LDAP Jianwen Luo School of CTI, Depaul Univ. Oct.23, 1998
What is LDAP ? n LDAP is the abbreviate of Lightweight Directory Access Protocol. n It is a standard protocol used by applications to access information in a directory. n Vs. DAP, which is the underlining protocol of X.500
What does directory mean here? n The directory here means a type of database that has been optimized for searching and retrieving structure data. n Most commonly, the directory are used to store information about user profile. Like user name, permission.
Why LDAP is necessary ? n Traditionally, every department has its own user database. n User has more account today, , web, Unix, NT,... n How to synchronize the user info. when his work is related to more than one department? n When Intranet/Extranet used, how to efficiently control the user access?
Why LDAP is necessary -2 ? n How to identify the source over network. n Vs, DNS, too simple, only includes host information. n NDS, not based natively on TCP/IP, vendor supplied. n X.500 too complicated, require OSI stack.
History of LDAP?. n X.500, complex, using OSI n LDAP version 1, RFC 1487,1993 u client interact with a LDAP service which interacts with one or more X.500 server n LDAP version 2, RFC 1777, 1995 u LDAP servers could run independently of X.500. n LDAP version 3, RFC 2251, 1997 u Communication between master servers. u Referral capacity
Protocol Model of LDAP 3. n Client/Server structure. n Objective: minimize the complexity of clients.
Data Model of LDAP 3 -2 n DIT tree (Directory Information Tree) n Entry: Tree is made of entries. n DN (Distinguished Name): a set of attribute=value group which uniquely identify an object n RDN(Relative distinguished name) n Naming Context
Data Model of LDAP n DIT tree
Attributes of Entries. n Entries consist of a set of attributes. n An attribute is a type with one or more associated value. n An attribute type is identified by a short description name and object identifier. n Object identifier decides what kind of value you can have.
Elements of Protocol n LDAP protocol is described using ASN.1. (Abstract Syntax Notation) n All protocol operations are encapsulated in a common envelope, the LDAPMessage.
LDAP message envelop. n LDAPMessage ::= SEQUENCE { n messageID MessageID, n protocolOp CHOICE { n bindRequest BindRequest, n bindResponse BindResponse, n unbindRequest UnbindRequest, n searchRequest SearchRequest, n searchResEntry SearchResultEntry, n searchResDone SearchResultDone, n searchResRef SearchResultReference, n modifyRequest ModifyRequest, n modifyResponse ModifyResponse, n addRequest AddRequest, n addResponse AddResponse, n delRequest DelRequest, n delResponse DelResponse, n modDNRequest ModifyDNRequest, n modDNResponse ModifyDNResponse, n compareRequest CompareRequest, n compareResponse CompareResponse, n abandonRequest AbandonRequest, n extendedReq ExtendedRequest, n extendedResp ExtendedResponse }, n controls [0] Controls OPTIONAL } n MessageID ::= INTEGER (0.. maxInt) n maxInt INTEGER ::= (2^^31 - 1) --
Message ID n For the outstanding Message, message ID is unique. Result Message: LDAPResult ::= SEQUENCE { resultCode Enumerated {…}; matchedDN LDAPDN, errorMessage LDAPString, referral Referral OPTIONAL }
Applications(actions) n Search n Add n Delete n Modify n Compare n Bind: allow authentication information to be exchanged between client and server n unbind:
Authentication and security n Authentication Choice ::simple ( clear text password) n SASL (Simple Authentication and Security Layer, RFC 2222) u allows for integrity and privacy services to be negotiated.
Where do you go tomorrow? n LDAP over SSL, Netscape extension. n Replication supporting, Netscape extension n More complex. n From Lightweight to middleweight
Authentication and security n Authentication Choice ::simple ( clear text password) n SASL (Simple Authentication and Security Layer, RFC 2222) u allows for integrity and privacy services to be negotiated.
Netscape Directory Server 3.1 configuration-1
Advanced configuration of Directory server.