Monday 9 January 2012

LDAP Security Feature

Overview of LDAP

Technically, LDAP is just a protocol that defines the method by which directory data is accessed. Necessarily, it also defines and describes how data is represented in the directory service (the Data Model). Finally, it defines how data is loaded into (imported) and saved from (exported) a directory service (using LDIF). LDAP does not define how data is stored or manipulated. Data storage is an 'automagic' process as far as the standard is concerned.

LDAP defines four models which we will now list and discuss - you can then promptly forget them since they bring very little to the understanding of LDAP.

1. Information Model: We tend to use the term Data Model, in our view a more intuitive and understandable term. The Data (or Informational) Model defines how the information or data is represented in an LDAP enabled system - this may, or may NOT, be the way the data is actually stored as explained above.

2. Naming Model: This defines all that 'dc=example,dc=com' stuff that you stumble across in LDAP systems. We stick pretty much to the specifications here because the terms are so widely used.

3. Functional Model: When you read, search, write or modify the LDAP you are using the Functional Model - wow.

4. Security Model: You can control, in a very fine-grained manner, who can do what to what data. This is complex but powerful stuff. We progressively introduce the concepts and have dedicated a specific chapter to it. To begin with - forget security. You can always go back and retro-fit security in LDAP. Where you cannot retro-fit, we reference security implications in the text.

LDAP security features


Network Information Services
When managing a large number of computers it is convenient to store configuration data in a central location rather than maintain separate files on each machine. Thus, DNS quickly replaced large /etc/hosts files on the Internet, and a number of more general name services were developed to serve more local needs. Sun's YP/NIS is probably the best known, but Hesiod[1] does a similar job and protocol suites such as XNS and NetBIOS also include name services of one sort or another.

Network Authentication Service
Authenticating users is one of the more visible aspects of computer security. People are used to providing usernames and passwords when they want to use a machine or other resource.
One approach to authentication in a network is simply to use the NIS to access conventional Unix password hashes and to do the validation locally on the desktop machine. This scheme is commonly used with YP/NIS but it suffers from having to make all password hashes available to all desktop machines. There are shadow-password schemes that prevent 'ordinary' users from getting hold of the hash data, but these are fairly easy to bypass when used with a NIS. With access to a collection of password hashes, a cracker can mount a dictionary attack with a good chance of success so it would be better to keep the hashes away from client machines entirely.
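The Security Model listed above is what lets an LDAP directory avoid the NIS problem just described: the server can validate a bind itself and refuse to hand the stored hash to anyone. The OpenLDAP access-control fragment below is an added illustration, not taken from the cited sources; the database entry olcDatabase={1}mdb and the group cn=admins,ou=Groups,dc=example,dc=com are assumed names.

```ldif
# Added example (not from the cited sources). Assumes an OpenLDAP
# cn=config deployment whose first database is olcDatabase={1}mdb
# and an assumed admin group cn=admins,ou=Groups,dc=example,dc=com.
#
# Weak setting, equivalent to NIS shipping every hash to every client:
#   olcAccess: {0}to attrs=userPassword by * read
# Any client, even an unauthenticated one, could dump the hashes and
# run the offline dictionary attack the text warns about.
#
# Corrected setting: the server performs the password comparison during
# bind ("auth"), so hashes never leave the directory.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com"
  by group.exact="cn=admins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
olcAccess: {2}to *
  by users read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then confirm with an `ldapsearch` bound as an ordinary user that `userPassword` no longer appears in the returned entries while that user can still bind with the correct password.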

References

http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html
http://www.zytrax.com/books/ldap/ch2

1 comment:

  1. Hi Dexter! By reading your post above about the LDAP security feature, I understand what it does. From the first overview I understand what it means exactly. You explained it well in the overview section. However, personally I feel that your post on this LDAP security feature is too little for me. I need to know more about it. And, if you could insert some videos into this post, that would be fantastic. So I strongly request that you add a little more detail, so I will have a better understanding of the LDAP security feature. And thanks for posting the matter. Well done!