LDAP Directory Services:




  1. LDAP Directory Services: Security

  2. Directory Security Overview • Brief Review of Directories and LDAP • Brief Review of Security • Basic Security Concepts • Security as Applied to Directories • Threats • LDAP Protocol Security Features • Typically Implemented Security Features • Futures • References

  3. Brief Review of Directories & LDAP [diagram: a Client sends an LDAP search for “G,C,A” across the Network to the Directory Service, which resolves it against the Directory Information Tree (DIT), nodes A through I, held in the Directory Database]

  4. Brief Review of Directories & LDAP • What directories are… • Object repositories • Typically read more than written • Have explicit access protocols • Support relatively complex queries • What directories are not… • RDBMSs • Lack notions of.. • Tabular views • JOIN operations • Stored Procedures

  5. Brief Review of Directories & LDAP • Obligatory, overly-simplified, Protocol Stack Diagram Directory-based Application LDAP TCP IP Ethernet, Cable, Wireless, whatever.

  6. Brief Review of Security • Notion of Security for a network protocol is comprised of (at least) these axes.. • Identity & Authentication • “Who are you and who says so?” • Confidentiality • “Tough petunias to eavesdroppers.” • Integrity • “Did anyone muck with this data?” • Authorization • “Yes, you can do that, but no, you can’t do that other thing.”

  7. Basic Security Concepts • Notions... • The notion of Identity • Of Names and Identifiers • Authentication Identity • Authorization Identity • Anonymity

  8. Basic Security Concepts [diagram: the Overall Namespace, partitioned into Names and Identifiers]

  9. Basic Security Concepts • The applicable “science & technology of implementation”... • Ciphers • Encryption • Integrity • AKA Cryptography [11]

  10. Basic Security Concepts, cont’d

  11. Basic Security Concepts, cont’d

  12. Basic Security Concepts, cont’d

  13. Security as Applied to Directories • One needs to separately consider each of the four security axes in the context of anticipated threats. • Also need to consider security from the perspectives of.. • the info stored in the directory, and.. • attributes of the requesters. • E.g. how much you trust them. • Note that.. • data security != access security
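The distinction the slides draw between the authentication identity (who proved who they are) and the authorization identity (whose rights apply), and between data security and access security, is easiest to see by evaluating access rules against a request. The following is an added example, not code from the presentation: a small Python model of directory access control in the style of OpenLDAP slapd `access to ... by ...` directives. The rule semantics are a simplification of slapd.access(5) (the first `to` clause that matches the target is used, within it the first matching `by` clause decides, and a target with no matching `by` clause is denied); the DNs and the two-rule policy are constructed for the example.

```python
"""Model of directory access control evaluated against the *authorization*
identity of a request, in the style of OpenLDAP slapd 'access to ... by ...'
directives.  Constructed example; the rule semantics are a simplification
of slapd.access(5): the first 'to' clause that matches the target is used,
within it the first matching 'by' clause decides, and a target with no
matching 'by' clause is denied."""
from dataclasses import dataclass
from typing import Optional

# slapd-style privilege ladder; each level implies the ones to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Session:
    authn_dn: Optional[str]          # who proved their identity (None = anonymous)
    authz_dn: Optional[str] = None   # whose rights apply; defaults to authn_dn

    def subject(self) -> Optional[str]:
        return self.authz_dn if self.authz_dn is not None else self.authn_dn


@dataclass
class Rule:
    attrs: Optional[set]             # None = every attribute of every entry ("to *")
    by: list                         # ordered (who, level) pairs


def _who_matches(who: str, subject: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "users":
        return subject is not None
    if who == "self":
        return subject is not None and subject.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return subject is not None and subject.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unknown <who> clause: {who}")


def granted_level(rules, session: Session, entry_dn: str, attr: str) -> str:
    """Level the policy grants this session on one attribute of one entry."""
    subject = session.subject()
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in {a.lower() for a in rule.attrs}:
            continue
        for who, level in rule.by:
            if _who_matches(who, subject, entry_dn):
                return level
        return "none"          # matching 'to', no matching 'by': denied
    return "none"              # no 'to' clause matched: denied


def allowed(rules, session: Session, entry_dn: str, attr: str, requested: str) -> bool:
    return LEVELS.index(granted_level(rules, session, entry_dn, attr)) >= LEVELS.index(requested)


# Constructed policy, equivalent to:
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to * by self write by users read by * none
POLICY = [
    Rule({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    Rule(None, [("self", "write"), ("users", "read"), ("*", "none")]),
]

ALICE = "uid=alice,ou=people,dc=example,dc=edu"   # made-up DNs
BOB = "uid=bob,ou=people,dc=example,dc=edu"


def demo() -> dict:
    anon = Session(None)
    bob = Session(BOB)
    # a service account (authentication identity) acting for alice (authorization identity)
    proxy = Session(authn_dn="cn=webapp,ou=services,dc=example,dc=edu", authz_dn=ALICE)
    return {
        "anon_can_bind_as_alice": allowed(POLICY, anon, ALICE, "userPassword", "auth"),
        "anon_reads_alice_password": allowed(POLICY, anon, ALICE, "userPassword", "read"),
        "anon_reads_alice_mail": allowed(POLICY, anon, ALICE, "mail", "read"),
        "bob_reads_alice_mail": allowed(POLICY, bob, ALICE, "mail", "read"),
        "bob_reads_alice_password": allowed(POLICY, bob, ALICE, "userPassword", "read"),
        "bob_writes_own_password": allowed(POLICY, bob, BOB, "userPassword", "write"),
        "proxy_writes_alice_password": allowed(POLICY, proxy, ALICE, "userPassword", "write"),
    }
```

The `auth` level is what lets an anonymous connection bind as alice (the server compares the supplied password against `userPassword`) without ever being able to read that attribute, which is the data-security versus access-security point of slide 13 in one rule.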

  14. Example Deployment Scenarios

  15. Directory Security Threats [diagram: the slide-3 scenario with threat points numbered 1 through 7 overlaid, placed at the Directory Database (1), the Legitimate Directory Service (2, 3, 7), the DIT (4), the LDAP Network path between Client and service (5, 6), and an Imposter Directory Service answering in place of the legitimate one (7)]

  16. Threats, cont’d [diagram: threat points 8, 9 and 10 placed among the Network, the Directory Service Host(s) and the Directory Database]

  17. LDAP Protocol Security Features • Formal notions of.. • Authentication Identifiers [7], and.. • Authorization Identifiers [7] • Leverages several security mechanisms.. • Simple passwords [2, 8] • SASL [6] • Kerberos [2] • Digest [4] • SSL/TLS [7] • effectively is a session layer • The above may be used in various combinations together.

  18. LDAP Protocol Security Features • Integral-to-the-protocol data integrity and attribution are works-in-progress.

  19. LDAP Security Features Illustrated [diagram: the slide-3 scenario again; the Client’s LDAP search for “G,C,A” now runs over an authenticated, confidentiality- and integrity-protected channel to the Legitimate Directory Service, and the Imposter Directory Service sits outside that channel]

  20. Brief Intro to Directories and LDAP [protocol stack diagram with TLS added: Directory-based Application / LDAP / TLS / TCP / IP / Ethernet, Cable, Wireless, etc.]

  21. Brief Intro to Directories and LDAP [protocol stack diagram with both TLS and SASL layered between the Directory-based Application / LDAP and TCP / IP / Ethernet, Cable, Wireless, etc.]

  22. Typical Security Features of Impls • Security Features typically found in LDAP Implementations • Simple password-based Authentication. • SSL on port 636 (aka “LDAPS”) • At least one impl does StartTLS on port 389. • Access control. • Configurability (e.g. Netscape’s DS Plug-ins).
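Slides 17 and 22 list the mechanisms (simple password, SASL, SSL/TLS on 636, StartTLS on 389) but not what they look like on the wire. The following is an added example, not code from the presentation or from any LDAP implementation: hand-rolled BER encoders and a decoder for three LDAPv3 messages from RFC 4511, using only the Python standard library. The DNs, passwords and SASL mechanism name are constructed; the tag values and the StartTLS OID are the ones the RFC specifies. The point it makes is the one behind slide 22: a simple bind on port 389 puts the password in the clear unless the connection is either LDAPS (TLS before any LDAP message) or upgraded with StartTLS first.

```python
"""Hand-rolled BER encoders/decoders for three LDAPv3 messages (RFC 4511)
that the security discussion turns on: a simple bind, a SASL bind and the
StartTLS extended request.  Constructed example, standard library only; it
builds the bytes a client would write to port 389 (or to an already
established TLS socket on port 636 for LDAPS)."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

# BER tags used below (universal, application and context-specific classes)
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
APP_BIND_REQUEST, APP_BIND_RESPONSE, APP_EXTENDED_REQUEST = 0x60, 0x61, 0x77
CTX_SIMPLE, CTX_SASL, CTX_REQUEST_NAME = 0x80, 0xA3, 0x80


def ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER (message IDs, protocol version); keeps a leading
    zero byte when the high bit would otherwise read as a sign bit."""
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    return tlv(SEQUENCE, ber_int(msg_id) + protocol_op)


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """BindRequest with AuthenticationChoice.simple: the password travels as a
    plain OCTET STRING, so without TLS every hop can read it."""
    body = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(CTX_SIMPLE, password.encode())
    return ldap_message(msg_id, tlv(APP_BIND_REQUEST, body))


def sasl_bind_request(msg_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """BindRequest with AuthenticationChoice.sasl (e.g. GSSAPI for Kerberos,
    DIGEST-MD5); the name is normally empty because SASL carries the identity."""
    sasl = tlv(OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += tlv(OCTET_STRING, credentials)
    body = ber_int(3) + tlv(OCTET_STRING, b"") + tlv(CTX_SASL, sasl)
    return ldap_message(msg_id, tlv(APP_BIND_REQUEST, body))


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest carrying the StartTLS OID, sent in the clear on port 389;
    after a success ExtendedResponse the same TCP connection is upgraded to TLS."""
    return ldap_message(msg_id, tlv(APP_EXTENDED_REQUEST, tlv(CTX_REQUEST_NAME, STARTTLS_OID)))


def bind_response(msg_id: int, result_code: int, matched_dn: str = "", diagnostic: str = "") -> bytes:
    """What the server answers; result codes below 128 fit one ENUMERATED byte."""
    body = (tlv(ENUMERATED, bytes([result_code])) + tlv(OCTET_STRING, matched_dn.encode())
            + tlv(OCTET_STRING, diagnostic.encode()))
    return ldap_message(msg_id, tlv(APP_BIND_RESPONSE, body))


def _read_tlv(buf: bytes, pos: int):
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(frame: bytes):
    """Returns (message_id, result_code, matched_dn, diagnostic_message)."""
    tag, body, _ = _read_tlv(frame, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, raw_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != APP_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, rc, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(raw_id, "big"), int.from_bytes(rc, "big"), matched.decode(), diag.decode()


def password_on_the_wire(frame: bytes, password: str) -> bool:
    """The eavesdropper's check: is the secret literally in the captured bytes?"""
    return password.encode() in frame
```

A client that talks to port 389 should send `starttls_request` first and only issue `simple_bind_request` once the TLS handshake has completed on the upgraded socket; a client using LDAPS completes TLS on port 636 before the first LDAPMessage. Either way `password_on_the_wire` is only true for what is inside the TLS record, not for what an on-path observer sees.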

  23. Typical Impl Security Features, cont’d • Important Notice: • The LDAP protocol is NOT an authentication protocol in and of itself (IMHO). • One MAY use LDAP itself as an authentication protocol, but one needs to carefully consider what functionality it does and doesn’t bring to your deployment when used in this manner. • Deployment configuration is critical • Many server-side knobs • e.g. requiring client authentication
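One concrete case of “what functionality it does and doesn’t bring” when an application uses a simple bind as its login check: LDAP defines a bind with a name but an empty password as an unauthenticated bind, which a server may answer with success while leaving the session anonymous. The following is an added example, not code from the presentation: a Python model of that behaviour (after RFC 4513 section 5.1, the current form of the Authentication Methods for LDAP specification, and the “Who am I?” operation of RFC 4532), with a naive login check beside a hardened one. The directory contents, DNs and passwords are constructed; a real server compares against a hashed `userPassword`, not a plaintext table.

```python
"""Model of what a simple bind does and does not tell an application that
uses LDAP as its authentication protocol.  Constructed example; the server
below models the three simple-bind cases of RFC 4513 section 5.1
(anonymous, unauthenticated, name/password) and the 'Who am I?' extended
operation of RFC 4532.  DNs and passwords are made up."""
from dataclasses import dataclass

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53   # LDAP resultCodes


@dataclass
class Session:
    result_code: int
    authz_id: str        # "" = anonymous, "dn:<DN>" = bound as that entry


class ModelDirectory:
    """Bind semantics only; a real server compares against a hashed userPassword."""

    def __init__(self, passwords: dict, allow_unauthenticated: bool = True):
        self.passwords = passwords                  # DN -> password (model only)
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn: str, password: str) -> Session:
        if dn == "" and password == "":             # anonymous bind
            return Session(SUCCESS, "")
        if password == "":                          # unauthenticated bind: a name, no proof
            if self.allow_unauthenticated:          # the historically common server default
                return Session(SUCCESS, "")         # success, but the session is anonymous
            return Session(UNWILLING_TO_PERFORM, "")
        if self.passwords.get(dn) != password:
            return Session(INVALID_CREDENTIALS, "")
        return Session(SUCCESS, "dn:" + dn)

    def whoami(self, session: Session) -> str:
        """RFC 4532 'Who am I?': the authorization identity the server holds."""
        return session.authz_id


def naive_login(directory: ModelDirectory, dn: str, password: str) -> bool:
    """Treats any successful bind as proof of identity (the bug)."""
    return directory.simple_bind(dn, password).result_code == SUCCESS


def hardened_login(directory: ModelDirectory, dn: str, password: str) -> bool:
    """Refuses credentials the protocol would treat as anonymous, and confirms
    with Who am I? that the session really is bound as the claimed entry."""
    if not dn or not password:
        return False
    session = directory.simple_bind(dn, password)
    if session.result_code != SUCCESS:
        return False
    return directory.whoami(session) == "dn:" + dn


ALICE = "uid=alice,ou=people,dc=example,dc=edu"          # made-up entry
DIRECTORY = ModelDirectory({ALICE: "correct horse battery staple"})
```

The empty-password check belongs in the application regardless of the server-side knob, because the application cannot know how every directory it is ever pointed at is configured; the Who am I? check additionally catches a server that maps the bind to some other authorization identity than the one the application assumed.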

  24. Example Directory Service Deployment(s) [diagram: Desktop Clients and other Clients speak LDAP to an LDAP-based Directory Service backed by a Directory DB; a separate Authentication Service is backed by an Auth DB]

  25. Behind the Scenes (simplified) [diagram: Network-based Applications and Desktops (Browsers) read from the Directory Service over LDAP; the SUNetID System and a Registry (with Registry DB and Auth DB) feed the Directory DB through a Middleware Event Broker; a Web-based User Interface for Data Maintenance takes effectively authenticated writes over HTTP from the Subject’s Desktop (browser); several components are labelled TDS]

  26. Security Case Study • Case Studies of Application of Security • See.. • Access-Controlled White Pages at Stanford. RL “Bob” Morgan, University of Washington, March 1999. • http://staff.washington.edu/rlmorgan/talk/dir.ac.nac.1999.03/top.html • See also Refs [16..18].

  27. Futures • Integral-to-the-protocol Data Integrity • Implementations of the StartTLS protocol operation. • Implementations adhering to the Authentication Methods for LDAP requirements and recommendations. • Hopefully, implementations (in addition to Microsoft’s Active Directory) utilizing Kerberos out-of-the-box. • Schema standardization and stabilization will continue. • You too can participate in the IETF process. • I encourage deployers to invest in the process!
