
DIRECTORY SYSTEMS USING LDAP

ASSIGNMENT NO: 2
TITLE: Directory Systems using LDAP
Name:
ROLL NO.:
DATE:
REMARK:
BATCH:


DIRECTORY ACCESS PROTOCOL

Enterprise computing environments need to store information in a centralized data store so that it can be added to, deleted, modified, and queried by users and applications. The information stored could be user accounts, e-mail addresses, digital certificates, component object names, network names, and so on. This information must be accessible both from within the enterprise and from the Internet. The amount of information stored varies greatly from customer to customer. Such a data store has come to be known as a Directory Service. To succeed, IT organizations must choose Directory Services that are:

- Flexible enough to store a range of information types
- Secure when accessed from both the Internet and the intranet
- Scalable from a small business to the largest enterprise
- Extensible as business needs change

In addition, the Directory Service must be accessible via an open, standards-based protocol. Using an open protocol enables the information in the Directory Service to be accessed by clients from different vendors. Directory Services from different vendors that communicate using an open protocol can exchange information with each other to create aggregated directories.

Directory information can be made available through Web interfaces, as many organizations, and phone companies in particular, do. Such interfaces are good for humans. However, programs, too, need to access directory information. Directories can also be used for storing other types of information, much like file system directories. For instance, Web browsers can store personal bookmarks and other browser settings in a directory system. A user can thus access the same settings from multiple locations, such as at home and at work, without having to share a file system.

Several directory access protocols have been developed to provide a standardized way of accessing data in a directory. The most widely used among them today is the Lightweight Directory Access Protocol (LDAP). Obviously, all the types of data in our examples can be stored without much trouble in a database system and accessed through protocols such as JDBC or ODBC. The question then is, why come up with a specialized protocol for accessing directory information? There are at least two answers. First, directory access protocols are simplified protocols that cater to a limited type of access to data; they evolved in parallel with the database access protocols. Second, and more important, directory systems provide a simple mechanism to name objects in a hierarchical fashion, similar to file system directory names, which can be used in a distributed directory system to specify what information is stored in each of the directory servers.

For example, a particular directory server may store information for Bell Laboratories employees in Murray Hill, while another may store information for Bell Laboratories employees in Bangalore, giving both sites autonomy in controlling their local data. The directory access protocol can be used to obtain data from both directories, across a network. More important, the directory system can be set up to automatically forward queries made at one site to the other site, without user intervention.


LDAP: LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL

In general, a directory system is implemented as one or more servers, which service multiple clients. Clients use the application program interface defined by the directory system to communicate with the directory servers. Directory access protocols also define a data model and access control. The X.500 directory access protocol, defined by the International Organization for Standardization (ISO), is a standard for accessing directory information. However, the protocol is rather complex and is not widely used. The Lightweight Directory Access Protocol (LDAP) provides many of the X.500 features, but with less complexity, and is widely used. In the rest of this section, we shall outline the data model and access protocol details of LDAP.

LDAP Data Model

In LDAP, directories store entries, which are similar to objects. Each entry must have a distinguished name (DN), which uniquely identifies the entry. A DN is in turn made up of a sequence of relative distinguished names (RDNs). For example, an entry may have the following distinguished name:

    cn=Silberschatz, ou=Bell Labs, o=Lucent, c=USA

As you can see, the distinguished name in this example is a combination of a name and an (organizational) address, starting with a person's name, then giving the organizational unit (ou), the organization (o), and the country (c). The order of the components of a distinguished name reflects the normal postal address order, rather than the reverse order used in specifying path names for files. The set of RDNs for a DN is defined by the schema of the directory system.

Entries can also have attributes. LDAP provides binary, string, and time types, and additionally the types tel for telephone numbers and PostalAddress for addresses (lines separated by a "$" character). Unlike those in the relational model, attributes are multi-valued by default, so it is possible to store multiple telephone numbers or addresses for an entry.

LDAP allows the definition of object classes with attribute names and types. Inheritance can be used in defining object classes. Moreover, entries can be specified to be of one or more object classes. It is not necessary that there be a single most-specific object class to which an entry belongs.

Entries are organized into a directory information tree (DIT), according to their distinguished names. Entries at the leaf level of the tree usually represent specific objects. Entries that are internal nodes represent objects such as organizational units, organizations, or countries. The children of a node have a DN containing all the RDNs of the parent, and one or more additional RDNs. For instance, an internal node may have a DN c=USA, and all entries below it have the value USA for the RDN c. The entire distinguished name need not be stored in an entry; the system can generate the distinguished name of an entry by traversing up the DIT from the entry, collecting the RDN=value components to create the full distinguished name.
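The DN and DIT rules above are easy to get wrong when a program handles DNs as plain strings: a comma or "=" may appear inside an RDN value if it is escaped, so splitting on "," or checking a string suffix does not tell you where an entry really sits in the tree. The following Python example is added here (it is not part of the assignment and not code from any LDAP library) to show a structural treatment: parse a DN into RDNs per the RFC 4514 string form, derive the parent DN, test subtree membership, and generate a DN by walking up a small DIT. Multi-valued RDNs ("cn=a+sn=b") and multi-byte hex escapes are not handled; those are simplifying assumptions of the example.

```python
# Added example (not from the assignment): structural handling of LDAP DNs.
# Assumptions: single-valued RDNs only; a "\XX" hex escape is taken as one
# character (multi-byte UTF-8 escapes are not reassembled).

from typing import List, Optional, Tuple

RDN = Tuple[str, str]          # (attribute type, value), e.g. ("cn", "Silberschatz")
_SPECIAL = ',+"\\<>;'          # characters that must be escaped inside an RDN value


def _is_hexpair(s: str) -> bool:
    return len(s) == 2 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, most specific first: "cn=x,o=y" -> [("cn","x"),("o","y")]."""
    rdns: List[RDN] = []
    attr: Optional[str] = None
    buf: List[Tuple[str, bool]] = []   # (char, was_escaped) of the token being read

    def take() -> str:
        # Unescaped spaces around a token are insignificant (real ones must be escaped).
        items = list(buf)
        while items and items[0] == (" ", False):
            items.pop(0)
        while items and items[-1] == (" ", False):
            items.pop()
        buf.clear()
        return "".join(c for c, _ in items)

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if _is_hexpair(dn[i + 1:i + 3]):            # "\2c" -> ","
                buf.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            elif i + 1 < len(dn):                       # "\," -> ","
                buf.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if attr is None and ch == "=":                  # end of the attribute type
            attr = take()
            if not attr:
                raise ValueError("empty attribute type in DN")
        elif attr is not None and ch in ",;":           # end of this RDN
            rdns.append((attr, take()))
            attr = None
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("malformed DN: %r" % dn)
    rdns.append((attr, take()))
    return rdns


def escape_rdn_value(value: str) -> str:
    """Inverse of the parser: escape specials, a leading '#' or space, and a trailing space."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns: List[RDN]) -> str:
    return ",".join("%s=%s" % (a, escape_rdn_value(v)) for a, v in rdns)


def parent_dn(rdns: List[RDN]) -> List[RDN]:
    """The parent entry's DN: drop the leftmost (most specific) RDN."""
    return rdns[1:]


def _norm(rdns: List[RDN]) -> List[RDN]:
    # Attribute types are case-insensitive; values are compared as caseIgnoreMatch would.
    return [(a.lower(), v.lower()) for a, v in rdns]


def is_under(entry: List[RDN], base: List[RDN]) -> bool:
    """True if entry is base itself or lies anywhere in the subtree beneath base."""
    if not base:                       # the empty DN (root) is above everything
        return True
    if len(base) > len(entry):
        return False
    return _norm(entry[-len(base):]) == _norm(base)


class DITNode:
    """A node of a directory information tree; each node stores only its own RDN."""

    def __init__(self, attr: str, value: str, parent: Optional["DITNode"] = None):
        self.rdn: RDN = (attr, value)
        self.parent = parent


def full_dn(node: Optional[DITNode]) -> str:
    """Generate an entry's DN by walking up the DIT and collecting RDN=value components."""
    rdns: List[RDN] = []
    while node is not None:
        rdns.append(node.rdn)
        node = node.parent
    return build_dn(rdns)
```

The reason to parse rather than to compare strings: a DN such as `cn=x,o=foo\,dc=example,dc=com` ends with the text `dc=example,dc=com`, but its parent is `dc=com`, because the escaped comma belongs to the `o` value. A naive `endswith` check would place it under `dc=example,dc=com`; `is_under` with parsed RDNs does not.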


Data Manipulation

Unlike SQL, LDAP does not define either a data-definition language or a data-manipulation language. However, LDAP defines a network protocol for carrying out data definition and manipulation. LDAP also defines a file format called LDAP Data Interchange Format (LDIF) that can be used for storing and exchanging information. The querying mechanism in LDAP is very simple, consisting of just selections and projections, without any join. A query must specify the following:

- A base, that is, a node within a DIT, given by its distinguished name (the path from the root to the node).
- A search condition, which can be a Boolean combination of conditions on individual attributes. Equality, matching by wild-card characters, and approximate equality are supported.
- A scope, which can be just the base, the base and its children, or the entire subtree beneath the base.
- The attributes to return.

The Lightweight Directory Access Protocol (LDAP) is a protocol for clients to query and manage information in a Directory Service over a TCP connection (port 389). The LDAP protocol was designed by the University of Michigan to provide access to the X.500 Directory without incurring the resource requirements of the Directory Access Protocol (DAP). This makes it very suitable for use on the Internet.

Lightweight Directory Access Protocol (LDAP) Components:

- A Data Model, which defines the syntax of the data in the directory
- An Organizational Model, which defines how the data is organized in the directory
- A Security Model, which defines how the information in the directory is accessed in a secure manner
- The Functional Model, which defines the operations for querying and modifying the directory
- The Topological Model, which defines how the directory service integrates with other directory services to form a global directory service on the Internet
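To make the four parts of a query concrete (base, scope, search condition, attributes to return), here is an added Python example, not part of the assignment and not code from any LDAP server or client library. It parses the RFC 4515 string filter forms &, |, ! and "attr=value" with "*" wildcards, applies the three scopes against a small in-memory directory, and projects the requested attributes. Approximate matching (~=) is server-defined and left out, and values are compared case-insensitively. The sample entries are constructed for this example; their DNs contain no escaped commas, so the parent DN is found by a plain split on "," (a simplification). The two filter builders at the end show why a value taken from user input must be escaped before it is placed inside a filter: unescaped, a "*" turns a lookup of one uid into a match of every entry.

```python
# Added example (not from the assignment): LDAP search semantics on an
# in-memory directory. Constructed sample data; simplified DN handling.

import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]            # attribute type (lower-case) -> values

DIRECTORY: Dict[str, Entry] = {          # constructed sample entries
    "dc=example,dc=com": {"objectclass": ["top", "domain"], "dc": ["example"]},
    "ou=people,dc=example,dc=com": {"objectclass": ["top", "organizationalUnit"], "ou": ["people"]},
    "cn=admin,dc=example,dc=com": {"objectclass": ["top", "person"], "cn": ["admin"], "uid": ["admin"]},
    "cn=John Doe,ou=people,dc=example,dc=com": {"objectclass": ["top", "person", "inetOrgPerson"],
                                                 "cn": ["John Doe"], "uid": ["jdoe"], "mail": ["john@example.com"]},
    "cn=Barbara Doe,ou=people,dc=example,dc=com": {"objectclass": ["top", "person", "inetOrgPerson"],
                                                    "cn": ["Barbara Doe"], "uid": ["bdoe"], "mail": ["barbara@example.com"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515: characters that are filter syntax are written as \\XX so they stay literal."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Recursive-descent parse of one parenthesised filter starting at s[i]; returns (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("truncated filter")
    if s[i] in "&|":
        op, kids = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [node]), i + 1
    end = s.index(")", i)               # a literal ')' inside a value is escaped as \29
    attr, eq, val = s[i:end].partition("=")
    if not attr or not eq:
        raise ValueError("bad filter item %r" % s[i:end])
    return ("=", attr.lower(), val), end + 1


def parse_filter(s: str) -> tuple:
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def _value_matches(pattern: str, value: str) -> bool:
    """'*' in the assertion value is a wildcard; everything else is literal after unescaping."""
    if pattern == "*":                  # presence test: the attribute has any value
        return True
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE) is not None


def _matches(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _parent(dn: str) -> str:            # simplification: no escaped commas in sample DNs
    return dn.partition(",")[2]


def in_scope(dn: str, base: str, scope: str) -> bool:
    dn, base = _norm_dn(dn), _norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return _parent(dn) == base
    if scope == "sub":                  # walk up the tree until the base is reached or the root passed
        while dn:
            if dn == base:
                return True
            dn = _parent(dn)
        return False
    raise ValueError("unknown scope %r" % scope)


def search(directory: Dict[str, Entry], base: str, scope: str,
           filter_str: str, attrs: Optional[List[str]] = None) -> Dict[str, Entry]:
    """Selection (scope + filter) then projection (attrs); result order carries no meaning."""
    node = parse_filter(filter_str)
    results: Dict[str, Entry] = {}
    for dn, entry in directory.items():
        if in_scope(dn, base, scope) and _matches(node, entry):
            wanted = [a.lower() for a in attrs] if attrs else list(entry)
            results[dn] = {a: entry[a] for a in wanted if a in entry}
    return results


def unsafe_uid_filter(uid: str) -> str:   # user input pasted in unchanged: "*" widens the match
    return "(&(objectClass=person)(uid=%s))" % uid


def safe_uid_filter(uid: str) -> str:     # escaped: the input can only ever be a literal uid
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)
```

`search(DIRECTORY, "dc=example,dc=com", "sub", "(uid=*doe)", ["mail"])` returns the two `people` entries with only their `mail` attribute, while the same filter with scope `one` returns nothing because those entries are grandchildren of the base. The results come back as a dictionary on purpose: as the text says, LDAP does not promise any ordering of entries, attributes or values.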

Directory structure: A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. The client may request the following operations:

- StartTLS: use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
- Bind: authenticate and specify the LDAP protocol version
- Search: search for and/or retrieve directory entries
- Compare: test if a named entry contains a given attribute value
- Add a new entry
- Delete an entry
- Modify an entry
- Modify Distinguished Name (DN): move or rename an entry
- Abandon: abort a previous request
- Extended Operation: generic operation used to define other operations
- Unbind: close the connection (not the inverse of Bind)

In addition, the server may send "Unsolicited Notifications" that are not responses to any request, e.g. before it times out a connection.

A common alternative method of securing LDAP communication is using an SSL tunnel. This is denoted in LDAP URLs by using the URL scheme "ldaps". The default port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2 (LDAPv2), but it was never standardized in any formal specification. This usage has been deprecated along with LDAPv2, which was officially retired in 2003.

The protocol accesses LDAP directories, which follow the 1993 edition of the X.500 model:

- An entry consists of a set of attributes.
- An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema (see below).
- Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as the full file path and the RDN as its relative filename in its parent folder (e.g. if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN).

Be aware that a DN may change over the lifetime of the entry, for instance when entries are moved within a tree. To reliably and unambiguously identify entries, a UUID might be provided in the set of the entry's operational attributes. An entry can look like this when represented in LDAP Data Interchange Format (LDIF) (LDAP itself is a binary protocol):

    dn: cn=John Doe,dc=example, dc=com
    cn: John Doe
    givenName: John
    sn: Doe
    telephoneNumber: +1 888 555 6789
    telephoneNumber: +1 888 555 1232
    mail: john@example.com
    manager: cn=Barbara Doe,dc=example, dc=com
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
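The LDIF text form above has a few rules that a reader of the entry alone does not see: a value may be repeated to give a multi-valued attribute, a value that is not a safe ASCII string (non-ASCII, or starting with a space, ":" or "<") is written base64-encoded after "::", and a long line may be folded onto the next line by starting the continuation with one space. The following Python parser and writer are an added example, not part of the assignment and not from any LDAP tool; they cover that subset of RFC 2849 (no "<" URL values and no changetype records). The sample LDIF is the entry from the text plus a second entry constructed for the example.

```python
# Added example (not from the assignment): LDIF parse/serialise (RFC 2849 subset).

import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# First entry as in the text; second entry constructed for this example
# (a base64 value and a folded postalAddress line).
SAMPLE_LDIF = """\
# two entries in LDIF
dn: cn=John Doe,dc=example, dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example, dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: cn=Barbara Doe,dc=example, dc=com
cn: Barbara Doe
sn: Doe
description:: Y2Fmw6k=
postalAddress: 1 Main St $ Springf
 ield $ USA
objectClass: person
objectClass: top
"""


def _unfold(text: str) -> List[str]:
    """Join continuation lines (a single leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Return [(dn, {attribute: [values...]}), ...]; entries are separated by blank lines."""
    entries: List[Tuple[str, Entry]] = []
    dn = None
    attrs: Entry = {}

    def flush() -> None:
        nonlocal dn, attrs
        if attrs and dn is None:
            raise ValueError("entry without dn")
        if dn is not None:
            entries.append((dn, attrs))
        dn, attrs = None, {}

    for line in _unfold(text):
        if line.startswith("#"):                    # comment
            continue
        if not line.strip():                        # end of an entry
            flush()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attrval-spec: %r" % line)
        if value.startswith(":"):                   # "name:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:                                       # safe string; a real leading space must be base64
            value = value.lstrip(" ")
        if name == "dn":
            if dn is not None or attrs:
                raise ValueError("dn must be the first line of an entry")
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    flush()
    return entries


def _needs_base64(value: str) -> bool:
    # SAFE-STRING per RFC 2849: ASCII only, no NUL/CR/LF, no leading space, ':' or '<', no trailing space
    if value == "" or value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or c in "\x00\r\n" for c in value)


def to_ldif(dn: str, attrs: Entry) -> str:
    """Serialise one entry; values outside the safe-string rules are written base64 after '::'."""
    def line(name: str, value: str) -> str:
        if _needs_base64(value):
            return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
        return "%s: %s" % (name, value)
    out = [line("dn", dn)]
    for name, values in attrs.items():
        out.extend(line(name, v) for v in values)
    return "\n".join(out) + "\n"
```

Note that `dn` is not stored as an attribute of the parsed entry, which matches the text: it names the entry but is not part of it.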

"dn" is the distinguished name of the entry; it's neither an attribute nor a part of the entry. "cn=John Doe" is the entry's RDN (Relative Distinguished Name), and "dc=example, dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address and "sn" for surname. A server holds a subtree starting from a specific entry, e.g. "dc=example, dc=com" and its children. Servers may also hold references to other servers, so an attempt to access "ou=department, dc=example, dc=com" could return a referral or continuation reference to a server which holds that part of the directory tree. The client can then contact the other server. Some servers also support chaining, which means the server contacts the other server and returns the results to the client. LDAP rarely defines any ordering: The server may return the values of an attribute, the attributes in an entry, and the entries found by a search operation in any order. This follows from the formal definitions - an entry is defined as a set of attributes, and an attribute is a set of values, and sets need not be ordered.

LDAP example in JAVA

// This program adds a user entry to the LDAP directory using JNDI.
// (The original comment said it "retrieves the password"; what the code
// actually does is an Add operation of an entry that carries a userpassword
// attribute.) Duplicate and unused imports (servlet, mail, sql) are removed.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class ldap {
    public static void main(String[] a) {
        // DN of the entry to create; ou/o/c depend on your LDAP tree structure
        String ENTRYDN = "uid=abc, ou=usermast, o=abc.com, c=US";
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://100.100.100.100:389"); // LDAP URL (plain TCP port 389, no TLS)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin, o=abc.com, c=US"); // bind DN
        env.put(Context.SECURITY_CREDENTIALS, "mandiracharu"); // bind password (hard-coded in the original; load it from protected configuration instead)
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // connect + Bind
            Attributes userAttributes = new BasicAttributes(true); // true = ignore case of attribute names
            BasicAttribute objectClass = new BasicAttribute("objectclass", "top");
            objectClass.add("person");
            objectClass.add("OpenLDAPperson"); // site-specific class: must exist in the server's schema
            objectClass.add("connectme");      // site-specific class: must exist in the server's schema
            userAttributes.put(objectClass);
            // The attributes below depend on your LDAP tree structure and schema
            userAttributes.put(new BasicAttribute("cn", "abc"));
            userAttributes.put(new BasicAttribute("userpassword", "hello"));
            userAttributes.put(new BasicAttribute("uid", "abc"));
            userAttributes.put(new BasicAttribute("sn", "abc"));
            userAttributes.put(new BasicAttribute("ispid", "0005"));
            userAttributes.put(new BasicAttribute("userblocked", "no"));
            userAttributes.put(new BasicAttribute("parentid", "abc"));
            userAttributes.put(new BasicAttribute("filename", " "));
            // The original also added jpegphoto with an empty value; most servers reject
            // zero-length values with an invalid-attribute-syntax error, so it is left out here.
            ctx.createSubcontext(ENTRYDN, userAttributes); // Add operation
            System.out.println("Entry added: " + ENTRYDN);
        } catch (NamingException e) {
            e.printStackTrace();
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignore) { } // Unbind
            }
        }
    } // end of main
} // end of class

CONCLUSION: LDAP is a protocol for accessing a directory. A directory contains objects, generally those related to users, groups, computers, printers, etc., and company structure information. LDAP gives you query methods to add, update and remove objects within a directory.
