About LDAP

From Ensiwiki
VoIP deployment
"Projet de Spécialité 2010": deployment of a VoIP platform
Team: Ouakkadi Mohamed Yassine, Rafiq Oualid, Legras-Lecarpentier Matthieu, Piton Benjamin, Torre Luc-Alexandre
Professors: Franck Rousseau, Alphand Olivier
Laboratory: LIG laboratory, Drakkar group
Location: Grenoble INP Ensimag
Date: June 2010

LDAP protocol

LDAP follows a client/server model over a connection-oriented transport: the client opens a TCP connection to the server, on port 389 by default. Messages are encoded with ASN.1 BER (Basic Encoding Rules), a compact binary encoding that is cheap to produce, parse and transmit. Confidentiality is obtained with TLS (Transport Layer Security), either by connecting directly to the TLS port 636 (LDAPS) or by upgrading the port 389 connection with the StartTLS extended operation. The standard (LDAPv3, RFC 4511) defines the basic operations (bind, search, add, modify, delete, ...) as well as controls and extended operations through which servers add features.

Naming of entities

The entries of an LDAP directory are organized in the DIT (Directory Information Tree). Each entry is a node of the tree, with a type given by its object classes. An entry is identified by its DN (Distinguished Name), for example ou=Recherche,ou=France,dc=ensimag,dc=fr, which is built from its RDN (Relative Distinguished Name), here ou=Recherche, followed by the DN of its parent. The DN therefore lists the whole path in the tree and is read from right to left: the rightmost component (dc=fr) is the root. Example of DIT: (figure dit.png)

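To make the naming rules concrete, here is a small DN parser, added as an example and not taken from the page or from any LDAP library. It splits a DN into RDNs, computes the parent DN, lists the path from the root, and tests whether an entry lies under a base. It honours the RFC 4514 backslash escape, so a comma inside a value (cn=Dupont\, Jean) is not mistaken for a separator, which a naive split on "," gets wrong. The DNs used below are constructed from the page's examples.

```python
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, most specific (leftmost) first.
    A backslash escapes the next character (RFC 4514), so "\\," stays inside a value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])        # keep the escape sequence verbatim
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    if any(not r for r in rdns):
        raise ValueError(f"empty RDN in {dn!r}")
    return rdns


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """'ou=Recherche' -> ('ou', 'Recherche'); attribute types are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def normalize(dn: str) -> str:
    """Canonical spelling for comparisons: lowercase types, no spaces around separators.
    Values are kept as written; a real server also applies each type's matching rule."""
    return ",".join(f"{a}={v}" for a, v in map(parse_rdn, split_dn(dn)))


def parent_dn(dn: str) -> str:
    """DN of the parent node: drop the leftmost RDN ('' for a top-level entry)."""
    rdns = split_dn(normalize(dn))
    return ",".join(rdns[1:])


def hierarchy(dn: str) -> List[str]:
    """Path from the root down to the entry, i.e. the DN read from right to left."""
    return list(reversed(split_dn(normalize(dn))))


def is_under(dn: str, base: str) -> bool:
    """True when dn is base itself or a descendant of it (suffix match on RDN lists)."""
    d, b = split_dn(normalize(dn)), split_dn(normalize(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    print(hierarchy("ou=Recherche,ou=France,dc=ensimag,dc=fr"))
    print(split_dn("cn=Dupont\\, Jean,ou=people,dc=abdomain,dc=org"))
```

is_under is the check an application makes before trusting a DN returned by a search, for instance to confirm that an authenticated user's entry really sits under the expected branch rather than comparing raw strings that differ only in case or spacing.
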
Hierarchy

Type   Name
dc     domain component (one label of a DNS domain name)
ou     organizational unit
cn     common name

The LDAP standard also defines a text file format, LDIF (LDAP Data Interchange Format, RFC 2849), which can contain:

  • the description of directory entries (their DN and object classes),
  • the attribute values of those entries,
  • change records, i.e. instructions (add, modify, delete, ...) to be applied by the server.

Example of .ldif (each record starts with its dn: line and records are separated by a blank line):

dn: ou=people,dc=abdomain,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people
description: People branch

dn: ou=etudiants,ou=people,dc=abdomain,dc=org
objectclass: top
objectclass: organizationalUnit
ou: etudiants
description: Students branch

dn: ou=personnel,ou=people,dc=abdomain,dc=org
objectclass: top
objectclass: organizationalUnit
ou: personnel
description: Staff branch

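To show what the format carries and what a server checks when loading it, here is an LDIF reader added as an example (not code from the page or from OpenLDAP). It parses content records, including folded lines and the base64 ("::") form used for non-ASCII values, then builds the DIT while refusing an entry that lacks objectClass or whose parent does not exist yet. The sample LDIF is constructed from the page's example; the naming context dc=abdomain,dc=org is assumed to exist before loading.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute type (lowercase) -> values, plus "dn"

# Constructed sample based on the page's example. The second description is base64
# ("::") because it is not ASCII (it decodes to "Branche étudiants"); the third is
# folded over two lines, a continuation line starting with a single space.
SAMPLE_LDIF = """\
dn: ou=people,dc=abdomain,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
description: People branch

dn: ou=etudiants,ou=people,dc=abdomain,dc=org
objectClass: top
objectClass: organizationalUnit
ou: etudiants
description:: QnJhbmNoZSDDqXR1ZGlhbnRz

dn: ou=personnel,ou=people,dc=abdomain,dc=org
objectClass: top
objectClass: organizationalUnit
ou: personnel
description: Staff
  branch
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into dicts; attribute types are lowercased."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line: append to the previous one
        else:
            lines.append(raw)
    entries, entry = [], None
    for line in lines + [""]:               # the trailing "" flushes the last record
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):           # "name:: <base64>" for non-ASCII or binary data
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        name, value = name.strip().lower(), value.strip()
        if entry is None:
            if name != "dn":
                raise ValueError("every record must start with a dn: line")
            entry = {"dn": [value]}
        else:
            entry.setdefault(name, []).append(value)
    return entries


def norm(dn: str) -> str:
    """Comparison key for a DN: lowercase, no spaces after commas (naive about escapes)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def build_dit(entries: List[Entry], suffix: str) -> Dict[str, Entry]:
    """Add the entries in file order with the checks a server applies to every add:
    objectClass is mandatory, the parent must already exist, DNs must be unique.
    The naming context (suffix) is assumed to exist before loading."""
    dit: Dict[str, Entry] = {}
    suffix = norm(suffix)
    for e in entries:
        dn = norm(e["dn"][0])
        attrs = {k: v for k, v in e.items() if k != "dn"}
        if "objectclass" not in attrs:
            raise ValueError(f"{dn}: objectClass is mandatory")
        parent = dn.partition(",")[2]
        if parent != suffix and parent not in dit:
            raise LookupError(f"{dn}: parent {parent or '(none)'} does not exist")
        if dn in dit:
            raise ValueError(f"{dn}: entry already exists")
        dit[dn] = attrs
    return dit


if __name__ == "__main__":
    for dn, attrs in build_dit(parse_ldif(SAMPLE_LDIF), "dc=abdomain,dc=org").items():
        print(dn, attrs)
```

Because parents must precede children, the order of records in an LDIF file matters: loading the same file in reverse order fails on the first record, exactly as a server would reject it.
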
Storage of information in the directory

Each directory entry contains at least one attribute-value pair. Some attributes are mandatory, such as objectClass, which defines the type of the entry and therefore which other attributes it must or may carry. Each attribute type is defined by:

  • a name (and possibly aliases),
  • a numeric identifier, the OID (Object Identifier),
  • a syntax, i.e. what kind of values it can contain,
  • its matching rules, in particular the equality rule used to compare values (for example case-insensitive for cn),
  • a human-readable description.

The set of attribute types and object classes known to a directory is called its schema.

Access to and operations on directory data

The directory supports the following operations:

  • add, delete or modify an entry,
  • add, delete or modify an attribute of an entry,
  • add, delete or modify a single value of an attribute,
  • search requests (a base DN, a scope and a filter, returning the matching entries).

A Modify request can carry several of these changes for one entry; the server applies them all or none of them, and checks the result against the schema. These operations can be performed through tools such as phpLDAPadmin, which makes maintaining the data easier.

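The following added example (the author's illustration, not code from the page or from any LDAP server) implements the semantics of the Modify operation on a single entry: a request is a list of (operation, attribute, values) changes applied atomically, and the result codes are those of RFC 4511. The schema excerpt (which object classes require which attributes) is a simplified assumption covering only the two classes used; the entry is constructed.

```python
from typing import Dict, List, Sequence, Tuple

Entry = Dict[str, List[str]]              # attribute type -> values
Change = Tuple[str, str, Sequence[str]]   # ("add" | "delete" | "replace", attribute, values)

# LDAP result codes (RFC 4511, section 4.1.9) that a Modify can return.
SUCCESS, NO_SUCH_ATTRIBUTE, ATTRIBUTE_OR_VALUE_EXISTS, OBJECT_CLASS_VIOLATION = 0, 16, 20, 65

# Simplified schema excerpt (assumption): the attributes each object class MUST carry.
MUST = {"inetorgperson": ("cn", "sn"), "organizationalunit": ("ou",)}

# Constructed sample entry.
PERSON: Entry = {
    "objectClass": ["top", "inetOrgPerson"],
    "cn": ["jdupont"],
    "sn": ["Dupont"],
    "mail": ["jdupont@abdomain.org", "jd@abdomain.org"],
}


def modify(entry: Entry, changes: Sequence[Change]) -> Tuple[int, Entry]:
    """Apply a ModifyRequest and return (resultCode, resulting entry).
    Like a server, it is all-or-nothing: on any error the original entry is returned
    untouched. Values are compared exactly here; a real server uses the attribute
    type's equality matching rule (case-insensitive for cn, for instance)."""
    work = {k.lower(): list(v) for k, v in entry.items()}   # private copy
    for op, attr, values in changes:
        attr, values = attr.lower(), list(values)
        current = work.get(attr, [])
        if op == "add":                  # adds values; an existing value is an error
            if any(v in current for v in values):
                return ATTRIBUTE_OR_VALUE_EXISTS, entry
            work[attr] = current + values
        elif op == "delete":             # no values = delete the whole attribute
            if attr not in work or any(v not in current for v in values):
                return NO_SUCH_ATTRIBUTE, entry
            work[attr] = [v for v in current if v not in values] if values else []
        elif op == "replace":            # replacing a missing attribute is allowed
            work[attr] = values
        else:
            raise ValueError(f"unknown operation {op!r}")
        if not work[attr]:               # an attribute with no values disappears
            del work[attr]
    for oc in work.get("objectclass", []):
        for required in MUST.get(oc.lower(), ()):
            if required not in work:     # the entry would violate its object class
                return OBJECT_CLASS_VIOLATION, entry
    return SUCCESS, work


if __name__ == "__main__":
    print(modify(PERSON, [("add", "telephoneNumber", ["+33 4 76 82 72 00"]),
                          ("replace", "mail", ["jean.dupont@abdomain.org"])]))
    print(modify(PERSON, [("delete", "sn", [])]))   # rejected: sn is MUST for inetOrgPerson
```

The last call shows why the page lists schema coherence as a server duty: deleting sn from an inetOrgPerson is a well-formed request that the server must nevertheless refuse.
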
Security

An LDAP directory contains information that must be protected. The LDAP standard provides two kinds of authentication for the bind operation: simple authentication, where the client sends a DN and a password that the server checks, and SASL (Simple Authentication and Security Layer), which supports mechanisms such as DIGEST-MD5, GSSAPI (Kerberos) or EXTERNAL (client certificate). Two points matter in practice: a simple bind transmits the password in clear inside the BER message, so it must only be used over an encrypted connection, and a bind with a DN but an empty password is an "unauthenticated bind" that some servers treat as anonymous access instead of rejecting, so an application must refuse an empty password before binding. Access control is specific to each server implementation; the standard does not normalize it (OpenLDAP, for instance, uses its olcAccess directives). For encrypting the exchanges, the server offers LDAPS (LDAP over SSL/TLS on port 636) or StartTLS, an extended operation that upgrades a plain connection on port 389 to TLS; SSL itself is obsolete and current deployments should accept only TLS 1.2 or later.

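This added example, the author's illustration rather than code from the page or from any LDAP library, hand-encodes the two messages involved with a minimal BER encoder following the RFC 4511 syntax (the encoding mentioned in the protocol section). It shows why the warning above matters: in a simple BindRequest the password is a bare OCTET STRING, and a passive observer of an unencrypted connection reads it straight out of the bytes. The StartTLS ExtendedRequest is what the client sends first to avoid that; the bind DN and password are constructed.

```python
# BER building blocks (X.690); only what an LDAPMessage needs.
def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, else 0x80|count then the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding (enough for message IDs and versions)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
    authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }.
    The simple choice is the bare password: tag 0x80, its length, then the bytes."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


START_TLS_OID = b"1.3.6.1.4.1.1466.20037"


def start_tls_request(msg_id: int) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }.
    Sent in clear on port 389 before the bind; once the server's ExtendedResponse
    arrives, the same TCP connection is upgraded to TLS and the bind travels encrypted."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, START_TLS_OID)))


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos: (tag, content, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """What a passive observer of an unencrypted connection recovers from a simple bind:
    (messageID, bind DN, password). Returns None for other operations or SASL binds."""
    tag, msg, _ = ber_read(packet)
    if tag != 0x30:
        return None
    _, msg_id, pos = ber_read(msg)
    op_tag, op, _ = ber_read(msg, pos)
    if op_tag != 0x60:
        return None                      # not a BindRequest
    _, _, pos = ber_read(op)             # version
    _, dn, pos = ber_read(op, pos)
    auth_tag, cred, _ = ber_read(op, pos)
    if auth_tag != 0x80:
        return None                      # SASL: credentials depend on the mechanism
    return int.from_bytes(msg_id, "big", signed=True), dn.decode(), cred.decode()


if __name__ == "__main__":
    pkt = simple_bind(1, "cn=admin,dc=abdomain,dc=org", "s3cret")
    print(pkt.hex())
    print(sniff_simple_bind(pkt))        # the password is right there in the bytes
```

Run as a script, the second line printed is the (messageID, DN, password) triple, which is also what a capture on port 389 without StartTLS hands to anyone on the path. A SASL bind with a challenge-response mechanism does not carry the password this way, but the directory data returned afterwards is still in clear unless TLS is used, so TLS is needed in both cases.
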
LDAP server

An LDAP server must provide three functions:

  • answer the LDAP requests of clients,
  • keep the directory data consistent with the schema (mandatory attributes, allowed values, object class rules),
  • store the data persistently.
