightweight Directory Access Protocol
  • An access protocol
    • Originally designed for access to X.500 directories
  • Built on the X.500 paradigm
    • Data abstraction (entries, attributes, object classes)
    • Hierarchical naming of entries
  • Specifies only the wire protocol, not the server side (how data is stored, replicated or managed)

  4. X.500 : Historical Milestones…
  • 1984 : Start of design as an OSI directory application
    • Driven by CCITT (now ITU-T)
  • 1988 : X.500 v1
    • Hierarchical organization and naming of data
    • Client/Server model
    • Client/Server protocol : DAP
    • Server/Server protocol : DSP
    • X.509 v1 : authentication based on asymmetric encryption

  5. … X.500 : Historical Milestones
  • 1993 : X.500 v2
    • Addition of replication (shadowing) : DISP
  • 1997 : X.500 v3
    • X.509 v3 : certificate extensions
  • 2001 : X.500 v4
    • X.509 v4 : enhanced handling of certificates and a privilege management infrastructure (attribute certificates)

  6. Information Model…
  • Directory object = Entry
    • Defined by its attributes
    • Belongs to one or more object classes
  • Attributes : describe the characteristics of an entry
    • Type/value pairs
    • Type : defines a syntax
    • Matching rules (equality, ordering, substring) defined for each type
    • Support for multi-valued attributes

  7. … Information Model
  • Object Class
    • Defines a set of allowed (MAY) and mandatory (MUST) attributes
    • Inheritance (multiple) between object classes
  • Schema : set of object classes for one purpose
    • Can restrict allowed attributes/syntaxes
    • Several standard schemas proposed
    • inetOrgPerson schema (RFC 2798) : to represent a person
    • Java schema (RFC 2713) : to represent Java objects in LDAP

  8. X.500 Naming : DIT and DN…
  (Figure: an example DIT. Below the root sit the countries C=US and C=FR; at the organization level O=HEP, O=IN2P3 and O=CEA; below O=IN2P3 the units OU=LAL and OU=CC; below OU=LAL the entry CN=Jouvin. The RDNs highlighted along one path, C=FR, O=IN2P3, OU=LAL and CN=Jouvin, are the ones concatenated into the DN on the next slide.)

  9. …X.500 Naming : DIT and DN
  • RDN : Relative Distinguished Name
    • Unique value for each entry at one level of the DIT (unique among siblings)
    • Built from attribute value(s) of the entry
  • DN : Distinguished Name
    • Concatenation of all RDNs from the entry up to the root
    • Unique name of an entry in the DIT
    • cn=Jouvin, ou=LAL, o=IN2P3, c=FR
  • Alias : alternative designation for a DN (an entry pointing to another entry)

  10. X.500 Strengths…
  • One DIT distributed over several servers
    • Ability to build a world-wide directory
  • Knowledge about where information is located is held inside the directory
    • No need for the client to know every server
  • Inter-server protocol (DSP)
    • Chaining of requests : transparent to the client; the initial security level (the client's authentication) is preserved end to end
    • Referrals : the server to contact is returned to the client

  11. … X.500 Strengths
  • Not bound to any particular data type
  • Optimized for read/search operations
  • Several authentication/security levels
    • Anonymous
    • Simple : clear-text password (only safe over a protected channel)
    • Strong : encryption/certificates
  • Certificate/public key distribution (X.509)
  • Shadowing protocol (DISP)

  12. LDAP History…
  • Started at the end of the 80s at the University of Michigan
    • Small subset of DAP for search/retrieval
    • Runs over TCP/IP instead of the OSI stack
  • 1993 : LDAP v2 (RFC 1487; string syntaxes in RFC 1488)
    • Access protocol for X.500 directories
    • Based on the X.500 information model
    • Attributes represented as strings
    • Encoding rules defined for each type
    • Authentication : anonymous or plain-text password

  13. … LDAP History
  • 1997 : LDAP v3 (RFC 2251-2256)
    • Still based on the X.500 information model
    • Allows for standalone LDAP servers
    • Introduction of referrals
    • No inter-server protocol like DSP
    • Shadowing not defined (proprietary solutions)
    • Rules for standard operation extensions (controls, extended operations)
    • Authentication through SASL; SSL/TLS (StartTLS, RFC 2830) to protect the connection
    • LDAP URLs (RFC 2255)

  14. LDAP Search Operations
  • Very powerful - one of LDAP's strengths
  • Scope : the base entry alone, one level below it, or the whole subtree
  • Limits possible on the number of entries returned, the time spent searching…
  • Selection of returned attributes
    • Ex : cn, telephoneNumber
  • Selection of entries through filters
    • Interpreted according to the matching rules of each attribute type

  15. LDAP Search Filters
  • =, <=, >= → cn=Jouvin
  • Substring match : * → cn=Jouvin*
  • Attribute presence : * → telephoneNumber=*
  • Approximate (similar sound) : ~=
    • cn~=Jouvin will match Jouvin and Jouvain
    • Several algorithms available (server dependent)
  • Logical operators : !, &, |
    • (&(cn=Jouvin)(c=fr))
  • String form defined in RFC 2254 : a literal *, (, ) or \ inside a value must be escaped as \2a, \28, \29, \5c
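The search operation and filter syntax of slides 14 and 15, as an added worked example: this is editor-written Python, not code from the presentation or from any LDAP server. It parses RFC 2254 filter strings, evaluates them over a few constructed entries with simplified matching rules (caseIgnoreMatch-style equality and substring matching, lexicographic comparison for >= and <=, plain Soundex standing in for whatever approximate algorithm a given server uses), and applies base/one/subtree scope, attribute selection and a size limit. The DIRECTORY entries, names and phone numbers are constructed. It also carries the check a practitioner wants around filters: a user-supplied value must go through RFC 2254 escaping before being spliced into a filter, otherwise a `*` silently turns an equality match into a substring match.

```python
"""Toy LDAPv3 search: RFC 2254 filter strings evaluated over in-memory entries."""
import re

def parse_filter(s):
    """Parse an RFC 2254 filter string into a nested tuple tree."""
    node, rest = _parse(s.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("filter must start with '(': %r" % s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):                       # compound filter
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")") or (op == "!" and len(kids) != 1):
            raise ValueError("malformed compound filter")
        return (op, kids), s[1:]
    m = re.match(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^)]*)\)", s)
    if not m:
        raise ValueError("malformed simple filter: %r" % s)
    attr, op, value, rest = m.group(1).lower(), m.group(2), m.group(3), s[m.end():]
    if op == "=" and value == "*":
        return ("present", attr), rest
    if op == "=" and "*" in value:                     # unescaped '*' => substring filter
        return ("substr", attr, [_unescape(p) for p in value.split("*")]), rest
    return (op, attr, _unescape(value)), rest

def _unescape(v):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def escape_filter_value(v):
    """RFC 2254 escaping for a value spliced into a filter; without it a user-supplied
    '*' or '(' rewrites the filter instead of being matched literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in v)

def _norm(v):
    """caseIgnoreMatch-style normalisation: case-fold and collapse whitespace."""
    return " ".join(str(v).split()).lower()

def soundex(word):
    """Plain Soundex, standing in for the server-specific ~= algorithm (assumption)."""
    codes = {c: d for d, g in zip("123456", ["bfpv", "cgjkqsxz", "dt", "l", "mn", "r"]) for c in g}
    letters = [c for c in word.lower() if c.isalpha()] or ["0"]
    out, last = letters[0].upper(), codes.get(letters[0])
    for c in letters[1:]:
        code = codes.get(c)
        if code and code != last:
            out += code
        if c not in "hw":                              # h/w do not separate equal codes
            last = code
    return (out + "000")[:4]

def _match(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    values = [_norm(v) for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "substr":                               # text between '*' becomes '.*'
        pat = "^" + ".*".join(re.escape(_norm(p)) for p in node[2]) + "$"
        return any(re.match(pat, v) for v in values)
    target = _norm(node[2])
    if kind == "=":
        return target in values
    if kind == "~=":
        return any(soundex(v) == soundex(target) for v in values)
    # >= / <= : lexicographic here; a real server applies the attribute's ORDERING rule
    return any((v >= target) if kind == ">=" else (v <= target) for v in values)

def _rdns(dn):
    """DN -> list of normalised RDNs (escaped commas not handled; enough for the demo)."""
    return [_norm(r) for r in dn.split(",")]

def search(directory, base, scope, filter_str, attrs=None, sizelimit=0):
    """Return ([(dn, selected_attributes), ...], truncated) like an LDAP search;
    scope is 'base', 'one' or 'sub', sizelimit=0 means unlimited."""
    tree, base_rdns, hits = parse_filter(filter_str), _rdns(base), []
    for dn, entry in directory.items():
        rdns = _rdns(dn)
        depth = len(rdns) - len(base_rdns)
        if depth < 0 or rdns[depth:] != base_rdns:
            continue                                   # entry is not under the base
        if scope != "sub" and (scope, depth) not in (("base", 0), ("one", 1)):
            continue
        if not _match(tree, entry):
            continue
        if sizelimit and len(hits) >= sizelimit:
            return hits, True                          # a server reports sizeLimitExceeded
        wanted = [a.lower() for a in attrs] if attrs else list(entry)
        hits.append((dn, {a: entry[a] for a in wanted if a in entry}))
    return hits, False

# Constructed sample entries (attribute names lower-cased, phone numbers are dummies).
DIRECTORY = {
    "ou=LAL,o=IN2P3,c=FR": {"objectclass": ["organizationalUnit"], "ou": ["LAL"]},
    "cn=Jouvin,ou=LAL,o=IN2P3,c=FR": {"objectclass": ["inetOrgPerson"], "cn": ["Jouvin"],
                                       "c": ["FR"], "telephonenumber": ["+33 1 00 00 00 00"]},
    "cn=Jouvain,ou=LAL,o=IN2P3,c=FR": {"objectclass": ["inetOrgPerson"], "cn": ["Jouvain"], "c": ["FR"]},
    "cn=Durand,ou=CC,o=IN2P3,c=FR": {"objectclass": ["inetOrgPerson"], "cn": ["Durand"],
                                      "c": ["FR"], "telephonenumber": ["+33 4 00 00 00 00"]},
}
```

`search(DIRECTORY, "o=IN2P3,c=FR", "sub", "(cn~=Jouvin)")` returns both Jouvin and Jouvain, `"(cn=Jouvin*)"` only Jouvin, and `"(telephoneNumber=*)"` the two entries that have a phone number. Compare `"(cn=%s)" % "Jou*"` (a substring filter matching two entries) with `"(cn=%s)" % escape_filter_value("Jou*")` (an equality filter matching nothing): that difference is the whole of LDAP filter injection, and the escaping is the fix.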

  16. LDAP Access Control Model
  • Access to an entry is controlled by ACLs
  • One ACL entry : ACI (Access Control Information)
    • Can restrict access to a single attribute (e.g. compare-only on the password attribute)
  • Stored in a multi-valued attribute : ldapACI
    • Interpreted as an unordered set (no first-match precedence)
    • At each level of the DIT
    • Managed through the standard operations on attributes
  • This is the IETF LDAPEXT access control model draft; it was never adopted as a standard, and servers use their own ACL syntaxes

  17. LDAP ACI Structure
  • Each ldapACI combines
    • Subject : identification of the "user"
      • Combination of a DN and an authentication level
    • Rights
      • grant or deny
      • Permissions : add, modify, delete, read, search, compare, write…
    • Scope : the entry alone (one level) or the subtree
    • Attribute the ACI applies to, or [entry] for the entry as a whole

  18. LDAP ACI Examples
  • A group may read, search and compare an attribute in a subtree
    ldapACI: subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr
  • The SysAdmins role can add entries in a subtree but only compare attribute attr2
    ldapACI: subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
    ldapACI: subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
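The ACI structure of slides 16 to 18, together with the RDN/DN ancestry of slide 9, as an added worked example: editor-written Python, not the presentation's code nor any server's implementation. It parses the four-field `scope#rights#attr#subject` strings exactly as written on slide 18, collects the ldapACI values stored on the target entry and on each of its ancestors in the DIT, keeps an ancestor's ACI only when its scope is subtree, and evaluates the result as an unordered set. The combining rule (any matching deny wins, otherwise any matching grant allows, otherwise refuse), the subject kinds access-id/group/role/public, the constructed DIRECTORY with two extra ACIs, and the requesters are all assumptions made for the demo.

```python
"""Toy evaluator for the ldapACI model on the slides: scope#rights#attr#subject."""

def _norm_dn(dn):
    """DN -> list of lower-cased RDNs (escaped commas not handled; demo only)."""
    return [r.strip().lower() for r in dn.split(",")]

def parse_aci(text):
    """Parse the four-field form used on slide 18 into a dict."""
    scope, rights, attr, subject = text.split("#", 3)
    action, _, perms = rights.partition(":")
    if scope not in ("entry", "subtree") or action not in ("grant", "deny"):
        raise ValueError("bad ACI: %r" % text)
    kind, _, who = subject.partition(":")
    return {"scope": scope, "action": action,
            "perms": {p.strip() for p in perms.split(",") if p.strip()},
            "attr": attr.strip().lower(),
            "subject": (kind.strip().lower(), _norm_dn(who) if who.strip() else None)}

def subject_matches(subject, requester):
    """requester = {'dn': str or None, 'groups': [...], 'roles': [...]}.
    Subject kinds assumed here: access-id (one DN), group, role, public. An anonymous
    bind (dn None) has no DN to be a member with, so it can only match 'public'."""
    kind, who = subject
    if kind == "public":
        return True
    if requester["dn"] is None:
        return False
    if kind == "access-id":
        return _norm_dn(requester["dn"]) == who
    if kind in ("group", "role"):
        return who in [_norm_dn(d) for d in requester.get(kind + "s", [])]
    return False

def applicable_acis(directory, target_dn):
    """Yield (holder_dn, aci) for ACIs on the target and, if scope is subtree, on its ancestors."""
    rdns = _norm_dn(target_dn)
    for i in range(len(rdns)):                      # i == 0 is the entry itself
        holder = ",".join(rdns[i:])
        for raw in directory.get(holder, {}).get("ldapaci", []):
            aci = parse_aci(raw)
            if i == 0 or aci["scope"] == "subtree":
                yield holder, aci

def check(directory, target_dn, requester, perm, attr="[entry]"):
    """Unordered evaluation: any matching deny wins, else any matching grant allows,
    else access is refused (deny-overrides with default deny: the rule assumed here)."""
    attr = attr.lower()
    granted = False
    for _, aci in applicable_acis(directory, target_dn):
        if aci["attr"] != attr or perm not in aci["perms"]:
            continue
        if not subject_matches(aci["subject"], requester):
            continue
        if aci["action"] == "deny":
            return False
        granted = True
    return granted

# Constructed directory: keys are normalised DNs; the first three ACIs are the ones
# on slide 18, the other two are added for the demo.
DIRECTORY = {
    "ou=lal,o=in2p3,c=fr": {"ldapaci": [
        "subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
        "subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
        "subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
        "subtree#grant:c#userPassword#public:",          # compare-only on the password
        "entry#grant:d#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",  # this entry only
    ]},
    "cn=jouvin,ou=lal,o=in2p3,c=fr": {"ldapaci": [
        "entry#deny:r#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",    # deny beats the grant above
    ]},
    "cn=jouvain,ou=lal,o=in2p3,c=fr": {},
}

# Constructed requesters: a bound DN plus its group/role memberships.
ATLAS_MEMBER = {"dn": "cn=alice,ou=lal,o=in2p3,c=fr",
                "groups": ["cn=Atlas,ou=LAL,o=IN2P3,c=FR"], "roles": []}
SYSADMIN = {"dn": "cn=bob,ou=lal,o=in2p3,c=fr",
            "groups": [], "roles": ["cn=SysAdmins,ou=lal,o=in2p3,c=fr"]}
ANONYMOUS = {"dn": None, "groups": [], "roles": []}
```

`check(DIRECTORY, "cn=jouvain,...", ATLAS_MEMBER, "r", "OID.attr1")` is allowed by the subtree grant on ou=lal, while the same request on cn=jouvin is refused by the entry-level deny, whatever order the two ACIs are read in. The SysAdmins role can add entries anywhere under ou=lal but delete only the ou=lal entry itself (scope entry), and an anonymous client can compare userPassword but never read it, which is the password-compare case of slide 16.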

  19. How to locate an LDAP server ?
  • A client should need to know only one server
  • Knowledge must be "served"
  • No single standard agreed upon
  • Knowledge inside the LDAP server
    • Based on the use of referrals
    • Not well standardized for superior references (referrals pointing above or outside the server's naming context)
  • Use DNS SRV records (_ldap._tcp.<domain>, RFC 2782)
    • Approach used by Microsoft in Active Directory

  20. Who Speaks LDAP ? (servers)
  • Almost any distributed directory
    • X.500 (1993 edition and later)
    • Microsoft Active Directory (Windows 2000)
    • Novell NDS
  • Standalone LDAP servers
    • Netscape/iPlanet Directory Server
    • OpenLDAP : open-source successor to the University of Michigan server
    • PMDF…

  21. Who Speaks LDAP ? (clients)
  • Almost any mail client
    • One popular client still at v2 : Pine
  • Web browsers
    • LDAP URLs
    • Through server-side code : PHP, Java servlets, Perl…
  • PGP clients
    • Public key lookup from LDAP key servers

  22. Issues with Standalone LDAP
  • No chaining, referrals only (and only in v3)
    • Popular mail clients like Pine or Netscape < 4.7 are v2
    • Knowledge about servers lives inside the v2 client : hard to maintain when the infrastructure changes
  • Request routing between servers
    • No standard on how to locate a server
  • No shadowing protocol
    • Proprietary solutions
    • Generally based on slurpd from the University of Michigan
