LDAP – Light Weight Directory Access Protocol


1 LDAP – Light Weight Directory Access Protocol
By Sirisha Mandadi and Srivamsi Tarigopula

2 Introduction
What is LDAP
Why do we need LDAP
What uses does it have
RFC, origin and progress
LDAP protocol stack
How LDAP works
LDAP schema
LDAP functions
Conclusion

3 What is LDAP Lightweight Directory Access Protocol (LDAP) is a networking protocol for querying and modifying directory services over TCP/IP. An LDAP directory usually follows the X.500 model: it is a tree of entries, each of which consists of a set of named attributes with values. Some services use a more complicated "forest" model (several trees), but the vast majority start from a single tree.

4 X.500 model X.500 is the model for directory services in the OSI world. Its Directory Access Protocol (DAP) runs over the full OSI network protocol stack and is fairly "heavyweight". The University of Michigan therefore developed a lightweight version of DAP that runs over TCP/IP and called it LDAP.

6 LDAP RFCs
The Lightweight Directory Access Protocol version 3 (LDAPv3) is specified by this set of nine RFCs:
RFC 2251 Lightweight Directory Access Protocol (v3) [the specification of the LDAP on-the-wire protocol]
RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
RFC 2254 The String Representation of LDAP Search Filters
RFC 2255 The LDAP URL Format
RFC 2256 A Summary of the X.500(96) User Schema for use with LDAPv3
RFC 2829 Authentication Methods for LDAP
RFC 2830 Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
RFC 3377 Lightweight Directory Access Protocol (v3): Technical Specification, the road map that ties the eight documents above together and was the latest LDAP RFC when this deck was written.
Note: this set has since been obsoleted by RFC 4510 through RFC 4519 (2006), which are the current LDAPv3 specification; the concepts described in the following slides are unchanged.

7 Protocol stack

8 What LDAP software is available
OpenLDAP
UMICH's original LDAP server
Netscape Directory Server
Sun's LDAP server
Microsoft Windows 2000 Active Directory

9 What does LDAP do As a protocol, LDAP does not define how programs work on either the client or server side. It defines the "language" that client programs use to talk to servers (and servers to servers, too). A client talking to an LDAP server cannot tell where the data comes from or how it is stored; the backend is the server's concern. LDAP is characterised as a 'write-once-read-many-times' service: directories are optimised for frequent lookups and comparatively rare updates.

10 LDAP models
LDAP defines four models:
Information Model (Data Model): defines how information is represented in an LDAP-enabled system (entries, attributes and object classes).
Naming Model: defines how entries are identified and organised, by distinguished names within the Directory Information Tree.
Functional Model: when you bind, read, search, write or modify the directory you are using the Functional Model.
Security Model: lets you control, in a very fine-grained manner, who can do what to which data (the identity is established by Bind, the access rights are enforced by the server).

11 What can we access
We can put just about anything we want into the directory:
Text
Photos
URLs
Pointers to whatever
Binary data
Public key certificates

12 LDAP access

13 Object tree structure
Data is represented in an LDAP-enabled directory as a hierarchy of objects.
The top of the tree is commonly called the root.
Every entry except the root has exactly one parent entry (object) and zero or more child entries (objects).
Each entry is composed of (is an instance of) one or more objectClasses.
Each objectClass defines which attributes an entry of that class must (MUST) and may (MAY) contain.

14 Directory Information Tree (DIT)

15 Each entry is composed of one or more objectClasses
Each objectClass has a name.
Each attribute has a name, usually contains data, and is defined as a member of one or more object classes.

16 LDAP defines operations for accessing and modifying directory entries, such as:
Binding and unbinding
Searching for entries meeting user-specified criteria
Adding an entry
Deleting an entry
Modifying an entry
Modifying the distinguished name or relative distinguished name of an entry (ModifyDN: rename or move)
Comparing an entry against an asserted attribute value

17 LDAP Informational model

18 LDAP Attribute Syntaxes

19 LDAP common Attributes

20 LDIF When an LDAP directory is loaded for the first time, or when many entries have to be changed at once, changing every single entry one by one is impractical. For this purpose LDAP supports the LDAP Data Interchange Format (LDIF, RFC 2849), a plain-text representation of entries and changes that is a convenient, and for bulk work necessary, data management mechanism.

21 Basic form of an LDIF entry
dn: <distinguished name>
<attrtype>: <attrvalue>
...

22 Example LDIF file with organizational and person entries
dn: o=ibm.com
objectclass: top
objectclass: organization
o: ibm.com

dn: ou=People, o=ibm.com
objectclass: organizationalUnit
ou: people

dn: ou=marketing, o=ibm.com
# every entry needs at least one objectClass; a server rejects one without it
objectclass: organizationalUnit
ou: marketing

dn: cn=John Smith, ou=people, o=ibm.com
objectclass: organizationalPerson
# givenname and uid are defined by inetOrgPerson (see the schema on slide 25),
# so that class is needed for a schema-checking server to accept the entry
objectclass: inetOrgPerson
cn: John Smith
sn: Smith
givenname: John
uid: jsmith
telephonenumber:
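A worked parser for the LDIF form shown on slides 21 and 22 and for the DN naming model of slide 29, added here as an example; it is not code from the presentation or from any LDAP product. It assumes RFC 2849 LDIF (comment lines, continuation lines, "::" base64 values) and only the comma and backslash rules of DN syntax; the sample directory embedded in it is constructed for the example. Building the tree from the parsed entries is a useful check before a bulk load, because an entry whose parent does not exist is refused by the server; and "::" marks base64 encoding, not protection, so userPassword values exported that way are as readable as plain text.

```python
import base64
import re

# Constructed sample, modelled on the slide's ibm.com example rather than copied
# from it: it adds a comment line, a folded (continuation) line, a base64 value
# ("::") and an entry whose parent is missing, so every branch below is exercised.
SAMPLE_LDIF = """\
# constructed sample directory, not a real export
dn: o=ibm.com
objectclass: top
objectclass: organization
o: ibm.com

dn: ou=People,o=ibm.com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: cn=John Smith,ou=People,o=ibm.com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: John Smith
sn: Smith
uid: jsmith
description: a long value that is folded onto a
  second line as RFC 2849 allows
mail:: anNtaXRoQGV4YW1wbGUuY29t

dn: cn=Jane Doe,ou=Sales,o=ibm.com
objectclass: person
cn: Jane Doe
"""


def unfold(text):
    """Drop '#' comment lines and join continuation lines: a line starting with
    one space continues the previous attribute value (RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for every record in the LDIF text.
    Attribute names are lower-cased (LDAP compares them case-insensitively).
    'attr:: <base64>' is decoded; base64 is encoding, not protection."""
    entries, current_dn, attrs = {}, None, {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if line == "":
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current_dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


_RDN_SPLIT = re.compile(r"(?<!\\),")   # commas not preceded by '\' separate RDNs


def dn_to_rdns(dn):
    """'cn=John Smith, ou=People, o=ibm.com' -> ['cn=John Smith', 'ou=People', 'o=ibm.com'].
    A comma escaped as '\\,' stays inside its RDN value."""
    return [rdn.strip() for rdn in _RDN_SPLIT.split(dn)]


def normalize_dn(dn):
    """Canonical tree key: RDNs joined by ',' with the attribute type lower-cased.
    (Values stay case-sensitive here; a real server applies the attribute's own
    matching rule, usually caseIgnoreMatch.)"""
    parts = []
    for rdn in dn_to_rdns(dn):
        attr_type, _, attr_value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={attr_value.strip()}")
    return ",".join(parts)


def parent_dn(dn):
    """The DN with its first (most specific) RDN removed; None for a suffix."""
    rdns = dn_to_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def build_dit(entries):
    """Return (children, orphans): children maps each normalized DN to the DNs
    directly beneath it; orphans are entries whose parent is absent, which a
    server refuses to add because every non-root entry needs exactly one parent."""
    children = {normalize_dn(dn): [] for dn in entries}
    orphans = []
    for dn in list(children):
        parent = parent_dn(dn)
        if parent is None:
            continue                        # a naming context (suffix) has no parent
        if parent in children:
            children[parent].append(dn)
        else:
            orphans.append(dn)
    return children, orphans


if __name__ == "__main__":
    tree, bad = build_dit(parse_ldif(SAMPLE_LDIF))
    for dn, kids in tree.items():
        print(dn, "->", kids)
    print("orphans:", bad)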

23 LDAP schema
Object classes: an object class is the LDAP term for the type of object that a directory entry or record represents. Some typical object classes are person, organization, organizationalUnit, domain component (dcObject) and groupOfNames.

24 LDAP object definition
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: eDominoAccount

25 Some ITDS object class definitions
In each definition SUP names the superclass whose attributes are inherited, MUST lists the attributes every entry of the class has to carry, and MAY lists the optional ones.

objectclass: top
objectclasses=( NAME 'top' DESC 'Standard ObjectClass' ABSTRACT MUST ( objectClass ) )

objectclass: person
objectclasses=( NAME 'person' DESC 'Defines entries that generically represent people.' SUP 'top' STRUCTURAL MUST ( cn $ sn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

objectclass: organizationalPerson
objectclasses=( NAME 'organizationalPerson' DESC 'Defines entries for people employed by or associated with an organization.' SUP 'person' STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ internationalISDNNumber $ facsimileTelephoneNumber $ street $ postalAddress $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ ou $ st $ l ) )

objectclass: inetOrgPerson
objectclasses=( NAME 'inetOrgPerson' DESC 'Defines entries representing people in an organizations enterprise network.' SUP 'organizationalPerson' STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ pager $ photo $ preferredLanguage $ roomNumber $ secretary $ uid $ userCertificate $ userSMIMECertificate $ x500UniqueIdentifier $ displayName $ o $ userPKCS12 ) )

26 IBM-specific OIDs
1 (ISO-assigned OID)
1.3 (ISO-identified organization)
(IBM)
(IBM Objects)
(IBM Distributed Directory)

27 Attributes All an object class does is define the attributes, that is the types of data items, that an object of that type must or may contain. Some examples of typical attributes are cn (commonName), sn (surname), givenName, mail, uid and userPassword.

28 Attribute definition example
attribute: name
attributetypes=( NAME 'name' DESC 'The name attribute type is the attribute supertype from which string attribute types typically used for naming may be formed. It is unlikely that values of this type itself will occur in an entry.' EQUALITY SUBSTR SYNTAX USAGE userApplications )

29 The naming model The LDAP naming model defines how entries are identified and organized. Entries are organized in a tree-like structure called the Directory Information Tree (DIT) and are placed within it according to their distinguished name (DN). A DN is a unique name that unambiguously identifies a single entry. DNs are made up of a sequence of relative distinguished names (RDNs): an entry's DN is its own RDN followed by the DN of its parent, so it reads from the entry up to the root (for example cn=John Smith, ou=people, o=ibm.com).

30 Example of Directory Information Tree

31 Functional model Authentication: Bind and Unbind connect to and disconnect from an LDAP server and establish the identity under which access rights are evaluated; Abandon cancels an operation that is still in progress. A simple Bind sends the password in the clear, so it should only be used over TLS (RFC 2830 StartTLS) or replaced by a SASL mechanism (RFC 2829). Query: Search for entries meeting user-specified criteria, and Compare an entry against an asserted attribute value. Update: Add an entry, Delete an entry, Modify an entry, and modify the distinguished name or relative distinguished name of an entry (ModifyDN, called ModifyRDN in LDAPv2).

32 Query Base: a DN that defines the starting point, called the base object, of the search. The base object is a node within the DIT. Scope: how deep within the DIT to search from the base object. There are three choices: baseObject (the base entry only), singleLevel (its immediate children) and wholeSubtree (the base and everything beneath it).

33 Filter: the criteria an entry must match to be returned from a search, written in the string form of RFC 2254, for example (&(objectClass=person)(uid=jsmith)). Attributes to return: which attributes to retrieve from the entries that match the filter. Alias dereferencing: whether aliases are dereferenced, that is, whether the alias entry itself or the entry it points to is used. Limits: searches can be very general, examining large subtrees and causing many entries to be returned; the client's size and time limits, and the server's own limits, cap the result.
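The query parameters of slides 32 and 33, together with the filter syntax of RFC 2254, as an added example in Python; this is not code from the presentation or from any LDAP server. It evaluates base, scope and a filter over a constructed in-memory directory modelled on the ibm.com tree, and shows the point a practitioner cares about: an application that pastes a login name straight into a filter string is open to LDAP filter injection (a "*" matches every user), while escaping the value as RFC 2254 section 4 requires (RFC 4515 today) keeps it literal. The directory contents, the login_filter_unsafe/login_filter_safe helpers and the filter subset that is parsed are assumptions of the example.

```python
import re

# Constructed in-memory directory (the slide's o=ibm.com tree plus one extra
# person); attribute names lower-cased, every value a list, as in an LDAP entry.
DIRECTORY = {
    "o=ibm.com": {"objectclass": ["top", "organization"], "o": ["ibm.com"]},
    "ou=People,o=ibm.com": {"objectclass": ["top", "organizationalUnit"], "ou": ["People"]},
    "ou=marketing,o=ibm.com": {"objectclass": ["top", "organizationalUnit"], "ou": ["marketing"]},
    "cn=John Smith,ou=People,o=ibm.com": {
        "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["John Smith"], "sn": ["Smith"], "uid": ["jsmith"]},
    "cn=Ann Lee,ou=marketing,o=ibm.com": {
        "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Ann Lee"], "sn": ["Lee"], "uid": ["alee"]},
}


def escape_filter_value(value):
    """Escape an assertion value for use inside a filter (RFC 2254 section 4,
    RFC 4515 section 3 today). A single-pass table means the backslash can
    never be escaped twice."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def login_filter_unsafe(uid):
    # Vulnerable pattern: the login name is pasted into filter syntax as-is.
    return f"(&(uid={uid})(objectClass=person))"


def login_filter_safe(uid):
    # Hardened form: the value is escaped, so it can only be compared literally.
    return f"(&(uid={escape_filter_value(uid)})(objectClass=person))"


def _parse(s, i):
    """Recursive-descent parser for the filter subset used here: (&...), (|...),
    (!...) and (attr=value), where an unescaped '*' in the value is a wildcard."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, subs), i + 1
    end = s.index(")", i)          # an escaped ')' is '\29', so this is the real close
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def _value_regex(value):
    """Assertion value -> regex: '*' is a wildcard, '\\xx' escapes are literals.
    IGNORECASE approximates the caseIgnoreMatch rule most string attributes use."""
    pieces, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            pieces.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            pieces.append(".*")
            i += 1
        else:
            pieces.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(_value_regex(value).match(v) for v in entry.get(attr, []))


_RDN_SPLIT = re.compile(r"(?<!\\),")   # split on commas not escaped with '\'


def _rdns(dn):
    return [r.strip().lower() for r in _RDN_SPLIT.split(dn)]


def in_scope(dn, base, scope):
    """baseObject: the base entry only; singleLevel: its immediate children;
    wholeSubtree: the base and everything beneath it."""
    d, b = _rdns(dn), _rdns(base)
    if d[-len(b):] != b:
        return False                   # not under the base object at all
    depth = len(d) - len(b)
    return {"baseObject": depth == 0, "singleLevel": depth == 1,
            "wholeSubtree": depth >= 0}[scope]


def search(directory, base, scope, filter_str, attrs=None):
    """Entries in scope that match the filter, projected onto the requested
    attribute list (None returns every attribute, as LDAP does)."""
    node = parse_filter(filter_str)
    return {dn: {a: v for a, v in e.items() if attrs is None or a in attrs}
            for dn, e in directory.items() if in_scope(dn, base, scope) and matches(node, e)}


def lookup_user(uid, build=login_filter_safe):
    """The 'find the entry for this login name' step of an application login:
    a subtree search under o=ibm.com returning the matching DNs."""
    return sorted(search(DIRECTORY, "o=ibm.com", "wholeSubtree", build(uid), ["uid"]))


if __name__ == "__main__":
    for uid in ("jsmith", "*", "j*"):
        print(f"{uid!r:10} unsafe -> {lookup_user(uid, login_filter_unsafe)}")
        print(f"{uid!r:10} safe   -> {lookup_user(uid)}")
```

With the unsafe builder a login name of "*" returns both people and "j*" lets an attacker enumerate accounts by prefix; with the escaped builder the same inputs match nothing, because the filter becomes (uid=\2a), an assertion for the literal character. Real servers reject a filter with trailing data just as parse_filter does, so the textbook ")(|(uid=*" payloads need an application that does not validate the whole string; the wildcard is the payload that always works when escaping is missing.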

34 Conclusion LDAP supports network heterogeneity.
It is vendor independent and extensible. LDAP works with various applications, such as web access and authentication.

35 Questions What other functions can be done through LDAP apart from reading data? Authentication, add, search and modify are supported; the protocol also defines how data and operations are conveyed. Where is LDAP used? It is used for attribute mapping and yellow pages. Example of an application that is LDAP compliant: Microsoft Active Directory.

36 Thank you !

