
Shashank

Hewlett Packard

Background and Motivation
X.500
What is LDAP?
Understanding LDAP
Discussion and Q/A

Lightweight Directory Access Protocol

Background and Motivation
  Originally inspired by telecommunication companies
  Increased reliance on networked computers
  Need for information that offers:
    Ease of use
    Administration
    Clear and consistent organization
    Integrity
    Confidentiality


X.500
  X.500 standard, CCITT 1988
  Refer to ISO 9594 (X.500-X.521) of 1990


  Organizes directory entries into a hierarchical namespace
  Powerful search capabilities
  Uses DAP (application layer); it is based on the OSI stack


What is LDAP?
  Lightweight Directory Access Protocol
  Used to access and update information in a directory built on the X.500 model


  Lightweight alternative to DAP
  Uses TCP/IP instead of the OSI stack
  Much simpler
  Represents data as strings rather than in DAP's ASN.1 notation


Each entry describes an object (object class)
  Person, server, printer, etc.

Example entry:
  inetOrgPerson (cn, sn, objectClass)

Example attributes, with their syntax (cis = case-insensitive string, tel = telephone number, dn = distinguished name):
  cn (cis), sn (cis), telephoneNumber (tel), ou (cis), owner (dn)


Distinguished Names (DNs) consist of a sequence of Relative DNs (RDNs)

Directory Information Tree (DIT)

Example DN:
  cn=John Smith,ou=Finland,ou=Vaasa,dc=accdom,dc=for,dc=int

Attribute Type           String
CommonName               CN
LocalityName             L
StateOrProvinceName      ST
OrganizationName         O
OrganizationalUnitName   OU
CountryName              C
StreetAddress            STREET
domainComponent          DC
Userid                   UID

LDAP operations

Authentication
  BIND / UNBIND
  ABANDON

Query
  Search
  Compare entry

Update
  Add or delete an entry
  Modify an entry

Client establishes a session with the server (BIND)
  Hostname/IP address and port number
  Security:
    User-id/password based authentication
    Anonymous connection (default access rights)
    Encryption/Kerberos also supported

Client performs operations
  Read/Update/Search, analogous to SQL: SELECT X,Y,Z FROM PART_OF_DIRECTORY

Client ends the session (UNBIND)
  Client can ABANDON an operation (by its MessageID)

BIND:
  Request includes the LDAP version, the name the client wants to bind as, and the authentication type:
    Simple (clear-text password, or anonymous)
    Kerberos v4 to the LDAP server (krbv42LDAP)
    Kerberos v4 to the DSA server (krbv42DSA)
  Server responds with a status indication

UNBIND: terminates a protocol session

  UnbindRequest ::= [APPLICATION 2] NULL

ABANDON:
  MessageID of the request to abandon
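To make the BIND/UNBIND/ABANDON descriptions concrete, here is an added example (not code from the slides) that hand-encodes the three requests as BER LDAPMessages following the RFC 4511 ASN.1, where BindRequest is `[APPLICATION 0] SEQUENCE { version, name, authentication }`, UnbindRequest is the `[APPLICATION 2] NULL` shown above and AbandonRequest is `[APPLICATION 16] MessageID`. Only the "simple" authentication choice is encoded; the DN and password in the sample are constructed. The `credential_visible` check shows why the slide calls simple authentication "clear text": the password is an ordinary OCTET STRING in the frame, so it must not cross an unencrypted link.

```python
# Added example (not from the slides): hand-rolled BER encoding of three
# LDAPMessages, following the RFC 4511 ASN.1:
#   BindRequest    ::= [APPLICATION 0]  SEQUENCE { version, name, authentication }
#   UnbindRequest  ::= [APPLICATION 2]  NULL
#   AbandonRequest ::= [APPLICATION 16] MessageID
# Only the "simple" AuthenticationChoice ([0] OCTET STRING) is encoded here.

TAG_SEQUENCE = 0x30         # universal, constructed
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_UNBIND_REQUEST = 0x42   # [APPLICATION 2], primitive (NULL, empty content)
TAG_ABANDON_REQUEST = 0x50  # [APPLICATION 16], primitive (implicit INTEGER)
TAG_SIMPLE_AUTH = 0x80      # [0], primitive, context-specific


def ber_length(n: int) -> bytes:
    """Definite-length form: one octet below 128, else 0x80|k followed by k octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(content)) + content


def integer_content(value: int) -> bytes:
    """Minimal two's-complement octets, as required for INTEGER content."""
    n = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(n, "big", signed=True)


def ber_integer(value: int) -> bytes:
    return ber_tlv(0x02, integer_content(value))


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber_tlv(TAG_SEQUENCE, ber_integer(message_id) + protocol_op)


def encode_simple_bind(message_id: int, name: str, password: str, version: int = 3) -> bytes:
    """BindRequest with simple authentication: version, bind DN, password."""
    op = (ber_integer(version)
          + ber_tlv(TAG_OCTET_STRING, name.encode("utf-8"))
          + ber_tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return ldap_message(message_id, ber_tlv(TAG_BIND_REQUEST, op))


def encode_unbind(message_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL, i.e. tag 0x42 with zero-length content."""
    return ldap_message(message_id, ber_tlv(TAG_UNBIND_REQUEST, b""))


def encode_abandon(message_id: int, id_to_abandon: int) -> bytes:
    """AbandonRequest carries the MessageID of the outstanding request to drop."""
    return ldap_message(message_id, ber_tlv(TAG_ABANDON_REQUEST, integer_content(id_to_abandon)))


def credential_visible(frame: bytes, password: str) -> bool:
    """A simple bind carries the password as a plain OCTET STRING: anyone who
    can read the TCP stream (no TLS) can lift it straight from the bytes."""
    return password.encode("utf-8") in frame


if __name__ == "__main__":
    bind = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "secret")  # constructed sample
    print("bind   :", bind.hex())
    print("password readable on the wire:", credential_visible(bind, "secret"))
    print("unbind :", encode_unbind(3).hex())
    print("abandon:", encode_abandon(4, 2).hex())
```

The UNBIND frame for MessageID 3 is just seven bytes (`30 05 02 01 03 42 00`), which is what makes "lightweight" literal: a SEQUENCE holding an INTEGER and the empty `[APPLICATION 2]` tag. The real risk sits in the BIND frame, where the bind DN and password are both readable, so a deployment that allows simple binds needs TLS on the connection.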

SEARCH:
  Request includes
    baseObject: an LDAPDN
    scope: how many levels are to be searched
    derefAliases: handling of aliases
    sizeLimit: max number of entries returned
    timeLimit: max time allowed for the search
    attrsOnly: return attribute types only, or values as well
    filter: condition to be fulfilled when searching
    attributes: list of the entry's attributes to be returned

  Read and List are implemented as searches
  Compare: similar to search but returns TRUE/FALSE
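The search parameters listed above map directly onto a request structure, and the `filter` field is the one a defender has to treat carefully: an assertion value taken from user input must be escaped so that it cannot alter the filter's structure. The block below is an added example (not code from the slides) that escapes values per RFC 4515, composes filters, and assembles the SearchRequest fields with the slide's names; the scope and alias-dereferencing names and the sample base DN are constructed for illustration.

```python
# Added example (not from the slides): compose an LDAP search filter with
# RFC 4515 escaping of assertion values and assemble the SearchRequest
# parameters named on the slide. Plain data structures only, no network I/O.
from typing import Any, Dict, List, Sequence

SCOPES = {"base": 0, "one": 1, "sub": 2}                      # baseObject / singleLevel / wholeSubtree
DEREF = {"never": 0, "searching": 1, "finding": 2, "always": 3}


def escape_filter_value(value: str) -> str:
    """Escape '*', '(', ')', '\\' and NUL (and, conservatively, every control or
    non-ASCII byte) as \\XX hex pairs so the value cannot change filter structure."""
    out: List[str] = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7e:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def equality(attr: str, value: str) -> str:
    return "(%s=%s)" % (attr, escape_filter_value(value))


def presence(attr: str) -> str:
    """'attr=*' is the presence test; the star is literal syntax here, not user data."""
    return "(%s=*)" % attr


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def not_(filter_: str) -> str:
    return "(!" + filter_ + ")"


def build_search_request(base_object: str, filter_: str, attributes: Sequence[str] = (),
                         scope: str = "sub", deref_aliases: str = "never",
                         size_limit: int = 0, time_limit: int = 0,
                         types_only: bool = False) -> Dict[str, Any]:
    """Mirror the SearchRequest fields from the slide; 0 for a limit means
    'no client-imposed limit' (the server's own limits still apply)."""
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    if deref_aliases not in DEREF:
        raise ValueError("unknown derefAliases %r" % deref_aliases)
    if size_limit < 0 or time_limit < 0:
        raise ValueError("limits must be non-negative")
    return {
        "baseObject": base_object,
        "scope": SCOPES[scope],
        "derefAliases": DEREF[deref_aliases],
        "sizeLimit": size_limit,
        "timeLimit": time_limit,
        "typesOnly": types_only,
        "filter": filter_,
        "attributes": list(attributes),
    }


if __name__ == "__main__":
    # Constructed sample: the user-supplied name contains filter metacharacters.
    user_input = "O'Brien (Sales)*"
    flt = and_(equality("objectClass", "person"), equality("cn", user_input))
    req = build_search_request("ou=Vaasa,dc=accdom,dc=for,dc=int", flt,
                               ["cn", "telephoneNumber"], scope="one", size_limit=50)
    print(req["filter"])
    print(req)
```

With escaping, the parentheses and star typed by the user become `\28`, `\29` and `\2a`, so the server compares them as characters of the name instead of parsing them as filter syntax; `presence()` keeps the literal `*` because there it is syntax the application itself chose.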

ADD request
  Entry: LDAPDN
  List of attributes and values (or sets of values)

MODIFY request
  Used to add, delete, or modify attributes of an entry

DELETE request

Current LDAP version supports
  Clear-text passwords
  Kerberos version 5 authentication

Other authentication methods possible in future versions
  SASL support added in version 3
  Kerberos deemed stronger than SASL

Authentication operation
