370 likes | 661 Views
The LDAP Protocol…. Amrish Kaushik Graduate Student USC – Computer Science (CN). Agenda. Background and Motivation Understanding LDAP Information Structure Naming Functions/Operations Security Protocol Model Mapping onto Transport Services Protocol Element Encoding Discussion.
E N D
The LDAP Protocol… Amrish Kaushik Graduate Student USC – Computer Science (CN)
Agenda • Background and Motivation • Understanding LDAP • Information Structure • Naming • Functions/Operations • Security • Protocol Model • Mapping onto Transport Services • Protocol Element Encoding • Discussion
Background and Motivation • Increased reliance on networked computers • Need in information • Functionality • Ease-of-Use • Administration (Application specific dirs) • Clear and consistent organization • Integrity • Confidentiality
X.500 • X.500 standard. CCITT 1988 • Refer ISO 9594 – X.500-X.521 of 1990
X.500 • Organizes directory entries into a hierarchical namespace • Powerful search capabilities • Often used for interfacing incompatible directory services • Used DAP for c/s communication • DAP (App. Layer) requires ENTIRE OSI stack to operate • Too heavy for small environments
What is LDAP? • Lightweight Directory Access Protocol • Used to access and update information in a directory built on the X.500 model • Specification defines the content of messages between the client and the server • Includes operations to establish and disconnect a session from the server
Understanding LDAP • Lightweight alternative to DAP • Uses TCP/IP instead of OSI stack • Simplifies certain functions and omits others… • Uses strings rather than DAP’s ASN.1 notation to represent data.
LDAP • Information • Structure of information stored in an LDAP directory. • Naming • How information is organized and identified. • Functional / Operations • Describes what operations can be performed on the information stored in an LDAP directory. • Security • Describes how the information can be protected from unauthorized access.
LDAP Information Storage • Each attribute has a type/syntax and a value • Can define how values behave during searches/directory operations • Syntax: bin, ces, cis, tel, dn etc. • Usage limits: ssn – only one, jpegPhoto – 10K
LDAP Information Storage • Each ‘entry’ describes an object (Class) • Person, Server, Printer etc. • Example Entry: • InetOrgPerson(cn, sn, ObjectClass) • Example Attributes: • cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)
LDAP Naming • DNs consist of sequence of Relative DN • cn=John Smith,ou=Austin,o=IBM,c=US (Leaf 2 Root) (~use \ for special) • Directory Information Tree (DIT) • Follow geographical or organizational scheme • Aliases: Tree-like, • Aliases can link non-leaf nodes
LDAP Naming • Referrals: May not store entire DIT (v3) • Referrals • objectClass=referral, attribute=ref, value=LDAPurl • Implementation differs • Refferals/Chaining (vendor) • RFC 1777: server chaining is expected.
LDAP Naming • Schema • Defines what object classes allowed • Where they are stored • What attributes they have (objectClass) • Which attributes are optional (objectClass) • Type/syntax of each attribute (objectClass) • Query server for info: zero-length DN • LDAP schema must be readable by the client
LDAP Functions/Operations • Authentication • BIND/UNBIND • ABANDON • Query • Search • Compare entry • Update • Add an entry • Delete an entry (Only Leaf nodes, no aliases) • Modify an entry, Modify DN/RDN
Client and Server Interaction • Client establishes session with server (BIND) • Hostname/IP and port number • Security • User-id/password based authentication • Anonymous connection - default access rights • Encryption/Kerberos also supported • Client performs operations • Read/Update/Search • SELECT X,Y,Z FROM PART_OF_DIRECTORY • Client ends the session (UNBIND) • Client can ABANDON the session
