
LDAP and Security - Coursework Example


Extract of sample "LDAP and Security"

LDAP (Lightweight Directory Access Protocol)

INTRODUCTION

In current email application packages, each software package has a private address book. But how do we look up the online address of somebody who is not known to us by email, and how can a firm maintain one central, up-to-date phone book that everyone can access? This need led software corporations such as IBM, Microsoft, Netscape and Lotus to support a standard that is now known as LDAP (Lightweight Directory Access Protocol). LDAP is a software protocol that allows anyone to locate companies, workers or staff, and other resources such as files, documents and devices connected to a network, whether on the open Internet or on an organizational intranet. As its name shows, it is a lightweight client-server protocol for directory services, particularly directory services based on X.500. LDAP runs over TCP/IP or other connection-oriented data transfer services. LDAP-aware client programs can query LDAP servers to search for entries in a variety of ways. The LDAP server's directory holds all the data in its entries, and filters can be used to select just the group or person wanted and to return just the information wanted. LDAP is not restricted to contact details, or even to data about people. It can also be used to look up pointers to printers, encryption credentials and other services on a network, and to provide single sign-on, where one password for a user is shared among many services.
Moreover, LDAP is well suited to directory-type information, where quick searches and infrequent database updates are the norm (Gracion, 2010; Briggs & Spence, 2000; The Linux Documentation Project, 2010). This paper presents a comprehensive analysis of the security features that LDAP supports and then assesses how an access control list can be implemented on LDAP servers. It then analyzes the security auditing features that LDAP supports, along with the detection of brute-force attacks (such as NAT) against an LDAP server.

LDAP AN OVERVIEW

Lightweight Directory Access Protocol (LDAP) offers a network directory service that is used as a central database holding the vital information about the groups, people and other units that make up a business. Because each organization's structure, and its precise definition of the necessary information, can differ, a directory service has to be highly customizable and flexible, which is an intrinsically difficult task. The X.500 protocol for directory services is the main point of reference here. Because it was intended to offer extensive directory services for large and complex organizations, X.500 is itself a large and complicated protocol, and so a lightweight adaptation of it was developed, which is known as LDAP. LDAP, described in RFC 1777, is considered a subset of the X.500 protocol, and it has been deployed far more widely than X.500 itself (Bauer, 2003; Donnelly, 2000; Briggs & Spence, 2000). LDAP and X.500 are open protocols, like TCP/IP; neither is an individual product.
A protocol has to be implemented in some form of software, such as a server daemon, a kernel component or a user program. Also, unlike TCP/IP, not all implementations of LDAP are alike, or even fully able to communicate with one another (without alterations). Fortunately, LDAP is designed and implemented for widespread use. Making an LDAP database on one platform compatible with other LDAP applications is usually a straightforward matter of adjusting the database's record formats or layouts. Consequently, it is not a problem to run an OpenLDAP server on a Linux machine that provides address-book functionality to clients running, for example, Netscape Communicator on Macs (Bauer, 2003; Donnelly, 2000; Briggs & Spence, 2000).

LDAP and Security

An LDAP service provides a general-purpose directory service. It is typically used to store information about entities on a network, from printers, users and computers to application configuration data. All LDAP servers include some mechanism for controlling who is authorized to read and update the information in the directory. For instance, some information in the directory may be readable by everyone, while most of it probably cannot be updated by everyone. Other parts of the directory may be readable only by those to whom the directory administrator has granted suitable access. To access the LDAP service, a client therefore first has to authenticate itself to the service.
Specifically, it has to tell the LDAP server who is going to be accessing the data, so that the server can decide what the client is permitted to see and do. Once the client has authenticated itself to the LDAP server, the server checks each request it receives from the client to determine whether the client is permitted to carry out that request. This procedure is known as access control (Oracle, 2010; Findlay, 2002). The LDAP standard defines the ways in which LDAP clients can authenticate themselves to LDAP servers (RFC 2829 and RFC 2251). Access control, however, is implemented in different ways by different LDAP server implementations. Another security aspect of the LDAP service is the way requests and responses are carried between clients and the server. Many LDAP servers support protected channels for communicating with clients, for instance to send and receive attributes that hold secrets, such as keys and passwords. LDAP servers use Secure Sockets Layer (SSL) for this purpose (Oracle, 2010; Findlay, 2002; Cooper, 2010).

SECURITY FEATURES OFFERED BY LDAP

This section presents the security features that LDAP supports. These features are outlined below.

Security

LDAP directories can hold sensitive information such as user passwords, social security numbers, secret keys and other details. The protocol ensures that this information is handled securely by means of SASL, which covers a variety of security certificates and encryption systems. A further benefit of LDAP is that it reduces the burden of having to memorize a separate password for every service that users typically access (Wrox Press, 2002).
Asynchronous processes

Asynchronous processes are those which do not block. LDAP supports asynchronous operations on the directory. With an asynchronous operation, the call that starts the device-related operation does not block in the subroutine, which lets the system carry on and do other work; the system is then notified when the device responds. In LDAP, operations from the client to the server could otherwise block for a long time, since they are performed over a network. Asynchronous operations let an LDAP system avoid this situation (Wrox Press, 2002).

Duplication

In operational environments that require almost zero downtime, it is essential that the LDAP server keeps working and keeps serving directory information to users continuously. This is achieved by replicating the information held on the LDAP server to one or more additional LDAP servers that take part in the replication. The major benefit of this feature is that client operations are fast, because clients talk to servers that are not slowed down by the performance overhead of updates (Wrox Press, 2002).

Referral

The referral service allows LDAP servers to distribute, load-balance and decentralize their operations. With a referral, the LDAP server can choose to direct the client to another LDAP server for part of the information the client requests, since most organizations want to access the data that relates to them (Wrox Press, 2002).

Extendable Features

LDAP-v3 allows users to develop and extend the protocol.
This extensibility is achieved through the techniques given below (Wrox Press, 2002).

Extended processes

The protocol can now be extended to support new operations in addition to the existing ones. For instance, vendors can use these to implement server-side sorting of results or password expiry. If a server or client does not recognize the new operation, the operation is rejected (Wrox Press, 2002).

Control information

The protocol now allows extra information to be sent along with an LDAP message, which can change the behaviour of a basic protocol operation (Wrox Press, 2002).

SASL

The SASL framework allows new authentication and security mechanisms to be created as they emerge, without changes to the protocol itself (Wrox Press, 2002).

IMPLEMENTATION OF AN ACCESS CONTROL LIST ON A LDAP SERVER

This section summarizes how LDAP access control lists (ACLs) can be implemented. In many cases, an organization does not need to restrict access to the data on its LDAP directory server. For instance, an LDAP server on an organizational intranet might hold a telephone directory of the business and its staff, and the organization will certainly want staff members to be able to read the data in this directory. In some cases, however, the top manager of the corporation will not want staff members to have ordinary access to his or her phone number or personal details. In that case an ACL (access control list) can be implemented to block access. This access control list lets the manager restrict access on the server so that only permitted people can call him or her. Access control lists also help to manage the rights to add and delete directory objects (Findlay, 2009; IBM, 2010).
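The phone-directory scenario above can be modelled as an ordered rule list in which the first rule covering an entry and attribute decides the outcome. This is an added example, not part of the essay or of any LDAP server's code; the rule layout, the DNs under dc=example,dc=com and the group names are hypothetical, and real servers each use their own ACL syntax.

```python
# Added illustration (not the essay's code): first-match ACL evaluation.
# Rule layout, DNs and group names are hypothetical.
from dataclasses import dataclass

BASE = "dc=example,dc=com"
CEO = f"uid=ceo,ou=people,{BASE}"
PA = f"uid=pa,ou=people,{BASE}"
ADMIN = f"uid=admin,ou=people,{BASE}"
STAFF = f"uid=jdoe,ou=people,{BASE}"
GROUPS = {"diradmins": {ADMIN}, "exec-office": {PA}}
LEVELS = ["none", "read", "write"]      # "write" covers add and delete here


@dataclass(frozen=True)
class Rule:
    target: str      # DN the rule covers, or "*" for every entry
    attrs: tuple     # attribute names covered, or ("*",)
    grants: tuple    # ordered (who, level) pairs


# Order matters: the specific rule for the manager's numbers comes first.
RULES = (
    Rule(CEO, ("telephoneNumber", "homePhone"),
         (("self", "write"), ("group:exec-office", "read"), ("*", "none"))),
    Rule("*", ("*",),
         (("group:diradmins", "write"), ("users", "read"), ("*", "none"))),
)


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous (unauthenticated) client."""
    if who == "*":
        return True
    if bind_dn is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("group:"):
        return bind_dn in GROUPS.get(who[len("group:"):], set())
    return False


def access_level(bind_dn, target_dn, attr, rules=RULES):
    for rule in rules:
        if rule.target != "*" and rule.target.lower() != target_dn.lower():
            continue
        if "*" not in rule.attrs and attr.lower() not in {a.lower() for a in rule.attrs}:
            continue
        # First rule covering this entry/attribute decides; no fall-through.
        for who, level in rule.grants:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"    # nothing matched: default deny


def allowed(bind_dn, target_dn, attr, wanted):
    level = access_level(bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(wanted)
```

Because evaluation stops at the first covering rule, even the directory administrator is refused the manager's phone number here; widening that requires an explicit grant in the first rule, not a later one.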
SECURITY AUDITING FEATURES OF LDAP

This section outlines some aspects of LDAP's ability to limit exposure to brute-force attacks. A brute-force attacker tries to decode a secret message by trying every possible key until the right one is found (Tech-Faq, 2010; Oracle Corporation, 2008). To defend the LDAP port against brute-force attacks, close off the embedded LDAP listen port using a connection filter in a single-server configuration. This does not protect the embedded LDAP port in a multiple-server configuration; there, the default connection filter implementation supports filtering based on the source IP address, which should be used to allow access only from servers that are part of that domain. As a result, only the machines in the domain can access the LDAP port. Protection against dictionary and brute-force attacks on user accounts is provided by the WebLogic Security Service (Oracle Corporation, 2008).

CONCLUSION

Lightweight Directory Access Protocol is a software protocol that allows anyone to locate companies, workers or staff, and other resources such as files, documents and devices connected to a network, whether on the open Internet or on an organizational intranet. This paper has presented an in-depth analysis of LDAP. It has offered an overview of some of the prime areas: an overview of LDAP, its features, and the security management aspects of LDAP.

Bibliography

Bauer, M., 2003. LDAP for Security, Part I. [Online] Available at: http://www.linuxjournal.com/article/6789 [Accessed 19 February 2011].
Briggs, S. & Spence, S., 2000. LDAP (Lightweight Directory Access Protocol). [Online] Available at: http://searchmobilecomputing.techtarget.com/definition/LDAP [Accessed 18 February 2011].
Cooper, S.B., 2010. LDAP Security Protocol. [Online] Available at: http://www.ehow.com/facts_7395800_ldap-security-protocol.html [Accessed 19 February 2011].
Donnelly, M., 2000. An Introduction to LDAP. [Online] Available at: http://www.ldapman.org/articles/intro_to_ldap.html [Accessed 19 February 2011].
Findlay, A., 2002. Security with LDAP. [Online] Available at: http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html [Accessed 18 February 2011].
Findlay, A., 2009. Writing Access Control Policies for LDAP. [Online] Available at: http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/Access-Control-for-LDAP-Jan-2009.pdf [Accessed 18 February 2011].
Gracion, 2010. What is LDAP?. [Online] Available at: http://www.gracion.com/server/whatldap.html [Accessed 17 February 2011].
IBM, 2010. LDAP access control lists (ACLs). [Online] Available at: http://publib.boulder.ibm.com/iseries/v5r2/ic2928/index.htm?info/rzahy/rzahyaclco.htm [Accessed 19 February 2011].
Oracle Corporation, 2008. Ensuring the Security of Your Production Environment. [Online] Available at: http://download.oracle.com/docs/cd/E13222_01/wls/docs100/lockdown/practices.html [Accessed 18 February 2011].
Oracle, 2010. Security. [Online] Available at: http://download.oracle.com/javase/jndi/tutorial/ldap/security/index.html [Accessed 19 February 2011].
Tech-Faq, 2010. Brute Force Attack. [Online] Available at: http://www.tech-faq.com/brute-force-attack.html [Accessed 19 February 2011].
The Linux Documentation Project, 2010. 1.1. What's LDAP ? [Online] Available at: http://tldp.org/HOWTO/LDAP-HOWTO/whatisldap.html [Accessed 18 February 2011].
Wrox Press, 2002. Advanced Features of LDAP - Page 7. [Online] Available at: http://www.wdvl.com/Authoring/Languages/PHP/Pro/prophp2_1.html [Accessed 19 February 2011].

Appendix

Practical Screens: LDAP Windows Client at Work (Login Screen, Main Screen, Add Entry, Add Attributes). LDAP Client Screen source: http://www.cqsl.com/visualldapscreens1.asp
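The security auditing section relies on source-IP filtering and account protection; reviewing the server's bind log for the same two conditions shows when they are being tested. This is an added example, not part of the essay: it assumes OpenLDAP-style syslog lines (the sample lines are constructed), a hypothetical domain subnet 10.20.0.0/24, and an assumed threshold of five failed binds in 60 seconds.

```python
# Added illustration: flag brute-force bind patterns in LDAP server logs.
# Log layout follows OpenLDAP's stats logging; all values are constructed.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed domain subnet
THRESHOLD, WINDOW = 5, timedelta(seconds=60)          # assumed tuning values

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
# tag=97 is a bind response; err=49 is invalidCredentials.
RESULT = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")


def sample_log():
    """Constructed input: one good login, then six failed binds from outside."""
    pre = "Feb 19 10:00:{:02d} ldap1 slapd[812]: "
    lines = [
        pre.format(1) + "conn=1001 fd=12 ACCEPT from IP=10.20.0.15:40112 (IP=0.0.0.0:389)",
        pre.format(1) + 'conn=1001 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128',
        pre.format(1) + "conn=1001 op=0 RESULT tag=97 err=0 text=",
        pre.format(5) + "conn=1002 fd=13 ACCEPT from IP=192.0.2.77:51544 (IP=0.0.0.0:389)",
    ]
    for i in range(6):
        lines.append(pre.format(10 + i) + f"conn=1002 op={i} RESULT tag=97 err=49 text=")
    return lines


def analyse(lines, year=2011):
    """Return source IPs outside the allowed subnet and IPs over the threshold."""
    conn_ip, failures = {}, defaultdict(list)
    outside, brute = set(), set()
    for line in lines:
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)
            if ipaddress.ip_address(m.group(2)) not in ALLOWED_NET:
                outside.add(m.group(2))
        elif (m := RESULT.search(line)) and m.group(2) == "49":
            ip = conn_ip.get(m.group(1), "unknown")
            # Keep only failures inside the sliding window, then add this one.
            failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
            if len(failures[ip]) >= THRESHOLD:
                brute.add(ip)
    return {"outside_allowed_net": sorted(outside), "brute_force": sorted(brute)}
```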