
Page 1: Lightweight Directory Access Protocol - michel/Supports/LDAPslides.pdf · a protocol to access to a directory a functional model a data model a replication model a security model

06/03/2006 INT/LOR/RIP Michel Gardie

LDAP

Lightweight Directory Access Protocol

Page 2: Summary

Overview
Protocol
Client-server communication
Data model
Attributes
Classes
Schema
Security
LDIF
Functional model
LDAP URLs

Page 3: Directory: a need

I want to access a web server: http://www.int-evry.fr/

I want to log on to a remote host: ssh forest.cs.concordia.ca

I want to send an email and get the address from a shared address book

I want to be authenticated when I establish a connection with a mail server

etc.

Page 4: Examples of directory uses

http://www.int-evry.fr

www.int-evry.fr is resolved by the DNS

finger michel@rainbow

rainbow is resolved by the DNS, michel is resolved either locally, or by a more general directory.

mailto [email protected]

same principle as above

Page 5: DNS: an example

It is distributed over several cooperating hosts.

Offers simple features:

name → IP addresses

IP address → name, alias

Page 6: LDAP history

LDAP is an adaptation of the DAP protocol (the access protocol to X.500 directories).

LDAP was a front-end processor to X.500 directories.

LDAP became a standalone directory service in 1995 (LDAPv2, RFC 1777).

Latest version (v3) in December 1997 (RFC 2251).

Page 7: LDAP: some examples

white-page directory to contact persons

directory of mail addresses to allow the mailing tools or the servers to compose or verify mail addresses

database to allow authentication (certificates, passwords)

NIS (Network Information Service)

Page 8: Directory: overview

Directories may contain:

person identification

device identifiers

URLs

pictures

etc.

Page 9: Directory: offered services

A directory service offers the following features:

a protocol to access a directory

a functional model

a data model

a replication model

a security model

Page 10: The LDAP protocol

LDAP is a directory protocol over TCP/IP.

It defines how operations and data are transmitted.

It defines several operations: Bind, Search, Add, Modify, Delete, etc.

Page 11: The protocol: PDUs

The PDU structure uses BER encoding (see ASN.1).

Simple values (integers, booleans, enumerations, etc.) are encoded directly with BER.

Other values (DNs, attribute types and attribute values) are carried as OCTET STRINGs: text is UTF-8, binary values are raw bytes. Base64 is not used on the wire; it only appears in the textual LDIF representation.

Page 12: The protocol: RFCs

Communication is standardized by the IETF.

Today's protocol version (RFC 2251): 3

Other RFCs related to LDAPv3:

RFC 2252: attribute syntaxes
RFC 2253: UTF-8 representation of DNs
RFC 2254: search filters
RFC 2255: LDAP URL format
RFC 2256: X.500 schema for LDAP
RFC 2829: authentication methods
RFC 2830: TLS extension
RFC 2849: LDIF

(In June 2006, shortly after these slides, RFC 2251 to 2256, 2829 and 2830 were superseded by the LDAPv3 technical specification RFC 4510 to 4519; RFC 2849 remains current.)

Page 13: Communications

Figure: a client talking to a main server, a replicated server and a referral server.

Page 14: The client-server communication

The bind operation is optional (a session on which no bind has been performed is treated by the server as anonymous).

The client may send several requests.

Each request has an identifier (message ID).

A request may result in several response messages (for a search: one message per entry found, then a final search result).

Figure: client-server sequence

Client                         Server
connection open and bind  -->
                          <--  bind result
search operation          -->
                          <--  entry #1
                               ...
                          <--  entry #n
                          <--  search result
unbind                    -->
connection close

Page 15: The data model

The data model is based on entries.

Each entry is identified by a distinguished name.

An entry stores attributes.

Each attribute has a type and one or several values.

An entry has at least one object class. The class models the intrinsic nature of an entry.

Page 16: The data model

The naming space is hierarchical.

This is the Directory Information Tree (DIT).

Each node is an entry.

To be created, an entry must be attached under an already existing entry (its parent), or at the root of the tree.

Page 17: The data model

An entry is identified by a fully qualified name.

This is the Distinguished Name (DN).

A DN is a sequence of Relative Distinguished Names (RDN), one per level of the tree, the most specific first.

Page 18: The data model

Example tree (one line per level of the DIT):

level 1: o=int,c=fr
level 2: ou=rst    ou=lor
level 3: cn=PH     cn=MG

The DN of MG is:

dn: cn=MG, ou=lor, o=int, c=fr

ou=lor is an RDN.

The DN of lor is:

dn: ou=lor, o=int, c=fr
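The DN rules above are easy to get wrong in code that splits or compares DNs by hand (a DN with an escaped comma, an extra space after a separator, or a different case is still the same name). The following is an added example, not part of the slides: a small DN parser following the string representation of RFC 4514 (the successor of the RFC 2253 cited on page 12), with escaping, normalization and a subtree test. The DNs used in the code are constructed; `is_under` assumes case-insensitive matching for the attribute values, which holds for cn, ou, o, c and dc.

```python
# Added example (not from the slides): parse a DN such as
# "cn=MG, ou=lor, o=int, c=fr" into RDNs, honouring RFC 4514 escaping
# (backslash escapes, \XX hex pairs, '+' between the values of a
# multi-valued RDN, insignificant spaces around separators).
import string
from typing import List, Tuple

RDN = List[Tuple[str, str]]                  # one RDN = list of (type, value)


def _text(buf: List[Tuple[bytes, bool]]) -> str:
    """Join the buffered bytes, dropping unescaped leading/trailing spaces."""
    start, end = 0, len(buf)
    while start < end and buf[start] == (b" ", False):
        start += 1
    while end > start and buf[end - 1] == (b" ", False):
        end -= 1
    return b"".join(b for b, _ in buf[start:end]).decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """RDNs of dn, most specific first; the empty DN (root DSE) has none."""
    if not dn.strip():
        return []
    rdns: List[RDN] = []
    avas: RDN = []
    attr, in_value = "", False
    buf: List[Tuple[bytes, bool]] = []       # (bytes, was_escaped)
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append((bytes([int(pair, 16)]), True))     # \2C -> ','
                i += 3
            else:
                buf.append((dn[i + 1].encode("utf-8"), True))  # \,  -> ','
                i += 2
            continue
        if not in_value and ch == "=":
            attr, buf, in_value = _text(buf), [], True
        elif in_value and ch in ",;+":
            avas.append((attr, _text(buf)))
            buf, in_value = [], False
            if ch != "+":                    # ',' or ';' closes the RDN, '+' does not
                rdns.append(avas)
                avas = []
        else:
            buf.append((ch.encode("utf-8"), False))
        i += 1
    if not in_value:
        raise ValueError("malformed DN: %r" % dn)
    avas.append((attr, _text(buf)))
    rdns.append(avas)
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value for a DN string (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def normalize_dn(dn: str) -> str:
    """Canonical form: lower-case types, no insignificant spaces, values of a
    multi-valued RDN sorted.  Values keep their case."""
    parts = []
    for rdn in parse_dn(dn):
        avas = sorted((t.lower(), escape_value(v)) for t, v in rdn)
        parts.append("+".join("%s=%s" % ava for ava in avas))
    return ",".join(parts)


def is_under(dn: str, base: str) -> bool:
    """True if dn is base or lies below it in the DIT.  Values are compared
    case-insensitively (assumes caseIgnoreMatch, true for cn, ou, o, c, dc).
    A plain string endswith() test breaks on spacing, case and escaped
    separators, which is how subtree checks in access control go wrong."""
    def key(d: str):
        return [sorted((t.lower(), v.lower()) for t, v in rdn) for rdn in parse_dn(d)]
    d, b = key(dn), key(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

`parse_dn` decodes hex pairs byte-wise and only converts to text at the end, so a UTF-8 value escaped as `\C3\A9` comes back as the single character é.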

Page 19: Attributes

An entry in the directory is a set of {attribute type, attribute value} pairs. Attribute types are characterized by:

a name

an OID

a syntax and matching rules

a parent (super-type) attribute name

a single- or multi-valued indication

a usage indication

Page 20: Attribute examples

cn (commonName): contains the name of an object.

sn (surname): contains a family name.

postalCode: contains a zip code.

telephoneNumber: obvious, isn't it?

facsimileTelephoneNumber: a fax number.

labeledURI: contains URLs (spelt with a single l, as defined in RFC 2079).

owner: contains the DN of the owner of an object.

Page 21: The data model

Attribute examples:

cn: Michel Gardie

mail: [email protected]

ou: Software & Network Department

roomNumber: C 107-01

jpegPhoto:: R01G0D1h1QATAFcAAP//.......

Page 22: Attributes

Attributes may form a hierarchy.

An attribute may inherit the characteristics of a super-type attribute.

Example:

cn, sn, givenName are subtypes of the super-type attribute name.

member, owner, roleOccupant are subtypes of the super-type attribute distinguishedName.

A search filter on a super-type (for example (name=Gardie)) also matches the values of its subtypes (here sn).

Page 23: Attribute description

attributetype ( 1.3.6.1.4.1.7391.2.1.3
    NAME ( 'semester' 'sem' )
    DESC 'allows to code a semester'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

(The SYNTAX OID is the standard INTEGER syntax, which is why the equality rule is integerMatch.)

Page 24: Operational attributes

Some attributes are operational: they are maintained by the server for management purposes and are not part of the user data. Example:

createTimestamp

modifyTimestamp

These attributes are available in each entry, but a search only returns them when they are requested explicitly by name (or with "+", the all-operational-attributes request of RFC 3673, see the LDAP URL examples).

Page 25: Operational attributes

Some attributes only exist in the rootDSE entry or in the subschema entry. Example:

subschemaSubentry contains the DN of the entry which describes the schema.

attributeTypes contains the attribute types of the schema.

objectClasses contains the object classes of the schema.

Page 26: The data model

Entries must have at least one class: they are "typed".

This is done by the objectClass attribute.

Class examples:

objectClass: person

objectClass: organization

objectClass: organizationalUnit

Page 27: The data model

An object class defines the mandatory and optional attributes of the entries that carry it.

Ex.: objectClass person implies that:

the attributes cn and sn are mandatory;

the attributes userPassword, telephoneNumber, seeAlso and description are optional.

Page 28: Object classes

Object classes represent real or abstract objects through a list of attributes. An object class is defined by:

a name

an OID

a list of mandatory attributes

a list of optional attributes

a parent class name

a type (structural, auxiliary or abstract)

Page 29: Class hierarchy

Classes form a hierarchy

At the highest point is the class called top

Each class inherits properties (attributes) from its parent class.

It is possible to enrich a class by creating a child class with extra attributes

Page 30: Example of class hierarchy

The inetOrgPerson object class derives from:

top
  ↓
person
  ↓
organizationalPerson
  ↓
inetOrgPerson

Page 31: Class type

The class type defines how a class may be used.

Class types:

structural: the basic objects of the directory; every entry has exactly one structural class chain.

auxiliary: classes used to add information to structural objects.

abstract: classes that cannot be instantiated on their own and only serve as parents of other classes, such as top (alias, by contrast, is a structural class).

Page 32: Class description

Example:

objectclass ( 1.3.6.1.4.1.7391.2.2.3
    NAME ( 'option' 'opt' )
    DESC 'describes an option'
    SUP top
    STRUCTURAL
    MUST ( cn )
    MAY ( description $ manager $ ou $ labeledURI $ Population $ semester ) )
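As an added example, not from the slides, here is a parser for object class descriptions in this syntax (RFC 4512, the successor of the RFC 2252 cited on page 12) together with a validator that applies the MUST/MAY rules of page 27 to an entry, walking the SUP chain so that the objectClass requirement of top is inherited. The definitions of top and person are the standard ones from RFC 4512 and RFC 4519; option is the class of this slide. The attribute-type syntax of page 23 is not parsed here.

```python
# Added example (not from the slides): parse object class definitions in
# the RFC 4512 description syntax (also what OpenLDAP schema files use) and
# check an entry against the accumulated MUST/MAY lists of its classes.
import re
from typing import Dict, List, Set, Tuple

_TOKEN = re.compile(r"'([^']*)'|([()$])|([^\s()$']+)")   # qdstring | symbol | word


def _tokens(text: str) -> List[Tuple[str, str]]:
    return [("sym", b) if b else ("word", c) if c else ("str", a)
            for a, b, c in _TOKEN.findall(text)]


def parse_objectclass(definition: str) -> dict:
    """Parse '( oid NAME ... SUP ... STRUCTURAL MUST (...) MAY (...) )'."""
    toks = _tokens(definition)
    if toks[0][0] == "word" and toks[1] == ("sym", "("):
        toks = toks[1:]                              # slapd-style 'objectclass' keyword
    if toks[0] != ("sym", "(") or toks[-1] != ("sym", ")"):
        raise ValueError("definition must be enclosed in parentheses")
    toks = toks[1:-1]
    oc: dict = {"oid": toks[0][1], "names": [], "sup": [], "kind": "STRUCTURAL",
                "must": set(), "may": set()}
    pos = 1

    def read_list() -> List[str]:                    # 'x' | ( 'x' 'y' ) | ( a $ b )
        nonlocal pos
        if toks[pos] != ("sym", "("):
            pos += 1
            return [toks[pos - 1][1]]
        items, pos = [], pos + 1
        while toks[pos] != ("sym", ")"):
            if toks[pos] != ("sym", "$"):
                items.append(toks[pos][1])
            pos += 1
        pos += 1
        return items

    while pos < len(toks):
        kw = toks[pos][1]
        pos += 1
        if kw == "NAME":
            oc["names"] = read_list()
        elif kw == "DESC":
            oc["desc"] = toks[pos][1]
            pos += 1
        elif kw == "SUP":
            oc["sup"] = read_list()
        elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = kw
        elif kw in ("MUST", "MAY"):
            oc[kw.lower()] = {a.lower() for a in read_list()}
        elif kw == "OBSOLETE":
            oc["obsolete"] = True
        else:
            raise ValueError("unexpected token %r" % kw)
    return oc


def load_schema(definitions: List[str]) -> Dict[str, dict]:
    schema: Dict[str, dict] = {}
    for d in definitions:
        oc = parse_objectclass(d)
        for name in oc["names"]:
            schema[name.lower()] = oc                # every NAME is an alias
    return schema


def allowed_attributes(schema: Dict[str, dict], classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """(must, may) over the classes and, recursively, their super-classes."""
    must: Set[str] = set()
    may: Set[str] = set()
    for name in classes:
        oc = schema[name.lower()]                    # KeyError for an unknown class
        sup_must, sup_may = allowed_attributes(schema, oc["sup"])
        must |= oc["must"] | sup_must
        may |= oc["may"] | sup_may
    return must, may


def validate_entry(schema: Dict[str, dict], entry: Dict[str, List[str]]) -> List[str]:
    """Problems found; an empty list means the entry fits the schema."""
    attrs = {a.lower(): v for a, v in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    try:
        must, may = allowed_attributes(schema, classes)
    except KeyError as exc:
        return ["unknown objectClass %s" % exc.args[0]]
    problems = ["missing mandatory attribute %s" % a for a in sorted(must - set(attrs))]
    problems += ["attribute %s not allowed by the object classes" % a
                 for a in sorted(set(attrs) - must - may)]
    return problems


# 'top' and 'person' as in RFC 4512 / RFC 4519; 'option' as on the slide.
SCHEMA = load_schema([
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "objectclass ( 1.3.6.1.4.1.7391.2.2.3 NAME ( 'option' 'opt' ) "
    "DESC 'describes an option' SUP top STRUCTURAL MUST ( cn ) "
    "MAY ( description $ manager $ ou $ labeledURI $ Population $ semester ) )",
])
```

Attribute names are compared case-insensitively, as LDAP does; the validator does not check the "exactly one structural chain" rule of page 31 nor attribute syntaxes, only the presence rules.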

Page 33: The schema

A set of definitions of objects handled by the directory.

Describes:

Object classes

Attribute types

Attribute syntaxes

Inheritance properties

Page 34: Security

Two purposes:

Security of communications

Authentication of the partners

Page 35: Security of communications

TLS / SSL

TLS = Transport Layer Security
SSL = Secure Sockets Layer
TLS 1.0 ≈ SSL 3.0
TLS: RFC 2246
Certificates use the X.509 format

(SSL 3.0 and TLS 1.0 have since been deprecated; use TLS 1.2 or later. LDAP can use TLS either on a dedicated port, ldaps:// on 636, or by upgrading a plain connection with the StartTLS extended operation of RFC 2830.)

SASL

SASL may also protect the data exchange (a SASL "security layer" providing integrity and confidentiality) if TLS/SSL is not present.

Page 36: Authentication

Three levels:

None (= anonymity!!!): the server still answers, so anonymous access must be restricted by its access control.

Simple authentication

Strong authentication

Page 37: Simple authentication

User identifier (usually, a DN)

Password (sent in clear text inside the bind request)

The exchange should therefore be encrypted with TLS.
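What "clear text" means is easiest to see in the PDU itself. The following added example (not from the slides) encodes by hand, with BER, the BindRequest and UnbindRequest PDUs of pages 11 and 14, decodes a BindResponse, and adds the check a client should make against the "unauthenticated" simple bind of RFC 4513 section 5.1.2 (a DN with an empty password, which many servers accept as an anonymous bind). The DN, the password and the two server replies are constructed; nothing here talks to a real server.

```python
# Added example (not from the slides): LDAPv3 bind/unbind PDUs encoded with
# BER (X.690, structures from RFC 4511) and a BindResponse decoder.
from typing import Tuple


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding, n >= 0."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def bind_request(msg_id: int, name: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }"""
    body = ber_int(3) + tlv(0x04, name.encode("utf-8")) + tlv(0x80, password)
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))


def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL: tag 0x42, length 0."""
    return tlv(0x30, ber_int(msg_id) + b"\x42\x00")


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(pdu: bytes) -> Tuple[int, int, str]:
    """(messageID, resultCode, diagnosticMessage) of a BindResponse PDU."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)                # INTEGER messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:                            # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(body)              # ENUMERATED resultCode
    _, _matched, pos = read_tlv(body, pos)     # matchedDN
    _, diag, _ = read_tlv(body, pos)           # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8")


def password_is_visible(pdu: bytes, password: bytes) -> bool:
    """The slide's point: without TLS, anyone on the path reads this."""
    return password in pdu


def is_unauthenticated_bind(name: str, password: bytes) -> bool:
    """RFC 4513 section 5.1.2: a name with an empty password is an
    'unauthenticated' bind that many servers answer with success as an
    anonymous session; an application that treats a successful bind as
    a login must refuse to send it."""
    return bool(name) and not password


# Constructed server replies (not captured from a real server).
BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")    # resultCode 0 (success)
BIND_INVALID = bytes.fromhex("300d02010161080a01310400040178")  # resultCode 49, message "x"

if __name__ == "__main__":
    pdu = bind_request(1, "cn=admin,o=int,c=fr", b"secret")  # constructed DN and password
    print(pdu.hex())
    print(parse_bind_response(BIND_INVALID))
```

The anonymous bind of page 36 is the same PDU with an empty name and an empty password; the StartTLS of page 35 must already be in place before the bind is sent for the password not to be readable on the network.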

Page 38: Strong authentication

SASL (Simple Authentication and Security Layer; RFC 2222, since revised as RFC 4422). Several mechanisms are available:

EXTERNAL (use of TLS and client certificates)

GSSAPI (Kerberos)

DIGEST-MD5 (since declared historic by RFC 6331 because of its weaknesses)

Identifiers depend on the chosen mechanism.

Possibility to use a "proxy" authentication (a SASL authorization identity distinct from the authenticated identity).

Page 39: LDIF: LDAP Data Interchange Format

File format suitable for describing directory information or modifications made to directory information

Typically used to:

import and export directory information between LDAP-based directory servers

describe a set of changes which are to be applied to a directory

Page 40: LDIF: an example

dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
objectClass: inetOrgPerson
cn: Michel Gardie
sn: Gardie
givenName: Michel
mail: [email protected]
roomNumber: C 107-01
telephoneNumber: 4789
title: responsable d’option de 3e année
title: 3rd year option manager

Page 41: LDIF: attribute modification

dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
changetype: modify
add: licenseCar
licenseCar: 5309 XR 45
-
replace: telephoneNumber
telephoneNumber: 01 60 76 47 89
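The two records above are written on the slides in simplified form: RFC 2849 requires any value that is not plain printable ASCII (the accented French title, a jpegPhoto, a value starting with a space, ':' or '<') to be base64-encoded and written with a double colon, `title:: ...`, and lines longer than 76 characters to be folded onto continuation lines that start with one space. The following added example, not from the slides, writes and reads LDIF with those rules and parses the changetype: modify record of page 41. The sample entry is constructed and omits the e-mail address.

```python
# Added example (not from the slides): RFC 2849 LDIF writer/reader with
# base64 values, 76-column folding and "changetype: modify" records.
import base64
from typing import Dict, List, Tuple, Union

Value = Union[str, bytes]


def _needs_base64(raw: bytes) -> bool:
    # base64 if the value starts with SP, ':' or '<', or contains NUL, CR, LF
    # or any byte above 127 (which covers all non-ASCII text).
    return bool(raw) and (raw[0] in b" :<" or any(b in (0, 10, 13) or b > 127 for b in raw))


def ldif_lines(attr: str, value: Value) -> List[str]:
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if _needs_base64(raw):
        line = "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))
    else:
        line = "%s: %s" % (attr, raw.decode("ascii"))
    out, rest = [line[:76]], line[76:]          # fold at 76 columns
    while rest:
        out.append(" " + rest[:75])             # continuation = one leading space
        rest = rest[75:]
    return out


def entry_to_ldif(dn: str, attrs: Dict[str, List[Value]]) -> str:
    lines = ldif_lines("dn", dn)
    for attr, values in attrs.items():
        for v in values:
            lines += ldif_lines(attr, v)
    return "\n".join(lines) + "\n"


def _record(lines: List[str]) -> Dict[str, object]:
    pairs: List[Tuple[str, Value]] = []
    for line in lines:
        if line == "-":                          # separator inside a modify record
            pairs.append(("-", ""))
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("bad LDIF line: %r" % line)
        if rest.startswith(":"):                 # "attr:: base64"
            raw = base64.b64decode(rest[1:].strip())
            try:
                val: Value = raw.decode("utf-8")
            except UnicodeDecodeError:
                val = raw                        # binary value: keep the bytes
        else:
            val = rest[1:] if rest.startswith(" ") else rest
        pairs.append((attr, val))
    if not pairs or pairs[0][0] != "dn":
        raise ValueError("record must start with dn:")
    dn, body = pairs[0][1], pairs[1:]
    if body and body[0][0] == "changetype":
        changes: List[Tuple[str, str, List[Value]]] = []
        current = None
        if body[0][1] == "modify":               # other changetypes are returned bare
            for attr, val in body[1:]:
                if attr == "-":
                    current = None
                elif current is None:            # "add: attr" / "replace: attr" / "delete: attr"
                    current = (attr, str(val), [])
                    changes.append(current)
                else:
                    current[2].append(val)
        return {"dn": dn, "changetype": body[0][1], "changes": changes}
    attrs: Dict[str, List[Value]] = {}
    for attr, val in body:
        attrs.setdefault(attr, []).append(val)
    return {"dn": dn, "attrs": attrs}


def parse_ldif(text: str) -> List[Dict[str, object]]:
    lines: List[str] = []
    for raw in text.splitlines():                # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records: List[Dict[str, object]] = []
    current: List[str] = []
    for line in lines + [""]:
        if not line.strip():
            if current:
                records.append(_record(current))
                current = []
        elif line.startswith("#") or (not records and not current and line.startswith("version:")):
            continue                             # comment, or the leading "version: 1"
        else:
            current.append(line)
    return records


# Constructed sample data modelled on the slides (e-mail address omitted).
ENTRY: Dict[str, List[Value]] = {
    "objectClass": ["inetOrgPerson"], "cn": ["Michel Gardie"], "sn": ["Gardie"],
    "title": ["responsable d’option de 3e année", "3rd year option manager"],
    "jpegPhoto": [b"\xff\xd8\xff\xe0" + b"\x00" * 100],
    "description": ["x" * 120],
}
MODIFY = """dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
changetype: modify
add: licenseCar
licenseCar: 5309 XR 45
-
replace: telephoneNumber
telephoneNumber: 01 60 76 47 89
-
"""
```

Values that come back from base64 and are not valid UTF-8 (the JPEG here) are kept as bytes; `attr:< file:///...` references are not dereferenced, which is deliberate for an importer that takes LDIF from an untrusted source.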

Page 42: Data storage

LDAP uses the UTF-8 encoding (Unicode Transformation Format, 8-bit) for text attribute values and DN values.

In LDIF, binary data (and any value that is not plain printable ASCII) are encoded with base64.

UTF-8 covers the whole Unicode repertoire: the ISO Latin-1 and Latin-2 characters, katakana (Japanese), Arabic, Greek, Hebrew, etc.

Page 43: Functional model

The functional model defines how information is accessed.

The basic operations allow:

access to the server,

searching entries,

modifying directory entries,

modifying the tree structure.

Page 44: Data access

Data access is done by a combination of:

a searchbase (the starting point),

a filter,

a scope.

Page 45: Data access: search base

The searchbase indicates where to begin a search in the DIT. The searchbase is a DN.

Examples:

o=INT, c=FR

dc=int-evry, dc=fr

ou=LOR, o=INT, dc=int-evry, dc=fr

Page 46: Data access: filter

A filter specifies:

attribute types,

attribute values,

search conditions.

Example: (&(cn=Mi*)(ou=LOR))

Caution: a value placed in a filter must be escaped (RFC 2254, now RFC 4515: the characters * ( ) \ and NUL become \2a \28 \29 \5c \00). A filter built by concatenating raw user input is an LDAP injection: the input "*)(objectClass=*" turns (cn=...) into a filter that matches every entry.

Page 47: Data access: scope

The scope of the search can be:

the base DN itself [base],

one level below the base DN [one],

the sub-tree whose root is the base DN [sub].

Page 48: The scope

Figure: the tree dc=int-evry, dc=fr > INT > LOR, RST > Michel Gardie, Pascal Hennequin, with the entries reached by a base, a one and a sub search marked.

Page 49: Basic operations

search: search objects in the directory according to criteria

compare: check whether an entry holds a given attribute value

add: add an entry

modify: modify an entry

delete: delete an entry

rename (modify DN): change the RDN of an entry

bind: establish a session with the server (authenticate)

unbind: disconnect

abandon: abandon an operation in progress

Page 50: Request parameters (search)

base object: the entry relative to which the search is to be performed

scope: an indicator of the scope of the search to be performed

derefAliases: how alias objects are to be handled

size limit: maximum number of entries to be returned as a result

time limit: maximum time allowed for a search

typesOnly: whether to return attribute types and values, or just types

search filter: conditions an entry must fulfil to match

list of attributes: list of attributes to be returned
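The search parameters of pages 44 to 50 can be exercised without a server. The following is an added example, not from the slides: a parser for the filter syntax of RFC 4515 (successor of RFC 2254), the base/one/sub scope test, an in-memory search over a small tree modelled on the figure of page 48, and the escaping routine that keeps user input from rewriting the filter. All entries are constructed; the DN handling splits on commas and so assumes no escaped commas, and value matching is case-insensitive as with caseIgnoreMatch.

```python
# Added example (not from the slides): in-memory model of the LDAP search
# operation: filter parsing (RFC 4515), scope, and filter-value escaping.
import re
from typing import Any, Dict, List, Tuple

Entry = Dict[str, Any]


def _unescape(v: str) -> str:
    # \2a -> '*', \28 -> '(', \29 -> ')', \5c -> '\'; decoded byte-wise so that
    # a UTF-8 sequence escaped as \c3\a9 comes back as one character.
    raw = re.sub(rb"\\([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), v.encode("utf-8"))
    return raw.decode("utf-8")


def escape_filter_value(v: str) -> str:
    """RFC 4515 escaping for a value that comes from user input."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in v)


def parse_filter(s: str) -> Tuple:
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s: str, pos: int) -> Tuple[Tuple, int]:
    if s[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if s[pos] in "&|!":
        op, pos, kids = s[pos], pos + 1, []
        while s[pos] == "(":
            kid, pos = _parse(s, pos)
            kids.append(kid)
        if s[pos] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %s filter" % op)
        return (op, kids), pos + 1
    end = s.index(")", pos)                    # a ')' inside a value must be escaped
    attr, _, value = s[pos:end].partition("=")
    if not attr or attr[-1] in "~<>":
        raise ValueError("only equality, presence and substring filters are supported")
    if value == "*":
        return ("present", attr), end + 1
    if "*" in value:
        return ("substr", attr, [_unescape(p) for p in value.split("*")]), end + 1
    return ("=", attr, _unescape(value)), end + 1


def _substr(parts: List[str], v: str) -> bool:
    initial, final, middle = parts[0], parts[-1], parts[1:-1]
    if not (v.startswith(initial) and v.endswith(final)):
        return False
    pos = len(initial)
    for m in middle:
        i = v.find(m, pos)
        if i < 0:
            return False
        pos = i + len(m)
    return pos <= len(v) - len(final)


def matches(node: Tuple, attrs: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter; attrs has lower-cased names, values are
    compared case-insensitively (as if every attribute used caseIgnoreMatch)."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, attrs) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    values = [v.lower() for v in attrs.get(node[1].lower(), [])]
    if kind == "present":
        return bool(values)
    if kind == "substr":
        return any(_substr([p.lower() for p in node[2]], v) for v in values)
    return node[2].lower() in values


def _rdns(dn: str) -> Tuple[str, ...]:
    # Good enough for these DNs; an escaped comma would need a real DN parser.
    return tuple(p.strip().lower() for p in dn.split(",")) if dn else ()


def search(dit: List[Entry], base: str, scope: str, filt: str) -> List[str]:
    """DNs of the entries within scope of base that match filt."""
    node, b = parse_filter(filt), _rdns(base)
    found = []
    for e in dit:
        d = _rdns(e["dn"])
        in_scope = {"base": d == b, "one": d[1:] == b,
                    "sub": len(d) >= len(b) and d[len(d) - len(b):] == b}[scope]
        if in_scope and matches(node, {k.lower(): v for k, v in e["attrs"].items()}):
            found.append(e["dn"])
    return found


def _entry(dn: str, **attrs: List[str]) -> Entry:
    return {"dn": dn, "attrs": attrs}


# Constructed tree modelled on the slide's figure.
DIT = [
    _entry("dc=int-evry,dc=fr", objectClass=["domain"], dc=["int-evry"]),
    _entry("o=INT,dc=int-evry,dc=fr", objectClass=["organization"], o=["INT"]),
    _entry("ou=LOR,o=INT,dc=int-evry,dc=fr", objectClass=["organizationalUnit"], ou=["LOR"]),
    _entry("ou=RST,o=INT,dc=int-evry,dc=fr", objectClass=["organizationalUnit"], ou=["RST"]),
    _entry("cn=Michel Gardie,ou=LOR,o=INT,dc=int-evry,dc=fr", objectClass=["inetOrgPerson"],
           cn=["Michel Gardie"], sn=["Gardie"], ou=["LOR"]),
    _entry("cn=Pascal Hennequin,ou=LOR,o=INT,dc=int-evry,dc=fr", objectClass=["inetOrgPerson"],
           cn=["Pascal Hennequin"], sn=["Hennequin"], ou=["LOR"]),
]
```

The injection case is the instructive one: `"(cn=%s)" % "*"` matches every person, while `"(cn=%s)" % escape_filter_value("*")` is the filter (cn=\2a), an equality test for a literal asterisk that matches nothing. Ordering (>=, <=) and approximate (~=) filters are rejected rather than mis-evaluated.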

Page 51: LDAP URLs

LDAP URLs (RFC 2255, now RFC 4516) give web clients direct access to the LDAP protocol.

Syntax:

ldap://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>

Every field after the base DN is optional; the defaults are all user attributes, scope base and filter (objectClass=*).

Page 52: LDAP URLs: examples

ldap://mesange/o=INT,c=FR??sub
returns the complete directory

ldap://mesange/ou=LOR,o=INT,c=FR??one
returns all entries one level below ou=LOR,o=INT,c=FR

ldap://mesange/ou=LOR,o=INT,c=FR???(cn=*mi*)
tests the entries whose attribute cn contains "mi"; note that with the scope field left empty the scope defaults to base, so only the entry ou=LOR,o=INT,c=FR itself is tested against the filter. To search the whole sub-tree the URL must read ldap://mesange/ou=LOR,o=INT,c=FR??sub?(cn=*mi*)

Page 53: LDAP URLs: examples

ldap://mesange/ou=LOR,o=INT,c=FR?cn,sn?one
returns all entries one level below ou=LOR,o=INT,c=FR and displays only the cn and sn attributes.

ldap://mesange/o=INT,c=FR?mail?sub?(cn=*mi*)
searches the sub-tree starting from o=INT,c=FR for all entries whose attribute cn contains "mi" and displays only the mail attribute.

Page 54: Other LDAP URL examples

ldap://mesange/?+?base
accesses the specific entry rootDSE (the empty base DN) and returns its operational attributes

ldap://mesange/o=INT,c=FR?+,*?sub?(sn=Gardie)
returns the standard (*) and operational (+) attributes of the entries with attribute sn=Gardie

ldap://mesange/cn=subschema
returns the standard attributes of this specific entry

ldap://mesange/cn=subschema?+?
returns the schema description (the operational attributes of the subschema entry, such as attributeTypes and objectClasses)
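As an added example, not from the slides, the following parses and builds LDAP URLs according to RFC 4516 (which replaced RFC 2255), applying the defaults the examples of pages 52 to 54 rely on, and percent-encodes a DN or filter so that a space, a '?' or a non-ASCII character inside a value cannot be read as a field separator. The test URLs are the slides' own; the x-example extension name is hypothetical and only exercises the extension field.

```python
# Added example (not from the slides): RFC 4516 LDAP URL parser and builder.
from typing import Dict, Sequence, Tuple
from urllib.parse import quote, unquote, urlsplit

DEFAULT_FILTER = "(objectClass=*)"
SCOPES = ("base", "one", "sub")


def parse_ldap_url(url: str) -> Dict[str, object]:
    """Split ldap[s]://host:port/dn?attrs?scope?filter?extensions into its
    parts, filling in the RFC 4516 defaults for absent fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    default_port = 636 if parts.scheme == "ldaps" else 389
    fields = parts.query.split("?") + ["", "", "", ""]   # attrs ? scope ? filter ? extensions
    scope = fields[1].lower() or "base"
    if scope not in SCOPES:
        raise ValueError("bad scope %r" % fields[1])
    extensions: Dict[str, Tuple[str, bool]] = {}       # name -> (value, critical)
    for ext in fields[3].split(","):
        if ext:
            name, _, value = ext.lstrip("!").partition("=")
            extensions[name.lower()] = (unquote(value), ext.startswith("!"))
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port if parts.port is not None else default_port,
        "dn": unquote(parts.path[1:]),                  # drop the leading '/'
        "attrs": [unquote(a) for a in fields[0].split(",") if a],
        "scope": scope,
        "filter": unquote(fields[2]) or DEFAULT_FILTER,
        "extensions": extensions,
    }


def build_ldap_url(host: str, dn: str, attrs: Sequence[str] = (), scope: str = "base",
                   filt: str = DEFAULT_FILTER, port: int = 389, scheme: str = "ldap") -> str:
    """Assemble a URL, percent-encoding the DN and filter (space -> %20,
    '?' -> %3F) so their content cannot shift the field boundaries."""
    if scope not in SCOPES:
        raise ValueError("bad scope %r" % scope)
    netloc = host if port == (636 if scheme == "ldaps" else 389) else "%s:%d" % (host, port)
    return "%s://%s/%s?%s?%s?%s" % (
        scheme, netloc,
        quote(dn, safe="=,+"),
        ",".join(quote(a, safe="*+") for a in attrs),
        scope,
        quote(filt, safe="()=*&|!~<>"),
    )
```

A parsed URL tells the client where to connect and what to ask for. A referral returned by a server (page 13) is such a URL chosen by the server, so a client that follows referrals automatically must check the host before binding there again with its credentials.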