introduction to ldap · university of málaga, spain chisin¸au, replublic of moldova˘ may, 15th...

DefinitionsCharacteristics

Back endsDirectory operations

SecurityReferences

Introduction to LDAPIdentity Management Workshop

Victoriano Giralt

Central Computing FacilityUniversity of Málaga, Spain

Chisinau, Replublic of MoldovaMay, 15th 2007

Victoriano Giralt Introduction to LDAP



SecurityReferences

Let’s set things straight from the beginig

LDAP is NOT a directory

it is a protocolto access the directory

X.500 IS the directoryDon’t pannic

Let’s make LDAP = LDAP accesable directory system




SecurityReferences




X.500 IS the directory

Don’t pannic





SecurityReferences




X.500 IS the directoryDon’t pannic





SecurityReferences




X.500 IS the directoryDon’t pannic, I’m not going to resurrect the OSI stack





SecurityReferences

Overview

1 Definitions

2 Characteristics

3 Back ends

4 Directory operations

5 Security




SecurityReferences

What is a directory?from different points of view

Linguistics

According to D.R.A.E.

Directory

5. m. Roster of people belonging to a group,with indication of diverse information about them,such as role, location data, phone numbers, etc.




SecurityReferences

What is a directory?from different points of view

Computer Science

Directory

Information objects organized hierarchycally.Like:

Storage file systems

Domain Name System (DNS)

X.500, the Directory




SecurityReferences

What is an Entry

An entry is simply an individual object stored in the directory

Examples of entries are

A person

An organization

A department

A network node

The description of a classification code




SecurityReferences

What is an Entry

An entry is simply an individual object stored in the directoryExamples of entries are

A person

An organization

A department

A network node

The description of a classification code




SecurityReferences

What is an Attribute

An attribute is a name value pair of a characteristic of an objectstored in a directory entry.

Attributes can be

Univalued. Only one same name value pair per entry.

Multivalued. Any number of same name value pairs.

Operational. Managed by the server.

A person’s Surname (family name)

A system’s IP address

A telephone number

createTimestamp




SecurityReferences


An attribute is a name value pair of a characteristic of an objectstored in a directory entry.Attributes can be






A telephone number

createTimestamp




SecurityReferences


An attribute is a name value pair of a characteristic of an objectstored in a directory entry.Attributes can be




Examples of attributes are



A telephone number

createTimestamp




SecurityReferences

What is an ObjectClass

An objectClass is a logical grouping of attributes thatentries may have

According to objectClass definition, attributes are

Required. The atribute must exist in an entry of that kind.

Optional. The atribute may (or may not) exist.

Person

innetNode

schacLinkageIdentifiers




SecurityReferences


An objectClass is a logical grouping of attributes thatentries may haveAccording to objectClass definition, attributes are



Person

innetNode





SecurityReferences


An objectClass is a logical grouping of attributes thatentries may haveAccording to objectClass definition, attributes are



Examples of objectClasses are

Person

innetNode





SecurityReferences

The Directory Information Treea.k.a. DIT

The tree that organises a hyerarchy of directory objects




SecurityReferences

What is a DistinguishedNameIt’s my very own personal name in the directory

The components of a Distinguished Name

DN

RDN

Base DN




SecurityReferences



DN

RDN

Base DN

Distinguished Name

It is is an special attribute thatuniquelly identifies an entry in a DIT branch.This value is composed of one or moreattributes from the entry itself,and the DN of the branch where it resides.For example:dn=cn=postmaster,ou=roles,dc=renam,dc=md




SecurityReferences



DN

RDN

Base DN

Relative Distinguished Name

It is the part of the DN that singles outan entry inside its branch in the DIT.I.e.: The entry’s DN minus the DN of its parent.In the previous example: cn=postmaster




SecurityReferences



DN

RDN

Base DN

Base DNIt is the DN of the DIT root.For example: dc=renam,dc=md




SecurityReferences

Singularities of directoriesa model closer to the real world

Best known database systems are relational oneswe will describe LDAP directories in comparison to them




