Simple short Seminar on LDAP


  • 7/23/2019 Simple short Seminar on LDAP

    1/20

    Shashank, Hewlett Packard

    2/20

    Agenda:
    Background and Motivation
    X.500
    What is LDAP?
    Understanding LDAP
    Discussion and Q/A

    Lightweight Directory Access Protocol 2

    3/20

    Originally inspired by telecommunication companies

    Increased reliance on networked computers

    What is needed from such information: ease of use, administration, a clear and consistent organization, integrity, confidentiality


    4/20

    X.500 standard: CCITT 1988; see ISO 9594 / X.500-X.521 of 1990


    5/20

    Organizes directory entries into a hierarchical namespace

    Powerful search capabilities

    Accessed with DAP (Directory Access Protocol), an application-layer protocol that runs on the OSI stack


    6/20

    Lightweight Directory Access Protocol: used to access and update information in a directory built on the X.500 model


    7/20

    Lightweight alternative to DAP

    Uses TCP/IP instead of the OSI stack

    Much simpler: DNs and attribute values are carried as strings instead of the full X.500 ASN.1 data types DAP uses (LDAP messages themselves are still BER-encoded ASN.1, but only a small subset of it)



    9/20

    Each entry describes an object of some object class: person, server, printer, etc.

    Example entry: an inetOrgPerson with the attributes cn, sn and objectClass

    Example attributes and their syntaxes: cn (case-ignore string), sn (case-ignore string), telephoneNumber (telephone number), ou (case-ignore string), owner (DN)


    10/20

    A DN consists of a sequence of relative DNs (RDNs), for example cn=John Smith,ou=Finland,ou=Vaasa,dc=accdom,dc=for,dc=int: the leftmost RDN names the entry itself and each RDN to its right is its parent, up to the root of the tree

    Directory Information Tree (DIT)

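The DN above is a sequence of RDNs, and the commas, plus signs and equals signs that separate them are exactly the characters an attacker-supplied value may contain. The following Python is an added example, not code from the seminar: it parses a DN string into its RDNs following the RFC 4514 rules (including backslash and hex escapes), escapes values so that they cannot forge extra RDNs, and checks whether an entry lies under a base DN by comparing parsed RDNs rather than raw string suffixes. The slide's DN is used as input; the other inputs, the case-insensitive value comparison and the helper names are assumptions of the example.

```python
"""Parsing and building LDAP distinguished names in their RFC 4514 string form.

Added example for the DN slide; it is not code from the seminar. The DN from the
slide plus a few constructed inputs are used; nothing here talks to a server.
Attribute values are compared case-insensitively, an assumption that matches
caseIgnoreMatch attributes such as cn, ou and dc but not every attribute type.
"""
import re

# Characters that must be backslash-escaped wherever they appear in a value.
_SPECIALS = set(',+"\\<>;=')
_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Split a DN string into RDNs, leftmost (the entry itself) first.

    Each RDN is a list of (attributeType, value) pairs so that multi-valued
    RDNs such as cn=a+sn=b stay intact. Backslash escapes in both the
    single-character form (\\,) and the hex form (\\2C, UTF-8 bytes) are decoded.
    """
    if dn == "":
        return []                                   # the root DSE has an empty DN
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    attr_type, value, in_type, i = [], bytearray(), True, 0
    while i < len(dn):
        ch = dn[i]
        if in_type:
            if ch == "=":
                in_type = False
            elif ch in ",+":
                raise ValueError(f"attribute type without '=' at offset {i}")
            else:
                attr_type.append(ch)
        elif ch == "\\":
            nxt = dn[i + 1:i + 3]
            if _HEXPAIR.fullmatch(nxt):
                value.append(int(nxt, 16))          # \2C -> byte 0x2C
                i += 2
            elif i + 1 < len(dn):
                value += dn[i + 1].encode("utf-8")  # \, -> ','
                i += 1
            else:
                raise ValueError("dangling backslash at end of DN")
        elif ch in ",+":
            rdn.append(("".join(attr_type).strip().lower(), value.decode("utf-8")))
            attr_type, value, in_type = [], bytearray(), True
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            value += ch.encode("utf-8")
        i += 1
    if in_type:
        raise ValueError("DN ends inside an attribute type")
    rdn.append(("".join(attr_type).strip().lower(), value.decode("utf-8")))
    rdns.append(rdn)
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514 section 2.4)."""
    out = []
    for idx, ch in enumerate(value):
        if ch in _SPECIALS or (ch == "#" and idx == 0) \
                or (ch == " " and idx in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: list[list[tuple[str, str]]]) -> str:
    """Inverse of parse_dn: every value is escaped, so a value can never add RDNs."""
    return ",".join("+".join(f"{t}={escape_dn_value(v)}" for t, v in rdn) for rdn in rdns)


def _normalize(dn: str) -> list[tuple[tuple[str, str], ...]]:
    return [tuple(sorted((t, v.casefold()) for t, v in rdn)) for rdn in parse_dn(dn)]


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere in the subtree below base.
    An access-control rule such as 'only entries under ou=Finland,...' has to
    make this check on parsed RDNs, not on raw string suffixes."""
    d, b = _normalize(dn), _normalize(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


SLIDE_DN = "cn=John Smith,ou=Finland,ou=Vaasa,dc=accdom,dc=for,dc=int"


def demo() -> tuple[int, int]:
    """Constructed input with a comma: unescaped it forges an extra RDN (6 vs 5)."""
    user_input = "Smith,ou=Admins"
    naive = f"cn={user_input},ou=Finland,dc=accdom,dc=for,dc=int"
    safe = build_dn([[("cn", user_input)], [("ou", "Finland")],
                     [("dc", "accdom")], [("dc", "for")], [("dc", "int")]])
    return len(parse_dn(naive)), len(parse_dn(safe))


if __name__ == "__main__":
    print(parse_dn(SLIDE_DN))
    print(demo())
```

A raw `endswith()` check on the string is not equivalent to `is_under`: the DN `cn=x\,ou=Finland,dc=accdom,dc=for,dc=int` ends with the text `ou=Finland,dc=accdom,dc=for,dc=int`, yet after parsing it is a single RDN directly under dc=accdom, outside the Finland subtree, which is what `is_under` reports.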

    11/20

    Attribute type              Short name used in DN strings
    commonName                  CN
    localityName                L
    stateOrProvinceName         ST
    organizationName            O
    organizationalUnitName      OU
    countryName                 C
    streetAddress               STREET
    domainComponent             DC
    userid                      UID

    12/20

    Authentication and session control: BIND, UNBIND, ABANDON

    Query: Search, Compare entry

    Update: Add or delete entry, Modify an entry


    13/20

    Client establishes a session with the server (BIND): hostname/IP and port number, plus the security choice: user-id/password based authentication, anonymous connection (default access rights only), or encryption/Kerberos, which are also supported

    Client performs operations: read, update, search (think of a search as SELECT X,Y,Z FROM PART_OF_DIRECTORY)

    Client ends the session (UNBIND)

    Client can ABANDON an outstanding operation (ABANDON cancels a request by its message ID; it does not end the session)

    14/20

    BIND: the request includes the LDAP version, the name the client wants to bind as, and the authentication type: simple (clear-text password, or an empty password for anonymous), Kerberos v4 to the LDAP server (krbv42LDAP), Kerberos v4 to the DSA (krbv42DSA); the two Kerberos v4 choices are LDAPv2 (RFC 1777) options that LDAPv3 dropped in favour of SASL

    Server responds with a status indication (a BindResponse carrying a result code)

    UNBIND: terminates a protocol session

    UnbindRequest ::= [APPLICATION 2] NULL

    ABANDON: carries the MessageID of the operation to abandon
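To see what the BIND, UNBIND and ABANDON requests actually look like on the wire, here is an added Python example (not from the seminar) that encodes an LDAPv3 simple bind, an unbind and an abandon exactly as RFC 4511 defines them in BER, and decodes the server's BindResponse. The DN, password, message IDs and the two server replies are constructed for the example; only the BER constructs LDAP needs are implemented, and no connection is made.

```python
"""LDAPv3 BindRequest, BindResponse, UnbindRequest and AbandonRequest on the wire.

Added example for the bind/unbind/abandon slide; it is not code from the seminar.
The DN, password, message IDs and the "captured" server replies are constructed
here. Only the few BER constructs LDAP needs (RFC 4511 section 5.1) are implemented.
"""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|count then big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER (0x02), ENUMERATED (0x0A) or any integer-valued tag."""
    nbytes = (value.bit_length() + 8) // 8          # keeps room for the sign bit
    return tlv(tag, value.to_bytes(max(nbytes, 1), "big", signed=True))


def ber_str(s: str, tag: int = 0x04) -> bytes:
    """OCTET STRING / LDAPString: UTF-8 bytes under the given tag."""
    return tlv(tag, s.encode("utf-8"))


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(message_id) + protocol_op)


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication CHOICE { simple [0] OCTET STRING, ... } }.
    Tag 0x60 is APPLICATION 0 constructed; 0x80 is context-specific [0] primitive.
    The password goes out as plain bytes: this is the "clear text" simple bind."""
    op = tlv(0x60, ber_int(3) + ber_str(name) + ber_str(password, 0x80))
    return ldap_message(message_id, op)


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL, i.e. tag 0x42 with zero length."""
    return ldap_message(message_id, b"\x42\x00")


def abandon_request(message_id: int, id_to_abandon: int) -> bytes:
    """AbandonRequest ::= [APPLICATION 16] MessageID: tag 0x50 wrapping an integer."""
    return ldap_message(message_id, ber_int(id_to_abandon, 0x50))


def ber_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one element at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                                  # long-form length
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] }.
    LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN LDAPDN,
                              diagnosticMessage LDAPString, ... }"""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    if op_tag != 0x61:
        raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")
    _, code, pos = ber_read(op)
    _, matched, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "resultCode": int.from_bytes(code, "big", signed=True),
            "matchedDN": matched.decode("utf-8"),
            "diagnosticMessage": diag.decode("utf-8")}


# Constructed server replies: success (0) and invalidCredentials (49).
REPLY_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
REPLY_BAD_PASSWORD = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(req.hex())                      # the bytes "secret" are readable inside
    print(parse_bind_response(REPLY_SUCCESS))
    print(unbind_request(2).hex(), abandon_request(3, 2).hex())
```

The output of `bind_request()` makes the slide's "clear text" point concrete: the bytes `secret` appear verbatim at the end of the message, so a simple bind is only acceptable inside TLS (LDAPS or StartTLS). Decoding the reply shows the result code the server returns: 0 for success, 49 for invalidCredentials.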

    15/20

    SEARCH request includes:
    baseObject: an LDAPDN where the search starts
    scope: how many levels to be searched (baseObject, singleLevel or wholeSubtree)
    derefAliases: handling of aliases
    sizeLimit: max number of entries returned
    timeLimit: max time allowed for the search
    attrsOnly (typesOnly in LDAPv3): return attribute types only, or values also
    filter: condition to be fulfilled by the entries returned
    attributes: list of the entry's attributes to be returned

    Read and List are implemented as searches (scope baseObject and singleLevel respectively)

    Compare: similar to search but returns TRUE/FALSE for one attribute value of one entry
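The filter field is where untrusted input usually ends up, so the following added Python example (not code from the seminar) shows RFC 4515 escaping beside a naive filter template and runs both through a small filter evaluator over constructed entries so the effect is visible. The entries, the login template and the case-insensitive matching are assumptions of the example; a real application should bind as the user rather than compare userPassword in a filter, and the template is only there to show how an unescaped `*` rewrites the query.

```python
"""LDAP search filters: RFC 4515 escaping, and what an unescaped value does.

Added example for the search slide; it is not code from the seminar. The
directory entries and the login-filter template are constructed. The evaluator
covers only the filter forms needed here (and, or, not, equality, presence,
'*' substrings) and compares values case-insensitively (caseIgnoreMatch).
"""
import re

_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape the characters that change a filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(s: str) -> str:
    # hex pairs decode to single code points; ASCII is all this demo needs
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def parse_filter(text: str):
    """Parse into ('&', kids), ('|', kids), ('!', node) or ('=', attr, pattern)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter at offset {pos}")
    return node


def _parse(s: str, pos: int):
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos] if pos < len(s) else ""
    if op in ("&", "|"):                       # zero or more nested filters
        kids, pos = [], pos + 1
        while pos < len(s) and s[pos] != ")":
            kid, pos = _parse(s, pos)
            kids.append(kid)
        if pos >= len(s):
            raise ValueError("unterminated and/or filter")
        return (op, kids), pos + 1
    if op == "!":
        kid, pos = _parse(s, pos + 1)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError("unterminated not filter")
        return ("!", kid), pos + 1
    end = s.find(")", pos)                     # an unescaped ')' ends the item
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, eq, pattern = s[pos:end].partition("=")
    if not attr or not eq:
        raise ValueError(f"bad filter item {s[pos:end]!r}")
    return ("=", attr.strip().lower(), pattern), end + 1


def _match(pattern: str, value: str) -> bool:
    """Equality without '*', otherwise initial/any/final substring matching."""
    parts = [_unescape(p).casefold() for p in pattern.split("*")]
    v = value.casefold()
    if len(parts) == 1:
        return v == parts[0]
    if not v.startswith(parts[0]) or not v.endswith(parts[-1]):
        return False
    pos, limit = len(parts[0]), len(v) - len(parts[-1])
    for mid in parts[1:-1]:
        idx = v.find(mid, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= limit


def evaluate(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, pattern = node
    values = next((v for k, v in entry.items() if k.lower() == attr and k != "dn"), [])
    return any(_match(pattern, v) for v in values)


# Constructed entries standing in for the server's DIT.
DIRECTORY = [
    {"dn": "uid=jsmith,ou=people,dc=example,dc=com", "uid": ["jsmith"],
     "cn": ["John Smith"], "userPassword": ["hunter2"]},
    {"dn": "uid=admin,ou=people,dc=example,dc=com", "uid": ["admin"],
     "cn": ["Directory Admin"], "userPassword": ["s3cret"]},
    {"dn": "cn=printer1,ou=devices,dc=example,dc=com", "cn": ["printer1"],
     "objectClass": ["device"]},
]


def search(filter_text: str) -> list[str]:
    """DNs of the entries matching the filter (a wholeSubtree search over DIRECTORY)."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in DIRECTORY if evaluate(node, e)]


def login_filter_naive(uid: str, password: str) -> str:
    return f"(&(uid={uid})(userPassword={password}))"            # injectable


def login_filter_safe(uid: str, password: str) -> str:
    return (f"(&(uid={escape_filter_value(uid)})"
            f"(userPassword={escape_filter_value(password)}))")


if __name__ == "__main__":
    print(search(login_filter_naive("admin", "*")))   # '*' turns into a presence test
    print(search(login_filter_safe("admin", "*")))    # '\2a' is a literal '*': no match
```

With the naive template, a password of `*` becomes `(userPassword=*)`, a presence test that matches any entry carrying a password, and a uid of `*` enumerates every account; the escaped version sends `\2a`, which is matched as a literal asterisk. Unbalanced payloads such as `admin)(&)` fail the trailing-data check in `parse_filter`, just as an LDAP server rejects a filter that is not a single well-formed expression.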

    16/20

    ADD request: entry (an LDAPDN) plus the list of attributes and their values (or sets of values)

    MODIFY request: used to add, delete or replace attribute values of an existing entry

    DELETE request: removes a leaf entry (one with no subordinates) by DN


    17/20

    The current LDAP version (LDAPv3) supports clear-text passwords (simple bind) and Kerberos version 5 authentication

    Other authentication methods are possible in future versions

    SASL support was added in version 3: SASL is a framework for plugging in authentication mechanisms rather than a mechanism itself, and Kerberos v5 is carried through it (the GSSAPI mechanism), so the strength comparison is between mechanisms such as Kerberos and simple passwords, not between Kerberos and SASL


    18/20

    Authentication operation

