Title: Lightweight Directory Access Protocol LDAP
1Lightweight Directory Access ProtocolLDAP
- Useful site/reference books for LDAP
- http//www.openldap.org
- Understanding and Deploying LDAP Directory
Services, Tim Howes - LDAP System Administration, Gerald Carter
- LDAP is an open, vendor-independent network
protocol for accessing directory services.
"lightweight" protocol is efficient and easy to
use. - LDAP enables central management of users, groups,
devices and data, helps reduce the number of
distinct, application-specific directories,
hence, eases the administration works.
2LDAP
- LDAP defines a message protocol used by directory
clients and directory servers. The LDAP protocol
uses different messages. For example, a bind
request may be sent from the client to the LDAP
server at the beginning of a connection. A search
request is used to search for entry/entries in
the directory. - LDAP defines a standard method for accessing and
updating information in a directory. - LDAP defines a communication protocol it defines
the transport and format of messages used by a
client to access data in a directory. - LDAP does not define the directory service itself.
3LDAP Standards
- LDAP and X.500
- X.500 is an overall model for directory service.
The Directory Access Protocol (DAP) of X.500 is a
"heavyweight" protocol that operates over a full
OSI protocol stack and requires a significant
amount of computing resources. - LDAP was originally developed as a front end for
accessing X.500 directory service. LDAP is a
lightweight protocol that runs directly over
TCP/IP (port 389) and efficiently provides most
of the functionality of DAP for Internet access. - LDAP standards RFC1777, 2251, 3377, 4510-4519,
etc. - LDAP V3 extended LDAP V2 in various areas such
as - Referrals and Continuations A server that does
not store the requested data can refer the client
to another server. - Simple Authentication and Security Layer (SASL).
- Internationalization with Unicode.
- Schema directory, extended operations, controls,
etc.
4LDAP applications
- Enterprises with distributed computer systems can
use online directories for fast searches,
cost-effective management of users and security,
and a central integration point for multiple
applications and services. - Email system may use LDAP to look up addresses.
LDAP can be used as a central authentication
server. LDAP is used by many commercial
directory systems. - LDAP is useful for storing information that would
be read from many locations, but updated
infrequently. Typical information include email
addresses, phone numbers, staff/customer/student
data, etc.
5Directory Systems
- Directory systems such as Novell eDirectory,
Microsoft Active Directory and OpenLDAP, help
administrators to manage systems and network
resources. - A directory system is like a database but there
are differences, for examples, - Read-to-write ratio of directories are much
higher. - The scale of data distribution in directory
systems are much higher. - Data synchronization (between replicas) in
directory systems may be less stringent. - Types of directory systems NOS based (e.g.
Windows AD), application specific (e.g. Lotus
Notes), open standard (e.g. OpenLDAP), global
directory (e.g. DNS), etc.
6Directory for managing resources
- Directory lets organizations store information in
a hierarchical, object-oriented fashion.
Directory uses objects (entries) to represent
network resources such as users, groups,
machines, devices, and applications. - Directory uses containers to represent
organizations or collections of related objects.
Directory manages the relationships among objects
and containers to provide a single, centralized,
comprehensive view. - This makes resources easier to find, manage, and
use in a highly distributed network. - By grouping related users and network resources
objects in containers, administrators can easily
apply different settings (such as access
permissions) to different groups. - Directory also lets administrators delegate
specific administrative privileges and tasks to
individual users.
7LDAP Four Models
- Four models for the use of directory services
- LDAP Information model defines the kind of data
in the directory - LDAP Naming model defines the organization and
reference to the directory data - LDAP Functional model defines the way to access
and update the data - LDAP Security model defines the way to protect
data from unauthorized access
8LDAP Information Model
- LDAP information model defines the types of data
and basic units of information that can be stored
in the directory. - The basic unit of information is the entry, a
collection of information (attributes) about an
object. Often, information in an entry describes
a real-world object such as people, departments,
servers, printers, etc.. - A set of attributes is stored in an entry.
- Each attribute has a type and one or more values.
- The type describes the kind of information
contained. - The value contains the actual data.
- Each entry contains information describing what
it is or, to which object class it belongs
called objectClass.
