Lightweight Directory Access Protocol LDAP - PowerPoint PPT Presentation

1 / 53
About This Presentation
Title:

Lightweight Directory Access Protocol LDAP

Description:

Email system may use LDAP to look up addresses. ... describing what it is or, to which object class it belongs called objectClass. ... – PowerPoint PPT presentation

Number of Views:266
Avg rating:3.0/5.0
Slides: 54
Provided by: ICT371
Category:

less

Transcript and Presenter's Notes

Title: Lightweight Directory Access Protocol LDAP


1
Lightweight Directory Access ProtocolLDAP
  • Useful site/reference books for LDAP
  • http//www.openldap.org
  • Understanding and Deploying LDAP Directory
    Services, Tim Howes
  • LDAP System Administration, Gerald Carter
  • LDAP is an open, vendor-independent network
    protocol for accessing directory services.
    "lightweight" protocol is efficient and easy to
    use.
  • LDAP enables central management of users, groups,
    devices and data, helps reduce the number of
    distinct, application-specific directories,
    hence, eases the administration works.

2
LDAP
  • LDAP defines a message protocol used by directory
    clients and directory servers. The LDAP protocol
    uses different messages. For example, a bind
    request may be sent from the client to the LDAP
    server at the beginning of a connection. A search
    request is used to search for entry/entries in
    the directory.
  • LDAP defines a standard method for accessing and
    updating information in a directory.
  • LDAP defines a communication protocol it defines
    the transport and format of messages used by a
    client to access data in a directory.
  • LDAP does not define the directory service itself.

3
LDAP Standards
  • LDAP and X.500
  • X.500 is an overall model for directory service.
    The Directory Access Protocol (DAP) of X.500 is a
    "heavyweight" protocol that operates over a full
    OSI protocol stack and requires a significant
    amount of computing resources.
  • LDAP was originally developed as a front end for
    accessing X.500 directory service. LDAP is a
    lightweight protocol that runs directly over
    TCP/IP (port 389) and efficiently provides most
    of the functionality of DAP for Internet access.
  • LDAP standards RFC1777, 2251, 3377, 4510-4519,
    etc.
  • LDAP V3 extended LDAP V2 in various areas such
    as
  • Referrals and Continuations A server that does
    not store the requested data can refer the client
    to another server.
  • Simple Authentication and Security Layer (SASL).
  • Internationalization with Unicode.
  • Schema directory, extended operations, controls,
    etc.

4
LDAP applications
  • Enterprises with distributed computer systems can
    use online directories for fast searches,
    cost-effective management of users and security,
    and a central integration point for multiple
    applications and services.
  • Email system may use LDAP to look up addresses.
    LDAP can be used as a central authentication
    server. LDAP is used by many commercial
    directory systems.
  • LDAP is useful for storing information that would
    be read from many locations, but updated
    infrequently. Typical information include email
    addresses, phone numbers, staff/customer/student
    data, etc.

5
Directory Systems
  • Directory systems such as Novell eDirectory,
    Microsoft Active Directory and OpenLDAP, help
    administrators to manage systems and network
    resources.
  • A directory system is like a database but there
    are differences, for examples,
  • Read-to-write ratio of directories are much
    higher.
  • The scale of data distribution in directory
    systems are much higher.
  • Data synchronization (between replicas) in
    directory systems may be less stringent.
  • Types of directory systems NOS based (e.g.
    Windows AD), application specific (e.g. Lotus
    Notes), open standard (e.g. OpenLDAP), global
    directory (e.g. DNS), etc.

6
Directory for managing resources
  • Directory lets organizations store information in
    a hierarchical, object-oriented fashion.
    Directory uses objects (entries) to represent
    network resources such as users, groups,
    machines, devices, and applications.
  • Directory uses containers to represent
    organizations or collections of related objects.
    Directory manages the relationships among objects
    and containers to provide a single, centralized,
    comprehensive view.
  • This makes resources easier to find, manage, and
    use in a highly distributed network.
  • By grouping related users and network resources
    objects in containers, administrators can easily
    apply different settings (such as access
    permissions) to different groups.
  • Directory also lets administrators delegate
    specific administrative privileges and tasks to
    individual users.

