LDAP and Active Directory, I - PowerPoint PPT Presentation

1 / 26

About This Presentation

Title:

LDAP and Active Directory, I

Description:

Address Book ('White Pages Service') Organizational Chart ('Yellow Pages Service' ... white-pages information. X.509 certificate for PKI. Ref: Wanner talk ... – PowerPoint PPT presentation

Number of Views:458

Avg rating:3.0/5.0

Slides: 27

Provided by: cis55

Category:

more less

Transcript and Presenter's Notes

Title: LDAP and Active Directory, I

1

LDAP and Active Directory, I
CS436/636/736 Lecture
March 13, 2006

2
References, I

Active Directory, Allen and Lowe-Norris,
O'Reilly, 2/e, ISBN 0-596-00466-4
LDAP Programming with Java, Weltman and Dahlbura,
AW, ISBN 0-201-65758-9
Wikipedia
http//en.wikipedia.org/wiki/LDAP

3
References, II

Shipley presentation on Security (1999)
http//www.blackhat.com/presentations/bh-usa-99/Pe
terS/shipley-99.ppt
Kevin Wanner presentation on LDAP
Netscape Worldwide Professional Services
Developed For New York State Office for
Technology, March 17th, 199
http//www.oft.state.ny.us/ldap/LDAPOverview/index
.htm
Jason Heiss talk Kerberos and LDAP
http//www.ofb.net/jheiss/krbldap/kerberos_and_ld
ap.ppt
Openldap.org

4
Three related protocols

DNS IP, hostname and domain name lookup
LDAP v3 Authorization (and authentication)
Kerberos 5 Authentication

5
Why A Directory?

Paper directories out of date by the time
published. Need an online directory, but. . .
Every application needed and provided own
directory (N1 Directory Problem) -
synchronization problematic
International Telecommunications Union (ITU,
formerly CCITT) develops X.500 directory standard
But X.500 bloated, cumbersome, and lacking APIs
Ref Wanner talk

6
DAP, LDAP, X.500

X.500 directory model (OSI)
DAP is directory service for this
(heavy/impractical?)
LDAP is simplified strategy (used/practical)
LDAP comes from work at the University of
Michigan, including model implementations
UMICH refers people now to openldap.org
LDAP v3 tech spec defined in RFC 3377
Ref Wikipedia and others

7
Why LDAP?

Tim Howes at the University of Michigan developed
LDAP as a lightweight directory access protocol
to access X.500 directories.
LDAP has caught on independently of X.500 in the
Internet community adding standardized
Information Model (how the information looks)
APIs (how applications get the information)
Replication (how servers share information)
Access Control (who can see what information)

8
LDAP model

Distinguished names (DNs)
Collection of attributes that have a name
LDAP collects DNs as entries in its architecture
DN is unambigous
Attributes have defined names such as CN for
common name
Schemas control the entire process of LDAP
entries
Schemas can be extended dynamically
Ref Shipley 1999, and others

9
LDAP Provides

Unified sign on (one id and password for all
applications)
Single sign on (sign on to network once to use
all applications -- needs PKI)
PKI certificate repository
Address Book (White Pages Service)
Organizational Chart (Yellow Pages Service)
Access control and authentication for
applications
Ref Wanner talk

10
LDAP Information Management

Self
Users can update their own entries
Replication
Supplier servers which master the data can push
directory information to consumer servers
Synchronization
Directory information can be pulled from one
server (e.g., agency server) and push into
another (e.g., NYT server)
Servers can be LDAP to LDAP or Legacy to LDAP
Agents for this will be bundled in upcoming
Meta-Directory
Ref Wanner talk

11
Strengths/Limitations

LDAP is well suited for
Information that is referenced by many entities
and applications
Information that needs to be accessed from more
then one location
Roaming, e.g. by Road Warriors
Preference information for web portals
Information that is read more often than it is
written
LDAP is not well suited for
Information that changes often (it is not a
relational database)
Information that is unstructured (it is not a
file system)
Ref Wanner talk

12
Alphabet Soup

LDAP
Lightweight Directory Access Protocol
SASL
Simple Authentication and Security Layer
GSSAPI
Generic Security Services Application Programming
Interface
PAM
Pluggable Authentication Module
NSS
Name Service Switch
Ref J. Heiss Talk more in part II of this
presentation

