LDAP – Lightweight Directory Access Protocol By Sirisha Mandadi and Srivamsi Tarigopula
Introduction
What is LDAP
Why do we need LDAP
What uses does it have
RFC, Origin and Progress
LDAP Protocol Stack
How LDAP Works
LDAP Schema
LDAP Functions
Conclusion
What is LDAP
Lightweight Directory Access Protocol, or LDAP, is a networking protocol for querying and modifying directory services, running over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of named attributes with values. While some services use a more complicated "forest" model, the vast majority use a simple starting point for their database organization.
X.500 model
X.500 is a model for directory services in the OSI model. The DAP (Directory Access Protocol) runs over the OSI network protocol stack and is fairly "heavyweight". Therefore, the University of Michigan developed a "lightweight" version of DAP and called it LDAP.
LDAP RFCs
The Lightweight Directory Access Protocol version 3 (LDAPv3) is specified by this set of nine RFCs:
[RFC2251] Lightweight Directory Access Protocol (v3) [the specification of the LDAP on-the-wire protocol]
[RFC2252] Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
[RFC2253] Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
[RFC2254] The String Representation of LDAP Search Filters
[RFC2255] The LDAP URL Format
[RFC2256] A Summary of the X.500(96) User Schema for use with LDAPv3
[RFC2829] Authentication Methods for LDAP
[RFC2830] Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
[RFC3377] Lightweight Directory Access Protocol (v3): Technical Specification, the document that ties this set together and is the latest RFC for LDAP
Protocol stack
What LDAP software is available
OpenLDAP
UMICH's original LDAP server
Netscape Directory Server
Sun's LDAP server
and even Microsoft's Windows 2000 and Active Directory
What does LDAP do
As a protocol, LDAP does not define how programs work on either the client or server side. It defines the "language" used for client programs to talk to servers (and servers to servers, too). When you talk to an LDAP server you have no idea where the data comes from. LDAP is characterised as a 'write-once-read-many-times' service.
LDAP models
LDAP defines four models:
Information Model (also called the Data Model): defines how the information or data is represented in an LDAP-enabled system.
Naming Model: defines how entries are identified and organized; the specification is used worldwide.
Functional Model: when you read, search, write or modify the LDAP directory you are using the Functional Model.
Security Model: you can control, in a very fine-grained manner, who can do what to what data.
What can we access
We can put just about anything we want into the directory:
Text
Photos
URLs
Pointers to whatever
Binary data
Public key certificates
LDAP access
Object tree structure
Data is represented in an LDAP-enabled directory as a hierarchy of objects.
The top of the tree is commonly called the root.
Each entry in the tree has one parent entry (object) and one or more child entries (objects).
Each entry is composed of (is an instance of) one or more objectClasses.
ObjectClasses contain zero or more attributes.
Directory Information Tree (DIT)
Each entry is composed of one or more objectClasses.
Each objectClass has a name.
Each attribute has a name, usually contains data and is a member of an object class.
LDAP defines operations for accessing and modifying directory entries, such as:
Binding and unbinding
Searching for entries meeting user-specified criteria
Adding an entry
Deleting an entry
Modifying an entry
Modifying the distinguished name or relative distinguished name of an entry (move)
Comparing an entry
12/1/2018
LDAP informational model
LDAP attribute syntaxes
LDAP common attributes
LDIF
When an LDAP directory is loaded for the first time, or when many entries have to be changed at once, it is not very convenient to change every single entry on a one-by-one basis. For this purpose, LDAP supports the LDAP Data Interchange Format (LDIF), which can be seen as a convenient, yet necessary, data management mechanism.
Basic form of an LDIF entry
dn: <distinguished name>
<attrtype>: <attrvalue>
...
Example LDIF file with organizational and person entries
# organization entry at the top of this tree
dn: o=ibm.com
objectclass: top
objectclass: organization
o: ibm.com

dn: ou=People, o=ibm.com
objectclass: top
objectclass: organizationalUnit
ou: People

# an organizationalUnit entry needs its objectclass lines too
dn: ou=marketing, o=ibm.com
objectclass: top
objectclass: organizationalUnit
ou: marketing

# uid and givenname are inetOrgPerson attributes, so the full class chain is listed
dn: cn=John Smith, ou=People, o=ibm.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: John Smith
sn: Smith
givenname: John
uid: jsmith
telephonenumber: 838-6004
LDAP schema
Object classes: an object class is an LDAP term that denotes the type of object being represented by a directory entry or record. Some typical object types are person, organization, organizational unit, domain component and groupOfNames.
LDAP object definition
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: eDominoAccount
Some ITDS object class definitions
objectclass: top
objectclasses=( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' ABSTRACT MUST ( objectClass ) )

objectclass: person
objectclasses=( 2.5.6.6 NAME 'person' DESC 'Defines entries that generically represent people.' SUP 'top' STRUCTURAL MUST ( cn $ sn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

objectclass: organizationalPerson
objectclasses=( 2.5.6.7 NAME 'organizationalPerson' DESC 'Defines entries for people employed by or associated with an organization.' SUP 'person' STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ internationalISDNNumber $ facsimileTelephoneNumber $ street $ postalAddress $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ ou $ st $ l ) )

objectclass: inetOrgPerson
objectclasses=( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Defines entries representing people in an organizations enterprise network.' SUP 'organizationalPerson' STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ pager $ photo $ preferredLanguage $ roomNumber $ secretary $ uid $ userCertificate $ userSMIMECertificate $ x500UniqueIdentifier $ displayName $ o $ userPKCS12 ) )
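As an added example, not part of the slides, here is a small Python parser for the basic LDIF form shown on the LDIF slide, together with a check of each parsed entry against the MUST and MAY lists of the object class definitions above. The LDIF input is constructed (its person entry is deliberately missing sn and carries givenname without inetOrgPerson, so the checker has something to report), the schema table is abridged to the attributes used here, and the organization class (MUST o, from the RFC 2256 standard schema) is not on the slide.

```python
# Added example, not from the slides: parse the basic LDIF form and check each entry against
# the MUST/MAY lists of the ITDS object class definitions above (schema abridged; "organization"
# is taken from RFC 2256, not the slide). The LDIF is constructed, with a deliberately broken entry.
LDIF = """\
dn: o=ibm.com
objectclass: top
objectclass: organization
o: ibm.com

dn: cn=John Smith, ou=People, o=ibm.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
cn: John Smith
givenname: John
"""

# class -> (superclass, MUST attributes, MAY attributes); attribute types lower-cased
SCHEMA = {
    "top": ("", {"objectclass"}, set()),
    "organization": ("top", {"o"}, set()),
    "person": ("top", {"cn", "sn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(), {"title", "ou", "st", "l", "street", "postalcode"}),
    "inetorgperson": ("organizationalperson", set(), {"givenname", "uid", "mail", "displayname"}),
}

def parse_ldif(text):
    """Parse basic LDIF into a list of {attrtype: [values]} dicts (types lower-cased).
    Assumes no line folding and no base64 ('::') values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry):
    """Return the schema violations of one parsed entry (empty list means it conforms)."""
    must, may = set(), set()
    for oc in entry.get("objectclass", []):
        oc = oc.lower()
        while oc:  # inherit MUST/MAY up the SUP chain until 'top'
            sup, m, o = SCHEMA[oc]
            must, may, oc = must | m, may | o, sup
    present = set(entry) - {"dn"}
    problems = [f"missing MUST attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by object classes" for a in sorted(present - must - may)]
    return problems
```

Adding objectclass: inetOrgPerson and an sn line to the second entry makes check_entry return an empty list, which is exactly what a directory server's schema check enforces on add and modify.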
IBM-specific OIDs
1 (ISO-assigned OID)
1.3 (ISO-identified organization)
1.3.18 (IBM)
1.3.18.0 (IBM Objects)
1.3.18.0.2 (IBM Distributed Directory)
Attributes
All the object class does is define the attributes, or types of data items, contained in that type of object. Some examples of typical attributes are cn (commonName), sn (surname), givenName, mail, uid and userPassword.
Attribute definitions
Example attribute: name
attributetypes=( 2.5.4.41 NAME 'name' DESC 'The name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed. It is unlikely that values of this type itself will occur in an entry.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 SUBSTR 2.5.13.4 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
The naming model
The LDAP naming model defines how entries are identified and organized. Entries are organized in a tree-like structure called the Directory Information Tree (DIT). Entries are arranged within the DIT based on their distinguished name (DN). A DN is a unique name that unambiguously identifies a single entry. DNs are made up of a sequence of relative distinguished names (RDNs).
Example of Directory Information Tree
Functional model
Authentication: the Bind, Unbind and Abandon operations are used to connect to and disconnect from an LDAP server, establish access rights and protect information.
Query: Search for entries meeting user-specified criteria, and Compare entries.
Update: Add an entry, Delete an entry, Modify an entry, and modify the distinguished name or relative distinguished name of an entry (ModifyRDN).
Query
Base: a DN that defines the starting point, called the base object, of the search. The base object is a node within the DIT.
Scope: specifies how deep within the DIT to search from the base object. There are three choices: baseObject, singleLevel and wholeSubtree.
Search filter: specifies the criteria an entry must match to be returned from a search.
Attributes to return: specifies which attributes to retrieve from entries that match the search criteria.
Alias dereferencing: specifies if aliases are dereferenced, that is, whether the alias entry itself or the entry it points to is used.
Limits: searches can be very general, examining large subtrees and causing many entries to be returned.
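An added example, not from the slides, that models the search parameters just listed (base, scope, filter, attributes to return, size limit) against a small in-memory directory: the DIT is constructed after the ibm.com example, DNs are compared as lower-cased RDN lists as in the naming model slide, and the filter parser handles only the equality, presence, AND, OR and NOT forms of the RFC 2254 string syntax (no escaped commas in DNs, no escaped parentheses in values).

```python
# Added example, not from the slides: an in-memory model of an LDAP search with base, scope,
# filter, attributes to return and size limit. The DIT is constructed; DN parsing assumes no
# escaped commas in RDN values and the filter parser assumes no escaped parentheses.
DIRECTORY = {
    "o=ibm.com": {"objectclass": ["top", "organization"], "o": ["ibm.com"]},
    "ou=People,o=ibm.com": {"objectclass": ["top", "organizationalUnit"], "ou": ["People"]},
    "cn=John Smith,ou=People,o=ibm.com": {"objectclass": ["top", "person", "inetOrgPerson"],
                                          "cn": ["John Smith"], "sn": ["Smith"], "uid": ["jsmith"]},
    "cn=Ann Lee,ou=People,o=ibm.com": {"objectclass": ["top", "person"], "cn": ["Ann Lee"], "sn": ["Lee"]},
}

def norm_dn(dn):  # DN string -> list of lower-cased RDNs, leaf first (naming model)
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(dn, base, scope):  # the three LDAP search scopes relative to the base object
    d, b = norm_dn(dn), norm_dn(base)
    return {"baseObject": d == b, "singleLevel": d[1:] == b,
            "wholeSubtree": d[-len(b):] == b}[scope]

def parse_filter(s, i=0):  # RFC 2254 string filter -> tree; supports &, |, !, equality, presence
    i += 1  # skip the opening '('
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, entry):  # evaluate a filter tree; attribute values compared case-insensitively
    op, arg = node[0], node[1]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    vals = [v.lower() for v in entry.get(arg, [])]
    return bool(vals) if node[2] == "*" else node[2].lower() in vals

def search(base, scope, filt, attrs=None, sizelimit=0):
    """Return (results, limit_hit); attrs=None returns all attributes, sizelimit=0 is unlimited."""
    tree, results = parse_filter(filt)[0], []
    for dn, entry in DIRECTORY.items():
        if in_scope(dn, base, scope) and matches(tree, entry):
            if sizelimit and len(results) == sizelimit:
                return results, True  # a real server would return sizeLimitExceeded here
            results.append((dn, {a: entry[a] for a in (attrs or entry) if a in entry}))
    return results, False
```

Running search("o=ibm.com", "singleLevel", "(objectclass=*)") returns only the ou=People entry, while the same filter with wholeSubtree returns every entry under the base, which is why the scope and a size limit matter for bounding what a query can enumerate.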
Conclusion
LDAP supports network heterogeneity.
It is vendor independent and extensible.
LDAP works with various applications like email, web access and authentication.
Questions
Q: What other functions can be done through LDAP apart from reading data?
A: Authentication, add, search and modify are supported; LDAP also defines how data and operations are conveyed.
Q: Where is LDAP used?
A: It is used in attribute mapping, email and yellow pages.
Q: Give an example of an application that is LDAP compliant.
A: Microsoft Active Directory.
Thank you!