7
LDAP Four Models
  • Four models for the use of directory services
  • LDAP Information model defines the kind of data
    in the directory
  • LDAP Naming model defines the organization and
    reference to the directory data
  • LDAP Functional model defines the way to access
    and update the data
  • LDAP Security model defines the way to protect
    data from unauthorized access

8
LDAP Information Model
  • LDAP information model defines the types of data
    and basic units of information that can be stored
    in the directory.
  • The basic unit of information is the entry, a
    collection of information (attributes) about an
    object. Often, information in an entry describes
    a real-world object such as people, departments,
    servers, printers, etc..
  • A set of attributes is stored in an entry.
  • Each attribute has a type and one or more values.
  • The type describes the kind of information
    contained.
  • The value contains the actual data.
  • Each entry contains information describing what
    it is or, to which object class it belongs
    called objectClass.

9
Relationship between Entries and Attributes
10
Attributes
  • Each directory entry contains a collection of
    attribute types and values. Attributes hold
    specific data element such as a name and a phone
    number.
  • cn common name
  • sn surname

11
LDAP Naming Model
  • LDAP naming model defines how to organize and
    refer data, i.e. how to refer to any particular
    directory entry within the directory structure.
    The design of a naming model is important for
    unique and unambiguous reference to an entry.
  • A naming model is also referred to as Namespace
    and Directory Information Tree (DIT).

dccsa-snm dccom
ouServers
ouPeople
cnSales web server
ouSales
cnJohn Chan
12
LDAP Naming Model
  • LDAP naming model specifies that entries are
    arranged in an inverted tree structure. LDAP
    names are backward relative to file system names
  • Every node (entry/object) in an LDAP directory
    contains data (attributes).
  • Some nodes can "contain" other nodes.
    Organizational Unit (OU) is an example of objects
    that can "contain" other objects.

dccsa-snm dccom
ouSales
ouEngineering
cnJohn Chan
cnKen Wong
13
LDAP Naming Model DN and RDN
  • LDAP directory namespace is hierarchical, it has
    the concept of fully-qualified names called
    Distinguished Names (DNs).
  • Each entry has a unique DN, such as,
  • cnJohn Chan, ouEngineering, dccsa-snm,
    dccom.
  • The DN of an entry helps identify the location of
    the entry in the directory tree.
  • In any entrys DN, the leftmost component is
    called the Relative Distinguished Name (RDN),
    e.g. cnJohn Chan
  • RDN of an entry must be unique among all its
    siblings.
  • Alias entry an entry pointing to another entry.

14
LDAP Functional Model
  • The Functional model describes operations that
    can be performed.
  • Three groups of operations are defined in the
    functional model
  • Interrogation operations - searching the
    directory and retrieve of data
  • Update operations - add, delete, rename and
    modify entries
  • Authentication and control operations - identify
    clients, controls in a session.
  • In addition to the above operations, version 3 of
    the LDAP protocol defines the way to add extended
    operation.

15
LDAP Functional Model
  • Two interrogation operations search operation
    and compare operation.
  • Search operation is for searching the directory
    for entries and retrieve individual directory
    entries.
  • Compare operation clients submits a compare
    request with a DN, an attribute name, and a
    value. The server returns positive or negative
    (true or false boolean) answer.
  • Authentication and control operations
  • Bind - a client authenticates itself to the
    directory.
  • Unbind - to terminate a connection and all
    operations.
  • Abandon - client issue an abandon request, with a
    message ID, to indicate which operation
    previously requested is no longer needed.

16
LDAP Search Operation
  • Used to search for entries and retrieve them
  • An LDAP search may takes eight parameters
    including
  • DN of base object for search
  • search scope
  • search filter
  • list of attributes to return
  • Other parameters alias, size, time, boolean

17
LDAP Search Operation Search Scope
  • A Sub-tree search scope covers the entire subtree
    from the search base.
  • A One-level search scope covers the immediate
    next level from the search base.
  • A Base search scope covers the search base only.

