A directory is like a dictionary: it allows one to look up a name and retrieve the items of information associated with that name.
Names in a directory are organized in a hierarchical tree.
**Objects and classes :- Data in LDAP is stored in objects. Each object contains a number of attributes, which are basically a set of key/value pairs.
** Directory service
A directory service is simply the software system that stores and organizes information in a directory, and provides access to that information.
** Difference between a Directory service and a Database
The major difference between databases and directories is at the system level: a database is used to automate a process with a dedicated (relational) data model, whereas a directory holds "identified" objects that many applications can use in arbitrary ways.
**The Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.[1]
**Entries, Attributes, and Values
Entry
cn: John Doe
mail: johndoe@sun.com
mail: jdoe@stc.com
telephoneNumber: 471-6000 x.1234
Attributes :- cn, mail, telephoneNumber
Values :- John Doe, johndoe@sun.com, jdoe@stc.com
** LDAP Directory Structure
Tree structure.
Topmost node :- the root
Higher levels of the hierarchy :- groupings or organizations
Leaf nodes :- individual persons
** Distinguished Names & Relative Distinguished Names
The distinguished name of the John Doe entry is:
cn=John Doe, ou=People, dc=sun.com
cn=John Doe, ou=People is an RDN relative to the root RDN dc=sun.com.
Another example would be uid=bjensen,ou=People,dc=example,dc=com
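A small parser for the entry and DN forms described above, written as an added example (not code from the original post); the LDIF record and the dc=example,dc=com suffix are constructed sample input.

```python
# Added example: parse one LDIF record (like the John Doe entry above) into a DN plus
# multi-valued attributes, then split the DN into its RDNs. Constructed sample input:
LDIF = """\
dn: cn=John Doe,ou=People,dc=example,dc=com
cn: John Doe
mail: johndoe@sun.com
mail: jdoe@stc.com
telephoneNumber: 471-6000 x.1234
"""

def parse_ldif_entry(text):
    """Return (dn, {attribute type: [values]}) for one LDIF record.
    A type that repeats, like mail above, accumulates several values under one key.
    (Continuation lines and base64 '::' values are not handled in this short version.)"""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        atype, _, value = line.partition(":")
        atype, value = atype.strip(), value.strip()
        if atype.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(atype, []).append(value)
    return dn, attrs

def split_dn(dn):
    """Split a DN into its RDNs, leftmost first; a backslash escapes a literal comma."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]; i += 2; continue
        if ch == ",":
            rdns.append(cur.strip()); cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur.strip())
    return rdns

def rdn(dn):
    """The entry's own relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """DN of the entry one level up the tree (the remaining components)."""
    return ",".join(split_dn(dn)[1:])
```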
**LDAP Service
A directory service is a distributed database application designed to manage the entries and attributes in a directory.
**LDAP Client
A directory client accesses a directory service using the LDAP protocol. A directory client may use one of several client APIs available in order to access the directory service.
**Working of Client
By connecting to an LDAP server, the LDAP BC/eWay enables you to search, compare, and modify an LDAP directory using the LDAP protocol.
**Referrals
A referral is information that a server sends back to the client indicating that the requested information can be found at another location (possibly on another server).
Type :-
The type describes what the information is; the value is the information itself.
cn: person5
Here "cn" is the type and "person5" is the value.
Attribute:-
An attribute consists of a type and one or more values that describe a particular trait of the object's entry.
Entry:-
An entry, the base unit of the LDAP, is a collection of attributes which contain information that describes it.
Object Classes:-
An entry's object classes are either required or allowed, and each object class is defined with one or more attributes that are in turn either required or allowed.
LDAP Schema:-
LDAP Schema defines what can be stored in the directory. It includes object classes and attributes.
**SSL with LDAP
SSL:- Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection. It uses encryption and decryption.
SSL uses public key cryptography, which is based on key pairs: a public key and a private key.
Digital signature :-The server computes a value and encrypts the value using its private key. The encrypted value is called a digital signature.
keytool:- Keytool is used to generate certificates. The keytool stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity.
For J2EE, the server certificate is in keystore.jks. The cacerts.jks file contains all the trusted certificates, including client certificates.
Authentication:- To verify that the site (server) is who and what it claims to be, and to verify that the client is who and what it claims to be.
Confidentiality:- Data cannot be deciphered by a third party; it remains confidential between client and server.
Integrity:- Data will not be modified in transit by a third party.
KeyStore :- A KeyStore consists of a database containing a private key and an associated certificate, or an associated certificate chain. The certificate chain consists of the client certificate and one or more certification authority (CA) certificates.
TrustStore:-
A TrustStore contains only the certificates trusted by the client. It is a repository of certificates.
Steps to create a keystore and trust store for the server :-
1. Generate a certificate in keystore.jks
C:\jdk1.5.0_13\bin>keytool -genkey -alias server -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
What is your first and last name? [Unknown]: raghuvir
What is the name of your organizational unit? [Unknown]: india
What is the name of your organization? [Unknown]: sun
What is the name of your City or Locality? [Unknown]: blr
What is the name of your State or Province? [Unknown]: karnataka
What is the two-letter country code for this unit? [Unknown]: ka
Is CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka correct? [no]: yes
2. Export it into file server.cer
C:\jdk1.5.0_13\bin>keytool -export -alias server -storepass changeit -file server.cer -keystore keystore.jks
Certificate stored in file
3. Import server.cer into the trust store (cacerts.jks)
C:\jdk1.5.0_13\bin>keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit
Owner: CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka
Issuer: CN=raghuvir, OU=india, O=sun, L=blr, ST=karnataka, C=ka
Serial number: 4892be08
Valid from: Fri Aug 01 13:10:56 IST 2008 until: Thu Oct 30 13:10:56 IST 2008
Certificate fingerprints:
MD5: A3:BD:00:49:35:3B:99:BB:82:15:B9:B0:68:5C:6B:86
SHA1: 09:07:4D:46:8A:22:2A:BE:7C:F4:0C:1E:C5:41:F9:84:B8:83:F3:13
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing cacerts.jks]
Steps to create a client keystore and trust store :-
1. Generate the client certificate in keystore.jks
C:\jdk1.5.0_13\bin>keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks -dname "CN=client_hostname, OU=John,O=Sun, L=Bangalore, S=Karnataka, C=IN"
2. Export client certificate to a file called client.cer
C:\jdk1.5.0_13\bin>keytool -export -alias client-alias -storepass changeit -file client.cer -keystore keystore.jks
Certificate stored in file
3. Create the truststore (cacerts.jks) from client.cer
C:\jdk1.5.0_13\bin>keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore cacerts.jks -keypass changeit -storepass changeit
Owner: CN=client_hostname, OU=John, O=Sun, L=Bangalore, ST=Karnataka, C=IN
Issuer: CN=client_hostname, OU=John, O=Sun, L=Bangalore, ST=Karnataka, C=IN
Serial number: 4892cc92
Valid from: Fri Aug 01 14:12:58 IST 2008 until: Thu Oct 30 14:12:58 IST 2008
Certificate fingerprints:
MD5: 17:C0:51:E9:BB:42:A1:83:20:B3:AD:64:46:1D:F9:19
SHA1: 54:61:C1:14:B0:21:FD:34:6B:EB:EE:32:50:C8:7A:9D:7A:60:FF:96
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing cacerts.jks]
Access Control :-
Using access control, you can control access to the entire directory, a subtree of the directory, specific entries in the directory (including entries defining configuration tasks), or a specific set of entry attributes.
The aci attribute has the following syntax:
aci: (target)(version 3.0;acl "name";permission bindRules;)
The following is an example of a complete LDIF ACI:
aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)(version 3.0; acl "example"; allow (write) userdn="ldap:///self";)
In this example, the ACI states that the user bjensen has rights to modify all attributes in her own directory entry.
The target can be:
target -> ldap:///distinguished_name
targetattr -> attribute
Adding an ACI at the Command Line
Use the following ldapmodify command to give, for example, Charlene Daniels full rights to the directory:
ldapmodify -h myServer -p 5201 -D "cn=directory manager" -w password
dn: o=MyCorp,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "give charlene full rights"; allow(all) userdn = ldap:///uid=cdaniels,ou=People,o=MyCorp,dc=example,dc=com;)
The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category. This example uses LDAP filtering to select all entries with businessCategory attributes set to Engineering:
dn: dc=example,dc=com
objectClass: top
objectClass: organization
aci: (targetattr="departmentNumber manager") (targetfilter="(businessCategory=Engineering)") (version 3.0; acl "eng-admins-write"; allow (write) groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)
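To see how ACIs of this shape are evaluated, here is an added, deliberately simplified checker (not the directory server's own code): it parses the (target)(targetattr)(targetfilter)(version 3.0; acl ...; allow (...) bindrule;) syntax shown above and decides whether a bound user may perform an operation. The entries, the group membership and the two ACI strings are constructed sample data; the model ignores the scope of the entry holding the ACI, deny rules and compound bind rules.

```python
import re

# Added example (simplified model, not the directory server's own code): parse the ACI
# syntax shown above and decide whether a bound user may perform an operation.
# Constructed sample data: entries keyed by DN, and group membership keyed by group DN.
ENTRIES = {"uid=bjensen,dc=example,dc=com": {"businessCategory": ["Sales"]},
           "uid=jdoe,ou=Eng,dc=example,dc=com": {"businessCategory": ["Engineering"]}}
GROUPS = {"cn=Engineering Admins,dc=example,dc=com": {"uid=cdaniels,ou=People,dc=example,dc=com"}}
ACI_SELF = '(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*)(version 3.0; acl "example"; allow (write) userdn="ldap:///self";)'
ACI_ENG = '(targetattr="departmentNumber manager") (targetfilter="(businessCategory=Engineering)") (version 3.0; acl "eng-admins-write"; allow (write) groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)'

ACI_RE = re.compile(  # (target)(targetattr)(targetfilter)(version 3.0; acl "name"; allow (perms) bindrule;)
    r'^\s*(?:\(target="ldap:///(?P<target>[^"]*)"\)\s*)?'
    r'(?:\(targetattr="?(?P<attrs>[^")]*?)"?\)\s*)?'
    r'(?:\(targetfilter="\((?P<fattr>[^=]+)=(?P<fval>[^)]*)\)"\)\s*)?'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*allow\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<bind>userdn|groupdn)\s*=\s*"?ldap:///(?P<who>[^";]*?)"?\s*;\s*\)\s*$')

def norm_dn(dn):  # canonical form for comparison: no blanks after commas, case-folded
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_aci(text):
    m = ACI_RE.match(text)
    if not m:
        raise ValueError("unparseable aci: " + text)
    aci = m.groupdict()
    aci["perms"] = {p.strip() for p in aci["perms"].split(",")}
    aci["attrs"] = None if aci["attrs"] in (None, "*") else set(aci["attrs"].split())
    return aci

def aci_grants(aci, bind_dn, entry_dn, attr, perm, entries=ENTRIES, groups=GROUPS):
    """True if the ACI allows bind_dn the operation `perm` on `attr` of entry_dn."""
    if aci["target"] and norm_dn(aci["target"]) != norm_dn(entry_dn):
        return False                      # an explicit target names one entry only
    if aci["attrs"] is not None and attr not in aci["attrs"]:
        return False                      # targetattr=* covers every attribute
    if aci["fattr"] and aci["fval"] not in entries.get(entry_dn, {}).get(aci["fattr"], []):
        return False                      # targetfilter is a simple equality match here
    if perm not in aci["perms"] and "all" not in aci["perms"]:
        return False
    who, bind = norm_dn(aci["who"]), norm_dn(bind_dn)
    if aci["bind"] == "userdn":           # "self" means the bound user's own entry
        return bind == (norm_dn(entry_dn) if who == "self" else who)
    members = next((m for g, m in groups.items() if norm_dn(g) == who), ())
    return bind in {norm_dn(m) for m in members}
```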
Referrals:-
A referral contains one or more LDAP URLs of objects, which are returned to the client.
The following values are defined for this property. If the property has not been set, the default is to ignore referrals.
ignore :- Ignore referrals
follow :- Automatically follow any referrals
throw :- Throw a ReferralException for each referral
Search in LDAP :- http://docs.sun.com/source/816-6696-10/cmdline.html#14656
1) The following call returns all entries in the directory:
ldapsearch -h myServer -p 5201 -D "cn=directory manager" -w password -b "dc=example,dc=com" -s sub "objectclass=*"
2) You can specify a search filter directly on the command line. If you do this, be sure to enclose your filter in quotation marks ("filter"). Also, do not specify the -f option. For example:
ldapsearch -h myServer -p 5201 -D "cn=directory manager" -w password -b "dc=example,dc=com" "cn=Charlene Daniels"