SecurityReferences



Relational DBMSNo standardtable schema

Schema

LDAP directory

International standardsfor persons andorganizations,more so in Academia




SecurityReferences



Relational DBMS

One logical entitystored in severaltables

SchemaOrganization LDAP directory

One logical entityOne objectOne node = entry in DIT




SecurityReferences



Relational DBMSNew table orseveral fields

SchemaOrganizationMulti value

LDAP directory

All stored in one attributeAs many as needed




SecurityReferences



Relational DBMSRestricted set

SchemaOrganizationMulti valueDatatypes

LDAP directory

Unlimited numberthrough the use ofsyntaxes




SecurityReferences



Relational DBMSMatching rulesoutside thedata model.Implemented inprograms

SchemaOrganizationMulti valueDatatypesMatching

LDAP directory

Matching rules in thedata model.Defined with the schema




SecurityReferences



Relational DBMS

Changes in schemarequire big efforts.Affect program logic

SchemaOrganizationMulti valueDatatypesMatchingFlexibility

LDAP directory

Granularschema modificationsUp to the entry level.Need attribute − >

add objectClass




SecurityReferences



Relational DBMSNetwork accessnot standardised

SchemaOrganizationMulti valueDatatypesMatchingFlexibilityAccess

LDAP directory

Standard networkaccess: LDAPEasy distribution of dataon the Net




SecurityReferences



Relational DBMS

Only proprietaryAuthN mechanisms

SchemaOrganizationMulti valueDatatypesMatchingFlexibilityAccessAuthN

LDAP directory

Various standard AuthNmechanisms thatwork over the network




SecurityReferences



Relational DBMS

Only proprietaryOverly complicated

SchemaOrganizationMulti valueDatatypesMatchingFlexibilityAccessAuthNReplication

LDAP directory

Standard protocolsthat are includedfrom design




SecurityReferences

Database systemsdirectory data has to be put onto storage

It is possible to use different database backends tostore the directory data on the filesystem.

Sleepy Cat Berkeley DBIt is the most used backed for LDAP

Relational database systemsIt is possible to use this databases as backendsfor LDAP enabled directories.There are even RPMs to do that with OpenLDAP.

GNU DBM




SecurityReferences

ConnectingSearchingData managementIndexing

Connecting to the directoryfor performing other tasks

These are the operations that control the connectionto the directory

1 StartTLS2 Bind3 Unbind

Abandon




SecurityReferences




1 StartTLS

2 Bind3 Unbind

Abandon

Secure connectionsIt should be mandatoryEncrypted transports protect the data




SecurityReferences




1 StartTLS2 Bind

3 Unbind

Abandon

AuthNThe principal proves identity to the serviceThus, access controls can be applied toother operationsSome operations maybe made insideanonymous sessions




SecurityReferences





Abandon

End the sessionThe principal tells the service ithas finished workingIn practice, this closes de connection




SecurityReferences





Abandon

End operations

LDAP protocols allows for operations to beasynchronousThen, it is possible to abandon operationsbefore they finish




SecurityReferences


Searching in LDAP directoriespowerful, but not for the faint of heart

Search operations using the LDAP protocolare very powerful, thus they need many parameters




SecurityReferences




Base DN a.k.a. Base object

The node in the DIT that is the starting pointfor the search




SecurityReferences




scope

Base DNsearch depth

base:Search only the base DN object

onelevel:Search first level below base DN

subtree:Search all levels below base DN




SecurityReferences




derefAliases

scope

Base DN

follow pointers

neverDerefAlias

derefInSearching:scope onelevel or sub

derefFindingBaseObject:scope base

derefAways




SecurityReferences




size limit

derefAliases

scope

Base DN

how many results

Limit the number of entries the serverwill return in the search result




SecurityReferences




time limit

size limit

derefAliases

scope

Base DN

how long to wait

Limit the time the server will spendperforming the search




SecurityReferences




attrsOnly

time limit

size limit

derefAliases

scope

Base DN

just the names

Return only the names of the attributes,no values




SecurityReferences




filter

attrsOnly

time limit

size limit

derefAliases

scope

Base DN

search expression

The query itselfThe format is (condition)




SecurityReferences




attributes

filter

attrsOnly

time limit

size limit

derefAliases

scope

Base DN

search results

A list of the attributes (and possibly values)the server should returnfrom the entries in the result set.* means all attributes




SecurityReferences


Search operationsthe art of query building

LDAP queries consist of comparison conditions combined byboolean operations.

