
Lightweight Directory Access Protocol Overview

Our discussion focuses on the Pluggable Authentication Modules (PAM), LDAP, and the Berkeley Software Distribution (BSD) variants of UNIX. This class of UNIX variants comprises some of the best-known versions of UNIX, such as Apple Mac OS X, FreeBSD, NetBSD, OpenBSD, OpenDarwin, and PC-BSD, to name a few. This wide variety of distributions, combined with a robust feature set (the C shell, enhanced security, portability, the vi editor, TCP/IP networking, paged virtual memory, and more), makes BSD UNIX a compelling choice for enterprise use.

PAM

We begin with an examination of the Pluggable Authentication Modules (PAM), invented by Sun Microsystems, Inc. PAM is central to LDAP authentication because BSD and the other UNIX variants use it to authenticate their sessions. FreeBSD 5.x and NetBSD 3.x use OpenPAM, FreeBSD 4.x uses Linux-PAM, and Sun Solaris 11, IBM AIX, HP-UX, and virtually all Linux distributions use PAM. PAM is not the only framework of its type (GSSAPI is another, and SSSD, which itself plugs into PAM and NSS, is a more recent one), but it is the most widely used. PAM is an application programming interface (API) for authentication services that lets network administrators deploy additional authentication methods, such as /etc/passwd, /etc/shadow, a simple trust as in pam_permit, a retinal scan or voice print, a one-time password, NIS, NIS+, SSH, RADIUS, SESAME, Kerberos, or LDAP, simply by installing new PAM modules and editing the configuration file that tells the system which authentication modules to use. PAM can also be used to modify authentication policies and to enforce resource limits: file size, number of logins, memory address space, stack size, CPU time, number of processes, and other criteria, with violations logged to syslog. (Seifried, 2001)

The need for PAM arose from several factors. One was that every program that authenticated users against /etc/passwd had to be modified and recompiled whenever the authentication scheme changed. Another was the subsequent introduction of the Network Information System (NIS), which allowed centralized control over the systems in a NIS domain. Thereafter came "shadow password" usage, followed by Kerberos, stronger password hashing, and LDAP. (Pollock, 2013)

PAM Implementation

To make a FreeBSD system authenticate against an LDAP server we edit a PAM policy file, typically /etc/pam.d/sshd, and insert the line "auth sufficient /usr/local/lib/pam_ldap.so no_warn" ahead of the pam_unix entry; pam_ldap then binds to the directory with the user's credentials, allowing SSH logins with LDAP accounts. (Burress, 2013) Because the control flag is "sufficient", a successful LDAP bind ends the auth stack, while a failure falls through to pam_unix, so local accounts keep working if the directory is unreachable. The nss_ldap module lets UNIX applications look up users, hosts, and groups in the LDAP directory, following the schema of RFC 2307. (Howard, 1998) The Name Service Switch (NSS) lets applications resolve these names through LDAP alongside NIS and the flat files by mapping directory attributes onto the fields of the traditional databases; NSS performs lookups, not authentication. A further module, pam_ldap, lets "PAM-aware" applications authenticate users against information stored in an LDAP directory. A PAM-aware application is, in essence, any service, process, command, or application (login, su, Telnet, SSH, PPP, FTP, Samba, the POP and IMAP mail servers, and so on) that relies on PAM modules for authentication. The policies that select these modules live in the "/etc/pam.conf" file or the "/etc/pam.d" directory. As an example, the PAM configuration file for the "/bin/su" command in Linux distributions is "/etc/pam.d/su". A service generically named "other" provides defaults for PAM-aware services that are not explicitly configured. To check whether a UNIX command is PAM-aware we run "ldd" on it and look for libpam among the shared libraries it links. (Garfinkel et al., 2003)

Finally, as the name "Pluggable Authentication Modules" implies, modules are central to PAM. PAM modules are self-contained pieces of program code that implement the primitives of one or more facilities for a particular mechanism. Two common modules are pam_krb5, which verifies a user's identity and establishes user-specific credentials, and pam_ksu, which determines whether a user may assume another user's privileges via su, both using Kerberos 5. (Lupi, 2013) Other authentication modules work against the UNIX password database, NIS, RADIUS, and LDAP, which is the focus of our discussion going forward.

Lightweight Directory Access Protocol (LDAP) Overview

LDAP is an IETF client/server protocol specified in RFC 4510, "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map". (Zeilenga, 2006) As of this writing, the current stable version of OpenLDAP is OpenLDAP 2.4.34. ("OpenLDAP Software 2.4 Administrator's Guide", 2013) LDAP originated in the X.500/ISO-9594 standards and was intended as a simplified protocol that small systems could implement to access X.500 directories. (Findlay, 2005) Early LDAP servers were gateways: clients spoke LDAP to the gateway, which in turn used the Directory Access Protocol (DAP) to reach an X.500 server. DAP is resource-intensive and requires a full OSI protocol stack, so LDAP was designed to run over TCP/IP and offer the same functionality as DAP while using fewer resources. ("OpenLDAP Software 2.4 Administrator's Guide", 2013)

Directory Service

Directories typically hold descriptive, attribute-based information and offer sophisticated filtering, but they do not support the complicated transactions or roll-back of a DBMS designed for high-volume, complex updates. Ideally a directory responds quickly to high-volume lookup and search operations. For reliability and availability it should be able to replicate information efficiently, keeping data inconsistencies to a minimum while replication is in progress. There are various ways to implement a directory service. One is "local", which serves a single system; another is "global", which serves a larger scope such as the Internet. A global service is customarily distributed over multiple systems that cooperate to provide one directory service, with a uniform "namespace" that presents the same view of the data regardless of which system the user is on. ("OpenLDAP Software 2.4 Administrator's Guide", 2013)

LDAP

In operation, an LDAP client connects to an LDAP server and binds, that is, authenticates, by presenting an authorization identifier (typically a distinguished name) together with its credential; it can then query the directory tree held in the server's backend database. The server validates the request against the user information it stores. If identification succeeds, the application populates the user's credentials along with the authorization identifier, the user is authenticated and identified against the LDAP store, and access to the resource is granted once the correct credentials have been passed. By deploying an LDAP server on a network, all of these resources can authenticate with the same user ID and password combination, which provides Single Sign-On (SSO) functionality; an LDAP server is therefore a very useful way to implement authentication and SSO. As depicted in Fig. 1, a user logs in to the "Portal A" resource, which validates the user information and generates an authorization identifier. The request is then routed from Portal A, together with the authorization identifier, to the LDAP server, where it is validated against the stored user information; if identification succeeds, the resource populates the user credentials along with the authorization identifier. When the user then accesses Portal B, Portal A forwards the user information and the authorization identifier to the "Portal B" application. Portal B routes the request to the LDAP server for user identification, and the user is authenticated and identified against the LDAP store and can log on to Portal B automatically once the correct credentials are passed. (Khurana, 2012)
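The client side of the PAM Implementation section above (the pam_ldap line in /etc/pam.d/sshd, the ldap.conf that nss_ldap and pam_ldap read, and the ldd check), as an added example that is not part of the original paper or of the FreeBSD article it cites. The host name, base DN, certificate path and service layout are hypothetical. The script embeds a constructed FreeBSD-style sshd policy and a constructed ldap.conf, then lints both for the two properties that decide whether the setup is safe: pam_ldap listed as "sufficient" ahead of a pam_unix entry that is still present, and TLS with server-certificate verification so bind passwords never cross the wire in clear.

```shell
#!/bin/sh
# Added example: a FreeBSD-style /etc/pam.d/sshd that authenticates against
# LDAP, the ldap.conf that nss_ldap/pam_ldap read, and a linter for both.
# Not code from the paper or from FreeBSD; host, base DN and paths are
# hypothetical.

# Constructed sshd policy. The pam_ldap line is the one the text quotes;
# it sits ahead of pam_unix, which stays as the fallback for local
# accounts (root included) when the directory is unreachable.
PAMD_SSHD='# /etc/pam.d/sshd (constructed sample)
# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn
auth        required    pam_unix.so                 no_warn try_first_pass
# account
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
# session
session     required    pam_permit.so
# password
password    required    pam_unix.so                 no_warn try_first_pass
'

# Constructed client configuration for nss_ldap/pam_ldap (hypothetical values).
LDAP_CONF='# /usr/local/etc/ldap.conf (constructed sample)
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/cacert.pem
tls_checkpeer yes
pam_login_attribute uid
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one
'

# pam_aware BINARY: the ldd check from the text; true if BINARY links libpam.
pam_aware() { ldd "$1" 2>/dev/null | grep -q libpam; }

# check_pam_stack [FILE]: exit 0 if the auth facility lists pam_ldap as
# "sufficient" before a still-present pam_unix; otherwise say why and exit 1.
# Reads FILE, or stdin when no argument is given.
check_pam_stack() {
    awk '
    $1 == "auth" && $3 ~ /pam_ldap\.so$/ { ldap_line = NR; ldap_flag = $2 }
    $1 == "auth" && $3 ~ /pam_unix\.so$/ { unix_line = NR }
    END {
        if (!ldap_line) { print "FAIL: no pam_ldap entry in the auth stack"; exit 1 }
        if (ldap_flag != "sufficient") {
            print "FAIL: pam_ldap control flag is \"" ldap_flag "\", expected sufficient"; exit 1
        }
        if (!unix_line) {
            print "FAIL: no pam_unix fallback: local accounts could not log in without the directory"; exit 1
        }
        if (unix_line < ldap_line) {
            print "FAIL: pam_unix precedes pam_ldap: a required pam_unix failure marks the stack failed before pam_ldap runs"; exit 1
        }
        print "OK: pam_ldap (sufficient) precedes pam_unix"
    }' ${1:+"$1"}
}

# check_ldap_conf [FILE]: exit 0 if the client encrypts the session (ldaps://,
# ssl on, or ssl start_tls) and verifies the server certificate; else exit 1.
# Understands the nss_ldap keyword tls_checkpeer and OpenLDAP's TLS_REQCERT.
check_ldap_conf() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    { key = tolower($1); val = tolower($2) }
    key == "uri"           { uri = val }
    key == "ssl"           { ssl = val }
    key == "tls_checkpeer" { verify = (val == "yes") }
    key == "tls_reqcert"   { verify = (val == "demand" || val == "hard") }
    END {
        if (uri == "") { print "FAIL: no uri"; exit 1 }
        if (uri !~ /^ldaps:\/\// && ssl != "start_tls" && ssl != "on") {
            print "FAIL: " uri " without TLS: bind passwords would cross the network in clear"; exit 1
        }
        if (!verify) {
            print "FAIL: server certificate not verified; set tls_checkpeer yes (nss_ldap) or TLS_REQCERT demand (OpenLDAP)"; exit 1
        }
        print "OK: TLS in use and the server certificate is verified"
    }' ${1:+"$1"}
}

# Stand-alone demo: lint the two constructed files.
printf '%s' "$PAMD_SSHD" | check_pam_stack
printf '%s' "$LDAP_CONF" | check_ldap_conf
```

Run the checks against the real files with `check_pam_stack /etc/pam.d/sshd` and `check_ldap_conf /usr/local/etc/ldap.conf`, and `pam_aware /usr/bin/su` to confirm a binary is PAM-aware before editing its policy. The ordering test matters because PAM evaluates the auth stack top to bottom: a "required" pam_unix placed first records a failure for every LDAP-only user before pam_ldap is ever consulted, while dropping pam_unix altogether turns a directory outage into a lockout of root.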

(Fig. 1)

(Khurana, 2012)

LDAP Components

An LDAP server organizes its data into a "tree" of entries, each belonging to one or more object classes and each holding attributes with values. For example, "cn" is the entry's common name and distinguishes it from the other entries under the same parent in the tree. The user's login ID is "uid", "uidNumber" is the user's UNIX UID, and "gidNumber" is the user's primary group. "homeDirectory" holds the path of the user's home directory, and "userPassword" holds the user's (hashed) password; the "shadowAccount" object class adds the password-aging attributes that /etc/shadow would otherwise hold, such as shadowLastChange and shadowMax. The login shell is "loginShell", and "gecos" holds the user's comment field, which usually consists of the user's full name.

LDAP Data Integrity

Connections to an OpenLDAP server can be secured with TLS, which encrypts the client/server transactions end to end and makes unauthorized modification of the data stream highly improbable. In further support of data integrity, the LDAP server is issued a public-key certificate signed by a certifying authority. A client that validates the server's certificate chain against that authority (TLS_REQCERT demand in OpenLDAP's ldap.conf, or tls_checkpeer yes for nss_ldap/pam_ldap) is therefore assured of the integrity and confidentiality of its communications with that server; a client configured to accept any certificate gets protection from a passive eavesdropper only. For availability, the LDAP data store is replicated to secondary servers, which provides redundancy should the master server fail; OpenLDAP 2.4 does this with syncrepl, the older "slurpd" daemon having been removed in that release. ("OpenLDAP Software 2.4 Administrator's Guide", 2013)
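The attribute mapping from the LDAP Components section, as an added example that is not from the paper or from nss_ldap itself: an awk-based LDIF reader that turns RFC 2307 posixAccount and shadowAccount entries into the passwd(5) and shadow-style lines a client would synthesise from them. The LDIF is constructed for this example (the DN, uid, UID/GID numbers and hash are invented) and its values are written unencoded; real ldapsearch output base64-encodes userPassword (the "attr::" form), which this reader deliberately does not decode, so such a hash is reported as "*".

```shell
#!/bin/sh
# Added example: map RFC 2307 entries in LDIF onto passwd(5)/shadow-style
# lines, the way nss_ldap does for the C library. Not code from the paper
# or from nss_ldap; the LDIF below is constructed and every value in it
# (DN, uid, UID/GID numbers, hash) is invented.

SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/sh
gecos: Alice Example,Room 12
userPassword: {CRYPT}$6$saltsalt$hashhashhashhash
shadowLastChange: 19000
shadowMax: 90
shadowWarning: 7

dn: uid=svc-backup,ou=people,dc=example,dc=com
objectClass: posixAccount
cn: backup service
uid: svc-backup
uidNumber: 10002
gidNumber: 10002
homeDirectory: /nonexistent
loginShell: /usr/sbin/nologin
userPassword: {SSHA}not-a-crypt-hash-so-libc-cannot-verify-it
'

# ldif_nss MODE [FILE]: parse LDIF from FILE (or stdin) and print one
# passwd line per posixAccount entry (MODE=passwd) or one shadow line per
# shadowAccount entry (MODE=shadow). Attribute and object class names are
# matched case-insensitively, as LDAP itself does.
ldif_nss() {
    mode=$1; shift
    awk -v mode="$mode" '
    function flush(   p, h) {
        if (mode == "passwd" && oc["posixaccount"])
            printf "%s:x:%s:%s:%s:%s:%s\n", a["uid"], a["uidnumber"], a["gidnumber"],
                   a["gecos"], a["homedirectory"], a["loginshell"]
        if (mode == "shadow" && oc["shadowaccount"]) {
            p = a["userpassword"]
            # crypt(3) on the client can only verify a {CRYPT} hash; any other
            # scheme, a base64 value, or no value at all becomes "*", the same
            # "no usable hash" marker /etc/shadow would carry.
            h = (tolower(substr(p, 1, 7)) == "{crypt}") ? substr(p, 8) : "*"
            printf "%s:%s:%s:%s:%s:%s:%s:%s:%s\n", a["uid"], h,
                   a["shadowlastchange"], a["shadowmin"], a["shadowmax"],
                   a["shadowwarning"], a["shadowinactive"], a["shadowexpire"],
                   a["shadowflag"]
        }
        delete a; delete oc
    }
    /^[ \t]*$/ { flush(); next }                              # blank line ends an entry
    /^#/       { next }                                       # LDIF comment
    /^ /       { a[lastk] = a[lastk] substr($0, 2); next }    # folded continuation line
    {
        i = index($0, ":")
        if (i == 0) next
        k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
        b64 = (substr(v, 1, 1) == ":")                        # "attr:: <base64>" form
        if (b64) v = substr(v, 2)
        sub(/^ +/, "", v)
        if (k == "objectclass") oc[tolower(v)] = 1
        else a[k] = b64 ? "::" v : v                          # keep a marker; not decoded here
        lastk = k
    }
    END { flush() }
    ' ${1:+"$1"}
}

ldif_to_passwd() { ldif_nss passwd "$@"; }
ldif_to_shadow() { ldif_nss shadow "$@"; }

# Stand-alone demo over the constructed LDIF.
printf '%s' "$SAMPLE_LDIF" | ldif_to_passwd
printf '%s' "$SAMPLE_LDIF" | ldif_to_shadow
```

Feed it a real export with `ldapsearch -LLL -b ou=people,dc=example,dc=com objectClass=posixAccount | ldif_to_passwd` (base DN assumed). The shadow mapping also shows why userPassword should be read-protected by the server's ACLs: if nss_ldap can fetch the hash for every client, so can any other bound client, and a {CRYPT} hash is exactly what an offline password cracker wants. A client that authenticates through pam_ldap never needs the hash at all, because the bind is verified on the server.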

Conclusion

It may be posited that LDAP authentication has a fair number of shortcomings, such as the additional licensing (for commercial directory products) and maintenance costs of the LDAP server. Other disadvantages are that it requires stronger network security between the server and the resources that communicate with it, and application customization for integration with other systems. (Khurana, 2012) Further, updating an LDAP database is more complex than updating a NIS master. Nonetheless, we must concede that LDAP authentication has numerous benefits, beginning with being a viable alternative to NIS or NIS+. Its primary advantages include its capacity to store and serve both non-authentication and authentication data, and the availability of that data over channels secured by TLS. The user accounts against which credentials are checked are, moreover, stored as directory entries whose structure is governed by the LDAP schema, i.e. the set of rules that define what can be stored as entries in an LDAP directory.

It also bears pointing out the many benefits of centralized administration, such as removing the need to define the same user ID across multiple systems; this SSO functionality also permits consistent control over password complexity policies, expiration policies, and password resets. LDAP allows complex ACLs, which permit fine-grained tuning of permissions on directory entries. Additionally, having a single instance of each user on the network simplifies the creation and deletion of accounts. Finally, LDAP data may be used for other purposes, such as phone directories, mail routing, and staff databases, which reduces data redundancy and inconsistency. (van Meer, 2001)

References

Burress, T. (2013). LDAP Authentication. Retrieved from http://www.freebsd.org/doc/en/articles/ldap-auth/article.html

Burnside, M., Lu, M., & Keromytis, A. D. (2008, November). Authentication on untrusted remote hosts with public-key sudo. In Proceedings of the 22nd Large Installation System Administration Conference (LISA '08): November 9-14, 2008, San Diego, California, USA (pp. 103-107). USENIX Association.

Findlay, A. (2005, February). LDAP Schema Design. In UKUUG Winter Technical Conference, London.

Garfinkel, S., Spafford, G., & Schwartz, A. (2003). Practical UNIX and Internet Security. O'Reilly Media, Inc.

Houle, B. (2012). sudo Authentication via SSH Agent. Retrieved from http://siliconexus.com/blog/2012/11/sudo-authentication-via-ssh-agent/

Howard, L. (1998). RFC 2307. An approach for using LDAP as a network information service.

Khurana, A. (2012). Single Sign-On (SSO) Implementation Using LDAP Server. Retrieved from http://www.webportalclub.com/2011/12/single-sign-on-sso-implementation-using.html

Lupi, F. (2013). Pluggable Authentication Modules (PAM). The NetBSD Guide.

Marshall, B. (2001). Introduction to LDAP. Retrieved from ftp://crimson.ihg.uni-duisburg.de/LDAP/docs/ldap_tut_v2.pdf

OpenLDAP Software 2.4 Administrator's Guide. (2013). Retrieved from http://www.openldap.org/doc/admin24/

Pollock, W. (2013). PAM Tutorial. Retrieved from http://content.hccfl.edu/pollock/AUnix2/PAM-Help.htm

Seifried, K. (2001). Linux Limiting and Monitoring Users. Linux Administrator's Security Guide. Retrieved from http://www.linuxtopia.org/online_books/linux_administrators_security_guide/16_Linux_Limiting_and_Monitoring_Users.html

PAM UnixWare 7 Documentation. (2004). Retrieved from http://uw714doc.sco.com/en/SEC_pam/pam-3.html

van Meer, R. (2001). LDAP Implementation HOWTO. Retrieved from http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/index.html

Zeilenga, K. (2006). RFC 4510. Lightweight Directory Access Protocol (LDAP): Technical specification road map.
