LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.

LDAPLIGHT WEIGHT DIRECTORY

ACCESS PROTOCOL• PRESENTATION BY ALAKESH

APURVA DHAN AND ASH

WHAT IS LDAP

• LDAP IS LIGHT WEIGHT • SUFFICIENT STRAIGHT FORWARD • EASY TO IMPLEMENT AS AGAINST

X.500 DAP WHICH IS HEAVY WEIGHT

LDAP

• DIRECTORY BECAUSE DATA IS ORGANISED IN THE FORM OF TREE MUCH LIKE UNIX FILE SYSTEM

• USES SIMPLIFIED SET OF ENCODING

• RUNS DIRECTLY ABOVE TCP/IP• USES STRING TO REPRESENT DATA

LDAP

• LDAP SECURITY MODEL : DEFINES HOW INFORMATION CAN BE PROTECTED FROM UNAUTHORISED ACCESS

LDAP

• LDAP API • THERE ARE SEVERAL LDAP API

APPLICATION PROGRAMMING INTERFACE OLDEST ONES WRITTEN IN C

• NOW A DAYS LDAP API S ARE AVAILABLE IN OTHER PROGRAMMING LANGUAGES LIKE PERL JAVA

HOW LDAP WORKS

• LDAP DIRECTORY SERVICE IS BASED ON CLIENT SERVER MODEL

• LDAP IS A MESSAGE ORIENTED PROTOCOL

• CLIENT CONSTRUCTS AN LDAP MESSAGE CONTAINING A REQUEST AND SENDS IT TO THE SERVER

HOW LDAP WORKS

• SERVER PROCESSES THE REQUEST AND SENDS IT BACK TO THE CLIENT IN THE FORM OF LDAP MESSAGE

LDAP BACKENDS

• THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP SERVER CALLED SLAPD COMES WITH THREE DIFFERENT BACKEND DATABASES

• WE ASSUME THAT IN OUR CASE WE USE LDBM THE MOST USED ONE

HOW LDAP WORKS

• LDAP DATABASE WORKS BY ADDING A COMPACT FOUR BYTE UNIQUE IDENTIFIER

• INDEX FILES ARE MAINTAINED FOR REFERRING TO DATA

LDAP PROTOCOL OPERATION

• INTERROGATION OPERATION : SEARCH , COMPARE

• ADD DELETE OPERATOIN : ADD , DELETE , MODIFY , MODIFY DN

• AUTHENTICATION AND CONTROL OPERATION : BIND , UNBIND , ABANDON

LDAP INFORMATION MODEL

• BASIC UNIT IS ENTRY ( A COLLECTION OF INFORMATION ABOUT AN OBJECT )

• AN ENTRY IS COMPOSED OF A SET OF ATTRIIBUTES

LDIF

• LDIF STANDS FOR LDAP DATA INTERCHANGE FORMAT

• DIRECTORY ENTRIES IN LDAP ARE IN THE FORM OF LDIF

LDIF FORMAT

• BASIC FORM OF LDIF : #COMMENT DN: <DISTINGUSHED NAME> <ATTRDESC>: <ATTRVALUE> <ATTRDESC>: <ATTRVALUE> …..

• EXAMPLE : DN: UID=ALAKESH DC=IIT DC=EDU

LDAP

• IN ADDITION TO BEING A NETWORK PROTOCOL IT ALSO DEFINES FOUR MODELS

• LDAP INFORMATION MODEL : DEFINES THE KIND OF DATA U PUT

• LDAP NAMING MODEL : HOW U ORGANISE AND REFER TO DIRECTORY INFORMATION

LDIF FORMAT

• LINES STARTING WITH # ARE CONSIDERED TO BE COMMENTS

• ALL OTHER ATTRIBUTES ARE WRITTEN IN <ATTRDESC > = <VALUE> FORM

LDIF

• EACH ENTRY IS UNIQUELY IDENTIFIED BY A DISTINIGUISHED NAME OR DN . THE DN CONSISTS OF THE NAME OF THE ENTRY PLUS A PATH IN THE DIRECTORY TREE TRACING BACK TO THE TOP OF THE DIRECTORY HIERARCHY