18
LDAP Filters
  • A standard method for selecting relevant entries
    in a LDAP search operation. Detailed
    specifications are given in RFC 2254, 2251.
  • Each filter is enclosed in parentheses. To
    combine filters, use or .

present attr "" substring attr ""
initial any final initial value any ""
( value "") final value attr
AttributeDescription from Section 4.1.5 of
RFC2251 value AttributeValue from Section
4.1.6 of RFC 2251
filter "(" filtercomp ")" filtercomp and / or
/ not / item and "" filterlist or ""
filterlist not "!" filter filterlist 1
filter item simple / present / substring simple
attr filtertype value filtertype equal /
approx / greater / less equal "" approx
"" greater "gt" less "lt"
19
LDAP Filter - example
  • Return all entries in the scope of the search
    with attribute cn having the value "Albert"
  • (cn Albert)
  • Return all entries in the scope of the search
    which do not have the attribute cn with the value
    "Albert"
  • (!(cn Albert))
  • Return all entries in the scope of the search
    which have the attribute matching a combination
    of multiple filters, for example,
  • (( snChan)((cnAlbert)(cnJohn)))

20
LDAP Add and Delete Operations
  • Creates a new entry with
  • The DN of new entry, and
  • A list of attributes and their values to put in
    the new entry
  • Requirement
  • parent of new entry exists
  • no entry of same name exists in that parent
  • new entry matches requirements of schemas
  • access control allows operation
  • Deletes an entry
  • Takes DN of entry to delete
  • Requirement
  • entry exists
  • entry has no child objects
  • access control allows operation

21
LDAP Modify Operation
  • Allows updating existing entry
  • Can add, delete or replace attributes
  • Can modify many attributes in one modify
    operation
  • Requirement
  • entry exists
  • all attribute modifications must succeed
  • resulting entry obeys schemas
  • access control permits modification

22
LDAP Rename and Move Operations
  • Rename an entry
  • Parameters the DN and the new RDN of entry
  • Requirement
  • entry exists
  • new name not already used by other entry
  • access control allows operation
  • Moving an entry to a new parent entry
  • Parameters the DN of the entry, DN of the new
    parent entry
  • Requirement
  • the new parent entry exists
  • no entry in the new parent has the same RDN
  • access control allows operation

23
LDAP Bind Operation
  • Authenticates client to the directory
  • Three bind types
  • Simple bind
  • send DN and password in clear text to server
  • Need to use TLS to encrypt communication in this
    case
  • Simple Authentication and Security Layer (SASL)
    bind
  • A standard protocol independent way of
    negotiating and performing authentication
  • Anonymous bind
  • No (empty) DN and password
  • Client can bind, perform operations, bind again,
    and perform other operations

24
OpenLDAP utilities
  • The utility ldapsearch is used to query a
    directory, for example,
  • ldapsearch x h ldap.csa-snm.com b
    "dccsa-snm,dccom" "((ousales)(acTypestaff))"
  • Common parameters/options for ldapsearch
  • -x use simple authentication instead of SASL
  • -h specify hostname of LDAP server
  • -b specify the DN of the search base
  • -s specify the search scope, options are base,
    one and sub
  • -D specify a DN to bind with
  • -w specify a password (use W for interactive
    prompt)
  • Other utilities of OpenLDAP
  • ldapmodify, ldapdelete, ldapadd, ldapmodrdn
    (rename RDN), ldapcompare, ldappasswd
  • slapadd, slapcat, slapindex, slappasswd

25
LDAP Security Model
  • LDAP security model protects the information in
    the directory from unauthorized access. With
    anonymous bind, the server does not know who the
    client is, hence, limited (or none) privileges
    will be provided.
  • Apart from simple binding, LDAP also supports
    (LDAPv3) Secure Socket Layer SSL, Transport Layer
    Security TLS and Simple Authentication and
    Security Layer SASL.
  • Similar to the use of HTTPS (Hypertext Transfer
    Protocol over SSL) for secure web access, LDAP
    over SSL (LDAPS) allows secure LDAP client access
    and client authentication (uses port 636).
  • For secure directory data (queries/search and
    results) transmission between LDAP server and
    clients, LDAPv3 can use TLS encryption to prevent
    eavesdropping on the Internet.

