
LDAP: LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL






Presentation Transcript


  1. LDAP: LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL • PRESENTATION BY ALAKESH, APURVA, DHAN AND ASH

  2. WHAT IS LDAP • LDAP IS LIGHTWEIGHT • SUFFICIENTLY STRAIGHTFORWARD • EASY TO IMPLEMENT, AS AGAINST X.500 DAP, WHICH IS HEAVYWEIGHT

  3. LDAP • "DIRECTORY" BECAUSE DATA IS ORGANISED IN THE FORM OF A TREE, MUCH LIKE THE UNIX FILE SYSTEM • USES A SIMPLIFIED SET OF ENCODINGS • RUNS DIRECTLY ABOVE TCP/IP • USES STRINGS TO REPRESENT DATA

  4. LDAP • LDAP SECURITY MODEL: DEFINES HOW INFORMATION CAN BE PROTECTED FROM UNAUTHORISED ACCESS

  5. LDAP • LDAP API • THERE ARE SEVERAL LDAP APIS (APPLICATION PROGRAMMING INTERFACES); THE OLDEST ONES WERE WRITTEN IN C • NOWADAYS LDAP APIS ARE AVAILABLE IN OTHER PROGRAMMING LANGUAGES SUCH AS PERL AND JAVA

  6. HOW LDAP WORKS • THE LDAP DIRECTORY SERVICE IS BASED ON THE CLIENT-SERVER MODEL • LDAP IS A MESSAGE-ORIENTED PROTOCOL • THE CLIENT CONSTRUCTS AN LDAP MESSAGE CONTAINING A REQUEST AND SENDS IT TO THE SERVER

  7. HOW LDAP WORKS • THE SERVER PROCESSES THE REQUEST AND SENDS THE RESULT BACK TO THE CLIENT IN THE FORM OF AN LDAP MESSAGE

  8. LDAP BACKENDS • THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP SERVER, CALLED slapd, COMES WITH THREE DIFFERENT BACKEND DATABASES • WE ASSUME THAT IN OUR CASE WE USE LDBM, THE MOST USED ONE

  9. HOW LDAP WORKS • THE LDAP DATABASE WORKS BY ADDING A COMPACT FOUR-BYTE UNIQUE IDENTIFIER TO EACH ENTRY • INDEX FILES ARE MAINTAINED FOR REFERRING TO THE DATA

  10. LDAP PROTOCOL OPERATIONS • INTERROGATION OPERATIONS: SEARCH, COMPARE • ADD/DELETE OPERATIONS: ADD, DELETE, MODIFY, MODIFY DN • AUTHENTICATION AND CONTROL OPERATIONS: BIND, UNBIND, ABANDON

  11. LDAP INFORMATION MODEL • THE BASIC UNIT IS THE ENTRY (A COLLECTION OF INFORMATION ABOUT AN OBJECT) • AN ENTRY IS COMPOSED OF A SET OF ATTRIBUTES

  12. LDIF • LDIF STANDS FOR LDAP DATA INTERCHANGE FORMAT • DIRECTORY ENTRIES IN LDAP ARE IN THE FORM OF LDIF

  13. LDIF FORMAT • BASIC FORM OF LDIF:
      # COMMENT
      dn: <DISTINGUISHED NAME>
      <ATTRDESC>: <ATTRVALUE>
      <ATTRDESC>: <ATTRVALUE>
      ...
      • EXAMPLE: dn: uid=alakesh,dc=iit,dc=edu

  14. LDAP • IN ADDITION TO BEING A NETWORK PROTOCOL, IT ALSO DEFINES FOUR MODELS • LDAP INFORMATION MODEL: DEFINES THE KIND OF DATA YOU PUT IN THE DIRECTORY • LDAP NAMING MODEL: HOW YOU ORGANISE AND REFER TO DIRECTORY INFORMATION

  15. LDIF FORMAT • LINES STARTING WITH # ARE CONSIDERED TO BE COMMENTS • ALL OTHER ATTRIBUTES ARE WRITTEN IN <ATTRDESC>: <VALUE> FORM

  16. LDIF • EACH ENTRY IS UNIQUELY IDENTIFIED BY A DISTINGUISHED NAME, OR DN. THE DN CONSISTS OF THE NAME OF THE ENTRY PLUS A PATH IN THE DIRECTORY TREE TRACING BACK TO THE TOP OF THE DIRECTORY HIERARCHY • THE OBJECT CLASS DEFINES THE CLASS OF THE ATTRIBUTES THAT CAN BE USED TO DEFINE AN ENTRY

  17. LDIF • DIRECTORY DATA IS REPRESENTED AS ATTRIBUTE-VALUE PAIRS. ANY SPECIFIC PIECE OF INFORMATION IS ASSOCIATED WITH A DESCRIPTIVE ATTRIBUTE
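Slides 12 to 17 describe LDIF and DNs in prose only. The following Python script is an added example (not part of the presentation) that parses a small constructed LDIF file into entries and attribute-value pairs, honours the rules just listed (# comments, one dn: line per entry, multi-valued attributes) plus two details of the LDIF standard the slides leave out (a leading space continues the previous line, and "::" marks a base64-encoded value), and walks a DN back up the tree to the top of the hierarchy. The sample entries and their values are constructed for the demonstration.

```python
import base64
import re

# Constructed sample LDIF (not from the slides): two entries under dc=iit,dc=edu.
# The description value is folded over two lines; sn is base64-encoded ("Apurva").
SAMPLE_LDIF = """\
# comment lines start with '#'
dn: dc=iit,dc=edu
objectClass: top
objectClass: domain
dc: iit

dn: uid=alakesh,dc=iit,dc=edu
objectClass: top
objectClass: person
uid: alakesh
cn: Alakesh
description: a long value that is folded
  across two lines
sn:: QXB1cnZh
"""

_LDIF_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps a lower-cased attribute name to its list of values."""
    # Unfold first: a line beginning with a single space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current_dn, attrs = [], None, {}
    for line in lines + [""]:  # a trailing blank line flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":  # blank line separates entries
            if current_dn is not None:
                entries.append((current_dn, attrs))
            current_dn, attrs = None, {}
            continue
        m = _LDIF_LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        desc, sep, value = m.group(1), m.group(2), m.group(3)
        if sep == "::":  # "attr:: <base64>" carries a value that is not safe as plain text
            value = base64.b64decode(value).decode("utf-8")
        if desc.lower() == "dn":
            current_dn = value
        else:
            attrs.setdefault(desc.lower(), []).append(value)  # attributes may be multi-valued
    return entries


def split_dn(dn):
    """Split a DN into its RDN strings, treating a backslash-escaped comma as part of a value."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf.strip())
    return parts


def parent_dn(dn):
    """The DN one level up the tree; the empty string once the top of the hierarchy is reached."""
    return ",".join(split_dn(dn)[1:])


def path_to_root(dn):
    """Every DN from the entry back up to the top of the directory, as slide 16 describes."""
    chain = []
    while dn:
        chain.append(dn)
        dn = parent_dn(dn)
    return chain


if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, attrs)
    print(path_to_root("uid=alakesh,dc=iit,dc=edu"))
```

The parser keeps attribute names case-insensitive (LDAP attribute descriptions are), which is why lookups below use objectclass rather than objectClass.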

  18. LDAP CONFIGURATION • THE CONFIGURATION FILE slapd.oc.conf CONTAINS THE DEFINITIONS OF ALL THE OBJECT CLASSES • THE ATTRIBUTES OF THE OBJECT CLASSES ARE DEFINED IN THE slapd.at.conf FILE

  19. LDAP CONFIGURATION • EACH OBJECT CLASS HAS REQUIRED AND ALLOWED ATTRIBUTES • REQUIRED ATTRIBUTES MUST BE PRESENT, WHILE ALLOWED ONES ARE OPTIONAL

  20. LDAP CONFIGURATION • EACH ATTRIBUTE HAS A CORRESPONDING SYNTAX DEFINITION

  21. LDAP ACCESS CONTROL • access to <what> [ by <who> <access level> <control> ] • THIS DIRECTIVE GRANTS ACCESS TO A SET OF ENTRIES/ATTRIBUTES BY ONE OR MORE REQUESTERS • EXAMPLE: access to * by * read

  22. LDAP ACCESS CONTROL • THE ABOVE DIRECTIVE GIVES READ PERMISSION TO EVERYONE • FOR EXAMPLE, access to dn=".*,c=INDIA" by * search GIVES SEARCH PERMISSION ON THE ENTRIES UNDER THE c=INDIA SUBTREE
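The two directives on slides 21 and 22 are easier to reason about when you can evaluate them. The script below is an added example (not from the presentation or from OpenLDAP itself): a simplified model of how slapd-style access directives are evaluated, using the regex-matched dn="..." form the slide shows. The semantics it assumes are that directives are tried in order and the first "access to" clause whose target matches decides; within it the first matching "by" clause gives the level; a matching clause with no matching "by" denies; and, following slide 27's remark, an entry no directive covers falls back to a default of read. The directive set, the attr= and self forms, and the ordering of levels (none < compare < search < read < write, each level implying the ones below) are constructed for the demonstration. The userPassword rule is included to show why ordering matters: placed after the catch-all "access to * by * read", it would never be reached and everyone could read password hashes.

```python
import re

# Access levels, lowest to highest; a granted level implies every level before it (assumed model).
LEVELS = ["none", "compare", "search", "read", "write"]

# Constructed directive set in the slapd.conf style used on the slides.
# Order matters: the most specific rule is first, the catch-all last.
DIRECTIVES = """\
# only the entry itself may touch its password; everyone else gets nothing
access to attr=userPassword by self write by * none
# entries under c=INDIA may be searched (but not read) by anyone
access to dn=".*,c=INDIA" by * search
# everything else is world-readable
access to * by * read
"""


def parse_directives(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"access\s+to\s+(\S+)\s+(.*)$", line)
        if not m:
            raise ValueError("malformed directive: %r" % line)
        by_clauses = re.findall(r"\bby\s+(\S+)\s+(\S+)", m.group(2))
        rules.append((m.group(1), by_clauses))
    return rules


def _match_what(what, dn, attr):
    """Does the <what> part of a directive cover this entry (and attribute, if one is requested)?"""
    if what == "*":
        return True
    if what.startswith("dn="):  # regex over the DN, as in the slide's example
        return re.fullmatch(what[3:].strip('"'), dn, re.IGNORECASE) is not None
    if what.startswith("attr="):
        return attr is not None and attr.lower() == what[5:].lower()
    raise ValueError("unsupported <what>: " + what)


def _match_who(who, requester, dn):
    """Does the <who> part match the requester? requester is a bound DN, or None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == dn.lower()
    if who.startswith("dn="):
        return requester is not None and re.fullmatch(who[3:].strip('"'), requester, re.IGNORECASE) is not None
    raise ValueError("unsupported <who>: " + who)


def granted_level(rules, requester, dn, attr=None, default="read"):
    """Highest access level the directives grant this requester on dn (or on one attribute of it)."""
    for what, by_clauses in rules:
        if _match_what(what, dn, attr):
            for who, level in by_clauses:
                if _match_who(who, requester, dn):
                    return level
            return "none"  # the target matched but no 'by' clause did: implicit 'by * none'
    return default  # no directive covers the entry: the assumed server default


def allowed(rules, requester, dn, wanted, attr=None):
    """True if the granted level is at least the level being requested."""
    return LEVELS.index(granted_level(rules, requester, dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    rules = parse_directives(DIRECTIVES)
    for who, dn, attr in [(None, "o=iitb,c=india", None),
                          (None, "cn=hi,o=iitb,c=india", "userPassword"),
                          ("cn=hi,o=iitb,c=india", "cn=hi,o=iitb,c=india", "userPassword")]:
        print(who or "anonymous", dn, attr, "->", granted_level(rules, who, dn, attr))
```

A quick way to audit a real slapd.conf with this model is to list every entry/requester pair you care about and check that nothing sensitive reaches "read" for "*"; in particular, anything a catch-all rule would expose must be matched by an earlier, more specific directive.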

  23. LDAPADD • THE OPENLDAP PACKAGE COMES WITH A SHELL EXECUTABLE NAMED ldapadd, USED TO ADD ENTRIES TO THE DATABASE WHILE THE LDAP SERVER IS RUNNING • BASIC SYNTAX: ldapadd -f <datafile> -D <dn> -w <passwd> (OR -W IF THE PASSWORD IS TO BE PROMPTED FOR)

  24. LDAPDELETE • ANOTHER SHELL EXECUTABLE, FOR DELETING ENTRIES • ITS SYNTAX IS ldapdelete 'cn=hi,o=iitb,c=india'

  25. LDAPMODIFY • IT IS ANOTHER SHELL EXECUTABLE, USED TO MODIFY DATA IN THE DIRECTORY DATABASE • IT HAS A SYNTAX SIMILAR TO ldapadd

  26. LDAPSEARCH • A SHELL-ACCESSIBLE INTERFACE TO THE ldap_search() C ROUTINE • ldapsearch OPENS A CONNECTION TO THE LDAP SERVER AND PERFORMS A SEARCH THAT FOLLOWS THE FILTERING RULES DEFINED IN RFC 1558

  27. LDAPSEARCH • FOR EXAMPLE, ldapsearch -b "c=INDIA" "o=IITB": IF * IS ALLOWED READ ACCESS BY DEFAULT, THE o=IITB ENTRY WILL BE RETURNED • THE -b OPTION SPECIFIES THE SEARCH BASE
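Slides 26 and 27 describe ldapsearch as a search base plus an RFC 1558 filter string. The script below is an added example, not part of the presentation and not the ldapsearch tool itself: it implements a small evaluator for RFC 1558 filter strings (and, or, not, equality, presence, substring with *, >=, <=, and the bare "attr=value" form ldapsearch accepts on the command line) together with the three search scopes (base, one level, and the default subtree), and runs them against a constructed in-memory directory. The directory contents are invented for the demonstration; the approximate-match operator ~= is treated as plain equality and no escape sequences are handled, which are simplifications of the real filter grammar.

```python
import re

# Constructed in-memory directory (not from the slides): DN -> {attribute: [values]}.
DIRECTORY = {
    "c=india": {"objectclass": ["country"], "c": ["india"]},
    "o=iitb,c=india": {"objectclass": ["organization"], "o": ["IITB"]},
    "cn=hi,o=iitb,c=india": {"objectclass": ["person"], "cn": ["hi"], "sn": ["Dhan"],
                             "mail": ["hi@iitb.example"]},
    "o=acme,c=us": {"objectclass": ["organization"], "o": ["ACME"]},
}

_ITEM = re.compile(r"^([A-Za-z][\w;-]*)(>=|<=|~=|=)(.*)$")


def parse_filter(text):
    """Parse an RFC 1558 filter string into a tree of tuples."""
    text = text.strip()
    if not text.startswith("("):  # ldapsearch accepts a bare 'attr=value' without parentheses
        text = "(" + text + ")"
    node, rest = _parse(text)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    """Parse one parenthesised filter at the start of s; return (node, remaining_text)."""
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    s = s[1:]
    if s[:1] in ("&", "|"):  # and / or over any number of sub-filters
        op, children, s = s[0], [], s[1:]
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated %s filter" % op)
        return (op, children), s[1:]
    if s.startswith("!"):  # negation of exactly one sub-filter
        child, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated ! filter")
        return ("!", [child]), s[1:]
    end = s.find(")")  # simple item: attr op value (no escaping handled here)
    if end < 0:
        raise ValueError("missing ')' in filter item")
    m = _ITEM.match(s[:end])
    if not m:
        raise ValueError("bad filter item: %r" % s[:end])
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), s[end + 1:]


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, op, value = node
    values = attrs.get(attr, [])
    if op == "=" and value == "*":  # presence filter
        return bool(values)
    if op in ("=", "~="):  # equality / substring: '*' in the value is a wildcard
        pattern = re.compile(".*".join(re.escape(p) for p in value.split("*")), re.IGNORECASE)
        return any(pattern.fullmatch(v) for v in values)
    if op == ">=":
        return any(v.lower() >= value.lower() for v in values)
    return any(v.lower() <= value.lower() for v in values)  # "<="


def in_scope(dn, base, scope):
    """Is dn within the search base for the given scope ('base', 'one' or 'sub')?"""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    below = dn.endswith("," + base)
    if scope == "one":  # direct children only: exactly one RDN in front of the base
        return below and "," not in dn[:-len(base) - 1]
    return dn == base or below  # 'sub', ldapsearch's default


def ldapsearch(directory, base, filter_text, scope="sub"):
    """Mimic 'ldapsearch -b <base> "<filter>"': return the DNs of the matching entries."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and matches(node, attrs)]


if __name__ == "__main__":
    print(ldapsearch(DIRECTORY, "c=INDIA", "o=IITB"))
    print(ldapsearch(DIRECTORY, "c=india", "(&(objectclass=person)(cn=h*))"))
```

Running the slide's example, ldapsearch(DIRECTORY, "c=INDIA", "o=IITB"), returns only o=iitb,c=india; the access-control check the slide mentions (whether * has read access) happens on the server after this filter/scope evaluation and is not modelled here.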

  28. LDAP AND JAVA CONNECTIVITY • THERE EXISTS A PACKAGE CALLED JNDI (JAVA NAMING AND DIRECTORY INTERFACE) • IT CONTAINS THE APIS NEEDED TO CONNECT TO AN LDAP SERVER AND RETRIEVE INFORMATION

  29. JNDI EXAMPLE • A TYPICAL PROGRAM WRITTEN USING JNDI TO DO AN LDAP SEARCH WILL LOOK LIKE THIS (THE SLIDE SHOWS ONLY THE BEGINNING):

      import java.util.Hashtable;
      import java.util.Enumeration;
      import javax.naming.*;
      import javax.naming.directory.*;

      class Search {
          public static void main(String[] args) {
              // Environment properties that select the LDAP provider and the server to contact
              Hashtable env = new Hashtable(5, 0.75f);
              // Env is a helper class (not shown on the slide) holding the
              // initial-context factory class name and the server URL
              env.put(Context.INITIAL_CONTEXT_FACTORY, Env.INITCTX);
              env.put(Context.PROVIDER_URL, Env.MY_SERVICE);
              // ... (remainder omitted on the slide)
          }
      }

  30. Why LDAP? • Most LDAP servers are optimized for read-intensive operations. Thus, one can see an order-of-magnitude difference when reading data from an LDAP directory versus obtaining the same data from a relational database server optimized for OLTP. • Because of this optimization, however, most LDAP directories are not suited for storing data where changes are frequent.