9Relationship between Entries and Attributes
10Attributes
- Each directory entry contains a collection of
attribute types and values. Attributes hold
specific data element such as a name and a phone
number. - cn common name
- sn surname
11LDAP Naming Model
- LDAP naming model defines how to organize and
refer data, i.e. how to refer to any particular
directory entry within the directory structure.
The design of a naming model is important for
unique and unambiguous reference to an entry. - A naming model is also referred to as Namespace
and Directory Information Tree (DIT).
dccsa-snm dccom
ouServers
ouPeople
cnSales web server
ouSales
cnJohn Chan
12LDAP Naming Model
- LDAP naming model specifies that entries are
arranged in an inverted tree structure. LDAP
names are backward relative to file system names
- Every node (entry/object) in an LDAP directory
contains data (attributes). - Some nodes can "contain" other nodes.
Organizational Unit (OU) is an example of objects
that can "contain" other objects.
dccsa-snm dccom
ouSales
ouEngineering
cnJohn Chan
cnKen Wong
13LDAP Naming Model DN and RDN
- LDAP directory namespace is hierarchical, it has
the concept of fully-qualified names called
Distinguished Names (DNs). - Each entry has a unique DN, such as,
- cnJohn Chan, ouEngineering, dccsa-snm,
dccom. - The DN of an entry helps identify the location of
the entry in the directory tree. - In any entrys DN, the leftmost component is
called the Relative Distinguished Name (RDN),
e.g. cnJohn Chan - RDN of an entry must be unique among all its
siblings. - Alias entry an entry pointing to another entry.
14LDAP Functional Model
- The Functional model describes operations that
can be performed. - Three groups of operations are defined in the
functional model - Interrogation operations - searching the
directory and retrieve of data - Update operations - add, delete, rename and
modify entries - Authentication and control operations - identify
clients, controls in a session. - In addition to the above operations, version 3 of
the LDAP protocol defines the way to add extended
operation.
15LDAP Functional Model
- Two interrogation operations search operation
and compare operation. - Search operation is for searching the directory
for entries and retrieve individual directory
entries. - Compare operation clients submits a compare
request with a DN, an attribute name, and a
value. The server returns positive or negative
(true or false boolean) answer. - Authentication and control operations
- Bind - a client authenticates itself to the
directory. - Unbind - to terminate a connection and all
operations. - Abandon - client issue an abandon request, with a
message ID, to indicate which operation
previously requested is no longer needed.
16LDAP Search Operation
- Used to search for entries and retrieve them
- An LDAP search may takes eight parameters
including - DN of base object for search
- search scope
- search filter
- list of attributes to return
- Other parameters alias, size, time, boolean
17LDAP Search Operation Search Scope
- A Sub-tree search scope covers the entire subtree
from the search base. - A One-level search scope covers the immediate
next level from the search base. - A Base search scope covers the search base only.
18LDAP Filters
- A standard method for selecting relevant entries
in a LDAP search operation. Detailed
specifications are given in RFC 2254, 2251. - Each filter is enclosed in parentheses. To
combine filters, use or .
present attr "" substring attr ""
initial any final initial value any ""
( value "") final value attr
AttributeDescription from Section 4.1.5 of
RFC2251 value AttributeValue from Section
4.1.6 of RFC 2251
filter "(" filtercomp ")" filtercomp and / or
/ not / item and "" filterlist or ""
filterlist not "!" filter filterlist 1
filter item simple / present / substring simple
attr filtertype value filtertype equal /
approx / greater / less equal "" approx
"" greater "gt" less "lt"
19LDAP Filter - example
- Return all entries in the scope of the search
with attribute cn having the value "Albert" - (cn Albert)
- Return all entries in the scope of the search
which do not have the attribute cn with the value
"Albert" - (!(cn Albert))
- Return all entries in the scope of the search
which have the attribute matching a combination
of multiple filters, for example, - (( snChan)((cnAlbert)(cnJohn)))
20LDAP Add and Delete Operations
- Creates a new entry with
- The DN of new entry, and
- A list of attributes and their values to put in
the new entry - Requirement
- parent of new entry exists
- no entry of same name exists in that parent
- new entry matches requirements of schemas
- access control allows operation
- Deletes an entry
- Takes DN of entry to delete
- Requirement
- entry exists
- entry has no child objects
- access control allows operation
21LDAP Modify Operation
