ldap light weight directory access protocol

7/21/2019 Ldap Light Weight Directory Access Protocol

http://slidepdf.com/reader/full/ldap-light-weight-directory-access-protocol 1/30

LDAPLIGHT WEIGHT DIRECTORY

ACCESS PROTOCOL• PRESENTATION BY ALAKESH

APURVA DHAN AND ASH



WHAT IS LDAP

• LDAP IS LIGHT WEIGHT• SUFFICIENT STRAIGHT FORWARD• EASY TO IMPLEMENT AS AGAINST

X.500 DAP WHICH IS HEAVYWEIGHT



LDAP

• DIRECTORY BECAUSE DATA ISORGANISED IN THE FORM OF TREEMUCH LIKE UNIX FILE SYSTEM

• USES SIMPLIFIED SET OFENCODING

• RUNS DIRECTLY ABOVE TCP/IP• USES STRING TO REPRESENT DATA



LDAP

• LDAP SECURITY MODEL : DEFINESHOW INFORMATION CAN BEPROTECTED FROM UNAUTHORISEDACCESS



LDAP

• LDAP API• THERE ARE SEVERAL LDAP API

APPLICATION PROGRAMMINGINTERFACE OLDEST ONES WRITTENIN C

• NOW A DAYS LDAP API S AREAVAILABLE IN OTHER PROGRAMMINGLANGUAGES LIKE PERL JAVA



HOW LDAP WORKS

• LDAP DIRECTORY SERVICE IS BASEDON CLIENT SERVER MODEL

• LDAP IS A MESSAGE ORIENTEDPROTOCOL

• CLIENT CONSTRUCTS AN LDAPMESSAGE CONTAINING A RE UESTAND SENDS IT TO THE SERVER



HOW LDAP WORKS

• SERVER PROCESSES THERE UEST AND SENDS IT BACK TO

THE CLIENT IN THE FORM OF LDAPMESSAGE



LDAP BACKENDS

• THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP SERVERCALLED SLAPD COMES WITH

THREE DIFFERENT BACKENDDATABASES

• WE ASSUME THAT IN OUR CASEWE USE LDBM THE MOST USEDONE



HOW LDAP WORKS

• LDAP DATABASE WORKS BYADDING A COMPACT FOUR BYTEUNI UE IDENTIFIER

• INDEX FILES ARE MAINTAINED FORREFERRING TO DATA



LDAP PROTOCOLOPERATION• INTERROGATION OPERATION :

SEARCH ! COMPARE• ADD DELETE OPERATOIN :

ADD ! DELETE ! MODIFY ! MODIFY

DN• AUTHENTICATION AND CONTROLOPERATION :

BIND ! UNBIND ! ABANDON



LDAP INFORMATIONMODEL

• BASIC UNIT IS ENTRY " ACOLLECTION OF INFORMATIONABOUT AN OBJECT #

• AN ENTRY IS COMPOSED OF ASET OF ATTRIIBUTES



LDIF

• LDIF STANDS FOR LDAP DATAINTERCHANGE FORMAT

• DIRECTORY ENTRIES IN LDAP AREIN THE FORM OF LDIF



LDIF FORMAT

• BASIC FORM OF LDIF :$COMMENT

DN: %DISTINGUSHEDNAME& %ATTRDESC&:%ATTRVALUE& %ATTRDESC&:

%ATTRVALUE& '..• EXAMPLE : DN:UID(ALAKESH DC(IIT DC(EDU



LDAP

• IN ADDITION TO BEING A NETWORKPROTOCOL IT ALSO DEFINES FOUR

MODELS• LDAP INFORMATION MODEL :

DEFINES THE KIND OF DATA U PUT

• LDAP NAMING MODEL : HOW UORGANISE AND REFER TODIRECTORY INFORMATION



LDIF FORMAT

• LINES STARTING WITH $ ARECONSIDERED TO BE COMMENTS

• ALL OTHER ATTRIBUTES AREWRITTEN IN %ATTRDESC & (%VALUE& FORM



LDIF

• EACH ENTRY IS UNI UELY IDENTIFIED BY ADISTINIGUISHED NAME OR DN . THE DNCONSISTS OF THE NAME OF THE ENTRYPLUS A PATH IN THE DIRECTORY TREE

