Tuesday, March 20, 2007

LDAP and OpenLDAP (Part III)

In the previous parts we saw that LDAP is described by four models: the information model, which we have already covered, plus the naming model, the functional model and the security model. This part discusses those three.

Naming Model
The information model provides the basic elements (entries, attributes, object classes) from which a directory is built. The naming model describes how these elements fit together to form the directory.

We have already met the DIT, the Directory Information Tree, which is perhaps the most important concept of the naming model. The examples in Part I showed how the directory is built as a tree whose root entry holds the information about the company abc.com.

LDAP gives a great deal of flexibility in tree design, but that does not mean that everything is possible. The directory always has to be a tree: every entry other than the root has exactly one parent, and you cannot add an entry whose parent does not exist (the server answers such an add with the result code noSuchObject).

The heart of the naming model is the distinguished name (DN). Every entry has a DN that identifies it unambiguously, so a DN must be unique throughout the whole directory. The way DNs are constructed is what gives the directory its namespace and its tree shape.

A distinguished name is a comma-separated list of subunits called relative distinguished names (RDNs), each of the form attribute=value. You obtain the DN of an entry by taking the entry's own RDN and appending the DN of its parent. Special characters inside an RDN value (comma, plus, double quote, backslash and a few others) have to be escaped with a backslash as specified in RFC 2253 (now RFC 4514); otherwise a value such as "Smith, John" would be read as two RDNs.

Like the DN, the RDN has to be unique, but only within its scope, i.e. among the children of the same parent. For example, if the parent is:
DN: ou=sales, l=Europe, o=abc.com

then directly below it there can be only one entry with the RDN:
uid=usr1

giving the DN:
DN: uid=usr1, ou=sales, l=Europe, o=abc.com

Nothing stops you, however, from having another entry with the RDN uid=usr1 under l=Asia, as shown in Exhibit 18, which results in the different and still unique DN:
DN: uid=usr1, ou=sales, l=Asia, o=abc.com
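To make the naming rules concrete, here is a small Python example (added for this page, not OpenLDAP code) that escapes and parses DNs the way RFC 4514 prescribes, builds a DN from an RDN and a parent DN, and keeps a toy DIT that rejects an entry whose parent is missing or whose RDN already exists under the same parent while accepting the same RDN under a different parent. The DNs, the caseIgnoreMatch normalization and the exception names are this example's own assumptions. It also shows why escaping matters: an unescaped comma in a user-supplied value silently adds an RDN and moves the entry elsewhere in the tree.

```python
"""Naming model in code: RFC 4514-style DN escaping/parsing plus a toy DIT enforcing
the two rules from the text (an entry needs an existing parent; an RDN is unique
only among the children of one parent). Added example, not OpenLDAP code."""

_SPECIAL = set('"+,;<>\\')          # must be escaped anywhere in a value (RFC 4514, 2.4)
_HEX = set('0123456789abcdefABCDEF')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can sit in an RDN without changing the DN shape."""
    out = []
    for ch in value:
        if ch == '\x00':
            out.append('\\00')
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        else:
            out.append(ch)
    s = ''.join(out)
    if value.endswith(' '):           # a trailing space must be escaped ...
        s = s[:-1] + '\\ '
    if s and s[0] in ' #':            # ... and so must a leading space or '#'
        s = '\\' + s
    return s


def split_dn(dn: str) -> list:
    """Split a DN into [(type, value), ...], leaf RDN first, with values unescaped.
    Only unescaped commas separate RDNs; '\\XX' pairs are decoded as UTF-8 bytes.
    Multi-valued RDNs joined with '+' are not handled (toy-parser assumption)."""
    if not dn.strip():
        return []                     # the empty DN names the root DSE
    rdns, buf, typ, i, n = [], bytearray(), None, 0, len(dn)
    while i <= n:
        ch = dn[i] if i < n else None
        if ch is None or ch == ',':
            if typ is None:
                raise ValueError('RDN without "=" in %r' % dn)
            rdns.append((typ.strip(), buf.decode('utf-8')))
            buf, typ, i = bytearray(), None, i + 1
        elif ch == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(int(pair, 16)); i += 3
            elif i + 1 < n:
                buf += dn[i + 1].encode('utf-8'); i += 2
            else:
                raise ValueError('dangling backslash in %r' % dn)
        elif ch == '=' and typ is None:
            typ, buf, i = buf.decode('utf-8'), bytearray(), i + 1
        else:
            buf += ch.encode('utf-8'); i += 1
    return rdns


def join_dn(rdn_type: str, rdn_value: str, parent_dn: str) -> str:
    """Build an entry's DN from its RDN and its parent's DN, escaping the value."""
    rdn = '%s=%s' % (rdn_type, escape_rdn_value(rdn_value))
    return rdn if not parent_dn else rdn + ',' + parent_dn


def normalize_dn(dn: str) -> tuple:
    """Uniqueness key: attribute types are case-insensitive, and we assume the naming
    attributes use caseIgnoreMatch (true for uid, cn, ou, o, l), so values fold too."""
    return tuple((t.lower(), ' '.join(v.split()).lower()) for t, v in split_dn(dn))


class NoSuchObject(Exception):
    """The new entry's parent does not exist (LDAP result code 32)."""


class EntryAlreadyExists(Exception):
    """Same RDN already present under that parent (LDAP result code 68)."""


class Dit:
    """Minimal directory information tree that stores only DNs."""

    def __init__(self, suffix: str):
        self.entries = {normalize_dn(suffix)}

    def add(self, dn: str) -> tuple:
        key = normalize_dn(dn)
        if key in self.entries:
            raise EntryAlreadyExists(dn)
        if key[1:] not in self.entries:       # parent = everything but the leaf RDN
            raise NoSuchObject('parent of %s does not exist' % dn)
        self.entries.add(key)
        return key
```

Note the last two assertions in the usage: with escaping the user-supplied value "usr1,ou=admins" stays one RDN with a funny value, without it the entry would be created under a different parent.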

As a directory grows, there may come a point where it is no longer practical to hold the whole tree on one server. For performance reasons we might put one part of the tree on another directory server, but performance is not the only reason for doing so. Administrative considerations, such as allowing different policies for different parts of the tree, also come into play. The answer is to partition the tree across servers and to link the partitions with referrals, which are explained next.

Assume that our directory server does not hold the entire tree and that part of it is located on another server: say the subtree holding abc.com's North America location has been moved to a separate server. A client searching our server for an entry in the sales department in San Francisco would then find nothing, getting back a result code saying that the entry does not exist on this server. That is not what we want. We need an entry that points to the place where the entry can now be found. This special entry is called a "referral."

A referral is an entry of the object class "referral." Like an alias, it has a distinguished name that locates it in the tree. It has one required attribute, "ref," whose value is an LDAP URL pointing to the server (and base DN) where the real entries live. When an operation reaches a referral entry, the server returns the result code "referral" together with that URL, and it is up to the client whether to follow it. Following a referral means opening a new connection, and possibly re-sending the user's credentials, to whatever host the URL names, so a client should only chase referrals to hosts it trusts and should never drop from a TLS-protected connection to a plain one in order to do so.
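The client side of a referral, as an added Python example (not libldap code): parse the LDAP URL found in the ref attribute and apply a chase policy. The host names, the allow-list and the policy rules (only LDAP URLs, only trusted hosts, no downgrade from ldaps to ldap) are assumptions made for the example; OpenLDAP's ldapsearch, for comparison, only chases referrals when given -C.

```python
"""Client-side referral handling: parse an RFC 4516 LDAP URL and decide whether it is
safe to chase. Added example; the policy and the allow-list are this example's own."""
from urllib.parse import unquote, urlsplit

_DEFAULT_PORT = {'ldap': 389, 'ldaps': 636}


def parse_ldap_url(url: str) -> dict:
    """Split ldap[s]://host[:port]/dn[?attrs[?scope[?filter]]] into its parts,
    applying the RFC 4516 defaults (scope base, filter (objectClass=*)).
    Extensions after the filter are ignored; a '#' in the filter would be taken
    as a URL fragment by urlsplit (assumption: filters here contain none)."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORT:
        raise ValueError('not an LDAP URL: %r' % url)
    fields = parts.query.split('?') if parts.query else []
    fields += [''] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    return {
        'scheme': parts.scheme,
        'host': parts.hostname or '',
        'port': parts.port or _DEFAULT_PORT[parts.scheme],
        'dn': unquote(parts.path[1:]),
        'attrs': [a for a in unquote(attrs).split(',') if a],
        'scope': unquote(scope) or 'base',
        'filter': unquote(filt) or '(objectClass=*)',
    }


def should_chase(current_scheme: str, ref_url: str, trusted_hosts) -> tuple:
    """Return (chase, reason). Policy chosen for this example, not a protocol rule:
    only LDAP URLs, only hosts on the allow-list, and never downgrade from ldaps."""
    try:
        ref = parse_ldap_url(ref_url)
    except ValueError as exc:
        return False, str(exc)
    if ref['host'] not in trusted_hosts:
        return False, 'untrusted referral target %r' % ref['host']
    if current_scheme == 'ldaps' and ref['scheme'] != 'ldaps':
        return False, 'refusing TLS downgrade to %r' % ref_url
    return True, 'ok'
```

The downgrade rule is the one most often missing in home-grown clients: a referral is just data returned by a server, and if an attacker can plant or spoof one, a client that rebinds wherever it is told hands over the user's password.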

Function model
The functional model describes the operations that can be performed on the directory.

At this point it helps to remember that LDAP is a message protocol between client and server. The client sends a message requesting a certain action on the directory. The server executes the action on the client's behalf and sends back a message containing the result code and, where applicable, the result set.

There are three groups of operations, plus one special group, the "extended operations." This group is new in version 3 of LDAP and is defined in RFC 2251. Extended operations allow further functionality to be added, published in the form of RFCs or in private implementations. For example, the "StartTLS" operation, which upgrades an existing plain connection to TLS, was not foreseen in RFC 2251 and was later defined as an extended operation in RFC 2830.

The three groups of functions are:
1. Interrogation operations: search, compare
2. Update operations: add, delete, modify DN, modify
3. Authentication and control operations : bind, unbind, abandon

All of these operations are requests made by an LDAP client to an LDAP server. The server executes the requested operation and sends back a response carrying a result code (success or an error) and, where applicable, the results.

The most complicated operation is the search operation. It takes eight parameters: base, scope, derefAliases, sizeLimit, timeLimit, attrOnly (called typesOnly in RFC 2251), searchFilter, and attributeList:
1. Base: DN of the entry where the search starts
2. Scope: How far the search extends from the base into the directory information tree. The scope can have three values:
a. baseObject: Only the base entry itself is examined.
b. singleLevel: Only the immediate children of the base entry are examined; the base entry itself is not returned.
c. wholeSubtree: The base entry and its entire subtree are examined.
3. derefAliases: How alias entries are handled: neverDerefAliases, derefInSearching, derefFindingBaseObj or derefAlways.
4. sizeLimit: Maximum number of entries to return. Zero means the client asks for no limit, but the server may still enforce its own (the sizelimit directive in slapd.conf) and then answers with sizeLimitExceeded.
5. timeLimit: Maximum number of seconds the search may take. Zero means the client imposes no limit; the server's own timelimit still applies.
6. attrOnly: A Boolean value. Set to "true," it returns only attribute types; set to "false," it returns attribute types and values.
7. searchFilter: The condition an entry must meet to be returned. Conditions can be combined with the Boolean "and," "or," and "not" operators, written in the prefix notation of RFC 2254 (now RFC 4515), e.g. (&(objectClass=person)(uid=usr1)).
8. attributeList: The attributes to return for matching entries. Two values have a special meaning: an empty list and the asterisk "*" both request all user attributes. The asterisk is useful when you also want to name operational attributes, which are never returned unless explicitly requested, e.g. "*" together with modifyTimestamp. The value "1.1" requests no attributes at all (only the DNs of the matching entries), and the "+" of RFC 3673 requests all operational attributes.
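Filters are where LDAP applications most often go wrong, so here is an added Python example (not OpenLDAP code) of a parser and evaluator for the RFC 4515 filter syntax used by searchFilter, covering and, or, not, equality, presence and substring items, run over a few constructed entries. It also contains the escaping an application must apply to user input before splicing it into a filter, and shows the injection that happens without it. Approximate (~=), >= and <= items, attribute-specific matching rules and scope handling are left out, and hex escapes are decoded as single characters; those are the example's simplifying assumptions.

```python
"""RFC 4515 search filters: parse, evaluate against sample entries, and escape user input.
Added example, not OpenLDAP code. Entries below are constructed for the example."""
import re

ENTRIES = [
    {'dn': 'uid=usr1,ou=sales,l=Europe,o=abc.com', 'objectClass': ['person', 'inetOrgPerson'],
     'uid': ['usr1'], 'cn': ['Usr One'], 'mail': ['usr1@abc.com']},
    {'dn': 'uid=usr1,ou=sales,l=Asia,o=abc.com', 'objectClass': ['person', 'inetOrgPerson'],
     'uid': ['usr1'], 'cn': ['Usr Uno'], 'mail': ['usr1@asia.abc.com']},
    {'dn': 'uid=admin,ou=it,l=Europe,o=abc.com', 'objectClass': ['person'],
     'uid': ['admin'], 'cn': ['Directory Admin']},
    {'dn': 'ou=sales,l=Europe,o=abc.com', 'objectClass': ['organizationalUnit'], 'ou': ['sales']},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: '*', '(', ')', '\\' and NUL become backslash + two hex digits,
    so user input can only ever match literally."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)


def _unescape(s: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def parse_filter(text: str):
    """Parse into ('&', [...]), ('|', [...]), ('!', node) or ('=', attr, raw_value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError('trailing data after filter: %r' % text[end:])
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if i < len(s) and s[i] in '&|':
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == '(':
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ')':
            raise ValueError('unterminated %s-list at offset %d' % (op, i))
        return (op, subs), i + 1
    if i < len(s) and s[i] == '!':
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ')':
            raise ValueError('unterminated ! at offset %d' % i)
        return ('!', node), i + 1
    end = s.find(')', i)              # a literal ')' in a value must arrive escaped as \29
    if end < 0:
        raise ValueError('unterminated item at offset %d' % i)
    attr, eq, raw = s[i:end].partition('=')
    if not eq or not attr or attr[-1] in '~<>':
        raise ValueError('unsupported or malformed item %r' % s[i:end])
    return ('=', attr, raw), end + 1


def _substring_match(pattern: str, value: str) -> bool:
    parts = [_unescape(p).lower() for p in pattern.split('*')]
    value = value.lower()
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:          # 'any' components must appear in order
        found = value.find(middle, pos)
        if found < 0:
            return False
        pos = found + len(middle)
    return pos <= len(value) - len(parts[-1])


def matches(entry: dict, node) -> bool:
    """Evaluate a parsed filter against one entry (caseIgnoreMatch assumed for every attribute)."""
    kind = node[0]
    if kind == '&':
        return all(matches(entry, n) for n in node[1])
    if kind == '|':
        return any(matches(entry, n) for n in node[1])
    if kind == '!':
        return not matches(entry, node[1])
    _, attr, raw = node
    attrs = {k.lower(): v for k, v in entry.items() if k != 'dn'}
    values = [v.lower() for v in attrs.get(attr.lower(), [])]
    if raw == '*':                                       # presence
        return bool(values)
    if '*' in raw:                                       # substring
        return any(_substring_match(raw, v) for v in values)
    return _unescape(raw).lower() in values              # equality


def search(entries, filter_text: str) -> list:
    """DNs of the entries matching the filter (scope handling omitted)."""
    node = parse_filter(filter_text)
    return [e['dn'] for e in entries if matches(e, node)]
```

The injection case in the usage is the classic one: a login form builds (&(uid=%s)(objectClass=person)) from what the user typed, and the input *)(uid=* turns it into a filter every person matches; the escaped version matches nothing.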

The "compare" operation does not merely test for the presence of an attribute: it asks whether the entry with the given distinguished name contains a specific attribute value. The server answers compareTrue if it does and compareFalse if it does not, or with an error such as noSuchObject if the entry does not exist. Its parameters are:
1. entry: Distinguished name of the entry to test
2. ava: The attribute value assertion (attribute name and value) you want to verify is present in the entry
Compare is subject to access control just like read: a client that may not read an attribute (userPassword, say) must not be allowed to compare against it either, or it could guess the value one attempt at a time. OpenLDAP has a separate "compare" access level for exactly this reason.

The "add" operation is comparatively easy, as it has only two parameters, entry and attributeList:
1. entry: Distinguished name of the new entry
2. attributeList: The attributes (name-value pairs, including objectClass) contained in the new entry
The parent named in the DN must already exist, otherwise the result is noSuchObject.

The "delete" operation is simpler still, inasmuch as it takes one parameter only, the distinguished name of the entry to be deleted.
entry: Distinguished name of the entry to be deleted
Only leaf entries can be deleted; deleting an entry that still has children fails with notAllowedOnNonLeaf.

The "modify" operation is more involved than the previous two. It takes two parameters, the distinguished name and a list of modifications, each of which names an operation type and an attribute with its values:
1. entry: Distinguished name of the entry to be modified
2. modification list: Each element carries an operation and a name-values pair. The operation has three possible values:
add: Adds the given values to the attribute, creating the attribute if necessary (fails with attributeOrValueExists if a value is already present)
delete: Deletes the given values from the attribute, or the whole attribute if no values are given (fails with noSuchAttribute if the attribute or a value is absent)
replace: Replaces all existing values of the attribute with the given ones; a replace with no values deletes the attribute
The modifications in one request are applied in order as a single atomic operation: either all of them succeed or the entry is left exactly as it was.
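As an added example (not slapd code), the following Python function applies a modify request's modification list to an entry with the semantics described above: add, delete with and without values, replace, and all-or-nothing behaviour. The entry, the attribute names and the result-code constants are constructed for the example, and attribute names are compared case-sensitively for simplicity.

```python
"""Modify semantics (RFC 2251 section 4.6 / RFC 4511): apply a modification list to an
entry atomically. Added example; result-code constants and sample entry are the example's own."""
import copy

SUCCESS, NO_SUCH_ATTRIBUTE, ATTRIBUTE_OR_VALUE_EXISTS = 0, 16, 20   # LDAP result codes


def apply_modify(entry: dict, modifications) -> tuple:
    """Return (result_code, entry). modifications is a list of (op, attribute, values).
    On success the returned dict is a modified copy; on any error the original entry
    is returned untouched, mirroring the all-or-nothing rule of the protocol."""
    work = copy.deepcopy(entry)
    for op, attr, values in modifications:
        current = work.get(attr, [])
        if op == 'add':
            if any(v in current for v in values):
                return ATTRIBUTE_OR_VALUE_EXISTS, entry
            work[attr] = current + list(values)
        elif op == 'delete':
            if attr not in work:
                return NO_SUCH_ATTRIBUTE, entry
            if not values:                      # no values: drop the whole attribute
                del work[attr]
                continue
            if any(v not in current for v in values):
                return NO_SUCH_ATTRIBUTE, entry
            remaining = [v for v in current if v not in values]
            if remaining:
                work[attr] = remaining
            else:
                del work[attr]                  # last value gone: attribute gone
        elif op == 'replace':
            if values:
                work[attr] = list(values)
            else:
                work.pop(attr, None)            # replace with nothing removes the attribute
        else:
            raise ValueError('unknown modify operation %r' % op)
    return SUCCESS, work
```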

The main purpose of the "bind" operation is to let the client authenticate itself to the directory server. The "bind" operation takes three parameters, version, name, and authentication:
1. version: Version of LDAP the client wishes to use (3 for any current deployment)
2. name: Distinguished name of the directory object the client wishes to bind as
3. authentication: Authentication choice, which has two possible values:
simple: The password is sent as is, i.e. in clear text unless the connection is already protected by TLS.
sasl: Uses a SASL mechanism as described in RFC 2222, "Simple Authentication and Security Layer" (since revised as RFC 4422).
Two degenerate simple binds need care. An empty name with an empty password is an anonymous bind. A name with an empty password is an "unauthenticated" bind: servers have traditionally answered it with success while granting only anonymous rights, so an application that passes a user's DN plus whatever password was typed to the server, and treats success as proof of identity, can be logged into with an empty password. Check for an empty password before binding; OpenLDAP itself rejects such binds unless "allow bind_anon_dn" is configured.

The "unbind" operation is very simple and takes no parameters, and the server sends no response to it. The client assumes that the connection to the server is now closed. The server releases any resources allocated for the client, discards its authentication state, and closes the TCP connection with the client.

Another simple operation, "abandon," tells the server to stop a previously requested operation. It is typically used by GUIs for long-running operations, to tell the server that the client is no longer interested in the result. Like unbind it gets no response, and results that were already on their way may still arrive, so the client must be prepared to discard them. The operation takes only one parameter, the messageID of the operation to abandon:
operationID: messageID of the operation to be abandoned


Security model
The security model shows how the data in the directory is protected. Two topics are involved: authentication and authorization, the latter also called "access control" in LDAP.

Before a client can access data on an LDAP server, two processes take place: first authentication, then authorization. These two processes are quite different from each other.

Authentication takes place when the client identifies itself to the server as it connects (or later on the same connection, by sending a bind). The process depends very much on the authentication mechanism used. The easiest way is to connect to the server without providing any identity at all. To such an anonymous connection, if allowed at all, the server grants the lowest access rights. Beyond that, the schemes range from simple authentication with name and password to authentication using certificates. Certificates give the server the assurance that the client really is who it says it is. Certificates can also assure the client of the server's identity, which is what stops an impostor server from collecting the client's credentials.

Once the client has been authenticated, it holds certain access rights to the data. Authorization is the process by which the server grants the correct access rights to the previously authenticated client: the user can read and write data subject to restrictions that depend on the level of access granted. To define what each client may do, the server maintains access control information (ACI); in OpenLDAP these are the "access to <what> by <who> <level>" directives in slapd.conf, evaluated in order, with the first matching directive and its first matching "by" clause deciding. Take particular care with userPassword: it should be readable by nobody, with password checking done through the "auth" access level, so that hashes never leave the server.

The first type of authentication is "no authentication at all," also called "anonymous bind" because the server has no idea who is actually asking for a connection. Anonymous bind is used to access publicly available data; if the directory holds none, anonymous binds can be switched off in OpenLDAP with "disallow bind_anon."

After anonymous access, the simplest authentication is the simple bind, comparable to basic authentication in other protocols like HTTP. The client simply sends its credentials across the wire: the user's distinguished name and the password, which the server checks against the entry's userPassword attribute. Both travel over the network in plain view, without encryption. This may be acceptable in a trusted environment, but even in an intranet sending unencrypted passwords around is not a good idea. The usual remedy is to protect the connection with TLS (ldaps:// or StartTLS) and, on the server, to refuse simple binds on unprotected connections, e.g. with "security simple_bind=128" in slapd.conf.

The goal of the TLS protocol is to provide both data integrity and privacy. This means that TLS guarantees that data sent between two partners arrives unmodified and that the conversation is encrypted, i.e., that a person sitting between client and server cannot read it. TLS requires a reliable transport and is layered on TCP. TLS itself comprises two protocols, the TLS Record protocol and the TLS Handshake protocol. The Record protocol fragments, integrity-protects and encrypts everything the higher layers send: first the handshake messages, then the LDAP messages themselves. The Handshake protocol runs on top of the Record layer and provides the security mechanisms: it lets server and client authenticate each other with public-key certificates and negotiate the cipher suite and the session keys. One caveat: the protection against a man in the middle only holds if the client actually verifies the server's certificate. With OpenLDAP clients this is governed by TLS_REQCERT in ldap.conf, which should be left at "demand" (the default) and not set to "never" or "allow."
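To see what "travels in clear text" means on the wire, here is an added Python example (not libldap code) that BER-encodes three LDAPv3 messages: a simple BindRequest, an UnbindRequest and the StartTLS ExtendedRequest mentioned in the functional model section. The message IDs, DN and password are made up; the encoder handles only the definite lengths and non-negative integers these messages need; and the refusal to send a DN with an empty password is a client-side guard added here, not a protocol rule.

```python
"""What a simple bind puts on the wire: minimal BER (X.690) encoder for the LDAPv3
BindRequest, UnbindRequest and StartTLS ExtendedRequest (RFC 2251 / RFC 2830 ASN.1).
Added example, not libldap code; credentials and message IDs are made up."""

# Universal tags, plus the APPLICATION / context-specific tags LDAP's ASN.1 module assigns.
INTEGER, OCTET_STRING, SEQUENCE = 0x02, 0x04, 0x30
BIND_REQUEST = 0x60          # [APPLICATION 0], constructed
UNBIND_REQUEST = 0x42        # [APPLICATION 2], primitive NULL
EXTENDED_REQUEST = 0x77      # [APPLICATION 23], constructed
SIMPLE_AUTH = 0x80           # AuthenticationChoice simple [0] OCTET STRING
REQUEST_NAME = 0x80          # ExtendedRequest requestName [0] LDAPOID
START_TLS_OID = b'1.3.6.1.4.1.1466.20037'


def _length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def _integer(value: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement (assumption: value >= 0)."""
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, 'big', signed=True))


def _message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    if message_id <= 0:
        raise ValueError('messageID 0 is reserved for unsolicited notifications')
    return _tlv(SEQUENCE, _integer(message_id) + protocol_op)


def simple_bind_request(message_id: int, name: str, password: str) -> bytes:
    """BindRequest with the simple AuthenticationChoice: DN and password as plain octets."""
    if name and not password:
        # Guard against the 'unauthenticated bind' trap (RFC 4513, 5.1.2): a DN with an
        # empty password is treated by many servers as an anonymous bind that succeeds.
        raise ValueError('refusing simple bind with a DN but no password')
    body = (_integer(3)                                      # version
            + _tlv(OCTET_STRING, name.encode('utf-8'))       # name (LDAPDN)
            + _tlv(SIMPLE_AUTH, password.encode('utf-8')))   # authentication: simple
    return _message(message_id, _tlv(BIND_REQUEST, body))


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL; the server sends nothing back."""
    return _message(message_id, _tlv(UNBIND_REQUEST, b''))


def start_tls_request(message_id: int) -> bytes:
    """ExtendedRequest carrying only the StartTLS OID. After the success response the
    client runs the TLS handshake on the same TCP connection and every later
    LDAPMessage (including the bind) rides inside TLS records."""
    return _message(message_id, _tlv(EXTENDED_REQUEST, _tlv(REQUEST_NAME, START_TLS_OID)))


if __name__ == '__main__':
    print(simple_bind_request(1, 'cn=admin,o=abc.com', 'secret').hex(' '))
```

Run stand-alone it prints the bind message; the password is right there as the last six bytes, which is what a packet capture on an unprotected port 389 shows too.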

LDAP (v2) had a bind mechanism based on Kerberos (version 4) built into the protocol itself; LDAP (v3) does not support it directly. By "not directly supported" we mean that Kerberos (now version 5) is used through a mechanism agreed upon with SASL, namely GSSAPI.

The simple authentication and security layer (SASL) is a method of providing authentication services to a connection-oriented protocol such as LDAP. The SASL standard is defined in RFC 2222, "Simple Authentication and Security Layer" (since revised as RFC 4422). Once client and server are connected, they agree on the mechanism used for authentication and, optionally, on a security layer (integrity and encryption) for the rest of the conversation. One of these mechanisms is Kerberos. At the time of this writing the registered mechanisms include: ANONYMOUS, CRAM-MD5, DIGEST-MD5, EXTERNAL (which reuses the identity already established at a lower layer, e.g. the client certificate of the TLS session), KERBEROS_V4 and GSSAPI, SECURID, SRP (Secure Remote Password), OTP (S/Key). Two caveats for OpenLDAP deployments: CRAM-MD5 and DIGEST-MD5 require the server to hold the password in clear text (or an equivalent reversible form) in userPassword or in sasldb, which is why they rarely fit a directory that stores hashed passwords, and the MD5 digest mechanisms have since been declared obsolete (RFC 6331). In practice the choice comes down to simple bind over TLS, GSSAPI where Kerberos is available, or EXTERNAL with TLS client certificates.

17 comments:

Anonymous said...

A SUPPORTED BY THE DEVELOPER TOOLS? It was interesting. You seem very knowledgeable in your field.

Anonymous said...

An impressive share! I have just forwarded this onto a coworker who was conducting a little homework on this. And he in fact ordered me breakfast because I found it for him... lol. So let me reword this.... Thank YOU for the meal!! But yeah, thanks for spending some time to talk about this issue here on your website.
My page :: http://www.a56a.com/?p=673

Anonymous said...

Greetings from Florida! I'm bored at work so I decided to browse your site on my iPhone during lunch break. I love the knowledge you present here and can't wait to take a look when I get home. I'm surprised at how quick your blog loaded on my mobile... I'm not even using WiFi, just 3G. Anyhow, great blog!
Here is my webpage :: hotmail account sign in page

Anonymous said...

This design is stellar! You most certainly know how to keep a reader amused. Between your wit and your videos, I was almost moved to start my own blog (well, almost... HaHa!) Fantastic job. I really loved what you had to say, and more than that, how you presented it. Too cool!
Also visit my webpage ... abigail adams first lady of the american revolution

Anonymous said...

I used to be suggested this blog via my cousin. I'm now not sure whether this post is written by him as nobody else understands such specifics about my difficulty. You are amazing! Thanks!

Here is my homepage hotmail com
Also see my webpage: hotmail email directory

Anonymous said...

What's happening, I am new to this, I stumbled upon this, I've found it positively helpful and it has helped me out loads. I hope to contribute & help different users like it's helped me. Great job.

Also visit my web page ... Abraham Lincoln Costume For Kids

Anonymous said...

A superlative marry of trainers, it may be not probably colourful, not the more costly, neither is the party reputation, but it takes anyone to outing the generally world, Christian Louboutin Outlet
clarify these questions . take sway of the happiness shoes usually do not occasionally, perchance desired,degree, the mood injured indeed.Asics Shoes Online
This ailing of lay of the land you discretion compel ought to encountered, walked directory at the showcases in countless varieties of shoes you wishes find magnificent, yes no disposition to pick in sight. The expense is in note is not beautiful, like costly, self-satisfied composition help of mould, perceive good-looking users who think old-fashioned ... so that they are line contented with simply difficult. Pick to pick, absolutely chose a duo, dress a three of days just to bring to light foot sport, or not a way amplify their clothes,Christian Louboutin Sale
the kindest ways to implement this time? To lay down up'd slightly bitter to need to wear?

Anonymous said...

If you desire to take a great deal from this article then you have to apply these methods to your own website.

Feel free to surf to my page; crear facebook

Anonymous said...

Hola! I've been following your site for a long time now and finally got the bravery to go ahead and give you a shout out from Austin Texas! Just wanted to say keep up the great work!

My site: crear facebook gratis

Anonymous said...

Thanks to my father who informed me concerning this blog, this website is in fact awesome.

Feel free to surf to my web blog: crear facebook gratis

Anonymous said...

Hello there, you've done an excellent job. I'll definitely digg it and personally recommend to my friends. I'm sure they'll be benefited from this website.

Stop by my website :: facebook cuenta gratis

Anonymous said...

Very rapidly this web page will be famous amid all blog viewers, due to its good articles or reviews

Feel free to surf to my weblog :: http://francefans.pixnet.net/blog/post/48519500-garden-餅乾妹&咖啡豆

Anonymous said...

Thanks for the good writeup. It if truth be told was once a leisure account it.

Look complex to far introduced agreeable from you! However, how could we communicate?

Here is my web-site ... crear facebook gratis

Anonymous said...

Yes! Finally someone writes about crear facebook.

Feel free to surf to my weblog: abrir cuenta facebook

Anonymous said...

Thanks to my father who shared with me about this website, this blog is in fact awesome.

Visit my webpage :: Crear Facebook Gratis

Anonymous said...

Today, I went to the beachfront with my kids. I found a sea shell and gave it to my 4 year old daughter and said "You can hear the ocean if you put this to your ear." She placed the shell to her ear and screamed. There was a hermit crab inside and it pinched her ear. She never wants to go back! LoL I know this is completely off topic but I had to tell someone!

Here is my blog facebook cuenta gratis

Anonymous said...

Thanks for sharing such a good thought, post is pleasant, that's why I have read it entirely

Feel free to visit my website: Jlstephenson.blogspot.com