- Allows updating existing entry
- Can add, delete or replace attributes
- Can modify many attributes in one modify
operation - Requirement
- entry exists
- all attribute modifications must succeed
- resulting entry obeys schemas
- access control permits modification
22LDAP Rename and Move Operations
- Rename an entry
- Parameters the DN and the new RDN of entry
- Requirement
- entry exists
- new name not already used by other entry
- access control allows operation
- Moving an entry to a new parent entry
- Parameters the DN of the entry, DN of the new
parent entry - Requirement
- the new parent entry exists
- no entry in the new parent has the same RDN
- access control allows operation
23LDAP Bind Operation
- Authenticates client to the directory
- Three bind types
- Simple bind
- send DN and password in clear text to server
- Need to use TLS to encrypt communication in this
case - Simple Authentication and Security Layer (SASL)
bind - A standard protocol independent way of
negotiating and performing authentication - Anonymous bind
- No (empty) DN and password
- Client can bind, perform operations, bind again,
and perform other operations
24OpenLDAP utilities
- The utility ldapsearch is used to query a
directory, for example, - ldapsearch x h ldap.csa-snm.com b
"dccsa-snm,dccom" "((ousales)(acTypestaff))" - Common parameters/options for ldapsearch
- -x use simple authentication instead of SASL
- -h specify hostname of LDAP server
- -b specify the DN of the search base
- -s specify the search scope, options are base,
one and sub - -D specify a DN to bind with
- -w specify a password (use W for interactive
prompt) - Other utilities of OpenLDAP
- ldapmodify, ldapdelete, ldapadd, ldapmodrdn
(rename RDN), ldapcompare, ldappasswd - slapadd, slapcat, slapindex, slappasswd
25LDAP Security Model
- LDAP security model protects the information in
the directory from unauthorized access. With
anonymous bind, the server does not know who the
client is, hence, limited (or none) privileges
will be provided. - Apart from simple binding, LDAP also supports
(LDAPv3) Secure Socket Layer SSL, Transport Layer
Security TLS and Simple Authentication and
Security Layer SASL. - Similar to the use of HTTPS (Hypertext Transfer
Protocol over SSL) for secure web access, LDAP
over SSL (LDAPS) allows secure LDAP client access
and client authentication (uses port 636). - For secure directory data (queries/search and
results) transmission between LDAP server and
clients, LDAPv3 can use TLS encryption to prevent
eavesdropping on the Internet.
26Directory Security
- Securing an LDAP directory
- Authentication - checking the identification, two
parties (user server) involved with a third
party of mutual trust. - Authorization assign access rights to someone,
and requiring certain rights to access resources
or perform actions on resources. Different
levels of access (read, write, etc.) to different
resources may be assigned to different users. - Encryption transmitting or storing data
securely so it is kept private.
27Directory Schema
- A directory schema is a set of rules that
determines what data can be stored in a
directory. Schema determines the allowed object
classes and attributes. LDAP schema formats
ASN.1, U of Michigan, LDAPv3. - A directory schema also determines how directory
servers and clients should treat information
during directory operations such as a search.
Before a directory server stores a new or
modified entry, it checks the entrys contents
against the schema rules. Whenever directory
clients or servers compare two attribute values,
they consult the schema to determine what
comparison algorithm to use. - Schemas can be used to impose constraints on the
size, range, and format of data values stored in
the directory. - There is only one namespace for attributes the
definition of an attribute, such as cn, is the
same for all Object Classes that support that
attribute.
28Directory Schema
- Sets of rules that describes what kind of data is
stored. - Determines rules that entries must follow.
- Reduces duplication of data
- Specifies details of object classes such as
required attributes and allowed attributes. - Specifies details of attributes such as how to
compare, data type, range/size, etc. - Schema consists of Attribute Types, Attribute
Syntaxes and Object Classes. - Example of schema core.schema of openLDAP
29Object Classes
- Object classes are defined in LDAP Schema.
- Object classes are used to group related
information. An object class models some
real-world object such as a person, printer, or
network device. - An object class defines what attributes must, or
may be present in an entry - For example, an object class called person that
hold information about peoples requires that a
name be present in the entry, and allows a number
of optional attributes to be included, such as
age, sex, telephone, etc.
