LDAP
Jianwen Luo
School of CTI, Depaul Univ.
Oct.23, 1998
What is LDAP?
   • LDAP is the abbreviation of Lightweight Directory Access Protocol.
   • It is a standard protocol used by applications to access information in a directory.
   • Compare DAP, which is the underlying protocol of X.500.
What does directory mean here?
   • The directory here means a type of database that has been optimized for searching and retrieving structured data.
   • Most commonly, directories are used to store user profile information, such as user names and permissions.
Why is LDAP necessary?
   • Traditionally, every department has its own user database.
   • Users have more accounts today: email, web, Unix, NT, ...
   • How do you synchronize the user's information when his work involves more than one department?
   • When an Intranet/Extranet is used, how do you efficiently control user access?
Why is LDAP necessary? -2
   • How do you identify a source over the network?
   • Compare DNS: too simple, it only includes host information.
   • NDS: not based natively on TCP/IP, vendor supplied.
   • X.500: too complicated, requires an OSI stack.
History of LDAP
   • X.500: complex, uses OSI.
   • LDAP version 1, RFC 1487, 1993
       Clients interact with an LDAP service, which interacts with one or more X.500 servers.
   • LDAP version 2, RFC 1777, 1995
       LDAP servers can run independently of X.500.
   • LDAP version 3, RFC 2251, 1997
       Communication between master servers.
       Referral capability.
Protocol Model of LDAP 3
   • Client/Server structure.
   • Objective: minimize the complexity of clients.
Data Model of LDAP 3 -2
   • DIT tree (Directory Information Tree)
   • Entry: the tree is made of entries.
   • DN (Distinguished Name): a set of attribute=value pairs which uniquely identify an object.
   • RDN (Relative Distinguished Name)
   • Naming Context
Data Model of LDAP 3 -2
   • DIT tree (diagram not reproduced)
Attributes of Entries
   • Entries consist of a set of attributes.
   • An attribute is a type with one or more associated values.
   • An attribute type is identified by a short descriptive name and an object identifier.
   • The object identifier decides what kind of values you can have.
Elements of Protocol
   • The LDAP protocol is described using ASN.1 (Abstract Syntax Notation One).
   • All protocol operations are encapsulated in a common envelope, the LDAPMessage.
LDAP message envelope
    LDAPMessage ::= SEQUENCE {
        messageID       MessageID,
        protocolOp      CHOICE {
            bindRequest         BindRequest,
            bindResponse        BindResponse,
            unbindRequest       UnbindRequest,
            searchRequest       SearchRequest,
            searchResEntry      SearchResultEntry,
            searchResDone       SearchResultDone,
            searchResRef        SearchResultReference,
            modifyRequest       ModifyRequest,
            modifyResponse      ModifyResponse,
            addRequest          AddRequest,
            addResponse         AddResponse,
            delRequest          DelRequest,
            delResponse         DelResponse,
            modDNRequest        ModifyDNRequest,
            modDNResponse       ModifyDNResponse,
            compareRequest      CompareRequest,
            compareResponse     CompareResponse,
            abandonRequest      AbandonRequest,
            extendedReq         ExtendedRequest,
            extendedResp        ExtendedResponse },
        controls        [0] Controls OPTIONAL }

    MessageID ::= INTEGER (0 .. maxInt)

    maxInt INTEGER ::= 2147483647 -- (2^^31 - 1) --
Message ID
   • Among outstanding requests, the message ID is unique.
   • Result message:
    LDAPResult ::= SEQUENCE {
        resultCode      ENUMERATED { ... },
        matchedDN       LDAPDN,
        errorMessage    LDAPString,
        referral        [3] Referral OPTIONAL }
Applications (operations)
   • Search
   • Add
   • Delete
   • Modify
   • Compare
   • Bind: allows authentication information to be exchanged between client and server.
   • Unbind
Authentication and security
   • AuthenticationChoice: simple (clear-text password).
   • SASL (Simple Authentication and Security Layer, RFC 2222) allows integrity and privacy services to be negotiated.
Where do you go tomorrow?
   • LDAP over SSL, a Netscape extension.
   • Replication support, a Netscape extension.
   • More complex.
   • From lightweight to middleweight.
Netscape Directory Server 3.1 configuration -1
   Advanced configuration of Directory Server.