1. Amrish Kaushik Graduate Student USC – Computer Science (CN)
The LDAP Protocol…
Amrish Kaushik
Graduate Student
USC – Computer Science (CN)

2. Agenda Background and Motivation Understanding LDAP Protocol Model
Information Structure
Naming
Functions/Operations
Security
Protocol Model
Mapping onto Transport Services
Protocol Element Encoding
Discussion

3. Background and Motivation
Increased reliance on networked computers
Need in information
Functionality
Ease-of-Use
Administration (Application specific dirs)
Clear and consistent organization
Integrity
Confidentiality

4. X.500
X.500 standard. CCITT 1988
Refer ISO 9594 – X.500-X.521 of 1990

5. X.500 Organizes directory entries into a hierarchical namespace
Powerful search capabilities
Often used for interfacing incompatible directory services
Used DAP for c/s communication
DAP (App. Layer) requires ENTIRE OSI stack to operate
Too heavy for small environments

6. What is LDAP? Lightweight Directory Access Protocol
Used to access and update information in a directory built on the X.500 model
Specification defines the content of messages between the client and the server
Includes operations to establish and disconnect a session from the server

7. LDAP Server: G/S

8. Understanding LDAP Lightweight alternative to DAP
Uses TCP/IP instead of OSI stack
Simplifies certain functions and omits others…
Uses strings rather than DAP’s ASN.1 notation to represent data.

9. LDAP Information Naming Functional / Operations Security
Structure of information stored in an LDAP directory.
Naming
How information is organized and identified.
Functional / Operations
Describes what operations can be performed on the information stored in an LDAP directory.
Security
Describes how the information can be protected from unauthorized access.

10. LDAP Information Storage

11. LDAP Information Storage
Each attribute has a type/syntax and a value
Can define how values behave during searches/directory operations
Syntax: bin, ces, cis, tel, dn etc.
Usage limits: ssn – only one, jpegPhoto – 10K

12. LDAP Information Storage
Each ‘entry’ describes an object (Class)
Person, Server, Printer etc.
Example Entry:
InetOrgPerson(cn, sn, ObjectClass)
Example Attributes:
cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn), jpegPhoto (bin)

13. LDAP Naming DNs consist of sequence of Relative DN
cn=John Smith,ou=Austin,o=IBM,c=US (Leaf 2 Root) (~use \ for special)
Directory Information Tree (DIT)
Follow geographical or organizational scheme
Aliases: Tree-like,
Aliases can link non-leaf nodes

14. LDAP Naming Referrals: May not store entire DIT (v3) Referrals
objectClass=referral, attribute=ref, value=LDAPurl
Implementation differs
Refferals/Chaining (vendor)
RFC 1777: server chaining is expected.

15. LDAP Naming Schema Query server for info: zero-length DN
Defines what object classes allowed
Where they are stored
What attributes they have (objectClass)
Which attributes are optional (objectClass)
Type/syntax of each attribute (objectClass)
Query server for info: zero-length DN
LDAP schema must be readable by the client

16. LDAP Naming Examples Attribute Type String CommonName CN LocalityName
StateorProvinceName ST
OrganizationName O
OrganizationalUnitName OU
CountryName C
StreetAddress
STREET
domainComponent DC
Userid
UID

17. LDAP Functions/Operations
Authentication
BIND/UNBIND
ABANDON
Query
Search
Compare entry
Update
Add an entry
Delete an entry (Only Leaf nodes, no aliases)
Modify an entry, Modify DN/RDN

18. Client and Server Interaction
Client establishes session with server (BIND)
Hostname/IP and port number
Security
User-id/password based authentication
Anonymous connection - default access rights
Encryption/Kerberos also supported
Client performs operations
Read/Update/Search
SELECT X,Y,Z FROM PART_OF_DIRECTORY
Client ends the session (UNBIND)
Client can ABANDON the session

19. BIND/UNBIND/ABANDON
Request includes LDAP version, the name the client wants to bind as, authentication type
Simple (clear text passwords, anonymous)
Kerberos v4 to the LDAP server (krbv42LDAP)
Kerberos v4 to the DSA server (krbv42DSA)
Server responds with a status indication
UNBIND: Terminates a protocol session
UnbindRequest ::= [APPLICATION 2] NULL
ABANDON:
MessageID to abandon

