Internet infrastructure - PowerPoint PPT Presentation
1
Internet infrastructure
  • Prof. dr. ir. André Mariën

2
Lightweight Directory Access Protocol
3
LDAP
  • Introduction

4
Directory
  • Directory: a searchable information repository
  • The best known non-IT example is a telephone
    directory (the book)
  • Contains names, addresses, telephone numbers
  • Searchable by location and name
  • Electronic variants also allow searching by
    number, by partial matches, by ZIP code, ...

5
IT Directories
  • Network configuration
    • host-to-IP translation, user/password
      information, ...
  • User information
    • telephone, email, certificates, physical location
  • Security
    • authentication, authorization, SSO, PKI
  • Resources
    • calendar, room reservations

6
Increasing requirements
  • Consolidation of directories (the N+1 problem)
  • Centralized management
  • Consistency of information
  • Availability of information
  • Timeliness of information
  • Large data volumes

7
Implementations
  • Files
  • Dedicated services
    • DNS
    • DHCP
    • YP, NIS
  • On top of a DBMS

8
Example scenario (figure: an LDAP directory in the
centre, consulted by each of the following)
  • Network logon
  • Web server: client certificate (SSLv3)
  • Web server: authorization
  • Application server: personalization
9
LDAP: D for Directory
  • Directory standard: X.500 (ITU-T X.500, ISO/IEC 9594)
  • X.500 protocol: Directory Access Protocol (DAP)
  • Lightweight Directory Access Protocol, version 3
    (LDAPv3, RFC 2251; since revised as RFC 4510 to
    RFC 4519)
  • X.500 directory server: Directory System Agent
    (DSA)

10
LDAP models
  • Information model
    • the kinds of data that the directory can contain
  • Naming model
    • data structuring by name
  • Functional model
    • access (search, updates)
  • Security model
    • data protection measures

11
LDAP elements and structure
12
Directory Information Tree
  • The DIT is made up of entries (objects)
  • Naming context (definition from the LDAPv3 RFC):
    the largest collection of entries, starting at
    an entry that is mastered by a particular server,
    and including all its subordinates and their
    subordinates, down to the entries which are
    mastered by different servers

13
DIT graph (figure)
  • o=kuleuven.ac.be
    • ou=cs
      • l=200A
        • cn=André Mariën
  • DN of the leaf entry:
    cn=André Mariën,l=200A,ou=cs,o=kuleuven.ac.be
14
Objects
15
Objects
  • An LDAP directory is built from objects (entries)
  • Objects have names (a distinguished name)
  • Objects belong to at least one object class
  • Objects have attributes
  • Object classes, attribute types and syntaxes are
    identified by object identifiers (OIDs)

16
Example objects
  • People
  • Resources
  • Groups
  • Roles
  • Systems

17
Object Identifier
  • Representation: dotted decimal
  • OIDs are not intended for end-users
  • Universally unique
  • Example: the INTEGER syntax is
    1.3.6.1.4.1.1466.115.121.1.27
  • All LDAP syntax OIDs share the prefix
    1.3.6.1.4.1.1466.115.121.1 and differ only in
    the last arc

18
Official OIDs: IANA
  • Internet Assigned Numbers Authority (IANA)
  • http://www.iana.org/numbers.html

19
OID registration
  • Register a base OID 1.3.6.1.4.1.X (a Private
    Enterprise Number)
  • Prefix: iso.org.dod.internet.private.enterprise
    (1.3.6.1.4.1)
  • IBM 2, Sun 42, Nokia 94, Intel 343, CIA 743,
    Accenture 945, Bekaert 972, Tivoli 1598,
    Generale Bank 2049, Ubizen 4910, K.U.Leuven
    9678

20
Example of local structure
  • organization's base OID: 1.3.6.1.4.1.9678
  • SNMP: 1.3.6.1.4.1.9678.1
  • LDAP: 1.3.6.1.4.1.9678.2
    • attribute types: 1.3.6.1.4.1.9678.2.1
      • myattribute: 1.3.6.1.4.1.9678.2.1.4000
    • object classes: 1.3.6.1.4.1.9678.2.2
      • myobjectclass: 1.3.6.1.4.1.9678.2.2.314

21
Objects and Attributes
  • Objects have attributes
  • Attribute: one or more values of the attribute
    type
  • Order of attribute values
    • undefined and implementation-dependent
    • MUST NOT be relied upon

22
Object Naming: DN and RDN
  • Relative Distinguished Name (RDN)
    • One or more attribute values from the object
      form its relative distinguished name (RDN),
      which MUST be unique among all its siblings
  • Distinguished Name (DN)
    • The concatenation of the RDNs of the sequence
      of entries from a particular entry to an
      immediate subordinate of the root of the tree
      forms that entry's DN
    • A DN is unique in the tree

23
RDN (figure)
  • Level below the root: the RDN is formed from
    attributes A and B. Entry P has A=1, B=2, so its
    RDN is A=1+B=2 (a multi-valued RDN)
  • Level below P: the RDN is formed from attribute C.
    Entry Q has C=1, D=2 and a sibling has C=2, E=2,
    so Q's RDN is C=1
  • Level below Q: the RDN is formed from F and G.
    Entry R has F=1, G=1, H=3 and entry S has F=1,
    G=2, I=2, so their RDNs are F=1+G=1 and F=1+G=2
24
DN (figure, same tree as the RDN figure)
  • DN of P: A=1+B=2 (P sits directly below the root,
    so its DN is its RDN)
  • DN of Q: C=1,A=1+B=2
  • DN of R: F=1+G=1,C=1,A=1+B=2
  • DN of S: F=1+G=2,C=1,A=1+B=2
25
Attributes and Syntaxes
26
Attribute Type
  • The attribute type governs
    • whether there can be more than one value of an
      attribute of that type in an entry
    • the syntax to which the values must conform
    • the kinds of matching which can be performed on
      values of that attribute

27
Attribute Type Description
  • Identification: OID, NAME, DESC, OBSOLETE
  • Inheritance: SUP
  • Syntax: SYNTAX
  • Matching: EQUALITY, ORDERING, SUBSTR
  • Flags: SINGLE-VALUE, COLLECTIVE,
    NO-USER-MODIFICATION
  • Usage: USAGE

28
Attribute type usage
  • "userApplications" (the default)
  • "directoryOperation"
  • "distributedOperation" (DSA-shared)
  • "dSAOperation" (DSA-specific; the value depends
    on the server)

29
Attribute type constraint
  • An attribute type description must have either
    • "SUP" (inheritance), or
    • "SYNTAX" (a syntax definition)

30
Syntaxes: Escaping
  • In the string encoding of a syntax, escape a
    separator character (such as ', $ or #) if it
    occurs inside a value
  • Escape form: a backslash followed by a pair of
    hexadecimal digits
  • The backslash itself is encoded as '\5C' or '\5c'
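The DN string form of slides 22 to 24 and the backslash-hex escaping of slide 30 rely on the same mechanism, so one worked example covers both. This is an added example, not code from the slides or from any LDAP library: it composes a DN from its RDNs (in the RFC 4514 string form the pairs of a multi-valued RDN are joined with '+', where the figures used a comma), escapes the characters RFC 4514 reserves, parses a DN back into RDNs, and hex-escapes separators the way slide 30 describes. The DN cn=André Mariën,l=200A,ou=cs,o=kuleuven.ac.be is the one from the DIT slide; the postal-address string with its '$' separator is constructed sample input, and all function names are this example's own.

```python
"""DN string form (RFC 4514) and backslash-hex escaping (RFC 2252 section 4.3).
Added example; not from the slides."""
import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]          # one or more (attribute, value) pairs
HEX = string.hexdigits


def escape_hex(value: str, separators: str) -> str:
    """Slide 30: replace each separator character, and the backslash itself,
    by a backslash and two hex digits ('$' becomes '\\24', '\\' becomes '\\5C')."""
    return "".join("\\%02X" % ord(ch) if ch == "\\" or ch in separators else ch
                   for ch in value)


def unescape_hex(value: str) -> str:
    """Reverse backslash escaping. \\XX pairs are UTF-8 bytes; a backslash followed
    by a non-hex character (RFC 4514 style, e.g. '\\,') stands for that character."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.append(int(pair, 16))
                i += 3
                continue
            buf.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        buf.extend(value[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape , + " \\ < > ; anywhere, '#' at the start,
    a space at the start or end, and NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """The entry's own RDN comes first, then each ancestor up to (excluding) the root.
    Pairs of a multi-valued RDN are joined with '+', RDNs with ','."""
    return ",".join("+".join(f"{t}={escape_dn_value(v)}" for t, v in rdn) for rdn in rdns)


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, but never inside an escape sequence."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into a list of RDNs, each a list of (attribute, value)."""
    if dn == "":
        return []                      # the root DSE has the zero-length DN
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, val = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN component without '=': {ava!r}")
            pairs.append((attr.strip(), unescape_hex(val)))
        rdns.append(pairs)
    return rdns


def parent_dn(dn: str) -> str:
    """Drop the first RDN: the DN of the entry's superior (slide 22)."""
    return build_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    dn = "cn=André Mariën,l=200A,ou=cs,o=kuleuven.ac.be"
    print(parse_dn(dn), parent_dn(dn))
    print(escape_hex("123 Main St$Room 200A", "$"))   # constructed postal address
```

The parser splits on unescaped separators first and unescapes afterwards, which is the order that keeps an escaped comma or plus inside a value from being mistaken for an RDN boundary.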

31
Extensibility and Interoperability
  • Other syntaxes are allowed
  • Defining additional arbitrary syntaxes is
    strongly deprecated
    • client and server implementations do not
      dynamically recognize new syntaxes
  • In most cases attributes will be defined with the
    syntax for directory strings

32
Object Classes
33
The objectClass attribute
  • An object must belong to at least one object class
  • An object must have an objectClass attribute
  • Its values: the object classes with which the
    entry complies
  • The object classes determine the possible
    attributes of the object
    • mandatory: the union of all mandatory attributes
    • optional: the union of all optional attributes,
      minus the mandatory ones

34
objectClass attribute (figure)
  • Object class oc is defined with MUST att1,
    MUST att2 and MAY att3
  • An entry with objectClass=oc holds att1=v1,
    att2=v2 and the multi-valued att3 with values
    v3 and v4
35
Object Classes
  • The format for representing object classes comes
    from X.501
  • Kinds of classes
    • abstract object class ("top" or "alias"):
      similar to a Java abstract class
    • structural object class: the normal classes
    • auxiliary object class: similar to interfaces
      in Java

36
Object Class BNF
  • ObjectClassDescription = "(" numericoid
  •   [ "NAME" qdescrs ] [ "DESC" qdstring ]
  •   [ "OBSOLETE" ]
  •   [ "SUP" oids ]
  •   [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) ]
  •   [ "MUST" oids ] [ "MAY" oids ]
  •   ")"

37
Attribute inheritance
  • Every object class has a superclass (SUP)
  • top is the base object class
  • Inheritance: if object class o has superclass s,
    then
    • all attributes of o and those implied by s are
      possible attributes of an entry of class o
    • any mandatory attributes of o or implied by s
      must be present

38
Inheritance (figure)
  • Object class sup is defined with MUST att2 and
    MAY att3
  • Object class oc is defined with SUP sup and
    MUST att1
  • An entry with objectClass=oc therefore holds
    att1=v1, att2=v2 and att3 with values v3 and v4
39
Special Object Class: extensibleObject
  • If present in an entry, permits that entry to
    optionally hold any attribute
  • Mandatory attributes of the entry's other object
    classes are still required to be present
  • Servers which do not support extensibleObject
    will reject requests
    • to add entries which contain this object class
    • to modify an entry to add this object class
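An added example, not code from the slides, that parses object class and attribute type descriptions written in the BNF of slides 27 and 36 and then applies the rules of slides 33, 37 and 39 to an entry: mandatory attributes are the union of MUST over each class and all of its superclasses, optional attributes are the union of MAY minus the mandatory ones, and extensibleObject lifts only the MAY restriction. The schema definitions are the real ones from RFC 4512 and RFC 4519 (organizationalPerson's MAY list is shortened here); the entries that get checked are constructed, and all function names are this example's own.

```python
"""Parse LDAP schema descriptions (RFC 2252 / RFC 4512 BNF) and check an entry
against its object classes. Added example; not from the slides."""
import re
from typing import Dict, List, Set, Tuple

_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
_KINDS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY"}
_FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
_LIST_KEYS = {"NAME", "SUP", "MUST", "MAY"}     # a single oid/qdescr or ( a $ b )


def parse_description(desc: str) -> Dict:
    """Turn '( oid NAME ... MUST ( a $ b ) ... )' into a dict. The same grammar shape
    serves ObjectClassDescription and AttributeTypeDescription."""
    toks = _TOKEN.findall(desc)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be '( numericoid ... )'")
    result: Dict = {"oid": toks[1], "flags": set()}
    i = 2
    while i < len(toks) - 1:
        key = toks[i]
        i += 1
        if key in _KINDS:
            result["kind"] = key
            continue
        if key in _FLAGS:
            result["flags"].add(key)
            continue
        if toks[i] == ")":
            raise ValueError(f"keyword {key} has no value")
        if toks[i] == "(":                         # oid/qdescr list; these never nest
            end = toks.index(")", i)
            items = [t for t in toks[i + 1:end] if t != "$"]
            i = end + 1
        else:
            items = [toks[i]]
            i += 1
        items = [t.strip("'") for t in items]
        result[key] = items if key in _LIST_KEYS or key.startswith("X-") else items[0]
    return result


def index_classes(descriptions: List[str]) -> Dict[str, Dict]:
    """Map every NAME of an object class (case-insensitively) to its parsed description."""
    classes: Dict[str, Dict] = {}
    for desc in descriptions:
        parsed = parse_description(desc)
        for name in parsed.get("NAME", []):
            classes[name.lower()] = parsed
    return classes


def superclass_chain(name: str, classes: Dict[str, Dict]) -> List[str]:
    """The class itself plus everything reachable through SUP (slide 37)."""
    seen: List[str] = []
    todo = [name.lower()]
    while todo:
        c = todo.pop()
        if c in seen:
            continue
        seen.append(c)
        todo.extend(s.lower() for s in classes[c].get("SUP", []))
    return seen


def allowed_attributes(object_classes: List[str], classes: Dict[str, Dict]) -> Tuple[Set[str], Set[str]]:
    """mandatory = union of all MUST; optional = union of all MAY minus mandatory (slide 33)."""
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in object_classes:
        for c in superclass_chain(oc, classes):
            must |= {a.lower() for a in classes[c].get("MUST", [])}
            may |= {a.lower() for a in classes[c].get("MAY", [])}
    return must, may - must


def validate_entry(entry: Dict[str, List[str]], classes: Dict[str, Dict]) -> List[str]:
    """Return the schema violations of an entry given as {attribute: [values]}."""
    ocs = entry.get("objectClass", [])
    if not ocs:
        return ["entry has no objectClass attribute"]
    must, may = allowed_attributes(ocs, classes)
    present = {a.lower() for a in entry}
    problems = [f"missing mandatory attribute {a}" for a in sorted(must - present)]
    # extensibleObject (slide 39) lifts the MAY restriction, never the MUST one
    if "extensibleobject" not in {oc.lower() for oc in ocs}:
        problems += [f"attribute {a} not allowed by object classes"
                     for a in sorted(present - must - may)]
    return problems


# Definitions from RFC 4512 / RFC 4519; organizationalPerson's MAY list is shortened.
SCHEMA = index_classes([
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )",
    "( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top AUXILIARY )",
])

if __name__ == "__main__":
    print(parse_description("( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )"))
    print(validate_entry({"objectClass": ["person"], "cn": ["André Mariën"]}, SCHEMA))
```

The same parser reads the operational attribute types of slides 40 and 41, whose descriptions carry SINGLE-VALUE, NO-USER-MODIFICATION and USAGE directoryOperation; those land in the `flags` set and the `USAGE` key.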

40
Operational Attributes
  • Used by servers for administering the directory
    system itself
  • Not returned in search results unless explicitly
    requested by name
  • Maintained automatically by the server
  • Not modifiable by clients (flagged
    NO-USER-MODIFICATION)

41
Operational Attributes audit
  • creatorsName
  • the DN of the user who added this entry to the
    directory.
  • createTimestamp
  • the time this entry was added to the directory.
  • modifiersName
  • the DN of the user who last modified this entry.
  • modifyTimestamp
  • the time this entry was last modified.

42
Directory Schema
43
Schema
  • The schema is the collection of
    • attribute type definitions
    • object class definitions
  • It determines
    • how to match a filter or attribute value
      assertion (in a compare operation) against the
      attributes of an entry
    • which add and modify operations are permitted

44
Operational Attribute: subschemaSubentry
  • subschemaSubentry: the DN of the subschema entry
    which controls the schema for this entry
  • Allows reflection
  • Enables more dynamic usage
  • Simplifies extension support

45
Subschema Entries
  • Used for administering information about the
    directory schema
  • object classes
  • attribute types
  • A single subschema entry contains all schema
    definitions used by entries in a particular part
    of the directory tree.

46
Object Class Subschema
  • Used in the subschema entry
  • BNF
  • ( 2.5.20.1 NAME 'subschema' AUXILIARY
  •   MAY ( dITStructureRules $ nameForms $
  •         dITContentRules $ objectClasses $
  •         attributeTypes $ matchingRules $
  •         matchingRuleUse ) )

47
Subschema Attributes: mandatory
  • must be present
    • cn, to form the RDN of the subschema entry
    • objectClass: at least "top" and "subschema"
    • objectClasses: all used classes
    • attributeTypes: all used types

48
Subschema Attributes: optional
  • may be present
    • matchingRules, matchingRuleUse,
      dITStructureRules, dITContentRules, nameForms
      and ldapSyntaxes

49
Server-specific Data Requirements
  • An LDAP server MUST provide information about
    itself and other information that is specific to
    each server
  • This information is represented as a group of
    attributes
    • located in the root DSE (DSA-Specific Entry)
    • named with the zero-length LDAP DN
    • retrievable with a base object search of the
      root with filter "(objectClass=*)"
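The presence filter (objectClass=*) used for the root DSE search is the simplest instance of the RFC 4515 filter syntax. When an application builds a search filter from user input, that same syntax becomes an injection vector: an unescaped '*' turns an equality test into a wildcard and an unescaped ')' breaks out of the assertion. The added example below is not code from the slides; the filter evaluator and the two-entry directory are constructed so that it runs offline, only presence, equality/substring, &, | and ! items are implemented, and the function names are this example's own.

```python
"""RFC 4515 search filters: escaping user input, plus an in-memory evaluator that
shows what an unescaped value does. Added example; not from the slides."""
import re
from typing import Dict, List, Tuple

ROOT_DSE_FILTER = "(objectClass=*)"      # presence filter: base search of the root DSE

# Constructed sample directory: (dn, attributes keyed by lower-cased name).
DIRECTORY: List[Tuple[str, Dict[str, List[str]]]] = [
    ("uid=alice,ou=people,dc=example,dc=com",
     {"objectclass": ["top", "person"], "uid": ["alice"], "cn": ["Alice Example"]}),
    ("uid=bob,ou=people,dc=example,dc=com",
     {"objectclass": ["top", "person"], "uid": ["bob"], "cn": ["Bob Example"]}),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL inside a value become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unsafe_uid_filter(uid: str) -> str:
    return f"(uid={uid})"                # plain concatenation: injectable


def safe_uid_filter(uid: str) -> str:
    return f"(uid={escape_filter_value(uid)})"


def _parse(s: str, i: int):
    """Parse one parenthesised filter item at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids:
            raise ValueError("malformed compound filter")
        return (op, kids), i + 1
    end = s.index(")", i)     # a ')' inside a value must be escaped, so this one closes the item
    attr, eq, val = s[i:end].partition("=")
    if not eq:
        raise ValueError("unsupported filter item")
    return ("=", attr.strip().lower(), val), end + 1


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _eval(node, attrs: Dict[str, List[str]]) -> bool:
    op = node[0]
    if op == "&":
        return all(_eval(k, attrs) for k in node[1])
    if op == "|":
        return any(_eval(k, attrs) for k in node[1])
    if op == "!":
        return not _eval(node[1][0], attrs)
    _, attr, val = node
    values = [v.lower() for v in attrs.get(attr, [])]   # caseIgnoreMatch, simplified
    if val == "*":
        return bool(values)                              # presence item
    # Unescaped '*' are wildcards; escaped characters become literal only after the split.
    parts = [re.escape(_unescape(p).lower()) for p in val.split("*")]
    return any(re.fullmatch(".*".join(parts), v) for v in values)


def matches(filter_str: str, attrs: Dict[str, List[str]]) -> bool:
    """True if the filter matches an entry with these attributes; ValueError if malformed."""
    try:
        node, pos = _parse(filter_str, 0)
    except IndexError as exc:
        raise ValueError("truncated filter") from exc
    if pos != len(filter_str):
        raise ValueError("trailing characters after filter")   # strict; a lax server might not be
    return _eval(node, attrs)


def is_well_formed(filter_str: str) -> bool:
    try:
        matches(filter_str, {})
        return True
    except ValueError:
        return False


def search(filter_str: str, directory=DIRECTORY) -> List[str]:
    """Return the DNs of every entry the filter matches."""
    return [dn for dn, attrs in directory if matches(filter_str, attrs)]


if __name__ == "__main__":
    print(search(unsafe_uid_filter("*")))   # every entry: the '*' became a presence test
    print(search(safe_uid_filter("*")))     # nothing: the filter looks for a literal '*'
```

The strict trailing-characters check is the evaluator's own choice; the practical lesson is that the application must not depend on the server rejecting a mangled filter, and should escape every value it interpolates.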

50
Attributes of the root DSE
  • namingContexts: naming contexts held in the
    server
  • subschemaSubentry: subschema entries (or
    subentries) known by this server
  • altServer: alternative servers, in case this one
    is later unavailable
  • supportedExtension: list of supported extended
    operations

51
Attributes of the root DSE (cont.)
  • supportedControl: list of supported controls
  • supportedSASLMechanisms: list of supported SASL
    security features
  • supportedLDAPVersion: LDAP versions implemented
    by the server

52
subschemaSubentry
  • Not present in the root DSE if the server does not
    • master any entries, or
    • know the location of schema information
  • Otherwise: any number of values of the
    subschemaSubentry attribute

53
Overview (figure)
  • Directory Schema: subschema rules and subschema
    areas determine the object classes, attribute
    types and syntax rules
  • DIT: entries use object classes; attributes (part
    of entries) use attribute types; values (part of
    attributes) follow syntax rules