Comparison operations

Equality

Substring

Presence




SecurityReferences





Equality

Substring

Presence

Exact matchThe attribute value must matchthe search string




SecurityReferences





Equality

Substring

Presence

Substring match

The attribute value shouldstart (string*) or end (*string) withor contain (*string*) the search string




SecurityReferences





Equality

Substring

Presence

Any value *

The search retrieves entries that havethe attribute, whatever its value.




SecurityReferences




Comparison operators(attribute operator searchstring)

=

<=

=

Equal

The attribute value shall equal the result ofthe comparison operation




SecurityReferences





=

<=

=

Less than or equal

The attribute value ordering position shall belower or equal that that of the result ofthe comparison operation




SecurityReferences





=

<=

=

Approximate

The attribute value should sound similar,in English, to the comparison operation.Only equality is accepted here.




SecurityReferences




Boolean operators(operator(condition). . . )

&

|

!

And

All conditions must be true for the entry to beadded to the result set(&([email protected])(schacUserStatus=*:mail:active))




SecurityReferences





&

|

!

Or

If any of the conditions is true,the entry is added to the result set(|([email protected])([email protected]))




SecurityReferences





&

|

!

NotThe entry must not meet the condition to beadded to the result set(!(schacUserStatus=*:locked))




SecurityReferences


Updating the directorythe usual operations, with a twist

All update operations require the DN of the entryand are atomic, i.e. searches get the whole old or new one

Add

Delete

Modify

Rename




SecurityReferences




Add

Delete

Modify

Rename

Insert a new entryCreates a new entry with the provided DN,as long as there is no other entry with the same DN

and all required attributes are present




SecurityReferences




Add

Delete

Modify

Rename

Remove the named entryDeletes the entry with the provided DN




SecurityReferences




Add

Delete

Modify

Rename

Modify the entry attributesThe attributes listed in the operation are alteredin the entry whose DN is provided.Attribute operations are:

- Add attribute-value pair

- Remove attribute-pair

- Delete attribute

- Replace current value




SecurityReferences




Add

Delete

Modify

Rename

Modify the entry’s DNThis operation changes the entry’s DNA copy of the original entry is first created

- rename: delete original, new in same branch

- move: delete original, new in other branch

- copy: keep original




SecurityReferences


Directory indexinggetting ready for finding entries

LDAP is read optimizedThus proper indexing is of capital importance

More indexes => faster searches

More indexes => slower updates

Which attributes to indexHow to index them, it depends on the schema

equalitypresencesubstring




SecurityReferences






Which attributes to index

How to index them, it depends on the schema





SecurityReferences






Which attributes to indexHow to index them

, it depends on the schema





SecurityReferences











SecurityReferences







equality

presencesubstring




SecurityReferences







equalitypresence

substring




SecurityReferences











SecurityReferences

Access Control ListsControlling Access to entries and attributes

LDAP offers a very fine grained control onwho can access what

Anonymous or bound sessions

Requested attributes

Search, read or write

Attribute values

Complex search filters

Originating IP address




SecurityReferences

Some URLs

Wikipedia http://en.wikipedia.org/wiki/Ldap

OpenLDAP http://www.openldap.org/

Fedora DS http://directory.fedoraproject.org/

RFCs http://www.rfc-editor.org/rfcsearch.htmlsearch for LDAP


introduction to ldap · university of málaga, spain chisin¸au, replublic of moldova˘ may, 15th...

Documents