Lightweight Directory Access Protocol LDAP LDAP o Directory

Lightweight Directory Access Protocol LDAP

LDAP o Directory n A set of objects with similar attributes o n Organized in a logical and hierarchical manner Example: o Telephone directory n n n Series of names (either of persons or organizations) Organized alphabetically Each name has an address and phone number

LDAP o An application protocol n n o For querying and modifying directory services Runs over TCP/IP LDAP is often used by other services for authentication

LDAP o LDAP directory tree n Often reflects various o o o n Political Geographic Organizational boundaries Depends on the model chosen

LDAP o LDAP deployments today tend to use Domain Name System (DNS) names for structuring the topmost levels of the hierarchy n Deep inside the directory might appear entries representing o o o People Organizational units Printers Documents Groups of people Anything else which represents a given tree entry (or multiple entries)

LDAP Data Structure Hierarchical dc: domain component ou: organizational unit Flat

LDAP o Current version is LDAPv 3 n Specified in a series of Internet Engineering Task Force Standard Track Requests for comments (RFCs) o Detailed in RFC 4510

Origin and influences

Origin and influences o Telecommunication companies introduced the concept of directory services n n o o Information Technology Computer Networking Understanding of directory requirements was welldeveloped after some 70 years of producing and managing telephone directories The culmination of this input was the comprehensive X. 500 specification n Suite of protocols produced by the International Telecommunication Union (ITU) in the 1980 s

Origin and influences o X. 500 directory services n n o LDAP originally intended to be a "lightweight" alternative protocol for accessing X. 500 directory services n o Accessed via the X. 500 Directory Access Protocol (DAP) Required the Open Systems Interconnection (OSI) protocol stack Through the simpler TCP/IP protocol stack Model of directory access was borrowed from other protocols

Origin and influences o Standalone LDAP directory servers followed n o LDAP has become popular in enterprises n o Also directory servers supporting both DAP and LDAP Removed any need to deploy an OSI network X. 500 directory protocols including DAP can also be used directly over TCP/IP

Origin and influences o Early engineering stages of LDAP n n Known as Lightweight Directory Browsing Protocol, or LDBP Renamed as the scope of the protocol was expanded to include: o o Directory browsing and searching functions Directory update functions

Protocol overview

Protocol overview o Client starts an LDAP session by connecting to an LDAP server n o Client sends operation requests to the server n o Default on TCP port 389 Server sends responses in turn (e. g. whenever it wants) With some exceptions the client need not wait for a response before sending the next request n Server may send the responses in any order

Protocol overview Client may request the following operations: o n Start TLS o o n Bind o n n Generic operation used to define other operations Unbind o o Abort a previous request Extended Operation o n Move or rename an entry Abandon o n Test if a named entry contains a given attribute value Add a new entry Delete an entry Modify Distinguished Name (DN) o n Search for and/or retrieve directory entries Compare o n Authenticate and specify LDAP protocol version Search o n Optional Protect the connection with Transport Layer Security (TLS) Close the connection (not the inverse of Bind) Server may send "Unsolicited Notifications“ n Not responses to any request o e. g. Warning of an impending connection time out

Protocol overview o Common way of making a secure LDAP communication is using an SSL tunnel n Denoted in LDAP URLs by using the URL scheme "ldaps" o n Use of LDAP over SSL was common in LDAP Version 2 o o n LDAPv 2 Was never standardized in any formal specification Usage has been deprecated along with LDAPv 2 o o Default port for LDAP over SSL is 636 Officially retired in 2003 LDAP is defined in terms of ASN. 1 n n Protocol messages are encoded in the binary format BER Uses textual representations for a number of ASN. 1 fields/types

Directory structure

Directory structure o Protocol access of LDAP directories n Directory is a tree of directory entries n Entry consists of a set of attributes o An attribute has n n n Attributes are defined in a schema Each entry has a unique identifier: o Distinguished Name (DN) n n n a name an attribute type or attribute description one or more values Consists of its Relative Distinguished Name (RDN) constructed from some attribute(s) in the entry Followed by the parent entry's DN Think of the o o DN as a full filename RDN as a relative filename in a folder

Directory structure o DN may change over the lifetime of the entry n o For instance, if entries move within a tree To reliably and unambiguously identify entries n UUID might be provided in the set of the entry's operational attributes