30Object Classes
- An object class includes the following
information - A name that uniquely identifies the class, such
as person - An Object ID (OID) that also uniquely identifies
the class - A set of mandatory attribute types.
- A set of allowed attribute types, could be quite
long. - A kind (or type) structural, auxiliary or
abstract. - Multiple object classes
- An entry can be one type of structural object
class and can also be several types of auxiliary
object classes. - An entry cannot be two different types of
structural object classes (e.g. an entry cannot
be a person as well as a device)
31Kind/type of Object Class
- Structural object classes represent real-world
objects. Most object classes are structural
classes. Each entry should belong to exactly one
structural object class. Classes of this type can
be instantiated into objects. Example person - Auxiliary object classes are used to add a set of
attributes to an entry that already belongs to a
structural class classes of this type provide
attributes that extend a structural class.
Classes of this type cannot be used on their own.
Example dcObject - Abstract object classes are used only for classes
needed to support LDAPs basic information model.
Classes of this type provide attributes that
flow through the hierarchy, for example, the
abstract object class top ensures that all
classes derived from it contain the attribute
objectClass. Abstract object classes cannot be
instantiated into object.
32Example of Object Class
- Here is the definition for the object class
person - objectclass ( 2.5.6.6 NAME 'person'
- SUP top STRUCTURAL
- MUST ( sn cn )
- MAY ( userPassword telephoneNumber
- seeAlso description ) )
- This says a person entry must contain
- a surname (sn) and
- common name (cn),
- and may contain a userPassword, a
telephoneNumber, a description, and a reference
to another LDAP entry.
33Object Class inheritance
- Object class inheritance is also referred as
subclassing. With subclassing, one object class
can be derived from another, and inherits the
characteristics. - For example, the object class inetOrgPerson
extends the object class organizationalPerson and
includes additional attribute types. - Therefore, inetOrgPerson entries must have all
the "required" attributes defined in the object
class organizationalPerson. Also, inetOrgPerson
entries are allowed to include any of the
"optional" attributes of the object class
organizationalPerson.
34Object Class Definitions for top and organization
- Objectclass top
- (2.5.6.0
- Name top
- ABSTRACT
- MUST (
- objectClass
- )
- )
- Objectclass organization
- (2.5.6.4
- NAME organization
- SUP top
- STRUCTURAL
- MUST (
- o
- MAY (
- userPassword
- searchGuide
- seeAlso
- businessCategory
- x121Address
- registeredAddress
- destinationIndicator
- preferredDeliveryMethod
- telexNumber
- teletexTerminalIdentifier
- telephoneNumber
- internationaliSDNNumber
- facsimileTelephoneNumber
- street
- postOfficeBox
- postalAddress
- physicalDeliveryOfficeName
- st
- l
- description
- )
35Example Object Class Definitions (1)
- Object class top
- All object classes derived from the object class
top - Its purpose is to ensure every object contains
the objectClass attribute - It exists only to be subclassed i.e., ABSTRACT
- You will not find an entry for object class top
- Because every object class inherits from top,
every object class must contain the attribute
objectClass - (2.5.6.0
- NAME top
- ABSTRACT
- MUST (
- objectClass
- )
- )
36Example Object Class Definitions (2)
- Object class person
- Derived from top
- Besides the attribute objectClass inherited
from top every person entry must have the
attributes sn and cn - The line with SUP top expresses that the
object class top is its ancestor - We can use the numeric OID here SUP 2.5.6.0
- (2.5.6.6
- NAME person
- SUP top
- STRUCTURAL
- MUST (
- sn cn
- )
- MAY (
- userPassword telephoneNumber seeAlso
description - )
- )
37Example Object Class Definitions (3)
- Object class organizationalPerson
- Derived from person
- This object class has a number of attributes
useful for implementing an employee object such
as fax number, organizational unit and so on. - It adds more optional attributes in addition to
those provided by person. - (2.5.6.7
- NAME 'organizationalPerson'
- SUP person
- STRUCTURAL
- MAY (
- title x121Address registeredAddress
destination Indicator preferredDeliveryMet
hod telexNumber teletexTerminal Identifier
telephoneNumber internationaliSDNNumber
facsimileTelephoneNumber street postOfficeBox
postalCode postalAddress physicalDeliveryOff
