UsMan's WoRkSpAce

Sunday, April 04, 2010

LDAP technicalities

* LDAP is a protocol that implements access to a directory. It was derived from the X.500 protocol. Typically, an LDAP client accesses an LDAP server to search or update entries in a backend directory data store. The data store can vary from a simple text file to an enterprise-level database, but that is irrelevant to the LDAP protocol itself. LDIF (LDAP data interchange format) is a text file format that describes the content in an LDAP server and also provides a way to add/modify content.

* There are four LDAP models. The information model describes the entries/nodes that contain data; these are arranged in a directory information tree (DIT) and hold data as per data templates or object classes. The naming model describes how each entry in a DIT is referenced by a distinguished name (DN), which is based on a unique attribute of the entry; it can also be the result of multiple attributes that together are unique for any entry. A DN is made up of multiple relative DNs (RDNs) from the node in question to the root of the tree. The functional model defines the operations that can be performed on directory data, including binding, read and write operations. The security model describes how a client authenticates to access the LDAP server and provides credentials to prove its identity.

* Object classes are of three types: structural (each entry must have one structural object class), auxiliary (which extends an object class) and abstract (which is derived from a structural class).

* The LDAP naming context determines which queries an LDAP server will answer and which it will refer to another server, similar to DNS operation. Normally, LDAP naming is mapped to a DNS domain name using an auxiliary 'domain object' object class, which has 'dc' as a must-have attribute. An LDAP server with a naming context of dc=example,dc=com will not answer queries in the dc=com context. Initially, naming contexts were defined in terms of organisational and geographical units, which added complexity in uniquely identifying a particular directory.

* LDAP client authentication can be anonymous, simple (clear-text), simple with TLS, or SASL authentication. SASL defines a pluggable authentication mechanism where the client and server can negotiate any authentication method that they both support, such as Kerberos.

* www.ldapzone.com is a reference source

Terms:
Entry: A node in a directory information tree. It is an instance of one or more object classes and serves as the basic unit of a directory. An entry is named through a DN, which may or may not be an attribute of the entry.

DN: Defines how an entry is named or referenced.

Attribute: Defines the data contained in an entry.

Attribute type: Defines what can or cannot become part of an attribute.

Object class: Data template which defines the attributes that may or must be present in an entry of that class. It also contains matching rules, which represent the comparison rules for attributes. Matching and encoding rules are part of an object class. Matching rules are identified by an OID, which is a unique reference.

Distributed directory: An LDAP directory can be implemented in a distributed architecture where a master server delegates part of the DIT to another server. The lower server directly answers only queries in its sub-naming context and refers LDAP clients to the upstream server for the remaining queries. The master server refers clients to the lower server through referrals. A server can also support recursive operation, where it follows the referrals without the client even knowing it.

userPassword: Attribute that holds the password for a particular user entry. It can be of crypt, MD5, SHA or SSHA type. SSHA is the salted SHA variant and is considered the most secure.
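As an added example (not part of the original notes), a small Python sketch of two of the points above: building and verifying an RFC 2307 style {SSHA} userPassword value, and deciding whether a DN falls inside a server's naming context (dc=example,dc=com answers for its subtree, not for dc=com). The password, salt and DNs are constructed sample values, and the RDN split on commas is a simplification that ignores escaped commas.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample values: a fixed salt keeps the result reproducible.
# A real server draws the salt from os.urandom().
PASSWORD = "correct horse"
FIXED_SALT = b"\x01\x02\x03\x04"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def scheme_of(stored: str) -> str:
    """Return the {SCHEME} prefix of a userPassword value, or 'cleartext'.
    Useful when auditing which entries still use unsalted or no hashing."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "cleartext"


def _rdns(dn: str) -> List[str]:
    # Simplified RDN split: does not handle escaped commas in values.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_naming_context(dn: str, context: str) -> bool:
    """True if dn lies under the server's naming context. RDNs are compared
    from the tree root (rightmost) inwards, which is how a server decides
    whether to answer a query itself or hand back a referral."""
    dn_rdns, ctx_rdns = _rdns(dn), _rdns(context)
    return len(dn_rdns) >= len(ctx_rdns) and dn_rdns[-len(ctx_rdns):] == ctx_rdns
```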