
Academic year: 2021


Chapter 2

Related Works

In this chapter, we will introduce works related to our research. First, we will present the basic concept of directory service and the Lightweight Directory Access Protocol (LDAP). Next, we will describe the LDAP Proxy architecture and introduce the vendors of LDAP Proxies.

2.1 Directory Service

A directory service is a service that provides a directory for people to search for information quickly. A directory is a type of database that contains descriptive information about entries, and is optimized for searching and retrieving structured data. The entries in the directory are attribute-based and are generally read much more often than written. A directory usually offers a static view of the data, and it has simple updates without transactions. These special characteristics make directories suitable for storing static information, such as personal profiles, network resources, access control data, or configuration information. To extend the directory's capability of storing various types of information, a schema can be used to describe the sequence of fields in the directory.


to a restricted context, such as the UNIX finger service on a single machine. Global directory services provide services over the global network, i.e., the Internet, with services like the DNS service. These services are usually distributed across multiple cooperating machines, and define a uniform namespace that gives an identical view of the data no matter where people access the service. The distributed and cooperative nature of these directory services also demands that the directory servers have the ability to communicate with each other using a common protocol and directory representation. The Lightweight Directory Access Protocol (LDAP) [1][2][3] is such an open-standard directory service that is widely accepted and vendor supported.

2.2 LDAP

LDAP is a set of protocols for accessing information directories. It is based on a client-server model and is a simplification of the X.500 directory access protocol (DAP) [10]. Unlike X.500, it supports TCP/IP. LDAP consists mainly of three parts: the data format defines how the directory information is stored and recalled, the protocol defines how clients and servers interact with each other, and the API defines how programs can interact with an LDAP server.

2.2.1 The Data Format

Each piece of data stored in the LDAP server is called an entry, an object, or an object entry. An LDAP entry is a collection of attributes and has an unambiguous name called a distinguished name (DN). Each part of a DN is called a relative


types are typically mnemonic strings, like "cn" for common name and "ou" for organizational unit. The value depends on the attribute's type and can be either text or binary. An object class defines which attributes of an object are required and which are optional. LDAP entries are ordered in a hierarchical format, and the hierarchy is defined by a particular object class. The object classes are defined in RFC 2556 [5].

An example data format is shown below:

( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

In this example, 2.5.4.5 is an object identifier, referred to as an OID. OIDs are used to identify object classes and their attributes uniquely. From the structure of an OID we can tell where a particular object or attribute originated. For example, 2.5.4 in the OID above refers to the IETF defined objects and attributes. Companies can get their own OID from the Internet Assigned Numbers Authority (IANA) at http://www.iana.org/. The specification of the attributes is given in RFC-1778 [2].


entries must be a member of a particular object class and a collection of name-value pairs.

Figure 1:A hierarchical structure of the directory data in an LDAP server

Figure 2:An example directory under the Netscape Directory Server

Consider the example shown in Figure 2. It is an example directory under the Netscape Directory Server [11], which is an LDAP server developed by Netscape. In this LDAP server, the domain is cs.nthu.edu.tw, and its branches are organizational units (ou) in the name-value form of ou=people, ou=groups, etc. Below the ou are entries with distinguished names (dn) such as uid=gchen, ou=people, o=cs.nthu.edu.tw. Each LDAP server defines the object classes and the object hierarchy in a schema. The schema is the blueprint of the LDAP server; it defines the format of the records in the directory.

[Figure 2 content: domain cs.nthu.edu.tw with organizational units Directory Administrator, Groups and People; below them the entries Accounting Managers, HR managers and Lexine Alk]


2.2.2 The Protocol

LDAP uses the TCP/IP protocol for its basic network communication. Since LDAP data are primarily text based and texts do not take up much space, the message contents can easily be compressed. When a client interacts with an LDAP server, it goes through three basic steps. First, the client connects to the server. Second, it performs a series of operations with the server. Third, it disconnects from the server. LDAP defines six basic operations: binding to the server, searching the server, comparing entries, adding an entry to the server, modifying existing entries, and removing an entry from the server. The most important operation is the search operation. It involves a sequence of calls, ldap_init, ldap_bind, ldap_search, and ldap_unbind, shown in Figure 8.

Figure 8:a sequence of steps in a simple LDAP search operation

[Figure 8 content: the client/server message sequence]
1. ldap_init(host, port): the client connects to the directory server, and the server returns a session handle ld.
2. ldap_simple_bind_s(ld, DN, passwd): bind operation; the client authenticates to the directory server using a distinguished name (DN) and password, and the server replies that the bind succeeded.
3. ldap_search_s(ld, search base, scope, filter, attr, result): search operation; the directory entries are searched with the LDAP search operation, and the directory server returns the result structure to the client.
4. ldap_unbind(ld): the session is closed, and the server replies that the unbind succeeded.

ldap_init initializes the LDAP library, opens a connection to the directory server, and returns a session handle for future use. The ldap_bind operation is responsible for client authentication. The bind operation allows a client to identify itself to the


other information). LDAP supports a variety of authentication methods. We use password authentication in our experiments. When a bind operation is successfully completed, the directory server remembers the new identity until another bind is done or the LDAP session is terminated by calling ldap_unbind. The ldap_search operation initiates an LDAP search by specifying a filter; the entries that match the filter are returned. We developed a search filter generation tool for our experiments. When all the LDAP operations are complete, the LDAP session is terminated by calling ldap_unbind.
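As an added example (not code from the thesis), the following Python parses the attribute-type definition of Section 2.2.1 and a DN of the form shown in Figure 2 into its RDNs, and builds the filter for the ldap_search step with the values escaped so that they are matched literally. The sample definition and DN are constructed from the examples in the text; the syntax OID in the sample is the standard Printable String OID.

```python
import re

# Constructed sample: the serialNumber definition from Section 2.2.1
ATTR_DEF = ("( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch "
            "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )")

def parse_attribute_type(defn):
    """Parse an attribute-type definition into its OID and keyword/value pairs.
    Assumes single-token values, as in the example above (a parenthesised
    list of several NAMEs is not handled)."""
    tokens = defn.strip().lstrip("(").rstrip(")").split()
    result = {"oid": tokens[0]}
    for key, value in zip(tokens[1::2], tokens[2::2]):
        result[key.lower()] = value.strip("'")
    # SYNTAX may carry a {maxlen} suffix, e.g. ...1.44{64}
    m = re.fullmatch(r"(.*?)\{(\d+)\}", result.get("syntax", ""))
    if m:
        result["syntax"], result["maxlen"] = m.group(1), int(m.group(2))
    return result

def split_dn(dn):
    """Split 'uid=gchen, ou=people, o=cs.nthu.edu.tw' into RDN (type, value) pairs.
    A backslash-escaped comma inside a value does not split the DN."""
    rdns = re.split(r"(?<!\\),", dn)
    return [tuple(part.strip().split("=", 1)) for part in rdns]

# RFC 4515 escapes: the characters that would otherwise change the filter's structure
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(conditions, operator="&"):
    """Build a filter such as '(&(uid=gchen)(objectClass=person))' from
    (attribute, value) pairs; every value passes through escape_filter_value."""
    if operator not in ("&", "|"):
        raise ValueError("operator must be '&' or '|'")
    clauses = "".join(f"({attr}={escape_filter_value(val)})" for attr, val in conditions)
    return clauses if len(conditions) == 1 else f"({operator}{clauses})"

if __name__ == "__main__":
    print(parse_attribute_type(ATTR_DEF))
    print(split_dn("uid=gchen, ou=people, o=cs.nthu.edu.tw"))
    print(build_search_filter([("uid", "gchen"), ("objectClass", "person")]))
```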

LDAP also provides three important services. The referral service is designed to allow LDAP servers to link to each other. Through this service, if a server cannot satisfy a request, the client is referred to another server for possible results. The replication service enables administrators to replicate the directory contents to multiple servers in order to provide a high-availability service. That is, if one server goes down, at least one other server will still be running and can provide the contents. Multiple replicated servers can also load-balance the requests, which speeds up the directory service.


2.2.3 The APIs

One major reason for the quick development of LDAP is the ease of developing LDAP clients through a set of well-defined APIs. So far, several APIs are available for programmers, such as Netscape SDKs, Netscape C, Java and Perl SDK Internals, and Sun and Microsoft's LDAP SDKs [5].

2.3 LDAP Proxy

An LDAP proxy [7][8][9] sits between a client and its LDAP servers. When the client sends a request to the LDAP server, the request is routed to the LDAP proxy first. The LDAP proxy processes this request according to predefined rules before passing it on to the LDAP server. For example, when a user connects to the LDAP proxy, the LDAP proxy obtains the user information from the user's bind operation. This information includes the user DN, the request content, and the operation type. According to this information and the administrator's predefined rules, the LDAP proxy then checks the query syntax, and may rewrite, merge, and filter the query. These query manipulations are all processed in real time. Major functions performed in the LDAP proxy include single login, character set mapping, failover detection, and load balancing.


LDAP proxies have the ability to chain several LDAP servers together and manage them as a whole. Thus, they can distribute the received requests among those servers in order to perform load balancing. This is shown in Figure 3. Furthermore, LDAP proxies can periodically detect whether back-end servers are alive. When they find that an LDAP server has failed, they redirect the requests that were sent to this server to other working servers and notify the administrator to repair that server. This failover operation is shown in Figure 4.
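The decision logic described in this section (rules keyed on the bound user's DN and the operation type, query rewriting or filtering, round-robin load balancing over chained servers, and failover based on periodic liveness checks), as an added example in Python that is not code from the thesis or from any vendor product; the backend names, rule format and sample DNs are constructed for illustration.

```python
import itertools

class LdapProxyPolicy:
    def __init__(self, backends, rules):
        # rules: list of (bind_dn_suffix, operation or "*", action), where action is
        # "allow", "deny", or ("rewrite_base", new_search_base); the first match wins
        self.rules = rules
        self.alive = {b: True for b in backends}  # latest health-check result per server
        self._cycle = itertools.cycle(backends)   # round-robin order for load balancing

    def health_check(self, backend, is_alive):
        """Record the result of a periodic liveness probe for one back-end server."""
        self.alive[backend] = is_alive

    def choose_backend(self):
        """Next server in round-robin order, skipping servers marked down (failover)."""
        if not any(self.alive.values()):
            raise RuntimeError("no back-end LDAP server available")
        while True:
            backend = next(self._cycle)
            if self.alive[backend]:
                return backend

    def decide(self, bind_dn, operation, request):
        """Apply the first rule matching the bound user's DN suffix and the operation.
        Returns {'backend', 'request'} for a forwarded request, or None if filtered out."""
        for suffix, op, action in self.rules:
            if not bind_dn.lower().endswith(suffix.lower()) or op not in (operation, "*"):
                continue
            if action == "deny":
                return None
            if isinstance(action, tuple) and action[0] == "rewrite_base":
                request = dict(request, base=action[1])  # rewrite a copy of the request
            return {"backend": self.choose_backend(), "request": request}
        return None  # no rule matched: the request is not forwarded

if __name__ == "__main__":
    proxy = LdapProxyPolicy(["ldap1", "ldap2"], [
        ("ou=people,o=cs.nthu.edu.tw", "modify", "deny"),
        ("o=cs.nthu.edu.tw", "*", ("rewrite_base", "ou=people,o=cs.nthu.edu.tw")),
    ])
    req = {"base": "o=cs.nthu.edu.tw", "filter": "(uid=gchen)"}
    print(proxy.decide("uid=gchen,ou=people,o=cs.nthu.edu.tw", "search", req))
    proxy.health_check("ldap1", False)
    print(proxy.decide("uid=gchen,ou=people,o=cs.nthu.edu.tw", "search", req))
```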

Figure 3:The LDAP proxy can perform load balancing

Figure 4:The LDAP proxy can perform failover

[Figure 3 and Figure 4 content: load-balancing/failover LDAP proxy servers forward operations (searches or updates) to a server in a server group of master or slave servers]

In summary, an LDAP proxy transparently directs and transforms queries to the LDAP servers. It can filter the responses that are sent back to the client. It may support different levels of security in authentication and authorization, and it has the ability to perform load balancing and failover.

2.4 Vendors of LDAP Proxy

Currently there are three companies supplying standalone LDAP proxy services [7][8][9]. Each LDAP proxy product offers the same basic functionality of accepting multiple LDAP client requests and returning the query results from one or more LDAP servers. In this section, we will briefly describe these LDAP proxy products.

2.4.1 Innosoft LDAP Proxy Server (ILPS)


behind the corporate firewall.

2.4.2 MaxWare LDAP Proxy Server (MLPS)

MLPS is the only vendor to provide VBScript capability to manipulate data as it passes through the proxy [8]. It provides a simple GUI to let administrators maintain servers easily. The proxy runs as an application, not as a service, which might make implementation difficult for some designers. MLPS uses groups to manage permissions for viewing servers. The server bases groups on the IP address and LDAP credentials that the proxy passes from the client. MLPS's other features include carrying out all necessary schema mapping, providing mechanisms for advanced access control, performing external authentication, and offering extensive configuration possibilities and statistics.

2.4.3 Directory Boundary Agent (DBA)

References