26
Directory Security
  • Securing an LDAP directory
  • Authentication - checking the identification, two
    parties (user server) involved with a third
    party of mutual trust.
  • Authorization assign access rights to someone,
    and requiring certain rights to access resources
    or perform actions on resources. Different
    levels of access (read, write, etc.) to different
    resources may be assigned to different users.
  • Encryption transmitting or storing data
    securely so it is kept private.

27
Directory Schema
  • A directory schema is a set of rules that
    determines what data can be stored in a
    directory. Schema determines the allowed object
    classes and attributes. LDAP schema formats
    ASN.1, U of Michigan, LDAPv3.
  • A directory schema also determines how directory
    servers and clients should treat information
    during directory operations such as a search.
    Before a directory server stores a new or
    modified entry, it checks the entrys contents
    against the schema rules. Whenever directory
    clients or servers compare two attribute values,
    they consult the schema to determine what
    comparison algorithm to use.
  • Schemas can be used to impose constraints on the
    size, range, and format of data values stored in
    the directory.
  • There is only one namespace for attributes the
    definition of an attribute, such as cn, is the
    same for all Object Classes that support that
    attribute.

28
Directory Schema
  • Sets of rules that describes what kind of data is
    stored.
  • Determines rules that entries must follow.
  • Reduces duplication of data
  • Specifies details of object classes such as
    required attributes and allowed attributes.
  • Specifies details of attributes such as how to
    compare, data type, range/size, etc.
  • Schema consists of Attribute Types, Attribute
    Syntaxes and Object Classes.
  • Example of schema core.schema of openLDAP

29
Object Classes
  • Object classes are defined in LDAP Schema.
  • Object classes are used to group related
    information. An object class models some
    real-world object such as a person, printer, or
    network device.
  • An object class defines what attributes must, or
    may be present in an entry
  • For example, an object class called person that
    hold information about peoples requires that a
    name be present in the entry, and allows a number
    of optional attributes to be included, such as
    age, sex, telephone, etc.

30
Object Classes
  • An object class includes the following
    information
  • A name that uniquely identifies the class, such
    as person
  • An Object ID (OID) that also uniquely identifies
    the class
  • A set of mandatory attribute types.
  • A set of allowed attribute types, could be quite
    long.
  • A kind (or type) structural, auxiliary or
    abstract.
  • Multiple object classes
  • An entry can be one type of structural object
    class and can also be several types of auxiliary
    object classes.
  • An entry cannot be two different types of
    structural object classes (e.g. an entry cannot
    be a person as well as a device)

31
Kind/type of Object Class
  • Structural object classes represent real-world
    objects. Most object classes are structural
    classes. Each entry should belong to exactly one
    structural object class. Classes of this type can
    be instantiated into objects. Example person
  • Auxiliary object classes are used to add a set of
    attributes to an entry that already belongs to a
    structural class classes of this type provide
    attributes that extend a structural class.
    Classes of this type cannot be used on their own.
    Example dcObject
  • Abstract object classes are used only for classes
    needed to support LDAPs basic information model.
    Classes of this type provide attributes that
    flow through the hierarchy, for example, the
    abstract object class top ensures that all
    classes derived from it contain the attribute
    objectClass. Abstract object classes cannot be
    instantiated into object.

32
Example of Object Class
  • Here is the definition for the object class
    person
  • objectclass ( 2.5.6.6 NAME 'person'
  • SUP top STRUCTURAL
  • MUST ( sn cn )
  • MAY ( userPassword telephoneNumber
  • seeAlso description ) )
  • This says a person entry must contain
  • a surname (sn) and
  • common name (cn),
  • and may contain a userPassword, a
    telephoneNumber, a description, and a reference
    to another LDAP entry.