Directory structure o o Note: LDAP is a binary protocol Example entry represented in LDAP Data Interchange Format (LDIF): n dn: cn=John Doe, dc=example, dc=com cn: John Doe given. Name: John sn: Doe telephone. Number: +1 888 555 6789 telephone. Number: +1 888 555 1234 mail: john@example. com manager: cn=Barbara Doe, dc=example, dc=com object. Class: inet. Org. Person object. Class: organizational. Person object. Class: person object. Class: top n Where: o dn (distinguished name) is the name of the entry n o o n n it's not an attribute nor part of the entry "cn=John Doe" is the entry's RDN "dc=example, dc=com" is the DN of the parent entry. Other lines show the attributes in the entry Attribute names are typically mnemonic strings o o "cn" for common name, "dc" for domain component "mail" for e-mail address "sn" for surname

Directory structure o o A server holds a subtree starting from a specific entry, e. g. "dc=example, dc=com" and its children Servers may also hold references to other servers n o o An attempt to access "ou=department, dc=example, dc=com" could return a referral or continuation reference to a server which holds more of the directory tree Client can then contact the other server Some servers also support chaining n Server contacts other server(s) and returns the results to the client

Directory structure o LDAP rarely defines any ordering: n Server may return o o o the values in an attribute the attributes in an entry the entries found by a search operation …in any order o Follows from the formal definitions n n n an entry is defined as a set of attributes an attribute is a set of values sets need not be ordered

Operations

Operations o Client gives each request a positive Message ID n o Response includes a numeric result code indicating: n n n o Server response has the Message ID returned Success An error condition Or some other special cases Before the response, the server may send other messages with other result data n For example: o Each entry found by the Search operation is returned as a message

Operations: Start. TLS operation n n Establishes Transport Layer Security on the connection o a descendant of SSL Provides data confidentiality and/or data integrity protection o n n Protect from tampering During TLS negotiation server sends its X. 509 certificate to prove its identity Client may also send a certificate to prove its identity o Client may then use SASL/EXTERNAL to have this identity used in determining the identity used in making LDAP authorization decisions

Operations: Bind (authenticate) o Bind operation authenticates the client to the server n Simple Bind can send the user's DN and password in plaintext o n Server typically checks the password o n n Kerberos or the client certificate sent with TLS Bind also sets the LDAP protocol version n n o Against the user. Password attribute in the named entry Anonymous Bind (with empty DN and password) resets the connection to anonymous state SASL (Simple Authentication and Security Layer) Bind provides authentication services through a wide range of mechanisms o o Connection should be protected using Transport Layer Security (TLS) Normally clients should use LDAPv 3 Default in the protocol but not always in LDAP libraries Bind had to be the first operation in a session in LDAPv 2 n Not required in LDAPv 3 (the current LDAP version)

Operations: Search and Compare o The Search operation is used to both search for and read entries n Its parameters are: o base. Object n o scope n n n o Which attributes to return in result entries size. Limit, time. Limit n o Whether and how to follow alias entries (entries which refer to other entries) attributes n o How to examine each entry in the scope. E. g. (&(object. Class=person)(|(given. Name=John)(mail=john*))) o search for persons who either have given name John or an e-mail address starting with john. deref. Aliases n o Base. Object (search just the named entry, typically used to read one entry) Single. Level (entries immediately below the base DN) Whole. Subtree (the entire subtree starting at the base DN) filter n o DN (Distinguished Name) of the entry at which to start the search Max number of entries, and max search time types. Only n Return attribute types only, not attribute values

Operations: Search and Compare o Server returns n n n o Matching entries Maybe continuation references (in any order) Followed by the final result with the result code Compare operation n -a DN n -an attribute name n -an attribute value n Checks if the named entry contains that attribute with that value

Operations: Update operations o Add, Delete, and Modify DN n o Modify takes a list of attributes to modify and the modifications to each: n n n o All require the DN of the entry that is to be changed Delete the attribute of some values Add new values Replace the current values with the new ones. Add operations also can have additional attributes and values for those attributes

Operations: Update operations o Modify DN (move/rename entry) takes: n n New RDN (Relative Distinguished Name) (optionally) the new parent's DN Flag which says whether to delete the value(s) in the entry which match the old RDN Server may support renaming of entire directory subtrees

Operations: Update operations o An update operation is atomic: n Later operations will see either the new entry or the old one o LDAP does not define transactions of multiple operations o If you read an entry and then modify it, another client may have updated the entry in the mean time o Servers may implement extensions which support this, however

