LDAP

Lightweight Directory Access Protocol

Upload: higher-private-school-of-engineering-and-technology

Post on 28-Nov-2014

Page 1: Ldap



Outline

o Introduction

o Directory vs Database

o Current directories

o Directory features

o History

o Understanding LDAP

Information model

Naming model

LDAP directory structure

Functional model

Security model

Replication model

o LDAP software

o Configure an LDAP server

o Conclusion

Introduction (1/2)

To improve functionality and ease of use, and to enable cost-effective administration of distributed applications, the information about the services, resources, users and other objects accessible from those applications needs to be organized in a clear and consistent manner.

Much of this information can be shared among many applications.

Introduction (2/2)

But it must also be protected.

Such information is often collected into a special database that is sometimes called a directory.

The Lightweight Directory Access Protocol (LDAP) is an open industry standard that has evolved to meet these needs.

Before moving on!

What is a directory? Is it a database, as is commonly said? Let us look at the difference.

Directory vs Database

Directory vs Database (1/2)

o A directory is often described as a database

o But it has special characteristics that differ from general-purpose databases:

Directories are read much more often than they are updated, and they are optimized for read access

They are not suited to information that changes rapidly

(for example the number of jobs in a printer queue)

Directory vs Database (2/2)

Many directory services do not support transactions

Directories normally limit the types of information that can be stored

Databases use powerful query languages like SQL, whereas directories normally use very simple access methods (a search with a filter)

Hence directories can be optimized to economically provide many applications with rapid access


Current directories

o Paper Directories

Phonebook

Address Book

Sales Catalog

o Electronic Directories

DNS

Windows registry

Directory features

o A directory is a listing of information about objects, arranged in some order, that gives details about each object.

o Dynamic (real-time update)

o Flexible (the types of data and their organization are easy to change)

o Secure (who sees what)

o Personalized (how the data is presented, ...)

History (1/2)

History (2/2)

o LDAP version 3

Handling of special (non-ASCII) characters: strings are encoded in UTF-8

Security: SASL authentication and TLS (Transport Layer Security) encryption

Extensible operations: extended operations and controls

Understanding LDAP (1/2)

What is LDAP? Lightweight Directory Access Protocol:

an application protocol for querying and modifying directory services, running over TCP/IP.

LDAP is described by four models:

Information: the structure of the information stored in an LDAP directory.

Understanding LDAP (2/2)

Naming: how information is organized and identified.

Functional / Operations: what operations can be performed on the information stored in an LDAP directory.

Security: how the information can be protected from unauthorized access.

Information model

o Based on the X.500 model

o Information is stored in a DIT (Directory Information Tree)

Hierarchical model

o An entry contains a set of attributes

Each attribute has a type and one or more values

Each tree has

o A DIT (Directory Information Tree) whose top is the suffix, or base DN, of the directory (for example dc=example,dc=com)

o Nodes, which are entries (in X.500 terms a DSE, a DSA-Specific Entry, is an entry that belongs to the server itself rather than to the directory data)

o A root DSE, the entry with an empty DN that describes the server and its content (naming contexts, supported LDAP versions, controls, extended operations and SASL mechanisms); it is specific to each LDAP server and is usually readable without authentication, which makes it the first thing to query when assessing an unfamiliar directory

Each entry is an object

(Figure: an Entry holds several Attributes; each Attribute has a Type and one or more Values.)

Two types of attributes

o User (normal) attributes: the data of the entry, accessible to users

(for example the givenName attribute)

o Operational attributes: maintained by the server for its own administrative data, and only returned by a search when requested explicitly by name

(for example the modifyTimestamp attribute)

An attribute type is characterized by

Name

Object Identifier (OID)

Whether it is single- or multi-valued

Syntax and matching (comparison) rules

Usage indicator (user or operational)

Size limit of the value

Object class

o Describes a kind of real or abstract object

o It characterizes its entries by a list of required and optional attributes

o All object classes are defined in the directory schema

An object class is defined by

o A name that identifies it

o An OID that also identifies it

o Required attributes (MUST)

o Optional attributes (MAY)

o A type (structural, auxiliary or abstract)

Three types of object class

Structural class: describes the basic objects in the directory (person, organizationalUnit, ...). Every entry has exactly one structural object class chain; it is the class that says what the entry is.

Auxiliary class: adds additional attributes to entries of a structural class without changing what they are.

Abstract class: defines basic attributes that other classes inherit, such as top, the root of every class hierarchy. An entry cannot belong to an abstract class alone.

Naming model

o Naming constraints ensure interoperability between directories

o Each entry is uniquely identified by its Distinguished Name (DN), the sequence of Relative Distinguished Names (RDNs) from the entry up to the root of the tree

Relative Distinguished Name (RDN): one or more attribute=value pairs that are unique among the siblings of an entry (for example uid=jdoe)

Distinguished Name (DN): for example uid=jdoe,ou=People,dc=example,dc=com

LDAP Data Interchange Format (LDIF)

o LDAP data represented in a standard text format (RFC 2849)

o It is used to view or edit the database

o The format is plain ASCII text; values that are not safe ASCII (binary data, non-ASCII text, values starting with a space) are base64-encoded and written after a double colon (attribute:: value)

o LDIF is used to import / export a database

and to make changes to entries (add, modify, delete, modrdn)

LDAP directory structure

Example
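The LDIF slide above and this example slide (whose figure is not reproduced in the transcript) are illustrated here with an added example that is not part of the original deck: a small LDIF reader in Python that handles folded lines, comments, multi-valued attributes and base64 (::) values, plus a DN splitter that honours escaped commas. The export of dc=example,dc=com below is constructed for the example, with the same suffix and ou=People layout as the DN example earlier. The reader deliberately refuses the `:<` URL form that RFC 2849 allows, because an import tool that honours it reads a local file named by whoever wrote the LDIF.

```python
"""Minimal LDIF reader and DN splitter.

Added example (not from the slides). Assumptions: SAMPLE_LDIF below is a
constructed stand-in for an export made with slapcat or ldapsearch, values
are UTF-8 text, and only the entry-record form of LDIF (RFC 2849) is
handled, not changetype records.
"""
import base64
import re

# The base64 value is generated here so that the sample stays correct.
_PW_B64 = base64.b64encode(b"{SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m").decode("ascii")

# Constructed sample: a comment, a multi-valued objectClass, a folded
# continuation line (leading space) and a base64 (::) value.
SAMPLE_LDIF = f"""\
# constructed export of dc=example,dc=com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
description: a long line that was folded
  by the exporter
userPassword:: {_PW_B64}
"""


def _unfold(text):
    """Join continuation lines (a leading space continues the previous line)
    and drop comment and version lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#") or raw.startswith("version:"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) records."""
    records, attrs, dn = [], {}, None
    for line in _unfold(text) + [""]:          # a blank line ends a record
        if line == "":
            if dn is not None:
                records.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):               # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):             # attr:< file:///some/path
            raise ValueError("URL-valued attribute refused: %r" % line)
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def split_dn(dn):
    """Split a DN into its RDNs, from the entry up to the root, honouring
    backslash-escaped commas inside values (RFC 4514)."""
    return [rdn.replace("\\,", ",") for rdn in re.split(r"(?<!\\),", dn)]
```

Calling parse_ldif(SAMPLE_LDIF) yields the two entries in file order; the folded description comes back as one value, the userPassword value is decoded from base64, and split_dn on the user's DN gives the four RDNs uid=jdoe, ou=People, dc=example, dc=com, the last one being the top of the tree.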


Functional model

o The functional model describes how the data is accessed

o Query functions: search, compare

o Update functions: add, modify, delete, rename (modify DN)

o Session and control functions: bind, unbind, abandon, extended

Basic operations

LDAP operation | Description

Search | search directory entries using criteria (base, scope, filter)

Compare | check whether an entry holds a given attribute value

Add | add an entry

Modify | modify the contents of an entry

Delete | delete an entry

Rename (Modify DN) | modify the DN of an entry

Bind | authenticate to the server (open a session)

Unbind | close the session

Abandon | give up a running operation

Extended | extended operation (v3)

Search parameters

Parameter | Description

base object | the entry (DN) in the tree where the search begins

scope | how deep the search goes: base (the base entry only), one level (its children) or subtree (the whole subtree)

derefAliases | whether alias entries are followed or not

size limit | maximum number of entries returned

time limit | maximum time allocated to the search

attrOnly (typesOnly) | return only the attribute types, without their values

search filter | the search filter, for example (&(objectClass=person)(uid=jdoe))

list of attributes | the attributes whose values you want returned
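The search filter is where applications most often go wrong: a filter assembled by string concatenation from user input is an LDAP injection, since the characters ( ) * and \ have meaning inside it. The block below is an added example, not code from the slides. It shows a vulnerable and an escaped login filter, and includes a small evaluator for the RFC 4515 subset (&, |, !, equality, presence and substring wildcards) run over a constructed in-memory copy of dc=example,dc=com, so the effect of an injected `*` can be seen without a server. Attribute matching is case-insensitive, as for caseIgnoreMatch attributes such as uid; the entries and function names are assumptions made for the example.

```python
"""LDAP search filters: escaping, parsing and matching.

Added example (not from the slides). SAMPLE_ENTRIES is a constructed
in-memory stand-in for the directory (attribute names stored lowercased).
"""
import re

SAMPLE_ENTRIES = [  # constructed, not a real export
    ("uid=jdoe,ou=People,dc=example,dc=com",
     {"objectclass": ["person", "inetOrgPerson"], "uid": ["jdoe"]}),
    ("uid=admin,ou=People,dc=example,dc=com",
     {"objectclass": ["person", "inetOrgPerson"], "uid": ["admin"]}),
    ("ou=People,dc=example,dc=com",
     {"objectclass": ["organizationalUnit"], "ou": ["People"]}),
]

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: the characters * ( ) \\ and NUL become \\XX."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username):
    """Interpolates untrusted input directly: LDAP injection."""
    return "(&(objectClass=person)(uid=%s))" % username


def login_filter_safe(username):
    """Same filter with the value escaped: metacharacters lose their meaning."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def parse_filter(text):
    """Parse a filter into nested tuples: ('&'|'|'|'!', [subfilters]) or
    ('=', attribute, pattern). Raises ValueError on malformed input."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("truncated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            expect(")")
            if op == "!" and len(subs) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, subs)
        end = text.find(")", pos)  # a literal ')' in a value is escaped as \29
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, pattern = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("unsupported filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.lower(), pattern)

    result = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return result


def _pattern_to_regex(pattern):
    # An unescaped '*' is a wildcard; \XX hex escapes are literal characters.
    pieces = []
    for piece in pattern.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.IGNORECASE)


def matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(matches(n, attrs) for n in node[1])
    if op == "|":
        return any(matches(n, attrs) for n in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":                 # presence filter
        return bool(values)
    regex = _pattern_to_regex(pattern)
    return any(regex.fullmatch(v) for v in values)


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs of the entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(node, attrs)]
```

With the username `*`, the vulnerable filter becomes (&(objectClass=person)(uid=*)) and matches every person, so an application that logs in whoever comes back first is bypassed; the escaped version yields (uid=\2a), which matches nobody. The injected input `*)(uid=admin` stays a well-formed filter, which is why validating the assembled filter is no substitute for escaping the value when it is assembled.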

Security model

o Define each user's access rights to the data (authentication, then access control lists)

o Ensure the confidentiality of exchanges (encryption): a simple bind sends the password in clear text, so LDAP sessions must be protected with TLS (LDAPS or StartTLS), as introduced in LDAPv3

Replication model

o Duplicate a directory on multiple servers

o Protects against network outages, service overload and server crashes

o Typically a master-slave (provider-consumer) structure: updates are made on the master and propagated to the replicas, which serve reads


LDAP software

o Server software

OpenLDAP server

Netscape Directory Server

IBM's DSSeries LDAP Directory

o Client software

Netscape Communicator

Microsoft Outlook

Configure an LDAP server

Installation of the packages slapd and ldap-utils:

sudo apt-get install slapd ldap-utils

Modifying the configuration:

sudo dpkg-reconfigure slapd

A password hash for the administrator:

sudo slappasswd

Edit the configuration file "/etc/ldap/slapd.conf":

suffix    "dc=example,dc=com"
directory "/var/lib/ldap"
rootdn    "cn=admin,dc=example,dc=com"
rootpw    {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

The rootdn bypasses all access controls, so the file holding rootpw must be readable only by root and the slapd user. Current Debian and Ubuntu packages keep the configuration in the cn=config directory /etc/ldap/slapd.d rather than in slapd.conf; the same directives exist there as olcSuffix, olcRootDN and olcRootPW.
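The rootpw value above is what slappasswd prints. As an added example, not code from the slides or from OpenLDAP, the Python below reproduces the {SSHA} scheme OpenLDAP uses by default, base64 of SHA-1(password || salt) followed by the salt, and verifies a password against such a value in constant time. The sample password and salt are constructed; the hash from the slide is only checked for shape, since its password is not on the page. SSHA is a single fast SHA-1 round with a 4-byte salt, so it offers little resistance to offline guessing if slapd.conf or the database leaks; where the server supports it, a slow scheme such as {PBKDF2-SHA512} (OpenLDAP's pw-pbkdf2 contrib module) is preferable.

```python
"""{SSHA} password hashing as emitted by slappasswd (added example).

Assumptions: {SSHA} = base64( SHA-1(password || salt) || salt ), with a
random 4-byte salt, which is slappasswd's default. Nothing here talks to
slapd; the sample password is constructed for the example.
"""
import base64
import hashlib
import hmac
import os

_PREFIX = "{SSHA}"
_DIGEST_LEN = 20  # SHA-1 output size in bytes


def ssha_hash(password, salt=None):
    """Return a {SSHA} string for a password (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return _PREFIX + base64.b64encode(digest + salt).decode("ascii")


def _decode(stored):
    if not stored.startswith(_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(_PREFIX):])
    if len(raw) < _DIGEST_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return raw[:_DIGEST_LEN], raw[_DIGEST_LEN:]   # digest, salt


def ssha_verify(password, stored):
    """Recompute the digest with the salt taken from the stored value.

    The salt is whatever follows the 20-byte digest, so values with longer
    salts verify too; the comparison is constant-time."""
    digest, salt = _decode(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ssha_salt_length(stored):
    """Salt length in bytes of a stored {SSHA} value (4 for slappasswd)."""
    return len(_decode(stored)[1])
```

Running ssha_salt_length on the slide's own rootpw value gives 4, consistent with slappasswd; ssha_verify recomputes the digest from the stored salt, which is the same check slapd performs on a simple bind against a userPassword attribute.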

Conclusion

o LDAP can become the key of the information system

o LDAP is available on many types of platforms

o It can centralize information from different sources for different applications and different users

o It simplifies data management


Thanks for your attention ..