Directory Services


A directory service is a network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

  • Each object in the directory has a number of attributes
  • the directory schema describes:
    • the types of attributes
    • what information they contain
    • and whether they are required or optional
  • the principal means of implementing privilege management and authorization on an enterprise network

How It Works

  • when an authenticated user logs on to a network,

    1. the server's security service generates an access key for the user
      • contains the username and group memberships of the user
    2. when the user attempts to access a resource, their access key is provided as identification
    3. security service matches username and group memberships from the access key with entries in the access list
      • calculates the user's access privileges
  • all this information is stored in a directory

    • similar to a database
      • but made of objects and attributes
        • an object is like a record
        • info about the object (attributes) are like fields
    • most directories are based on the same standard
      • for interoperability between vendor products

X.500 Standards

  • the main directory standard is the X.500 series of standards
    • X.500 is complex
    • most directory services are implementations of the Lightweight Directory Access Protocol (LDAP)
    • each object has a unique identifier called a distinguished name (DN)
      • made up of attribute value pairs, separated by commas
      • most specific attribute is listed first
        • referred to as the relative distinguished name
          • it uniquely identifies the object within the context of successive (parent) attribute values
      • successive attributes become progressively broader
    • the directory schema describes:
      • the types of attributes
      • what information they contain
      • the way object types are defined through attributes
      • e.g., distinguished name of a web server operated by Widget in London may be:
        • CN=WIDGETWEB, OU=Marketing, O=Widget, L=London, ST=London, C=UK, DC=Widget, DC=example
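As an added example (not part of the original notes), a small Python parser for the DN format described above: it splits a DN into its RDNs while honouring RFC 4514 backslash escapes, returns the relative distinguished name, and lists the successively broader parent contexts. The Widget DN is the page's example; the escaped-comma DN is a constructed input.

```python
"""Parse an X.500/LDAP distinguished name (DN) into RDNs and parent contexts."""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas. A backslash-escaped comma (RFC 4514),
    e.g. in 'O=Widget\\, Inc', is part of the value and does not end the RDN."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # character after a backslash is taken literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":        # unescaped comma separates RDNs
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split one RDN into (attribute type, value); types are case-insensitive."""
    if "=" not in rdn:
        raise ValueError(f"malformed RDN (no '='): {rdn!r}")
    attr, value = rdn.split("=", 1)
    return attr.strip().upper(), value.strip()


def relative_dn(dn: str) -> Tuple[str, str]:
    """Most specific attribute-value pair: the relative distinguished name."""
    return parse_rdn(split_dn(dn)[0])


def parent_chain(dn: str) -> List[str]:
    """Parent DNs from nearest to broadest; each is the context that makes
    the preceding RDN unique."""
    rdns = split_dn(dn)
    return [", ".join(rdns[i:]) for i in range(1, len(rdns))]


def normalize_dn(dn: str) -> str:
    """Canonical form (uppercased types, no padding) for comparing two DNs that
    name the same object, e.g. when matching a bound DN against an ACL entry."""
    return ",".join(f"{t}={v}" for t, v in map(parse_rdn, split_dn(dn)))


if __name__ == "__main__":
    widget = "CN=WIDGETWEB, OU=Marketing, O=Widget, L=London, ST=London, C=UK, DC=Widget, DC=example"
    print("RDN:", relative_dn(widget))
    for parent in parent_chain(widget):
        print("parent:", parent)
```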

Securing Directory Services

  • LDAP itself provides no security
    • all transmissions are in plaintext
  • a server that allows anonymous access by unauthenticated clients is vulnerable to being overloaded by DoS attacks
  • authentication
    • referred to as binding to the server
    • can be implemented by:
      • No authentication
        • anonymous access is granted to the directory
      • Simple bind
        • client must supply its distinguished name (DN) and password
        • passed as plaintext
      • Simple Authentication and Security Layer (SASL)
        • framework that allows a client and server to negotiate authentication and encryption parameters to make the connection over TCP port 389 secure
        • negotiate the use of a supported auth mechanism
          • e.g., Kerberos
        • STARTTLS command is used to require:
          • certificate-based encryption (sealing)
          • message integrity (signing)
        • preferred mechanism for Microsoft Active Directory
      • LDAP Secure (LDAPS)
        • server is installed with a digital certificate used to:
          • set up a TLS session to authenticate to the server
          • protect the user's LDAP credentials and data
        • uses port 636
  • if secure access is required
    • anonymous and simple bind access methods should be disabled
  • two levels of access need to be granted on the directory:
    • read-only access (query)
    • read/write access (update)
    • implemented using an access control policy
      • precise mechanism is vendor-specific and not specified by the LDAP standards documentation
  • LDAP directory server should only be accessible from the private network
    • unless it is hosting a public service
    • so LDAP ports 389 (TCP + UDP) should be blocked by a firewall from access over the public interface