13
Distinguished Names

Each object in the LDAP directory has a DN
uidjheiss,oupeople,dcexample,dccom
cnusers,ougroup,dcexample,dccom
Notice that the DNS name is example.com for the
domain
OU is organizational unit (key container privs)
Each domain subdomain could create a tree
structure in LDAP (engr.example.com,
sales.example.com, pre.engr.example.com,
support.engr.example.com, etc)

Ref J. Heiss Talk

14
Sample DIT

Branched by agency
Agencies in this example have branches
containing
Groups which contain people
People in the organization
Resources such as printers and conference rooms
Applications (where application specific info.
could be maintained)
Ref Wanner talk

15
Sample User Object

Objects contain attributes, e.g.,
uid (user ID)
cn (common name)
sn (surname)
mail (e-mail address)
Attributes can be multi-valued, e.g., givenname
of both James and Jim
This object contains
white-pages information
X.509 certificate for PKI
Ref Wanner talk

16
Directory Information Flows

Ref Wanner talk

17
OIDs / Priv Ent Nums / IANA.org

Entites have to register at IANA.org (or ANSI) to
have unique numbers for building LDAP schema
entries
IANA's root is 1.3.6.1.4.1
Microsoft uses 1.3.6.1.4.1.311
UAB uses 1.3.6.1.4.1.7341
www.iana.org/assignments/enterprise-numbers
Companies build hierarchies of their own control
under these root numbers

18
OUs

A key container concept in LDAP
Can hold things like sets of users or computers
Common organizational unit, container plus
security boundary
OU is used widely in LDAP and AD
Container abstraction is a subset of OU, used
less often
OU is a security boundary, can have group
policies (cf, Allen Lowe-Norris, p.19)

19
Schemas

LDAP uses schemas to define what attributes an
object can and must have
posixAccount object class corresponds to an entry
in a passwd file
posixGroup corresponds to a group
The same object can implement multiple object
classes
uidjheiss,oupeople,dcexample,dccom might be a
posixAccount, inetOrgPerson and pilotPerson

Ref J. Heiss Talk

20
Schema Examples

attributetype ( 0.9.2342.19200300.100.1.1
NAME ( 'uid' 'userid' )
DESC 'RFC1274 user identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15256 )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX
attributes'
MUST ( cn uid uidNumber gidNumber
homeDirectory )
MAY ( userPassword loginShell gecos
description ) )

Ref J. Heiss Talk

21
LDIF Example User

dn uidjheiss,oupeople,dcexample,dccom
objectClass person
objectClass inetOrgPerson
objectClass posixAccount
commonName Jason Heiss
mail jheiss_at_example.com
homePhone 111-222-3333
givenName Jason
surname Heiss
uid jheiss
userPassword KERBEROSjheiss_at_EXAMPLE.COM
loginShell /bin/bash
uidNumber 500
gidNumber 100
homeDirectory /home/jheiss

Ref J. Heiss Talk

22
LDIF Example Group

dn cnusers,ougroup,dcexample,dccom
cn users
objectClass posixGroup
userPassword crypt
gidNumber 100
memberUid jheiss
memberUid bob

Ref J. Heiss Talk

23
What is OpenLDAP?

Open Source LDAP v3 implementation
Slapd standalone server daemon
Slurpd replication daemon
Libraries including Java libraries
Included in major Unix distributions (such as
SuSE10.0)
Ref http//www.openldap.org/
Software version 2.3.20 as of today

24
What is Active Directory 2003?

Microsoft directory services
Uses LDAP
Uses Kerberos 5
Uses DNS (not WINS)
Scalable and available architecture
Extends significantly but does not replace common
X.500 schema elements

25
AD 2003

Replaces AD 2000
Provides upgrade paths from AD 2000 and Windows
NT4 Domain Controllers (PDCs)
Uses LDAP, DNS, and Kerboros 5 in combination to
manage servers, people, devices, etc in large
Windows environments
Compare pGina http//sourceforge.net/projects/pgi
na/

26
Summary