
Distributed Database

Distributed Database. “LDAP Directory” General Purpose Distributed Hierarchical Object-Oriented Directory Technology. Alireza Davoodi alirezadavoodi@aut.ac.ir Department of Computer Science Tehran Polytechnic November, 2006. Before All…. From Wikipedia: The word Directory:





Presentation Transcript


  1. Distributed Database: “LDAP Directory”, General Purpose Distributed Hierarchical Object-Oriented Directory Technology. Alireza Davoodi, alirezadavoodi@aut.ac.ir, Department of Computer Science, Tehran Polytechnic, November 2006

  2. Before All…
  • From Wikipedia, the word Directory:
    • Used in computing and telephony
    • Meaning a repository or database of information.
  • Directory vs. conventional Database
    • Heavily optimized for reading, with the assumption that data updates are very rare compared to data reads.
    • Commonly, a directory supports search and browsing in addition to simple lookups.

  3. Before All…
  • Web Directory:
    • A website which offers access to a categorized listing of other websites optimized for lookup, search, or browsing is a directory, a web directory.
  • White Page:
    • Directory technology is often used in white page applications and network information services.
  • Domain Name System
    • The Domain Name System (DNS) is a prominent example of a directory service providing a network information service.
  • LDAP
    • LDAP directory services are an example of general-purpose distributed hierarchical object-oriented directory technologies.
    • LDAP offers complex searching and browsing capabilities and is used for white pages, network information services,

  4. Survey

  5. Directory (Definition)
  • Directory:
    • Is a listing of information about objects.
    • Objects are arranged in some order that gives details about each object.
  • In computer terms:
    • Is a specialized database, also called a data repository.
    • Stores typed and ordered information about objects.
    • Is often described as a database, but it is a specialized database that has characteristics that set it apart from general-purpose relational databases.

  6. Directory (vs. Database)
  • Specialized for Reading and Searching
    • Reading or searching happens much more often than writing.
    • Not appropriate for storing information that changes rapidly.
  • Transaction Support
    • Most directory implementations still do not support transactions.
    • Transactions are supported in LDAP and are limited to transactions within the LDAP directory.
  • Interaction
    • SQL: Most databases support a standardized, very powerful access method called Structured Query Language (SQL).
    • SQL allows complex update and query functions at the cost of program size and application complexity.
    • DAP: Directories, such as an LDAP directory, on the other hand, use a simplified and optimized access protocol that can be used in slim and relatively simple applications.

  7. Directory (looks like)

  8. LDAP (Definition) [Figure: an LDAP Client exchanges LDAP messages with an LDAP Server]
  • Stands For: Lightweight Directory Access Protocol
  • Described in RFC 2251-2256, 2829-2830
  • Defines a lightweight access mechanism in which clients send requests to and receive responses from LDAP servers.
  • Information describing the various users, applications, files, printers, and other resources accessible from a network is often collected into a special database that is sometimes called a directory.

  9. LDAP (Why?)
  • Island of Information:
    • As the number of different networks and applications has grown, the number of specialized directories of information has also grown.
    • Then we have a distributed environment of information
  • Difficulty
    • Information Sharing
    • Accessibility
    • Maintenance
    • Control
  • The Lightweight Directory Access Protocol (LDAP) is an open industry standard that has evolved to meet these needs.

  10. LDAP
  • A request is typically performed by the Directory client process.
  • The process that looks up information in the directory is called the Directory server.
  • The Lightweight Directory Access Protocol (LDAP) defines a message protocol used by directory clients and directory servers.
  • LDAP Client
    • A Directory Client that supports LDAP.
  • LDAP Server
    • A Directory Server that supports LDAP.

  11. LDAP Directory (Logical View)

  12. Directory (Terms)1
  • DAP: Directory Access Protocol.
    • X.500 term for an OSI based network protocol that enables access to a DSA and which implies the directory data model.
  • DSA: Directory System Agent.
    • X.500 term for any DAP or LDAP enabled directory service, e.g. an LDAP server. In fact the X.500 standard, from which LDAP descends, defines the term Directory Service Agent, which refers to the Directory server or package.
  • LDAP: Lightweight Directory Access Protocol.
    • IETF term for a TCP/IP based network protocol that enables access to a DSA. Some reduced functionality from the X.500 DAP specification.
  • DIT: Directory Information Tree
    • The DIT is the hierarchy of objects that make up the local directory structure.

  13. Directory (Terms)2
  • Base: The base entry (a.k.a. root and Suffix).
    • Describes the topmost entry in a DIT. The term base seems to be used
  • Root DSE: DSA Specific Entry
    • The RootDSE is the highest level in an LDAP enabled directory.
    • Conceptually the topmost entry in an LDAP hierarchy.
    • Think of it as a super root; it is normally invisible, i.e. not accessed in normal operations.
    • Sometimes confused with root or base or suffix.
    • Provides information about protocol versions supported, services supported and DIT(s) supported.
  • Entry: The name given to a stored object in an LDAP enabled directory.
    • Each entry has one parent entry (object) and zero or more child entries (objects).
    • The data content of an entry consists of one or more attributes

  14. Illustration (1) [Figure: DIT with Base Entry and RootDSE]

  15. Directory (Terms)3
  • objectClass: Type of Entry (Object)
    • Object Classes are collections of attributes.
    • Each objectClass is uniquely identified by an OID.
  • OID: Object Identifier
    • Is a dot-separated value, e.g. 2.5.6.2, that uniquely defines an object and who is responsible for its definition.
  • RDN: Relative Distinguished Name.
    • The name given to an attribute(s) that is unique at its level in the hierarchy.
    • RDNs may be single valued or multi-valued, in which case two or more attributes are combined using '+' (plus) to create the RDN, e.g. cn+uid
  • DN: Distinguished Name.
    • A DN is comprised of a series of RDNs that uniquely describe the naming attributes on the path UP the DIT from the required entry to the directory root.

  16. Illustration (2)
  • Attribute:
    • The data in an entry is contained in attribute-value pairs.
    • Has a name (and sometimes a short form of the name)
    • Belongs to an objectClass.
    • The attribute's characteristics are fully described by an ASN.1 definition.
  • Type: Data Type
    • Type is commonly used to refer to the ASN.1 SYNTAX of an attribute.

  17. Illustration (3)

  18. LDAP Overview
  • LDAP is just a protocol that:
    • Defines the method by which directory data is accessed.
    • Defines and describes how data is represented in the directory service.
    • Defines how data is loaded into and saved from the directory service.
  • LDAP does not define how data is stored or manipulated.
  • LDAP Models:
    • LDAP defines four models:
      • Information Model
      • Naming Model
      • Functional Model
      • Security Model

  19. LDAP (Models)
  • Information (Data) Model:
    • Defines how the information or data is represented in an LDAP enabled system.
  • Naming Model:
    • Defines how an Entry (Object) is referred to.
  • Functional Model:
    • When you read, search, write or modify the LDAP directory you are using the Functional Model
  • Security Model:
    • Who can do what to what data. This is the LDAP Security Model

  20. LDAP (Information Model)1
  • Data is represented in an LDAP enabled directory as a hierarchy of objects, each of which is called an Entry.
  • The resulting tree structure is called a Directory Information Tree (DIT).
  • The top of the tree is commonly called the root (base or suffix) entry.
  • Entry (Object)
    • The basic unit of information stored in the directory is called an entry (object).
    • Entries represent objects in the real world such as people, servers, organizations, and so on.
    • Entries are composed of a collection of attributes that contain information about the Object (Entry).
    • The information is represented as one or more values of an attribute.

  21. LDAP (Information Model)2
  • Attribute
    • Contains information about the object.
    • Every attribute is identified by its unique name.
    • Every attribute has a type (known as datatype).
    • Some attributes have alias names that can be used wherever the full attribute name is used.
      • “cn” can be used when referring to the attribute “commonName”.
    • Attributes can have single or multiple values.
      • Single means that only one data value may be present for the attribute.
      • Multi means there can be one or more data values for the attribute.
    • An attribute's characteristics are defined using ASN.1 notation.
    • Attributes are defined in a schema.
      • To use an attribute, its schema must be known to the server.
      • An attribute defined in one schema can be used by an objectClass defined in another schema.
    • An attribute definition includes:
      • Syntax: Its form, e.g. string, number etc.
      • Matching rules: How it behaves in certain conditions, e.g. are comparisons case-sensitive or case-insensitive, and other characteristics (properties)

  22. LDAP (Information Model)3
  • Attribute Inheritance:
    • An attribute definition may be part of a hierarchy, in which case it inherits all the properties of its parents, e.g. commonName (cn), givenName (gn), surname (sn) are all children of the name attribute.
  • Every attribute is included in one or more objectClasses
  • Attributes can be:
    • Optional (keyword is MAY)
    • Mandatory (keyword is MUST) as described in the ASN.1 definitions
    • An attribute may be optional in one objectClass and mandatory in another.
  • To use an attribute in an entry:
    • Its objectClass must be included in the entry definition
    • Its objectClass must be included in a schema which must be identified to the LDAP server.

  23. LDAP (Information Model)4
  • At each level in the hierarchy:
    • The data contained in one attribute should uniquely identify the entry.
    • It can be any attribute in the entry.
    • It can even be a combination of two or more attributes.
  • RDN (Relative Distinguished Name)
    • The attribute value(s) selected to contain the unique data is (are) called the naming attribute(s) or the RDN.

  24. LDAP (Information Model)5
  • Schema: The rule is:
    • Every attribute or objectClass (including its superior objectClass or attribute) used in an LDAP implementation must be defined in a schema
    • The schema must be known to the LDAP server.
  • Schemas define the type of objects that can be stored in the directory.
  • Schemas also list the attributes of each object type and whether these attributes are required or optional.
  • Schemas also define the inheritance and sub-classing of objects and where in the DIT structure (hierarchy) objects may appear.

  25. LDAP (Information Model)6
  • objectClass
    • Denotes the type of object being represented by a directory entry or record.
    • An objectClass has a globally unique name or identifier.
    • ObjectClasses are defined using ASN.1 notation.
    • Some typical object types are person, organization, organizational unit, domain component and groupOfNames
    • LDAP object classes define sets of standard attributes that are listed as must contain (mandatory attributes) and may contain (optional attributes)
    • There are some objectClasses and attributes defined as operational which are embedded in the LDAP server software and do not need definition.

  26. LDAP (Information Model)7
  • An object class is declared as abstract, structural, or auxiliary.
    • An abstract objectClass is used as a template for creating other object classes.
      • A directory entry cannot be instantiated from an abstract object class.
    • Directory entries are instantiated from structural object classes.
    • An auxiliary object class cannot be instantiated by itself as a directory entry;
      • An auxiliary object class can be attached to directory entries that are instantiated from structural object classes.
      • Auxiliary object classes provide a method for extending structural object classes without having to change the schema definition of a structural class.

  27. LDAP (Information Model)8
  • ObjectClasses may be organized in a hierarchy, in which case they inherit all the properties of their parents.
  • There are a confusing number of pre-defined objectClasses, each of which contains bucket-loads of attributes for almost all common applications. But of course the one you NEED is never defined
  • One or more objectClass(es) must be present in an LDAP entry.

  28. LDAP (Information Model)9
  • OID (Object Identifier)
    • Each objectClass begins with a string of numbers delimited by decimal points. This number is referred to as the OID.
  • Type
    • The type of the attribute is associated with its syntax.
  • Syntax
    • Syntax specifies what kind of values can be stored in attributes.
  • Matching rules
    • Matching rules are part of what is called the operational characteristics of the LDAP server.
    • Matching rules define the methods of comparison available in the LDAP server.
    • Matching rules are typically built in to the LDAP server and do not need to be defined explicitly.
    • A matching rule is defined for each attribute using the EQUALITY, SUBSTR, ORDERING

  29. LDAP (Information Model)10
  • LDIF (LDAP Data Interchange Format)
    • A convenient, yet necessary, data management mechanism.
    • LDIF files are used in five general cases:
      • To initially construct the DIT structure.
      • To add (import) bulk records into a directory.
      • To restore (import) a directory.
      • To archive (export) a directory.
      • To apply bulk edits to a directory.
    • LDIF files are simple text files
      • Can be created and edited with any suitable text editor.
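An added example, not part of the slides: a minimal parser for LDIF content records of the kind slide 29 describes, covering the three details that trip up hand-written importers: continuation lines (a leading space folds a line onto the previous one), base64 values written with a double colon, and multi-valued attributes. The LDIF text is constructed here and the `{SSHA}example` value is a placeholder, not a real hash.

```python
import base64

# Constructed sample LDIF (not from the slides): two entries, a folded value
# and one base64 ("::") value. Base64 is an encoding, not protection: the
# value is readable by anyone who can read the file.
SAMPLE_LDIF = """\
version: 1
# comment lines are ignored
dn: cn=John Smith,ou=people,o=ibm,c=us
objectClass: top
objectClass: person
cn: John Smith
sn: Smith
description: a long value that is
  folded onto a second line
userPassword:: e1NTSEF9ZXhhbXBsZQ==

dn: ou=people,o=ibm,c=us
objectClass: organizationalUnit
ou: people
"""

def unfold(text):
    """Join continuation lines and drop comments, yielding logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: strip exactly one space
        elif raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lowercase names to value lists."""
    entries, dn, attrs = [], None, {}
    for line in unfold(text) + [""]:      # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if value.startswith(":"):         # "name:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries
```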

  30. LDAP (Naming Model)1
  • How entries are identified and organized.
  • Entries are organized in a tree-like structure called the Directory Information Tree (DIT).
  • DN and RDN
    • DN = Distinguished Name
    • RDN = Relative Distinguished Name
  • Entries are arranged within the DIT based on their distinguished name (DN).
    • A DN is a unique name that unambiguously identifies a single entry.
    • DNs are made up of a sequence of relative distinguished names (RDNs).
    • Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry
    • In the simple and common case, an RDN has the form <attribute name> = <value>
    • A DN is composed of a sequence of RDNs separated by commas

  31. LDAP (Naming Model)2
  • Entries are named according to their position in the DIT
  • The directory entry at the bottom of the figure has the DN of cn=John Smith,ou=people,o=ibm,c=us.
  • The organizational group people has the DN of ou=people,o=ibm,c=us.
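An added example, not from the slides or any LDAP library, of the naming model on slides 30 and 31: splitting a DN into its RDNs from the entry up to the root, recovering the entry's own RDN and its parent DN, and handling the two cases a naive `split(",")` gets wrong, namely backslash-escaped commas inside values and multi-valued RDNs joined with `+` (slide 15's `cn+uid`).

```python
def parse_dn(dn):
    """Split a DN into RDNs, entry first, root last. Each RDN is a list of
    (attribute, value) pairs; a multi-valued RDN (cn+uid) has several.
    A backslash escapes the next character, so 'Smith\\, John' is one value."""
    if dn.strip() == "":
        return []                            # the empty DN names the root DSE
    rdns, avas, current, i = [], [], [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","   # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])        # keep the escaped char literally
            i += 2
            continue
        if ch in "+,":
            attr, eq, value = "".join(current).partition("=")
            if not eq or not attr.strip():
                raise ValueError("malformed RDN component: %r" % "".join(current))
            avas.append((attr.strip().lower(), value.strip()))
            current = []
            if ch == ",":
                rdns.append(avas)
                avas = []
        else:
            current.append(ch)
        i += 1
    return rdns

def _escape(value):
    """Re-escape the characters that would otherwise split RDNs or values."""
    return "".join("\\" + c if c in ',+\\' else c for c in value)

def format_dn(rdns):
    """Inverse of parse_dn: join RDNs with ',' and multi-valued parts with '+'."""
    return ",".join("+".join("%s=%s" % (a, _escape(v)) for a, v in rdn) for rdn in rdns)

def rdn_of(dn):
    """The entry's own RDN, e.g. 'cn=John Smith' for the slide-31 entry."""
    rdns = parse_dn(dn)
    return format_dn(rdns[:1]) if rdns else None

def parent_dn(dn):
    """The DN one step UP the DIT: slide 31's entry has parent ou=people,o=ibm,c=us."""
    rdns = parse_dn(dn)
    return format_dn(rdns[1:]) if rdns else None
```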

  32. LDAP (Functional Model)1
  • The LDAP functional model
    • Is comprised of three categories of operations that can be performed against an LDAPv3 directory service:
  • Authentication
    • Bind: to connect
    • Unbind: to disconnect
    • Abandon: Establish access rights and protect information
  • Query
    • Search for and Compare entries, for meeting user-specified criteria
  • Update
    • Add: Adding an entry
    • Delete: Deleting an entry
    • Modify: Modify the distinguished name (ModifyRDN) or relative distinguished name of an entry.

  33. LDAP (Functional Model)2
  • Query
    • The most common operation is search.
    • To perform a search, the following parameters must be specified:
  • Base
    • A DN that defines the starting point, called the base object, of the search.
    • The base object is a node within the DIT.
  • Scope
    • Specifies how deep within the DIT to search from the base object.
    • There are three choices:
      • baseObject
      • singleLevel
      • wholeSubtree

  34. LDAP (Functional Model)3
  • baseObject
    • Only the base object is examined
  • singleLevel
    • Only the immediate children of the base object are examined
    • The base object itself is not examined
  • wholeSubtree
    • The base object and all of its descendants are examined

  35. LDAP (Functional Model)4
  • Query (continued)
  • Search Filter
    • Specifies the criteria an entry must match to be returned from a search.
    • The search filter is a Boolean combination of attribute value assertions.
    • For example, a search filter might specify entries with a common name containing “wolf” or belonging to the organization ITSO.
  • Attributes to Return
    • Specifies which attributes to retrieve from entries that match the search criteria.
    • An entry may have many attributes; this allows the user to only see the attributes they are interested in.

  36. LDAP (Functional Model)5
  • Query (continued)
  • Alias Dereferencing
  • Limits
    • The size limit restricts the number of entries returned from the search.

  37. LDAP (Functional Model)6
  • Compare
    • Compares an entry for an attribute value.
    • If the entry has that value, compare returns TRUE. Otherwise, compare returns FALSE
  • Compare vs. Search:
    • “Compare” is almost the same as a “Search” with:
      • base scope
      • search filter of attribute=value.
    • Difference:
      • If the entry exists but does not have the attribute-value at all:
        • Search will return not found
        • Compare will return FALSE
      • If the entry itself does not exist
        • Search will return not found
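An added example (not from the slides, and not a real LDAP server) that models the query operations of slides 33 to 37 against a small in-memory DIT: search with a base, one of the three scopes, a string filter such as the "wolf or ITSO" example from slide 35, and a list of attributes to return; and compare, which returns a different result from search when the entry exists but lacks the asserted value. DNs here are assumed to contain no escaped commas, and equality ignores case, as caseIgnoreMatch would.

```python
import re

# Constructed sample DIT keyed by DN; attribute names are lowercase, values are lists.
DIT = {
    "c=us": {"objectclass": ["country"], "c": ["us"]},
    "o=ibm,c=us": {"objectclass": ["organization"], "o": ["ibm"]},
    "o=itso,c=us": {"objectclass": ["organization"], "o": ["ITSO"]},
    "ou=people,o=ibm,c=us": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "cn=John Smith,ou=people,o=ibm,c=us": {"objectclass": ["person"], "cn": ["John Smith"], "sn": ["Smith"]},
    "cn=Jane Wolf,ou=people,o=ibm,c=us": {"objectclass": ["person"], "cn": ["Jane Wolf"], "sn": ["Wolf"]},
}

def in_scope(dn, base, scope):
    """Slide 34: baseObject = base only; singleLevel = children only; wholeSubtree = all."""
    if dn != base and not dn.endswith("," + base):
        return False
    depth = dn.count(",") - base.count(",")   # 0 = the base itself, 1 = a child
    return {"baseObject": depth == 0, "singleLevel": depth == 1, "wholeSubtree": True}[scope]

def _match(attrs, attr, pattern):
    """Attribute value assertion: presence (attr=*), substring (*wolf*) or equality, case-ignored."""
    values = [v.lower() for v in attrs.get(attr.lower(), [])]
    if pattern == "*":
        return bool(values)
    rx = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return any(re.fullmatch(rx, v) for v in values)

def _parse(s):
    # Recursive descent over one filter; returns (node, unparsed remainder).
    if not s.startswith("("): raise ValueError("expected '(' at %r" % s[:10])
    s = s[1:]
    if s[0] in "&|":
        op, s, items = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            items.append(child)
        node = (op, items)
    elif s[0] == "!":
        child, s = _parse(s[1:])
        node = ("!", child)
    else:                                     # attr=value; the value may not contain ')'
        attr, _, value = s[:s.index(")")].partition("=")
        node, s = ("=", attr, value), s[s.index(")"):]
    if not s.startswith(")"): raise ValueError("missing ')'")
    return node, s[1:]

def parse_filter(text):
    """Parse a string filter such as (&(objectclass=person)(!(sn=Wolf))) into a tuple tree."""
    return _parse(text.strip())[0]

def evaluate(node, attrs):
    if node[0] == "&": return all(evaluate(n, attrs) for n in node[1])
    if node[0] == "|": return any(evaluate(n, attrs) for n in node[1])
    if node[0] == "!": return not evaluate(node[1], attrs)
    return _match(attrs, node[1], node[2])

def search(base, scope, filter_text, attributes=None):
    """{dn: attrs} of matches, or None (noSuchObject) if the base entry is absent."""
    if base not in DIT:
        return None
    node, results = parse_filter(filter_text), {}
    for dn, attrs in DIT.items():
        if in_scope(dn, base, scope) and evaluate(node, attrs):
            results[dn] = attrs if attributes is None else {a: attrs[a] for a in attributes if a in attrs}
    return results

def compare(dn, attr, value):
    """Slide 37: compare tells a missing entry (noSuchObject) from a missing value (compareFalse)."""
    if dn not in DIT:
        return "noSuchObject"
    values = [v.lower() for v in DIT[dn].get(attr.lower(), [])]
    return "compareTrue" if value.lower() in values else "compareFalse"
```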

  38. LDAP (Functional Model)7 • Update

  39. LDAP (Functional Model)7
  • Authentication
    • Authentication operations are used to establish and end a session between an LDAP client and an LDAP server.

  40. LDAP (Security Model)1
  • The security model is based on the bind operation.
  • There are several security mechanisms:
    • Simple
    • Simple Authentication and Security Layer (SASL)
    • Transport Layer Security (TLS)

  41. LDAP (Security Model)2
  • Simple Authentication:
    • Client requesting access:
      • Supplies a DN identifying itself along with a simple clear-text password.
      • If no DN and password are supplied, an anonymous session is assumed by the LDAP server.
    • The use of clear-text passwords is strongly discouraged because unauthorized parties could intercept them.
  • Simple Authentication and Security Layer (SASL)
    • General authentication framework.
    • Several different authentication methods are available for authenticating the client to the server; one of them is Kerberos.

  42. LDAP (Security Model)3
  • Transport Layer Security (TLS)
    • Allows operations to use TLS as a means to encrypt an LDAP session and protect against spoofing.
    • TLS and SSL are the same in basic principle.
    • TLS is only supported in LDAP v3.

  43. LDAP (Message)
  • LDAP defines the content of messages exchanged between an LDAP client and an LDAP server, as listed below:
    • Request From Client
      • Search
      • Modify (Modify and Add)
      • Delete
    • Response From Server
  • LDAP messages are carried over TCP/IP, a connection-oriented protocol.
  • There are operations to establish and disconnect a session between the client and server.
  • LDAP defines operations for accessing and modifying directory entries such as:
    • Binding and unbinding
    • Searching for entries meeting user-specified criteria
    • Adding an entry
    • Deleting an entry
    • Modifying an entry
    • Modifying the distinguished name or relative distinguished name of an entry (move)
    • Comparing an entry

  44. LDAP (Scenario)1
  • General interaction between an LDAP client and an LDAP server:
  • Binding:
    • The client establishes a session with an LDAP server
    • The client specifies
      • The host name or IP address
      • The TCP/IP port number where the LDAP server is listening.
  • Authentication
    • Authenticated User
      • The client provides a user name and a password.
    • Anonymous User
      • Without username and password.
    • Establish a session that uses stronger security methods such as encryption of data.

  45. LDAP (Scenario)2
  • Performs Operations
    • Read and Update
    • Searching the directory
  • Unbinding
    • Closes the session with the server

  46. LDAP (More Details)1
  • objectClass Definition
    • The formal objectClass definition is defined in RFC 2252.
    • The definition is in ASN.1 notation.

      ObjectClassDescription = "(" whsp
          numericoid whsp      ; ObjectClass identifier
          [ "NAME" qdescrs ]
          [ "DESC" qdstring ]
          [ "OBSOLETE" whsp ]
          [ "SUP" oids ]       ; Superior ObjectClasses
          [ ( "ABSTRACT" / "STRUCTURAL" / "AUXILIARY" ) whsp ]
                               ; default structural
          [ "MUST" oids ]      ; AttributeTypes
          [ "MAY" oids ]       ; AttributeTypes
          whsp ")"

      objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL
          MUST c
          MAY ( searchGuide $ description ) )

  47. LDAP (More Details)2
      objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL
          MUST c
          MAY ( searchGuide $ description ) )
  • 2.5.6.2 NAME “country”:
    • Defines a globally unique name for this objectClass
    • This is comprised of two parts:
      • NAME “country”:
        • Just allows you to refer to this objectClass by some semi-understandable text
      • Globally unique:
        • Is defined by 2.5.6.2 which is called an OID (Object Identifier).
  • Obtaining an enterprise OID that allows you to define your own attributes and objectClasses:
    • Is a trivial, zero-cost process
    • Via IANA (follow Online Application for a Private Enterprise Number).
  • It is a VERY BAD THING to re-use existing OIDs.

  48. LDAP (More Details)3
  • Some more objectClasses:
    • “top” objectClass
      objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
    • “dcObject” objectClass
      objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc )
    • “pilotOrganization” objectClass
      objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )

  49. LDAP (More Details)4
  • Entry (Object) Example (an object of the pilotOrganization objectClass)
      dn: dc=example,dc=com
      dc: example.com
      objectclass: dcObject
      objectclass: pilotOrganization
      o: Tehran Polytechnic, Inc.
      ou: Accounting
      buildingName: Computer Science Dept

  50. LDAP (More Details)5
  • Attribute Definition
    • The formal attribute type definition is defined in RFC 2252.
    • The definition is in ASN.1 notation.

      AttributeTypeDescription = "(" whsp
          numericoid whsp                 ; Attribute Type identifier
          [ "NAME" qdescrs ]              ; name used in Attribute Type
          [ "DESC" qdstring ]             ; description
          [ "OBSOLETE" whsp ]
          [ "SUP" woid ]                  ; derived from this other Attribute Type
          [ "EQUALITY" woid ]             ; Matching Rule name
          [ "ORDERING" woid ]             ; Matching Rule name
          [ "SUBSTR" woid ]               ; Matching Rule name
          [ "SYNTAX" whsp noidlen whsp ]  ; Syntax OID
          [ "SINGLE-VALUE" whsp ]         ; default multi-valued
          [ "COLLECTIVE" whsp ]           ; default not collective
          [ "NO-USER-MODIFICATION" whsp ] ; default user modifiable
          [ "USAGE" whsp AttributeUsage ] ; default userApplications
          whsp ")"
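An added example, not from the slides or any directory server, that parses the description syntax of slides 46 and 50 (objectClass and attributeType descriptions share the `( oid KEYWORD value ... )` shape), loads the objectClasses printed on slides 46 and 48, and checks the slide-49 entry for missing MUST attributes, following SUP chains the way slide 27 describes. The `organization` and `organizationalUnit` definitions are assumed stand-ins carrying only their MUST attributes so that `pilotOrganization`'s SUP chain resolves; the attribute-type string in the test is constructed.

```python
import re

# Tokens: parentheses, '$' separators, quoted strings, and bare words (OIDs,
# names, keywords, and noidlen forms such as 1.3.6.1.4.1.1466.115.121.1.15{64}).
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
LIST_KEYWORDS = {"NAME", "SUP", "MUST", "MAY"}           # one value or ( a $ b )
FLAG_KEYWORDS = {"OBSOLETE", "ABSTRACT", "STRUCTURAL", "AUXILIARY",
                 "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

def parse_description(text):
    """Parse '( oid KEYWORD value ... )' (objectClass or attributeType form)
    into a dict: OID, flags as True, list keywords as lists, others as strings."""
    tokens = TOKEN.findall(text[text.index("("):])   # skip any 'objectclass' prefix
    if tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be parenthesised")
    desc, i = {"OID": tokens[1]}, 2
    while i < len(tokens) - 1:
        key, i = tokens[i], i + 1
        if key in FLAG_KEYWORDS:
            desc[key] = True
        elif key in LIST_KEYWORDS:
            values = []
            if tokens[i] == "(":
                i += 1
                while tokens[i] != ")":
                    if tokens[i] != "$":
                        values.append(tokens[i].strip("'"))
                    i += 1
            else:
                values.append(tokens[i].strip("'"))
            desc[key], i = values, i + 1
        else:                                 # DESC, EQUALITY, SYNTAX, USAGE, ...
            desc[key], i = tokens[i].strip("'"), i + 1
    return desc

# First four: the definitions printed on slides 46 and 48. Last two: assumed
# stand-ins for RFC 2256's organization and organizationalUnit, reduced to
# their MUST attributes so that pilotOrganization's SUP chain resolves.
SCHEMA_TEXT = [
    "objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "objectclass ( 2.5.6.2 NAME 'country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) )",
    "objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc )",
    "objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )",
    "( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o )",
    "( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou )",
]
SCHEMA = {d["NAME"][0].lower(): d for d in map(parse_description, SCHEMA_TEXT)}

def required_attributes(class_name):
    """MUST attributes of a class, including those inherited through SUP."""
    desc = SCHEMA[class_name.lower()]
    required = {a.lower() for a in desc.get("MUST", [])}
    for parent in desc.get("SUP", []):
        required |= required_attributes(parent)
    return required

def missing_attributes(entry):
    """Sorted MUST attributes absent from an entry ({attr: [values]}, names any case)."""
    present = {k.lower() for k in entry}
    classes = next((v for k, v in entry.items() if k.lower() == "objectclass"), [])
    required = set()
    for cls in classes:
        required |= required_attributes(cls)
    return sorted(required - present)

# The slide-49 entry as a dict (the dn names the entry and is not an attribute).
ENTRY = {"dc": ["example.com"], "objectclass": ["dcObject", "pilotOrganization"],
         "o": ["Tehran Polytechnic, Inc."], "ou": ["Accounting"],
         "buildingName": ["Computer Science Dept"]}
```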
