Internet infrastructure. Prof. dr. ir. André Mariën

Transcription

1 Internet infrastructure Prof. dr. ir. André Mariën 1

2 Lightweight Directory Access Protocol 2

3 Object Identifier Representation: dotted decimal OID not intended for end-users Universally unique Example: INTEGER: all LDAP types: OID identical except for last number 3

4 OID Official OID: IANA Internet Assigned Numbers Authority: IANA OID registration register base OID: X Prefix: iso.org.dod.internet.private.enterprise ( ) IBM: 2, SUN: 42, NOKIA: 94, INTEL: 343, CIA: 743, Accenture: 945, Bekaert: 972, Tivoli: 1598, Generale Bank: 2049, Ubizen: 4910, K.U.Leuven:

5 Example of local structure organizations OID: SNMP: LDAP: attribute types: myattribute: object classes: myobjectclass:

6 Attribute Type Description Identification: OID, NAME Inheritance: SUP Syntax: SYNTAX Matching: examples: EQUALITY, ORDERING, SUBSTR Flags: examples: SINGLE-VALUE, NO-USER- MODIFICATION Usage: "userapplications : default "directoryoperation" "distributedoperation : DSA-shared "dsaoperation : DSA-specific, value depends on server 6

7 Operational Attributes used by servers for administering the directory system itself not returned in search results unless explicitly requested by name maintained automatically by the server not modifiable by clients 7

8 Operational Attributes: audit creatorsname: the DN of the user who added this entry to the directory. createtimestamp: the time this entry was added to the directory. modifiersname: the DN of the user who last modified this entry. modifytimestamp: the time this entry was last modified. 8

9 Directory Schema 9

10 Schema Schema is the collection of attribute type definitions object class definitions to determine how to match a filter or attribute value assertion (in a compare operation) against the attributes of an entry permissions for add and modify operations 10

11 Operational Attribute: subschema subschemasubentry: the DN of the subschema entry which controls the schema for this entry Allows reflection Enables more dynamic usage Simplifies extension support 11

12 Subschema Entries Used for administering information about the directory schema: object classes attribute types A single subschema entry contains all schema definitions used by entries in a particular part of the directory tree. 12

13 Server-specific Data Requirements An LDAP server MUST provide information about itself and other information that is specific to each server information is represented as a group of attributes located in the root DSE (DSA-Specific Entry) named with the zero-length LDAP DN retrievable with a base object search of the root with filter "(objectclass=*)" 13

14 Overview: scheme and structure Directory Schema Subschema Rule Object Classes Attribute Types Syntax rules DIT Subschema Area Entries Attributes Values : uses : determine : part of 14

15 LDAP Data modelling 15

16 Data modeling Inventory Applications Information classes Data elements Example: Mail system: userid, password, address, mail host, forwarding address 16

17 Data element description Format Number of occurrences (single-multiple) Data ownership Information consumers 17

18 Format selection Text string Case sensitive/case insensitive Example: names, URL Numeric Integer/floating point Example: employee number Binary Example: certificates, keys 18

19 Special classes Referral Objects of objectclass referral Must: attribute ref, type: URL ldap://server:port/dn/ Two systems: Return referral Chain (fetch answer from reference) Alias Objects of class alias Attribute: aliasedobjectname: DN Link to other part of the directory 19

20 LDAP protocol 20

21 LDAP: Access Protocol RFC 2251, update to RFC 1777 LDAPv3: December 1997 designed for connection-oriented, reliable transports, like TCP/IP all 8 bits in an octet are significant most used: TCP assigned port:

22 The LDAP protocol goals Compatibility with X.500: can access X.500 directories Lightweight: reduced resource requirements compared to DAP Use cases: management applications and browser applications Functionality: read/write interactive access to directories 22

23 LDAP Protocol Model Should minimize the complexity of clients Should possibly be used in asynchronous mode multiple pending requests replies out of order May return referrals to other LDAP servers to clients Should provide "some" compatibility with DAP servers 23

24 Multiple requests or replies request1 request1 request2 reply1 reply1 reply2 request3 reply3 reply3 reply4 reply2 Result code 24

25 LDAP Protocol network description: Abstract Syntax Notation 1 (ASN.1) transfer: Basic Encoding Rules (BER) Message Envelope: LDAPMessage envelope containing common fields required in all protocol exchanges common fields: messageid controls 25

26 LDAP messages BindRequest, BindResponse, UnbindRequest SearchRequest, SearchResultEntry, SearchResultDone SearchResultReference ModifyRequest, ModifyResponse, AddRequest, AddResponse, DelRequest, DelResponse, ModifyDNRequest, ModifyDNResponse CompareRequest, CompareResponse AbandonRequest ExtendedRequest, ExtendedResponse 26

27 Result Message: LDAPResult Result code: success, comparefalse, comparetrue referral nosuchattribute, nosuchobject Referral Not an answer, but a redirect to where the answer could be found 27