Operations: Extended operations o Extended Operation n n A generic LDAP operation can be used to define new operations Examples include the o o o Cancel Password Modify Start TLS operations

Operations: o Abandon n n o The Abandon operation requests that the server aborts an operation named by a message ID The server need not honor the request Neither Abandon nor a successfully abandoned operation sends a response n Cancel: an extended operation which does send a response o Not all implementations support cancel

Operations: o Unbind n The Unbind operation abandons any outstanding operations and closes the connection o o It has no response Name is of historical origin: n n It is not the opposite of the Bind operation. Clients can abort a session by simply closing the connection, but they should use Unbind o Otherwise server cannot tell the difference between a failed network connection (or a truncation attack) and a discourteous client

LDAP URLs

LDAP URLs o LDAP URL format exists Clients support in varying degree n Servers return in referrals and continuation references n o Typical form: n ldap: //host: port/DN? attributes? scope? filter? extensions o o o The attributes, scope, filter and extensions are positional I. E. if one of parameters is not used the ? is still required except at the end E. g. no scope or extensions n ldap: //fred. uncc. edu/DN? att 1? ? filt 1

LDAP URLs o Most components are optional n n n n o host is the DNS or IP address of the LDAP server to search port is the network port of the LDAP server DN is the distinguished name to use as the search base attributes is a comma-separated list of attributes to retrieve scope specifies the search scope and can be "base" (the default), "one" or "sub" filter is a search filter, e. g. (object. Class=*) (see RFC 4515) extensions are extensions to the LDAP URL format Examples: "ldap: //ldap. example. com/cn=John%20 Doe, dc=example, dc=com“ n refers to all user attributes in John Doe's entry in ldap. example. com n As in other URLs, special characters must be percent-encoded "ldap: ///dc=example, dc=com? ? sub? (given. Name=John)" n searches for the entry in the default server o o o DN: example. com No attributes Scope: sub Filter: given. Name=John No extensions There is a similar non-standard "ldaps: " URL scheme for LDAP over SSL

Usage

Usage o Applications n Reasons to choose LDAP for a service: o Widely supported n o LDAP is very general and includes basic security n n o Allows focusing on a few protocols Instead of having to maintain and upgrade many specialized protocols Two common applications of LDAP: o o Computer user/group data Address book information (persons, departments etc) n n Can support many types of applications Choosing general protocols like LDAP and HTTP: o n Data presented in LDAP is available to many clients and libraries Many e-mail clients support LDAP lookups Some tasks LDAP does not handle well: o o o Model a relational database Data that is frequently updated Data whose ordering must be preserved n An extension does exist for this

Usage o Naming structure n An LDAP server can return referrals to other servers for requests the server itself will not/can not serve o o A naming structure for LDAP entries is needed so one can find a server holding a given DN A structure already exists in the Domain name system (DNS) n n If an organization has domain name foo. example o Its top level LDAP entry will therefore typically have the DN n o dc=foo, dc=example o where dc means domain component If the ldap server is also named ldap. foo. example, the organization's top level LDAP URL becomes n n Servers' top level names often mimic DNS names ldap: //ldap. foo. example/dc=foo, dc=example Below the top level, the entry names will typically reflect the organization's internal structure or needs rather than DNS names

Terminology

Terminology o The LDAP terminology one can encounter can be confusing n Some of this confusion is due to misunderstandings o o n Other examples are due to its historical origins Others arise when used with non-X. 500 services that use different terminology For example, o "LDAP" is sometimes used to refer to the protocol n o o the attribute type the contents of an attribute in a directory an attribute description (an attribute type with options) An "anonymous" and an "unauthenticated" Bind are different Bind methods that both produce anonymous authentication state o n An "LDAP directory" may be the data or also the access point An "attribute" may be: o n Other times to the protocol and the data So both terms are being used for both variants The "uid" attribute should hold user names rather than numeric user IDs

Closing remarks o LDAP is good for retrieving simple hierarchical type of data n n o o Lookup “directory” type of information The data is already organized LDAP is not good for relational type data LDAP is not a good choice when the data is changed or updated frequently

Resources: o o http: //www. ldapman. org/articles/intro_to_lda p. html http: //quark. humbug. org. au/publications/ldap/ ldap_tut. html

Which is not a good use for LDAP: 1. 2. 3. 4. Finding peoples names and phone numbers Finding departments and department members Searching relational data Organizing user names, userids, and capabilities