Lecture #11: User Authentication and Directory Services (Network Security Course)

Upload: maryann-harmon

Post on 14-Dec-2015


1

Lecture #11: User Authentication and Directory Services

Network Security Course

2

History of LDAP

X.500

- Collective name given to a series of standards produced by the ISO/ITU-T.
- Defines the protocol and information model for a global directory service.
- Independent of computing application and network platform.
- DAP (Directory Access Protocol) - part of the X.500 directory standard - used by clients to access the directory.

3

Introduction of LDAP

- LDAP = Lightweight Directory Access Protocol
- Based on the X.500 Directory Service (RFC 1777)
- Stores attribute-based data
- Data is generally read more than written
- No transactions, no rollback
- Client-server model
- Based on entries: an entry is a collection of attributes and has a distinguished name (DN) - like a domain name

4

Why use LDAP

- Centrally manage users, groups and other data
- No need to manage a separate directory for each application - stops the "N + 1 directory problem"
- Distribute management of data to the appropriate people
- Allow users to find the data they need
- Not locked into a particular server
- Ability to distribute servers to where they are needed

5

LDAP vs Databases

- Read-write ratio - LDAP is read optimised
- Extensibility - LDAP schemas are more easily changed
- Distribution - with LDAP, data can be near where it is needed
- Replication - with LDAP, data can be stored in multiple locations
- Different performance - databases are generally deployed for a limited number of applications

6

LDAP vs Databases cont

- Transaction model - LDAP transactions are simple, usually changing one entry; databases can modify much more
- Size of information - LDAP is better at storing small bits of information
- Type of information - LDAP stores information in attributes
- Standards are more important for directories - LDAP clients can talk to any LDAP server, but a database client can only talk to the database it was designed for

7

Acronyms

- LDAP: Lightweight Directory Access Protocol
- DN: Distinguished Name
- RDN: Relative Distinguished Name
- DIT: Directory Information Tree
- LDIF: LDAP Data Interchange Format
- OID: Object Identifier

8

Namespaces - Hierarchical

9

Namespaces cont

The directory tree is similar to a Unix file system, with some differences:

- No root entry in LDAP
- Each entry in LDAP can both contain data and be a container
- In Unix, an entry is either a file or a directory - not both
- LDAP distinguished names are read from bottom to top (leaf first), Unix file system paths from top to bottom (root first)
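To make the "bottom to top" reading concrete, here is an added example (not from the lecture slides) that splits a DN into its RDNs, renders it as a Unix-style path, finds an entry's container, and tests whether one entry lies above another in the DIT. The DNs used are constructed; the helpers skip the per-schema case and whitespace normalisation a real server applies.

```python
# Added example (not from the lecture slides): how an LDAP distinguished name
# maps onto the directory tree compared with a Unix path. The DN is read
# leaf-first (bottom to top); a Unix path is read root-first.

def split_dn(dn):
    """Split a DN into its RDNs (leaf first), honouring backslash-escaped commas.
    Case/whitespace normalisation per the schema is left out for brevity."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                  # the character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":              # an unescaped comma separates RDNs
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def dn_to_path(dn):
    """Render a DN as a Unix-style path: root first, leaf last."""
    return "/" + "/".join(reversed(split_dn(dn)))


def parent_dn(dn):
    """The container of an entry is its DN with the leftmost RDN removed;
    a top-level entry has no parent (LDAP has no root entry)."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else ""


def is_ancestor(container, entry):
    """True if `container` lies above `entry` in the DIT. Comparing RDN lists
    rather than string suffixes keeps 'o=foo' from matching 'cn=x,o=foo-bar',
    a mistake that matters when DNs drive access-control decisions."""
    c, e = split_dn(container), split_dn(entry)
    return len(c) < len(e) and e[-len(c):] == c


if __name__ == "__main__":
    dn = "uid=barney,dc=bar,dc=com"      # constructed DN
    print(dn, "->", dn_to_path(dn))      # /dc=com/dc=bar/uid=barney
    print("parent:", parent_dn(dn))       # dc=bar,dc=com
```

The `is_ancestor` check is the one to copy if you ever grant access "to everything under ou=people": a plain `endswith` would also match a sibling subtree whose name merely shares the same tail.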

10

Global View

11

LDAP Entry

- Entries are composed of attributes
- Attributes consist of types with multiple values
- The type describes what the information is
- The value is the actual information, in text format
- Attributes have a syntax which specifies what type of data they hold - see Schema later on
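The entry model above (a DN plus attributes, each with a type and one or more text values, each type bound to a syntax) is exactly what LDIF serialises. As an added example that is not from the slides, here is a small LDIF parser producing that structure, with a toy schema of two syntax checks standing in for the real schema; the sample LDIF and the entries in it are constructed.

```python
import base64
import re

# Constructed sample LDIF (not from the slides): two entries, one with a
# multi-valued attribute (mail) and a base64-encoded value (the "::" form),
# the other with a value that breaks its attribute's syntax.
SAMPLE_LDIF = """\
dn: uid=barney,dc=bar,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Barney Rubble
sn: Rubble
uid: barney
uidNumber: 1001
mail: barney@bar.com
mail: barney.rubble@bar.com
description:: QmVkcm9jayBxdWFycnkgd29ya2Vy

dn: uid=fred,dc=bar,dc=com
objectClass: inetOrgPerson
cn: Fred Flintstone
sn: Flintstone
uid: fred
uidNumber: not-a-number
"""

# A stand-in for the schema's syntax rules (the real ones come from the
# schema entries the slides cover later): attribute type -> value check.
SYNTAX_CHECKS = {
    "uidnumber": lambda v: v.isdigit(),
    "mail": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+", v) is not None,
}


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {type: [value, ...]}) entries.
    Attribute type names are case-insensitive, so they are lower-cased."""
    unfolded = []
    for line in text.splitlines():           # a leading space continues the previous line
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, attrs, dn = [], {}, None
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "type:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def syntax_violations(entry):
    """Return (type, value) pairs in `entry` that fail the toy syntax checks;
    a real server would refuse the add/modify with invalidAttributeSyntax."""
    _, attrs = entry
    return [(t, v) for t, values in attrs.items()
            if t in SYNTAX_CHECKS for v in values if not SYNTAX_CHECKS[t](v)]


if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, attrs.get("mail"), syntax_violations((dn, attrs)))
```

Two things the slide's bullets imply but do not spell out show up in the output: the same type (`mail`, `objectClass`) simply collects several values, and a value that does not match the type's syntax is rejected at the schema layer before it ever reaches the database.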

12

Referrals

1. Client requests information
2. Server 1 returns a referral to server 2
3. Client resends the request to server 2
4. Server 2 returns the information to the client
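The four steps above, as an added example that is not part of the slides: two toy in-memory "servers" stand in for server 1 and server 2, and a client follows the referral. The hostnames, DNs and data are constructed. The client also tags each request with a message id and gives up after a fixed number of hops, which is how a real client keeps a misconfigured or hostile referral chain from making it loop forever.

```python
# Added example (not from the slides): a client following an LDAP referral
# between two toy servers. Hostnames, DNs and entry data are constructed.

RESULT, REFERRAL = "result", "referral"


class ToyServer:
    def __init__(self, name, entries, referrals):
        self.name = name
        self.entries = entries        # DN -> attributes held on this server
        self.referrals = referrals    # DN suffix -> hostname that holds that subtree

    def search(self, msg_id, dn):
        """Answer a base-scope lookup; the reply echoes the request's message id."""
        if dn in self.entries:
            return {"id": msg_id, "kind": RESULT, "data": self.entries[dn]}
        for suffix, host in self.referrals.items():
            if dn == suffix or dn.endswith("," + suffix):
                return {"id": msg_id, "kind": REFERRAL, "url": f"ldap://{host}/{dn}"}
        return {"id": msg_id, "kind": RESULT, "data": None}   # no such entry


class ToyClient:
    def __init__(self, servers, max_hops=3):
        self.servers, self.max_hops = servers, max_hops
        self.next_id = 1          # LDAP message ids are a per-connection counter
        self.contacted = []       # hosts contacted, kept for inspection

    def lookup(self, host, dn):
        """Steps 1-4 of the slide, repeated while servers keep referring us on."""
        for _ in range(self.max_hops + 1):
            msg_id, self.next_id = self.next_id, self.next_id + 1
            self.contacted.append(host)
            reply = self.servers[host].search(msg_id, dn)
            if reply["id"] != msg_id:
                raise RuntimeError("reply id does not match the request")
            if reply["kind"] == RESULT:
                return reply["data"]
            host = reply["url"][len("ldap://"):].split("/", 1)[0]   # follow the referral
        raise RuntimeError(f"gave up after {self.max_hops} referrals")


def build_demo():
    server1 = ToyServer("ldap1.bar.com", {"dc=bar,dc=com": {"dc": ["bar"]}},
                        {"ou=people,dc=bar,dc=com": "ldap2.bar.com"})
    server2 = ToyServer("ldap2.bar.com",
                        {"uid=barney,ou=people,dc=bar,dc=com": {"uid": ["barney"]}}, {})
    looper = ToyServer("loop.bar.com", {}, {"dc=com": "loop.bar.com"})  # refers to itself
    return ToyClient({s.name: s for s in (server1, server2, looper)})


def referral_loop_is_cut(client):
    """True when the client gives up on a self-referring server instead of looping."""
    try:
        client.lookup("loop.bar.com", "cn=x,dc=com")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    client = build_demo()
    print(client.lookup("ldap1.bar.com", "uid=barney,ou=people,dc=bar,dc=com"))
    print("servers contacted:", client.contacted)
    print("loop cut:", referral_loop_is_cut(client))
```

The hop limit matters operationally: a referral is just a URL the server hands back, so a client that followed referrals without limit would trust every server in the chain to terminate it.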

13

LDAP Servers

- Slapd (University of Michigan)
- OpenLDAP
- Netscape Directory Server
- Microsoft Active Directory (AD)
- Microsoft Exchange (interface only)
- Novell Directory Services (NDS)
- Lotus Domino (interface only)
- Sun Directory Services (SDS)
- Lucent's Internet Directory Server (IDS)

14

OpenLDAP

- Based on the UMich LDAP server
- Available from http://www.openldap.org/
- Versions:
  - Historic: 1.2.13 - implements LDAPv2
  - Stable: 2.0.25 - implements LDAPv3
  - Release: 2.1.12 - implements LDAPv3 and other features

15

LDAP slapd architecture

- LDAP daemon called slapd
- Choice of databases:
  - LDBM - high performance disk based db
  - SHELL - db interface to unix commands
  - PASSWORD - simple password file db
  - SQL - mapping SQL to LDAP (in OpenLDAP 2.x)
- Multiple database instances
- Access control
- Threaded
- Replication

16

LDAP slapd architecture

17

Using LDAP in Applications

18

Using Multiple Applications

19

LDAP URLs

Definition taken from RFC 1959:

  <ldapurl> ::= "ldap://" [ <hostport> ] "/" <dn> [ "?" <attributes> [ "?" <scope> "?" <filter> ] ]
  <hostport> ::= <hostname> [ ":" <portnumber> ]
  <dn> ::= a string as defined in RFC 1485
  <attributes> ::= NULL | <attributelist>
  <attributelist> ::= <attributetype> | <attributetype> [ "," <attributelist> ]
  <attributetype> ::= a string as defined in RFC 1777
  <scope> ::= "base" | "one" | "sub"
  <filter> ::= a string as defined in RFC 1558

20

LDAP URL examples

  ldap://foo.bar.com/dc=bar,dc=com
  ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney
  ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney
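As an added example (not from the slides), a parser for the grammar on the previous slide, run over the three URLs above plus a constructed fourth one that uses the host-less and percent-encoded forms. It applies the defaults RFC 1959 specifies when a part is omitted: all attributes, scope `base`, filter `(objectClass=*)`. The function names are my own.

```python
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split an LDAP URL into the parts of the RFC 1959 grammar and apply its
    defaults: no attribute list means all attributes, no scope means 'base',
    no filter means '(objectClass=*)'. Raises ValueError on malformed input."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    hostport, slash, path = url[len("ldap://"):].partition("/")
    if not slash:
        raise ValueError("missing '/' before the DN")
    host, _, port = hostport.partition(":")
    parts = path.split("?", 3)                 # dn ? attributes ? scope ? filter
    parts += [""] * (4 - len(parts))
    dn, attributes, scope, filt = parts
    if scope and scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    return {
        "host": host or None,                   # empty host: client picks a server
        "port": int(port) if port else 389,     # non-numeric port raises ValueError
        "dn": unquote(dn),
        "attributes": [a for a in attributes.split(",") if a],   # [] means all
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def is_valid_ldap_url(url):
    """Convenience wrapper for callers that only need accept/reject."""
    try:
        parse_ldap_url(url)
    except ValueError:
        return False
    return True


# The three examples from the slide, plus a constructed fourth one.
SLIDE_URLS = [
    "ldap://foo.bar.com/dc=bar,dc=com",
    "ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney",
    "ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney",
    "ldap:///dc=bar,dc=com?cn,mail?one?(cn=Barney%20Rubble)",
]

if __name__ == "__main__":
    for u in SLIDE_URLS:
        print(parse_ldap_url(u))
```

Note that the parser only splits the URL; the filter string comes back verbatim. An application that builds such URLs or filters from user input has to escape the input per the filter syntax before concatenating it, otherwise the user controls the search.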

21

LDAPv3

- Internationalisation - using UTF-8
- Referrals
- Security
- Extensibility
- Feature and schema discovery:
  - LDAPv3 servers have a directory entry called the root DSE (Directory Server Entry)
  - Contains: protocol supported, schemas, other useful info

22

LDAP slurpd architecture

- Replication daemon called slurpd
- Frees slapd from worrying about hosts being down etc.
- Communicates with slapd through a text file

23

Active Directory and LDAP

Provides a directory for a Microsoft network:

- Central management
- Central security
- Central user administration
- Integrates with DNS
- Information replication
- Provides all the services a domain controller did

24

LDAP Protocol

- Uses the client-server model
- Message-oriented protocol - the client sends messages to the server and gets replies
- Can issue multiple requests at once - each response carries a message id to identify it
- 9 basic protocol operations - interrogation, update and authentication
- LDAPv3 provides extended operations and controls
- Uses a simplified version of the Basic Encoding Rules (BER) - not plain text
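"Not plain text" is worth seeing in bytes. The following is an added example, not from the slides: a minimal BER encoder for an LDAPv3 simple bind request using the tags defined in RFC 4511 (LDAPMessage is a SEQUENCE, tag 0x30; BindRequest is [APPLICATION 0] constructed, tag 0x60; the simple credential is [0] context-specific, tag 0x80), together with a generic TLV decoder. The message id, DN and password are constructed values. The decoder needs no key, which is the point: BER is framing, not confidentiality, so a simple bind exposes the password to anyone on the path unless the connection is protected by TLS (LDAPS or StartTLS) or a SASL mechanism is used instead.

```python
# Added example (not from the slides): BER encoding of an LDAPv3 simple bind
# request (RFC 4511 tags) and a generic TLV walk back out of the bytes.

def ber_length(n):
    """Definite-form length: one byte below 128, else 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag-Length-Value: all of BER is nested instances of this."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n):
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    if n < 0:
        raise ValueError("negative integers are not needed here")
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def simple_bind_request(message_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest { version, name, simple } }"""
    bind = ber_integer(version) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_integer(message_id) + tlv(0x60, bind))


def decode_tlvs(data):
    """Return a list of (tag, value) from a BER byte string, recursing into
    constructed tags (bit 0x20 set). No key involved: BER is only framing."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:                            # long-form length
            count = first & 0x7F
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        else:
            length = first
        value = data[i:i + length]
        i += length
        out.append((tag, decode_tlvs(value) if tag & 0x20 else value))
    return out


def find_simple_password(decoded):
    """Pull the [0] simple credential out of a decoded bind request."""
    for tag, value in decoded:
        if tag == 0x80:
            return value.decode()
        if isinstance(value, list):
            found = find_simple_password(value)
            if found is not None:
                return found
    return None


if __name__ == "__main__":
    msg = simple_bind_request(1, "cn=admin,dc=bar,dc=com", "secret")   # constructed
    print(msg.hex())
    print("credential recoverable from the bytes:", find_simple_password(decode_tlvs(msg)))
```

For detection purposes the same structure is useful the other way round: a bind request whose [0] credential is non-empty on a port 389 connection that never negotiated StartTLS is a cleartext password on the wire, and that is something a network sensor can flag.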

25

Why have a Directory Service?

- Simplifies management. Provides a single, consistent point of management for users, applications, and devices.
- Strengthens security. Provides users with a single sign-on to network resources and provides administrators with powerful and consistent tools to manage security services for internal desktop users, remote dial-up users, and external e-commerce customers.
- Extends interoperability. Supplies standards-based access to all Directory features as well as synchronization support for popular directories.

26

What is Active Directory?

- Provides a single point of management for Windows-based user accounts, clients, servers, and applications.
- Integrates systems not using Windows with Windows-based applications and Windows-compatible devices, thus consolidating directories and easing management of the entire network operating system.
- Extends systems securely to the Internet.

27

Usage of Active Directory

28

How Does Active Directory Work?

- Hierarchical organization
- Object-oriented storage
- Multi-master replication

29

What Are the Benefits of Active Directory? (1)

- Simplifies management tasks.
  - Eliminates redundant management tasks. Provides a single point of management for Windows user accounts, clients, servers, and applications as well as the ability to synchronize with existing directories.
  - Reduces trips to the desktop. Automatically distributes software to users based on their role in the company, reducing or eliminating multiple trips that system administrators need to make for software installation and configuration.
  - Better maximizes IT resources. Securely delegates administrative functions to all levels of an organization.
  - Lowers total cost of ownership (TCO). Simplifies the management and use of file and print services by making network resources easier to find, configure, and use.
- Strengthens network security.
- Makes use of existing systems through interoperability.

30

What Are the Benefits of Active Directory? (2)

- Simplifies management tasks.
- Strengthens network security.
  - It improves password security and management, by providing single sign-on to network resources with integrated, high-powered security services that are transparent to end users.
  - It ensures desktop functionality, by locking down desktop configurations and preventing access to specific client machine operations, such as software installation or registry editing, based on the role of the end user.
  - It speeds e-business deployment, by providing built-in support for secure Internet-standard protocols and authentication mechanisms such as Kerberos, public key infrastructure (PKI) and Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL).
  - It tightly controls security, by setting access control privileges on directory objects and the individual data elements that make them up.
- Makes use of existing systems through interoperability.

31

What Are the Benefits of Active Directory? (3)

- Makes use of existing systems through interoperability.
  - Takes advantage of existing investments and ensures flexibility. Standards-based interfaces to all features make use of investments and ensure flexibility for future applications and infrastructure.
  - Consolidates management of multiple application directories. Using open interfaces, connectors, and synchronization mechanisms, organizations can consolidate directories including Novell's NDS, LDAP, ERP, e-mail, and other mission-critical applications.
  - Allows organizations to deploy directory-enabled networking. Network devices from leading vendors such as Cisco and 3COM can use the directory to let administrators assign quality of service and allocate network bandwidth to users based on their role in the company.
  - Allows organizations to develop and deploy directory-enabled applications. Using the fully extensible directory architecture, developers can build applications that deliver functionality tailored to the needs of the end user.

32

Cross-Platform Authentication

The aim of cross-platform authentication is to have a single, centralized password database that can be used to authenticate users on both Unix and Windows, and perhaps even other systems such as Macintosh or NetWare.

33

ADS limitation on Cross Platform

- The Microsoft clients for Windows 2000 and XP are specific to authenticating against a Microsoft Active Directory server.
- AD clients are only available on Windows 2000 and Windows XP.
- AD Server only runs on Windows 2000 Server.

34

LDAP Alternatives

- OpenLDAP: an excellent authentication system for Linux clients; however, Microsoft clients will not be able to authenticate to it.
- iPlanet Directory Service: runs on Windows, Linux and Solaris systems. Although the iPlanet directory server contains a Windows NT to LDAP password synchronisation system, direct authentication to the iPlanet directory server is not possible from Windows systems.
- NDS: Novell's directory service.

35

MKS AD4Unix

- Plug-in extension for Microsoft's Active Directory Server that enables Unix-related authentication and user information to be stored in Active Directory.
- AD4Unix includes a schema update and an extension to Microsoft's User & Group manager (part of the Active Directory administration interface, which is in turn part of the Microsoft Management Console).

36

Authentication in Windows 2000

- Kerberos Version 5. The Kerberos version 5 authentication protocol is the default for network authentication on computers with Windows 2000.
- Windows NT LAN Manager (NTLM). The NTLM protocol was the default for network authentication in the Windows NT 4.0 operating system. It is retained in Windows 2000 for compatibility with downlevel clients and servers. NTLM is also used to authenticate logons to standalone computers with Windows 2000.

37

Benefits of Kerberos Authentication (1)

More efficient authentication to servers. With NTLM authentication, an application server must connect to a domain controller in order to authenticate each client. With Kerberos authentication, the server does not need to go to a domain controller. It can authenticate the client by examining credentials presented by the client. Clients can obtain credentials for a particular server once and reuse them throughout a network logon session.

Mutual authentication. NTLM allows servers to verify the identities of their clients. It does not allow clients to verify a server’s identity, or one server to verify the identity of another. NTLM authentication was designed for a network environment in which servers were assumed to be genuine. The Kerberos protocol makes no such assumption. Parties at both ends of a network connection can know that the party on the other end is who it claims to be.
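The two benefits above (the server verifies the client without contacting a domain controller, and the client in turn verifies the server) follow from how the ticket is built. The following added example, which is not from the slides and not Microsoft's implementation, models that exchange: a KDC issues a service ticket once, the service checks it with nothing but its own long-term key, and its reply under the session key is what lets the client tell a genuine server from an impostor. Everything here is an assumption for illustration: the principal names and keys are constructed, a stdlib encrypt-then-MAC construction (SHA-256 keystream plus HMAC) stands in for a real Kerberos enctype, and the initial AS exchange that authenticates the client to the KDC is omitted.

```python
import hashlib, hmac, json, secrets, time

# Toy authenticated encryption (stdlib only). Stands in for a Kerberos enctype;
# the keystream construction is for illustration, not for production use.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under `key`."""
    plain = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Return the object, or None if the MAC fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key and issues service tickets.
    (The AS exchange / TGT that authenticates the client first is omitted.)"""
    def __init__(self, keys, lifetime=300):
        self.keys, self.lifetime, self.issued = keys, lifetime, 0
    def ticket_for(self, client, service, now):
        self.issued += 1
        session = secrets.token_bytes(32).hex()
        # Ticket: readable only by the service. Reply: readable only by the client.
        ticket = seal(self.keys[service], {"client": client, "key": session,
                                           "expires": now + self.lifetime})
        return seal(self.keys[client], {"key": session, "ticket": ticket.hex()})

class Service:
    def __init__(self, name, key, skew=300):
        self.name, self.key, self.skew = name, key, skew
    def accept(self, ticket, authenticator, now):
        """Verify the client using the ticket and our own key only: no trip to
        the KDC. Returns the mutual-authentication reply, or None on failure."""
        t = unseal(self.key, ticket)
        if t is None or t["expires"] < now:
            return None
        session = bytes.fromhex(t["key"])
        a = unseal(session, authenticator)
        if a is None or a["client"] != t["client"] or abs(a["ts"] - now) > self.skew:
            return None
        # Echoing the client's timestamp under the session key proves we could
        # open the ticket, i.e. that we hold the genuine service key.
        return seal(session, {"ts": a["ts"], "service": self.name})

class Client:
    def __init__(self, name, key):
        self.name, self.key, self.creds = name, key, {}
    def get_credentials(self, kdc, service, now):
        r = unseal(self.key, kdc.ticket_for(self.name, service, now))
        self.creds[service] = (bytes.fromhex(r["key"]), bytes.fromhex(r["ticket"]))
    def authenticate(self, service, now):
        """True only if the service proved it knows the session key (mutual auth)."""
        session, ticket = self.creds[service.name]
        reply = service.accept(ticket, seal(session, {"client": self.name, "ts": now}), now)
        r = unseal(session, reply) if reply is not None else None
        return r is not None and r["ts"] == now and r["service"] == service.name

def run_demo():
    """Constructed principals and keys; returns (genuine service accepted twice,
    impostor rejected, stale authenticator rejected, KDC requests for two logons)."""
    keys = {"barney": secrets.token_bytes(32), "fileserver": secrets.token_bytes(32)}
    kdc, barney = KDC(keys), Client("barney", keys["barney"])
    fileserver = Service("fileserver", keys["fileserver"])
    impostor = Service("fileserver", secrets.token_bytes(32))   # lacks the real key
    now = int(time.time())
    barney.get_credentials(kdc, "fileserver", now)
    first, second = barney.authenticate(fileserver, now), barney.authenticate(fileserver, now + 60)
    session, ticket = barney.creds["fileserver"]
    stale = fileserver.accept(ticket, seal(session, {"client": "barney", "ts": now - 3600}), now)
    return first and second, not barney.authenticate(impostor, now), stale is None, kdc.issued

if __name__ == "__main__":
    print(run_demo())   # (True, True, True, 1)
```

Three points from the slide are visible in the return value: the service never calls the KDC, the credentials obtained once serve two logons (one KDC request), and an "impostor" that cannot open the ticket cannot produce the reply, so the client rejects it. The timestamp check in the authenticator is the reason Kerberos deployments need synchronised clocks.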

38

Benefits of Kerberos Authentication (2)

Delegated authentication. Windows services impersonate clients when accessing resources on their behalf. In many cases, a service can complete its work for the client by accessing resources on the local computer. Both NTLM and Kerberos provide the information that a service needs to impersonate its client locally. However, some distributed applications are designed so that a front-end service must impersonate clients when connecting to back-end services on other computers. The Kerberos protocol has a proxy mechanism that allows a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.

39

Benefits of Kerberos Authentication (3)

Simplified trust management. One of the benefits of the Kerberos protocol is that trust between the security authorities for Windows 2000 domains is by default two-way and transitive. Networks with multiple domains no longer require a complex web of explicit, point-to-point trust relationships. Instead, the many domains of a large network can be organized in a tree of transitive, mutual trust. Credentials issued by the security authority for any domain are accepted everywhere in the tree. If the network includes more than one tree, credentials issued by a domain in any tree are accepted throughout the forest.

40

Benefits of Kerberos Authentication (4)

Interoperability. Microsoft's implementation of the Kerberos protocol is based on standards-track specifications recommended to the Internet Engineering Task Force (IETF). As a result, the implementation of the protocol in Windows 2000 lays a foundation for interoperability with other networks where Kerberos version 5 is used for authentication.