Introduction to Lightweight Directory Access Protocol
Danny Conte, Conte Consultants Inc., Jan 31st 2002
Overview
- History
- Functional Overview
- Protocol Overview
- Data Model
- Replication / Architecture
- Vendor Landscape
- Security Considerations
- Applications
- Operational Challenges
- The LAB Analysis
- Tools & References
LDAP History
- X.500: jointly developed by the ITU and the ISO, each for its own needs.
- X.500 good: distributed, extensible.
- X.500 bad: based on the OSI protocol stack, poor performance, designed for large service providers rather than for the Internet.
- DAP: the X.500 client protocol, not well suited to a desktop PC (heavyweight client).
- Two independent groups developed a 'lighter' client: Directory Assistance Service (DAS, RFC 1202) and Directory Interface to X.500 (DIXIE, RFC 1249); both still depended on an X.500 back end.
- Wengyik Yeong, Steve Kille, Colin Robbins, and Tim Howes published the first LDAP spec in 1993 (RFC 1487).
- LDAP v2 vs v3 (RFC 2251): v3 added referrals, extended operations, SASL authentication, UTF-8 strings and schema discovery. Access control and replication were still vendor-specific or draft work at the time, so expect those to differ between servers.
LDAP Overview
Client operations (functions):
- Interrogate: search, compare.
- Update: add, delete, modify, modify DN.
- Authentication and session control: bind, unbind, abandon (abandon cancels an outstanding request; it does not authenticate anything).
The protocol is message based: every request carries a message ID, so a client may have several requests outstanding and the server may answer them in any order. Client and server handle messages concurrently. Search operations are fast.
Server functions:
- Implement the LDAP RFCs, store data, index data, backup functions.
- Provide access control.
- Keep a transactional record of changes (change log, rollback).
LDAP Protocol Overview
Exchange between an LDAP client and an LDAP server:
1. Bind Request (client)
2. Bind Result (server)
3. Operation Request, e.g. search (client)
4. Operation Result Entry #1 (server)
5. Operation Result Entry #2 (server)
6. Result of Operation, search done (server)
7. Unbind Operation (client)
8. Close connection
- Server port 389 for standard LDAP (cleartext).
- Server port 636 for LDAP over SSL.
- Steps 2 and 6 are KEY for LDAP troubleshooting: each carries a result code that tells you whether the bind was accepted and how the operation finished.
Jan 31/2002
LDAP Protocol Messages
Client -> Server: Bind Request
Server -> Client: Bind Result
Client -> Server: Search Operation msgid=1
Client -> Server: Search Operation msgid=2
Server -> Client: Result Code msgid=2
Server -> Client: Result Code msgid=1
Client -> Server: Unbind Operation
Close connection
The message ID ties each result back to its request: here the second search completes before the first, which is legal because the client does not have to wait for one result before sending the next request.
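The exchange above, as an added example that is not part of the original slides: the client-side BindRequest and UnbindRequest and the two server replies that matter for troubleshooting (BindResponse at step 2, SearchResultDone at step 6) are hand-encoded in BER exactly as they appear on the wire, and a small decoder pulls the message ID and result code back out, which is what you would read from an Ethereal trace. Tag values are those of RFC 2251; the DNs, password and "captured" reply bytes are constructed here, and no network is used.

```python
"""Encode LDAP messages in BER and decode result replies. Added illustration,
not from the original slides. Pure Python 3, no network access: the 'captured'
reply bytes are constructed locally with the same helpers."""

# Universal tags (X.690) and LDAP application tags (RFC 2251 section 4)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61    # [APPLICATION 0] / [APPLICATION 1], constructed
UNBIND_REQUEST = 0x42                       # [APPLICATION 2] NULL, primitive
SEARCH_RESULT_DONE = 0x65                   # [APPLICATION 5], constructed
SIMPLE_AUTH = 0x80                          # AuthenticationChoice: simple [0] OCTET STRING

# LDAPResult codes (RFC 2251 section 4.1.10) most often seen in traces
RESULT_CODES = {
    0: "success", 3: "timeLimitExceeded", 4: "sizeLimitExceeded", 10: "referral",
    32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

def ber_length(n):
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value):
    """Content octets of a non-negative INTEGER/ENUMERATED (minimal two's complement)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body

def ldap_message(msgid, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msgid)) + protocol_op)

def bind_request(msgid, dn, password):
    """Step 1: simple bind, LDAPv3. The password travels as plain octets on port 389."""
    body = (tlv(INTEGER, ber_int(3)) + tlv(OCTET_STRING, dn.encode())
            + tlv(SIMPLE_AUTH, password.encode()))
    return ldap_message(msgid, tlv(BIND_REQUEST, body))

def unbind_request(msgid):
    """Step 7: UnbindRequest is an empty NULL; the server closes the socket afterwards."""
    return ldap_message(msgid, tlv(UNBIND_REQUEST, b""))

def ldap_result(op_tag, msgid, code, matched_dn="", message=""):
    """Server side: BindResponse (step 2) or SearchResultDone (step 6), both an LDAPResult."""
    body = (tlv(ENUMERATED, ber_int(code)) + tlv(OCTET_STRING, matched_dn.encode())
            + tlv(OCTET_STRING, message.encode()))
    return ldap_message(msgid, tlv(op_tag, body))

def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_result(msg):
    """(messageID, op_tag, resultCode, code name, matchedDN, errorMessage) of a reply."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msgid_bytes, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag not in (BIND_RESPONSE, SEARCH_RESULT_DONE):
        raise ValueError("not a BindResponse or SearchResultDone")
    _, code_bytes, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, err, _ = read_tlv(op, pos)
    code = int.from_bytes(code_bytes, "big")
    return (int.from_bytes(msgid_bytes, "big"), op_tag, code,
            RESULT_CODES.get(code, "other"), matched.decode(), err.decode())

if __name__ == "__main__":
    # constructed DN and password; the hex dump shows both readable in the clear
    req = bind_request(1, "uid=dconte,ou=people,o=Canada,dc=3lg,dc=com", "hunter2")
    print(req.hex())
    reply = ldap_result(BIND_RESPONSE, 1, 49)   # a step-2 reply as the server would send it
    print(decode_result(reply))
    print(decode_result(ldap_result(SEARCH_RESULT_DONE, 2, 4, "", "size limit exceeded")))
```

Printing `req.hex()` is the point about sniffing: on port 389 the bind DN and password are right there in the bytes, which is why a captured step 1 is as useful to an attacker as a captured step 2 is to you.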
LDAP Data Model
Directory Information Tree (DIT) used in the examples:
dc=3lg, dc=com
  o=Canada / o=United States / o=Asia
    ou=People / ou=Groups / ou=Servers
Example entry:
dn: uid=dconte, ou=people, o=Canada, dc=3lg, dc=com
uid: dconte
givenName: Danny
sn: Conte
telephoneNumber:
mail:
cn: Danny
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
- Attribute: a name and the data associated with it in an object.
- Object (entry): a collection of attributes and their values.
- ObjectClass: tied to the schema; defines which attributes are required and which are optional.
- Distinguished Name (DN): the full path of an entry from the root, e.g. 'dn: uid=dconte, ou=people, o=Canada, dc=3lg, dc=com'.
- Relative Distinguished Name (RDN): the leftmost component, e.g. uid=dconte. It MUST be unique among the entries under the same parent, because the DN is what identifies an entry.
- Schema: the set of rules that govern what data is stored and how.
- LDIF: LDAP Data Interchange Format (structured text), the usual way to import and export entries.
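The data-model rules above, as an added example that is not part of the original slides: a minimal LDIF reader, a DN splitter that respects RFC 2253 backslash escapes, and the three checks a directory server applies before accepting an entry (MUST attributes of each objectClass, the RDN value being present as an attribute value, and RDN uniqueness among siblings). The schema table is a small subset of RFC 2256 and is an assumption of this example; the LDIF file is constructed, with two of its three entries deliberately broken.

```python
"""Parse LDIF into entries and apply three checks a directory server enforces:
MUST attributes from the objectClass schema, the RDN value present in the entry,
and RDN uniqueness among siblings. Added illustration, not from the slides;
the schema table is a small subset of RFC 2256 and the LDIF is constructed."""
import base64

# MUST attributes only, for the classes used here (RFC 2256 person; organizationalPerson
# and inetOrgPerson add only MAY attributes). Classes not listed get no MUST check.
SCHEMA_MUST = {"top": {"objectclass"}, "person": {"sn", "cn"}}

SAMPLE_LDIF = """\
# constructed sample: the second dconte entry and jdoe are deliberately broken
dn: uid=dconte,ou=People,o=Canada,dc=3lg,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: dconte
givenName: Danny
sn: Conte
cn:: RGFubnkgQ29udGU=
description: constructed sample entry for the
  LDIF checker

dn: uid=DConte,ou=people,o=Canada,dc=3lg,dc=com
objectClass: top
objectClass: person
uid: DConte
cn: Danny

dn: uid=jdoe,ou=People,o=Canada,dc=3lg,dc=com
objectClass: top
objectClass: person
uid: johnd
cn: John Doe
sn: Doe
"""

def parse_ldif(text):
    """Minimal RFC 2849 reader: 'attr: value', 'attr:: base64', leading-space
    continuation lines, '#' comments, blank line between entries."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:
            entry = {"dn": None, "attrs": {}}
            for line in lines:
                name, _, value = line.partition(":")
                value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
                if name.lower() == "dn":
                    entry["dn"] = value
                else:
                    entry["attrs"].setdefault(name.lower(), []).append(value)
            entries.append(entry)
            lines = []
    return entries

def parse_dn(dn):
    """Split a DN into (type, value) RDNs; a backslash escapes the next character (RFC 2253)."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if not esc and ch == ",":
            rdns.append(cur)
            cur = ""
            continue
        esc = ch == "\\" and not esc
        cur += ch
    rdns.append(cur)
    return [tuple(p.strip() for p in r.partition("=")[::2]) for r in rdns]

def normalize_dn(dn):
    """Case-insensitive form; assumes caseIgnoreMatch for every RDN attribute."""
    return ",".join(f"{t.lower()}={v.lower()}" for t, v in parse_dn(dn))

def check_entry(entry):
    """Schema MUST check plus the rule that the RDN value appears as an attribute value."""
    attrs, problems = entry["attrs"], []
    for oc in attrs.get("objectclass", []):
        for must in sorted(SCHEMA_MUST.get(oc.lower(), ())):
            if must not in attrs:
                problems.append(f"missing required attribute {must} (objectClass {oc})")
    rdn_type, rdn_value = parse_dn(entry["dn"])[0]
    if rdn_value.lower() not in [v.lower() for v in attrs.get(rdn_type.lower(), [])]:
        problems.append(f"RDN {rdn_type}={rdn_value} not present as an attribute value")
    return problems

def check_tree(entries):
    """Per-entry problems, plus RDN uniqueness among siblings (entries with the same parent)."""
    report, seen = {}, {}
    for entry in entries:
        problems, key = check_entry(entry), normalize_dn(entry["dn"])
        if key in seen:
            problems.append(f"duplicate RDN under {key.partition(',')[2]} (already used by {seen[key]})")
        else:
            seen[key] = entry["dn"]
        report[entry["dn"]] = problems
    return report

if __name__ == "__main__":
    for dn, problems in check_tree(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", problems or "ok")
```

The second entry differs from the first only in the case of its RDN value, which is why the uniqueness check normalises before comparing: with the usual caseIgnoreMatch rule on uid, `uid=DConte` and `uid=dconte` name the same entry, and a server would reject the add.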
LDAP Replication
- A means of copying a dataset to another server and keeping that copy current.
- Used to distribute data, to provide redundancy and local access.
- Usually incremental and live, driven by changes on the master.
- Referrals: point to the true 'authoritative' data source and are held in the data itself; a replica answers an update request with a referral to the master rather than applying the change locally.
- Single master vs multi-master.
Diagram: a client sends an update to a master server; the master replicates it to the replica; a client that sends an update to the replica receives a referral to the master.
LDAP Architecture
Multi-master scenario for dc=3lg, dc=com with the regions o=Canada, o=Asia, o=United States and o=United Kingdom, each served by its own LDAP servers with local clients:
- Each region is authoritative for its local data.
- Each region holds ALL the data.
- A master server in each region 'glues' the regions together via replication.
- All clients have access to all data locally.
LDAP Vendor Landscape
- iPlanet / Netscape Directory Server; Meta Directory product; Directory Access Router product.
- Microsoft Active Directory (LDAP is LDAP, or is it?).
- Novell reinvents itself as a 'directory company'.
- OpenLDAP.
- The future is... wait and see.
LDAP Security
- Access control lists for search and modify operations must be created carefully: decide who may read which attributes (userPassword above all) and who may write, and deny everything else by default.
- Remember headhunters stealing phonebooks? A directory that lets anonymous or any authenticated user enumerate all of ou=People is a target for the unscrupulous or for disgruntled employees.
- Restrict the number of results a search may return, enforced on the server (i.e. return only the first 10, 20 or 30 entries), so the whole directory cannot be dumped with one query.
- Clients are susceptible to sniffing: a simple bind on port 389 sends the password in cleartext, so use LDAP over SSL (port 636) or StartTLS for authenticated sessions, and keep directory manager passwords secure.
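The first bullet above, worked through as an added example that is not part of the original slides and is not code from any directory product: a small model of the first-match evaluation that OpenLDAP's slapd applies to its `access to <what> by <who> <level>` directives (the first `access to` whose target matches decides; within it the first matching `by` decides; no match at either stage is treated as `none`). The model is simplified by assumption: no `disclose` level, no regex or attribute-value targets, and no rootdn bypass. The two rule sets and all DNs are constructed. The weak set puts a catch-all first, which both exposes password hashes to every authenticated user and, less obviously, breaks anonymous binds because the `by anonymous auth` clause is never reached.

```python
"""Model of OpenLDAP slapd's first-match access-control evaluation, used to show
why the ordering of 'access to' directives matters. Added illustration, not from
the slides and not slapd's code. Simplified by assumption: no 'disclose' level,
no regex/attr-value targets, no rootdn bypass. Rules and DNs are constructed."""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest to strongest

def _norm(dn):
    """Case-insensitive, whitespace-insensitive DN for comparison (no escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def target_matches(target, entry_dn, attr):
    """<what> clause: '*', 'attrs=<name>[,<name>]', or 'dn.subtree="<dn>"'."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr is not None and attr.lower() in {a.strip().lower() for a in target[6:].split(",")}
    if target.startswith("dn.subtree="):
        base, entry = _norm(target[len("dn.subtree="):].strip('"')), _norm(entry_dn)
        return entry == base or entry.endswith("," + base)
    raise ValueError("unsupported target: " + target)

def who_matches(who, requester_dn, entry_dn):
    """<who> clause: '*', 'anonymous', 'users' (any authenticated DN), 'self', or 'dn="<dn>"'."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and _norm(requester_dn) == _norm(entry_dn)
    if who.startswith("dn="):
        return requester_dn is not None and _norm(requester_dn) == _norm(who[3:].strip('"'))
    raise ValueError("unsupported who: " + who)

def granted_level(rules, requester_dn, entry_dn, attr):
    """First matching 'access to' rule decides; within it the first matching 'by' decides.
    No match at either stage is 'none' (the implicit 'by * none')."""
    for target, by_clauses in rules:
        if target_matches(target, entry_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return "none"

def allowed(rules, requester_dn, entry_dn, attr, needed):
    """A granted level covers every weaker level, e.g. 'read' also permits 'search'."""
    return LEVELS.index(granted_level(rules, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)

PEOPLE = "ou=People,o=Canada,dc=3lg,dc=com"
ADMIN = "cn=admin,dc=3lg,dc=com"          # constructed administrator DN (not the rootdn)
DCONTE = "uid=dconte," + PEOPLE
JDOE = "uid=jdoe," + PEOPLE

# Weak: the catch-all comes first, so the userPassword rule below it is never consulted.
WEAK_RULES = [
    ("*", [("users", "read")]),
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
]

# Hardened: most specific target first, then the subtree rule; everything else is denied.
HARDENED_RULES = [
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ('dn.subtree="%s"' % PEOPLE, [('dn="%s"' % ADMIN, "write"), ("users", "read"), ("*", "none")]),
]

def audit(rules):
    """The questions to ask of any ACL set before it goes live."""
    return {
        "jdoe can read dconte's userPassword": allowed(rules, JDOE, DCONTE, "userPassword", "read"),
        "anonymous can bind as dconte (auth on userPassword)": allowed(rules, None, DCONTE, "userPassword", "auth"),
        "jdoe can modify dconte's mail": allowed(rules, JDOE, DCONTE, "mail", "write"),
        "admin can modify dconte's mail": allowed(rules, ADMIN, DCONTE, "mail", "write"),
    }

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules))
```

Note that the weak set fails in both directions: it over-grants (password hashes readable by any user) and under-grants (nobody can bind, and the administrator cannot write), and only the first failure would show up in a quick "can I search?" test. Checking the `auth` case against userPassword as an anonymous requester is the test most often forgotten.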
LDAP Applications
- Lotus Notes / Domino.
- A range of web servers: Apache (PHP/Perl), IIS (ASP).
- NOS: Sun Solaris, Linux, NetWare, Microsoft, IBM OS/390.
- Databases: Oracle, Sybase.
- EAM: Netegrity, Tivoli, Oblix, PeopleSoft.
- Cisco's Network Registrar (DNS/DHCP).
- Video conferencing, IP telephony.
- Public Key Infrastructure (uses LDAP to publish certificates and CRLs).
- Many more vendors whose products need UID / authentication data are allowing clients to use an existing LDAP directory.
Operational / Implementation Challenges
- Determine your needs, i.e. what you expect to store in the directory, then design the schema and the branches (DIT) accordingly.
- Living with an abundance of 'directories': distinguish NOS directories from enterprise directories. Meta-directories are probably needed.
- DMZ challenges: which directory data, if any, is replicated to or reachable from the DMZ.
- New roles and responsibilities (NT admins are not directory managers).
- Document / document / document: create a data source / process map outlining how, where and when data moves in and out of the directory. Process definitions and flow must be clearly defined.
- A Directory Services team?
LDAP LAB / Analysis
Lab layout: two LDAP masters, two LDAP replicas, and an OpenLDAP client.
Software used:
- Windows NT Workstation 4.0 SP6a
- iPlanet Directory Server 5.1
- Red Hat Linux 7.1
- OpenLDAP client on Linux
- VMware for Linux 3.0
- Ethereal sniffer for Linux
Demonstrated: LDAP operations and LDAP replication.
LDAP Tools / References
LDAP clients: see the vendor pages.
RFCs:
- RFC 1777 - Lightweight Directory Access Protocol (v2)
- RFC 1778 - The String Representation of Standard Attribute Syntaxes
- RFC 1959 - An LDAP URL Format
- RFC 1823 - The LDAP Application Program Interface
- RFC 2251 - Lightweight Directory Access Protocol (v3)
Browsers / address-book apps:
- The Netscape 4.x browser is LDAP compliant.
- MS Outlook Express address book.
Public access LDAP directories: ldap://ldap.bigfoot.com
Some graphics are from