Lightweight Directory Access Protocol – LDAP


LDAP (Lightweight Directory Access Protocol) is a protocol for querying and modifying directory services over TCP/IP. A directory is a set of objects with attributes, organized in a hierarchical structure.
An LDAP directory tree most often reflects political, geographic or organizational boundaries, depending on the chosen model. LDAP deployments today tend to use DNS names to structure the upper levels of the hierarchy. Deeper in the directory there may be entries representing people, organizations, printers, documents, groups, or anything else that can be represented as a tree entry.

The current version of LDAP is v3; its specification is found in RFC 4510.
A client starts an LDAP session by connecting to an LDAP server, called a DSA (Directory System Agent), by default on TCP port 389. The client then sends an operation request to the server, and the server sends back a response. With a few exceptions, the client does not have to wait for a response before sending the next request, and the server may send the responses in any order.

The client can request the following operations:
Start TLS – using the LDAPv3 transport security extension (TLS) for a secure connection;
Bind – authenticating and specifying the LDAP protocol version;
Search – search for and/or retrieve directory entries;
Compare – test whether a named entry contains a given attribute value;
Add a new entry;
Delete an entry;
Modify an entry;
Modify Distinguished Name (DN) – moves or renames an entry;
Abandon – abandons a previous request;
Extended Operation – generic operation used to define other operations;
Unbind – close the connection (not the inverse of Bind).

In addition, the server can send “unsolicited notifications” that are not responses to any request.
An alternative method commonly used to secure LDAP communications is an SSL tunnel; the standard port for LDAP over SSL is 636. Using SSL for LDAP was common practice with version 2, but it was never standardized in any specification. This practice was deprecated along with LDAPv2, which was officially retired in 2003. LDAP is defined in ASN.1, and protocol messages are encoded in the binary BER format. It does, however, use textual representations for a number of ASN.1 fields and types.
The client assigns each request a positive message ID, and the server's response carries the same message ID. The response includes a numeric result code indicating success, an error, or some other condition. Before sending the final response, the server can send other messages carrying additional data; for example, each entry found by a Search operation is returned in such a message.

The StartTLS operation establishes transport security on an existing session. It can provide confidentiality (protecting the data from being observed by third parties) and/or data integrity protection.
The Bind operation authenticates the client to the server.
A simple Bind sends the user's DN and password in cleartext, which is why the connection should be protected using Transport Layer Security (TLS).
The server checks the password against the userPassword attribute of the named entry.
An anonymous Bind (empty DN and password) resets the connection to the anonymous state.
SASL Bind provides authentication through a wide range of mechanisms, such as Kerberos or the client certificate presented during TLS.
Bind also sets the LDAP protocol version. Clients should normally use LDAPv3, which is the default in the protocol but not always in LDAP libraries. Bind must be the first operation in a session in LDAPv2, but this is not required in LDAPv3.
The Unbind operation abandons any outstanding operations and closes the connection. It receives no response. The name of the operation is historical; it is not the inverse of Bind. Clients can end a session simply by closing the connection, but they should use Unbind. Unbind lets the server close the connection gracefully and free resources that would otherwise be held until it discovers that the client has abandoned the connection. It also instructs the server to cancel the operations that can be cancelled and not to send responses for those that cannot.
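As an added illustration of the message ID, result code and BER framing described above, and of the Bind, StartTLS and Unbind operations, the following Python script (not part of the original article) hand-encodes a simple Bind request, a StartTLS extended request and an Unbind, and parses a constructed Bind response. The DN `cn=admin,dc=example,dc=com`, the password and the server reply are constructed sample values; the tag numbers, result codes and the StartTLS OID come from RFC 4511. A real client would use an LDAP library rather than encoding messages by hand.

```python
"""Hand-rolled BER encoding of a few LDAPv3 messages (RFC 4511).
Illustrative example; sample DN, password and server reply are constructed."""

# Universal, application and context-specific tags used below.
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST = 0x60       # [APPLICATION 0] constructed
APP_BIND_RESPONSE = 0x61      # [APPLICATION 1] constructed
APP_UNBIND_REQUEST = 0x42     # [APPLICATION 2] primitive NULL
APP_EXTENDED_REQUEST = 0x77   # [APPLICATION 23] constructed
CTX_0_PRIMITIVE = 0x80        # [0]: simple password / extended requestName
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# A few LDAPResult codes from RFC 4511 (not an exhaustive table).
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                13: "confidentialityRequired", 49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(value: int, tag: int = INTEGER) -> bytes:
    """Two's-complement INTEGER/ENUMERATED in the minimum number of octets."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return tlv(tag, value.to_bytes(nbytes, "big", signed=True))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length form")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return tlv(SEQUENCE, ber_int(message_id) + protocol_op)


def bind_request(message_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """Simple bind: DN and password are plain octet strings on the wire,
    which is exactly why this message belongs inside TLS."""
    op = (ber_int(version) + tlv(OCTET_STRING, dn.encode())
          + tlv(CTX_0_PRIMITIVE, password.encode()))
    return ldap_message(message_id, tlv(APP_BIND_REQUEST, op))


def bind_response(message_id: int, result_code: int, matched_dn: str = "",
                  diagnostic: str = "") -> bytes:
    """A server reply, constructed here only so the parser can be exercised."""
    op = (ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, matched_dn.encode())
          + tlv(OCTET_STRING, diagnostic.encode()))
    return ldap_message(message_id, tlv(APP_BIND_RESPONSE, op))


def starttls_request(message_id: int) -> bytes:
    """ExtendedRequest whose requestName is the StartTLS OID (no requestValue)."""
    op = tlv(CTX_0_PRIMITIVE, STARTTLS_OID.encode())
    return ldap_message(message_id, tlv(APP_EXTENDED_REQUEST, op))


def unbind_request(message_id: int) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL; the server sends no reply."""
    return ldap_message(message_id, tlv(APP_UNBIND_REQUEST, b""))


def message_id_of(data: bytes) -> int:
    """Read the messageID that pairs a response with its request."""
    tag, body, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    return int.from_bytes(read_tlv(body)[1], "big", signed=True)


def parse_bind_response(data: bytes) -> dict:
    """Extract message ID, result code and diagnostics from a BindResponse."""
    _, body, _ = read_tlv(data)
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("protocolOp is not a BindResponse")
    tag, rc, pos = read_tlv(op)
    if tag != ENUMERATED:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    code = int.from_bytes(rc, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": code,
            "result_name": RESULT_CODES.get(code, "other"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


if __name__ == "__main__":
    # Constructed exchange: the reply must carry the request's message ID.
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    resp = bind_response(1, 49)
    assert message_id_of(resp) == message_id_of(req)
    print(req.hex())
    print(parse_bind_response(resp))
    print(starttls_request(2).hex(), unbind_request(3).hex())
```

Running the script prints the raw hex of the Bind request, which makes the point of the preceding paragraph visible: the DN and password are readable as plain bytes in the message, so without StartTLS or an SSL tunnel they are readable on the wire as well. A server that refuses simple binds over an unprotected session answers with result code 13 (confidentialityRequired), which the parser names.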

There is also the non-standard ldaps URL scheme for LDAP over SSL. It should not be confused with the TLS obtained through the StartTLS operation over the standard ldap scheme.

By Ilias spiros
