Lightweight Directory Access Protocol (LDAP)
- is an open, vendor-neutral application protocol (current version LDAPv3, RFC 4511) that lets clients query and modify the entries of a directory service such as OpenLDAP or Active Directory: user accounts, groups, hosts and their attributes.
LDAP - Protocol Overview
An LDAP query typically involves:
- session connection - the client opens a TCP connection to the server (port 389 for ldap://, 636 for ldaps://) and normally authenticates with a bind operation.
- request - the client submits an operation, such as a search for a user's email address, to the server.
- response - the server runs the operation against the directory and returns the matching entries (or just a result code) to the client.
- completion - the client sends an unbind and closes the connection.
LDAP - Authentication
Before an LDAP operation is performed on behalf of a user, the client must bind (authenticate) to the server; a connection that has not bound is treated as anonymous. LDAPv3 (RFC 4513) defines two bind methods:
Simple Authentication
Simple authentication (the simple bind) covers three cases, distinguished only by which fields are empty:
- Anonymous Authentication: empty name and empty password. The client gets whatever rights the server grants to anonymous sessions (often read-only, sometimes nothing).
- Unauthenticated Authentication: a DN with an empty password. RFC 4513 intends this for logging and tracing only and says servers should reject it by default (unwillingToPerform); servers that do accept it grant only anonymous rights, so an application that forwards an empty password from a login form can receive a "successful" bind that proves nothing. Clients must refuse to send empty passwords.
- Name/Password authentication: a DN and a password. Access is granted based on the credentials, but the password travels in the bind request as a plain octet string, so simple bind is only acceptable with confidentiality protection (ldaps:// or StartTLS).
SASL (Simple Authentication & Security Layer)
SASL authentication (RFC 4422) lets the bind carry the exchange of an external authentication mechanism, for example GSSAPI (Kerberos), DIGEST-MD5, EXTERNAL (the client certificate already presented during the TLS handshake) or PLAIN. The client names the mechanism in its bind request; if the mechanism needs several steps, the server answers with saslBindInProgress (result code 14) and a challenge in serverSaslCreds, and the client sends a further bind request with its response, until the mechanism reports success or failure. The LDAP server validates the mechanism data itself or hands it to the backing system (a Kerberos KDC for GSSAPI); with GSSAPI or EXTERNAL no password crosses the wire at all.
It's important to note that LDAP is plain TCP by default: a simple bind on ldap://host:389 puts the DN and password on the wire as readable bytes, and anyone who can sniff that segment can read them. Either connect with ldaps:// (TLS from the first byte, port 636) or issue the StartTLS extended operation on port 389 before binding, and make the client reject servers whose certificates do not validate. Some SASL mechanisms (GSSAPI, DIGEST-MD5) can negotiate their own integrity and confidentiality layer, but TLS is the simpler and universally supported protection for usernames and passwords.
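The two bind forms described above, encoded by hand. This is an added example, not code from the original page: it builds the BER bytes of an LDAPv3 BindRequest (simple and SASL) exactly as a client would put them on the wire and parses a BindResponse, so the cleartext password and the empty-password pitfall can be seen in the bytes themselves. Nothing is sent over the network; the DN, password and message IDs are made up.

```python
"""Hand-encoded LDAPv3 bind in BER (RFC 4511 BindRequest/BindResponse, X.690).

Constructed example: no network, no real server. The DN, password and
message IDs are made up; the byte layout is the real protocol encoding.
"""

# Universal tags, the [APPLICATION 0/1] constructed tags for bind request/response,
# and the two AuthenticationChoice alternatives simple [0] and sasl [3].
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61
CTX_SIMPLE, CTX_SASL = 0x80, 0xA3
RESULT_SUCCESS, RESULT_SASL_BIND_IN_PROGRESS, RESULT_INVALID_CREDENTIALS = 0, 14, 49


def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, otherwise 0x80|count then count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int, tag: int = INTEGER) -> bytes:
    """Shortest two's-complement encoding; used for messageID, version and result codes."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def ber_str(value, tag: int = OCTET_STRING) -> bytes:
    return tlv(tag, value.encode("utf-8") if isinstance(value, str) else value)


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name DN, simple [0] password } }."""
    bind = ber_int(3) + ber_str(dn) + ber_str(password, CTX_SIMPLE)
    return tlv(SEQUENCE, ber_int(message_id) + tlv(APP_BIND_REQUEST, bind))


def sasl_bind_request(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """Same envelope with sasl [3] { mechanism, credentials }: the name is normally empty and
    the mechanism's own token (a Kerberos AP-REQ for GSSAPI, a digest response for
    DIGEST-MD5) rides in 'credentials' across one or more bind round trips."""
    sasl = tlv(CTX_SASL, ber_str(mechanism) + (ber_str(credentials) if credentials else b""))
    bind = ber_int(3) + ber_str("") + sasl
    return tlv(SEQUENCE, ber_int(message_id) + tlv(APP_BIND_REQUEST, bind))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, bindResponse { resultCode, matchedDN "", diagnosticMessage } }."""
    result = ber_int(result_code, ENUMERATED) + ber_str("") + ber_str(diagnostic)
    return tlv(SEQUENCE, ber_int(message_id) + tlv(APP_BIND_RESPONSE, result))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one element at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != APP_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8")}


def password_visible_on_wire(frame: bytes, password: str) -> bool:
    """What a sniffer sees on a non-TLS session: the password bytes, unchanged."""
    return password.encode("utf-8") in frame


def safe_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Client-side guard: a DN with an empty password is an unauthenticated bind
    (RFC 4513 5.1.2). Servers that allow it answer success but grant only anonymous
    rights, so a login check that forwards an empty form field would pass. Refuse
    it before anything is sent."""
    if not dn or not password:
        raise ValueError("refusing bind with empty DN or password")
    return simple_bind_request(message_id, dn, password)


if __name__ == "__main__":
    req = simple_bind_request(1, "cn=admin,dc=example,dc=com", "hunter2")
    print("BindRequest:", req.hex())
    print("password readable on the wire:", password_visible_on_wire(req, "hunter2"))
    print("SASL BindRequest:", sasl_bind_request(2, "GSSAPI").hex())
    print(parse_bind_response(bind_response(1, RESULT_INVALID_CREDENTIALS, "invalid credentials")))
```

Run it and search the printed hex for 68756e74657232 ("hunter2"): that is the string a packet capture of port 389 would show. The SASL request carries only the mechanism name; the proof of identity is in the mechanism token, not a password field.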
LDAP - Query/Operation
Once bound, a client can perform the following operations on the directory (RFC 4511 also defines bind, unbind, modify DN, abandon and extended operations):
- add - create a new entry at a given DN with its attributes.
- delete - remove an entry (the entry must have no children).
- search - return the entries under a base DN that match a filter, within a scope (base, one level or subtree), with the requested attributes.
- compare - ask the server whether an entry holds a given attribute value; the server answers compareTrue or compareFalse without disclosing the stored value.
- modify - add, delete or replace attribute values of an existing entry.
LDAP - Terms
- Data Models - LDAP is usually described through four models: the information model (entries, their attributes and object classes), the naming model (how each entry is uniquely named by its DN and placed in the tree), the functional model (the operations used to read and change data) and the security model (authentication and access control).
- Distinguished Name (DN) - the unique name of an entry, written as the sequence of RDNs from the entry up to the root of the tree, for example cn=alice,ou=people,dc=example,dc=com. It both identifies the entry and fixes its location in the information tree.
- Modifications - the changes a modify request applies to an entry's attributes. RFC 4511 defines the add, delete and replace modification types; RFC 4525 adds an increment operation for integer-valued attributes.
- Relative Distinguished Name (RDN) - the leftmost component of a DN (cn=alice above), which must be unique among the entries under the same parent; the rest of the DN is the parent's DN. A multi-valued RDN joins several attribute=value pairs with '+'.
- Schema - the definitions of attribute types (name, syntax, matching rules, single- or multi-valued), object classes (which attributes an entry must and may carry) and syntaxes that the server enforces on every entry. Schema is written in the notation of RFC 4512, not in application code.
- URLs - an LDAP URL (RFC 4516) of the form ldap://host:port/dn?attributes?scope?filter?extensions encodes a search: the server to connect to, the base DN, the attributes to return, the scope (base, one, sub), the filter and optional extensions. Servers also return LDAP URLs as referrals when another server holds the requested part of the tree.
- Uniform Resource Identifier (URI) - the generic string syntax (RFC 3986) for identifying a resource, of which an LDAP URL is one scheme.
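The DN, RDN and URL terms above, worked through in code. This is an added example, not code from the original page: a compact re-implementation of the RFC 4514 DN syntax (escapes, multi-valued RDNs) and the RFC 4516 LDAP URL syntax, plus a small allow-list check before a client follows a referral URL to another server. The DNs, host names and URLs are constructed, and the function names are this example's own.

```python
"""Parse LDAP names and URLs: RFC 4514 DNs/RDNs and RFC 4516 LDAP URLs.

Constructed example: the DNs, hosts and URLs are made up, and these functions
are a compact re-implementation of the two syntaxes, not a library's API.
"""
from urllib.parse import urlsplit, unquote

_HEX = "0123456789abcdefABCDEF"
_DN_SPECIAL = ',+"\\<>;='   # characters that must be escaped inside a DN value


def _ava(text: str):
    """Split 'type=value' into (type, value); spaces around the type are ignored."""
    attr_type, _, value = text.partition("=")
    return attr_type.strip(), value


def split_dn(dn: str) -> list:
    """Split a DN into RDNs, leaf first; each RDN is a list of (type, value) pairs,
    so 'ou=Sales+l=Berlin' becomes [('ou', 'Sales'), ('l', 'Berlin')].
    Backslash escapes are decoded: '\\,' and '\\2c' both give ','. Hex pairs are
    treated as single bytes; multi-byte UTF-8 hex escapes are not reassembled."""
    rdns, rdn_parts, buf = [], [], []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c in ",+":                      # unescaped separator
            rdn_parts.append(_ava("".join(buf)))
            buf = []
            if c == ",":
                rdns.append(rdn_parts)
                rdn_parts = []
        else:
            buf.append(c)
        i += 1
    rdn_parts.append(_ava("".join(buf)))
    rdns.append(rdn_parts)
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):             # leading space or '#' must be escaped
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):   # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def to_dn(rdns) -> str:
    return ",".join("+".join(f"{t}={escape_dn_value(v)}" for t, v in r) for r in rdns)


def rdn(dn: str) -> str:
    """The entry's own name: the leftmost RDN, unique among its siblings."""
    return to_dn(split_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """Everything after the first unescaped comma: the DN of the parent entry."""
    return to_dn(split_dn(dn)[1:])


def parse_ldap_url(url: str) -> dict:
    """ldap[s]://host:port/dn?attributes?scope?filter?extensions (RFC 4516).
    urlsplit puts the DN in .path and the four '?'-separated fields in .query."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = (unquote(f) for f in fields[:4])
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path[1:]),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",                   # RFC 4516 defaults
        "filter": filt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def referral_allowed(url: str, allowed_hosts) -> bool:
    """Check a referral before chasing it: a client that rebinds to whatever host a
    referral names would hand its credentials to that host, so require TLS and an
    allow-listed server."""
    try:
        u = parse_ldap_url(url)
    except ValueError:
        return False
    return u["scheme"] == "ldaps" and u["host"] in allowed_hosts


if __name__ == "__main__":
    dn = r"cn=Smith\, John,ou=Sales+l=Berlin,dc=example,dc=com"
    print(split_dn(dn))
    print("RDN:", rdn(dn), "| parent:", parent_dn(dn))
    print(parse_ldap_url("ldap://ldap.example.com:389/dc=example,dc=com?cn,mail?sub?(uid=alice)"))
    print(referral_allowed("ldap://ldap2.example.com/dc=example,dc=com", {"ldap2.example.com"}))
```

split_dn is the piece worth reading slowly: an unescaped comma ends an RDN, an unescaped plus separates the values of a multi-valued RDN, and anything after a backslash is literal, which is why a value such as "Smith, John" only works once it is written as Smith\, John.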