LDAP - PowerPoint PPT Presentation

Slides: 20
Provided by: condor2
Transcript and Presenter's Notes

Title: LDAP


1
LDAP
  • Jianwen Luo
  • School of CTI, Depaul Univ.
  • Oct.23, 1998

2
What is LDAP ?
  • LDAP is the abbreviation of Lightweight Directory
    Access Protocol.
  • It is a standard protocol used by applications to
    access information in a directory.
  • Vs. DAP (Directory Access Protocol), the underlying
    protocol of X.500.

3
What does directory mean here?
  • The directory here means a type of database that
    has been optimized for searching and retrieving
    structured data.
  • Most commonly, directories are used to store
    information about user profiles, such as user
    names and permissions.

4
Why LDAP is necessary ?
  • Traditionally, every department has its own user
    database.
  • A user has more accounts today: email, web, Unix,
    NT, ...
  • How to synchronize the user info when a user's
    work is related to more than one department?
  • When an Intranet/Extranet is used, how to
    efficiently control user access?

5
Why LDAP is necessary -2 ?
  • How to identify resources over the network?
  • Vs. DNS: too simple, only includes host
    information.
  • NDS: not natively based on TCP/IP, vendor
    supplied.
  • X.500: too complicated, requires an OSI stack.

6
History of LDAP
  • X.500: complex, using OSI.
  • LDAP version 1, RFC 1487, 1993:
  • the client interacts with an LDAP service which
    interacts with one or more X.500 servers.
  • LDAP version 2, RFC 1777, 1995:
  • LDAP servers could run independently of X.500.
  • LDAP version 3, RFC 2251, 1997:
  • communication between master servers;
  • referral capability.

7
Protocol Model of LDAP 3
  • Client/Server structure.
  • Objective: minimize the complexity of clients.

8
Data Model of LDAP 3 -2
  • DIT (Directory Information Tree)
  • Entry: the tree is made of entries.
  • DN (Distinguished Name): a set of attribute/value
    pairs which uniquely identifies an object.
  • RDN (Relative Distinguished Name)
  • Naming Context

9
Data Model of LDAP 3 -2
  • DIT tree

10
Attributes of Entries
  • Entries consist of a set of attributes.
  • An attribute is a type with one or more
    associated values.
  • An attribute type is identified by a short
    descriptive name and an object identifier.
  • The attribute type, identified by its object
    identifier, decides what kind of values you
    can have.

11
Elements of Protocol
  • The LDAP protocol is described using ASN.1
    (Abstract Syntax Notation One).
  • All protocol operations are encapsulated in a
    common envelope, the LDAPMessage.

12
LDAP message envelope
    LDAPMessage ::= SEQUENCE {
        messageID       MessageID,
        protocolOp      CHOICE {
            bindRequest     BindRequest,
            bindResponse    BindResponse,
            unbindRequest   UnbindRequest,
            searchRequest   SearchRequest,
            searchResEntry  SearchResultEntry,
            searchResDone   SearchResultDone,
            searchResRef    SearchResultReference,
            modifyRequest   ModifyRequest,
            modifyResponse  ModifyResponse,
            addRequest      AddRequest,
            addResponse     AddResponse,
            delRequest      DelRequest,
            delResponse     DelResponse,
            modDNRequest    ModifyDNRequest,

13
Message ID
  • For outstanding messages, the message ID is
    unique.
  • Result message:
    LDAPResult ::= SEQUENCE {
        resultCode      ENUMERATED,
        matchedDN       LDAPDN,
        errorMessage    LDAPString,
        referral        Referral OPTIONAL }

14
Applications (actions)
  • Search
  • Add
  • Delete
  • Modify
  • Compare
  • Bind: allows authentication information to be
    exchanged between client and server
  • Unbind

15
Authentication and security
  • Authentication choice: simple (clear-text
    password)
  • SASL (Simple Authentication and Security Layer,
    RFC 2222)
  • allows integrity and privacy services to be
    negotiated.
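The envelope of slide 12, the LDAPResult of slide 13 and the simple bind of slides 14 and 15 put together, as an added example that is not part of the original presentation: a minimal BER encoder and decoder for an LDAPv3 simple BindRequest and its BindResponse. Every byte is constructed in code, nothing is captured from a real server, and the DN and password used in the comments are made up.

```python
# Added example, not from the slides: hand-built LDAPv3 BER bytes (constructed, not captured).

def ber_len(n: int) -> bytes:
    # Definite-form length: short form below 128, long form (0x80 | byte count) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value  # one tag-length-value element

def ber_int(n: int) -> bytes:
    # INTEGER for non-negative n: minimal two's-complement body (leading 0x00 when top bit set).
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID MessageID, protocolOp CHOICE { ... } }
    return tlv(0x30, ber_int(message_id) + protocol_op)

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    # BindRequest [APPLICATION 0]: version 3, name LDAPDN, authentication simple [0] OCTET STRING.
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(message_id, tlv(0x60, body))

def bind_response(message_id: int, code: int, matched_dn: str = "", error: str = "") -> bytes:
    # BindResponse [APPLICATION 1] = LDAPResult { resultCode, matchedDN, errorMessage }; referral omitted.
    result = tlv(0x0A, bytes([code])) + tlv(0x04, matched_dn.encode()) + tlv(0x04, error.encode())
    return ldap_message(message_id, tlv(0x61, result))

def parse_tlv(buf: bytes, pos: int = 0):
    # Return (tag, value, offset of the next element) for the element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> dict:
    # Peel the envelope, then the LDAPResult fields listed on slide 13 (referral not handled).
    tag, seq, _ = parse_tlv(msg)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, mid, pos = parse_tlv(seq)
    tag, result, _ = parse_tlv(seq, pos)
    assert tag == 0x61, "protocolOp is not a BindResponse"
    _, code, pos = parse_tlv(result)
    _, matched, pos = parse_tlv(result, pos)
    _, error, _ = parse_tlv(result, pos)
    return {"messageID": int.from_bytes(mid, "big"), "resultCode": code[0],
            "matchedDN": matched.decode(), "errorMessage": error.decode()}
```

The encoded request contains the password bytes verbatim (`b"secret" in simple_bind_request(1, "cn=admin,dc=example,dc=com", "secret")` is True), which is exactly what the slide means by a clear-text password. Only a protected transport such as the LDAP over SSL of the next slide, or a SASL mechanism that negotiates privacy, keeps those bytes from anyone on the network path.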

16
Where do you go tomorrow?
  • LDAP over SSL, Netscape extension.
  • Replication support, Netscape extension.
  • More complex.
  • From lightweight to middleweight.

18
Netscape Directory Server 3.1 configuration -1

19
Advanced configuration of Directory Server