LDAP Directory Services: - PowerPoint PPT Presentation

About This Presentation
Title:

LDAP Directory Services:

Description:

LDAP Directory Services: Security Directory Security Overview Brief Review of Directories and LDAP Brief Review of Security Basic Security Concepts Security as ... – PowerPoint PPT presentation

Number of Views:43
Avg rating:3.0/5.0
Slides: 28
Provided by: bestitdoc
Category:

less

Transcript and Presenter's Notes

Title: LDAP Directory Services:


1
LDAP Directory Services
Security
2
Directory Security Overview
  • Brief Review of Directories and LDAP
  • Brief Review of Security
  • Basic Security Concepts
  • Security as Applied to Directories
  • Threats
  • LDAP Protocol Security Features
  • Typically Implemented Security Features
  • Futures
  • References

3
Brief Review of Directories LDAP
Directory Information Tree (DIT)
Network
LDAP
Directory Database
Directory Service
4
Brief Review of Directories LDAP
  • What directories are
  • Object repositories
  • Typically read more than written
  • Have explicit access protocols
  • Support relatively complex queries
  • What directories are not
  • RDBMSs
  • Lack notions of..
  • Tabular views
  • JOIN operations
  • Stored Procedures

5
Brief Review of Directories LDAP
Directory-based Application
LDAP
TCP
IP
Ethernet,
Cable,
Wireless, whatever.
  • Obligatory, overly-simplified, Protocol Stack
    Diagram

6
Brief Review of Security
  • Notion of Security for a network protocol is
    comprised of (at least) these axes..
  • Identity Authentication
  • Who are you and who says so?
  • Confidentiality
  • Tough petunias to eavesdroppers.
  • Integrity
  • Did anyone muck with this data?
  • Authorization
  • Yes, you can do that, but no, you cant do that
    other thing.

7
Basic Security Concepts
  • Notions...
  • The notion of Identity
  • Of Names and Identifiers
  • Authentication Identity
  • Authorization Identity
  • Anonymity

8
Basic Security Concepts
Overall Namespace
Names
Identifiers
9
Basic Security Concepts
  • The applicable science technology of
    implementation...
  • Ciphers
  • Encryption
  • Integrity
  • AKA Cryptography 11

10
Basic Security Concepts, contd
11
Basic Security Concepts, contd
12
Basic Security Concepts, contd
13
Security as Applied to Directories
  • One needs to separately consider each of the four
    security axes in the context of anticipated
    threats.
  • Also need to consider security from the
    perspectives of..
  • the info stored in the directory, and..
  • attributes of the requesters.
  • E.g. how much you trust them.
  • Note that..
  • data security ! access security

14
Example Deployment Scenarios
15
Directory Security Threats
Legitimate Directory Service
2
, 3
, 7.
LDAP
Network
, 5
, 6.
Directory Database
1.
16
Threats, contd
Network
Directory Service Host(s)
Directory Database
17
LDAP Protocol Security Features
  • Formal notions of..
  • Authentication Identifiers 7, and..
  • Authorization Identifiers 7
  • Leverages several security mechanisms..
  • Simple passwords 2, 8
  • SASL 6
  • Kerberos 2
  • Digest 4
  • SSL/TLS 7
  • effectively is a session layer
  • The above may be used in various combinations
    together.

18
LDAP Protocol Security Features
  • Integral-to-the-protocol data integrity and
    attribution are works-in-progress.

19
LDAP Security Features Illustrated
Legitimate Directory Service
Network
LDAP
20
Brief Intro to Directories and LDAP
Directory-based Application
LDAP
TLS
TCP
21
Brief Intro to Directories and LDAP
Directory-based Application
TLS
SASL
LDAP
TCP
22
Typical Security Features of Impls
  • Security Features typically found in LDAP
    Implementations
  • Simple password-based Authentication.
  • SSL on port 636 (aka LDAPS)
  • At least one impl does StartTLS on port 389.
  • Access control.
  • Configurability (e.g. Netscapes DS Plug-ins).

23
Typical Impl Security Features, contd
  • Important Notice
  • The LDAP protocol is NOT an authentication
    protocol in and of itself (IMHO).
  • One MAY use LDAP itself as an authentication
    protocol, but one needs to carefully consider
    what functionality it does and doesnt bring to
    your deployment when used in this manner.
  • Deployment configuration is critical
  • Many server-side knobs
  • e.g. requiring client authentication

24
Example Directory Service Deployment(s)
Authentication Service
Desktop Clients
Desktop Clients
Clients
LDAP
LDAP-based Directory Service
25
Behind the Scenes (simplified)
LDAP
SubjectsDesktop(browser)
TDS
26
Security Case Study
  • Case Studies of Application of Security
  • See..
  • Access-Controlled White Pages at Stanford. RL
    Bob Morgan, University of Washington, March
    1999.
  • http//staff.washington.edu/rlmorgan/talk/dir.ac.n
    ac.1999.03/top.html
  • See also Refs 16..18.

27
Futures
  • Integral-to-the-protocol Data Integrity
  • Implementations of Start TLS protocol operation.
  • Implementations adhering to the Authentication
    Methods for LDAP requirements and
    recommendations.
  • Hopefully, implementations (in addition to
    Microsofts Active Directory) utilizing Kerberos
    out-of-the-box.
  • Schema standardization and stabilization will
    continue.
  • you too can participate in IETF process
  • I encourage deployers to invest in the process!
Write a Comment
User Comments (0)
About PowerShow.com