
Sicurezza II, A.A. 2011/2012 LDAP Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.




Slide 1: LDAP
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it
Sicurezza II, A.A. 2011/2012

Slide 2: LDAP
- LDAP stands for Lightweight Directory Access Protocol.
- It is a client-server protocol for reading and editing directories over an IP network. A directory in this sense is a hierarchical set of records (a telephone directory, for example).
- It is part of the X.500 standards, a series of computer networking standards covering electronic directory services (X.509 is part of the X.500 series, and it is an ITU-T standard for a public key infrastructure).
- OpenID and OAuth are protocols available for Web users and applications on the Internet. LDAP and SAML are protocols used in intranets/enterprises.

Slide 3: LDAP: how does it work?
- A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389.
- The client then sends an operation request to the server, and the server sends responses in return.
- Some of the available operations:
  - Search: search for and/or retrieve directory entries
  - Add a new entry
  - Delete an entry
  - Modify an entry
  - ...

Slide 4: LDIF
- LDIF stands for LDAP Data Interchange Format.
- It is a standard plain-text data interchange format for representing LDAP directory content.
Example:
  dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
  objectclass: inetOrgPerson
  cn: Andre Panisson
  cn: Panisson Andre
  sn: Andre
  uid: panisson
  userpassword: prova
  carlicense: HISCAR 124
  homephone: 555-111-2223
  mail: panisson@di.unito.it
  mail: panisson@gmail.com
  ou: Docenti

Slide 5: X.509 certificates
- Certificates in X.509 format can be loaded into the directory, which makes it possible to authenticate users with their user certificate.

Slide 6: LDIF Fields
Main fields:
- dn: distinguished name
- dc: domain component
- ou: organizational unit
- cn: common name
Example:
  dn: cn=The Postmaster,dc=example,dc=com
  objectClass: organizationalRole
  cn: The Postmaster

Slide 7: Lab Goals
- Deploy a basic LDAP server
  - Load user info
  - Browse/search for user info
- Configure Apache to authenticate users using LDAP

Slide 8: Lab Preparation
Server: Apache 2.2.13 at $HOME/apache

Slide 9: OpenLDAP
www.openldap.org
An open source implementation of the Lightweight Directory Access Protocol.

Slide 10: OpenLDAP
Download OpenLDAP version 2.4.25.
Extract it:
  tar -xvzf openldap-2.4.25.tgz
Check the files README and INSTALL.
Create the target directory and build it:
  mkdir $HOME/openldap/
  cd openldap-2.4.25
  ./configure --prefix=$HOME/openldap/
  make depend
  make
  make install

Slide 11: OpenLDAP
Edit the file $HOME/openldap/etc/openldap/slapd.conf.
Include the following schemas:
  include /usr/home/.../openldap/etc/openldap/schema/core.schema
  include /usr/home/.../openldap/etc/openldap/schema/cosine.schema
  include /usr/home/.../openldap/etc/openldap/schema/inetorgperson.schema
Configure the database:
  database bdb
  suffix "dc=di,dc=unito,dc=it"
  rootdn "cn=Manager,dc=di,dc=unito,dc=it"

Slide 12: OpenLDAP
Start LDAP on port 8389:
  $HOME/openldap/libexec/slapd -h "ldap://0.0.0.0:8389"
Connect to the server using ldapsearch:
  $HOME/openldap/bin/ldapsearch -h localhost -p 8389 -x -b '' -s base '(objectclass=*)' namingContexts

Slide 13: OpenLDAP
Create a file user.ldif:
  dn: dc=di,dc=unito,dc=it
  dc: di
  objectClass: top
  objectClass: domain

  dn: ou=people,dc=di,dc=unito,dc=it
  ou: people
  objectClass: top
  objectClass: organizationalUnit

  dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
  objectclass: inetOrgPerson
  cn: Andre Panisson
  cn: Panisson Andre
  sn: Andre
  uid: panisson
  userpassword: prova
  carlicense: HISCAR 124
  homephone: 555-111-2223
  mail: panisson@di.unito.it
  mail: panisson@gmail.com
  ou: Docenti
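The LDIF shown on slides 4 and 13 (and the `attr:: base64` form used later for the certificate) has a few rules that are easy to get wrong when you produce or consume it by hand: records are separated by blank lines, an attribute may appear several times (mail above), a line starting with one space continues the previous line, and a value after `::` is base64 (required for binary data such as a DER certificate). The following parser is an added example written for this page, not code from the lecture or from OpenLDAP; the sample LDIF inside it is constructed, modelled on the lab's user.ldif, and the tiny base64 value stands in for a real certificate.

```python
import base64

# Constructed sample LDIF, modelled on the lab's user.ldif (not copied from the slides).
# It exercises: several records separated by blank lines, a multi-valued attribute (mail),
# a comment, a folded line (the continuation starts with one space) and a base64 value ("::").
SAMPLE_LDIF = """\
# constructed sample, not the lab file
dn: dc=di,dc=unito,dc=it
dc: di
objectClass: top
objectClass: domain

dn: ou=people,dc=di,dc=unito,dc=it
ou: people
objectClass: top
objectClass: organizationalUnit

dn: cn=Andre Panisson,ou=people,
 dc=di,dc=unito,dc=it
objectclass: inetOrgPerson
cn: Andre Panisson
uid: panisson
mail: panisson@di.unito.it
mail: panisson@gmail.com
userCertificate;binary:: MIIBAAECAwQ=
"""


def unfold(text):
    """Undo LDIF line folding: a line that starts with a single space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of records, each a dict mapping attribute -> list of values.
    Attribute names are lower-cased (LDAP attribute names are case-insensitive, and PHP's
    ldap_get_entries() lower-cases them too); values after '::' are base64-decoded to bytes."""
    records, current = [], {}
    for line in unfold(text):
        if line.startswith("#") or line == "-":     # comment, or end of one modify operation
            continue
        if not line.strip():                         # blank line: record separator
            if current:
                records.append(current)
                current = {}
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):                     # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):                   # "attr:< file:///..." (not needed here)
            raise ValueError("URL-valued attributes are not supported: " + line)
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def find_by_uid(records, uid):
    """Return the first record whose uid attribute equals the given value (exact match), or None."""
    for rec in records:
        if uid in rec.get("uid", []):
            return rec
    return None


def certificate_modify_ldif(dn, der_bytes):
    """Build the change record used on the 'LDAP and Certificates' slide: a modify that replaces
    userCertificate;binary with the DER certificate, which must be written base64 after '::'."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    return ("dn: %s\nchangetype: modify\nreplace: userCertificate;binary\n"
            "userCertificate;binary:: %s\n-\n" % (dn, b64))


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(len(recs), "records")
    user = find_by_uid(recs, "panisson")
    print(user["dn"][0], user["mail"])
    print(certificate_modify_ldif(user["dn"][0], user["usercertificate;binary"][0]))
```

`certificate_modify_ldif()` emits the same shape of record as cert.ldif on the certificate slide; the trailing `-` line closes the single modify operation, which OpenLDAP accepts with or without it. Note that `parse_ldif()` returns `bytes` for `::` values and `str` for the rest, so a caller cannot accidentally treat a DER blob as text.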

Slide 14: OpenLDAP
Load it into the LDAP server using ldapadd:
  $HOME/openldap/bin/ldapadd -h localhost -p 8389 \
    -D "cn=Manager,dc=di,dc=unito,dc=it" -W -f user.ldif

Slide 15: OpenLDAP Clients
Connect to LDAP using a client:
  http://jxplorer.org/
  http://phpldapadmin.sourceforge.net/

Slide 16: Lab Goals
1. Create a login form that gets the user credentials from LDAP
2. Create a Web app that gets the user credentials from a client certificate

Slide 17: LDAP and Certificates
Create a new key and X.509 certificate.
Create the user key and certificate request:
  openssl genrsa -out userkey.pem 2048
  openssl req -key userkey.pem -new -out userreq.pem
Create the certificate and sign it using the CA:
  openssl x509 -days 365 -CA ca-bundle.crt -CAkey CA.key \
    -CAcreateserial -CAserial ca.srl -req -in userreq.pem -out usercert.pem
Convert it to PKCS#12 format, to use it in your browser:
  openssl pkcs12 -in usercert.pem -inkey userkey.pem -export -out usercert.p12
Convert the certificate to DER format:
  openssl x509 -outform DER -in usercert.pem -out usercert.der
Encode it in base64 (on a single line):
  openssl base64 -A -in usercert.der -out usercert.der.b64

Slide 18: LDAP and Certificates
Create an LDIF file (cert.ldif) with the certificate contents. The double colon after the attribute name means that the value is base64-encoded, i.e. the contents of usercert.der.b64:
  dn: cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it
  changetype: modify
  replace: userCertificate;binary
  userCertificate;binary:: 
Import it into LDAP:
  $HOME/openldap/bin/ldapadd -h localhost -p 8389 -D \
    "cn=Manager,dc=di,dc=unito,dc=it" -W -f cert.ldif

Slide 19: Apache and LDAP (with PHP)
Compile PHP with the required libraries:
  cd $HOME/php-5.3.6
  ./configure --prefix=$HOME/php \
    --with-apxs2=$HOME/apache/bin/apxs \
    --with-libxml-dir=$HOME/libxml2-2.7.8 \
    --with-curl \
    --with-zlib \
    --with-openssl \
    --with-ldap \
    --with-libdir=lib64
  make
OR get the PHP module with LDAP support (only for the Postel lab):
  cp /usr/home/docenti/panisson/libphp5.so.ldap_support $HOME/apache/modules/libphp5.so

Slide 20: Apache and LDAP (with PHP)
Edit form.html, a form with two fields:
  Name:
  Password:

Slide 21: Apache and LDAP (with PHP)
Edit resource.php:
  <?php
  $name = $_GET['name'];
  $password = $_GET['password'];

  // specify the LDAP server to connect to
  $conn = ldap_connect("localhost", "8389")
      or die("Could not connect to server");
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

  // bind to the LDAP server specified above
  $r = ldap_bind($conn, "cn=Manager,dc=di,dc=unito,dc=it", "secret")
      or die("Could not bind to server");

  // search for credentials
  // (name and password are inserted into the filter as typed;
  //  ldap_escape() only exists from PHP 5.6 on)
  $result = ldap_search($conn, "dc=di,dc=unito,dc=it",
      "(&(uid=" . $name . ")(userpassword=" . $password . "))");

  // get entry data as array
  $info = ldap_get_entries($conn, $result);
  if ($info["count"] == 0) {
      die("Invalid credentials");
  }
  $entry = $info[0];
  ldap_close($conn);
  ?>
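The search filter above is built by string concatenation from the two form fields, so any `*`, `(`, `)` or `\` in the input becomes filter syntax instead of part of the value, and the password must be stored in clear text for the equality match to work at all. The following added example (written for this page, not the lecture's code; the `FakeDirectory` class is a constructed stand-in for slapd with a hypothetical `search`/`bind` interface) shows the RFC 4515 escaping that PHP's `ldap_escape()` provides from 5.6 on, a check that an escaped value can never turn an equality match into a wildcard match, and the more robust flow of looking up the user's DN with an escaped filter and then binding as that DN, so the directory verifies the password itself.

```python
import re

# RFC 4515 section 3: inside an assertion value, '*', '(', ')', '\' and NUL must be written as
# a backslash followed by the two hex digits of the byte (the same five characters PHP's
# ldap_escape() handles with LDAP_ESCAPE_FILTER, available only from PHP 5.6).
FILTER_SPECIALS = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an assertion value in an LDAP search filter."""
    return "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value (what the server does before comparing values)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def login_filter(uid, password, escape=True):
    """The filter resource.php builds. escape=False concatenates the input as typed (the slide's
    behaviour); escape=True is the hardened form."""
    f = escape_filter_value if escape else (lambda s: s)
    return "(&(uid=%s)(userpassword=%s))" % (f(uid), f(password))


def has_wildcard(ldap_filter):
    """True if an unescaped '*' is present, i.e. an equality match has become a presence or
    substring match. A login filter built from escaped input must never trigger this."""
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3                      # skip "\XX"
            continue
        if ldap_filter[i] == "*":
            return True
        i += 1
    return False


class FakeDirectory:
    """Constructed stand-in for the OpenLDAP server, just enough to show the bind-based flow.
    entries: dn -> (uid, password). Only '(uid=<value>)' equality filters are understood."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, ldap_filter):
        m = re.fullmatch(r"\(uid=([^()]*)\)", ldap_filter)
        if not m or has_wildcard(ldap_filter):
            return []
        wanted = unescape_filter_value(m.group(1))
        return [dn for dn, (uid, _) in self.entries.items()
                if dn.endswith(base_dn) and uid == wanted]

    def bind(self, dn, password):
        return dn in self.entries and self.entries[dn][1] == password


def authenticate_by_bind(directory, base_dn, uid, password):
    """Added pattern, not what the slides do: find the user's DN with an escaped filter, then let
    the directory verify the password by binding as that DN. Unlike the filter comparison on the
    slide this also works when userPassword is stored hashed ({SSHA} etc.), and the password never
    becomes part of a filter string. Returns the authenticated DN or None."""
    dns = directory.search(base_dn, "(uid=%s)" % escape_filter_value(uid))
    if len(dns) != 1 or password == "":   # an empty password would be an anonymous bind
        return None
    return dns[0] if directory.bind(dns[0], password) else None


if __name__ == "__main__":
    print(login_filter("panisson", "pa(ss)", escape=False))   # broken filter syntax
    print(login_filter("panisson", "pa(ss)"))                 # value escaped, filter intact
    directory = FakeDirectory(
        {"cn=Andre Panisson,ou=people,dc=di,dc=unito,dc=it": ("panisson", "prova")})
    print(authenticate_by_bind(directory, "dc=di,dc=unito,dc=it", "panisson", "prova"))
```

In the PHP of the lab the same flow is `ldap_search()` with the escaped `(uid=...)` filter, `ldap_get_dn()` on the single result, and a second `ldap_bind($conn, $dn, $password)`; the empty-password check matters because an LDAP simple bind with an empty password succeeds as an anonymous bind.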

Slide 22: Apache and LDAP (with PHP)
Edit resource.php (continuation):
  <?php
  echo "dn is: " . $entry["dn"] . " ";
  echo "first cn is: " . $entry["cn"][0] . " ";
  echo "first email address is: " . $entry["mail"][0] . " ";
  echo "password is: " . $entry["userpassword"][0] . " ";
  $certificate = $entry["usercertificate;binary"][0];
  ?>

Slide 23: Apache and LDAP
Connect to localhost using a browser and access the form.
Log in using uid + password.

Slide 24: Apache and LDAP
2. Create a Web app that gets the user credentials from a client certificate
Modify the script to recognize the user credentials by using the client certificate.

Slide 25: Apache and LDAP
Configure Apache SSL to require a user certificate: change the file httpd-ssl.conf in the Apache configuration:
  SSLRequireSSL
  SSLVerifyClient require
Configure your browser to use the client certificate. In Firefox:
  Edit > Preferences > Advanced > Encryption > View Certificates > Import > (select your usercert.p12)

Slide 26: Apache and LDAP
Add to resource.php a section to verify the user certificate:
  function der2pem($certificate) {
      $beginpem = "-----BEGIN CERTIFICATE-----\n";
      $endpem = "\n-----END CERTIFICATE-----";
      $result = "";
      $certificate = base64_encode($certificate);
      for ($i = 0; $i < strlen($certificate); $i++) {
          $result .= $certificate[$i];
          if ($i % 64 == 63) $result .= "\n";
      }
      return $beginpem . $result . $endpem;
  }

  // Build the PEM string.
  $pemdata = der2pem($certificate);
  // Get a certificate resource from the PEM string.
  $cert = openssl_x509_read($pemdata);
  // Parse the resource and print out the contents.
  $cert_data = openssl_x509_parse($cert);
  echo ' LDAP Certificate Credentials: ' . $cert_data['name'];
  echo ' Client Certificate Credentials: ' . $_SERVER["SSL_CLIENT_S_DN"];
  // all done? clean up
  openssl_x509_free($cert);
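The script above converts the DER blob from `userCertificate;binary` to PEM so that it can be parsed, and then prints the subject name from LDAP next to the subject name mod_ssl reports in `SSL_CLIENT_S_DN`. Two observations a practitioner would add: the PEM wrapping should put exactly one line break before the footer even when the base64 text is a multiple of 64 characters long, and the safer comparison is not subject name against subject name but fingerprint against fingerprint, because two different certificates can carry the same subject DN. The following is an added example written for this page, not the lecture's code or a PHP library API; it is Python rather than PHP so that its output can be checked against the standard library's `ssl.DER_cert_to_PEM_cert()`, and the DER bytes it uses are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_to_pem(der_bytes):
    """Same transformation as the slide's PHP der2pem(): base64 the DER bytes, fold at 64
    columns and wrap in the CERTIFICATE markers. There is exactly one newline before the
    footer, also when the base64 text is a multiple of 64 characters long."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return PEM_HEADER + "\n" + body + "\n" + PEM_FOOTER + "\n"


def pem_to_der(pem_text):
    """Inverse: strip the markers and line breaks and base64-decode. This is what to apply to
    the client certificate mod_ssl exports in SSL_CLIENT_CERT (needs SSLOptions +ExportCertData)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]))


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding: the usual certificate fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest()


def certificate_matches(ldap_der, client_pem):
    """Decide whether the certificate stored in the user's LDAP entry (userCertificate;binary,
    DER) is the one the TLS client presented (PEM from mod_ssl). Compares fingerprints rather
    than subject names, in constant time."""
    try:
        client_der = pem_to_der(client_pem)
    except ValueError:
        return False
    return hmac.compare_digest(fingerprint(ldap_der), fingerprint(client_der))


def cross_check(der_bytes):
    """Self-test against the standard library: our PEM must equal ssl.DER_cert_to_PEM_cert()
    byte for byte, and both directions must round-trip."""
    pem = der_to_pem(der_bytes)
    return (pem == ssl.DER_cert_to_PEM_cert(der_bytes)
            and pem_to_der(pem) == der_bytes
            and ssl.PEM_cert_to_DER_cert(pem) == der_bytes)


if __name__ == "__main__":
    der = bytes(range(100))          # constructed placeholder, not a real certificate
    print(der_to_pem(der))
    print("fingerprint", fingerprint(der))
    print("matches own PEM:", certificate_matches(der, der_to_pem(der)))
```

With the client certificate exported as PEM by mod_ssl and the LDAP value already DER, the comparison in PHP is the same idea: `openssl_x509_fingerprint()` (PHP 5.6+) on both, or `hash('sha256', ...)` over the DER bytes, compared with `hash_equals()`.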

Slide 27: LDAP
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it
Sicurezza II, A.A. 2011/2012
Thank you for your attention!

Slide 28
© 2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