20. Search/Compare Request includes Read and List implemented as searches
baseObject: an LDAPDN
Scope: how many levels to be searched
derefAliases: handling of aliases
sizeLimit: max number of entries returned
timeLimit: max time allowed for search
attrsOnly: return attribute types OR values also
Filter: cond. to be fulfilled when searching
Attributes: List of entry’s attributes to be returned
Read and List implemented as searches
Compare: similar to search but returns T/F

21. ADD/MODIFY/DELETE ADD request MODIFY request DELETE request
Entry: LDAPDN
List of Attributes and values (or sets of values)
MODIFY request
Used to add, delete, modify attributes
Request includes
Object: LDAPDN
List of modifications (atomic)
Add, Delete, Replace
DELETE request
MODIFY RDN: LDAPDN, newRDN, DEL_FLAG

22. Protocol Elements
LDAPMessage (MessageID unique)

23. Protocol Elements LDAPString ::= OCTET STRING LDAPDN ::= LDAPString
RelativeLDAPDN ::= LDAPString
AttributeValueAssertion ::=
Sequence { attributeType attributeValue,
attributeValue attributeValue }
attributeType ::= LDAPString
attributeValue ::= OCTET STRING

24. Protocol Elements LDAP Result Errors
Truncated DIT RDN sequence is sent
noSuchObject
aliasProblem
invalidDNSyntax
isLeaf etc.

25. LDAP Security Current LDAP version supports
Clear text passwords
KERBEROS version 4 authentication
Other authentication methods possible in future versions (March 1995)
SASL support added in version 3
Kerberos deemed stronger than SASL…

26. LDAP Security Security based on the BIND model Clear text  ver 1
Kerberos  ver 1,2,3 (depr)
SASL  ver 3
Simple Authentication and Security Layer
uses one of many authentication methods
Proposal for Transport Layer Security
Based on SSL v3 from Netscape

27. LDAP Security No Authentication Basic Authentication SASL (RFC 2222)
DN and password provided
Clear-text or Base 64 encoded
SASL (RFC 2222)
Parameters: DN, mechanism, credentials
Provides cross protocol authentication calls
Encryption can be optionally negotiated
ldap_sasl_bind() (ver3 call)
Ldap://<ldap_server>/?supportedsaslmechanisms

28. LDAP Security
LDAP using SASL using SSL/TLS

29. LDAP Security
SSL/TLS Handshake

30. Agenda Background and Motivation Understanding LDAP Protocol Model
Information Structure
Naming
Functions/Operations
Security
Protocol Model
Mapping onto Transport Services
Protocol Element Encoding
Discussion

31. Protocol Model Clients performing protocol operations against servers
Client sends protocol request to server
Server performs operation on directory
Server returns response (results/errors)
Asynchronous Server Behavior

32. Directory Client/Server Interaction

33. Mapping onto Transport
Uses Connection-oriented, reliable transport
TCP
LDAPMessage PDU mapped onto TCP byte stream
LDAP listener on port 389
Connection Oriented Transport Service (COTS)
LDAP PDU is mapped directly onto T-Data

34. Protocol Element Encoding
Encoded for Exchange using BER (Basic Encoding Rules)
BER defined in Abstract Syntax Notation One (ASN.1)
High Overhead for BER
Restrictions imposed to improve perf.
Definite form of length encoding only
Bit Strings/ Octet Strings and all character string types encoded in primitive form only

35. LDAP Implementations C Library API Java JNDI
LDAPv2 - RFC 1823 ‘The LDAP API’
LDAPv3 – In Internet Draft stage
Java JNDI
LDAP v3 uses the UTF-8 encoding of the Unicode character set.
HTTP to LDAP gateway
LDAP to X.500 gateway – ldapd

36. Version 2 v/s Version 3 Referrals Security Internationalization
A server that does not store the requested data can refer the client to another server.
Security
Extensible authentication using Simple Authentication and Security Layer (SASL)
Internationalization
UTF-8 support for international characters.
Extensibility
New object types and operations can be dynamically defined and schema published in a standard manner.