Internet infrastructure
Prof. dr. ir. André Mariën

Lightweight Directory Access Protocol
Object Identifier (OID)
- Representation: dotted decimal (e.g. 1.3.6.1.4.1.1466.115.121.1.27)
- not intended for end-users
- universally unique
- Example: the LDAP syntax INTEGER is 1.3.6.1.4.1.1466.115.121.1.27; all standard LDAP syntax OIDs share the prefix 1.3.6.1.4.1.1466.115.121.1 and differ only in the last number

OID registration
- Official OIDs are assigned by IANA, the Internet Assigned Numbers Authority: http://www.iana.org/numbers.html
- An organization registers a base OID 1.3.6.1.4.1.X under the prefix iso.org.dod.internet.private.enterprise (1.3.6.1.4.1)
- Examples of enterprise numbers: IBM: 2, SUN: 42, NOKIA: 94, INTEL: 343, CIA: 743, Accenture: 945, Bekaert: 972, Tivoli: 1598, Generale Bank: 2049, Ubizen: 4910, K.U.Leuven: 9678

Example of a local OID structure
- organization's OID: 1.3.6.1.4.1.9678
- SNMP: 1.3.6.1.4.1.9678.1
- LDAP: 1.3.6.1.4.1.9678.2
  - attribute types: 1.3.6.1.4.1.9678.2.1, e.g. myattribute: 1.3.6.1.4.1.9678.2.1.4000
  - object classes: 1.3.6.1.4.1.9678.2.2, e.g. myobjectclass: 1.3.6.1.4.1.9678.2.2.314
Attribute Type Description
- Identification: OID, NAME
- Inheritance: SUP
- Syntax: SYNTAX
- Matching rules, for example: EQUALITY, ORDERING, SUBSTR
- Flags, for example: SINGLE-VALUE, NO-USER-MODIFICATION
- Usage:
  - userApplications: the default
  - directoryOperation
  - distributedOperation: shared between DSAs
  - dSAOperation: DSA-specific, the value depends on the server
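The fields above are written down in the AttributeTypeDescription syntax of RFC 2252, which is what a server publishes in its subschema entry. The following parser is an added example for this page, not code from the original slides: it reads one such definition and then checks where its OIDs sit, using the enterprise number and the local arcs of the previous slides. The attribute 'myAttribute' and its OID 1.3.6.1.4.1.9678.2.1.4000 are assumed values that follow the slide's local structure; they are not registered definitions.

```python
"""Parse an LDAPv3 AttributeTypeDescription (RFC 2252 syntax) and check where its OIDs sit.
Added example for this page, not code from the original slides. 'myAttribute' and its OID
1.3.6.1.4.1.9678.2.1.4000 are assumed, following the slide's local structure; they are not
registered definitions."""
import re

TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")   # quoted descriptor, parenthesis, or bare word
OID = re.compile(r"\d+(\.\d+)+")
PRIVATE_ENTERPRISE = "1.3.6.1.4.1"                 # iso.org.dod.internet.private.enterprise
LDAP_SYNTAX_PREFIX = "1.3.6.1.4.1.1466.115.121.1"  # all standard LDAP syntaxes live here
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
USAGES = {"userApplications", "directoryOperation", "distributedOperation", "dSAOperation"}

def parse_attribute_type(description):
    """Return a dict with oid, names, sup, matching rules, syntax, flags and usage."""
    toks = TOKEN.findall(description)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be parenthesised")
    toks = toks[1:-1]
    if not OID.fullmatch(toks[0]):
        raise ValueError(f"bad OID {toks[0]!r}")
    out = {"oid": toks[0], "names": [], "desc": None, "sup": None, "equality": None,
           "ordering": None, "substr": None, "syntax": None, "syntax_maxlen": None,
           "flags": set(), "usage": "userApplications"}
    i = 1
    while i < len(toks):
        tok, i = toks[i], i + 1
        if tok in FLAGS:
            out["flags"].add(tok)
            continue
        if tok not in KEYWORDS or i >= len(toks):
            raise ValueError(f"unexpected or incomplete {tok!r}")
        if toks[i] == "(":                           # qdescrlist: NAME ( 'a' 'b' )
            close = toks.index(")", i)
            values, i = [t.strip("'") for t in toks[i + 1:close]], close + 1
        else:
            values, i = [toks[i].strip("'")], i + 1
        if tok == "NAME":
            out["names"] = values
        elif tok == "USAGE":
            if values[0] not in USAGES:
                raise ValueError(f"unknown usage {values[0]!r}")
            out["usage"] = values[0]
        elif tok == "SYNTAX":                        # '...{64}' carries a maximum length
            oid, _, maxlen = values[0].partition("{")
            out["syntax"], out["syntax_maxlen"] = oid, (int(maxlen.rstrip("}")) if maxlen else None)
        else:
            out[tok.lower()] = values[0]
    return out

def is_under(oid, base):
    """True when oid lies inside the arc rooted at base (base itself excluded)."""
    return oid.startswith(base + ".")

def enterprise_number(oid):
    """IANA private enterprise number of an OID under 1.3.6.1.4.1, else None."""
    if not is_under(oid, PRIVATE_ENTERPRISE):
        return None
    return int(oid[len(PRIVATE_ENTERPRISE) + 1:].split(".")[0])

def check_local_definition(description, enterprise=9678, attribute_arc="2.1"):
    """Parse a definition and list what is wrong with where it is registered."""
    at = parse_attribute_type(description)
    problems = []
    if enterprise_number(at["oid"]) != enterprise:
        problems.append("OID is not under our enterprise number")
    elif not is_under(at["oid"], f"{PRIVATE_ENTERPRISE}.{enterprise}.{attribute_arc}"):
        problems.append("OID is not under the attribute-types arc")
    if at["syntax"] and not is_under(at["syntax"], LDAP_SYNTAX_PREFIX):
        problems.append("SYNTAX is not a standard LDAP syntax OID")
    return at, problems

# Constructed definition following the slide's local OID structure (assumed, not registered).
MY_ATTRIBUTE = ("( 1.3.6.1.4.1.9678.2.1.4000 NAME ( 'myAttribute' 'myAttr' ) "
                "DESC 'example attribute' SUP name EQUALITY caseIgnoreMatch "
                "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} "
                "SINGLE-VALUE USAGE userApplications )")
```

A definition whose OID sits under the object-class arc (1.3.6.1.4.1.9678.2.2) or outside the organization's enterprise number is reported rather than accepted: the OID is the identity of the type, so a misplaced one silently collides with somebody else's schema.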
Operational Attributes
- used by servers for administering the directory system itself
- not returned in search results unless explicitly requested by name
- maintained automatically by the server
- not modifiable by clients (flagged NO-USER-MODIFICATION)

Operational Attributes: audit trail
- creatorsName: the DN of the user who added this entry to the directory
- createTimestamp: the time this entry was added to the directory
- modifiersName: the DN of the user who last modified this entry
- modifyTimestamp: the time this entry was last modified
- these record the bound identity, so the audit trail is only as reliable as the server's authentication
Directory Schema

Schema
- the collection of attribute type definitions and object class definitions
- determines how to match a filter or attribute value assertion (in a compare operation) against the attributes of an entry
- constrains add and modify operations: which attributes an entry must or may contain

Operational Attribute: subschemaSubentry
- the DN of the subschema entry that controls the schema for this entry
- allows reflection: a client can discover the schema it is subject to
- enables more dynamic usage
- simplifies extension support

Subschema Entries
- used for administering information about the directory schema: object classes, attribute types
- a single subschema entry contains all schema definitions used by entries in a particular part of the directory tree

Server-specific Data Requirements
- an LDAP server MUST provide information about itself and other information that is specific to each server
- this information is represented as a group of attributes located in the root DSE (DSA-Specific Entry)
- the root DSE is named with the zero-length LDAP DN
- retrievable with a base object search of the root with filter "(objectclass=*)"; these attributes (e.g. namingContexts, subschemaSubentry, supportedSASLMechanisms, supportedLDAPVersion) are operational, so they must be listed by name in the request

[Figure: overview of schema and structure. The Directory Schema consists of Subschema Rules: Object Classes, Attribute Types and Syntax rules. The DIT consists of Subschema Areas, which contain Entries, which have Attributes, which have Values. The DIT uses the Schema; the rules determine which entries, attributes and values are allowed; each entry is part of a subschema area.]
LDAP Data modelling

Data modeling: inventory
- Applications
- Information classes
- Data elements
- Example, a mail system: userid, password, email address, mail host, forwarding address

Data element description
- Format
- Number of occurrences (single or multiple)
- Data ownership
- Information consumers

Format selection
- Text string: case sensitive or case insensitive (examples: names, URLs)
- Numeric: integer or floating point (example: employee number)
- Binary (examples: certificates, keys)

Special classes
- Referral: objects of objectClass referral
  - MUST have the attribute ref, an LDAP URL of the form ldap://server:port/dn
  - two ways to handle it: return the referral to the client, or chain (the server fetches the answer from the referenced server itself)
- Alias: objects of objectClass alias
  - attribute aliasedObjectName holds a DN
  - links to another part of the directory
LDAP protocol

LDAP: Access Protocol
- RFC 2251 (LDAPv3, December 1997), an update to RFC 1777
- designed for connection-oriented, reliable transports such as TCP/IP
- all 8 bits in an octet are significant
- most used transport: TCP, assigned port 389

The LDAP protocol goals
- compatibility with X.500: can access X.500 directories
- lightweight: reduced resource requirements compared to DAP
- use cases: management applications and browser applications
- functionality: read/write interactive access to directories

LDAP Protocol Model
- should minimize the complexity of clients
- may be used in asynchronous mode: multiple pending requests, replies out of order
- may return referrals to other LDAP servers to clients
- should provide "some" compatibility with DAP servers

[Figure: multiple requests and replies. request1, request2 and request3 are sent; the replies (reply1 in several messages, reply2, reply3 in several messages, reply4) come back interleaved and out of order, each reply sequence ending with a result code.]
LDAP Protocol
- network description: Abstract Syntax Notation One (ASN.1)
- transfer: Basic Encoding Rules (BER)
- message envelope: LDAPMessage, containing the fields common to all protocol exchanges: messageID, controls

LDAP messages
- BindRequest, BindResponse, UnbindRequest
- SearchRequest, SearchResultEntry, SearchResultReference, SearchResultDone
- ModifyRequest, ModifyResponse; AddRequest, AddResponse; DelRequest, DelResponse; ModifyDNRequest, ModifyDNResponse
- CompareRequest, CompareResponse
- AbandonRequest
- ExtendedRequest, ExtendedResponse

Result Message: LDAPResult
- result code, for example: success, compareFalse, compareTrue, referral, noSuchAttribute, noSuchObject
- referral: not an answer, but a redirect to where the answer could be found

Searches: message flow
- SearchRequest
- SearchResultEntry (zero or more)
- SearchResultDone

Message ID usage

Message ID usage
- the messageID is used for request-response matching
- asynchronous support: match answers to queries
- all LDAPMessage responses contain the messageID value of the corresponding request LDAPMessage
- messageID 0 is reserved for unsolicited notifications from the server
- example: Req 314, Req 278 sent; then Rep 314 part 1, Rep 314 part 2, Rep 278 part 1, Rep 278 result, Rep 314 result
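The LDAPMessage envelope, the BER transfer encoding and the messageID correlation of the last few slides, as an added example that is not part of the original slides. It hand-encodes the envelope with a minimal BER encoder and decoder instead of using an LDAP library, so the bytes on the wire are visible: a BindRequest and a base-object SearchRequest for the root DSE go out with the slide's IDs 314 and 278, the replies come back interleaved, and the client routes each reply to its request by messageID. The DNs, the password and the returned attribute values are constructed; no server is contacted.

```python
"""BER framing of LDAPv3 messages and messageID correlation (RFC 2251 section 4).
Added example for this page, not code from the original slides: a minimal hand-written
BER encoder/decoder so the bytes are visible; DNs, password and the returned values are
constructed."""

def ber_length(n):
    """Definite length: short form below 128, long form above; LDAP forbids the indefinite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def ber_int(value, tag=0x02):
    """Two's-complement INTEGER, or ENUMERATED with tag 0x0a, in minimal length."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s, tag=0x04):
    return tlv(tag, s.encode("utf-8"))

def ber_bool(b):
    return tlv(0x01, b"\xff" if b else b"\x00")

def envelope(msgid, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} } (controls omitted)."""
    return tlv(0x30, ber_int(msgid) + protocol_op)

# Constructed APPLICATION tags from RFC 2251: 0x60 | operation number.
BIND_REQUEST, BIND_RESPONSE, SEARCH_REQUEST, SEARCH_ENTRY, SEARCH_DONE = 0x60, 0x61, 0x63, 0x64, 0x65
OP_NAMES = {0x61: "BindResponse", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}

def bind_request(msgid, dn, password):
    """Simple bind: the password is a plain OCTET STRING [0] on the wire, so run this over TLS."""
    return envelope(msgid, tlv(BIND_REQUEST, ber_int(3) + ber_str(dn) + ber_str(password, 0x80)))

def search_request(msgid, base, scope, present_attr, attrs):
    """SearchRequest with a 'present' filter such as (objectClass=*); scope 0 is baseObject."""
    body = (ber_str(base) + ber_int(scope, 0x0a) + ber_int(0, 0x0a)      # derefAliases: never
            + ber_int(0) + ber_int(0) + ber_bool(False)                   # sizeLimit, timeLimit, typesOnly
            + tlv(0x87, present_attr.encode())                            # Filter CHOICE present [7]
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return envelope(msgid, tlv(SEARCH_REQUEST, body))

def ldap_result(tag, code, matched_dn="", message=""):
    """LDAPResult: resultCode ENUMERATED, matchedDN, errorMessage (referral omitted)."""
    return tlv(tag, ber_int(code, 0x0a) + ber_str(matched_dn) + ber_str(message))

def search_entry(msgid, dn, attributes):
    """SearchResultEntry; attributes is {name: [values]}."""
    partial = b"".join(tlv(0x30, ber_str(k) + tlv(0x31, b"".join(ber_str(v) for v in vs)))
                       for k, vs in attributes.items())
    return envelope(msgid, tlv(SEARCH_ENTRY, ber_str(dn) + tlv(0x30, partial)))

def read_tlv(buf, pos):
    """Decode one tag-length-value at pos; returns (tag, content, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    length = first
    if first > 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated message")
    return tag, buf[pos:pos + length], pos + length

def split_messages(stream):
    """Split a byte stream into (messageID, opTag, opContent) triples."""
    out, pos = [], 0
    while pos < len(stream):
        tag, content, pos = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError("LDAPMessage must be a SEQUENCE")
        _, id_bytes, p = read_tlv(content, 0)
        op_tag, op_content, _ = read_tlv(content, p)
        out.append((int.from_bytes(id_bytes, "big", signed=True), op_tag, op_content))
    return out

def correlate(pending, stream):
    """Route each response to the outstanding request with the same messageID.
    ID 0 is reserved for unsolicited server notifications; any other unknown ID is a protocol error."""
    by_id = {m: [] for m in pending}
    for msgid, op_tag, _ in split_messages(stream):
        if msgid != 0 and msgid not in by_id:
            raise ValueError(f"response with messageID {msgid} matches no outstanding request")
        by_id.setdefault(msgid, []).append(OP_NAMES.get(op_tag, f"op 0x{op_tag:02x}"))
    return by_id

def demo():
    """The slide's sequence: Req 314, Req 278, then replies interleaved and out of order."""
    requests = (search_request(314, "", 0, "objectClass", ["namingContexts", "subschemaSubentry"])
                + bind_request(278, "cn=reader,dc=example,dc=com", "constructed-password"))
    wire = (search_entry(314, "", {"namingContexts": ["dc=example,dc=com"]})          # Rep 314 part 1
            + search_entry(314, "", {"subschemaSubentry": ["cn=Subschema"]})         # Rep 314 part 2
            + envelope(278, ldap_result(BIND_RESPONSE, 0))                           # Rep 278 result
            + envelope(314, ldap_result(SEARCH_DONE, 0)))                            # Rep 314 result
    pending = {msgid for msgid, _, _ in split_messages(requests)}
    return correlate(pending, wire)
```

bind_request(1, "", "") produces the familiar 14-byte anonymous bind 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 that opens most LDAP captures; the password of a simple bind sits in that last OCTET STRING in the clear, which is why simple bind belongs inside TLS. A reply whose messageID matches nothing outstanding is rejected rather than guessed at, and the decoder refuses indefinite-length and truncated elements instead of reading past the buffer.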
Authentication

Login and logout: bind and unbind
- BindRequest, BindResponse
- UnbindRequest: terminates the protocol session; no response is defined

Bind Operation
- authentication information exchange between the client and the server
- BindRequest carries: protocol version (3), name, authentication choice: simple or SASL
- SaslCredentials: mechanism, optionally followed by credentials
- note: SASL EXTERNAL uses authentication information from a lower-layer protocol (for example a TLS client certificate)

Bind reply
- authMethodNotSupported
- strongAuthRequired: the server requires stronger authentication (e.g. SASL)
- saslBindInProgress: continue with the same SASL mechanism
- inappropriateAuthentication: credentials must be provided
- invalidCredentials: wrong password or SASL credentials

Support for challenge-response: serverSaslCreds
- part of a SASL-defined bind mechanism
- allows the client to authenticate the server it is communicating with
- used to perform "challenge-response" authentication
LDIF

LDIF: directory changes
- a list of records, each starting with the header line dn: <distinguished name>
- each record is an operation on an object: changetype: add | delete | modify
- modify: one block per attribute stating how (add | delete | replace) and which attribute, followed by the values, terminated by a line containing "-"

LDIF: example 1 (content record)
    version: 1
    dn: cn=Andre Marien, ou=marketing, dc=mymarket, dc=com
    objectclass: top
    objectclass: person
    objectclass: organizationalperson
    cn: Andre Marien
    sn: Marien
    uid: amarien
    telephonenumber: +1 401 555 1007
    description: A big spender

LDIF: example 2 (add)
    version: 1
    dn: cn=Bob Davids, ou=marketing, dc=airius, dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: organizationalperson
    cn: Bob Davids
    sn: Davids
    uid: bob
    telephonenumber: +1 408 555 1212

LDIF: example 3 (delete)
    version: 1
    dn: cn=Bob Davids, ou=marketing, dc=airius, dc=com
    changetype: delete

LDIF: example 4 (modify)
    version: 1
    dn: cn=Andre Marien, ou=Marketing, dc=mymarket, dc=com
    changetype: modify
    replace: telephonenumber
    telephonenumber: +1 408 555 1212
    -
    delete: description
    -
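The LDIF record and modify-block structure of the slides above, as an added example that is not part of the original slides: a small RFC 2849 parser that turns records into dictionaries (handling changetype, the "-" block terminator, folded lines and "attr:: base64" values) and applies them to an in-memory directory, raising the LDAP result-code names a server would return. The input is the slide's four examples rewritten as one change file; the first record is given an explicit changetype: add and the description is base64-encoded to exercise that form. DN normalisation is simplified to trimming and lower-casing, which is an assumption; real servers apply the RFC 4514 rules.

```python
"""Parse LDIF change records (RFC 2849) and apply them to an in-memory directory.
Added example for this page, not code from the original slides. The records are the slide's
four examples as one change file; DN normalisation is simplified (real servers follow RFC 4514)."""
import base64

SLIDE_LDIF = """\
dn: cn=Andre Marien, ou=marketing, dc=mymarket, dc=com
changetype: add
objectclass: person
cn: Andre Marien
sn: Marien
telephonenumber: +1 401 555 1007
description:: QSBiaWcgc3BlbmRlcg==

dn: cn=Bob Davids, ou=marketing, dc=airius, dc=com
changetype: add
objectclass: person
cn: Bob Davids
sn: Davids

dn: cn=Bob Davids, ou=marketing, dc=airius, dc=com
changetype: delete

dn: cn=Andre Marien, ou=Marketing, dc=mymarket, dc=com
changetype: modify
replace: telephonenumber
telephonenumber: +1 408 555 1212
-
delete: description
-
"""

def _split(line):
    """'attr: value' or 'attr:: base64' -> (lower-cased name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        return name.strip().lower(), base64.b64decode(value[1:].strip()).decode("utf-8")
    return name.strip().lower(), value.strip()

def parse_ldif(text):
    """Blank lines separate records; a leading space folds a line onto the previous one."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:          # sentinel flushes the last record
        if raw.startswith("#") or raw.lower().startswith("version:"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            records.append(_record(lines)); lines = []
    return records

def _record(lines):
    name, dn = _split(lines[0])
    if name != "dn":
        raise ValueError("record must start with dn:")
    rec, body = {"dn": dn, "changetype": "add", "attrs": {}, "mods": []}, lines[1:]
    if body and _split(body[0])[0] == "changetype":
        rec["changetype"], body = _split(body[0])[1].lower(), body[1:]
    if rec["changetype"] == "add":              # a content record without changetype is an add
        for attr, value in map(_split, body):
            rec["attrs"].setdefault(attr, []).append(value)
    elif rec["changetype"] == "modify":
        current = None
        for line in body:
            if line.strip() == "-":             # '-' closes one modification block
                if current is None:
                    raise ValueError("'-' outside a modification block")
                rec["mods"].append(current); current = None
            elif current is None:               # block header: add/delete/replace: attr
                op, attr = _split(line)
                if op not in ("add", "delete", "replace"):
                    raise ValueError(f"expected add/delete/replace, got {op!r}")
                current = {"op": op, "attr": attr.lower(), "values": []}
            else:                               # value line; must name the block's attribute
                attr, value = _split(line)
                if attr != current["attr"]:
                    raise ValueError(f"{attr!r} inside a {current['attr']!r} block")
                current["values"].append(value)
        if current:                             # trailing '-' may be omitted
            rec["mods"].append(current)
    elif rec["changetype"] != "delete":
        raise ValueError(f"changetype {rec['changetype']!r} not handled (e.g. modrdn)")
    return rec

def apply_ldif(directory, records):
    """Apply records in order; failures raise the LDAP result-code name a server would return."""
    for rec in records:
        key = ",".join(p.strip().lower() for p in rec["dn"].split(","))   # simplified DN normalisation
        ct = rec["changetype"]
        if (key in directory) == (ct == "add"):
            raise KeyError("entryAlreadyExists" if ct == "add" else "noSuchObject")
        if ct == "add":
            directory[key] = {a: list(v) for a, v in rec["attrs"].items()}
        elif ct == "delete":
            del directory[key]
        for mod in rec["mods"]:                      # only modify records carry mods
            entry, attr, op, values = directory[key], mod["attr"], mod["op"], mod["values"]
            if op == "add":
                entry.setdefault(attr, []).extend(values)
            elif op == "replace":                    # replace with no values removes the attribute
                entry[attr] = list(values)
            elif attr not in entry:
                raise KeyError("noSuchAttribute")
            else:                                    # delete listed values, or all if none listed
                entry[attr] = [v for v in entry[attr] if values and v not in values]
            if not entry[attr]:
                del entry[attr]
    return directory
```

Running the four records in order leaves a single entry: Bob is added and deleted again, and Andre's telephone number is replaced while the description is removed. A second delete of description would fail with noSuchAttribute, the same result code the protocol slide lists, which is what a client should expect from a server for the same LDIF.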
LDAP Deployment

Deployment considerations
- Load balancing
- Local reference
- Master-slave: a write master and read slaves
- Partial replication
- Meta directory

Master - Slave
[Figure: a master server holding O=xxx.com receives the updates and replicates to a slave server holding O=xxx.com, which serves the bulk read access.]

Topologies
- N identical servers with full replication, for load distribution
- N subtree servers: with a virtual top, or with a top-level server that issues referrals
- Multiple locations, for latency reduction
- A mix of the above

[Figure: N identical servers with full replication for load distribution. Three servers, each holding a full copy of O=xxx.com.]

[Figure: N subtree servers, virtual top. o=xxx.com is split over servers holding l=it,o=xxx.com, l=be,o=xxx.com and l=us,o=xxx.com; no single server holds the top.]

[Figure: N subtree servers, top-level server with referral. A server holding o=xxx.com refers clients to the servers holding l=it,o=xxx.com, l=be,o=xxx.com and l=us,o=xxx.com.]

[Figure: multiple locations for latency reduction. Italy, Belgium and the United States each host a replica of O=xxx.com.]
Replication
- IETF work (LDUP working group): LDAP Replication Architecture, the LDUP Replication Update Protocol, the LDAP Client Update Protocol (LCUP), the LDUP Replication Information Model
- of the documents listed, only LCUP reached RFC status (RFC 3928); the others remained Internet-Drafts

LDAP Replication Architecture

Replication Context
- represents a section of the DIT defining a unit of administration for replication
- based at an entry identified as its root
- includes all its subordinate entries down the tree to its leaves, or until another Replication Context is encountered

Naming Context
- a subtree of entries in the DIT; a single server may hold multiple Naming Contexts
- a Naming Context may be made up of one or more non-overlapping Replication Contexts

Replicas
- cooperate to service the same Replication Context of the DIT

Types of replicas
- Primary Replica
- Master Replica
- Read-Only Replica
- Fractional Replica

Multi-master vs single master
- single-mastered: there is only one Replica where the context may be updated
- multi-mastered: there is more than one Replica where the context may be updated

Single-master set-up
- LDAP clients must direct all write operations to the single Master Replica
- they may direct their reads to any of the replicas

Read-Only Replica
- accepts only non-modifying LDAP operations against data subject to replication
- modifications to dSAOperation attributes, which are not replicated, may of course still be allowed
- all other modification operations shall be referred to a Master Replica
Fractional vs full

Fractional vs. full
- Fractional Entry Specification: a list of entry attributes to be included in a replica, or a list of attributes to be excluded from it; an empty specification means all entry attributes are included
- Fractional Entry: contains only a subset of its original attributes; results from the replication of changes governed by a Fractional Entry Specification
- Fractional Replica: a replica that holds Fractional Entries of its Replication Context; must always be Read-Only; all LDAP update operations must be referred to a Master Replica

LDUP Update transfer protocol
- defines how Replication Updates are transferred from the Supplier to the Consumer
- an Update consists of a set of Update Primitives describing the state changes that have been made to a single entry; each Update addresses one entry, identified by its UUID
- update primitives: addEntry, moveEntry, renameEntry, removeEntry; addAttributeValue, removeAttributeValue; removeAttribute
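The replica types, the Fractional Entry Specification and the LDUP update primitives of the last two slides, as an added example that is not part of the original slides. It models one Master Replica, a full Read-Only Replica and a Fractional Replica that excludes userPassword: the master accepts client updates as sets of primitives keyed by entry UUID, the consumers replay the master's log, the fractional replica drops the attribute primitives it does not hold, and both read-only replicas refuse client writes as the architecture requires. The entry UUID, the DNs and the attribute values are constructed; the primitive names follow the slide.

```python
"""Model of LDUP replication: a Master Replica, a full Read-Only Replica and a Fractional
Replica consuming the same Updates. Added example for this page, not code from the original
slides; the entry UUID, DNs and attribute values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Primitive:
    kind: str        # addEntry, removeEntry, renameEntry, moveEntry,
                     # addAttributeValue, removeAttributeValue, removeAttribute
    uuid: str        # the single entry this Update addresses
    arg: str = ""    # DN (addEntry), new RDN (renameEntry), new parent DN (moveEntry), else attribute
    value: str = ""  # attribute value for addAttributeValue / removeAttributeValue

ATTRIBUTE_KINDS = ("addAttributeValue", "removeAttributeValue", "removeAttribute")

class Replica:
    def __init__(self, name, master=False, include=None, exclude=()):
        self.name, self.master = name, master
        self.include = {a.lower() for a in include} if include is not None else None
        self.exclude = {a.lower() for a in exclude}
        self.fractional = self.include is not None or bool(self.exclude)
        if self.fractional and master:
            raise ValueError("a Fractional Replica must always be Read-Only")
        self.entries = {}   # uuid -> {"dn": str, "attrs": {name: [values]}}
        self.log = []       # Updates applied here, in order; consumers replay this log

    def holds(self, attr):
        """Fractional Entry Specification: an include list wins, else anything not excluded."""
        attr = attr.lower()
        return attr in self.include if self.include is not None else attr not in self.exclude

    def client_update(self, primitives):
        """An LDAP update operation from a client; only a Master Replica may accept it."""
        if not self.master:
            raise PermissionError(f"{self.name} is read-only: refer the update to a Master Replica")
        self._apply(primitives)

    def consume(self, supplier):
        """Consumer side of the LDUP transfer: replay the supplier's Updates not yet seen here."""
        for update in supplier.log[len(self.log):]:
            self._apply(update)

    def _apply(self, primitives):
        if len({p.uuid for p in primitives}) != 1:
            raise ValueError("an Update describes changes to exactly one entry")
        for p in primitives:
            entry = self.entries.get(p.uuid)
            if p.kind == "addEntry":
                self.entries[p.uuid] = {"dn": p.arg, "attrs": {}}
            elif p.kind == "removeEntry":
                del self.entries[p.uuid]
            elif p.kind == "renameEntry":            # new RDN, same parent (no escaped commas assumed)
                entry["dn"] = p.arg + "," + entry["dn"].split(",", 1)[1]
            elif p.kind == "moveEntry":              # same RDN, new parent
                entry["dn"] = entry["dn"].split(",", 1)[0] + "," + p.arg
            elif p.kind in ATTRIBUTE_KINDS:
                if not self.holds(p.arg):            # fractional: this attribute is not replicated here
                    continue
                values = entry["attrs"].setdefault(p.arg.lower(), [])
                if p.kind == "addAttributeValue":
                    values.append(p.value)
                elif p.kind == "removeAttributeValue":
                    values.remove(p.value)
                else:
                    values.clear()
                if not values:
                    del entry["attrs"][p.arg.lower()]
            else:
                raise ValueError(f"unknown primitive {p.kind!r}")
        self.log.append(tuple(primitives))

def demo():
    """Master accepts two Updates; a full replica and a password-free Fractional Replica consume them."""
    master, full = Replica("master", master=True), Replica("ro-full")
    fractional = Replica("ro-fractional", exclude=["userPassword"])   # keeps password hashes off it
    uid = "6b1c5a52-0000-4000-8000-000000000001"                      # constructed UUID
    master.client_update([
        Primitive("addEntry", uid, "cn=Bob Davids,ou=marketing,dc=airius,dc=com"),
        Primitive("addAttributeValue", uid, "cn", "Bob Davids"),
        Primitive("addAttributeValue", uid, "userPassword", "{SSHA}constructed-hash"),
    ])
    master.client_update([Primitive("renameEntry", uid, "cn=Robert Davids")])
    full.consume(master)
    fractional.consume(master)
    return master, full, fractional
```

The exclude list is the practical reason fractional replicas exist in a security design: a server in a less trusted location can answer address-book queries without ever holding userPassword, and because it is read-only by construction it can never become a place where that attribute is written back. Renames and moves still reach it, since the entry's identity is the UUID, not the DN.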