ldap light weight directory access protocol presentation by alakesh apurva dhan and ash
TRANSCRIPT
LDAP: LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL
• PRESENTATION BY ALAKESH, APURVA, DHAN AND ASH
WHAT IS LDAP
• LDAP IS LIGHT WEIGHT
• SUFFICIENTLY STRAIGHT FORWARD
• EASY TO IMPLEMENT, AS AGAINST X.500 DAP WHICH IS HEAVY WEIGHT
LDAP
• DIRECTORY BECAUSE DATA IS ORGANISED IN THE FORM OF A TREE, MUCH LIKE THE UNIX FILE SYSTEM
• USES A SIMPLIFIED SET OF ENCODINGS
• RUNS DIRECTLY ABOVE TCP/IP
• USES STRINGS TO REPRESENT DATA
LDAP
• LDAP SECURITY MODEL : DEFINES HOW INFORMATION CAN BE PROTECTED FROM UNAUTHORISED ACCESS
LDAP
• LDAP API ( APPLICATION PROGRAMMING INTERFACE )
• THERE ARE SEVERAL LDAP APIS ; THE OLDEST ONES ARE WRITTEN IN C
• NOWADAYS LDAP APIS ARE AVAILABLE IN OTHER PROGRAMMING LANGUAGES LIKE PERL AND JAVA
HOW LDAP WORKS
• LDAP DIRECTORY SERVICE IS BASED ON THE CLIENT-SERVER MODEL
• LDAP IS A MESSAGE ORIENTED PROTOCOL
• THE CLIENT CONSTRUCTS AN LDAP MESSAGE CONTAINING A REQUEST AND SENDS IT TO THE SERVER
HOW LDAP WORKS
• THE SERVER PROCESSES THE REQUEST AND SENDS THE RESULT BACK TO THE CLIENT IN THE FORM OF AN LDAP MESSAGE
LDAP BACKENDS
• THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP SERVER, CALLED SLAPD, COMES WITH THREE DIFFERENT BACKEND DATABASES
• WE ASSUME THAT IN OUR CASE WE USE LDBM, THE MOST USED ONE
HOW LDAP WORKS
• THE LDBM DATABASE WORKS BY ASSIGNING A COMPACT FOUR BYTE UNIQUE IDENTIFIER TO EACH ENTRY
• INDEX FILES ARE MAINTAINED FOR REFERRING TO THE DATA
LDAP PROTOCOL OPERATION
• INTERROGATION OPERATIONS : SEARCH , COMPARE
• ADD/DELETE OPERATIONS : ADD , DELETE , MODIFY , MODIFY DN
• AUTHENTICATION AND CONTROL OPERATIONS : BIND , UNBIND , ABANDON
LDAP INFORMATION MODEL
• THE BASIC UNIT IS THE ENTRY ( A COLLECTION OF INFORMATION ABOUT AN OBJECT )
• AN ENTRY IS COMPOSED OF A SET OF ATTRIBUTES
LDIF
• LDIF STANDS FOR LDAP DATA INTERCHANGE FORMAT
• DIRECTORY ENTRIES IN LDAP ARE IN THE FORM OF LDIF
LDIF FORMAT
• BASIC FORM OF LDIF :
  # COMMENT
  DN: <DISTINGUISHED NAME>
  <ATTRDESC>: <ATTRVALUE>
  <ATTRDESC>: <ATTRVALUE>
  …..
• EXAMPLE : DN: UID=ALAKESH, DC=IIT, DC=EDU
LDAP
• IN ADDITION TO BEING A NETWORK PROTOCOL, LDAP ALSO DEFINES FOUR MODELS
• LDAP INFORMATION MODEL : DEFINES THE KIND OF DATA YOU PUT IN THE DIRECTORY
• LDAP NAMING MODEL : HOW YOU ORGANISE AND REFER TO DIRECTORY INFORMATION
LDIF FORMAT
• LINES STARTING WITH # ARE CONSIDERED TO BE COMMENTS
• ALL OTHER ATTRIBUTES ARE WRITTEN IN <ATTRDESC>: <VALUE> FORM
LDIF
• EACH ENTRY IS UNIQUELY IDENTIFIED BY A DISTINGUISHED NAME OR DN . THE DN CONSISTS OF THE NAME OF THE ENTRY PLUS A PATH IN THE DIRECTORY TREE TRACING BACK TO THE TOP OF THE DIRECTORY HIERARCHY
• THE OBJECT CLASS DEFINES THE CLASS OF ATTRIBUTES THAT CAN BE USED TO DEFINE AN ENTRY
LDIF
• DIRECTORY DATA IS REPRESENTED AS ATTRIBUTE-VALUE PAIRS . ANY SPECIFIC PIECE OF INFORMATION IS ASSOCIATED WITH A DESCRIPTIVE ATTRIBUTE
LDAP CONFIGURATION
• THE CONFIGURATION FILE SLAPD.OC.CONF CONTAINS THE DEFINITION OF ALL THE OBJECT CLASSES
• THE ATTRIBUTES OF THE OBJECT CLASSES ARE DEFINED IN SLAPD.AT.CONF FILE
LDAP CONFIGURATION
• EACH OBJECT CLASS HAS REQUIRED AND ALLOWED ATTRIBUTES
• REQUIRED ATTRIBUTES MUST BE PRESENT WHILE ALLOWED ARE OPTIONAL
LDAP CONFIGURATION
• EACH ATTRIBUTE HAS CORRESPONDING SYNTAX DEFINITION
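The LDIF form and the required/allowed attribute rule from the slides above, as an added example that is not part of the presentation: a small parser for the DN: / <ATTRDESC>: <VALUE> layout and a check of each entry against object class definitions. The SCHEMA and SAMPLE_LDIF values are constructed for the example and are not taken from slapd.oc.conf or slapd.at.conf.

```python
# Added example (not from the slides): parse LDIF in the "dn:" / "attr: value" form
# above and check entries against object classes with required/allowed attributes.
# SCHEMA and SAMPLE_LDIF are constructed for the example, not from any slapd file.
SCHEMA = {  # object class -> (required attrs, allowed attrs); deliberately simplified
    "person": ({"cn", "sn"}, {"userpassword", "telephonenumber", "description"}),
    "organization": ({"o"}, {"description"}),
}
SAMPLE_LDIF = """\
# lines starting with '#' are comments
dn: o=iitb,c=india
objectclass: organization
o: iitb

dn: cn=hi,o=iitb,c=india
objectclass: person
cn: hi
telephonenumber: 12345
"""

def parse_ldif(text):
    entries = []  # [{'dn': str, 'attrs': {lowercased name: [values]}}]
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():   # comments and separators
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()  # attribute types are case-insensitive
        if name == "dn":                                   # each dn line starts a new entry
            entries.append({"dn": value, "attrs": {}})
        elif not entries:
            raise ValueError(f"attribute {name} before any dn")
        else:
            entries[-1]["attrs"].setdefault(name, []).append(value)
    return entries

def validate(entry, schema=SCHEMA):
    """List problems: unknown classes, missing required attrs, attrs no class allows."""
    required, allowed, problems = set(), {"objectclass"}, []
    for cls in entry["attrs"].get("objectclass", []):
        if cls.lower() not in schema:
            problems.append(f"unknown object class {cls}")
            continue
        req, opt = schema[cls.lower()]
        required |= req
        allowed |= req | opt
    present = set(entry["attrs"])
    problems += [f"missing required attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed" for a in sorted(present - allowed)]
    return problems
```

The second sample entry is deliberately missing the required SN attribute, so validate() reports it; a real slapd rejects such an entry on ldapadd with an object class violation.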
LDAP ACCESS CONTROL
• ACCESS TO <WHAT> [ BY <WHO> <ACCESS LEVEL> <CONTROL> ]
• THIS DIRECTIVE GRANTS ACCESS TO A SET OF ENTRIES/ATTRIBUTES BY ONE OR MORE REQUESTERS
• EXAMPLE : ACCESS TO * BY * READ
LDAP ACCESS CONTROL
• THE ABOVE DIRECTIVE GIVES READ PERMISSION TO EVERYONE
• FOR EXAMPLE, ACCESS TO DN=".*,C=INDIA" BY * SEARCH GIVES SEARCH PERMISSION ON ENTRIES UNDER THE C=INDIA SUBTREE
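An added example, not part of the slides, that models how slapd evaluates the ACCESS TO ... BY ... directives shown above: the first TO clause matching the target wins, and within it the first matching BY clause fixes the access level. It contrasts the slide's ACCESS TO * BY * READ, under which an anonymous client can also read password attributes, with a constructed hardened policy; the WHO keywords anonymous, users and self and the ATTRS= form are OpenLDAP syntax not shown on the slides, and all DNs are made up.

```python
# Added example (not from the slides): minimal evaluator for slapd directives of the
# form  access to <what> by <who> <level>.  OpenLDAP semantics: the first 'to' clause
# matching the target wins and its first matching 'by' clause decides; no match = deny.
# Policies, DNs and requesters are constructed; only *, anonymous, users, self handled.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # weakest to strongest

OPEN_POLICY = ["access to * by * read"]     # the slide's example: everyone reads everything
HARDENED_POLICY = [                         # constructed: protect passwords, require a bind
    "access to attrs=userPassword by self write by anonymous auth by * none",
    'access to dn=".*,c=india" by users read by * none',
]

def parse_directive(text):
    """Return (what, [(who, level), ...]) for one access directive."""
    m = re.match(r'access\s+to\s+(\*|attrs=\S+|dn="[^"]*")\s+(.*)$', text)
    if not m:
        raise ValueError(f"cannot parse directive: {text!r}")
    return m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    # dn="<regex>": slapd anchors the pattern to the whole DN, hence fullmatch
    return re.fullmatch(what[4:-1], target_dn, re.IGNORECASE) is not None

def who_matches(who, requester_dn, target_dn):   # requester_dn is None when anonymous
    return (who == "*"
            or (who == "anonymous" and requester_dn is None)
            or (who == "users" and requester_dn is not None)
            or (who == "self" and requester_dn is not None
                and requester_dn.lower() == target_dn.lower()))

def access_level(policy, requester_dn, target_dn, attr=None):
    for directive in policy:
        what, clauses = parse_directive(directive)
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"               # 'to' matched but no 'by' did: implicit deny
    return "none"

def can(policy, requester_dn, target_dn, attr, needed):
    # a granted level implies every weaker one (read implies search, compare, auth)
    return LEVELS.index(access_level(policy, requester_dn, target_dn, attr)) >= LEVELS.index(needed)
```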
LDAPADD
• THE OPENLDAP PACKAGE COMES WITH A SHELL EXECUTABLE NAMED LDAPADD, USED TO ADD ENTRIES TO THE DATABASE WHILE THE LDAP SERVER IS RUNNING
• BASIC SYNTAX IS : LDAPADD -f <DATAFILE> -D <DN> -w <PASSWD> ( OR -W IF THE PASSWORD IS TO BE PROMPTED FOR )
LDAPDELETE
• ANOTHER SHELL EXECUTABLE, FOR DELETING ENTRIES
• ITS SYNTAX IS : LDAPDELETE 'CN=HI,O=IITB,C=INDIA'
LDAPMODIFY
• IT IS ANOTHER SHELL EXECUTABLE, USED TO MODIFY DATA IN THE DIRECTORY DATABASE
• IT HAS A SIMILAR SYNTAX TO LDAPADD
LDAPSEARCH
• A SHELL ACCESSIBLE INTERFACE TO THE LDAP_SEARCH() C ROUTINE
• LDAPSEARCH OPENS A CONNECTION TO THE LDAP SERVER AND PERFORMS A SEARCH, WHICH FOLLOWS THE FILTERING RULES DEFINED IN RFC1558
LDAPSEARCH
• FOR EXAMPLE : LDAPSEARCH -b "C=INDIA" "O=IITB"
• IF * IS ALLOWED READ ACCESS BY DEFAULT, THE O=IITB ENTRY WILL BE RETURNED
• THE -b OPTION SPECIFIES THE SEARCH BASE
LDAP AND JAVA CONNECTIVITY
• THERE EXISTS A PACKAGE CALLED JNDI ( JAVA NAMING AND DIRECTORY INTERFACE )
• IT CONTAINS THE APIS NEEDED TO CONNECT TO AN LDAP SERVER AND RETRIEVE INFORMATION
JNDI EXAMPLE
• A TYPICAL CODE WRITTEN USING JNDI TO DO AN LDAP SEARCH WILL BE LIKE THIS …..
  import java.util.Hashtable;      // the slide's "Hashable" is a typo
  import java.util.Enumeration;
  import javax.naming.*;
  import javax.naming.directory.*;

  class Search {
      public static void main(String[] args) {
          // initial capacity 5, load factor 0.75
          Hashtable env = new Hashtable(5, 0.75f);
          // Env is a helper class not shown on the slides; it is assumed to hold
          // the JNDI factory class name and the LDAP server URL
          env.put(Context.INITIAL_CONTEXT_FACTORY, Env.INITCTX);
          env.put(Context.PROVIDER_URL, Env.MY_SERVICE);
          // ……………………….
      }
  }
Why LDAP?
• Most LDAP servers are optimized for read-intensive operations. Thus, one can see an order of magnitude difference when reading data from an LDAP directory versus obtaining the same data from a relational database server optimized for OLTP.
• Because of this optimization, however, most LDAP directories are not suited for storing data where changes are frequent.