28 Searches: message flow SearchRequest... SearchResultEntry SearchResultEntry SearchResultDone 28

29 Message ID usage 29

30 Message ID usage ID is used for request - response matching asynchronous support: match answers to queries All LDAPMessage responses contain the messageid value of the corresponding request LDAPMessage. Req 314 Req 278 Rep 314 part1 Rep 314 part2 Rep 278 part1 Rep 278 result Rep 314 result 30

31 Authentication 31

32 Login logout: bind-unbind BindRequest BindResponse UnbindRequest... Unbind to terminate a protocol session no response defined 32

33 Bind Operation Authentication information exchange between the client and server. Authentication information: Protocol version: 3 Name Authentication: simple / SASL SaslCredentials ( mechanism [ credentials ] ) + Note: SASL EXTERNAL use authentication information from a lower layer protocol 33

34 Bind reply authmethodnotsupported strongauthrequired: SASL authentication required saslbindinprogress: continue with the same SASL mechanism inappropriateauthentication: provide credentials invalidcredentials: wrong password or SASL credentials 34

35 Support for challenge-response: serversaslcreds part of a SASL-defined bind mechanism to allow the client to authenticate the server to which it is communicating to perform "challenge-response" authentication 35

36 LDIF 36

37 LDIF: directory changes List of entries with header Dn: <distinguished name> List of operations on objects changetype: ( add delete modify ) Modify: which attributes, how: ( add delete replace ) attribute [Data] - 37

38 LDIF: example 1 version: 1 dn: cn=andre Marien, ou=marketing, dc=mymarket, dc=com objectclass: top objectclass: person objectclass: organizationalperson cn: Andre Marien sn: Marien uid: amarien telephonenumber: description: A big spender 38

39 LDIF: example 2 version: 1 dn: cn=bob Davids, ou=marketing, dc=airius, dc=com changetype: add objectclass: top objectclass: person objectclass: organizationalperson cn: Bob Davids sn: Davids uid: bob telephonenumber:

40 LDIF: example 3 version: 1 dn: cn= Bob Davids, ou=marketing, dc=airius, dc=com changetype: delete 40

41 LDIF: example 4 version: 1 dn: cn= Andre Marien, ou= Marketing, dc= mymarket, dc=com changetype: modify replace: telephonenumber delete: description - 41

42 LDAP Deployment 42

43 Deployment considerations Load balancing Local reference Master slave Write master & read slaves Partial replication Meta directory 43

44 Master - Slave O=xxx.com Replication O=xxx.com Updates Bulk access 44

45 Topologies N identical servers with full replication for load distribution N subtree servers Virtual top Top level server with referral Multiple locations for latency reduction Mix of the above 45

46 N identical servers with full replication for load distribution O=xxx.com O=xxx.com O=xxx.com 46

47 N subtree servers: Virtual top o=xxx.com l=it,o=xxx.com l=be,o=xxx.com l=us,o=xxx.com 47

48 N subtree servers: Top level server with referral o=xxx.com l=it,o=xxx.com l=be,o=xxx.com l=us,o=xxx.com 48

49 Multiple locations for latency reduction Italy: Belgium: United States: O=xxx.com O=xxx.com O=xxx.com 49

50 50

51 Replication IETF track: LDAP Replication Architecture The LDUP Replication Update Protocol LDAP Client Update Protocol LDUP Replication Information Model 51

52 LDAP Replication Architecture 52

53 Replication Context represents a section of DIT defining a unit of administration for replication. based at an entry identified as its root includes all its subordinate entries down the tree to its leaves, or until another Replication Context is encountered. 53

54 Naming Context a subtree of entries in the DIT possibly multiple Naming Contexts on a single server A Naming Context: may be made up of one or more non-overlapping Replication Contexts 54

55 Replicas cooperate to service the same Replication Context of the DIT. 55

56 Types of replicas Primary Replica Master Replica Read-Only Replica Fractional Replicas 56

57 Multi-master vs single master single-mastered: there is only one Replica where it may be updated multi-mastered: there is more than one Replica where it may be updated. 57

58 Single master set-up LDAP Clients must direct all write operations to the single Master Replica may direct their reads to any of the replicas 58

59 Read-Only Replica accepts only non-modifying LDAP operations against data subject to replication Modifications to DSA-operation attributes, which are not replicated, may of course still be allowed. All other modification operations shall be referred to a Master Replica. 59

60 Fractional vs full 60

61 Fractional vs. full Entry Specification a list of entry attributes to be included, or a list of attributes to be excluded in a replica. Empty specification: all entry attributes are included A Fractional Entry contains only a subset of its original attributes. results from the replication of changes governed by a Fractional Entry Specification Fractional Replica a replica that holds Fractional Entries of its Replication Context. must always be Read-Only All LDAP Update Operations must be referred to a Master Replica 61

62 LDUP Update transfer protocol Defines how Replication Updates are transferred from the Supplier to the Consumer Update consists of a set of Update Primitives describe the state changes that have been made to a single entry Each Update: a single entry, identified by its UUID Update commands: (add move rename remove)entryprimitive (add remove)attributevalueprimitive removeattributeprimitive 62

63 63