iceName ou st 1 - )
- )
38Example Object Class Definitions (4)
- Object class inetOrgPerson
- This class was intended to accommodate
information about a person in a typical
Internet/Intranet environment - (2.16.840.1.113730.3.2.2
- NAME ' inetOrgPerson '
- SUP organizationalPerson
- STRUCTURAL
- MAY (
- audio businessCategory carLicense
departmentNumber displayName employeeNumber
employeeType givenName homePhone
homePostalAddress initials jpegPhoto
labeledURI mail manager mobile o pager
photo roomNumber secretary uid
userCertificate x500uniqueIdentifier
preferredLanguage userSMIMECertificate
userPKCS12 - )
- )
39LDAP Data Interchange Format (LDIF)
- LDIF is defined in RFC 2849
- LDIF is used to represent entries of an LDAP
directory or a set of changes to an LDAP
directory in a text-based file format. - LDIF can be used for a variety of management
functions, including backup, replication, bulk
import/export or modification. - For example, to add entries, you can first put
all the details of the entries in a ldif file and
then use the ldapadd command with the option f
ltfilename of ldifgt
dn uidjohnc,ouPeople,dccsa-snm,dccom uid
johnc cn John Chan givenName John sn
Chan mail johnc_at_csa-snm.com objectClass
person description a staff dn
uidmayc,ouPeople,dccsa-snm,dccom
Example of LDIF
40Example - Content of a directory exported to a
LDIF file
- dn oldap_abc.de
- objectclass top
- objectclass organization
- o ldap_abc.de
- l Munich
- dn ouIT, oldap_abc.de
- objectclass top
- objectclass organizationalUnit
- ou IT
- description Information Technologies
- dn ouHR, oldap_abc.de
- objectclass top
- objectclass organizationalUnit
- ou HR
- description Human Resources
- dn uidSParker, ouHR, oldap_abc.de
- objectclass top
- objectclass person
- objectclass organizationalPerson
- objectclass inetOrgPerson
- ou HR
- cn Sarah Parker
- sn Parker
- givenName Sarah
- uid SParker
- mail SarahParker_at_ldap_abc.de
- Mobile (0049) 89 671 293
41Different Types of Objects
- We have three different types of objects
- The whole organization is identified by an o
- oldap_abc.de
- The individual departments, called
organizationalUnit abbreviated with ou - ouIT,oldap_abc.de
- ouHR,oldap_abc.de
- The entry for a single person, called
inetOrgPerson is identified as follows - uidSParker,ouHR,oldap_abc.de
- Each entry corresponds directly to an object in
the real world, i.e, a person, a printer, a
computer, an organization, etc.
42LDAP URLs
- RFC 2255 defines the format of URL for LDAP
system - ldapurl ldap"//" hostport "/" dn "?"
attributes "?" scope "?" filter "?"
extensions - port number defaults to 389 for LDAP and 636
for LDAPS - dn the distinguished name used as the base of
the search - scope either base, one or subtree
- attributes a comma-separated list of the
attributes to return - filter the search filter to apply
- Example querying an LDAP server on port 389 and
doing a subtree search of the CSA-SNM for any
entry with a surname of "Chan", retrieving all
attributes - ldap//csa-snm.com389/dccsa-snm,dccom??sub?(sn
Chan)
43Directory Structure
- Hierarchical structure
- A deeper (more layers) structure can easily
delegate controls to local departments/units - Searching can be more efficient
- Flat structure
- A simple and flat structure (with a few
containers) needs fewer movements of objects
between containers when there is change in the
real-world organization of staff and equipment
(e.g. reorganization, changing of departments) - Other factors for design directory structure
- Replication
- Access Control
- Requirement of applications that use the directory
44Directory Structure
45LDAP Referrals
- LDAP referrals and search result continuation
references are pieces of knowledge reference
information sent from an LDAP server to an LDAP
client indicating that other servers need to be
contacted to fulfill the client's request. - LDAP referrals When an LDAP client performs an
LDAP add, modify, delete, modify DN, compare, or
search operation with a base-level scope, and the
server does not hold the target entry, the
knowledge reference information is returned to
the client in an LDAP referral. - LDAP search result continuation references If
the server was able to locate the entry referred
to by the baseObject but was unable to search all
the entries in the scope at and under the
baseObject, the server may return one or more
search result continuation references. - The information in LDAP referrals and search
result continuation references is in the format
of an LDAP Uniform Resource Locator (URL).
