LDAP: Lightweight Directory Access Protocol • Presentation by Alakesh Apurva Dhan and Ash
What is LDAP • LDAP is lightweight • Sufficiently straightforward • Easy to implement, as against X.500 DAP, which is heavyweight
LDAP • Directory, because data is organised in the form of a tree, much like the Unix file system • Uses a simplified set of encodings • Runs directly above TCP/IP • Uses strings to represent data
LDAP • LDAP security model: defines how information can be protected from unauthorised access
LDAP • LDAP API • There are several LDAP APIs (application programming interfaces); the oldest ones are written in C • Nowadays LDAP APIs are available in other programming languages like Perl and Java
How LDAP works • The LDAP directory service is based on the client-server model • LDAP is a message-oriented protocol • The client constructs an LDAP message containing a request and sends it to the server
How LDAP works • The server processes the request and sends the result back to the client in the form of an LDAP message
LDAP backends • The basic daemon process that runs on the LDAP server, called slapd, comes with three different backend databases • We assume that in our case we use LDBM, the most used one
How LDAP works • The LDAP database works by adding a compact four-byte unique identifier to each entry • Index files are maintained for referring to the data
LDAP protocol operations • Interrogation operations: search, compare • Add/delete operations: add, delete, modify DN • Authentication and control operations: bind, unbind, abandon
LDAP information model • The basic unit is the entry (a collection of information about an object) • An entry is composed of a set of attributes
LDIF • LDIF stands for LDAP Data Interchange Format • Directory entries in LDAP are written in the form of LDIF
LDIF format • Basic form of LDIF: a "# comment" line, then "dn: <distinguished name>", then one "<attrdesc>: <attrvalue>" line per attribute • Example: dn: uid=alakesh, dc=iit, dc=edu
LDAP • In addition to being a network protocol, it also defines four models • LDAP information model: defines the kind of data you put in the directory • LDAP naming model: how you organise and refer to directory information
LDIF format • Lines starting with # are considered comments • All other attributes are written in the form <attrdesc>: <value>
LDIF • Each entry is uniquely identified by a distinguished name, or DN. The DN consists of the name of the entry plus a path in the directory tree tracing back to the top of the directory hierarchy • The object class defines the class of attributes that can be used to define an entry
LDIF • Directory data is represented as attribute-value pairs. Any specific piece of information is associated with a descriptive attribute
LDAP configuration • The configuration file slapd.oc.conf contains the definitions of all the object classes • The attributes of the object classes are defined in the slapd.at.conf file
LDAP configuration • Each object class has required and allowed attributes • Required attributes must be present, while allowed ones are optional
LDAP configuration • Each attribute has a corresponding syntax definition
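As an added example that is not part of the slides, a Python reader for LDIF in the form shown above, followed by the required/allowed attribute check that the slapd.oc.conf slides describe. The schema and the sample entries are constructed; the parser also handles wrapped lines and base64 ("::") values, which come from the LDIF specification rather than the slides.

```python
import base64

# Constructed schema in the spirit of slapd.oc.conf: object class -> (required, allowed)
# attributes, lowercased because LDAP attribute names are case-insensitive.
SCHEMA = {"person": ({"cn", "sn"}, {"uid", "mail", "telephonenumber"})}
# Constructed sample data in the slides' form; "attr:: <base64>" is from the LDIF spec, not the slides.
SAMPLE_LDIF = """\
# comment lines are ignored
dn: uid=alakesh, dc=iit, dc=edu
objectClass: person
cn: Alakesh
sn: Apurva
mail:: YWxha2VzaEBpaXQuZWR1

dn: uid=dhan, dc=iit, dc=edu
objectClass: person
cn: Dhan
roomNumber: 42
"""

def parse_ldif(text):
    """Return a list of entries; each maps a lowercased attribute name to its list of values."""
    entries, entry, prev = [], {}, None
    for line in text.splitlines() + [""]:   # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.startswith(" ") and prev:    # wrapped line: continues the previous value
            entry[prev][-1] += line[1:]
            continue
        if not line.strip():                 # blank line: end of entry
            if entry:
                entries.append(entry)
            entry, prev = {}, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        prev = name.strip().lower()
        entry.setdefault(prev, []).append(value.strip())
    return entries

def check_entry(entry, schema=SCHEMA):
    """List the schema violations of one parsed entry (an empty list means it is valid)."""
    required, allowed = set(), set()
    for oc in entry.get("objectclass", []):
        req, allow = schema[oc.lower()]      # KeyError for an object class not in the schema
        required, allowed = required | req, allowed | allow
    present = set(entry) - {"dn", "objectclass"}
    return ([f"missing required attribute {a}" for a in sorted(required - present)] +
            [f"attribute {a} not allowed" for a in sorted(present - required - allowed)])
```

The second sample entry is rejected on both counts, which is the kind of check slapd performs against its object-class definitions before accepting an ldapadd data file.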
LDAP access control • access to <what> [ by <who> <access level> <control> ] • This directive grants access to a set of entries/attributes by one or more requesters • Example: access to * by * read
LDAP access control • The above directive gives read permission to everyone • For example, access to dn=".*, c=india" by * search gives search permission on the entries under the c=india subtree
ldapadd • The OpenLDAP package comes with a shell executable named ldapadd, used to add entries to the database while the LDAP server is running • Basic syntax is ldapadd -f <datafile> -D <dn> -w <passwd>, or -W if the password is to be prompted for
ldapdelete • Another shell executable, for deleting entries • Its syntax is ldapdelete 'cn=hi, o=iitb, c=india'
ldapmodify • Another shell executable, to modify data in the directory database • It has similar syntax to ldapadd
ldapsearch • Shell-accessible interface to the ldap_search() C routine • ldapsearch opens a connection to the LDAP server and performs a search that follows the filtering rules defined in RFC 1558
ldapsearch • For example, ldapsearch -b "c=india" "o=iitb": if * is allowed read access by default, the o=iitb entry will be returned • The -b option specifies the search base
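As an added example that is not part of the slides, a Python simulation of how slapd evaluates the access directives described above: the first "access to" clause whose <what> covers the entry wins, the first matching "by" clause inside it decides the level, and levels are cumulative, which is why the ldapsearch on the o=iitb slide depends on * being granted read rather than just search. The directives and DNs are constructed; only the * and dn="<regex>" forms of <what> and the *, anonymous, users, self and dn="<regex>" forms of <who> are modelled, a subset of what real slapd accepts.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # cumulative: read also grants search, compare, auth

# Constructed directives in the form the slides show: entries under c=india are readable by
# requesters bound as a DN under o=iitb, only searchable anonymously and closed to everyone
# else; the rest of the tree keeps the slides' "access to * by * read".
ACL = """
access to dn=".*,c=india" by dn=".*,o=iitb,c=india" read by anonymous search by * none
access to * by * read
"""

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' lines into (what, [(who, level), ...]) tuples."""
    rules = []
    for line in text.strip().splitlines():
        head, *by_clauses = re.split(r"\s+by\s+", line.strip())
        what = re.fullmatch(r'access\s+to\s+(\*|dn="[^"]*")', head).group(1)  # only * and dn="<regex>"
        rules.append((what, [tuple(c.split()) for c in by_clauses]))
    return rules

def _matches(who, requester_dn, target_dn):
    """Does the <who> clause select the requester? None means an anonymous (unbound) client."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if requester_dn is None:                 # "users", "self" and dn="<regex>" all need a bound DN
        return False
    if who == "users":
        return True
    if who == "self":
        return requester_dn.lower() == target_dn.lower()
    if who.startswith('dn="'):
        return re.search(who[4:-1], requester_dn, re.I) is not None
    raise ValueError(f"unsupported <who> form: {who}")

def granted_level(rules, requester_dn, target_dn):
    """Level granted by the first directive whose <what> ('*' or dn="<regex>") covers target_dn."""
    for what, by_clauses in rules:
        if what == "*" or re.search(what[4:-1], target_dn, re.I):
            for who, level in by_clauses:
                if _matches(who, requester_dn, target_dn):
                    return level
            return "none"  # <what> matched but no <who> did: denied; later directives are not consulted
    return "none"          # no directive covers the entry: denied

def allowed(rules, requester_dn, target_dn, wanted):
    """True when the granted level is at least the requested one (levels are cumulative)."""
    return LEVELS.index(granted_level(rules, requester_dn, target_dn)) >= LEVELS.index(wanted)
```

Because evaluation stops at the first matching "access to" clause, a broad "access to * by * read" placed first would silence every directive after it; the subtree-specific rule has to come first.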
LDAP and Java connectivity • There exists a package called JNDI (Java Naming and Directory Interface) • It contains the APIs needed to connect to an LDAP server and retrieve information
JNDI example • A typical piece of code written using JNDI to do an LDAP search will be like this:

```java
// Fragment as shown on the slide. Env.INITCTX and Env.MY_SERVICE refer to a helper
// class, not shown on the slide, that holds the initial context factory class name
// and the server URL; the rest of the search is cut off on the slide.
import java.util.Hashtable;
import java.util.Enumeration;
import javax.naming.*;
import javax.naming.directory.*;

class Search {
    public static void main(String[] args) {
        Hashtable env = new Hashtable(5, 0.75f);
        env.put(Context.INITIAL_CONTEXT_FACTORY, Env.INITCTX); // JNDI service provider class
        env.put(Context.PROVIDER_URL, Env.MY_SERVICE);         // URL of the LDAP server
        // ...
    }
}
```
Why LDAP? • Most LDAP servers are optimized for read-intensive operations. Thus, one can see an order-of-magnitude difference when reading data from an LDAP directory versus obtaining the same data from a relational database server optimized for OLTP. • Because of this optimization, however, most LDAP directories are not suited for
- Slides: 30