33
Object Class inheritance
  • Object class inheritance is also referred as
    subclassing. With subclassing, one object class
    can be derived from another, and inherits the
    characteristics.
  • For example, the object class inetOrgPerson
    extends the object class organizationalPerson and
    includes additional attribute types.
  • Therefore, inetOrgPerson entries must have all
    the "required" attributes defined in the object
    class organizationalPerson. Also, inetOrgPerson
    entries are allowed to include any of the
    "optional" attributes of the object class
    organizationalPerson.

34
Object Class Definitions for top and organization
  • Objectclass top
  • (2.5.6.0
  • Name top
  • ABSTRACT
  • MUST (
  • objectClass
  • )
  • )
  • Objectclass organization
  • (2.5.6.4
  • NAME organization
  • SUP top
  • STRUCTURAL
  • MUST (
  • o
  • MAY (
  • userPassword
  • searchGuide
  • seeAlso
  • businessCategory
  • x121Address
  • registeredAddress
  • destinationIndicator
  • preferredDeliveryMethod
  • telexNumber
  • teletexTerminalIdentifier
  • telephoneNumber
  • internationaliSDNNumber
  • facsimileTelephoneNumber
  • street
  • postOfficeBox
  • postalAddress
  • physicalDeliveryOfficeName
  • st
  • l
  • description
  • )

35
Example Object Class Definitions (1)
  • Object class top
  • All object classes derived from the object class
    top
  • Its purpose is to ensure every object contains
    the objectClass attribute
  • It exists only to be subclassed i.e., ABSTRACT
  • You will not find an entry for object class top
  • Because every object class inherits from top,
    every object class must contain the attribute
    objectClass
  • (2.5.6.0
  • NAME top
  • ABSTRACT
  • MUST (
  • objectClass
  • )
  • )

36
Example Object Class Definitions (2)
  • Object class person
  • Derived from top
  • Besides the attribute objectClass inherited
    from top every person entry must have the
    attributes sn and cn
  • The line with SUP top expresses that the
    object class top is its ancestor
  • We can use the numeric OID here SUP 2.5.6.0
  • (2.5.6.6
  • NAME person
  • SUP top
  • STRUCTURAL
  • MUST (
  • sn cn
  • )
  • MAY (
  • userPassword telephoneNumber seeAlso
    description
  • )
  • )

37
Example Object Class Definitions (3)
  • Object class organizationalPerson
  • Derived from person
  • This object class has a number of attributes
    useful for implementing an employee object such
    as fax number, organizational unit and so on.
  • It adds more optional attributes in addition to
    those provided by person.
  • (2.5.6.7
  • NAME 'organizationalPerson'
  • SUP person
  • STRUCTURAL
  • MAY (
  • title x121Address registeredAddress
    destination Indicator preferredDeliveryMet
    hod telexNumber teletexTerminal Identifier
    telephoneNumber internationaliSDNNumber
    facsimileTelephoneNumber street postOfficeBox
    postalCode postalAddress physicalDeliveryOff
    iceName ou st 1
  • )
  • )

38
Example Object Class Definitions (4)
  • Object class inetOrgPerson
  • This class was intended to accommodate
    information about a person in a typical
    Internet/Intranet environment
  • (2.16.840.1.113730.3.2.2
  • NAME ' inetOrgPerson '
  • SUP organizationalPerson
  • STRUCTURAL
  • MAY (
  • audio businessCategory carLicense
    departmentNumber displayName employeeNumber
    employeeType givenName homePhone
    homePostalAddress initials jpegPhoto
    labeledURI mail manager mobile o pager
    photo roomNumber secretary uid
    userCertificate x500uniqueIdentifier
    preferredLanguage userSMIMECertificate
    userPKCS12
  • )
  • )