46LDAP Referral Chaining
- The information in LDAP referral or reference
- Host name of the server to contact
- Port number of the server
- The base DN or target DN this part is optional.
- Example ldap//serverB.csa-snm.com389/ousales
,dccsa-snm,dccom - Another way to glue together directory partitions
is with chaining. When this approach is used and
if the server is unable to process the client's
request completely because it does not hold all
the required data, it (the server) contacts other
servers on behalf of the client (forming a chain
of connections between servers). After the other
servers have completed the operations, the server
that was contacted by the client returns the
combined results to the client.
47LDAP Replication
- In replication systems, a Master server sends
updates to another server a Replica (or slave)
server accepts those changes. - Single-Master Replication system
- Only one server contains a writable copy of a
given directory entry. Only the master server
can perform write operations. - All replicas contain read-only copies of the
entry. - Multi-Master Replication system
- More than one read/write copy of an entry is
available. Client may submit update operation to
any of the read/write replicas. The set of
cooperating servers need to ensure that changes
are propagated to all servers and that
consistency is maintained.
48Single-Master Replication
- Method I all modifications go to the master LDAP
server - Method II Referrals
- Client sends modification to replica
- Replica returns referral to master
- Client resubmits modification to master
- Master returns results to client
- Master updates replica with change
- Method III Chaining
- Client sends modification to replica
- Replica forwards request to master
- Master returns result to replica
- Replica forwards result to client
- Master updates replica
49OpenLDAP Access Control
- OpenLDAP server Stand-alone LDAP daemon (slapd)
- At present, there is no standard LDAP access
control model specified. Different vendors are
using different approaches to implement access
control. Some vendors place a separate Access
Control List (ACL) on each directory entry
(possibly with inherited settings from parent
entries). With OpenLDAP, there is not a separate
ACL for each entry. Instead, directives in the
slapd configuration file form the basis for
access control policy. - All slapd runtime configuration is accomplished
through the slapd.conf file. An important
configuration in the slapd.conf file is about
access control. Access to slapd entries and
attributes is controlled by the access directives
defined in the configuration file. - Reference for slapd.conf - http//www.openldap.org
50OpenLDAP Access Control
- ltaccess directivegt access to ltwhatgt
- by ltwhogt ltaccessgt ltcontrolgt
- ltwhatgt dn.ltbasic-stylegtltregexgt
dn.ltscope-stylegtltDNgt
filterltldapfiltergt attrsltattrlistgt - ltwhogt anonymous users self
- dn.ltbasic-stylegtltregexgt
dn.ltscope-stylegtltDNgt - ltaccessgt selfltlevelgtltprivgt
- ltlevelgt none auth compare search read
write - ltscope-stylegt base one subtree children
- ltprivgt -wrscx0
- ltcontrolgt stop continue break
51OpenLDAP Access Control
- The ltwhatgt part of an access specification
determines the entries and attributes to which
the access control applies. - Examples of specifying ltwhatgt
- dn"cnJohn,oustaff,dccsa-snm,dccom"
- dn.base"oustaff,dccsa-snm,dccom"
- match the base entry only, i.e. oustaff
- dn.one"oustaff,dccsa-snm,dccom"
- match entries at the next level
- dn.subtree"oustaff,dccsa-snm,dccom"
- match entries of the subtree including the base
entry - dn.children"oustaff,dccsa-snm,dccom"
- match entries of the subtree excluding the base
entry - Attributes are selected by including a
comma-separated list of attribute names in the
ltwhatgt selector, for example, - dn.subtree"oustaff,dccsa-snm,dccom" attrssn
52OpenLDAP Access Control
- The ltwhogt part identifies the entity or entities
being granted access. Entities can be specified
by a number of ways - the special "" identifier, matching any entry,
- the keyword "self" matching the entry protected
by the access, - Anonymous non-authenticated Users
authenticated - a regular expression matching an entry's
distinguished name - a regular expression matching the client's IP
address or domain name - The kind of ltaccessgt granted can be one of the
following - none auth compare search read write
- Each level implies all lower levels of access,
e.g. granting the write access to an entry also
grants read, search, compare, and auth access to
that entry.
53OpenLDAP Access Control