23/4/2001 LDAP Overview - HEPix - LAL 2001

LDAP Overview

HEPix – LAL, Apr. 2001
Michel Jouvin
jouvin@lal.in2p3.fr

Outline

• LDAP : What is it ?
• X500
  – A short history
  – Information model and naming
• LDAP
  – A short history
  – Search operation and filters
  – Access Control

LDAP : What Is It ?

• Lightweight Directory Access Protocol
  – An access protocol
  – Originally designed for X500 access
• Built on the X500 paradigm
  – Data abstraction
  – Hierarchical naming of entries
• Does not specify the server side

X500 : Historical Milestones…

• 1984 : Start of design as the OSI directory application
  – Driven by CCITT
• 1988 : X500 v1
  – Hierarchical organization and naming of data
  – Client/Server model
    • Client/Server protocol : DAP
    • Server/Server protocol : DSP
  – X509 v1 : authentication based on asymmetric encryption

… X500 : Historical Milestones

• 1993 : X500 v2
  – Addition of replication (shadowing) : DISP
• 1997 : X500 v3
  – X509 v3 : extension of X509 for certificates
• 2001 : X500 v4
  – X509 v4 : Enhanced handling of certificates and privilege management architecture

Information Model…

• Directory object = Entry
  – Defined by its attributes
  – Belongs to an object class
• Attributes : describe an entry's characteristics
  – Type/value pairs
  – Type : defines a syntax
  – Matching rules defined for each type
  – Support for multi-valued attributes

… Information Model

• Object Class
  – Defines a set of allowed/mandatory attributes
  – Inheritance (multiple) between object classes
• Schema : set of object classes for one purpose
  – Can restrict allowed attributes/syntaxes
  – Several standard schemas proposed
    • inetOrgPerson schema : to represent persons
    • Java Schema : to represent Java objects in LDAP

X500 Naming : DIT and DN…

[Figure : tree diagram of a sample DIT, not preserved in the transcript. Entries shown : C=US, C=FR, O=IN2P3, O=CEA, O=HEP, OU=LAL, OU=CC, CN=Jouvin. The RDNs labelled along the path to CN=Jouvin are RDN=FR, RDN=IN2P3, RDN=LAL, RDN=Jouvin.]

…X500 Naming : DIT and DN

• RDN : Relative Distinguished Name
  – Unique value for each entry at one DIT level
  – Built from attribute values of the entry
• DN : Distinguished Name
  – Concatenation of all RDNs from the root
  – Unique name of an entry in the DIT
  – Ex : Cn=Jouvin, OU=LAL, O=IN2P3, C=FR
• Alias : alternative designation for a DN

X500 Strengths…

• One DIT distributed on several servers
  – Ability to build a world-wide directory
  – Knowledge about information location is inside the directory
  – No need for the client to know every server
• Inter-server protocol (DSP)
  – Chaining of requests : transparent to the client, initial security level preserved
  – Referrals : the server to contact is returned to the client

… X500 Strengths

• Not bound to any particular data type
• Optimized for read/search operations
• Several authentication/security levels
  – Anonymous
  – Simple via clear text passwords
  – Strong via encryption/certificates
• Certificates/public key distribution (X509)
• Shadowing protocol (DISP)

LDAP History…

• Started at the end of the '80s at U. of Michigan
  – Small subset of DAP for search/retrieval
  – Use of TCP/IP instead of OSI
• 1993 : LDAP v2 (RFC 1487/1488)
  – Access protocol for X500 directories
    • Based on the X500 information model
  – Attributes represented as strings
    • Encoding rules defined for each type
  – Authentication : anonymous or plain text

… LDAP History

• 1997 : LDAP v3 (RFC 2251-2256)
  – Still based on the X500 information model
  – Allows for standalone LDAP servers
    • Introduction of referrals
  – No inter-server protocol like DSP
    • Shadowing not defined (proprietary solutions)
  – Rules for standard operation extensions
  – Authentication through SSL/TLS
  – LDAP URLs

LDAP Search Operations

• Very powerful - one of LDAP's strengths
• Can search one level or a subtree
  – Limits possible on the number of entries returned, the time spent searching entries…
• Selection of returned attributes
  – Ex : cn, telephoneNumber
• Selection of entries through filters
  – Interpreted according to the type's matching rules

LDAP Search Filters

• =, <=, >= : Ex : cn=Jouvin
• Substring match : * : Ex : cn=Jouvin*
• Attr. presence : * : Ex : telephoneNumber=*
• Approximate (similar sound) : ~=
  – cn~=Jouvin will match Jouvin and Jouvain
  – Several algorithms available
• Relational operators : !, &, |
  – Ex : (&(cn=Jouvin)(c=fr))
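The filter forms listed on this slide and the search slide before it can be exercised offline with the following evaluator. It is an added example, not code from the original slides: it parses the string filter syntax (equality, ordering, presence, substring, approximate, and the !, &, | operators) and applies it to a constructed set of in-memory entries. Matching is case-insensitive throughout (standing in for caseIgnoreMatch), the approximate rule uses difflib similarity as a stand-in for a server's phonetic algorithm, and ordering comparisons use plain string order; all three are assumptions of this example. The escape_filter_value helper shows the check a practitioner wants when a filter is built from user input: an unescaped `*` turns an equality test into a presence test that returns every entry.

```python
"""LDAP search filter evaluator (RFC 2254 string syntax) over in-memory entries.
Added example, not code from the original slides. Entries are dicts of attribute
name -> list of string values; matching is case-insensitive throughout."""
import difflib
import re

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)")

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d in %r" % (ch, i, s))

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next offset)."""
    _expect(s, i, "(")
    i += 1
    if i < len(s) and s[i] in "&|":            # (&(f1)(f2)...) and (|(f1)(f2)...)
        op, items, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        _expect(s, i, ")")
        return (op, items), i + 1
    if i < len(s) and s[i] == "!":             # (!(f))
        node, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("!", node), i + 1
    m = _ITEM.match(s, i)                       # attr OP value
    if not m:
        raise ValueError("bad filter item at offset %d in %r" % (i, s))
    end = s.find(")", m.end())                  # an unescaped ')' ends the value
    if end < 0:
        raise ValueError("unterminated filter item in %r" % s)
    return ("item", m.group(1).lower(), m.group(2), s[m.end():end]), end + 1

def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node

def _unescape(v):  # \HH escapes back to characters (ASCII only in this example)
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def escape_filter_value(v):
    """Escape a value before embedding it in a filter: '*', '(', ')', '\\' and NUL
    coming from user input then match literally instead of changing the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in v)

def _substring(parts, value):
    initial, final, middle = parts[0], parts[-1], parts[1:-1]
    if not value.startswith(initial):
        return False
    pos = len(initial)
    for piece in middle:
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return value.endswith(final) and len(value) - len(final) >= pos

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, op, raw = node
    values = [v.lower() for v in entry.get(attr, [])]
    if op == "=" and raw == "*":                # presence, e.g. telephoneNumber=*
        return bool(values)
    if op == "=" and "*" in raw:                # substring, e.g. cn=Jouvin*
        parts = [_unescape(p).lower() for p in raw.split("*")]
        return any(_substring(parts, v) for v in values)
    want = _unescape(raw).lower()
    if op == "=":
        return want in values
    if op == "~=":  # approximate match; difflib similarity is this example's stand-in
        return any(difflib.SequenceMatcher(None, want, v).ratio() >= 0.8 for v in values)
    if op == ">=":  # plain string order here; a server uses the type's ordering rule
        return any(v >= want for v in values)
    return any(v <= want for v in values)       # op == "<="

def search(entries, filter_text):
    """Return the DNs of the entries matching filter_text, in DN order."""
    node = parse_filter(filter_text)
    hits = []
    for e in entries:
        lowered = {k.lower(): ([v] if isinstance(v, str) else v) for k, v in e.items()}
        if matches(node, lowered):
            hits.append(e["dn"])
    return sorted(hits)

# Constructed sample entries (the phone numbers are dummies).
ENTRIES = [
    {"dn": "cn=Jouvin,ou=LAL,o=IN2P3,c=FR", "cn": ["Jouvin"], "c": ["FR"],
     "telephoneNumber": ["+33 1 00 00 00 01"]},
    {"dn": "cn=Jouvain,ou=LAL,o=IN2P3,c=FR", "cn": ["Jouvain"], "c": ["FR"]},
    {"dn": "cn=Martin,ou=CC,o=IN2P3,c=FR", "cn": ["Martin"], "c": ["FR"],
     "telephoneNumber": ["+33 4 00 00 00 02"]},
    {"dn": "cn=Smith,o=HEP,c=US", "cn": ["Smith"], "c": ["US"]},
]

if __name__ == "__main__":
    for f in ("(cn=Jouvin)", "(cn=Jouvin*)", "(telephoneNumber=*)", "(cn~=Jouvin)",
              "(&(cn=Jouvin)(c=fr))", "(cn=*)", "(cn=" + escape_filter_value("*") + ")"):
        print("%-28s -> %s" % (f, search(ENTRIES, f)))
```

The last two filters in the usage loop make the injection point concrete: `(cn=*)` returns all four entries, while the escaped form `(cn=\2a)` looks for a literal asterisk and returns none.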

LDAP Access Control Model

• Access to an entry controlled by ACLs
  – One ACL entry : ACI (Access Control Info)
    • Can specify access to one attribute (ex : compare on pwd)
  – Stored in a multi-valued attribute : ldapACI
  – Unordered interpretation
  – At each level of the DIT
  – Managed through standard operations on attributes

LDAP ACI Structure

• Each ldapACI combines
  – Subject : "user" identification
    • Combination of a DN and an authentication level
  – Rights
    • grant or deny
    • Permissions : add, modify, delete, read, search, compare, write…
  – Scope : one level or subtree
  – Attribute the ACI applies to, or [entry]

LDAP ACI Examples

• A group may read, search and compare an attribute in a subtree
  ldapACI: subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr
• The SysAdmins role can add entries in a subtree but only compare attribute attr2
  ldapACI: subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
  ldapACI: subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr
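The following added example (not the slides' code) parses ldapACI values in the four-field scope#rights#attribute#subject form shown above, collects the ACIs stored on a target entry and its ancestors, and decides a request; it also illustrates the DN/RDN decomposition from the naming slides, since deciding whether a subtree-scoped ACI reaches an entry means walking the DN one RDN at a time towards the root. The decision rules are assumptions of this example rather than the slides' statement: nothing is allowed unless some ACI grants it, an applicable deny overrides any grant, the "OID." prefix is taken to be followed by the attribute name, DNs compare case-insensitively after whitespace trimming, and the subject kinds access-id and public are added beside the slides' group and role. The DIRECTORY and Requester data are constructed; the entry-scoped deny on cn=Secret is not on the slides and is there only to show precedence.

```python
"""Evaluator for ldapACI values (scope#rights#attribute#subject). Added example, not
the slides' code; see the lead-in for the assumptions about how decisions combine."""
import re
from dataclasses import dataclass, field

def split_dn(dn):
    """Split a DN into normalized RDN strings, leaf first. Only the '\\,' escape is
    honoured; full RFC 2253 parsing is out of scope for this example."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def normalize_dn(dn):
    return ",".join(split_dn(dn))

def ancestors_and_self(dn):
    """The entry's DN, then each ancestor's DN up to the DIT root: a DN is the
    concatenation of RDNs, so dropping the leftmost RDN names the parent."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(len(rdns))]

@dataclass
class ACI:
    scope: str          # 'entry' (the holding entry only) or 'subtree'
    action: str         # 'grant' or 'deny'
    perms: frozenset    # permission letters, e.g. {'r', 's', 'c'}
    attr: str           # '[entry]' or an attribute name
    subject_kind: str   # 'group', 'role', 'access-id' or 'public'
    subject: str        # normalized DN, empty for 'public'

def parse_aci(value):
    """Parse one ldapACI value, e.g. 'subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,...'."""
    scope, rights, attr, subject = [f.strip() for f in value.split("#", 3)]
    action, _, perm_list = rights.partition(":")
    perms = frozenset(p.strip() for p in perm_list.split(",") if p.strip())
    if attr != "[entry]":
        attr = attr.lower()
        if attr.startswith("oid."):   # assumption: 'OID.' is followed by the attribute name
            attr = attr[4:]
    kind, _, subject_dn = subject.partition(":")
    return ACI(scope.lower(), action.strip().lower(), perms, attr,
               kind.strip().lower(), normalize_dn(subject_dn) if subject_dn else "")

@dataclass
class Requester:
    dn: str
    groups: set = field(default_factory=set)   # DNs of groups the bound user belongs to
    roles: set = field(default_factory=set)    # DNs of roles the bound user holds

def subject_matches(aci, who):
    if aci.subject_kind == "public":
        return True
    if aci.subject_kind == "access-id":
        return normalize_dn(who.dn) == aci.subject
    if aci.subject_kind == "group":
        return aci.subject in {normalize_dn(g) for g in who.groups}
    if aci.subject_kind == "role":
        return aci.subject in {normalize_dn(r) for r in who.roles}
    return False

def applicable_acis(directory, target_dn):
    """ACIs stored on the target entry or on an ancestor whose scope reaches the target."""
    target = normalize_dn(target_dn)
    for holder in ancestors_and_self(target):
        for value in directory.get(holder, []):
            aci = parse_aci(value)
            if aci.scope == "subtree" or holder == target:
                yield aci

def is_allowed(directory, target_dn, who, perm, attr=None):
    """Decide one request: perm is a permission letter, attr is None for entry-level
    operations such as add. Default deny; an applicable deny overrides grants."""
    wanted = "[entry]" if attr is None else attr.lower()
    granted = False
    for aci in applicable_acis(directory, target_dn):
        if aci.attr != wanted or perm not in aci.perms or not subject_matches(aci, who):
            continue
        if aci.action == "deny":
            return False
        granted = granted or aci.action == "grant"
    return granted

# Constructed directory: the slides' ACIs stored on ou=lal, plus one entry-scoped
# deny (not on the slides) to show precedence. Keys are normalized DNs.
DIRECTORY = {
    "ou=lal,o=in2p3,c=fr": [
        "subtree#grant:r,s,c#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
        "subtree#grant:a#[entry]#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
        "subtree#grant:c#OID.attr2#role:cn=SysAdmins,ou=lal,o=in2p3,c=fr",
    ],
    "cn=secret,ou=lal,o=in2p3,c=fr": [
        "entry#deny:r#OID.attr1#group:cn=Atlas,ou=lal,o=in2p3,c=fr",
    ],
}
ATLAS_MEMBER = Requester("cn=Jouvin,ou=LAL,o=IN2P3,c=FR",
                         groups={"cn=Atlas,ou=LAL,o=IN2P3,c=FR"})
SYSADMIN = Requester("cn=Martin,ou=CC,o=IN2P3,c=FR",
                     roles={"cn=SysAdmins,ou=LAL,o=IN2P3,c=FR"})

if __name__ == "__main__":
    print(ancestors_and_self("Cn=Jouvin, OU=LAL, O=IN2P3, C=FR"))
    print(is_allowed(DIRECTORY, "cn=Jouvain,ou=LAL,o=IN2P3,c=FR", ATLAS_MEMBER, "r", "attr1"))
    print(is_allowed(DIRECTORY, "cn=Secret,ou=LAL,o=IN2P3,c=FR", ATLAS_MEMBER, "r", "attr1"))
    print(is_allowed(DIRECTORY, "cn=New,ou=LAL,o=IN2P3,c=FR", SYSADMIN, "a"))
```

Because the ACIs are interpreted without order, the evaluator scans every applicable ACI and lets any deny settle the answer; the same requester who can read attr1 everywhere under ou=lal is refused on cn=Secret, while the SysAdmins role gets add on entries but only compare, never read, on attr2, as the slide states.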

How to locate an LDAP server ?

• A client should need to know only one server
  – Knowledge must be "served"
  – No one standard agreed upon
• Knowledge inside the LDAP server
  – Based on the use of referrals
  – Not well standardized for superior references
• Use of DNS SRV records
  – Approach used by Microsoft in ActiveDirectory

Who Speaks LDAP ? (server)

• Almost any distributed directory
  – X500 (93 and later)
  – Microsoft ActiveDirectory (W2000)
  – Novell NDS
• Standalone LDAP servers
  – Netscape iPlanet
  – OpenLDAP : OSS successor to the Univ. of Michigan server
  – PMDF…

Who Speaks LDAP ? (Clients)

• Almost any mail client
  – One popular client still v2 : Pine
• Web browsers
  – LDAP URLs
  – Through servlets in PHP, Java, Perl…
• PGP clients
  – Public/private keys

Issues with Standalone LDAP

• No chaining, referrals only in v3
  – Popular mail clients like Pine or Netscape < 4.7 are v2
  – Knowledge about servers inside the v2 client : difficult to maintain when the infrastructure changes
• Request routing between servers
  – No standard on how to locate a server
• No shadowing protocol
  – Proprietary solutions
    • Generally based on SLURPD from Univ. of Michigan