Jeff Hodges, jhodges@oblix.com - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1

LDAP Directory Services Security
  • Jeff Hodges, jhodges@oblix.com
  • http://www.oblix.com/
  • 11-Aug-1999, v0.95

2
Directory Security Syllabus
  • Brief Review of Directories and LDAP
  • Brief Review of Security
  • Basic Security Concepts
  • Security as Applied to Directories
  • Threats
  • LDAP Protocol Security Features
  • Typically Implemented Security Features
  • Futures
  • References

3
Directory Security: Brief Review of Directories & LDAP
[Diagram: a Directory Service made up of the Directory Information Tree (DIT) and the Directory Database, reached over the Network via LDAP]
4
Directory Security: Brief Review of Directories & LDAP
  • What directories are
    • Object repositories
    • Typically read more than written
    • Have explicit access protocols
    • Support relatively complex queries
  • What directories are not
    • RDBMSs
    • Lack notions of..
      • Tabular views
      • JOIN operations
      • Stored Procedures

5
Directory Security: Brief Review of Directories & LDAP
  • Obligatory, overly-simplified, Protocol Stack Diagram
[Diagram: protocol stack, top to bottom: Directory-based Application, LDAP, TCP, IP, "Ethernet, Cable, Wireless, whatever."]

6
Directory Security: Brief Review of Security
  • Notion of Security for a network protocol is comprised of (at least) these axes..
    • Identity Authentication
      • Who are you and who says so?
    • Confidentiality
      • Tough petunias to eavesdroppers.
    • Integrity
      • Did anyone muck with this data?
    • Authorization
      • Yes, you can do that, but no, you can't do that other thing.

7
Directory Security: Basic Security Concepts
  • Notions...
    • The notion of Identity
    • Of Names and Identifiers
    • Authentication Identity
    • Authorization Identity
    • Anonymity

8
Directory Security: Basic Security Concepts
[Diagram: an Overall Namespace containing Names and Identifiers]
9
Directory Security: Basic Security Concepts
  • The applicable science & technology of implementation...
    • Ciphers
    • Encryption
    • Integrity
    • AKA Cryptography [11]

10
Directory Security: Basic Security Concepts, cont'd
11
Directory Security: Basic Security Concepts, cont'd
12
Directory Security: Basic Security Concepts, cont'd
13
Directory Security: Security as Applied to Directories
  • One needs to separately consider each of the four security axes in the context of anticipated threats.
  • Also need to consider security from the perspectives of..
    • the info stored in the directory, and..
    • attributes of the requesters.
      • E.g. how much you trust them.
  • Note that..
    • data security != access security

14
Directory Security: Example Deployment Scenarios
15
Directory Security: Threats
[Diagram: numbered threat points placed on the deployment: labels 2, 3 and 7 at the Legitimate Directory Service; labels 5 and 6 (one further label illegible) on the LDAP / Network path; label 1 at the Directory Database]
16
Directory Security: Threats, cont'd
[Diagram: Network, Directory Service Host(s), Directory Database]
17
Directory Security: LDAP Protocol Security Features
  • Formal notions of..
    • Authentication Identifiers [7], and..
    • Authorization Identifiers [7]
  • Leverages several security mechanisms..
    • Simple passwords [2, 8]
    • SASL [6]
    • Kerberos [2]
    • Digest [4]
    • SSL/TLS [7]
      • effectively is a session layer
  • The above may be used in various combinations together.
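The slide lists the mechanisms but does not show what a bind actually looks like on the wire. The following is an added example (not code from the talk or from any LDAP implementation): a small BER encoder/decoder for the LDAPv3 BindRequest PDU as defined in RFC 2251 section 4.2, covering the simple-password choice, the anonymous bind (empty name and password), and the SASL choice. The DNs, passwords and mechanism names are constructed for the demonstration. Its point is the defender's one: the simple-bind password travels as plain octets, so the "various combinations" the slide mentions (simple bind only over TLS, or a SASL mechanism that never sends the password) are what keep it from being read off the network.

```python
"""Build and decode the LDAPv3 BindRequest PDU (RFC 2251, section 4.2) with a
tiny BER encoder, to show what a bind actually puts on the wire.

DNs, passwords and mechanism names below are constructed for the demonstration."""
from __future__ import annotations


def _ber_len(n: int) -> bytes:
    # Definite-length form: one byte below 128, otherwise 0x80|count followed by the length bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _integer(n: int) -> bytes:
    # Minimal two's-complement INTEGER; enough for message IDs and the version number.
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_simple_bind(message_id: int, name: str, password: bytes) -> bytes:
    """LDAPMessage SEQUENCE { messageID INTEGER, [APPLICATION 0] BindRequest SEQUENCE {
       version INTEGER (3), name LDAPDN, authentication [0] simple OCTET STRING } }.
    An empty name together with an empty password is the anonymous bind."""
    bind = _integer(3) + _tlv(0x04, name.encode("utf-8")) + _tlv(0x80, password)
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def encode_sasl_bind(message_id: int, mechanism: str, credentials: bytes | None = None) -> bytes:
    """Same PDU, but authentication is [3] SaslCredentials SEQUENCE { mechanism, credentials OPTIONAL }."""
    sasl = _tlv(0x04, mechanism.encode("ascii"))
    if credentials is not None:
        sasl += _tlv(0x04, credentials)
    bind = _integer(3) + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _integer(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    # Returns (tag, value, position just after this element).
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(pdu: bytes) -> dict:
    """Decode a BindRequest PDU into its fields: exactly what a passive observer of the TCP stream sees."""
    tag, message, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, pos = _read_tlv(message, 0)
    tag, bind, _ = _read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    auth_tag, auth, _ = _read_tlv(bind, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": int.from_bytes(version, "big", signed=True),
           "name": name.decode("utf-8")}
    if auth_tag == 0x80:                      # simple: the password octets, as-is
        out.update(method="simple", password=auth, anonymous=(not name and not auth))
    elif auth_tag == 0xA3:                    # sasl: mechanism name plus optional credentials
        _, mech, p = _read_tlv(auth, 0)
        out.update(method="sasl", mechanism=mech.decode("ascii"),
                   credentials=_read_tlv(auth, p)[1] if p < len(auth) else None)
    else:
        raise ValueError("unknown authentication choice tag 0x%02x" % auth_tag)
    return out


def password_visible_on_wire(pdu: bytes, password: bytes) -> bool:
    """True when the bind password appears verbatim in the PDU: without TLS (LDAPS or
    StartTLS) underneath, anyone capturing the TCP stream can read it."""
    return bool(password) and password in pdu


if __name__ == "__main__":
    pdu = encode_simple_bind(1, "cn=Directory Manager", b"secret")
    print(pdu.hex())
    print(parse_bind_request(pdu))
    print("password readable on the wire:", password_visible_on_wire(pdu, b"secret"))
```

Run it and compare the hex dump with the decoded dictionary: the `secret` octets sit unchanged inside the PDU, which is why a server that accepts simple binds on a non-TLS port has effectively chosen cleartext passwords, whatever the client intends. A SASL bind carries only the mechanism name in this first message; whether credentials are ever exposed then depends on the mechanism (Digest and Kerberos, both on the slide, do not send the password itself).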

18
Directory Security: LDAP Protocol Security Features
  • Integral-to-the-protocol data integrity and
    attribution are works-in-progress.

19
Directory Security: LDAP Security Features Illustrated
[Diagram: Legitimate Directory Service reached over the Network via LDAP]
20
Directory Security: Brief Intro to Directories and LDAP
[Diagram: protocol stack, top to bottom: Directory-based Application, LDAP, TLS, TCP]
21
Directory Security: Brief Intro to Directories and LDAP
[Diagram: protocol stack, top to bottom: Directory-based Application, TLS, SASL, LDAP, TCP]
22
Directory Security: Typical Security Features of Impls
  • Security Features typically found in LDAP Implementations
    • Simple password-based Authentication.
    • SSL on port 636 (aka LDAPS)
    • At least one impl does StartTLS on port 389.
    • Access control.
    • Configurability (e.g. Netscape's DS Plug-ins).

23
Directory Security: Typical Impl Security Features, cont'd
  • Important Notice
    • The LDAP protocol is NOT an authentication protocol in and of itself (IMHO).
    • One MAY use LDAP itself as an authentication protocol, but one needs to carefully consider what functionality it does and doesn't bring to your deployment when used in this manner.
  • Deployment configuration is critical
    • Many server-side knobs
      • e.g. requiring client authentication
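The "access control" feature on the previous slide and the "many server-side knobs" on this one are where a deployment's authorization decisions actually live, and the point of the earlier slide, that data security is not the same as access security, is easiest to see in a concrete rule set. The following is an added example, not code from the talk or from any directory server: a small evaluator for access-control directives whose syntax is modeled on a subset of the `access to <what> by <who> <level>` rules used by OpenLDAP's slapd (the talk names no particular server; the subset, the policy text and the example DNs are all constructed here). It shows the two behaviours a deployer most often gets wrong: the first matching rule and clause decide, and anything not explicitly granted is denied.

```python
"""Evaluate directory access control the way a server-side ACL does. The rule
syntax is modeled on a small subset of the 'access to <what> by <who> <level>'
directives of OpenLDAP's slapd; the policy, DNs and attributes are constructed
for this example and are not from the talk."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Access levels, weakest to strongest: granting a level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    attrs: set[str] | None            # None means the rule's <what> is "*" (everything)
    by: list[tuple[str, str]]         # (<who>, <level>) clauses in the order written


def parse_acl(text: str) -> list[Rule]:
    """Parse 'access to ...' blocks. Supported <what>: '*' or 'attrs=a,b'.
    Supported <who>: '*', 'anonymous', 'users', 'self', 'dn.exact="<dn>"' (DN without spaces)."""
    rules: list[Rule] = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        tokens = block.split()
        what, rest = tokens[0], tokens[1:]
        attrs = None if what == "*" else set(what[len("attrs="):].split(","))
        by: list[tuple[str, str]] = []
        i = 0
        while i < len(rest):
            if rest[i] != "by" or i + 2 >= len(rest):
                raise ValueError(f"malformed by-clause near {rest[i:]!r}")
            who, level = rest[i + 1], rest[i + 2]
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            by.append((who, level))
            i += 3
        rules.append(Rule(attrs, by))
    return rules


def _who_matches(who: str, requester: str | None, target: str) -> bool:
    # requester is the connection's authorization identity; None means anonymous.
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    if who.startswith("dn.exact="):
        wanted = who[len("dn.exact="):].strip('"')
        return requester is not None and requester.lower() == wanted.lower()
    raise ValueError(f"unsupported <who> {who!r}")


def check_access(rules: list[Rule], requester: str | None, target: str, attr: str, level: str) -> bool:
    """The first rule whose <what> covers attr applies; inside it the first matching
    'by' clause decides. No matching clause, or no applicable rule, means deny."""
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, granted in rule.by:
            if _who_matches(who, requester, target):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False
    return False


# Constructed policy: passwords may be used for authentication (a simple bind is
# evaluated while the connection is still anonymous), changed by their owner, and
# never read by anyone; everything else is readable by authenticated users only.
POLICY = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by users read
    by * none
"""
RULES = parse_acl(POLICY)

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed
BOB = "uid=bob,ou=people,dc=example,dc=com"       # constructed
ADMIN = "cn=admin,dc=example,dc=com"              # constructed

if __name__ == "__main__":
    for who, attr, lvl in [(None, "userPassword", "auth"), (None, "userPassword", "read"),
                           (BOB, "userPassword", "read"), (ALICE, "userPassword", "write"),
                           (None, "mail", "read"), (BOB, "mail", "read"), (BOB, "mail", "write")]:
        print(f"{(who or 'anonymous'):40} {attr:13} {lvl:6} -> {check_access(RULES, who, ALICE, attr, lvl)}")
```

Two things to notice when reading the output. Anonymous gets `auth` on `userPassword` and nothing more, which is exactly what a simple bind needs and exactly what an attacker enumerating the directory does not get; and an authenticated user who can read every other attribute of another entry still cannot read that entry's password, because the attribute-specific rule is matched first and its `by * none` clause stops evaluation. That separation between protecting the data itself and controlling who may reach it is the "data security != access security" distinction from slide 13.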

24
Directory Security: Example Directory Service Deployment(s)
[Diagram: Desktop Clients and other Clients, an Authentication Service, and an LDAP-based Directory Service, connected via LDAP]
25
Directory Security: Behind the Scenes (simplified)
[Diagram: Subjects' Desktop (browser), LDAP, TDS]
26
Directory Security: Security Case Study
  • Case Studies of Application of Security
  • See..
    • Access-Controlled White Pages at Stanford. RL Bob Morgan, University of Washington, March 1999.
    • http://staff.washington.edu/rlmorgan/talk/dir.ac.nac.1999.03/top.html
  • See also Refs [16..18].

27
Directory Security: Futures
  • Integral-to-the-protocol Data Integrity
  • Implementations of Start TLS protocol operation.
  • Implementations adhering to the Authentication Methods for LDAP requirements and recommendations.
  • Hopefully, implementations (in addition to Microsoft's Active Directory) utilizing Kerberos out-of-the-box.
  • Schema standardization and stabilization will continue.
  • You too can participate in the IETF process
    • I encourage deployers to invest in the process!

28
Directory Security: Acknowledgements
  • Harald Alvestrand, Gordon Good, Tim Howes, Paul
    Leach, RL Bob Morgan, Mark Smith, John Myers,
    Chris Newman, Mark Wahl, host of others.

29
Directory Security: References
  • This talk will be available at..
    • http://www.stanford.edu/people/hodges/talks/
  • Key References..
    • [1] Understanding and Deploying LDAP Directory Services. Tim Howes, Mark Smith, and Gordon Good. MacMillan Technical Publications, ISBN 1578700701.
      • See especially Chapter 11, Privacy and Security Design
    • [2] Authentication Methods for LDAP. M. Wahl, H. Alvestrand, J. Hodges, R. Morgan. INTERNET DRAFT, Work In Progress, June 1999. Available as draft-ietf-ldapext-authmeth-04.txt

30
Directory Security: References, cont'd
  • Selected References..
    • [3] Lightweight Directory Access Protocol (v3) Extension for Transport Layer Security. J. Hodges, R. Morgan, M. Wahl. INTERNET DRAFT, Work In Progress, June 1999.
    • [4] Digest Authentication as a SASL Mechanism. P. Leach, C. Newman. INTERNET DRAFT, Work In Progress, March 31, 1999.
    • [5] The Kerberos Network Authentication Service (V5). J. Kohl, C. Neuman. IETF Request For Comments RFC1510, September 1993.

31
Directory Security: References, cont'd
  • Selected References..
    • [6] Simple Authentication and Security Layer (SASL). J. Myers. IETF Request For Comments RFC2222, October 1997.
    • [7] The TLS Protocol Version 1.0. T. Dierks, C. Allen. IETF Request For Comments RFC2246, January 1999.

32
Directory Security: References, cont'd
  • [8] LDAP Core RFCs
    • Lightweight Directory Access Protocol (v3). M. Wahl, T. Howes, S. Kille. IETF Request For Comments RFC2251, December 1997.
    • Lightweight Directory Access Protocol (v3) Attribute Syntax Definitions. M. Wahl, A. Coulbeck, T. Howes, S. Kille. IETF Request For Comments RFC2252, December 1997.
    • Lightweight Directory Access Protocol (v3) UTF-8 String Representation of Distinguished Names. M. Wahl, S. Kille, T. Howes. IETF Request For Comments RFC2253, December 1997.
    • The String Representation of LDAP Search Filters. T. Howes. IETF Request For Comments RFC2254, December 1997.

33
Directory Security: References, cont'd
  • [8] LDAP Core RFCs, cont'd
    • The LDAP URL Format. T. Howes, M. Smith. IETF Request For Comments RFC2255, December 1997.
    • A Summary of the X.500(96) User Schema for use with LDAPv3. M. Wahl. IETF Request For Comments RFC2256, December 1997.
  • [9] IP Security Document Roadmap. R. Thayer, N. Doraswany, R. Glenn. IETF Request For Comments RFC2411, November 1998.
  • [10] Site Security Handbook. B. Fraser, Editor. IETF Request For Comments RFC2196, FYI8, September 1997.

34
Directory Security: References, cont'd
  • Security books, papers, etc.
    • [11] Applied Cryptography - Protocols, Algorithms, and Source Code in C (Second Edition). Bruce Schneier, John Wiley & Sons, Inc., 1996. ISBN 0471117099.
    • [12] Practical UNIX & Internet Security, 2nd Edition. Simson Garfinkel and Gene Spafford, O'Reilly & Associates, April 1996, ISBN 1-56592-148-8.
    • [13] Risk Management is Where the Money Is. Dan Geer, CertCo, November 1998.
    • [14] Web Security & Commerce. Simson Garfinkel with Gene Spafford, O'Reilly & Associates, June 1997, ISBN 1-56592-269-7.
    • [15] Why Cryptography Is Harder Than It Looks. Bruce Schneier, Counterpane Systems, 1996.

35
Directory Security: References, cont'd
  • [16] Stanford Registries & Directories pages..
    • http://www.stanford.edu/group/itss-ccs/project/registry/
    • http://www.stanford.edu/group/itss-ccs/project/registry/registries.html
    • http://www.stanford.edu/group/itss-ccs/project/sunetid/
    • http://www.stanford.edu/group/networking/directory/
    • http://www.stanford.edu/group/networking/directory/models/Word_Dir_Svcs_Model_10-29-98-edited-jdh/Word_Dir_Svcs_Model_10-29-98-edited-jdh.htm
  • [17] Project Horton
    • http://www.stanford.edu/group/itss-ccs/project/horton/
  • [18] SUNet ID
    • http://www.stanford.edu/group/itss-ccs/project/sunetid/