BIND/UNBIND/ABANDON • Request includes LDAP version, the name the client wants to bind as, authentication type • Simple (clear text passwords, anonymous) • Kerberos v4 to the LDAP server (krbv42LDAP) • Kerberos v4 to the DSA server (krbv42DSA) • Server responds with a status indication • UNBIND: Terminates a protocol session • UnbindRequest ::= [APPLICATION 2] NULL • ABANDON: • MessageID to abandon
Search/Compare • Request includes • baseObject: an LDAPDN • Scope: how many levels to be searched • derefAliases: handling of aliases • sizeLimit: max number of entries returned • timeLimit: max time allowed for search • attrsOnly: return attribute types OR values also • Filter: cond. to be fulfilled when searching • Attributes: List of entry’s attributes to be returned • Read and List implemented as searches • Compare: similar to search but returns T/F
ADD/MODIFY/DELETE • ADD request • Entry: LDAPDN • List of Attributes and values (or sets of values) • MODIFY request • Used to add, delete, modify attributes • Request includes • Object: LDAPDN • List of modifications (atomic) • Add, Delete, Replace • DELETE request • Object: LDAPDN • MODIFY RDN: LDAPDN, newRDN, DEL_FLAG
Protocol Elements • LDAPMessage (MessageID unique)
Protocol Elements • LDAPString ::= OCTET STRING • LDAPDN ::= LDAPString • RelativeLDAPDN ::= LDAPString • AttributeValueAssertion ::= Sequence {attributeType attributeValue, attributeValue attributeValue } • attributeType ::= LDAPString • attributeValue ::= OCTET STRING
Protocol Elements • LDAP Result • Errors • Truncated DIT RDN sequence is sent • noSuchObject • aliasProblem • invalidDNSyntax • isLeaf etc.
LDAP Security • Current LDAP version supports • Clear text passwords • KERBEROS version 4 authentication • Other authentication methods possible in future versions (March 1995) • SASL support added in version 3 • Kerberos deemed stronger than SASL…
LDAP Security • Security based on the BIND model • Clear text ver 1 • Kerberos ver 1,2,3 (depr) • SASL ver 3 • Simple Authentication and Security Layer • uses one of many authentication methods • Proposal for Transport Layer Security • Based on SSL v3 from Netscape
LDAP Security • No Authentication • Basic Authentication • DN and password provided • Clear-text or Base 64 encoded • SASL (RFC 2222) • Parameters: DN, mechanism, credentials • Provides cross protocol authentication calls • Encryption can be optionally negotiated • ldap_sasl_bind() (ver3 call) • Ldap://<ldap_server>/?supportedsaslmechanisms
LDAP Security • LDAP using SASL using SSL/TLS
LDAP Security • SSL/TLS Handshake
Agenda • Background and Motivation • Understanding LDAP • Information Structure • Naming • Functions/Operations • Security • Protocol Model • Mapping onto Transport Services • Protocol Element Encoding • Discussion
Protocol Model • Clients performing protocol operations against servers • Client sends protocol request to server • Server performs operation on directory • Server returns response (results/errors) • Asynchronous Server Behavior
Mapping onto Transport • Uses Connection-oriented, reliable transport • TCP • LDAPMessage PDU mapped onto TCP byte stream • LDAP listener on port 389 • Connection Oriented Transport Service (COTS) • LDAP PDU is mapped directly onto T-Data
Protocol Element Encoding • Encoded for Exchange using BER (Basic Encoding Rules) • BER defined in Abstract Syntax Notation One (ASN.1) • High Overhead for BER • Restrictions imposed to improve perf. • Definite form of length encoding only • Bit Strings/ Octet Strings and all character string types encoded in primitive form only
LDAP Implementations • C Library API • LDAPv2 - RFC 1823 ‘The LDAP API’ • LDAPv3 – In Internet Draft stage • Java JNDI • LDAP v3 uses the UTF-8 encoding of the Unicode character set. • HTTP to LDAP gateway • LDAP to X.500 gateway – ldapd
Version 2 v/s Version 3 • Referrals • A server that does not store the requested data can refer the client to another server. • Security • Extensible authentication using Simple Authentication and Security Layer (SASL) • Internationalization • UTF-8 support for international characters. • Extensibility • New object types and operations can be dynamically defined and schema published in a standard manner.