LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL - PowerPoint PPT Presentation

Slides: 31
Provided by: alak9

Transcript and Presenter's Notes

1
LDAP: LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL
  • PRESENTATION BY ALAKESH APURVA DHAN AND ASH

2
WHAT IS LDAP
  • LDAP IS LIGHTWEIGHT
  • SUFFICIENTLY STRAIGHTFORWARD
  • EASY TO IMPLEMENT, AS AGAINST X.500 DAP, WHICH IS
    HEAVYWEIGHT

3
LDAP
  • "DIRECTORY" BECAUSE DATA IS ORGANISED IN THE
    FORM OF A TREE, MUCH LIKE THE UNIX FILE SYSTEM
  • USES A SIMPLIFIED SET OF ENCODINGS
  • RUNS DIRECTLY ABOVE TCP/IP
  • USES STRINGS TO REPRESENT DATA

4
LDAP
  • LDAP SECURITY MODEL: DEFINES HOW INFORMATION
    CAN BE PROTECTED FROM UNAUTHORISED ACCESS

5
LDAP
  • LDAP API
  • THERE ARE SEVERAL LDAP APIS (APPLICATION
    PROGRAMMING INTERFACES); THE OLDEST ONES ARE
    WRITTEN IN C
  • NOWADAYS LDAP APIS ARE AVAILABLE IN OTHER
    PROGRAMMING LANGUAGES LIKE PERL AND JAVA

6
HOW LDAP WORKS
  • THE LDAP DIRECTORY SERVICE IS BASED ON THE
    CLIENT-SERVER MODEL
  • LDAP IS A MESSAGE-ORIENTED PROTOCOL
  • THE CLIENT CONSTRUCTS AN LDAP MESSAGE CONTAINING
    A REQUEST AND SENDS IT TO THE SERVER

7
HOW LDAP WORKS
  • THE SERVER PROCESSES THE REQUEST AND SENDS THE
    RESPONSE BACK TO THE CLIENT IN THE FORM OF AN
    LDAP MESSAGE

8
LDAP BACKENDS
  • THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP
    SERVER, CALLED SLAPD, COMES WITH THREE
    DIFFERENT BACKEND DATABASES
  • WE ASSUME THAT IN OUR CASE WE USE LDBM, THE
    MOST USED ONE

9
HOW LDAP WORKS
  • THE LDAP DATABASE WORKS BY ADDING A COMPACT
    FOUR-BYTE UNIQUE IDENTIFIER TO EACH ENTRY
  • INDEX FILES ARE MAINTAINED FOR REFERRING TO
    THE DATA

10
LDAP PROTOCOL OPERATION
  • INTERROGATION OPERATIONS: SEARCH, COMPARE
  • ADD/DELETE OPERATIONS: ADD, DELETE, MODIFY,
    MODIFY DN
  • AUTHENTICATION AND CONTROL OPERATIONS: BIND,
    UNBIND, ABANDON
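Slides 6, 7 and 10 describe LDAP as a message-oriented protocol running straight over TCP, with bind and unbind among its operations. The following Python is an added example, not code from the presentation: it builds the actual bytes of an LDAPMessage carrying a BindRequest (simple authentication) and an UnbindRequest, using the BER tags the LDAP ASN.1 definition fixes for those operations. The DN and password in the usage block are constructed sample values. The point for a defender is visible in the encoder: a simple bind carries the password as a plain OCTET STRING, so it needs TLS (ldaps:// or StartTLS) on the wire.

```python
# Added example (not from the presentation): a minimal BER encoder for two
# LDAPMessages named on these slides, BindRequest and UnbindRequest.
# LDAP frames every request as LDAPMessage ::= SEQUENCE { messageID, protocolOp }
# and ships the bytes directly over TCP (no HTTP or RPC layer in between).
# The tag numbers are the ones fixed by the LDAP ASN.1 module (RFC 4511).

TAG_SEQUENCE = 0x30        # UNIVERSAL 16, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_UNBIND_REQUEST = 0x42  # [APPLICATION 2], primitive NULL
TAG_SIMPLE_AUTH = 0x80     # [0] context-specific, primitive: simple password


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Two's-complement INTEGER in the shortest form that keeps the sign bit clear."""
    length = max(1, (n.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, n.to_bytes(length, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage carrying a BindRequest with simple authentication.

    The password is a plain OCTET STRING inside the message: without TLS it is
    readable by anyone on the path, which is why simple bind needs ldaps:// or
    StartTLS.
    """
    op = (ber_integer(3)                                     # version 3
          + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))        # name (LDAPDN)
          + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))  # authentication: simple
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_REQUEST, op))


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest is [APPLICATION 2] NULL: it carries no payload at all."""
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_UNBIND_REQUEST, b""))


def decode_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def message_id_of(frame: bytes) -> int:
    """Read the messageID back out of an encoded LDAPMessage (round-trip check)."""
    tag, body, _ = decode_tlv(frame)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    itag, ival, _ = decode_tlv(body)
    if itag != TAG_INTEGER:
        raise ValueError("messageID missing")
    return int.from_bytes(ival, "big", signed=True)


if __name__ == "__main__":
    # constructed sample DN and password, not real credentials
    frame = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print("BindRequest  :", frame.hex())
    print("UnbindRequest:", unbind_request(2).hex())
    print("messageID    :", message_id_of(frame))
```

The hex printed for the bind shows the whole structure: the outer `30` SEQUENCE, `02 01 01` for messageID 1, then the `60` APPLICATION 0 BindRequest containing version, DN and the `80`-tagged password bytes.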

11
LDAP INFORMATION MODEL
  • THE BASIC UNIT IS THE ENTRY (A COLLECTION OF
    INFORMATION ABOUT AN OBJECT)
  • AN ENTRY IS COMPOSED OF A SET OF ATTRIBUTES

12
LDIF
  • LDIF STANDS FOR LDAP DATA INTERCHANGE
    FORMAT
  • DIRECTORY ENTRIES IN LDAP ARE WRITTEN IN
    LDIF

13
LDIF FORMAT
  • BASIC FORM OF LDIF:
    # COMMENT
    dn: <DISTINGUISHED NAME>
    <ATTRDESC>: <ATTRVALUE>
    <ATTRDESC>: <ATTRVALUE>
    ...
  • EXAMPLE: dn: uid=alakesh, dc=iit, dc=edu

14
LDAP
  • IN ADDITION TO BEING A NETWORK PROTOCOL, IT ALSO
    DEFINES FOUR MODELS
  • LDAP INFORMATION MODEL: DEFINES THE
    KIND OF DATA YOU PUT IN THE DIRECTORY
  • LDAP NAMING MODEL: HOW YOU ORGANISE AND REFER
    TO DIRECTORY INFORMATION

15
LDIF FORMAT
  • LINES STARTING WITH # ARE CONSIDERED TO BE
    COMMENTS
  • ALL OTHER ATTRIBUTES ARE WRITTEN IN
    <ATTRDESC>: <VALUE> FORM

16
LDIF
  • EACH ENTRY IS UNIQUELY IDENTIFIED BY A
    DISTINGUISHED NAME, OR DN. THE DN
    CONSISTS OF THE NAME OF THE ENTRY PLUS A
    PATH IN THE DIRECTORY TREE TRACING BACK TO
    THE TOP OF THE DIRECTORY HIERARCHY
  • THE OBJECT CLASS DEFINES THE CLASS OF
    ATTRIBUTES THAT CAN BE USED TO DEFINE AN
    ENTRY

17
LDIF
  • DIRECTORY DATA IS REPRESENTED AS
    ATTRIBUTE-VALUE PAIRS. ANY SPECIFIC PIECE
    OF INFORMATION IS ASSOCIATED WITH A
    DESCRIPTIVE ATTRIBUTE
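The LDIF form described on slides 12 to 17 (# comment lines, a dn line, attribute: value lines, entries separated by blank lines, and a DN that is a path back to the top of the tree), as an added Python example that is not part of the presentation. Beyond what the slides show, it also handles the two other LDIF conventions a parser meets in practice: a value written in base64 after "::" and a long line folded onto a continuation line starting with one space. The sample entries are constructed data, and the DN splitter deliberately ignores escaped commas.

```python
# Added example (not from the presentation): a small parser for the LDIF form
# on these slides and a DN splitter that walks back up the directory tree.
# It handles '#' comments, "dn:" records separated by blank lines,
# "attr: value" lines, "attr:: base64" lines and leading-space continuations.
import base64
import re
from typing import Dict, List

# constructed sample directory data, not taken from any real server
SAMPLE_LDIF = """\
# constructed sample, not real data
dn: uid=alakesh,dc=iit,dc=edu
objectClass: person
cn: Alakesh
sn: Apurva
description: a long line that is
  folded onto a second physical line
userPassword:: c2VjcmV0

dn: cn=hi,o=iitb,c=india
objectClass: organizationalRole
cn: hi
"""

Entry = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join continuation lines (a leading single space) onto the line above."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Return one dict per entry; every attribute (lowercased) maps to its values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:         # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                          # comment line
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                       # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    for e in entries:
        if "dn" not in e:
            raise ValueError("entry without dn")
    return entries


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs (escaped commas are not handled, for brevity)."""
    return [rdn.strip() for rdn in dn.split(",")]


def ancestors(dn: str) -> List[str]:
    """The path from the entry back to the top of the tree, as slide 16 describes."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        dn = entry["dn"][0]
        print(dn, "->", ancestors(dn))
```

Attribute names are lowercased on input because LDAP attribute descriptions are case-insensitive; a caller comparing `objectClass` with `objectclass` would otherwise miss matches.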

18
LDAP CONFIGURATION
  • THE CONFIGURATION FILE SLAPD.OC.CONF
    CONTAINS THE DEFINITIONS OF ALL THE OBJECT
    CLASSES
  • THE ATTRIBUTES OF THE OBJECT CLASSES ARE DEFINED
    IN THE SLAPD.AT.CONF FILE

19
LDAP CONFIGURATION
  • EACH OBJECT CLASS HAS REQUIRED AND ALLOWED
    ATTRIBUTES
  • REQUIRED ATTRIBUTES MUST BE PRESENT, WHILE
    ALLOWED ONES ARE OPTIONAL

20
LDAP CONFIGURATION
  • EACH ATTRIBUTE HAS A CORRESPONDING SYNTAX
    DEFINITION
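Slides 18 to 20 describe the schema side of the configuration: object classes with required and allowed attributes, and a syntax for each attribute. The Python below is an added example, not part of the presentation and not the real slapd.oc.conf or slapd.at.conf content: it keeps a constructed toy schema in two dictionaries and checks an entry the way the server does before accepting an add, reporting missing required attributes, attributes no listed class allows, and values that break their attribute's syntax. The class, attribute and syntax names are assumptions made for the example.

```python
# Added example (not from the presentation): validating entries against a
# small object-class schema in the spirit of slapd.oc.conf / slapd.at.conf.
# Object classes list REQUIRED and ALLOWED attributes; each attribute has a
# syntax. The schema below is a constructed toy, not the real OpenLDAP schema.
import re
from typing import Dict, List

# attribute -> syntax name (stand-in for the per-attribute syntax definition)
ATTRIBUTE_SYNTAX = {
    "cn": "directoryString",
    "sn": "directoryString",
    "uid": "directoryString",
    "mail": "ia5String",
    "uidnumber": "integer",
    "objectclass": "directoryString",
}

# object class -> (required attributes, allowed attributes)
OBJECT_CLASSES = {
    "person": ({"cn", "sn"}, {"uid", "mail"}),
    "posixaccount": ({"cn", "uid", "uidnumber"}, set()),
}

# syntax name -> predicate over a single string value
SYNTAX_CHECKS = {
    "directoryString": lambda v: len(v) > 0,
    "ia5String": lambda v: v.isascii() and len(v) > 0,
    "integer": lambda v: re.fullmatch(r"-?\d+", v) is not None,
}


def validate(entry: Dict[str, List[str]]) -> List[str]:
    """Return the list of schema violations; an empty list means the entry is valid."""
    # attribute names are case-insensitive, so normalise them first; dn is not an attribute
    attrs = {k.lower(): v for k, v in entry.items() if k.lower() != "dn"}
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        return ["entry has no objectClass"]
    problems: List[str] = []
    required, allowed = set(), set()
    for c in classes:
        if c not in OBJECT_CLASSES:
            problems.append(f"unknown object class {c}")
            continue
        req, allw = OBJECT_CLASSES[c]
        required |= req
        allowed |= allw
    present = set(attrs)
    for a in sorted(required - present):                     # required but absent
        problems.append(f"missing required attribute {a}")
    for a in sorted(present - required - allowed - {"objectclass"}):
        problems.append(f"attribute {a} not allowed by {', '.join(classes)}")
    for a in sorted(present):                                # per-value syntax check
        syntax = ATTRIBUTE_SYNTAX.get(a)
        if syntax is None:
            problems.append(f"attribute {a} has no syntax definition")
            continue
        for v in attrs[a]:
            if not SYNTAX_CHECKS[syntax](v):
                problems.append(f"value {v!r} of {a} violates syntax {syntax}")
    return problems


if __name__ == "__main__":
    # constructed sample entry with two violations: sn missing, uidNumber not an integer
    sample = {"dn": ["uid=x,dc=iit,dc=edu"], "objectClass": ["person", "posixAccount"],
              "cn": ["x"], "uidNumber": ["12a"]}
    for problem in validate(sample):
        print(problem)
```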

21
LDAP ACCESS CONTROL
  • access to <WHAT> by <WHO> <ACCESS LEVEL>
    <CONTROL>
  • THIS DIRECTIVE GRANTS ACCESS TO A SET OF
    ENTRIES/ATTRIBUTES BY ONE OR MORE REQUESTERS
  • EXAMPLE: access to * by * read

22
LDAP ACCESS CONTROL
  • THE ABOVE DIRECTIVE GIVES READ PERMISSION TO
    EVERYONE
  • FOR EXAMPLE, access to dn=".*,c=india"
    by * search GIVES SEARCH PERMISSION TO
    EVERYONE ON THE ENTRIES UNDER THE c=india SUBTREE
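Slides 21 and 22 give two access directives. How they combine depends on a rule slapd applies that the slides do not spell out: the first "access to" directive whose <WHAT> matches the entry is the only one consulted, and within it the first matching "by" clause decides; each level also implies the levels below it (none, auth, compare, search, read, write). The Python below is an added example, not part of the presentation and not OpenLDAP's own code: a simplified model of that evaluation supporting "*", "anonymous", "users", "self" and a literal dn="..." as <WHO>, and "*" or a DN regular expression as <WHAT>. Run on the slides' two directives it shows that in the order the slides present them, the c=india directive never takes effect, because "access to * by * read" matches every entry first.

```python
# Added example (not from the presentation): a simplified model of slapd's
#   access to <what> by <who> <access level>
# directives, keeping the two rules that matter most in a security review:
# the FIRST "access to" whose <what> matches the entry is the only one used,
# and each access level implies the levels below it. <what> is "*" or a
# regular expression on the DN (dn=".*,c=india"); <who> is "*", "anonymous",
# "users", "self" or a literal dn="...". Attribute-level and other forms of
# the real syntax are left out on purpose.
import re
from typing import List, NamedTuple, Optional, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


class Directive(NamedTuple):
    what: str                        # "*" or a DN regex
    by: List[Tuple[str, str]]        # [(who, level), ...] in written order


def parse_directive(text: str) -> Directive:
    """Parse 'access to <what> by <who> <level> [by <who> <level> ...]'."""
    m = re.fullmatch(r'access to (\*|dn="([^"]*)")((?: by \S+ \S+)+)', text.strip())
    if not m:
        raise ValueError(f"unsupported directive: {text!r}")
    what = "*" if m.group(1) == "*" else m.group(2)
    by = re.findall(r"by (\S+) (\S+)", m.group(3))
    for _, level in by:
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
    return Directive(what, by)


def what_matches(what: str, target_dn: str) -> bool:
    return what == "*" or re.fullmatch(what, target_dn, re.IGNORECASE) is not None


def who_matches(who: str, requester_dn: Optional[str], target_dn: str) -> bool:
    """requester_dn is None for an anonymous (unbound) client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def granted_level(directives: List[Directive], requester_dn: Optional[str], target_dn: str) -> str:
    """First matching 'access to' wins; inside it, the first matching 'by' wins.
    A matched <what> with no matching <who> stops evaluation with no access."""
    for d in directives:
        if not what_matches(d.what, target_dn):
            continue
        for who, level in d.by:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "none"


def allows(directives: List[Directive], requester_dn: Optional[str], target_dn: str, wanted: str) -> bool:
    """True when the granted level is at least the wanted one (levels are cumulative)."""
    return LEVELS.index(granted_level(directives, requester_dn, target_dn)) >= LEVELS.index(wanted)


# The two directives from the slides, in the order the slides present them.
SLIDE_ORDER = [parse_directive('access to * by * read'),
               parse_directive('access to dn=".*,c=india" by * search')]
# Same directives with the specific subtree first, which is the order slapd
# needs for the c=india restriction to ever take effect.
SPECIFIC_FIRST = list(reversed(SLIDE_ORDER))

if __name__ == "__main__":
    target = "cn=hi,o=iitb,c=india"      # constructed sample entry
    print("slide order   :", granted_level(SLIDE_ORDER, None, target))     # read
    print("specific first:", granted_level(SPECIFIC_FIRST, None, target))  # search
```

The same first-match rule is why a review of slapd access lists has to read them top to bottom: a broad directive placed early silently shadows every more specific one after it.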

23
LDAPADD
  • THE OPENLDAP PACKAGE COMES WITH A SHELL EXECUTABLE
    NAMED LDAPADD, USED TO ADD ENTRIES TO THE
    DATABASE WHILE THE LDAP SERVER IS RUNNING
  • BASIC SYNTAX IS ldapadd -f <DATAFILE> -D
    <DN> -w <PASSWD> / -W (IF THE PASSWORD IS TO
    BE PROMPTED FOR)

24
LDAPDELETE
  • ANOTHER SHELL EXECUTABLE, FOR DELETING ENTRIES
  • ITS SYNTAX IS ldapdelete
    "cn=hi,o=iitb,c=india"

25
LDAPMODIFY
  • IT IS ANOTHER SHELL EXECUTABLE, TO MODIFY DATA
    IN THE DIRECTORY DATABASE
  • IT HAS A SIMILAR SYNTAX TO LDAPADD

26
LDAPSEARCH
  • SHELL-ACCESSIBLE INTERFACE TO THE ldap_search() C
    ROUTINE
  • LDAPSEARCH OPENS A CONNECTION TO THE LDAP SERVER
    AND PERFORMS A SEARCH WHICH FOLLOWS THE FILTERING
    RULES DEFINED IN RFC 1558

27
LDAPSEARCH
  • FOR EXAMPLE, ldapsearch -b "c=india"
    "o=iitb": IF * IS ALLOWED READ ACCESS BY
    DEFAULT, THE o=iitb ENTRY WILL BE RETURNED
  • THE -b OPTION SPECIFIES THE SEARCH BASE
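Slides 26 and 27 describe ldapsearch as a search base plus a filter in the RFC 1558 string syntax. The Python below is an added example, not part of the presentation and not the ldapsearch tool itself: it parses the filter grammar (the &, |, ! combinators, equality, presence with attr=*, and substring filters with *) and runs it over an in-memory directory with base and scope handling, so the slide's `ldapsearch -b "c=india" "o=iitb"` can be traced without a server. The directory entries are constructed sample data, and DN containment is done by suffix comparison, which does not handle escaped commas.

```python
# Added example (not from the presentation): an evaluator for the search
# filter syntax ldapsearch uses (RFC 1558 string filters), run over an
# in-memory set of entries with a search base and scope, mirroring
#   ldapsearch -b "c=india" "o=iitb"
# Supported: &, |, !, equality, presence (attr=*) and substring filters.
# Entries below are constructed sample data; attribute names are lowercase.
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

DIRECTORY: List[Entry] = [
    {"dn": ["c=india"], "objectclass": ["country"], "c": ["india"]},
    {"dn": ["o=iitb,c=india"], "objectclass": ["organization"], "o": ["iitb"]},
    {"dn": ["cn=hi,o=iitb,c=india"], "objectclass": ["organizationalRole"], "cn": ["hi"]},
    {"dn": ["o=iitd,c=india"], "objectclass": ["organization"], "o": ["iitd"]},
    {"dn": ["o=iitb,c=usa"], "objectclass": ["organization"], "o": ["iitb"]},
]


def parse_filter(s: str) -> Tuple:
    """Parse one parenthesised filter into a tuple tree such as ('&', [...])."""
    node, rest = _parse(s.strip())
    if rest:
        raise ValueError(f"trailing input after filter: {rest!r}")
    return node


def _parse(s: str) -> Tuple[Tuple, str]:
    """Recursive descent over '(' ... ')'; returns the node and the unparsed rest."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    s = s[1:]
    if not s:
        raise ValueError("unterminated filter")
    if s[0] in "&|":                          # (&(f1)(f2)...) / (|(f1)(f2)...)
        op, s = s[0], s[1:]
        items = []
        while s.startswith("("):
            item, s = _parse(s)
            items.append(item)
        node = (op, items)
    elif s[0] == "!":                         # (!(f))
        item, s = _parse(s[1:])
        node = ("!", item)
    else:                                     # (attr=value), (attr=*), (attr=a*b)
        m = re.match(r"([A-Za-z][\w.;-]*)=([^()]*)", s)
        if not m:
            raise ValueError(f"bad simple filter at {s!r}")
        node = ("=", m.group(1).lower(), m.group(2))
        s = s[m.end():]
    if not s.startswith(")"):
        raise ValueError("missing ')'")
    return node, s[1:]


def matches(node: Tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = [v.lower() for v in entry.get(attr, [])]
    if pattern == "*":                        # presence filter
        return bool(values)
    if "*" in pattern:                        # substring filter: '*' matches any run
        rx = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
        return any(re.fullmatch(rx, v) for v in values)
    return pattern.lower() in values          # equality filter


def under_base(dn: str, base: str) -> bool:
    """True when dn is the base itself or lies in the subtree below it."""
    d = re.sub(r",\s*", ",", dn.lower())
    b = re.sub(r",\s*", ",", base.lower())
    return d == b or d.endswith("," + b)


def ldapsearch(base: str, filter_text: str, scope: str = "sub") -> List[str]:
    """Return the DNs under base that match the filter (scope: base | one | sub)."""
    node = parse_filter(filter_text)
    found: List[str] = []
    for entry in DIRECTORY:
        dn = entry["dn"][0]
        if not under_base(dn, base):
            continue
        depth = dn.count(",") - base.count(",")   # RDN steps below the base
        if scope == "base" and depth != 0:
            continue
        if scope == "one" and depth != 1:
            continue
        if matches(node, entry):
            found.append(dn)
    return found


if __name__ == "__main__":
    print(ldapsearch("c=india", "(o=iitb)"))                                  # the slide's search
    print(ldapsearch("c=india", "(&(objectClass=organization)(!(o=iitb)))"))
    print(ldapsearch("c=india", "(|(cn=*)(o=iit*))"))
```

Note that `o=iitb,c=usa` never appears in the results: the base limits the search before the filter is even applied, which is the same order a real server uses.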

28
LDAP AND JAVA CONNECTIVITY
  • THERE EXISTS A PACKAGE CALLED JNDI (JAVA
    NAMING AND DIRECTORY INTERFACE)
  • IT CONTAINS THE APIS NEEDED TO CONNECT TO AN
    LDAP SERVER AND RETRIEVE INFORMATION

29
JNDI EXAMPLE
  • A TYPICAL PIECE OF CODE WRITTEN USING JNDI TO DO
    AN LDAP SEARCH WILL LOOK LIKE THIS:
    // JNDI search skeleton as shown on the slide; the Env class that
    // supplies the context factory name and the server URL is not shown
    import java.util.Hashtable;
    import java.util.Enumeration;
    import javax.naming.*;
    import javax.naming.directory.*;

    class Search {
        public static void main(String[] args) {
            Hashtable env = new Hashtable(5, 0.75f);
            // which JNDI provider to use: the LDAP context factory class
            env.put(Context.INITIAL_CONTEXT_FACTORY, Env.INITCTX);
            // where the LDAP server is, as an ldap:// URL
            env.put(Context.PROVIDER_URL, Env.MY_SERVICE);
            ...

30
Why LDAP?
  • Most LDAP servers are optimized for
    read-intensive operations. Thus, one can see an
    order of magnitude difference when reading data
    from an LDAP directory versus obtaining the same
    data from a relational database server optimized
    for OLTP.
  • Because of this optimization, however, most
    LDAP directories are not suited for storing data
    where changes are frequent.