
LDAP: LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL

PRESENTATION BY ALAKESH APURVA DHAN AND ASH

WHAT IS LDAP
LDAP IS LIGHTWEIGHT: SUFFICIENT, STRAIGHTFORWARD AND EASY TO IMPLEMENT, AS AGAINST X.500 DAP, WHICH IS HEAVYWEIGHT.

LDAP
DIRECTORY, BECAUSE DATA IS ORGANISED IN THE FORM OF A TREE, MUCH LIKE THE UNIX FILE SYSTEM
USES A SIMPLIFIED SET OF ENCODINGS
RUNS DIRECTLY ABOVE TCP/IP
USES STRINGS TO REPRESENT DATA

LDAP
LDAP SECURITY MODEL: DEFINES HOW INFORMATION CAN BE PROTECTED FROM UNAUTHORISED ACCESS

LDAP
LDAP API: THERE ARE SEVERAL LDAP APIs (APPLICATION PROGRAMMING INTERFACES). THE OLDEST ONES WERE WRITTEN IN C; NOWADAYS LDAP APIs ARE ALSO AVAILABLE IN OTHER PROGRAMMING LANGUAGES LIKE PERL AND JAVA.

HOW LDAP WORKS


THE LDAP DIRECTORY SERVICE IS BASED ON THE CLIENT-SERVER MODEL. LDAP IS A MESSAGE-ORIENTED PROTOCOL:
THE CLIENT CONSTRUCTS AN LDAP MESSAGE CONTAINING A REQUEST AND SENDS IT TO THE SERVER.

HOW LDAP WORKS


THE SERVER PROCESSES THE REQUEST AND SENDS THE RESULT BACK TO THE CLIENT IN THE FORM OF AN LDAP MESSAGE.

LDAP BACKENDS
THE BASIC DAEMON PROCESS THAT RUNS ON THE LDAP SERVER, CALLED slapd, COMES WITH THREE DIFFERENT BACKEND DATABASES. WE ASSUME THAT IN OUR CASE WE USE LDBM, THE MOST USED ONE.

HOW LDAP WORKS


THE LDAP DATABASE WORKS BY ADDING A COMPACT FOUR-BYTE UNIQUE IDENTIFIER TO EACH ENTRY; INDEX FILES ARE MAINTAINED FOR REFERRING TO THE DATA.

LDAP PROTOCOL OPERATION


INTERROGATION OPERATIONS: SEARCH, COMPARE
ADD/DELETE OPERATIONS: ADD, DELETE, MODIFY, MODIFY DN
AUTHENTICATION AND CONTROL OPERATIONS: BIND, UNBIND, ABANDON

LDAP INFORMATION MODEL


THE BASIC UNIT IS THE ENTRY (A COLLECTION OF INFORMATION ABOUT AN OBJECT). AN ENTRY IS COMPOSED OF A SET OF ATTRIBUTES.

LDIF
LDIF STANDS FOR LDAP DATA INTERCHANGE FORMAT. DIRECTORY ENTRIES IN LDAP ARE WRITTEN IN LDIF.

LDIF FORMAT
BASIC FORM OF LDIF:
# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>
...
EXAMPLE:
dn: uid=alakesh, dc=iit, dc=edu

LDAP
IN ADDITION TO BEING A NETWORK PROTOCOL, LDAP ALSO DEFINES FOUR MODELS.
LDAP INFORMATION MODEL: DEFINES THE KIND OF DATA YOU PUT IN THE DIRECTORY
LDAP NAMING MODEL: HOW YOU ORGANISE AND REFER TO DIRECTORY INFORMATION

LDIF FORMAT
LINES STARTING WITH # ARE CONSIDERED TO BE COMMENTS. ALL OTHER LINES ARE ATTRIBUTES, WRITTEN IN THE <attrdesc>: <value> FORM.

LDIF
EACH ENTRY IS UNIQUELY IDENTIFIED BY A DISTINGUISHED NAME, OR DN. THE DN CONSISTS OF THE NAME OF THE ENTRY PLUS A PATH IN THE DIRECTORY TREE TRACING BACK TO THE TOP OF THE DIRECTORY HIERARCHY.
THE OBJECT CLASS DEFINES THE SET OF ATTRIBUTES THAT CAN BE USED TO DEFINE AN ENTRY.

LDIF
DIRECTORY DATA IS REPRESENTED AS ATTRIBUTE-VALUE PAIRS. ANY SPECIFIC PIECE OF INFORMATION IS ASSOCIATED WITH A DESCRIPTIVE ATTRIBUTE.

LDAP CONFIGURATION
THE CONFIGURATION FILE slapd.oc.conf CONTAINS THE DEFINITIONS OF ALL THE OBJECT CLASSES; THE ATTRIBUTES OF THE OBJECT CLASSES ARE DEFINED IN THE slapd.at.conf FILE.

LDAP CONFIGURATION
EACH OBJECT CLASS HAS REQUIRED AND ALLOWED ATTRIBUTES. REQUIRED ATTRIBUTES MUST BE PRESENT, WHILE ALLOWED ONES ARE OPTIONAL.

LDAP CONFIGURATION
EACH ATTRIBUTE HAS A CORRESPONDING SYNTAX DEFINITION.
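As an added example (not from the slides), a small Python parser for the basic LDIF form shown earlier, followed by a check of each entry's required and allowed attributes against a schema table in the spirit of slapd.oc.conf. The schema and the sample LDIF are constructed for this example and use placeholder object class and attribute names.

```python
# Constructed schema in the spirit of slapd.oc.conf: required/allowed attributes per class.
SCHEMA = {
    "person": {"required": {"cn", "sn"}, "allowed": {"uid", "mail"}},
    "organization": {"required": {"o"}, "allowed": {"description"}},
}
SAMPLE_LDIF = """\
# constructed sample; the second entry lacks the required sn and carries an undefined attribute
dn: o=iitb,c=india
objectClass: organization
o: iitb

dn: uid=alakesh,o=iitb,c=india
objectClass: person
cn: Alakesh
phone: 12345
"""
def parse_ldif(text):
    """Return [(dn, {attrdesc: [values]})]; '#' lines are comments, blank lines end an entry."""
    entries, dn, attrs = [], None, {}
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        desc, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        desc, value = desc.strip().lower(), value.strip()   # attribute names are case-insensitive
        if desc == "dn":
            dn = value
        elif dn is None:
            raise ValueError("attribute before dn: %r" % raw)
        else:
            attrs.setdefault(desc, []).append(value)
    return entries
def check_entry(dn, attrs, schema=SCHEMA):
    # Returns the list of schema violations for one entry; an empty list means it is valid.
    problems, required, allowed = [], set(), {"objectclass"}
    for oc in (c.lower() for c in attrs.get("objectclass", [])):
        if oc not in schema:
            problems.append("unknown objectClass %s" % oc)
            continue
        required |= schema[oc]["required"]
        allowed |= schema[oc]["required"] | schema[oc]["allowed"]
    problems += ["missing required %s" % a for a in sorted(required - set(attrs))]
    problems += ["%s not allowed" % a for a in sorted(set(attrs) - allowed)]
    return problems
```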

LDAP ACCESS CONTROL


access to <what> [ by <who> <access level> <control> ]
THIS DIRECTIVE GRANTS ACCESS TO A SET OF ENTRIES/ATTRIBUTES BY ONE OR MORE REQUESTERS.
EXAMPLE: access to * by * read

LDAP ACCESS CONTROL


THE ABOVE DIRECTIVE GIVES READ PERMISSION TO EVERYONE.
FOR EXAMPLE, access to dn=.*,c=india by * search GIVES SEARCH PERMISSION ON THE ENTRIES UNDER THE c=india SUBTREE.

LDAPADD
THE OPENLDAP PACKAGE COMES WITH A SHELL EXECUTABLE NAMED ldapadd, USED TO ADD ENTRIES TO THE DATABASE WHILE THE LDAP SERVER IS RUNNING. THE BASIC SYNTAX IS: ldapadd -f <datafile> -D <dn> -w <passwd> (OR -W IF THE PASSWORD IS TO BE PROMPTED FOR).

LDAPDELETE
ANOTHER SHELL EXECUTABLE, FOR DELETING ENTRIES.
ITS SYNTAX IS: ldapdelete cn=hi,o=iitb,c=india

LDAPMODIFY
IT IS ANOTHER SHELL EXECUTABLE, USED TO MODIFY DATA IN THE DIRECTORY DATABASE.
IT HAS A SIMILAR SYNTAX TO ldapadd.

LDAPSEARCH
A SHELL-ACCESSIBLE INTERFACE TO THE ldap_search() C ROUTINE. ldapsearch OPENS A CONNECTION TO THE LDAP SERVER AND PERFORMS A SEARCH THAT FOLLOWS THE FILTERING RULES DEFINED IN RFC 1558.

LDAPSEARCH
FOR EXAMPLE: ldapsearch -b c=india o=iitb . IF * IS ALLOWED READ ACCESS BY DEFAULT, THE o=iitb ENTRY WILL BE RETURNED.
THE -b OPTION SPECIFIES THE SEARCH BASE.

LDAP AND JAVA CONNECTIVITY


THERE EXISTS A PACKAGE CALLED JNDI (JAVA NAMING AND DIRECTORY INTERFACE). IT CONTAINS THE APIs NEEDED TO CONNECT TO AN LDAP SERVER AND RETRIEVE INFORMATION.

JNDI EXAMPLE

A typical piece of code written using JNDI to do an LDAP search will look like this (the slide's fragment is completed here; the standard JNDI LDAP context factory and a placeholder server URL stand in for the Env.INITCTX and Env.MY_SERVICE constants it referred to, which are not shown):

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.*;

    class Search {
        public static void main(String[] args) throws NamingException {
            Hashtable<String, String> env = new Hashtable<>(5, 0.75f);
            // standard JNDI LDAP factory and a placeholder URL stand in for Env.INITCTX / Env.MY_SERVICE
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
            DirContext ctx = new InitialDirContext(env);
            // search the entries directly under o=iitb,c=india for the one whose uid is alakesh
            NamingEnumeration<SearchResult> results =
                ctx.search("o=iitb,c=india", "(uid=alakesh)", new SearchControls());
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
            ctx.close();
        }
    }

Why Ldap?
Most LDAP servers are optimized for read-intensive operations. Thus, one can see an order of magnitude difference when reading data from an LDAP directory versus obtaining the same data from a relational database server optimized for OLTP. Because of this optimization, however, most LDAP directories are not suited for
