06/03/2006 INT/LOR/RIP Michel Gardie
LDAP
Lightweight Directory Access Protocol
Summary
Overview
Protocol
Client-server communication
Data model
Attributes
Classes
Schema
Security
LDIF
Functional model
LDAP URLs
Directory: a need.
I want to access a web server: http://www.int-evry.fr/
I want to log on to a remote host: ssh forest.cs.concordia.ca
I want to send an email and get the address from a shared address book
I want to be authenticated when I establish a connection with a mail server
etc.
Examples of directory uses
http://www.int-evry.fr
www.int-evry.fr is resolved by the DNS
finger michel@rainbow
rainbow is resolved by the DNS, michel is resolved either locally, or by a more general directory.
mailto [email protected]
same principle as above
DNS: an example
Is distributed over several cooperating hosts.
Offers simple features:
name → IP addresses
IP address → name, alias
LDAP history
LDAP is an adaptation of the DAP protocol (access protocol to X.500 directories)
LDAP was a front-end processor to X.500 directories
LDAP became a standalone directory in 1995
Last version (v3) in December 1997
LDAP: some examples
white-page directory to contact persons
directory of mail addresses to allow the mailing tools or the servers to compose or verify mail addresses
database to allow authentication (certificates, passwords)
NIS (Network Information Service)
Directory: overview
Directories may contain:
person identification
device identifiers
URLs
pictures
etc.
Directory: offered services
A directory service offers the following features:
a protocol to access a directory
a functional model
a data model
a replication model
a security model
The LDAP protocol
LDAP is a directory protocol over TCP/IP
It defines how operations and data are transmitted
It defines several operations: Bind, Search, Add, Modify, Delete, etc.
The protocol: PDUs
The PDU structure uses the BER syntax (see ASN.1).
Simple values are encoded with BER (integers, booleans, etc.).
Other values are encoded with ASCII, UTF8 or base64 codes.
The protocol: RFCs
Communication is standardized by IETF.
Today's protocol version (RFC 2251): 3
Other RFCs related to LDAPv3:
RFC 2252: attribute syntax
RFC 2253: UTF-8 representation of DN
RFC 2254: search filters
RFC 2255: LDAP URL format
RFC 2256: X.500 schema for LDAP
RFC 2829: authentication methods
RFC 2830: TLS extension
RFC 2849: LDIF
Communications
Client
Main server
Replicated server
Referral server
The client-server communication
The bind operation is optional
The client may send several requests.
Each request has an identifier.
A request may result in several response messages.
Sequence of messages between the client and the server (from the slide's diagram):
connection open and bind
bind result
search operation
entry #1
...
entry #n
search result
unbind
connection close
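The PDU and client-server slides above say that messages are BER-encoded, that each request carries an identifier, and that a session is an optional bind followed by requests and an unbind. The Python below is an added example (not from the slides or from any LDAP library): it hand-encodes a BindRequest and an UnbindRequest with the layout RFC 2251 gives for LDAPMessage, and reads the message ID back from a PDU; the DN and password are constructed values.

```python
"""Hand-rolled BER encoder/decoder for two LDAPv3 PDUs (RFC 2251): BindRequest and UnbindRequest.
Added example, not from the slides; byte layouts follow the LDAPMessage ASN.1 in RFC 2251."""

def ber_length(n):
    # Short form for n < 128, otherwise 0x80|count followed by the length octets.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value):
    # Minimal two's-complement encoding, enough for message IDs and the version number.
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ldap_message(message_id, protocol_op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, ber_integer(message_id) + protocol_op)

def bind_request(message_id, dn, password):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    #                 authentication CHOICE { simple [0] OCTET STRING, ... } }
    # The simple credential is sent as-is: only TLS protects it on the wire.
    op = ber_integer(3) + tlv(0x04, dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    return ldap_message(message_id, tlv(0x60, op))

def unbind_request(message_id):
    # UnbindRequest ::= [APPLICATION 2] NULL
    return ldap_message(message_id, tlv(0x42, b""))

def read_tlv(buf, pos=0):
    # Returns (tag, content, position after this TLV).
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + count], "big"), pos + 2 + count
    return tag, buf[pos:pos + length], pos + length

def peek_message(pdu):
    # Returns (messageID, APPLICATION tag of the protocolOp): the ID is what matches responses to requests.
    tag, body, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, ident, nxt = read_tlv(body)
    op_tag, _, _ = read_tlv(body, nxt)
    return int.from_bytes(ident, "big", signed=True), op_tag & 0x1F
```

The simple credential travels as a plain OCTET STRING, which is why the authentication slides require TLS for simple authentication.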
The data model
The data model is based on entries.
Each entry is identified by a distinguished name.
An entry can store attributes.
Each attribute has a type and one or several values.
An entry has at least one class. The class models the intrinsic nature of an entry.
The data model
The naming space is hierarchical.
This is the Directory Information Tree (DIT).
Each node is an entry.
To be created, an entry must be linked to an already existing entry, or to the root of the tree.
The data model
An entry is identified by a fully qualified name.
This is the Distinguished Name (DN).
A DN is divided into Relative Distinguished Names (RDN).
The data model
Example DIT:
o=int,c=fr
   ou=rst      ou=lor
   cn=PH       cn=MG
The DN of MG is:
dn: cn=MG, ou=lor, o=int, c=fr
ou=lor is an RDN
The DN of lor is:
dn: ou=lor, o=int, c=fr
Attributes
An entry in the directory is a set of {attribute type, attribute value} pairs.
The attributes are characterized by:
a name
an OID
syntax and matching rules
a parent attribute name
a single or multi-value indication
a usage indication
Attribute examples
cn (commonName): contains the name of an object.
sn (surname): contains a family name.
postalCode: contains a zip code.
telephoneNumber: obvious, isn't it?
facsimileTelephoneNumber: a fax number
labelledURI: contains URLs
owner: contains the DN of the owner of an object.
The data model
Attribute examples:
cn: Michel Gardie
mail: [email protected]
ou: Software & Network Department
roomNumber: C 107-01
jpegPhoto:: R01G0D1h1QATAFcAAP//.......
Attributes
Attributes may form a hierarchy.
An attribute may inherit the characteristics of a super-type attribute.
Example:
cn, sn, givenName are subtypes of the super-type attribute Name.
member, owner, roleOccupant are subtypes of the super-type attribute distinguishedName.
Attribute description
attributetype (1.3.6.1.4.1.7391.2.1.3
NAME ('semester' 'sem')
DESC 'allows to code a semester'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27)
Operational attributes
Some attributes are operational because their use is restricted to the server for management operations.
Example:
createTimestamp
modifyTimestamp
These attributes are available in each entry.
Operational attributes
Some attributes only exist in the rootDSE entry or in the subschema entry.
Example:
subschemaSubEntry contains the name of the entry which describes the schema.
attributeTypes contains the attribute types of the schema.
objectClasses contains the classes of the schema.
The data model
Entries must have at least one class: they are "typed".
This is done by the objectClass attribute.
Class examples:
objectClass: person
objectClass: organization
objectClass: organizationalUnit
The data model
An objectClass attribute defines the mandatory and optional attributes.
Example: objectClass person implies that:
the attributes cn and sn are mandatory;
the attributes userPassword, telephoneNumber, seeAlso and description are optional.
Object classes
Object classes represent real or abstract objects through a list of attributes.
An object class is defined by:
a name
an OID
a list of mandatory attributes
a list of optional attributes
a parent class name
a type (structural, auxiliary or abstract)
Class hierarchy
Classes form a hierarchy
At the highest point is the class called top
Each class inherits properties (attributes) from its parent class.
It is possible to enrich a class by creating a child class with extra attributes
Example of class hierarchy
The inetOrgPerson object class derives from:
top
↓
person
↓
organizationalPerson
↓
inetOrgPerson
Class type
The class type defines the nature of attributes used.
Class types:
structural: basic objects of directory
auxiliary: objects used to add information to structural objects
abstract: represents LDAP basic objects such as top or alias.
Class description
Example:
objectclass (1.3.6.1.4.1.7391.2.2.3
NAME ('option' 'opt')
DESC 'describes an option'
SUP top
STRUCTURAL
MUST (cn)
MAY (description $ manager $ ou $ labeledURI $ Population $ semester))
The schema
A set of definitions of objects handled by the directory.
Describes:
Object classes
Attribute types
Attribute syntaxes
Inheritance properties
Security
Two purposes:
Security of communications
Authentication of the partners
Security of communications
TLS / SSL
TLS = Transport Layer Security
SSL = Secure Sockets Layer
TLS 1.0 ≈ SSL 3.0
TLS: RFC 2246
Certificates use the X.509 format
SASL
SASL may encrypt the data exchange if TLS/SSL is not present.
Authentication
Three levels:
None ( = anonymity!!!)
Simple authentication
Strong authentication
Simple authentication
User identifier (usually, a DN)
Password (clear text)
The exchange should be encrypted with TLS
Strong authentication
SASL (Simple Authentication and Security Layer; RFC 2222)
Several mechanisms are available:
External (use of TLS and certificates)
GSSAPI (Kerberos)
Digest-MD5
Identifiers depend on the chosen mechanism.
A "proxy" authentication may be used.
LDIF: LDAP Data Interchange Format
File format suitable for describing directory information or modifications made to directory information
Typically used to:
import and export directory information between LDAP-based directory servers
describe a set of changes which are to be applied to a directory
LDIF: an example
dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
objectClass: inetOrgPerson
cn: Michel Gardie
sn: Gardie
givenName: Michel
mail: [email protected]
roomNumber: C 107-01
telephoneNumber: 4789
title: responsable d’option de 3e année
title: 3rd year option manager
LDIF: attribute modification
dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
changetype: modify
add: licenseCar
licenseCar: 5309 XR 45
-
replace: telephoneNumber
telephoneNumber: 01 60 76 47 89
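An added example, not from the slides: a small Python parser for the LDIF records shown in the two examples above, handling multi-valued attributes, the "::" base64 form used earlier for jpegPhoto, folded continuation lines and changetype: modify records. The sample input is constructed from the slide examples (the jpegPhoto value is a constructed 4-byte stub, the titles use ASCII only).

```python
import base64

SAMPLE_LDIF = """\
# constructed sample modelled on the two LDIF slides: one entry, then a modify record
dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
objectClass: inetOrgPerson
cn: Michel Gardie
title: 3rd year option manager
title: responsable d'option de 3e annee
jpegPhoto:: iVBORw==
description: a value folded over two
  lines, as RFC 2849 allows

dn: cn=Michel Gardie, ou=LOR, o=INT, c=FR
changetype: modify
add: licenseCar
licenseCar: 5309 XR 45
-
replace: telephoneNumber
telephoneNumber: 01 60 76 47 89
"""

def parse_ldif(text):
    """Return records as {'dn', 'attrs': {name: [values]}, 'changes': [{'op', 'attr', 'values'}]}."""
    lines = text.replace("\n ", "").splitlines()  # unfold continuation lines (RFC 2849)
    records, rec, change = [], None, None
    for line in lines + [""]:                     # the extra "" flushes the last record
        if line.startswith("#"):
            continue
        if line in ("", "-"):                     # end of a record, or of one modification
            if line == "" and rec is not None:
                records.append(rec)
                rec = None
            change = None
            continue
        name, _, value = line.partition(":")
        # "name:: base64" carries binary or non-ASCII data, "name: text" is plain UTF-8
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        if rec is None:                           # a record always starts with its dn
            rec = {"dn": value, "attrs": {}, "changes": []}
        elif name == "changetype":
            rec["changetype"] = value
        elif name in ("add", "replace", "delete") and rec.get("changetype") == "modify":
            change = {"op": name, "attr": value, "values": []}
            rec["changes"].append(change)
        elif change is not None:
            change["values"].append(value)
        else:
            rec["attrs"].setdefault(name, []).append(value)
    return records
```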
Data storage
LDAP uses the UTF-8 character set (Unicode Transformation Format 8) to store text attribute values and DN values.
Binary data are encoded with the base64 code.
UTF-8 covers several character sets:
iso-latin1, iso-latin2, etc.
katakana (Japanese), Arabic, Greek, Hebrew, etc.
Functional model
The functional model defines how to access information.
The basic operations allow:
to access the server,
to search entries,
to modify the directory entries,
to modify the tree structure.
Data access
Data access is done by a combination of:
a searchbase (the starting point),
a filter,
a scope.
Data access: search base
The searchbase indicates where to begin a search in the DIT. The searchbase is a DN.
Examples:
o=INT, c=FR
dc=int-evry, dc=fr
ou=LOR, o=INT, dc=int-evry, dc=fr
Data access: filter
A filter specifies:
attribute types,
attribute values,
search conditions.
Example: (&(cn=Mi*)(ou=LOR))
Data access: scope
The scope of the search can be:
the base DN itself [base],
one level below the base DN [one],
the sub-tree whose root is the base DN [sub].
The scope
Figure (from the slide): the three scopes base, one and sub drawn on a tree rooted at dc=int-evry, dc=fr, with INT below it, the LOR and RST departments, and the entries of Michel Gardie and Pascal Hennequin.
Basic operations
search: search objects in the directory according to criteria
compare: compare 2 objects
add: add an entry
modify: modify an entry
delete: delete an entry
rename: modify the RDN of an entry
bind: establish a connection with the server
unbind: disconnection
abandon: abandon an operation
Request parameters
base object: the entry relative to which the search is to be performed
scope: an indicator of the scope of the search to be performed
derefAliases: how alias objects are to be handled
size limit: maximum number of entries to be returned as a result
time limit: maximum time allowed for a search
typesOnly: whether attribute types and values, or just types, are returned
search filter: conditions to fulfill for a search to match a given entry
list of attributes: list of attributes to be returned
LDAP URLs
LDAP URLs (RFC 2255) allow the web clients to have a direct access to the LDAP protocol.
Syntax:
ldap://<hostname>:<port>/<base_dn>?<attributes>?<scope>?<filter>
LDAP URLs: examples
ldap://mesange/o=INT,c=FR??sub
returns the complete directory
ldap://mesange/ou=LOR,o=INT,c=FR??one
returns all entries one level below ou=LOR,o=INT,c=FR
ldap://mesange/ou=LOR,o=INT,c=FR???(cn=*mi*)
searches in the sub-tree all entries with attribute cn containing mi.
LDAP URLs: examples
ldap://mesange/ou=LOR,o=INT,c=FR?cn,sn?one
returns all entries one level below ou=LOR,o=INT,c=FR and displays only the cn and sn attributes.
ldap://mesange/o=INT,c=FR?mail?sub?(cn=*mi*)
searches in the sub-tree, starting from o=INT,c=FR, all entries with attribute cn containing mi and displays only the mail attribute.
Other LDAP URL examples
ldap://mesange/?+?base
accesses the specific entry rootDSE
ldap://mesange/o=INT,c=FR?+,*?sub?(sn=Gardie)
returns standard and operational attributes of entries with attribute sn=Gardie.
ldap://mesange/cn=subschema
returns standard attributes of this specific entry
ldap://mesange/cn=subschema?+?
returns the schema description
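An added example (not part of the slides): a Python parser for the ldap:// URL syntax of RFC 2255 shown above, applying the defaults the RFC gives for omitted fields, plus a translation of the parsed URL into the arguments of OpenLDAP's ldapsearch. The host mesange and the DNs are the ones used in the slide examples; the function names are my own.

```python
from urllib.parse import unquote, urlsplit

SCOPES = ("base", "one", "sub")

def parse_ldap_url(url):
    """Split an RFC 2255 ldap:// URL into its fields, filling omitted ones with the RFC defaults."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap:// URL")
    # Only the first "?" opens the query; later ones separate attributes?scope?filter?extensions.
    fields = [unquote(f) for f in parts.query.split("?")] + [""] * 4
    attrs, scope, flt, exts = fields[:4]
    if scope and scope not in SCOPES:
        raise ValueError("scope must be base, one or sub")
    return {
        "host": parts.hostname or "",          # an empty host means "a default server"
        "port": parts.port or 389,
        "base_dn": unquote(parts.path[1:]),    # "" addresses the rootDSE
        # "" = all user attributes (also written "*"), "+" = the operational attributes
        "attributes": [a for a in attrs.split(",") if a] or ["*"],
        "scope": scope or "base",              # an omitted scope is base, not sub
        "filter": flt or "(objectClass=*)",
        "extensions": exts,
    }

def ldapsearch_argv(url):
    """The same search as an OpenLDAP ldapsearch command line (-H, -b, -s, filter, attributes)."""
    u = parse_ldap_url(url)
    return ["ldapsearch", "-H", f"ldap://{u['host']}:{u['port']}", "-b", u["base_dn"],
            "-s", u["scope"], u["filter"], *u["attributes"]]
```

RFC 2255 defaults an empty scope field to base, so a URL written with "???" and a filter tests only the base entry unless sub is given explicitly.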