39
LDAP Data Interchange Format (LDIF)
  • LDIF is defined in RFC 2849
  • LDIF is used to represent entries of an LDAP
    directory or a set of changes to an LDAP
    directory in a text-based file format.
  • LDIF can be used for a variety of management
    functions, including backup, replication, bulk
    import/export or modification.
  • For example, to add entries, you can first put
    all the details of the entries in a ldif file and
    then use the ldapadd command with the option f
    ltfilename of ldifgt

dn uidjohnc,ouPeople,dccsa-snm,dccom uid
johnc cn John Chan givenName John sn
Chan mail johnc_at_csa-snm.com objectClass
person description a staff dn
uidmayc,ouPeople,dccsa-snm,dccom
Example of LDIF
40
Example - Content of a directory exported to a
LDIF file
  • dn oldap_abc.de
  • objectclass top
  • objectclass organization
  • o ldap_abc.de
  • l Munich
  • dn ouIT, oldap_abc.de
  • objectclass top
  • objectclass organizationalUnit
  • ou IT
  • description Information Technologies
  • dn ouHR, oldap_abc.de
  • objectclass top
  • objectclass organizationalUnit
  • ou HR
  • description Human Resources
  • dn uidSParker, ouHR, oldap_abc.de
  • objectclass top
  • objectclass person
  • objectclass organizationalPerson
  • objectclass inetOrgPerson
  • ou HR
  • cn Sarah Parker
  • sn Parker
  • givenName Sarah
  • uid SParker
  • mail SarahParker_at_ldap_abc.de
  • Mobile (0049) 89 671 293

41
Different Types of Objects
  • We have three different types of objects
  • The whole organization is identified by an o
  • oldap_abc.de
  • The individual departments, called
    organizationalUnit abbreviated with ou
  • ouIT,oldap_abc.de
  • ouHR,oldap_abc.de
  • The entry for a single person, called
    inetOrgPerson is identified as follows
  • uidSParker,ouHR,oldap_abc.de
  • Each entry corresponds directly to an object in
    the real world, i.e, a person, a printer, a
    computer, an organization, etc.

42
LDAP URLs
  • RFC 2255 defines the format of URL for LDAP
    system
  • ldapurl ldap"//" hostport "/" dn "?"
    attributes "?" scope "?" filter "?"
    extensions
  • port number defaults to 389 for LDAP and 636
    for LDAPS
  • dn the distinguished name used as the base of
    the search
  • scope either base, one or subtree
  • attributes a comma-separated list of the
    attributes to return
  • filter the search filter to apply
  • Example querying an LDAP server on port 389 and
    doing a subtree search of the CSA-SNM for any
    entry with a surname of "Chan", retrieving all
    attributes
  • ldap//csa-snm.com389/dccsa-snm,dccom??sub?(sn
    Chan)

43
Directory Structure
  • Hierarchical structure
  • A deeper (more layers) structure can easily
    delegate controls to local departments/units
  • Searching can be more efficient
  • Flat structure
  • A simple and flat structure (with a few
    containers) needs fewer movements of objects
    between containers when there is change in the
    real-world organization of staff and equipment
    (e.g. reorganization, changing of departments)
  • Other factors for design directory structure
  • Replication
  • Access Control
  • Requirement of applications that use the directory

44
Directory Structure
45
LDAP Referrals
  • LDAP referrals and search result continuation
    references are pieces of knowledge reference
    information sent from an LDAP server to an LDAP
    client indicating that other servers need to be
    contacted to fulfill the client's request.
  • LDAP referrals When an LDAP client performs an
    LDAP add, modify, delete, modify DN, compare, or
    search operation with a base-level scope, and the
    server does not hold the target entry, the
    knowledge reference information is returned to
    the client in an LDAP referral.
  • LDAP search result continuation references If
    the server was able to locate the entry referred
    to by the baseObject but was unable to search all
    the entries in the scope at and under the
    baseObject, the server may return one or more
    search result continuation references.
  • The information in LDAP referrals and search
    result continuation references is in the format
    of an LDAP Uniform Resource Locator (URL).

46
LDAP Referral Chaining
  • The information in LDAP referral or reference
  • Host name of the server to contact
  • Port number of the server
  • The base DN or target DN this part is optional.
  • Example ldap//serverB.csa-snm.com389/ousales
    ,dccsa-snm,dccom
  • Another way to glue together directory partitions
    is with chaining. When this approach is used and
    if the server is unable to process the client's
    request completely because it does not hold all
    the required data, it (the server) contacts other
    servers on behalf of the client (forming a chain
    of connections between servers). After the other
    servers have completed the operations, the server
    that was contacted by the client returns the
    combined results to the client.