• THE OBJECT CLASS DEFINES THE CLASS OF THE ATTRIBUTES THAT CAN BE USED TO DEFINE AN ENTRY

LDIF

• DIRECTORY DATA IS REPRESENTED AS ATTRIBUTE-VALUE PAIR . ANY SPECIFIC PIECE OF INFORMATION IS ASSOSICATED WITH A DESCRIPTIVE ATTRIBUTE

LDAP CONFIGURATION

• THE CONFIGURATION FILE SLAPD.OC.CONF CONTAINS THE DEFINITION OF ALL THE OBJECT CLASSES

• THE ATTRIBUTES OF THE OBJECT CLASSES ARE DEFINED IN SLAPD.AT.CONF FILE

LDAP CONFIGURATION

• EACH OBJECT CLASS HAS REQUIRED AND ALLOWED ATTRIBUTE

• REQUIRED ATTRIBUTES MUST BE PRESENT WHILE ALLOWED ARE OPTIONAL

LDAP CONFIGURATION

• EACH ATTRIBUTE HAS CORRESPONDING SYNTAX DEFINITION

LDAP ACCESS CONTROL

• ACCESS TO <WHAT> [ BY <WHO> <ACCESS LEVEL> <CONTROL> ]

• THIS DIRECTIVE GRANTS ACCESS TO A SET OF ENTRIES/ATTRIBUTES BY ONE OR MORE REQUESTERS

• EXAMPLE : ACCESS TO * BY * READ

LDAP ACCESS CONTROL

• THE ABOVE DIRECTIVE GIVES READ PERMISSION TO EVERYONE

• FOR EXAMPLE ACCESS TO DN=“ . * , C=INDIA” BY * SEARCH GIVES SEARCHING PERMS TO ENTRIES UNDER C=INDIA SUBTREE

LDAPADD

• OPENLDAP PACKAGE COMES WITH SHELL EXECUTABLE NAMED LDAPADD USED TO ADD ENTRIES TO THE DATABASE WHILE LDAP SERVER IS RUNNING

• BASIC SYNTAX IS LDAPADD -F <DATAFILE> -D

<DN> -w <PASSWD> / -W ( IF PASSWORD IS TO BE PROMPTED .

LDAPDELETE

• ANOTHER SHELL EXECUTABLE FOR DELETING ENTRIES

• ITS SYNTAX IS LDAPDELETE

‘CN=HI,O=IITB,C=INDIA’

LDAPMODIFY

• ITS ANOTHER SHELL EXECUTABLE TO MODIFY DATA IN THE DIRECTORY DATABASE

• IT HAS SIMILAR SYNTAX TO LDAPADD

LDAPSEARCH

• SHELL ACCESSIBLE INTERFACE TO LDAP_SEARCH() C ROUTINE

• LDAPSEARCH OPENS CONNECTION TO THE LDAPSERVER PERFORMS SEARCH WHICH FOLLOWS FILTERING RULES DEFINED IN RFC1558

LDAPSEARCH

• FOR EXAMPLE LDAPSEARCH -B “C=INDIA”

“O=IITB” IF * IS ALLOWED READ ACCESS BY DEFAULT THE O=IITB WILL BE RETURNED

• -B OPTION SEARCHES FOR THE SEARCH BASE

LDAP AND JAVA CONNECTIVITY

• THERE EXISTS A PACKAGE CALLED JNDI ( JAVA NAMING AND DIRECTORY INTERFACE )

• IT CONTAINS API S NEEDED TO CONNECT LDAP SERVER RETRIEVE INFORMATION

JNDI EXAMPLE

• A typical code WRITTEN USING JNDI TO DO LDAP SEARCH • will be like this …..

• import java.util.Hashable ;• import java.util.Enumeration ;• import javax.naming.* ; • import javax.naming.directory.* ;

• class Search {• public static void main(String[] args){• Hashtable env = new Hashtable(5 , 0.75f) ; • env.put(Context.INITIAL_CONTEXT_FACTORY,Env.INITCTX) ; • env.put(Context.PROVIDER_URL , Env.MY_SERVICE ) ; • ……………………….

• Most ldap servers are optimized for read-intensive operations.Thus, one can see an order of magnitude difference when reading data from an ldap directory versus obtaining the same data from a relational database server optimized for OLTP.

• Because of this optimization , however , most LDAP directories are not suited for storing data where changes are frequent.

Why Ldap?