LDAP - Basics

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is the protocol clients use to access a directory server.


What is a directory server?

A directory server is a storage server widely used to hold an organization's user data. It listens for client requests over the LDAP protocol and performs read/write operations on the stored entries. Because directory servers speak LDAP to their clients, they are also called LDAP servers.

Who are the clients to directory server?

A directory client is anything capable of talking to the directory server. Examples are a Java application or Apache Directory Studio (a GUI client, similar to SQL Developer or TOAD for Oracle).


How is data stored in an LDAP server?

Data in an LDAP server is stored in a directory. When we add entries, they are placed under the base entry, and an entry may itself contain subentries. As a result, the stored data looks like a tree with a root and child entries.

                        dc=example,dc=in
                               |
          +--------------------+--------------------+
          |                    |                    |
   ou=groups,           ou=employees,          ou=realm,
   dc=example,dc=in     dc=example,dc=in       dc=example,dc=in
                               |
                   +-----------+-----------+
                   |                       |
     cn=MSMITH,ou=employees,    cn=CDONALD,ou=employees,
     dc=example,dc=in           dc=example,dc=in

The root entry represents the organization that owns the directory. It can be written as dc=example,dc=in, or o=example.in, or o=example,c=IN.

Child entries represent either groups or people in the organization. Groups are entries that contain people as subentries; in LDAP terms a group is represented as an 'ou' (organizational unit). For example:

ou=employees  (a group)
cn=MSMITH     (a person)

Here is how these entries are written when stored in the LDAP schema (LDIF notation, one attribute per line):

dn: dc=example,dc=in
dc: example
objectclass: top
objectclass: domain

dn: ou=employees,dc=example,dc=in
ou: employees
objectclass: organizationalUnit

dn: cn=MSMITH,ou=employees,dc=example,dc=in
cn: MSmith
sn: Smith
objectclass: organizationalPerson

Here 'dn' is the distinguished name, which uniquely identifies an entry in the LDAP hierarchy.
'objectClass' is a special attribute that names the predefined object class (or classes) an entry is built from; the object class decides which attributes the entry may and must carry.

The attributes cn and sn come from the person object class, which organizationalPerson and inetOrgPerson inherit:
cn - common name
sn - surname

How is LDAP different from an RDBMS?

RDBMS                                 LDAP
Data is stored in tables.             Data is stored in directories.
Each entry is represented as a row.   Each entry is represented as a list of key-value attributes.


What are object classes?

Object classes are a set of predefined classes used for storing entries in the LDAP schema. Each class defines the mandatory and optional attributes that an entry of that class may carry.

dn: cn=MSMITH,ou=employees,dc=example,dc=in
cn: MSmith
sn: Smith
objectclass: organizationalPerson

The 'organizationalPerson' object class in the above example represents a person. The attributes cn (common name) and sn (surname) are set to create an 'organizationalPerson' entry.

Here is a list of predefined object classes LDAP provides, with their attributes:

Name                  Type         Description
top                   objectClass  Root class
objectClass           Attribute    An attribute which classifies the object class of an entry

Name                  Type         Description
organization          objectClass  Represents an organization
o                     Attribute    Name of the organization

Name                  Type         Description
organizationalUnit    objectClass  Represents a group in the organization
ou                    Attribute    Name of the department/group

Name                  Type         Description
person                objectClass  Represents a person
cn                    Attribute    Common name
sn                    Attribute    Surname
telephoneNumber       Attribute    Telephone number
userPassword          Attribute    Encrypted user password

Name                  Type         Description
organizationalPerson  objectClass  Subclass of person
registeredAddress     Attribute    The address provided during registration
postalAddress         Attribute    Communication address
postalCode            Attribute    Postal code

Name                  Type         Description
inetOrgPerson         objectClass  Subclass of organizationalPerson (internet organization person)
uid                   Attribute    User id
department            Attribute    Department name
employeeNumber        Attribute    Employee number
givenName             Attribute    A unique name given by the organization
manager               Attribute    Manager of the employee

Similar to Java, LDAP supports inheritance. 'top' is the superclass that every object class in LDAP inherits from; because of this, every entry in LDAP has an 'objectClass' attribute.

'organizationalPerson' inherits 'person', and 'inetOrgPerson' inherits 'organizationalPerson':

                  top
                   |
          +--------+--------+
          |                 |
       person         organization
          |
  organizationalPerson
          |
    inetOrgPerson

Why LDAP?

Since LDAP is hierarchically structured, lookup and search operations are faster when compared to other data stores such as an RDBMS or NoSQL. A DN (distinguished name) is used to identify an entry in the LDAP hierarchy.

dn: uid=MSMITH,ou=employees,dc=example,dc=in
objectClass: inetOrgPerson
uid: MSMITH
cn: MSmith
sn: Smith

dn: uid=MSMITH,ou=employees,dc=example,dc=in means that MSMITH belongs to employees, which in turn belongs to the example.in root, i.e. the organization.
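The entries, the object-class inheritance tree and the DN hierarchy described above, tied together in an added example (this is not code from the original post). It parses LDIF records, walks a constructed schema fragment of the classes listed in this post to compute the MUST attributes each entry inherits, and checks that every child's parent DN was loaded before it:

```python
# Added example (not from the post): parse LDIF and check entries against a small schema.
import re

# Constructed schema fragment: objectClass -> (superclass, MUST attributes).
SCHEMA = {"top": (None, set()), "domain": ("top", {"dc"}), "organizationalunit": ("top", {"ou"}),
          "person": ("top", {"cn", "sn"}), "organizationalperson": ("person", set()),
          "inetorgperson": ("organizationalperson", set())}

def superclasses(name):
    # Walk the inheritance chain: inetOrgPerson -> organizationalPerson -> person -> top
    chain, cur = [], name.lower()
    while cur is not None:
        chain.append(cur)
        cur = SCHEMA[cur][0]  # KeyError for an objectClass not in SCHEMA
    return chain

def parse_ldif(text):
    # Blank-line separated records -> list of {attribute (lower-cased): [values]}
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def validate(entries, base_dn):
    # Report a parent not loaded before its child, and any MUST attribute of a
    # listed objectClass (or one of its superclasses) that the entry lacks.
    problems, known = [], set()
    for e in entries:
        dn = e["dn"][0]
        parent = dn.split(",", 1)[1].strip() if "," in dn else ""  # escaped commas not handled
        if dn.lower() != base_dn.lower() and parent.lower() not in known:
            problems.append(f"{dn}: parent '{parent}' not loaded before child")
        required = {a for oc in e.get("objectclass", [])
                    for cls in superclasses(oc) for a in SCHEMA[cls][1]}
        problems += [f"{dn}: objectClass requires '{a}'" for a in sorted(required - set(e))]
        known.add(dn.lower())
    return problems

# Constructed sample: the post's root entry, then a person record added before its
# ou=employees parent and missing 'sn', which person (via inetOrgPerson) requires.
SAMPLE = """dn: dc=example,dc=in
dc: example
objectClass: domain

dn: cn=MSMITH,ou=employees,dc=example,dc=in
cn: MSmith
objectClass: inetOrgPerson"""
```

Running validate(parse_ldif(SAMPLE), "dc=example,dc=in") reports both defects of the last record; adding the ou=employees entry before it and an sn line clears them.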