47
LDAP Replication
  • In replication systems, a Master server sends
    updates to another server a Replica (or slave)
    server accepts those changes.
  • Single-Master Replication system
  • Only one server contains a writable copy of a
    given directory entry. Only the master server
    can perform write operations.
  • All replicas contain read-only copies of the
    entry.
  • Multi-Master Replication system
  • More than one read/write copy of an entry is
    available. Client may submit update operation to
    any of the read/write replicas. The set of
    cooperating servers need to ensure that changes
    are propagated to all servers and that
    consistency is maintained.

48
Single-Master Replication
  • Method I all modifications go to the master LDAP
    server
  • Method II Referrals
  • Client sends modification to replica
  • Replica returns referral to master
  • Client resubmits modification to master
  • Master returns results to client
  • Master updates replica with change
  • Method III Chaining
  • Client sends modification to replica
  • Replica forwards request to master
  • Master returns result to replica
  • Replica forwards result to client
  • Master updates replica

49
OpenLDAP Access Control
  • OpenLDAP server Stand-alone LDAP daemon (slapd)
  • At present, there is no standard LDAP access
    control model specified. Different vendors are
    using different approaches to implement access
    control. Some vendors place a separate Access
    Control List (ACL) on each directory entry
    (possibly with inherited settings from parent
    entries). With OpenLDAP, there is not a separate
    ACL for each entry. Instead, directives in the
    slapd configuration file form the basis for
    access control policy.
  • All slapd runtime configuration is accomplished
    through the slapd.conf file. An important
    configuration in the slapd.conf file is about
    access control. Access to slapd entries and
    attributes is controlled by the access directives
    defined in the configuration file.
  • Reference for slapd.conf - http//www.openldap.org

50
OpenLDAP Access Control
  • ltaccess directivegt access to ltwhatgt
  • by ltwhogt ltaccessgt ltcontrolgt
  • ltwhatgt dn.ltbasic-stylegtltregexgt
    dn.ltscope-stylegtltDNgt
    filterltldapfiltergt attrsltattrlistgt
  • ltwhogt anonymous users self
  • dn.ltbasic-stylegtltregexgt
    dn.ltscope-stylegtltDNgt
  • ltaccessgt selfltlevelgtltprivgt
  • ltlevelgt none auth compare search read
    write
  • ltscope-stylegt base one subtree children
  • ltprivgt -wrscx0
  • ltcontrolgt stop continue break

51
OpenLDAP Access Control
  • The ltwhatgt part of an access specification
    determines the entries and attributes to which
    the access control applies.
  • Examples of specifying ltwhatgt
  • dn"cnJohn,oustaff,dccsa-snm,dccom"
  • dn.base"oustaff,dccsa-snm,dccom"
  • match the base entry only, i.e. oustaff
  • dn.one"oustaff,dccsa-snm,dccom"
  • match entries at the next level
  • dn.subtree"oustaff,dccsa-snm,dccom"
  • match entries of the subtree including the base
    entry
  • dn.children"oustaff,dccsa-snm,dccom"
  • match entries of the subtree excluding the base
    entry
  • Attributes are selected by including a
    comma-separated list of attribute names in the
    ltwhatgt selector, for example,
  • dn.subtree"oustaff,dccsa-snm,dccom" attrssn

52
OpenLDAP Access Control
  • The ltwhogt part identifies the entity or entities
    being granted access. Entities can be specified
    by a number of ways
  • the special "" identifier, matching any entry,
  • the keyword "self" matching the entry protected
    by the access,
  • Anonymous non-authenticated Users
    authenticated
  • a regular expression matching an entry's
    distinguished name
  • a regular expression matching the client's IP
    address or domain name
  • The kind of ltaccessgt granted can be one of the
    following
  • none auth compare search read write
  • Each level implies all lower levels of access,
    e.g. granting the write access to an entry also
    grants read, search, compare, and auth access to
    that entry.

53
OpenLDAP Access Control
Write a Comment
User Comments (0)
About PowerShow.com