Lightweight Directory Access Protocol

PowerPoint Presentation:

LDAP - Lightweight Directory Access Protocol (Information Security, 4/23/2013)

Background and Motivation:

- Increased reliance on networked computers
- Needs placed on information:
  - Functionality
  - Ease of use
  - Administration
  - Clear and consistent organization
  - Integrity
  - Confidentiality

What is LDAP?:

- Lightweight Directory Access Protocol.
- Used to access and update information in a directory built on the X.500 model.
- The specification defines the content of messages exchanged between the client and the server, and includes operations to establish a session with the server and to disconnect from it.
- LDAP allows us to search for an individual without knowing where they are located.
- Runs over TCP/IP.

X.500:

- The X.500 standard was developed by CCITT in 1988.
- A set of computer networking standards covering electronic directory services.
- Its components cooperate to manage information about objects such as countries, organizations, people, machines, and so on, on a worldwide scope.
- It provides the capability to look up information, and to browse and search for it.

PowerPoint Presentation:

(diagram) Integration of a company's applications and infrastructure with LDAP

Protocol overview:

- The client starts an LDAP session by connecting to an LDAP server, by default on TCP port 389.
- The client sends operation requests to the server.
- The server sends responses in turn.
- With some exceptions, the client need not wait for a response before sending the next request.
- The server may send the responses in any order.

LDAP Concerns:

- Information: the structure of information stored in an LDAP directory.
- Naming: how information is organized and identified.
- Functions / Operations: what operations can be performed on the information stored in an LDAP directory.
- Security: how the information can be protected from unauthorized access.

LDAP Information Storage:

(diagram only)

LDAP Naming Examples:

Common attribute types and their string abbreviations:

  Attribute Type            String
  CommonName                CN
  LocalityName              L
  StateOrProvinceName       ST
  OrganizationName          O
  OrganizationalUnitName    OU
  CountryName               C
  StreetAddress             STREET
  domainComponent           DC
  Userid                    UID

Example distinguished name (DN):

  "CN=John Smith, O=Isode Limited, C=GB"

Example entry:

  dn: cn=John Doe,dc=example,dc=com
  cn: John Doe
  givenName: John
  sn: Doe
  telephoneNumber: +1 888 555 6789
  telephoneNumber: +1 888 555 1232
  mail: [email protected]
  manager: cn=Barbara Doe,dc=example,dc=com
  objectClass: inetOrgPerson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top

LDAP Functions/Operations:

- Authentication
  - BIND / UNBIND
  - ABANDON
- Query
  - Search
  - Compare entry
- Update
  - Add an entry
  - Delete an entry (only leaf nodes, no aliases)
  - Modify an entry
  - Modify DN/RDN

LDAP Security:

The current LDAP version supports:
- Clear-text passwords
- Kerberos version 4 authentication
- SASL (Simple Authentication and Security Layer), support for which was added in version 3

LDAP Security:

- Authentication: assurance that the opposite party (machine or person) really is who he/she/it claims to be.
- Integrity: assurance that the information that arrives is really the same as what was sent.
- Confidentiality: protection of information from disclosure to those who are not intended to receive it, by means of data encryption.
- Authorization: assurance that a party is really allowed to do what he/she/it is requesting to do. This is usually checked after user authentication.

LDAP Security:

There are three methods that can be used to implement authentication, integrity and confidentiality:
- No authentication
- Basic authentication
- Secure Lightweight Directory Access Protocol (LDAPS)

LDAP Security : No Authentication:

This method should only be used when data security is not an issue and when no special access control permissions are involved. No authentication is assumed when you leave both the password and the DN field empty in the bind API call.

(diagram) No authentication: DN = "", Pass = ""

LDAP Security : Basic Authentication:

Besides the option of using no authentication at all, the simplest security mechanism in LDAP is called basic authentication, which is also used in several other Web-related protocols, such as HTTP. The security mechanism in LDAP is negotiated when the connection between the client and the server is established.

(diagram) Client -> Server: Base64(DN, Password); Server -> Client: ACK("message"); the server holds a DN store.

LDAP Security : LDAPS:

LDAPS is the exact same protocol as LDAP, running over a secured SSL ("Secure Sockets Layer") connection, to port 636 by default. LDAPS is to LDAP as HTTPS is to HTTP. LDAPS can solve the problem of verifying that you are connected to the correct server.

LDAP Security : LDAPS:

This is done in two ways:
- Check that the certificate is signed (trusted) by someone that you trust, and that the certificate has not been revoked. For instance, the server's certificate may have been signed by Verisign (www.verisign.com).
- Check that the least-significant CN relative distinguished name (RDN) in the server certificate's DN is the fully-qualified hostname that you connected to when creating the LDAPS object. For example, if the server's certificate DN is <cn=ldap.example.com, ou=Mydepartment, o=My company>, then the RDN to check is cn=ldap.example.com.
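An added example in Python (not from the slides) that ties the naming and LDAPS sections together: it splits a DN such as those in the naming examples into its RDNs, applies the slide's rule of matching the least-significant CN RDN of the server certificate against the connected hostname, builds the TLS settings a client should use on port 636, and classifies the bind kinds from the security slides. The DNs and hostnames are constructed; modern TLS libraries check subjectAltName first (RFC 6125), so the CN rule here mirrors the slide rather than replacing library verification.

```python
# Added example, not from the slides. Sample DNs and hostnames are constructed.
import re
import ssl


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, leftmost (least significant) first.
    Handles backslash-escaped commas and the loose spacing seen on the slide
    ("O= Isode Limited"); multi-valued RDNs (a+b) are not handled."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def cert_cn_matches_host(subject_dn, connected_host):
    """The slide's LDAPS rule: the least-significant CN RDN of the server
    certificate subject must equal the hostname we connected to.
    Case-insensitive, like DNS; a subject with no CN at all fails closed."""
    for attr, value in parse_dn(subject_dn):
        if attr == "cn":
            return value.lower() == connected_host.lower()
    return False


def ldaps_context():
    """Client TLS settings for port 636: require a certificate that chains
    to a trusted CA (step 1 on the slide) and let ssl check the name too."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def bind_kind(dn, password):
    """Classify a simple bind as the earlier slides describe: empty DN and
    empty password is the 'no authentication' (anonymous) bind. A DN with an
    empty password is an unauthenticated bind: servers should reject it by
    default (RFC 4513), and one that accepts it grants only anonymous
    access, so a client must never read that success as a password check."""
    if not dn and not password:
        return "anonymous"
    if not password:
        return "unauthenticated"
    return "simple"
```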

Summary:

- Entries are organized in a distinct hierarchy.
- An LDAP directory can be distributed across multiple servers.
- The LDAP client requires very few resources to run, and it can easily be integrated into other software.
- LDAP supports strong authentication and encryption methods.
- LDAP uses Unicode UTF-8, so almost any language's character set can be represented.

PowerPoint Presentation:

Thank You