TRACING BACK TO THE TOP OF THEDIRECTORY HIERARCHY

• THE OBJECT CLASS DEFINES THE CLASS OF THE ATTRIBUTES THAT CAN BE USED TODEFINE AN ENTRY



LDIF

• DIRECTORY DATA ISREPRESENTED AS ATTRIBUTE)VALUE PAIR . ANY SPECIFICPIECE OF INFORMATION ISASSOSICATED WITH A

DESCRIPTIVE ATTRIBUTE



LDAP CONFIGURATION

• THE CONFIGURATION FILESLAPD.OC.CONF CONTAINS THEDEFINITION OF ALL THE OBJECTCLASSES

• THE ATTRIBUTES OF THE OBJECT

CLASSES ARE DEFINED INSLAPD.AT.CONF FILE



LDAP CONFIGURATION

• EACH OBJECT CLASS HASRE UIRED AND ALLOWEDATTRIBUTE

• RE UIRED ATTRIBUTES MUST BEPRESENT WHILE ALLOWED ARE

OPTIONAL



LDAP CONFIGURATION

• EACH ATTRIBUTE HASCORRESPONDING SYNTAXDEFINITION



LDAP ACCESS CONTROL

• ACCESS TO %WHAT& * BY %WHO&%ACCESS LEVEL& %CONTROL& +

• THIS DIRECTIVE GRANTS ACCESS TO A SET OF ENTRIES/ATTRIBUTESBY ONE OR MORE RE UESTERS

• EXAMPLE : ACCESS TO , BY ,READ



LDAP ACCESS CONTROL

• THE ABOVE DIRECTIVE GIVESREAD PERMISSION TO EVERYONE

• FOR EXAMPLE ACCESS TODN(- . , ! C(INDIA BY , SEARCH

GIVES SEARCHING PERMS TOENTRIES UNDER C(INDIA SUBTREE



LDAPADD

• OPENLDAP PACKAGE COMESWITH SHELL EXECUTABLENAMED LDAPADD USED TO ADDENTRIES TO THE DATABASEWHILE LDAP SERVER IS RUNNING

• BASIC SYNTAX ISLDAPADD )F %DATAFILE& )D%DN& ) %PASSWD& / )W " IF

PASSWORD IS TO BE PROMPTED .



LDAPDELETE

• ANOTHER SHELL EXECUTABLEFOR DELETING ENTRIES

• ITS SYNTAX ISLDAPDELETE

CN(HI!O(IITB!C(INDIA1



LDAPMODIFY

• ITS ANOTHER SHELLEXECUTABLE TO MODIFY DATA IN

THE DIRECTORY DATABASE

• IT HAS SIMILAR SYNTAX TOLDAPADD



LDAPSEARCH

• SHELL ACCESSIBLE INTERFACE TOLDAP2SEARCH"# C ROUTINE

• LDAPSEARCH OPENS CONNECTION TO THE LDAPSERVER PERFORMSSEARCH WHICH FOLLOWS

FILTERING RULES DEFINED INRFC3554



LDAPSEARCH

• FOR EXAMPLE LDAPSEARCH )B-C(INDIA -O(IITB IF , IS

ALLOWED READ ACCESS BYDEFAULT THE O(IITB WILL BERETURNED

• )B OPTION SEARCHES FOR THESEARCH BASE



LDAP AND JAVACONNECTIVITY

• THERE EXISTS A PACKAGECALLED JNDI " JAVA NAMINGAND DIRECTORY INTERFACE #

• IT CONTAINS API S NEEDED TOCONNECT LDAP SERVER

RETRIEVE INFORMATION



JNDI EXAMPLE

• A 6789 ; 9<=> WRITTEN USING JNDI TO DO LDAP SEARCH• 8;; ?> ;8@> 8 '..

• 8 7< . 8;.H ?;>

• 8 7< . 8;.E > 8< • 8 7< . 8 ., • 8 7< . 8 .=8 >9 < 6.,

• 9; S> 9 •

7 ?;89 89 <8= 8 "S 8 *+ #• H ?;> > ( > H ?;>"5 ! 0. 5 # • > .7 "C< > .INITIAL2CONTEXT2FACTORY!E .INITCTX# • > .7 "C< > .PROVIDER2URL ! E .MY2SERVICE # • '''''''''.



• M< ;= 7 > > > <7 8 8 >= < > =)8 > 8 > <7> 8< .T ! < > 9 >> < => < 8 => =8 > > 9> >> =8 = < ;= 7 =8 >9 < 6 ><? 8 8 > > = < >; 8< ;= ? > > > <7 8 8 >= < OLTP.

• B>9 > < 8 <7 8 8 8< ! < > > !< LDAP =8 >9 < 8> > < 8 >= << 8 = > > 9 > > >Q > .

W 6 L= 7

ldap light weight directory access protocol

Documents